DB2 Version 10.1 for Linux, UNIX, and Windows

Communication buffer exit libraries

The DB2® for Linux, UNIX, and Windows database manager gives customers and vendors the capability to review communication buffers. External trusted shared libraries, known as communication buffer exit libraries, are given access to the communication buffers that flow between clients and database servers: each buffer received from a client, and each buffer about to be sent to a client.

With communication buffer exit libraries, you can examine the communication buffers to build auditing or other security solutions that act on their contents. DB2 for Linux, UNIX, and Windows provides each buffer received from a client, as well as each buffer about to be sent to a client. Buffers are provided in the clear, before they are encrypted with either DATA_ENCRYPT authentication or SSL, so the library sees exactly the data that the client and server exchange. DB2 for Linux, UNIX, and Windows uses the DRDA® protocol to communicate between clients and the server, and the buffers that are passed to the communication buffer exit library are formatted according to the DRDA protocol. The database manager does not decode them for the library; the communication buffer exit library must itself understand the DRDA protocol that is used for the connection.

DB2 for Linux, UNIX, and Windows provides the buffers regardless of the communication protocol. Communication buffer exit libraries work consistently over TCP/IP (IPv4 and IPv6), SSL, Inter-Process Communication (IPC), and named pipes.

In addition to the buffers, DB2 for Linux, UNIX, and Windows also makes identity information available, including the username and the session authorization ID established for the connection to the database. This information matters for connections that authenticate through GSS-API plug-ins such as Kerberos: in that case the buffers carry no username, only opaque tickets from which the database manager derives one, so the identity cannot be recovered by looking at the communication buffer alone.

The database manager ensures that only trusted libraries are loaded. The libraries must be installed in a specific location that only the instance owner can modify, and only a user with SYSADM authority can enable a library. This is the same authority level that is required to enable encryption (DATA_ENCRYPT or SSL), which is appropriate because the library sees the same plaintext that encryption protects.

The communication buffer exit library can terminate a connection if any buffer that it is given contains data that the library considers harmful. This applies both to data sent to the server and to data returned to the client. For example, the library might determine that the data returned from a SELECT statement is inappropriate for the client to receive. A return code from the library indicates to the database manager that the connection must be terminated; the database manager then withholds that buffer and any further communication buffers from the client and terminates the connection.
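The following is an added example, not IBM's sample library and not the db2commexit entry points that DB2 loads. It shows in C the two things the preceding paragraphs require of such a library: bounds-checked parsing of the DRDA DSS/DDM framing that every buffer uses, and a per-buffer decision, combined with the session authorization ID the database manager supplies, on whether to let the buffer through or terminate the connection. The policy (blocked keywords, an exempt authorization ID DBA_ADMIN), the request built by build_excsqlimm, and the names drda_next_dss, inspect_buffer and verdict_for are constructed for this example; the codepoints EXCSQLIMM (0x200A) and SQLSTT (0x2414), the DSS format bytes and the 6-byte DSS header come from the DRDA specification and should be cross-checked against your copy.

```c
/* Added example, not IBM's sample code and not the db2commexit API: a bounds-checked
 * DRDA DSS/DDM walker plus a constructed policy that decides whether to terminate. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CP_EXCSQLIMM 0x200A   /* DDM codepoint: execute an SQL statement immediately */
#define CP_SQLSTT    0x2414   /* DDM codepoint: SQL statement text object */
#define DSS_MAGIC    0xD0     /* byte 2 of every DSS header */
#define DSS_HDR_LEN  6        /* length(2) magic(1) format(1) correlator(2) */
#define DDM_HDR_LEN  4        /* length(2) codepoint(2) */

enum verdict { VERDICT_ALLOW = 0, VERDICT_TERMINATE = 1 };

/* One parsed DSS: its top-level DDM codepoint and the payload after the DDM header. */
typedef struct { uint16_t codepoint; const uint8_t *data; size_t data_len; } drda_dss;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the DSS at *pos and advance past it: 1 = ok, 0 = end of buffer, -1 = malformed.
 * No length field is trusted beyond buf_len: the library runs inside the database
 * engine, so an over-read here is a server-side bug that any client could trigger. */
int drda_next_dss(const uint8_t *buf, size_t buf_len, size_t *pos, drda_dss *out)
{
    if (buf == NULL || pos == NULL || out == NULL) return -1;
    size_t p = *pos;
    if (p >= buf_len) return 0;
    if (buf_len - p < DSS_HDR_LEN + DDM_HDR_LEN || buf[p + 2] != DSS_MAGIC) return -1;
    uint16_t dss_len = be16(buf + p);
    if (dss_len < DSS_HDR_LEN + DDM_HDR_LEN || dss_len > buf_len - p) return -1;
    uint16_t ddm_len = be16(buf + p + DSS_HDR_LEN);
    if (ddm_len < DDM_HDR_LEN || ddm_len > dss_len - DSS_HDR_LEN) return -1;
    out->codepoint = be16(buf + p + DSS_HDR_LEN + 2);
    out->data = buf + p + DSS_HDR_LEN + DDM_HDR_LEN;
    out->data_len = ddm_len - DDM_HDR_LEN;
    *pos = p + dss_len;
    return 1;
}

/* Case-insensitive substring search bounded by hay_len (no NUL terminator assumed). */
static int contains_nocase(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle), i, j;
    for (i = 0; n > 0 && i + n <= hay_len; i++) {
        for (j = 0; j < n && toupper(hay[i + j]) == toupper((unsigned char)needle[j]); j++) {}
        if (j == n) return 1;
    }
    return 0;
}

/* Constructed policy: walk the DSS chain, scan only SQLSTT objects, and terminate on a
 * blocked statement unless the session authorization ID (supplied by the database
 * manager alongside the buffer, never parsed out of it) is exempt. Malformed input
 * fails closed, since a buffer the library cannot parse cannot be vetted. */
static const char *BLOCKED[] = { "DROP TABLE", "GRANT DBADM" };
static const char *EXEMPT_AUTHID = "DBA_ADMIN";                   /* constructed */

int inspect_buffer(const uint8_t *buf, size_t buf_len, const char *session_authid)
{
    size_t pos = 0, i;
    drda_dss dss;
    int rc;
    while ((rc = drda_next_dss(buf, buf_len, &pos, &dss)) == 1) {
        if (dss.codepoint != CP_SQLSTT) continue;
        for (i = 0; i < sizeof BLOCKED / sizeof *BLOCKED; i++)
            if (contains_nocase(dss.data, dss.data_len, BLOCKED[i]))
                return (session_authid && strcmp(session_authid, EXEMPT_AUTHID) == 0)
                       ? VERDICT_ALLOW : VERDICT_TERMINATE;
    }
    return rc == 0 ? VERDICT_ALLOW : VERDICT_TERMINATE;
}

/* Constructed client request: an RQSDSS carrying EXCSQLIMM with no parameters (format
 * 0x51: request, chained, next DSS shares the correlator) followed by an OBJDSS (format
 * 0x03) carrying SQLSTT. Real clients wrap the text in an FD:OCA group in the negotiated
 * CCSID; here the UTF-8 text is stored directly. Returns bytes written, 0 on error. */
size_t build_excsqlimm(const char *sql, uint8_t *out, size_t cap)
{
    size_t sql_len = strlen(sql), dss1 = DSS_HDR_LEN + DDM_HDR_LEN;
    size_t dss2 = dss1 + sql_len, ddm2 = DDM_HDR_LEN + sql_len;
    if (dss2 > 0xFFFF || dss1 + dss2 > cap) return 0;
    const uint8_t h1[] = { (uint8_t)(dss1 >> 8), (uint8_t)dss1, DSS_MAGIC, 0x51, 0, 1,
                           0, DDM_HDR_LEN, CP_EXCSQLIMM >> 8, CP_EXCSQLIMM & 0xFF };
    const uint8_t h2[] = { (uint8_t)(dss2 >> 8), (uint8_t)dss2, DSS_MAGIC, 0x03, 0, 1,
                           (uint8_t)(ddm2 >> 8), (uint8_t)ddm2, CP_SQLSTT >> 8, CP_SQLSTT & 0xFF };
    memcpy(out, h1, sizeof h1);
    memcpy(out + dss1, h2, sizeof h2);
    memcpy(out + dss1 + sizeof h2, sql, sql_len);
    return dss1 + dss2;
}

/* Build one request and run the policy over it; drop_tail > 0 simulates a buffer cut
 * short of what its DSS length field claims. Returns the verdict, or -1 if not built. */
int verdict_for(const char *sql, const char *authid, size_t drop_tail)
{
    uint8_t buf[512];
    size_t n = build_excsqlimm(sql, buf, sizeof buf);
    if (n == 0 || drop_tail >= n) return -1;
    return inspect_buffer(buf, n - drop_tail, authid);
}
```

Two design points matter more than the toy keyword list. First, every length field is checked against the bytes actually received before it is used, and a buffer that fails to parse yields VERDICT_TERMINATE rather than VERDICT_ALLOW: the library executes in the database engine's address space with access to every connection's plaintext, so a parser that trusts a client-supplied length is a server vulnerability, and a buffer the library cannot vet should not be allowed to pass. Second, the exemption is keyed on the authorization ID the database manager hands over, not on anything found in the buffer, which is the only way the decision stays correct for Kerberos and other GSS-API connections. A production library would additionally walk the nested DDM objects and convert the statement text from the CCSID negotiated for the connection instead of scanning the raw SQLSTT payload.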

Note: Third-party vendors typically provide these communication buffer exit libraries. DB2 for Linux, UNIX, and Windows provides sample libraries in the sqllib/samples/security/commexit directory, which you can use as a guide for developing your own.