DB2 10.5 for Linux, UNIX, and Windows

Deploying a change password plug-in (Linux)

To enable support for changing passwords in DB2® database products on Linux, you must configure the DB2 instance to use the security plug-ins IBMOSchgpwdclient and IBMOSchgpwdserver.

Before you begin

The plug-in libraries are located in the following directories:
  • INSTHOME/sqllib/securityXX/plugin/IBM/client/IBMOSchgpwdclient.so
  • INSTHOME/sqllib/securityXX/plugin/IBM/server/IBMOSchgpwdserver.so
where INSTHOME is the home directory of the instance owner and securityXX is either security32 or security64, depending on the bit-width of the instance.

Procedure

To deploy the security plug-ins in a DB2 instance, perform the following steps:

  1. Log in as a user with root authority.
  2. Create a PAM configuration file: /etc/pam.d/db2

    Ensure that the file contains the appropriate set of rules, as defined by your system administrator. For example, on SLES 9 this can be used:

    auth     required pam_unix2.so    nullok
    account  required pam_unix2.so
    password required pam_pwcheck.so  nullok tries=1
    password required pam_unix2.so    nullok use_authtok use_first_pass
    session  required pam_unix2.so

    And on RHEL, this can be used:

    #%PAM-1.0 
    auth     required   /lib/security/$ISA/pam_env.so 
    auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok 
    auth     required   /lib/security/$ISA/pam_deny.so
    
    account  required   /lib/security/$ISA/pam_unix.so 
    account  sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account  required   /lib/security/$ISA/pam_permit.so
    
    password requisite  /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 ucredit=-1
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=3
    password required   /lib/security/$ISA/pam_deny.so
    
    session  required   /lib/security/$ISA/pam_limits.so
    session  required   /lib/security/$ISA/pam_unix.so 
  3. Enable the security plug-ins in the DB2 instance:
    1. Update the database manager configuration parameter SRVCON_PW_PLUGIN with the value IBMOSchgpwdserver:
      db2 update dbm cfg using srvcon_pw_plugin IBMOSchgpwdserver
    2. Update the database manager configuration parameter CLNT_PW_PLUGIN with the value IBMOSchgpwdclient:
      db2 update dbm cfg using CLNT_PW_PLUGIN IBMOSchgpwdclient
    3. Ensure that either the database manager configuration parameter SRVCON_AUTH is set to a value of CLIENT, SERVER, SERVER_ENCRYPT, DATA_ENCRYPT, or DATA_ENCRYPT_CMP, or the database manager configuration parameter SRVCON_AUTH is set to a value of NOT_SPECIFIED and AUTHENTICATION is set to a value of CLIENT, SERVER, SERVER_ENCRYPT, DATA_ENCRYPT, or DATA_ENCRYPT_CMP.
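
The following script is an added example, not part of the IBM documentation, that checks the outcome of steps 2 and 3: the two plug-in parameters, the authentication rule from step 3.3, and the structure of the PAM file, including a rule wrapped onto a second line without a backslash. It assumes that `db2 get dbm cfg` prints each parameter as `Description (NAME) = value`; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not IBM code. Assumption: "db2 get dbm cfg" prints each
# parameter as "Description (NAME) = value".
MODES="CLIENT SERVER SERVER_ENCRYPT DATA_ENCRYPT DATA_ENCRYPT_CMP"

# cfg_value NAME: print NAME's value from dbm cfg text read on stdin.
cfg_value() {
    sed -n "s/^.*($1)[[:space:]]*=[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_dbm_cfg: dbm cfg text on stdin; prints findings, returns 1 on failure.
check_dbm_cfg() {
    cfg=$(cat); rc=0
    srv=$(printf '%s\n' "$cfg" | cfg_value SRVCON_PW_PLUGIN)
    cli=$(printf '%s\n' "$cfg" | cfg_value CLNT_PW_PLUGIN)
    eff=$(printf '%s\n' "$cfg" | cfg_value SRVCON_AUTH)
    # Step 3.3: when SRVCON_AUTH is NOT_SPECIFIED, AUTHENTICATION is checked instead.
    [ "$eff" = NOT_SPECIFIED ] && eff=$(printf '%s\n' "$cfg" | cfg_value AUTHENTICATION)
    [ "$srv" = IBMOSchgpwdserver ] || { echo "FAIL SRVCON_PW_PLUGIN='$srv'"; rc=1; }
    [ "$cli" = IBMOSchgpwdclient ] || { echo "FAIL CLNT_PW_PLUGIN='$cli'"; rc=1; }
    case " $MODES " in *" $eff "*) ;; *) echo "FAIL authentication type '$eff'"; rc=1 ;; esac
    return $rc
}

# check_pam FILE: each rule must start with a PAM management group and all
# four groups must be present. Returns 1 on failure; nullok is only a warning.
check_pam() {
    awk '
        cont { cont = ($0 ~ /\\$/); next }          # continuation of the previous rule
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comment or blank line
        { cont = ($0 ~ /\\$/); t = $1; sub(/^-/, "", t) }
        t ~ /^(auth|account|password|session)$/ { seen[t] = 1
            if ($0 ~ /[ \t]nullok/) print "WARN line " NR ": nullok admits accounts with an empty password"
            next
        }
        { print "FAIL line " NR " is not a rule (wrapped line?): " $0; bad = 1 }
        END {
            n = split("auth account password session", g, " ")
            for (i = 1; i <= n; i++) if (!(g[i] in seen)) { print "FAIL no " g[i] " rule"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample of "db2 get dbm cfg" output, not taken from a real instance.
SAMPLE_CFG=' Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Client Userid-Password Plugin          (CLNT_PW_PLUGIN) = IBMOSchgpwdclient
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = IBMOSchgpwdserver'
printf '%s\n' "$SAMPLE_CFG" | check_dbm_cfg && echo "sample dbm cfg: OK"
```

On a real instance, run `db2 get dbm cfg | check_dbm_cfg` and `check_pam /etc/pam.d/db2`.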