Authentication types supported with Db2 Connect Server
Certain combinations of authentication and security settings are supported with Db2 Connect.
- Authentication types for TCP/IP connections
- The TCP/IP communication protocol does not support authentication options at the network protocol layer. The authentication type determines where authentication takes place. Only the combinations shown in this table are supported by Db2 Connect. The authentication setting is in the database directory entry at the Db2 Connect Server.
Table 1. Valid Authentication Scenarios

| Scenario | Authentication setting | Validation |
|---|---|---|
| 1 | CLIENT | Client |
| 2 | SERVER | IBM mainframe database server |
| 3 | SERVER_ENCRYPT | IBM mainframe database server |
| 4 | KERBEROS | Kerberos security |
| 6 | SERVER_ENCRYPT_AES | Host database server |

- Discussion of Authentication types
- The following discussion applies to the connections described previously and listed in Table 1.
Each scenario is described in more detail, as follows:
- In scenario 1, the user name and password are validated only at the remote client. For a local client, the user name and password are validated only at the Db2 Connect Server. The user is expected to be authenticated at the location they sign on to. The user ID is sent across the network, but not the password. Use this type of security only if all client workstations have adequate security facilities that can be trusted.
- In scenario 2, the user name and password are validated at the IBM mainframe database server only. The user ID and password are sent across the network from the remote client to the Db2 Connect Server and from the Db2 Connect Server to the IBM mainframe database server.
- Scenario 3 is the same as scenario 2, except that the user ID and password are encrypted.
- In scenario 4, a Kerberos ticket is obtained by the client from the Kerberos KDC. The ticket is passed unaltered through Db2 Connect Server, where it is validated by the server.
- Scenario 5 is the same as scenario 3, except that an Advanced Encryption Standard (AES) encryption algorithm is used.
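Because the authentication setting lives in the database directory entry on the Db2 Connect Server, reviewing those entries is the quickest way to see which scenario from Table 1 each cataloged host database falls under. The following script is an added example, not IBM's code or part of this documentation: it parses a listing in the layout of `db2 list database directory`, maps each entry's `Authentication` value to the validation location and on-the-wire behaviour described in the scenarios above, and flags entries that still rely on CLIENT or on unencrypted SERVER authentication. The database aliases, node name and the listing text itself are constructed for the example.

```python
"""Audit the authentication setting of each remote database directory entry
on a Db2 Connect server.  Added example (not IBM's code): it classifies
entries according to Table 1 and the scenario discussion above."""
import re

# Authentication setting -> (scenario number from Table 1, where validation
# happens, what crosses the network), taken from the scenario descriptions.
AUTH_SCENARIOS = {
    "CLIENT": (1, "Client", "user ID only (password never sent)"),
    "SERVER": (2, "IBM mainframe database server", "user ID and password, unencrypted"),
    "SERVER_ENCRYPT": (3, "IBM mainframe database server", "user ID and password, encrypted"),
    "KERBEROS": (4, "Kerberos security", "Kerberos ticket, passed through unaltered"),
    "SERVER_ENCRYPT_AES": (6, "Host database server", "user ID and password, AES-encrypted"),
}

# Constructed sample in the layout of `db2 list database directory`;
# the aliases and the node name are made up for this example.
SAMPLE_LISTING = """\
 System Database Directory

 Number of entries in the directory = 3

Database 1 entry:

 Database alias                       = HOSTDB1
 Database name                        = HOSTDB1
 Node name                            = ZNODE
 Directory entry type                 = Remote
 Authentication                       = SERVER
 Catalog database partition number    = -1

Database 2 entry:

 Database alias                       = HOSTDB2
 Database name                        = HOSTDB2
 Node name                            = ZNODE
 Directory entry type                 = Remote
 Authentication                       = SERVER_ENCRYPT_AES
 Catalog database partition number    = -1

Database 3 entry:

 Database alias                       = HOSTDB3
 Database name                        = HOSTDB3
 Node name                            = ZNODE
 Directory entry type                 = Remote
 Authentication                       = CLIENT
 Catalog database partition number    = -1
"""


def parse_directory(listing):
    """Split a directory listing into one dict of 'field = value' pairs per entry."""
    entries = []
    current = None
    for line in listing.splitlines():
        if re.match(r"Database \d+ entry:", line.strip()):
            current = {}
            entries.append(current)
            continue
        if current is None:  # still in the header block before the first entry
            continue
        m = re.match(r"\s*(.+?)\s*=\s*(.*)$", line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    return entries


def assess(entry):
    """Return the Table 1 scenario an entry falls under and the finding a reviewer would note."""
    alias = entry.get("Database alias", "?")
    auth = entry.get("Authentication", "").upper()
    scenario = AUTH_SCENARIOS.get(auth)
    if scenario is None:
        return {"alias": alias, "authentication": auth or "(none)", "scenario": None,
                "validated_at": None, "on_wire": None,
                "finding": "not one of the combinations Db2 Connect supports"}
    number, validated_at, on_wire = scenario
    if auth == "CLIENT":
        finding = "relies entirely on client workstation security"
    elif auth == "SERVER":
        finding = "password crosses the network unencrypted"
    else:
        finding = "ok"
    return {"alias": alias, "authentication": auth, "scenario": number,
            "validated_at": validated_at, "on_wire": on_wire, "finding": finding}


def audit(listing):
    """Assess every entry in a directory listing."""
    return [assess(e) for e in parse_directory(listing)]


if __name__ == "__main__":
    for r in audit(SAMPLE_LISTING):
        print(f"{r['alias']:<8} {r['authentication']:<20} scenario={r['scenario']} "
              f"validated at: {r['validated_at']}; on wire: {r['on_wire']}; {r['finding']}")
```

On a real Db2 Connect Server the listing comes from `db2 list database directory`, and an entry's setting is chosen when the database is cataloged, for example `db2 catalog database HOSTDB1 at node ZNODE authentication SERVER_ENCRYPT` (the alias and node name here are the constructed ones from the sample). An entry flagged as SERVER is the scenario 2 case in which the password travels in the clear on both hops, from the client to the Db2 Connect Server and from there to the mainframe.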