Security enhancements

Db2 11.5.9 provides better control over the connection of remote clients to Db2 instances.

Table 1 lists the security enhancements in Db2 11.5.9.

Table 1. Security enhancements in 11.5.9

Enhancement: Restricted TCP/IP listener mode
Description: If an unsecured TCP/IP connection is needed for certain Db2 features, the listener can now be started in restricted mode, which prevents remote Db2 client connections on that port. For example, applications can use type 2 connections over the secure port while the Sync Point Manager uses the restricted TCP/IP port for its processing. For more information, see svcename - TCP/IP service name configuration parameter.

Enhancement: SSL security type support for Db2 nodes registered on an LDAP server
Description: Db2 11.5.9 enhances the REGISTER LDAP command to support the SSL security type [see Transport Layer Security (TLS)]. By adding SSL, SSL4, or SSL6 to the LDAP binding information, the SSL security type is stored on the LDAP server together with the node information. When a Db2 client queries the LDAP server for the security type of a specific node, the SSL information is returned. This adds SSL as a supported security type for nodes registered in LDAP.

Enhancement: Restricted use of IMPORT and EXPORT operations with the ADMIN_CMD procedure
Description: With the release of Db2 11.5.9, Db2 database administrators can restrict the ADMIN_CMD IMPORT and EXPORT features to predefined paths by using the DB2_LOAD_RESTRICTED_IO_PATH miscellaneous variable. When DB2_LOAD_RESTRICTED_IO_PATH is enabled, the ADMIN_CMD(IMPORT) file path given for FROM filename, and the path(s) given for LOBS FROM lob-path and XML FROM xml-path, must all lie within the restricted paths. Likewise, the ADMIN_CMD(EXPORT) file path given for TO filename, and the path(s) given for LOBS TO lob-path and XML TO xml-path, must all lie within the restricted paths.
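The containment rule above is easy to get wrong if paths are compared as plain string prefixes: `/db2/restricted/out-copy` starts with `/db2/restricted/out`, and `/db2/restricted/in/../../../home/x/file.del` starts with `/db2/restricted/in`, yet neither is inside the restricted directory. The following is an added example written for this page, not Db2's own implementation, that models the check an enforcement point has to make: it pulls the FROM / LOBS FROM / XML FROM (IMPORT) and TO / LOBS TO / XML TO (EXPORT) arguments out of a command string, normalizes each path, and reports any that fall outside the configured roots. The list of restricted roots, the Unix-style paths, and the small subset of IMPORT/EXPORT syntax it parses are all assumptions made for the example; the page does not give the value format of DB2_LOAD_RESTRICTED_IO_PATH.

```python
"""Constructed model of the DB2_LOAD_RESTRICTED_IO_PATH containment rule.

Example code for this page, not Db2's implementation. Assumes Unix-style
absolute paths and takes the restricted directories as a Python list; the
real variable's value format is not taken from the page.
"""
import posixpath
import re
from typing import Dict, List, Sequence

# Constructed stand-in for the restricted directories an administrator set.
RESTRICTED_ROOTS = ["/db2/restricted/in", "/db2/restricted/out"]

# Path-bearing clauses named on the page. Multi-word clauses come first so
# the bare FROM/TO pattern does not also swallow "LOBS FROM" or "XML TO".
_CLAUSES = {
    "IMPORT": ["LOBS FROM", "XML FROM", "FROM"],
    "EXPORT": ["LOBS TO", "XML TO", "TO"],
}

# One single-quoted or bare path, optionally followed by ", path" repeats
# (LOBS/XML FROM|TO accept a comma-separated list of directories).
_PATH_ITEM = r"'[^']*'|[^\s,]+"
_PATH_LIST = rf"(?:{_PATH_ITEM})(?:\s*,\s*(?:{_PATH_ITEM}))*"


def is_within(path: str, root: str) -> bool:
    """True if `path` is `root` or lies below it.

    normpath collapses `..` and duplicate separators first, so a path such as
    `/db2/restricted/in/../../../home/x/file.del` is compared as
    `/home/x/file.del`; commonpath then compares whole components, so
    `/db2/restricted/out-copy` is not accepted as being under
    `/db2/restricted/out`. Symlinks are not resolved here because the example
    runs offline; a live enforcement point would canonicalize them as well.
    """
    if not (posixpath.isabs(path) and posixpath.isabs(root)):
        return False  # relative paths are ambiguous; treat them as outside
    norm_path = posixpath.normpath(path)
    norm_root = posixpath.normpath(root)
    return posixpath.commonpath([norm_path, norm_root]) == norm_root


def extract_paths(admin_cmd: str) -> Dict[str, List[str]]:
    """Return {clause: [paths]} for the path arguments of an IMPORT or EXPORT
    command string. Deliberately small parser: single-quoted or bare paths,
    comma-separated lists after LOBS/XML, no double quotes."""
    parts = admin_cmd.split()
    if not parts or parts[0].upper() not in _CLAUSES:
        raise ValueError("not an IMPORT or EXPORT command")
    found: Dict[str, List[str]] = {}
    for clause in _CLAUSES[parts[0].upper()]:
        prefix = ""
        if " " not in clause:
            # Bare FROM/TO must not match the LOBS/XML forms handled above.
            prefix = r"(?<!LOBS )(?<!XML )"
        pattern = rf"{prefix}\b{re.escape(clause)}\s+({_PATH_LIST})"
        m = re.search(pattern, admin_cmd, flags=re.IGNORECASE)
        if m:
            items = re.findall(_PATH_ITEM, m.group(1))
            found[clause] = [item.strip("'") for item in items]
    return found


def violations(admin_cmd: str, roots: Sequence[str] = RESTRICTED_ROOTS) -> List[str]:
    """List the "<clause> <path>" arguments that fall outside every restricted
    root. An empty list means the command is permitted under the rule."""
    bad: List[str] = []
    for clause, paths in extract_paths(admin_cmd).items():
        for p in paths:
            if not any(is_within(p, r) for r in roots):
                bad.append(f"{clause} {p}")
    return bad


if __name__ == "__main__":
    # Constructed command strings of the kind an ADMIN_CMD caller would pass.
    for cmd in (
        "IMPORT FROM '/db2/restricted/in/emp.ixf' OF IXF "
        "LOBS FROM /db2/restricted/in/lobs, /db2/restricted/in/lobs2 "
        "XML FROM '/db2/restricted/in/xml' INSERT INTO emp",
        "IMPORT FROM /db2/restricted/in/../../../home/x/file.del OF DEL INSERT INTO t",
        "EXPORT TO /db2/restricted/out-copy/emp.ixf OF IXF SELECT * FROM emp",
    ):
        print(violations(cmd) or "permitted", "<-", cmd)
```

The third sample shows why the command type has to drive which clauses are scanned: an EXPORT carries a SELECT whose own FROM names a table, not a file, so only TO / LOBS TO / XML TO are examined for EXPORT, and only FROM / LOBS FROM / XML FROM for IMPORT.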