Security enhancements
Db2 11.5.9 provides better control over the connection of remote clients to Db2 instances.
Attention: This mod pack release is currently available for the following Db2 products:
- Db2 Distributed (on-premises)
- Db2 Warehouse on Cloud
Table 1 displays a list of security enhancements in Db2 11.5.9:
Enhancement | Description |
---|---|
Restricted TCP/IP listener mode. | If an unsecured TCP/IP connection is needed for certain Db2 features, the listener can now be started in restricted mode to prevent remote Db2 client connections. An example would be applications using type 2 connections over the secure port, while the Sync Point Manager uses the restricted TCP/IP port for processing. For more information, see svcename - TCP/IP service name configuration parameter. |
SSL security type support for Db2 nodes registered on an LDAP server. | Db2 11.5.9 includes an enhancement to the REGISTER LDAP command to support the SSL security type [see Transport Layer Security (TLS)]. By adding SSL, SSL4, or SSL6 to the LDAP binding info, the SSL security type gets updated on the LDAP server when node information is stored. When the LDAP server is queried by a Db2 client for the security type of a specific node, the SSL information is provided. This adds security type SSL support to nodes registered on LDAP. |
New restricted use of IMPORT and EXPORT operations with the ADMIN_CMD procedure. | With the release of Db2 11.5.9, Db2 database administrators can now restrict use of the ADMIN_CMD IMPORT and EXPORT features to predefined paths, by using the DB2_LOAD_RESTRICTED_IO_PATH miscellaneous variable. For example, if the DB2_LOAD_RESTRICTED_IO_PATH option is enabled, the ADMIN_CMD(IMPORT) file path for FROM filename, and the path(s) for LOBS FROM lob-path and XML FROM xml-path must all exist within the restricted paths. Also, the ADMIN_CMD(EXPORT) file path for TO filename, and the path(s) for LOBS TO lob-path and XML TO xml-path must all exist within the restricted paths. |
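
The path rule in the last table row, as an added example (not IBM code, and not a description of how Db2 itself evaluates paths): a pre-check that pulls the file paths out of an ADMIN_CMD IMPORT or EXPORT command string and reports the ones that fall outside a set of allowed directories. The directory `/db2/io`, the sample commands and the function names are constructed for illustration; absolute POSIX paths are assumed, and the value format of DB2_LOAD_RESTRICTED_IO_PATH is not modelled.

```python
import posixpath
import re

ALLOWED = ["/db2/io"]  # constructed example of the directories an administrator permits

# Constructed sample commands, in the form passed to ADMIN_CMD.
SAMPLES = [
    "IMPORT FROM /db2/io/staff.del OF DEL LOBS FROM /db2/io/lobs/, /tmp/lobs/ "
    "XML FROM /db2/io/../secret/ INSERT INTO staff",
    "EXPORT TO /db2/io_old/out.del OF DEL SELECT * FROM staff",
    "EXPORT TO /db2/io/out.del OF DEL LOBS TO /db2/io/lobs/ SELECT * FROM staff",
]

def _inside(path, allowed_dirs):
    """True if the normalised absolute path lies under one of allowed_dirs."""
    if not path.startswith("/"):
        return False  # a relative path depends on the server's working directory
    norm = posixpath.normpath(path)  # collapses "..", "." and trailing "/"
    for root in allowed_dirs:
        root = posixpath.normpath(root)
        # commonpath compares whole components: /db2/io_old is not under /db2/io
        if posixpath.commonpath([root, norm]) == root:
            return True
    return False  # note: symbolic links are not resolved by this offline check

def paths_outside(command, allowed_dirs):
    """Return the IMPORT/EXPORT file paths that are not under allowed_dirs."""
    op = command.split(None, 1)[0].upper()
    if op not in ("IMPORT", "EXPORT"):
        raise ValueError("not an IMPORT or EXPORT command")
    keyword = "FROM" if op == "IMPORT" else "TO"
    if op == "EXPORT":
        # Drop the select-statement so its own FROM is not read as a file clause.
        command = re.split(r"\bSELECT\b", command, maxsplit=1, flags=re.IGNORECASE)[0]
    # Matches FROM/TO filename, LOBS FROM/TO lob-path and XML FROM/TO xml-path,
    # where a clause may carry a comma-separated list of paths.
    clause = re.compile(
        r"\b(?:(?:LOBS|XML)\s+)?%s\s+([^\s,]+(?:\s*,\s*[^\s,]+)*)" % keyword,
        re.IGNORECASE,
    )
    found = [p.strip() for m in clause.finditer(command) for p in m.group(1).split(",")]
    return [p for p in found if not _inside(p, allowed_dirs)]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(paths_outside(cmd, ALLOWED) or "all paths inside", "<-", cmd)
```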