alternate_auth_enc - Alternate encryption algorithm for incoming connections at server configuration parameter

This configuration parameter specifies the alternate encryption algorithm used to encrypt the user IDs and passwords submitted to a Db2® database server for authentication. Specifically, this parameter affects the encryption algorithm when the authentication method negotiated between the Db2 client and the Db2 database server is SERVER_ENCRYPT.

Important: The DATA_ENCRYPT authentication type is deprecated and might be removed in a future release. To encrypt data in-transit between clients and Db2 databases, we recommend that you use the Db2 database system support of Transport Layer Security (TLS). For more information, see Encryption of data in transit.
Configuration type
Database manager
Applies to
  • Database server with local and remote clients
  • Database server with local clients
  • Partitioned database server with local and remote clients
Parameter type
Configurable
Default [range]
NOT_SPECIFIED [AES_CMP; AES_ONLY]

The user ID and password submitted for authentication on the Db2 database server are encrypted when the authentication method negotiated between the Db2 client and the Db2 server is SERVER_ENCRYPT. The authentication method negotiated depends on the authentication type setting on the server and the authentication type requested by the client. The choice of the encryption algorithm used to encrypt the user ID and password depends on the setting of the alternate_auth_enc database manager configuration parameter. It can be either DES or AES depending on this setting.

When the default (NOT_SPECIFIED) value is used, the database server accepts the encryption algorithm that the client proposes.

When alternate_auth_enc is set to AES_ONLY, the database server will only accept connections that use AES encryption. If the client does not support AES encryption, then the connection is rejected.

When alternate_auth_enc is set to AES_CMP, the database server will accept user IDs and passwords that are encrypted using either AES or DES, but it will negotiate for AES if the client supports AES encryption.

Note: You cannot set alternate_auth_enc to AES_CMP or AES_ONLY if authentication is set to DATA_ENCRYPT.
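
The following is an added example, not IBM's code: a POSIX shell check that reads `db2 get dbm cfg` output on stdin and reports whether the settings described above still allow DES-encrypted credentials. The `(KEYWORD) = VALUE` line layout is an assumption, the function names are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit alternate_auth_enc from `db2 get dbm cfg` text on stdin.
# Assumption: each parameter is printed as "... (KEYWORD) = VALUE".

# Print the value of one dbm cfg keyword from config text on stdin.
cfg_value() {
    sed -n "s/^.*($1)[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p" | head -n 1
}

# Classify the credential-encryption posture described on this page.
# Exit status: 0 = AES only, 1 = DES still possible, 2 = invalid pair, 3 = unknown.
audit_auth_enc() {
    cfg=$(cat)
    auth=$(printf '%s\n' "$cfg" | cfg_value AUTHENTICATION)
    alt=$(printf '%s\n' "$cfg" | cfg_value ALTERNATE_AUTH_ENC)
    case "$alt" in
        AES_ONLY|AES_CMP)
            # The page's note: these values cannot be set with DATA_ENCRYPT.
            if [ "$auth" = "DATA_ENCRYPT" ]; then
                echo "INVALID: $alt cannot be combined with DATA_ENCRYPT"
                return 2
            fi ;;
    esac
    case "$alt" in
        AES_ONLY)      echo "OK: only AES-encrypted credentials accepted" ;;
        AES_CMP)       echo "WEAK: AES preferred, DES still accepted"; return 1 ;;
        NOT_SPECIFIED) echo "WEAK: server accepts whatever the client proposes"; return 1 ;;
        *)             echo "UNKNOWN: ALTERNATE_AUTH_ENC not found"; return 3 ;;
    esac
}

# Constructed sample (not captured from a real instance).
SAMPLE_CFG=' Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Alternate authentication           (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED'

printf '%s\n' "$SAMPLE_CFG" | audit_auth_enc || true
```

On a live instance, pipe `db2 get dbm cfg` into `audit_auth_enc`; a WEAK result is cleared by `db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_ONLY` once every client supports AES.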