trust_allclnts - Trust all clients configuration parameter

This parameter and trust_clntauth are used to determine where users are validated to the database environment.

Configuration type
Database manager
Applies to
  • Database server with local and remote clients
  • Database server with local clients
  • Partitioned database server with local and remote clients
Parameter type
Default [range]
This parameter is only active when the authentication parameter is set to CLIENT.
Attention: With the release of Db2® 11.5.9, the CLIENT authentication type is deprecated. Do not use this authentication type going forward, as it is insecure in many situations and might be removed in a future release.

By accepting the default of YES for this parameter, all clients are treated as trusted clients. This means that the server assumes that a level of security is available at the client and the possibility that users can be validated at the client.

This parameter can only be changed to NO if the authentication parameter is set to CLIENT. If this parameter is set to NO, the untrusted clients must provide a userid and password combination when they connect to the server. Untrusted clients are operating system platforms that do not have a security subsystem for authenticating users.

Setting this parameter to DRDAONLY protects against all clients except clients from Db2 for z/OS®, Db2 for VM and VSE, and Db2 for OS/400®. Only these clients can be trusted to perform client-side authentication. All other clients must provide a user ID and password to be authenticated by the server.

When trust_allclnts is set to DRDAONLY, the trust_clntauth parameter is used to determine where the clients are authenticated. If trust_clntauth is set to CLIENT, authentication occurs at the client. If trust_clntauth is set to SERVER, authentication occurs at the client if no password is provided, and at the server if a password is provided.