Considerations for DATA_ENCRYPT

Special considerations apply when the DATA_ENCRYPT authentication type is used. The information applies only to communication buffer exit libraries.

Important: The DATA_ENCRYPT authentication type is deprecated and might be removed in a future release. To encrypt data in transit between clients and Db2® databases, we recommend that you use the Db2 database system support for Transport Layer Security (TLS). For more information, see Encryption of data in transit.

The handling of communications that are protected with the authentication type DATA_ENCRYPT requires special mention. Unlike SSL, the encryption and decryption necessary to support DATA_ENCRYPT is performed by the database manager itself. It is performed after data is received from the client and before a reply is sent to the client.

Receive and DATA_ENCRYPT

When an encrypted DSS is received from the client, the database manager decrypts the buffer incrementally, as the data is needed. That is, the whole buffer is not decrypted all at one time. The communication buffer exit library is called with each piece of decrypted data as it becomes available.

The DSS length, or the DSS continuation length if the DSS is longer than a logical record, contains the length of the encrypted DSS. It does not contain the length of the decrypted buffer. As the encryption always adds padding, this length is always larger than the plaintext length. The length of the padding for DSS is a maximum of 8 bytes.

When the final call to db2CommexitRecv is made, the DB2COMMEXIT_RECV_IN_FLAG_END_DECRYPT flag is passed as input to indicate the end of the encrypted DSS.
Note: It is possible that the length in such a call is 0, which indicates that a full block of padding was added.

Send and DATA_ENCRYPT

When a DSS reply to the client is encrypted, multiple plaintext DSS and encrypted DSS might make up the buffer that is sent to the client. As these DSS are prepared, they are passed as input to the db2CommexitSend routine. They are passed one at a time, because the plaintext data must be available as input before it is encrypted. The database manager might encounter an error condition that requires it to purge previously prepared, but not yet sent, DSS. The communication buffer exit library might already have been told about these DSS. In that case the db2CommexitSend function is called with a length of 0 and the flag DB2COMMEXIT_SEND_IN_FLAG_PURGE, indicating that a purge occurred.
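The following is an added illustration, not Db2 code and not the db2CommexitRecv or db2CommexitSend signatures: a small C model of the bookkeeping an exit library needs for the receive and send behaviour described above. The flag values, the structure types, the 4096-byte buffer capacity and the function names are assumptions; only the flag names and the 8-byte padding limit come from the text. The receive side checks each fragment against the encrypted DSS length, which must always exceed the plaintext length by the padding (1 to 8 bytes), and the send side forgets pending DSS on a zero-length purge call.

```c
#include <stddef.h>
#include <string.h>

/* Flag values are assumptions for this model; the real values come from the Db2 header. */
#define DB2COMMEXIT_RECV_IN_FLAG_END_DECRYPT 0x01
#define DB2COMMEXIT_SEND_IN_FLAG_PURGE       0x01
#define DSS_MAX_PADDING   8     /* DATA_ENCRYPT padding is at most 8 bytes */
#define DSS_MAX_PLAINTEXT 4096  /* assumed capacity of this model's buffer */

typedef struct {
    size_t encrypted_len;  /* length from the DSS (or continuation) header */
    size_t plain_len;      /* decrypted bytes delivered so far */
    int complete;          /* set once END_DECRYPT has been seen */
    unsigned char plain[DSS_MAX_PLAINTEXT];
} dss_recv_state;

void dss_recv_begin(dss_recv_state *s, size_t encrypted_len) {
    memset(s, 0, sizeof *s);
    s->encrypted_len = encrypted_len;
}

/* One receive call: a decrypted fragment (possibly empty) and its input flags.
 * Returns 0 on success, -1 if the plaintext is inconsistent with the encrypted
 * length, which a library should treat as a protocol error. */
int dss_recv_fragment(dss_recv_state *s, const unsigned char *data,
                      size_t len, unsigned flags) {
    if (s->complete || len > DSS_MAX_PLAINTEXT - s->plain_len) return -1;
    /* Ciphertext always carries padding, so plaintext must stay shorter. */
    if (s->plain_len + len >= s->encrypted_len) return -1;
    memcpy(s->plain + s->plain_len, data, len);
    s->plain_len += len;
    if (flags & DB2COMMEXIT_RECV_IN_FLAG_END_DECRYPT) {
        /* A zero-length final call means a full 8-byte padding block. */
        if (s->encrypted_len - s->plain_len > DSS_MAX_PADDING) return -1;
        s->complete = 1;
    }
    return 0;
}

/* Send side: count DSS prepared but not yet sent; a zero-length call carrying
 * the purge flag tells the library to forget all of them. Returns the count. */
typedef struct { size_t pending; } dss_send_state;

size_t dss_send_notify(dss_send_state *q, size_t len, unsigned flags) {
    if (len == 0 && (flags & DB2COMMEXIT_SEND_IN_FLAG_PURGE)) q->pending = 0;
    else if (len > 0) q->pending++;
    return q->pending;
}
```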