Deploying a user ID/password plug-in

To customize the Db2® security system's user ID/password authentication behavior, you can develop your own user ID/password authentication plug-ins or buy one from a third party.

Before you begin

Depending on their intended usage, all user ID/password-based authentication plug-ins must be placed in either the client plug-in directory or the server plug-in directory. If a plug-in is placed in the client plug-in directory, it is used both for local authorization checking and for validating the client when it attempts to connect to the server. If the plug-in is placed in the server plug-in directory, it is used for handling incoming connections to the server and for checking whether an authorization ID exists and is valid whenever the GRANT statement is issued without specifying either the keyword USER or GROUP. In most situations, user ID/password authentication requires only a server-side plug-in. It is possible, though generally deemed less useful, to have only a client user ID/password plug-in. It is possible, though quite unusual, to require matching user ID/password plug-ins on both the client and the server.
Note: You must stop the Db2 server or any applications using the plug-ins before you deploy a new version of an existing plug-in. Undefined behavior, including traps, will occur if a process is still using a plug-in when a new version (with the same name) is copied over it. This restriction does not apply when you deploy a plug-in for the first time or when the plug-in is not in use.
After you acquire user ID/password authentication plug-ins that are suitable for your database management system, you can deploy them.

Procedure

  • To deploy a user ID/password authentication plug-in on the database server, perform the following steps on the database server:
    1. Copy the user ID/password authentication plug-in library into the server plug-in directory.
    2. Update the database manager configuration parameter srvcon_pw_plugin with the name of the server plug-in.
      This plug-in is used by the server when it is handling CONNECT and ATTACH requests.
    3. Either:
      • Set the database manager configuration parameter srvcon_auth to the CLIENT, SERVER, or SERVER_ENCRYPT authentication type. Or:
      • Set the database manager configuration parameter srvcon_auth to NOT_SPECIFIED and set the authentication database manager configuration parameter to the CLIENT, SERVER, or SERVER_ENCRYPT authentication type.
  • To deploy a user ID/password authentication plug-in on database clients, perform the following steps on each client:
    1. Copy the user ID/password authentication plug-in library into the client plug-in directory.
    2. Update the database manager configuration parameter clnt_pw_plugin with the name of the client plug-in. This plug-in is loaded and called regardless of where the authentication is being done, not only when the database manager configuration parameter authentication is set to CLIENT.
  • For local authorization on a client, server, or gateway using a user ID/password authentication plug-in, perform the following steps on each client, server, or gateway:
    1. Copy the user ID/password authentication plug-in library into the client plug-in directory on the client, server, or gateway.
    2. Update the database manager configuration parameter clnt_pw_plugin with the name of the plug-in.
    3. Set the authentication database manager configuration parameter to CLIENT, SERVER, or SERVER_ENCRYPT.
    Attention: SERVER_ENCRYPT is disabled on Db2 clients and servers running in strict FIPS mode. It is recommended that you use SERVER authentication with TLS as a more secure alternative. For more information on TLS, see Encryption of data in transit.
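The following shell script is an added example, not IBM's code, that scripts the server-side and client-side procedures above with the two checks a deployer would want: it refuses to copy a library over an existing one unless the caller confirms the instance is stopped (the Note above), and it rejects SERVER_ENCRYPT when the host runs in strict FIPS mode (the Attention above). Assumptions not stated on the page: the instance home is $DB2_INSTHOME (default ~/sqllib), the plug-in directories follow the usual 64-bit layout security64/plugin/server and security64/plugin/client, the plug-in name set in the configuration is the library file name without its extension, and DB2_DRY_RUN=1 prints the db2 commands instead of running them so the script can be exercised on a machine without Db2.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumed layout: $DB2_INSTHOME/security64/plugin/{server,client}.
DB2_INSTHOME="${DB2_INSTHOME:-$HOME/sqllib}"
DB2_DRY_RUN="${DB2_DRY_RUN:-0}"   # 1 = print db2 commands instead of running them

# Run a command, or print it when dry-running.
db2cmd() {
    if [ "$DB2_DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Resolve step 3 of the server procedure: srvcon_auth wins unless it is
# NOT_SPECIFIED, in which case authentication applies. Only CLIENT, SERVER and
# SERVER_ENCRYPT are accepted, and SERVER_ENCRYPT is refused in strict FIPS mode.
# Args: srvcon_auth authentication fips_strict(yes|no). Prints the effective type.
effective_auth() {
    local srvcon="$1" auth="$2" fips="$3" eff
    if [ "$srvcon" = "NOT_SPECIFIED" ]; then eff="$auth"; else eff="$srvcon"; fi
    case "$eff" in
        CLIENT|SERVER) ;;
        SERVER_ENCRYPT)
            if [ "$fips" = "yes" ]; then
                echo "SERVER_ENCRYPT is disabled in strict FIPS mode; use SERVER with TLS" >&2
                return 1
            fi ;;
        *) echo "unsupported authentication type: $eff" >&2; return 1 ;;
    esac
    printf '%s\n' "$eff"
}

# Copy a plug-in library into a plug-in directory. A library of the same name
# may only be replaced when the caller asserts the instance is stopped.
# Args: library_path plugin_dir state(running|stopped)
install_plugin() {
    local lib="$1" dir="$2" state="$3" base
    base=$(basename "$lib")
    if [ -e "$dir/$base" ] && [ "$state" != "stopped" ]; then
        echo "refusing to overwrite $dir/$base while the instance may be running" >&2
        return 1
    fi
    mkdir -p "$dir" && cp "$lib" "$dir/$base"
}

# Plug-in name as written into the configuration (assumed: file name without extension).
plugin_name() { local base; base=$(basename "$1"); printf '%s\n' "${base%%.*}"; }

# Server-side deployment (steps 1-3 of the first procedure).
# Args: library_path srvcon_auth authentication fips_strict state
deploy_server_plugin() {
    local lib="$1" srvcon="$2" auth="$3" fips="$4" state="$5" name
    effective_auth "$srvcon" "$auth" "$fips" >/dev/null || return 1
    install_plugin "$lib" "$DB2_INSTHOME/security64/plugin/server" "$state" || return 1
    name=$(plugin_name "$lib")
    db2cmd db2 update dbm cfg using SRVCON_PW_PLUGIN "$name"
    db2cmd db2 update dbm cfg using SRVCON_AUTH "$srvcon"
    if [ "$srvcon" = "NOT_SPECIFIED" ]; then
        db2cmd db2 update dbm cfg using AUTHENTICATION "$auth"
    fi
}

# Client-side deployment (steps 1-2 of the second procedure).
# Args: library_path state
deploy_client_plugin() {
    local lib="$1" state="$2" name
    install_plugin "$lib" "$DB2_INSTHOME/security64/plugin/client" "$state" || return 1
    name=$(plugin_name "$lib")
    db2cmd db2 update dbm cfg using CLNT_PW_PLUGIN "$name"
}
```

For a real deployment, run `db2stop` before calling either function with state "stopped" and `db2start` afterwards; in dry-run mode the functions only stage the library and print the `db2 update dbm cfg` commands, which is a convenient way to review a change before applying it.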