Security under the IBM Data Server Driver for JDBC and SQLJ
When you use the IBM® Data Server Driver for JDBC and SQLJ, you choose a security mechanism by specifying a value for the securityMechanism Connection or DataSource property, or the db2.jcc.securityMechanism global configuration property.
- If you use the DriverManager interface, set securityMechanism in a java.util.Properties object before you invoke the form of the getConnection method that includes the java.util.Properties parameter.
- If you use the DataSource interface, and you are creating and deploying your own DataSource objects, invoke the DataSource.setSecurityMechanism method after you create a DataSource object.
You can determine the security mechanism that is in effect for a connection by calling the DB2Connection.getDB2SecurityMechanism method.
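The two configuration paths described above, followed by the read-back call, as an added example (not code from the IBM documentation). It assumes the driver's DB2SimpleDataSource class and the type 4 driver; the host name, port, database name and credentials are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

import com.ibm.db2.jcc.DB2BaseDataSource;
import com.ibm.db2.jcc.DB2Connection;
import com.ibm.db2.jcc.DB2SimpleDataSource;

/**
 * Added example: selecting a security mechanism through DriverManager and
 * through a DataSource, then reading back the mechanism that is actually in
 * effect. Connection details below are placeholders, not documented values.
 */
public class SecurityMechanismExample {

    // Placeholder connection details (assumed for the example).
    static final String HOST = "db2.example.internal";
    static final int PORT = 50001;
    static final String DATABASE = "SAMPLE";

    /** DriverManager path: securityMechanism must be in the Properties before getConnection. */
    static Connection viaDriverManager(String user, String password) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // The property value is the numeric constant (9) supplied as a string.
        props.setProperty("securityMechanism",
                String.valueOf(DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY));
        String url = "jdbc:db2://" + HOST + ":" + PORT + "/" + DATABASE;
        return DriverManager.getConnection(url, props);
    }

    /** DataSource path: call setSecurityMechanism after the DataSource object exists. */
    static Connection viaDataSource(String user, String password) throws SQLException {
        DB2SimpleDataSource ds = new DB2SimpleDataSource();
        ds.setServerName(HOST);
        ds.setPortNumber(PORT);
        ds.setDatabaseName(DATABASE);
        ds.setDriverType(4); // type 4 (pure Java) connectivity
        ds.setSecurityMechanism(DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY);
        return ds.getConnection(user, password);
    }

    /** Returns the mechanism the driver actually used for this connection. */
    static int effectiveMechanism(Connection conn) throws SQLException {
        // The driver's Connection objects implement DB2Connection; unwrap also
        // works when a pool or wrapper sits in front of the driver connection.
        DB2Connection db2Conn = conn.unwrap(DB2Connection.class);
        return db2Conn.getDB2SecurityMechanism();
    }

    public static void main(String[] args) throws SQLException {
        String user = args.length > 0 ? args[0] : "placeholder_user";
        String password = args.length > 1 ? args[1] : "placeholder_password";
        try (Connection conn = viaDataSource(user, password)) {
            System.out.println("securityMechanism in effect: " + effectiveMechanism(conn));
        }
    }
}
```

The same numeric value can be supplied once for the whole JVM through the db2.jcc.securityMechanism global configuration property instead of per connection; reading the value back with getDB2SecurityMechanism is what tells you which mechanism was negotiated, since the driver can change it during connection retries.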
The following table lists the security mechanisms that the IBM Data Server Driver for JDBC and SQLJ supports, and the data sources that support those security mechanisms.
Security mechanism | Supported by Db2 on Linux, UNIX, and Windows systems | Supported by Db2 for z/OS® | Supported by IBM Informix® | Supported by Db2 for IBM i |
---|---|---|---|---|
User ID and password | Yes | Yes | Yes | Yes |
User ID only | Yes | Yes | Yes | Yes |
User ID and encrypted password¹ | Yes | Yes | Yes | Yes⁴ |
Encrypted user ID¹ | Yes² | Yes | No | No |
Encrypted user ID and encrypted password¹ | Yes | Yes | No⁵ | Yes⁴ |
Encrypted user ID and encrypted security-sensitive data¹ | No | Yes | No | No |
Encrypted user ID, encrypted password, and encrypted security-sensitive data¹ | Yes | Yes | No | No |
Kerberos³ | Yes | Yes | No | Yes |
Plugin³ | Yes | No | No | No |
Certificate authentication³ | No | Yes | No | No |
Token authentication | Yes | No | No | No |
Note:
The following table lists the security mechanisms that the IBM Data Server Driver for JDBC and SQLJ supports, and the value that you need to specify for the securityMechanism property to select each security mechanism.

Security mechanism | securityMechanism property value |
---|---|
User ID and password | DB2BaseDataSource.CLEAR_TEXT_PASSWORD_SECURITY (3) |
User ID only | DB2BaseDataSource.USER_ONLY_SECURITY (4) |
User ID and encrypted password¹ | DB2BaseDataSource.ENCRYPTED_PASSWORD_SECURITY (7) |
Encrypted user ID¹ | DB2BaseDataSource.ENCRYPTED_USER_ONLY_SECURITY (16) |
Encrypted user ID and encrypted password¹,² | DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY (9) |
Encrypted user ID and encrypted security-sensitive data¹ | DB2BaseDataSource.ENCRYPTED_USER_AND_DATA_SECURITY (12) |
Encrypted user ID, encrypted password, and encrypted security-sensitive data¹ | DB2BaseDataSource.ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY (13) |
Kerberos | DB2BaseDataSource.KERBEROS_SECURITY (11) |
Plugin | DB2BaseDataSource.PLUGIN_SECURITY (15) |
Certificate authentication | DB2BaseDataSource.TLS_CLIENT_CERTIFICATE_SECURITY (18) |
Token authentication | DB2BaseDataSource.TOKEN_SECURITY (19) |
Note:

- When you explicitly set the security mechanism to ENCRYPTED_USER_AND_PASSWORD_SECURITY (9), and a retry process with an alternative security mechanism is not defined, the driver does not retry the connection with CLEAR_TEXT_PASSWORD_SECURITY (3). The driver throws an exception with Reason: Security mechanism not supported.
- When ICSF or the cryptoprocessor is not enabled on a z/OS system on which a Db2 for z/OS data server runs, the driver returns an error with Reason: Local security service non-retryable error. The driver retries the connection by opening a new socket using CLEAR_TEXT_PASSWORD_SECURITY (3).
- When FIPS 140-3 cryptographic security is enabled for the Java™ runtime environment or SDK for Java, and the connection to the data server uses ENCRYPTED_USER_AND_PASSWORD_SECURITY (9) by default, the driver throws an exception with Caused by: java.lang.ExceptionInInitializerError. The driver retries the connection with CLEAR_TEXT_PASSWORD_SECURITY (3).
- When the version of the Java runtime environment or SDK for Java is Version 8 or older, the policy files have expired, and the connection to the data server uses ENCRYPTED_USER_AND_PASSWORD_SECURITY (9) by default, the driver throws a java.security.InvalidKeyException. The driver retries the connection with CLEAR_TEXT_PASSWORD_SECURITY (3).
- When a connection to a Db2 for z/OS or Db2 on Linux, UNIX, and Windows systems data server uses SSL, the connection uses CLEAR_TEXT_PASSWORD_SECURITY (3) by default. If you explicitly set the security mechanism to another value, the driver uses the explicitly set value.
- The default security mechanism is ENCRYPTED_USER_AND_PASSWORD_SECURITY. If the data server does not support ENCRYPTED_USER_AND_PASSWORD_SECURITY, but supports CLEAR_TEXT_PASSWORD_SECURITY, the driver changes the security mechanism to CLEAR_TEXT_PASSWORD_SECURITY and attempts to connect to the data server. When the driver retries the connection using CLEAR_TEXT_PASSWORD_SECURITY, performance might be degraded. To minimize the performance impact, take one of the following actions:
  - Explicitly set the security mechanism to CLEAR_TEXT_PASSWORD_SECURITY on the client side.
  - Change the data server setting to support ENCRYPTED_USER_AND_PASSWORD_SECURITY.

  Any mismatch in security mechanism support between the requester and the data server other than CLEAR_TEXT_PASSWORD_SECURITY and ENCRYPTED_USER_AND_PASSWORD_SECURITY results in an error.

  Before version 4.33 of the IBM Data Server Driver for JDBC and SQLJ, the default security mechanism is CLEAR_TEXT_PASSWORD_SECURITY (3). If the data server does not support CLEAR_TEXT_PASSWORD_SECURITY (3), but supports ENCRYPTED_USER_AND_PASSWORD_SECURITY (9), the driver changes the security mechanism to ENCRYPTED_USER_AND_PASSWORD_SECURITY (9) and attempts to connect to the data server. Any other mismatch in security mechanism support between the requester and the data server results in an error.
- A connection to a Db2 for z/OS subsystem or data sharing group that uses the default security mechanism of ENCRYPTED_USER_AND_PASSWORD_SECURITY (9) and AES encryption is successful only if the z/OS Integrated Cryptographic Service Facility (ICSF) is enabled on the z/OS system where each subsystem or data sharing member is installed. ICSF is required for decrypting the user ID and password. If ICSF is not installed, you need to set the security mechanism to CLEAR_TEXT_PASSWORD_SECURITY (3).
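Several of the conditions listed above (ICSF not enabled, FIPS 140-3 mode, expired Java 8 policy files, a data server that lacks support) make the driver retry with CLEAR_TEXT_PASSWORD_SECURITY (3) when the default ENCRYPTED_USER_AND_PASSWORD_SECURITY (9) was relied on. The following added example (not IBM code) is a post-connect guard that detects such a fallback via getDB2SecurityMechanism and accepts it only when the connection is configured for SSL, where the documentation says clear text is the normal default. The class, method and policy names are the example's own; whether SSL is configured is passed in by the caller, since the driver property that controls it is not covered on this page.

```java
import java.sql.Connection;
import java.sql.SQLException;

import com.ibm.db2.jcc.DB2Connection;

/**
 * Added example: detect the driver's automatic fallback from
 * ENCRYPTED_USER_AND_PASSWORD_SECURITY (9) to CLEAR_TEXT_PASSWORD_SECURITY (3)
 * after a connection has been established. The policy method is plain Java so
 * it can be exercised without a data server. All names here are assumed.
 */
public final class SecurityMechanismGuard {

    // securityMechanism values from the documentation's table.
    static final int CLEAR_TEXT_PASSWORD_SECURITY = 3;
    static final int ENCRYPTED_USER_AND_PASSWORD_SECURITY = 9;

    /** Human-readable name for a securityMechanism value, for log messages. */
    static String mechanismName(int value) {
        switch (value) {
            case 3:  return "CLEAR_TEXT_PASSWORD_SECURITY";
            case 4:  return "USER_ONLY_SECURITY";
            case 7:  return "ENCRYPTED_PASSWORD_SECURITY";
            case 9:  return "ENCRYPTED_USER_AND_PASSWORD_SECURITY";
            case 11: return "KERBEROS_SECURITY";
            case 12: return "ENCRYPTED_USER_AND_DATA_SECURITY";
            case 13: return "ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY";
            case 15: return "PLUGIN_SECURITY";
            case 16: return "ENCRYPTED_USER_ONLY_SECURITY";
            case 18: return "TLS_CLIENT_CERTIFICATE_SECURITY";
            case 19: return "TOKEN_SECURITY";
            default: return "UNKNOWN(" + value + ")";
        }
    }

    /**
     * Policy: the negotiated mechanism must equal the requested one, except
     * that a 9 -> 3 change is tolerated when the transport is SSL, because
     * the credentials are then protected by the transport rather than by
     * credential encryption. Any other change is treated as a downgrade.
     */
    static boolean isAcceptable(int requested, int effective, boolean sslConfigured) {
        if (effective == requested) {
            return true;
        }
        if (requested == ENCRYPTED_USER_AND_PASSWORD_SECURITY
                && effective == CLEAR_TEXT_PASSWORD_SECURITY) {
            return sslConfigured;
        }
        return false;
    }

    /** Reads the effective mechanism and closes the connection if the policy rejects it. */
    static void enforce(Connection conn, int requested, boolean sslConfigured) throws SQLException {
        int effective = conn.unwrap(DB2Connection.class).getDB2SecurityMechanism();
        if (!isAcceptable(requested, effective, sslConfigured)) {
            conn.close();
            throw new SQLException("security mechanism downgraded: requested "
                    + mechanismName(requested) + ", negotiated " + mechanismName(effective));
        }
    }

    /** Self-check of the policy table, runnable without a data server (java -ea). */
    public static void main(String[] args) {
        assert isAcceptable(9, 9, false);   // no change: fine
        assert isAcceptable(9, 3, true);    // clear text over SSL: documented default
        assert !isAcceptable(9, 3, false);  // clear text without SSL: reject
        assert !isAcceptable(9, 4, true);   // any other change: reject
        System.out.println("policy self-check passed");
    }
}
```

Call enforce(conn, requested, sslConfigured) immediately after getConnection returns, with the same value you set in securityMechanism (or 9 when you rely on the 4.33+ default). For connections where you explicitly set 9 and no retry process is defined, the first note above says the driver throws instead of retrying, so the guard matters most where the default is relied on or a retry process is configured.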
Db2 on Linux, UNIX, and Windows systems server authentication type | securityMechanism setting |
---|---|
CLIENT | USER_ONLY_SECURITY |
SERVER | CLEAR_TEXT_PASSWORD_SECURITY |
SERVER_ENCRYPT | CLEAR_TEXT_PASSWORD_SECURITY, ENCRYPTED_PASSWORD_SECURITY, or ENCRYPTED_USER_AND_PASSWORD_SECURITY |
DATA_ENCRYPT | ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY |
KERBEROS | KERBEROS_SECURITY or PLUGIN_SECURITY² |
KRB_SERVER_ENCRYPT | KERBEROS_SECURITY, PLUGIN_SECURITY¹, ENCRYPTED_PASSWORD_SECURITY, or ENCRYPTED_USER_AND_PASSWORD_SECURITY |
GSSPLUGIN | PLUGIN_SECURITY¹ or KERBEROS_SECURITY |
GSS_SERVER_ENCRYPT³ | CLEAR_TEXT_PASSWORD_SECURITY, ENCRYPTED_PASSWORD_SECURITY, ENCRYPTED_USER_AND_PASSWORD_SECURITY, PLUGIN_SECURITY, or KERBEROS_SECURITY |
SERVER_ENCRYPT_TOKEN | ENCRYPTED_PASSWORD_SECURITY, ENCRYPTED_USER_AND_PASSWORD_SECURITY, or TOKEN_SECURITY |
KERBEROS_TOKEN | KERBEROS_SECURITY, PLUGIN_SECURITY, or TOKEN_SECURITY |
KRB_SVR_ENC_TOKEN | ENCRYPTED_PASSWORD_SECURITY, ENCRYPTED_USER_AND_PASSWORD_SECURITY, KERBEROS_SECURITY, PLUGIN_SECURITY, or TOKEN_SECURITY |
GSSPLUGIN_TOKEN | KERBEROS_SECURITY, PLUGIN_SECURITY, or TOKEN_SECURITY |
GSS_SVR_ENC_TOKEN | ENCRYPTED_PASSWORD_SECURITY, ENCRYPTED_USER_AND_PASSWORD_SECURITY, PLUGIN_SECURITY, KERBEROS_SECURITY, or TOKEN_SECURITY |
Notes: