Encrypted passwords

Database user accounts must be authenticated during access requests to the Db2® database. For user accounts that use local authentication, Db2 stores the password in encrypted form in the system catalog.

Local authentication requires a password for every account. If you use LDAP authentication, a password is optional. During LDAP authentication, Db2 uses the services of an LDAP server in your environment to validate and verify Db2 database users.

  • When you are using the Db2 CLI commands, the clear-text password must be entered on the command line. You can set the environment variable DB_PASSWORD to avoid typing the password on the command line, but the variable is stored in clear text with the other environment variables.
  • To avoid displaying the password on the command line, in scripts, or in the environment variables, you can use the dbpassword command to create a locally stored encrypted password.

You cannot use stored passwords with ODBC or JDBC.

The dbpassword command syntax is:
dbpassword add -u user -pw password -host hostname|IP address
Where:
  • The user name is the Db2 database user name in the Db2 system catalog. If you do not specify the user name on the command line, the dbpassword command uses the environment variable DB_USER.
  • The password is the Db2 database user password in the Db2 system catalog or the password that is specified in the environment variable DB_PASSWORD. If you do not supply a password on the command line or in the environment variable, the system prompts you for a password.
  • The host name is the Db2 host. If you do not specify the host name on the command line, the dbpassword command uses the environment variable DB_HOST. You can create encrypted passwords for any number of user name/host pairs.

When you use the dbpassword add command to cache the password, quotation marks are not required around the user name or password values. Qualify the user name or password with a surrounding pair of single quotation marks that enclose double quotation marks (for example, '"Bob"') only if the value is case-sensitive. Whether you specify quoted or unquoted names or passwords in dbpassword or other db commands, you must use the same quoting style in all cases.

If you qualify a user name that is not case-sensitive with quotation marks (for example '"netezza"'), the command might still complete successfully, but it might not work in all command cases.

After you type the dbpassword command, the system sends the encrypted password to the Db2 host where it is compared against the user name/password in the system catalog.

  • If the information matches, Db2 stores the encrypted information in a local password cache and displays no additional message.
    • On Linux® and Solaris, the password cache is the file .dbpassword in the user home directory. The system creates this file without access permissions for other users, and refuses to accept a password cache whose permissions allow other users access.
    • On Windows, the password cache is stored in the registry.
  • If the information does not match, Db2 displays a message that indicates that the authentication request failed. Db2 also logs all verification attempts.
  • If the database administrator changes a user password in the system catalog, the existing dbpassword cache entries for that user become invalid and must be re-created with dbpassword add.
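The two checks below are an added example, not part of the Db2 documentation or the dbpassword tool: one reproduces the permission test the documentation describes for the Linux/Solaris cache file (Db2 refuses a .dbpassword that other users can access), the other flags the clear-text DB_PASSWORD environment variable that the first bullet warns about. The function names and the default cache path ~/.dbpassword are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Db2 dbpassword setup (not Db2's own code).

# check_dbpassword_cache [FILE]
# Returns 0 when FILE (default ~/.dbpassword, an assumption) exists, is a
# regular file owned by the caller, and has no group/other permission bits,
# which is the condition the documentation says Db2 requires before it
# accepts the cache. Returns non-zero with a reason on stderr otherwise.
check_dbpassword_cache() {
    cache="${1:-$HOME/.dbpassword}"
    if [ ! -f "$cache" ]; then
        echo "no password cache at $cache" >&2
        return 1
    fi
    if [ ! -O "$cache" ]; then
        echo "$cache is not owned by the current user" >&2
        return 2
    fi
    # Columns 5-10 of 'ls -l' output are the group and other permission bits;
    # parsing ls is portable across Linux and Solaris, unlike stat(1) flags.
    mode=$(ls -ld "$cache" | cut -c1-10)
    others=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$others" != "------" ]; then
        echo "$cache is accessible to other users (mode $mode); Db2 will refuse it" >&2
        return 3
    fi
    return 0
}

# warn_clear_text_password_env
# Returns 1 when DB_PASSWORD is present in the environment (even if empty),
# because the variable is stored in clear text alongside other environment
# variables and is visible to anything that can read the process environment.
warn_clear_text_password_env() {
    if [ -n "${DB_PASSWORD+set}" ]; then
        echo "DB_PASSWORD is set in the environment; prefer 'dbpassword add' with the interactive prompt" >&2
        return 1
    fi
    return 0
}
```

Source the file and call check_dbpassword_cache before scripts that rely on the cached credential, or run it with an explicit path to inspect another cache file.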