Encrypted password, user ID, or data security under the IBM Data Server Driver for JDBC and SQLJ

IBM® Data Server Driver for JDBC and SQLJ supports encryption of user IDs, passwords, or data when Java applications access data servers.

Those security mechanisms use DRDA encryption. DRDA encryption is not intended to provide confidentiality and integrity of passwords or data over a network that is not secure, such as the Internet. DRDA encryption uses an anonymous key exchange, Diffie-Hellman, which does not provide authentication of the server or the client. DRDA encryption is vulnerable to man-in-the-middle attacks.

The IBM Data Server Driver for JDBC and SQLJ supports 56-bit DES (weak) encryption or 256-bit AES (strong) encryption. AES encryption is available with IBM Data Server Driver for JDBC and SQLJ type 4 connectivity only. You set the encryptionAlgorithm driver property to choose between 56-bit DES encryption (encryptionAlgorithm value of 1) and 256-bit AES encryption (encryptionAlgorithm value of 2). 256-bit AES encryption is used for a connection only if the database server supports it and is configured to use it.

If you use encrypted password security, encrypted user ID security, or encrypted user ID and encrypted password security from a Db2 for z/OS® client, the Java Cryptography Extension (IBMJCE) for z/OS must be enabled on the client. The Java Cryptography Extension is part of the IBM Developer Kit for z/OS, Java 2 Technology Edition. For information on how to enable IBMJCE, see: http://www.ibm.com/servers/eserver/zseries/software/java/j5jce.html

For AES encryption, you need to get the unrestricted policy file for JCE. It is available at the following URL:
https://www.ibm.com/marketing/iwm/iwm/web/preLogin.do?source=jcesdk

Connections to Db2 for IBM i V6R1 or later servers can use encrypted password security or encrypted user ID and encrypted password security. For either of those mechanisms, the IBM Java Cryptography Extension (ibmjceprovider.jar) must be installed on your client. The IBM JCE is part of the IBM SDK for Java, Version 1.4.2 or later.

You can also use encrypted security-sensitive data in addition to encrypted user ID security or encrypted user ID and encrypted password security. You specify encryption of security-sensitive data through the ENCRYPTED_USER_AND_DATA_SECURITY or ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY securityMechanism value. ENCRYPTED_USER_AND_DATA_SECURITY is valid for connections to Db2 for z/OS servers only.

Db2 for z/OS and Db2 for Linux®, UNIX, and Windows database servers encrypt the following data when you specify encryption of security-sensitive data:
  • SQL statements that are being prepared, executed, or bound into a package
  • Input and output parameter information
  • Result sets
  • LOB data
  • XML data
  • Results of describe operations

Before you can use encrypted security-sensitive data, the z/OS Integrated Cryptographic Services Facility needs to be installed and enabled on the z/OS operating system.

To specify encrypted user ID or encrypted password security for a JDBC connection, use one of the following techniques.

For the DriverManager interface: Set the user ID, password, and security mechanism by setting the user, password, and securityMechanism properties in a Properties object, and then invoking the form of the getConnection method that includes the Properties object as a parameter. For example, use code like this to set the encrypted user ID and encrypted password security mechanism, with AES encryption:

import java.sql.*;                        // JDBC base
import java.util.Properties;              // Properties lives in java.util, not java.sql
import com.ibm.db2.jcc.*;                 // IBM Data Server Driver for JDBC
                                          // and SQLJ implementation of JDBC
…
Properties properties = new Properties(); // Create a Properties object
properties.put("user", "dbadm");          // Set user ID for the connection
properties.put("password", "dbadm");      // Set password for the connection
properties.put("securityMechanism",
  String.valueOf(
  com.ibm.db2.jcc.DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY));
                                          // Set security mechanism to
                                          // encrypted user ID and encrypted password
properties.put("encryptionAlgorithm", "2");
                                          // Request AES encryption
String url = "jdbc:db2://mvs1.sj.ibm.com:5021/san_jose";
                                          // Set URL for the data source
Connection con = DriverManager.getConnection(url, properties);
                                          // Create the connection

For the DataSource interface: If you create and deploy the DataSource object, you can set the user ID, password, and security mechanism by invoking the DataSource.setUser, DataSource.setPassword, and DataSource.setSecurityMechanism methods after you create the DataSource object. For example, use code like this to set the encrypted user ID and encrypted password security mechanism, with AES encryption:

import java.sql.*;                        // JDBC base
import com.ibm.db2.jcc.*;                 // IBM Data Server Driver for JDBC
                                          // and SQLJ implementation of JDBC
…
com.ibm.db2.jcc.DB2SimpleDataSource ds =
  new com.ibm.db2.jcc.DB2SimpleDataSource();
                                          // Create the DataSource object
ds.setDriverType(4);                      // Set the driver type (AES needs type 4)
ds.setDatabaseName("san_jose");           // Set the location
ds.setServerName("mvs1.sj.ibm.com");      // Set the server name
ds.setPortNumber(5021);                   // Set the port number
ds.setUser("db2adm");                     // Set the user ID
ds.setPassword("db2adm");                 // Set the password
ds.setSecurityMechanism(
  com.ibm.db2.jcc.DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY);
                                          // Set security mechanism to
                                          // encrypted user ID and encrypted password
ds.setEncryptionAlgorithm(2);             // Request AES encryption

Valid characters in passwords: All characters in the ASCII range X'20' (decimal 32) through X'7E' (decimal 126) are valid in passwords, except for the following characters:
  • X'20' (space) at the end of a password. The IBM Data Server Driver for JDBC and SQLJ strips space characters at the end of a password.
  • X'3B' (semicolon)
  • Any characters that cannot be converted to EBCDIC characters, if passwords in plain text are sent to a data server.

RACF® password phrase security: If you are connecting to a Db2 for z/OS that is configured for RACF protection, and the RACF version supports RACF password phrases, you can supply a RACF password phrase for the password property value, instead of a simple password. A password phrase must conform to the following rules:

  • A password phrase is a character string that can consist of mixed-case letters, numbers, and special characters, including blanks.
  • The length of the password phrase can be 9 to 100 characters, or 14 to 100 characters.

    Password phrases of between 9 and 13 characters are allowed when the new-password-phrase exit (ICHPWX11) is installed on the z/OS system, and the exit allows password phrases of fewer than 14 characters.

  • A password phrase must not contain the user ID, either as sequential uppercase characters or as sequential lowercase characters.
  • A password phrase must contain at least two alphabetic characters (A through Z or a through z).
  • A password phrase must contain at least two non-alphabetic characters (numerics, punctuation, or special characters).
  • A password phrase must not contain more than two consecutive characters that are identical.
  • If a single quotation mark (') is part of the password phrase, the single quotation mark must be represented as two consecutive single quotation marks ('').
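The following class is an added example, not part of the IBM documentation or the driver: it checks a password or RACF password phrase on the client against the rules in "Valid characters in passwords" and "RACF password phrase security" above, so that a value the data server would reject is caught before a connection attempt. The class name, the shortPhrasesAllowed flag (standing in for an installed ICHPWX11 exit) and the reading of the user-ID rule as a substring match in all-uppercase or all-lowercase form are assumptions; the sample inputs are constructed.

```java
import java.util.ArrayList;
import java.util.List;
// Client-side pre-check of a password or RACF password phrase against the rules
// above (added example; RACF and the driver still enforce the real rules).
public final class PasswordPhraseCheck {
    /** Returns the rules that phrase violates; an empty list means it passes.
     *  shortPhrasesAllowed models an installed ICHPWX11 exit that accepts
     *  9- to 13-character phrases. */
    public static List<String> violations(String phrase, String userId,
                                          boolean shortPhrasesAllowed) {
        List<String> errors = new ArrayList<>();
        int min = shortPhrasesAllowed ? 9 : 14;
        if (phrase.length() < min || phrase.length() > 100) {
            errors.add("length must be " + min + " to 100 characters");
        }
        // Only X'20' through X'7E' is valid; count alphabetic vs non-alphabetic.
        int alpha = 0, nonAlpha = 0;
        boolean outOfRange = false;
        for (char c : phrase.toCharArray()) {
            if (c < 0x20 || c > 0x7E) outOfRange = true;
            else if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) alpha++;
            else nonAlpha++;
        }
        if (outOfRange) errors.add("character outside X'20' through X'7E'");
        if (alpha < 2) errors.add("fewer than two alphabetic characters");
        if (nonAlpha < 2) errors.add("fewer than two non-alphabetic characters");
        // A trailing blank is stripped by the driver; a semicolon is never valid.
        if (phrase.endsWith(" ")) errors.add("trailing blank would be stripped");
        if (phrase.indexOf(';') >= 0) errors.add("semicolon is not allowed");
        // Assumed reading of the user-ID rule: no all-upper or all-lower copy of it.
        if (!userId.isEmpty() && (phrase.contains(userId.toUpperCase())
                || phrase.contains(userId.toLowerCase()))) {
            errors.add("contains the user ID");
        }
        // No more than two consecutive identical characters.
        for (int i = 2; i < phrase.length(); i++) {
            if (phrase.charAt(i) == phrase.charAt(i - 1)
                    && phrase.charAt(i) == phrase.charAt(i - 2)) {
                errors.add("more than two consecutive identical characters");
                break;
            }
        }
        return errors;
    }
    public static void main(String[] args) {
        // Constructed sample inputs: one compliant phrase, one with three violations.
        System.out.println(violations("Correct horse battery staple 42", "dbadm", false));
        System.out.println(violations("DBADM rules;", "dbadm", false));
    }
}
```

The check deliberately validates the phrase as typed; if the phrase contains a single quotation mark, double it only in the representation you hand to RACF, as the last rule describes.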