authentication - Authentication type configuration parameter

This parameter specifies and determines how and where authentication of a user takes place.

Important: The SERVER_ENCRYPT authentication type is deprecated, and the SERVER_ENCRYPT_AES authentication type will not work in strict FIPS mode when FIPS 140-3 certified cryptographic modules are introduced in a future version of Db2. For more information on the deprecation, see Authentication methods for your server.
Important: The DATA_ENCRYPT authentication type is deprecated and might be removed in a future release. To encrypt data in transit between clients and Db2® databases, we recommend that you use the Db2 database system support of Transport Layer Security (TLS). For more information, see Encryption of data in transit.
Configuration type
Database manager
Applies to
  • Database server with local and remote clients
  • Client
  • Database server with local clients
  • Partitioned database server with local and remote clients
Parameter type
Configurable
Default [range]
SERVER [CLIENT; SERVER; SERVER_ENCRYPT; DATA_ENCRYPT; DATA_ENCRYPT_CMP; KERBEROS; KRB_SERVER_ENCRYPT; GSSPLUGIN; GSS_SERVER_ENCRYPT ]

If the value of the authentication parameter is SERVER, the user ID and password are sent from the client to the server so that authentication can take place on the server. The SERVER_ENCRYPT value provides the same behavior as the SERVER value, except that any user IDs and passwords that are sent over the network must be encrypted.

Starting with the Db2 Cancun Release (Db2 10.5.0.4), to prevent the Db2 server from accepting the CLEAR_TEXT_PASSWORD_SECURITY security mechanism when the authentication type is SERVER_ENCRYPT, set the DB2AUTH registry variable to JCC_ENFORCE_SECMEC at the server.

Set the DB2AUTH registry variable to JCC_NOENFORCE_SECMEC_MSG at the server to have Db2 still accept the CLEAR_TEXT_PASSWORD_SECURITY security mechanism from Java clients when the authentication type is SERVER_ENCRYPT, but print the following warning message in the db2diag.log for each such connection: Connection accepted as SERVER ( JCC_NOENFORCE_SECMEC_MSG ).

A further value, JCC_NOENFORCE_SECMEC_NOMSG, was introduced in Db2 11.1.3.3 to represent the default behavior for the SERVER_ENCRYPT authentication type, which is to accept the security mechanism without printing any warning to the db2diag.log.

To use AES, install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy" files from Oracle.

For a standards compliance (defined in the Standards compliance topic) configuration, SERVER is the only supported value.

A value of DATA_ENCRYPT means the server accepts encrypted SERVER authentication schemes and the encryption of user data. The authentication works the same way as SERVER_ENCRYPT.

The following user data is encrypted when you use the DATA_ENCRYPT authentication type:

  • SQL and XQuery statements
  • SQL program variable data
  • Output data from the server processing an SQL or XQuery statement and including a description of the data
  • Some or all of the answer set data resulting from a query
  • Large object (LOB) streaming
  • SQLDA descriptors

A value of DATA_ENCRYPT_CMP means the server accepts encrypted SERVER authentication schemes and the encryption of user data. In addition, this authentication type provides compatibility with earlier products that do not support the DATA_ENCRYPT authentication type. These products are permitted to connect with the SERVER_ENCRYPT authentication type, without encrypting user data. Products supporting the new authentication type must use it. This authentication type is valid only in the server's database manager configuration file and is not valid for the CATALOG DATABASE command.

You cannot set the authentication parameter to DATA_ENCRYPT if you set the alternate_auth_enc parameter to AES_CMP or AES_ONLY.

A value of CLIENT indicates that all authentication takes place at the client. No authentication needs to be performed at the server.
Attention: With the release of Db2 11.5.9, the CLIENT authentication type is deprecated. Do not use this authentication type going forward, as it is insecure in many situations and might be removed in a future release.

A value of KERBEROS means that authentication is performed at a Kerberos server by using the Kerberos security protocol. With an authentication type of KRB_SERVER_ENCRYPT at the server and clients that support the Kerberos security system, the effective system authentication type is KERBEROS. If the clients do not support the Kerberos security system, the system authentication type is effectively equivalent to SERVER_ENCRYPT.

A value of GSSPLUGIN means that authentication is performed using an external GSSAPI-based security mechanism. With an authentication type of GSS_SERVER_ENCRYPT at the server and clients that support the GSSPLUGIN security mechanism, the effective system authentication type is GSSPLUGIN if the clients support one of the server's plug-ins. If the clients do not support the GSSPLUGIN security mechanism, the system authentication type is effectively equivalent to SERVER_ENCRYPT.

Recommendation: Typically, the default value (SERVER) is adequate for local clients. If remote clients are connecting to the database server, SERVER_ENCRYPT is the suggested value to protect the user ID and password.
Note: SERVER_ENCRYPT protects only the user ID and password pair. If you are concerned about other data being sent over the network in plain text, use SSL.
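As an added check that is not part of the IBM documentation, the following Python script applies the rules on this page to the text of `db2 get dbm cfg` and `db2set -all`: it reads AUTHENTICATION, ALTERNATE_AUTH_ENC and DB2AUTH and reports the deprecated types, clear-text fallbacks and invalid combinations the setting implies. The two sample listings are constructed, and the parser assumes the usual `(PARAMETER) = value` layout of the dbm cfg output.

```python
import re

# Constructed sample listings (not captured from a real system); the parser
# assumes the "(PARAMETER) = value" layout of `db2 get dbm cfg` output.
SAMPLE_DBM_CFG = """\
 Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Alternate authentication           (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
"""
SAMPLE_DB2SET = "[i] DB2COMM=TCPIP\n[i] DB2AUTH=JCC_NOENFORCE_SECMEC_MSG\n"

def cfg_value(dbm_cfg: str, name: str) -> str:
    """Value of one dbm cfg parameter, located by its (NAME) token."""
    m = re.search(r"\(%s\)\s*=\s*(\S*)" % re.escape(name), dbm_cfg)
    return m.group(1).upper() if m else ""

def registry_value(db2set_out: str, name: str) -> str:
    """Value of one Db2 registry variable from NAME=value lines of `db2set -all`."""
    m = re.search(r"\b%s=(\S*)" % re.escape(name), db2set_out)
    return m.group(1).upper() if m else ""

def audit_authentication(dbm_cfg: str, db2set_out: str) -> list[str]:
    """Return findings about what the configured AUTHENTICATION actually protects."""
    auth = cfg_value(dbm_cfg, "AUTHENTICATION") or "SERVER"  # SERVER is the default
    alt = cfg_value(dbm_cfg, "ALTERNATE_AUTH_ENC")
    db2auth = registry_value(db2set_out, "DB2AUTH")
    findings = []
    if auth == "CLIENT":
        findings.append("CLIENT is deprecated (11.5.9): the server performs no authentication")
    elif auth == "SERVER":
        findings.append("SERVER: user ID and password cross the network unencrypted")
    elif auth == "SERVER_ENCRYPT":
        findings.append("SERVER_ENCRYPT is deprecated; only the user ID/password pair is protected")
        if db2auth == "JCC_ENFORCE_SECMEC":
            findings.append("DB2AUTH: CLEAR_TEXT_PASSWORD_SECURITY from Java clients is rejected")
        elif db2auth == "JCC_NOENFORCE_SECMEC_MSG":
            findings.append("DB2AUTH: clear-text fallback accepted, one db2diag.log warning per connection")
        else:
            findings.append("DB2AUTH: clear-text fallback accepted silently (JCC_NOENFORCE_SECMEC_NOMSG behaviour)")
    elif auth in ("KRB_SERVER_ENCRYPT", "GSS_SERVER_ENCRYPT"):
        findings.append(auth + ": clients without Kerberos/GSS support fall back to SERVER_ENCRYPT")
    elif auth == "DATA_ENCRYPT":
        findings.append("DATA_ENCRYPT is deprecated; use TLS for data in transit")
        if alt in ("AES_CMP", "AES_ONLY"):
            findings.append("DATA_ENCRYPT is not allowed with ALTERNATE_AUTH_ENC=" + alt)
    elif auth == "DATA_ENCRYPT_CMP":
        findings.append("DATA_ENCRYPT_CMP: older clients may connect via SERVER_ENCRYPT with user data unencrypted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_authentication(SAMPLE_DBM_CFG, SAMPLE_DB2SET)))
```

On a real instance, feed it the captured output of `db2 get dbm cfg` and `db2set -all` instead of the constructed samples.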