DB2 Version 9.7 for Linux, UNIX, and Windows

Security plug-ins

Authentication for the DB2® database system is done using security plug-ins. A security plug-in is a dynamically-loadable library that provides authentication security services.

The DB2 database system provides the following types of plug-ins:
The DB2 database manager supports two mechanisms for plug-in authentication:
User ID/password authentication
This involves authentication using a user ID and password. The following authentication types are implemented using user ID/password authentication plug-ins:
  • - CLIENT
  • - SERVER
  • - SERVER_ENCRYPT
  • - DATA_ENCRYPT
  • - DATA_ENCRYPT_CMP
These authentication types determine how and where authentication of a user occurs. The authentication type used depends on the authentication type specified by the authentication database manager configuration parameter. If the SRVCON_AUTH parameter is specified it takes precedence over AUTHENTICATION when dealing with connect or attach operations.
GSS-API authentication
GSS-API is formally known as Generic Security Service Application Program Interface, Version 2 (IETF RFC2743) and Generic Security Service API Version 2: C-Bindings (IETF RFC2744). Kerberos authentication is also implemented using GSS-API. The following authentication types are implemented using GSS-API authentication plug-ins:
  • - KERBEROS
  • - GSSPLUGIN
  • - KRB_SERVER_ENCRYPT
  • - GSS_SERVER_ENCRYPT
KRB_SERVER_ENCRYPT and GSS_SERVER_ENCRYPT support both GSS-API authentication and user ID/password authentication; however, GSS-API authentication is the preferred authentication type.
Note: Authentication types determine how and where a user is authenticated. To use a particular authentication type, update the authentication database manager configuration parameter.

Each of the plug-ins can be used independently or in conjunction with one or more of the other plug-ins. For example, you might only use a server authentication plug-in and assume the DB2 defaults for client and group authentication. Alternatively, you might have only a group or client authentication plug-in. The only situation where both a client and server plug-in are required is for GSS-API authentication plug-ins.

The default behavior is to use a user ID/password plug-in that implements an operating-system-level mechanism for authentication. In previous releases, the default behavior is to directly use operating-system-level authentication without a plug-in implementation. Client-side Kerberos support is available on Solaris, AIX®, Windows, and Linux operating systems. For Windows platforms, Kerberos support is enabled by default.

DB2 database systems include sets of plug-ins for group retrieval, user ID/password authentication, and for Kerberos authentication. With the security plug-in architecture you can customize DB2 client and server authentication behavior by either developing your own plug-ins, or buying plug-ins from a third party.

Deployment of security plug-ins on DB2 clients

DB2 clients can support one group plug-in, one user ID/password authentication plug-in, and will negotiate with the DB2 server for a particular GSS-API plug-in. This negotiation consists of a scan by the client of the DB2 server's list of implemented GSS-API plug-ins for the first authentication plug-in name that matches an authentication plug-in implemented on the client. The server's list of plug-ins is specified in the srvcon_gssplugin_list database manager configuration parameter value, which contains the names of all of the plug-ins that are implemented on the server. The following figure portrays the security plug-in infrastructure on a DB2 client.
Figure 1. Deploying Security Plug-ins on DB2 Clients
The DB2 client has a plug-in interface that can accept user ID/password, Kerberos, GSS-API, and Group client plug-ins.

Deployment of security plug-ins on DB2 servers

DB2 servers can support one group plug-in, one user ID/password authentication plug-in, and multiple GSS-API plug-ins. The multiple GSS-API plug-ins are specified in the srvcon_gssplugin_list database manager configuration parameter value as a list. Only one GSS-API plug-in in this list can be a Kerberos plug-in.

In addition to server-side security plug-ins, you might also need to deploy client authorization plug-ins on your database server. When you run instance-level operations like db2start and db2trc, the DB2 database manager performs authorization checking for these operations using client authentication plug-ins. Therefore, you should install the client authentication plug-in that corresponds to the server plug-in that is specified by the authentication database manager configuration parameter. There is a main distinction between authentication and srvcon_auth. Specifically, they could be set to different values to cause one mechanism to be used to authenticate database connections and another mechanism to be used for local authorization. The most common usage is srvcon_auth set as GSSPLUGIN and authentication set as SERVER. If you do not use client authentication plug-ins on the database server, instance level operations such as db2start will fail. For example, if the authentication type is SERVER and no user-supplied client plug-in is used, the DB2 database system will use the IBM-shipped default client operating-system plug-in. The following figure portrays the security plug-in infrastructure on a DB2 server.
Figure 2. Deploying Security Plug-ins on DB2 Servers
The DB2 server supports group, server, and client (local authorization) plug-ins.
Note: The integrity of your DB2 database system installation can be compromised if the deployment of security plug-ins are not adequately coded, reviewed, and tested. The DB2 database system takes precaution against many common types of failures, but it cannot guarantee complete integrity when user-written security plug-ins are deployed.

Enabling security plug-ins

The system administrator can specify the names of the plug-ins to use for each authentication mechanism by updating certain plug-in-related database manager configuration parameters. If these parameters are null, they will default to the DB2-supplied plug-ins for group retrieval, user ID/password management, or Kerberos (if authentication is set to Kerberos -- on the server). DB2 does not provide a default GSS-API plug-in. Therefore, if system administrators specify an authentication type of GSSPLUGIN in authentication parameter, they must also specify a GSS-API authentication plug-in in srvcon_gssplugin_list.

How DB2 loads security plug-ins

All of the supported plug-ins identified by the database manager configuration parameters are loaded when the database manager starts.

The DB2 client will load a plug-in appropriate for the security mechanism negotiated with the server during connect or attach operations. It is possible that a client application can cause multiple security plug-ins to be concurrently loaded and used. This situation can occur, for example, in a threaded program that has concurrent connections to different databases from different instances.

Actions other than connect or attach operations require authorization (such as updating the database manager configuration, starting and stopping the database manager, turning DB2 trace on and off) as well. For such actions, the DB2 client program will load a plug-in specified in another database manager configuration parameter. If authentication is set to GSSPLUGIN, DB2 database manager will use the plug-in specified by local_gssplugin. If authentication is set to KERBEROS, DB2 database manager will use the plug-in specified by clnt_krb_plugin. Otherwise, DB2 database manager will use the plug-in specified by clnt_pw_plugin.

Security plug-ins APIs can be called from either an IPv4 platform or an IPv6 platform. An IPv4 address is a 32-bit address that has a readable form a.b.c.d, where each of a-d represents a decimal number from 0-255. An IPv6 address is a 128-bit address of the form a:b:c:d:e:f:g:h, where each of a-h represents 4 hex digits.

Developing security plug-ins

If you are developing a security plug-in, you need to implement the standard authentication functions that DB2 database manager will use. If you are using your own customized security plug-in, you can use a user ID of up to 255 characters on a connect statement issued through the CLP or a dynamic SQL statement. For the available types of plug-ins, the functionality you will need to implement is as follows:
Group retrieval
Gets the list of groups to which a user belongs.
User ID/password authentication
  • Identifies the default security context (client only).
  • Validates and optionally changes a password.
  • Determines if a given string represents a valid user (server only).
  • Modifies the user ID or password provided on the client before it is sent to the server (client only).
  • Returns the DB2 authorization ID associated with a given user.
GSS-API authentication
  • Implements the required GSS-API functions.
  • Identifies the default security context (client only).
  • Generates initial credentials based on a user ID and password and optionally changes password (client only).
  • Creates and accepts security tickets.
  • Returns the DB2 authorization ID associated with a given GSS-API security context.
Related concepts:
Authentication methods for your server
Related reference:
authentication - Authentication type configuration parameter
clnt_krb_plugin - Client Kerberos plug-in configuration parameter
clnt_pw_plugin - Client userid-password plug-in configuration parameter
local_gssplugin - GSS API plug-in used for local instance level authorization configuration parameter
Security plug-in samples
srvcon_auth - Authentication type for incoming connections at the server configuration parameter
srvcon_gssplugin_list - List of GSS API plug-ins for incoming connections at the server configuration parameter