TCP/IP ALREADY VERIFIED field (TCPALVER subsystem parameter)
The TCPALVER subsystem parameter specifies whether DB2® is to accept TCP/IP connection requests containing only a user ID, or if a stronger form of security is required. If DB2 is to accept only a user ID, no password, RACF® PassTicket, or Kerberos ticket is needed.
The TCPALVER subsystem parameter has no effect in the following situations:
- Trusted context users that have been switched
- Connections that use SECPORT, including SSL implementations, such as AT-TLS
| Attribute | Value |
|---|---|
| Acceptable values | YES, CLIENT, NO, SERVER, SERVER_ENCRYPT |
| Default | NO (SERVER) |
| Update | option 32 on panel DSNTIPB |
| DSNZPxxx | DSN6FAC TCPALVER |
| Security parameter | Yes |
- YES: A new connection is accepted with a user ID only.
- CLIENT: This value can be used as an alternative to YES.
- NO: A user ID and password are required for connection requests, or the connection must be authenticated by a RACF PassTicket or Kerberos ticket. The user ID and password can be encrypted or non-encrypted.
- SERVER: This value can be used as an alternative to NO.
- SERVER_ENCRYPT: A user ID and password are required for connection requests. Kerberos tickets are also accepted. In addition, one of the following must be true:
  - The user ID and password are AES (Advanced Encryption Standard)-encrypted.
  - The connection is accepted on a port that ensures AT-TLS (Application Transparent - Transport Layer Security) policy protection, such as a DB2 security port (SECPORT).

  Non-encrypted security credentials or RACF PassTickets are not accepted unless the connection is secured by the TCP/IP network. RACF PassTickets are encoded, which is considered a weaker form of security than encryption. DES (Data Encryption Standard)-based encryption is also considered insecure.
This value must be the same for all members of a data sharing group. This option applies to all incoming requests that use TCP/IP, regardless of the requesting location.
Note: This is a security-related parameter. If the parameter is set to YES or CLIENT, connections are accepted with a user ID only. Security credentials such as a password are not required to authenticate the user ID that is associated with the connection.

Recommendation: Setting the parameter to SERVER_ENCRYPT provides the best security. Connections are accepted only if user credentials are provided to authenticate the user ID, and strong encryption is used to protect the user ID and credentials.
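The following audit script is an added example, not IBM code and not part of this page. It reads a DSNZPxxx source fragment, extracts the coded TCPALVER value (falling back to the documented default of NO when the keyword is absent), rates it against the value descriptions above, and checks that every member of a data sharing group codes the same value, as the page requires. The DSN6FAC macro name, the TCPALVER keyword and the five values come from the page; the keyword=value layout of the constructed sample fragments, the rating labels and the function names are assumptions.

```python
import re

# Ratings for each TCPALVER value, taken from the parameter description:
# YES/CLIENT accept a user ID only; NO/SERVER require a password, RACF
# PassTicket or Kerberos ticket but allow unencrypted credentials;
# SERVER_ENCRYPT requires credentials plus AES encryption or an AT-TLS port.
# The labels "weak"/"moderate"/"strong" are this example's own scale.
TCPALVER_RATING = {
    "YES":            ("weak",     "connection accepted with a user ID only"),
    "CLIENT":         ("weak",     "alternative to YES: user ID only"),
    "NO":             ("moderate", "credentials required, may be sent unencrypted"),
    "SERVER":         ("moderate", "alternative to NO: credentials may be unencrypted"),
    "SERVER_ENCRYPT": ("strong",   "credentials required and AES- or AT-TLS-protected"),
}
RATING_ORDER = ["weak", "moderate", "strong"]

DEFAULT_VALUE = "NO"  # documented default when TCPALVER is not coded

# Keyword=value form of the DSN6FAC parameter. The one-keyword-per-line
# layout of the samples below is an assumption about the DSNZPxxx source.
_TCPALVER_RE = re.compile(r"\bTCPALVER\s*=\s*([A-Z_]+)", re.IGNORECASE)

# Constructed DSNZPxxx fragments (not from the page). CMTSTAT is another
# DSN6FAC keyword, used only to show a member that does not code TCPALVER.
MEMBER_WEAK = "         DSN6FAC  TCPALVER=YES\n"
MEMBER_STRONG = "         DSN6FAC  TCPALVER=SERVER_ENCRYPT\n"
MEMBER_DEFAULT = "         DSN6FAC  CMTSTAT=INACTIVE\n"


def extract_tcpalver(dsnzparm_source: str) -> str:
    """Return the coded TCPALVER value in upper case, or the default if absent."""
    match = _TCPALVER_RE.search(dsnzparm_source)
    return match.group(1).upper() if match else DEFAULT_VALUE


def rate_tcpalver(value: str) -> tuple:
    """Map a TCPALVER value to (rating, reason); reject values the page does not list."""
    key = value.upper()
    if key not in TCPALVER_RATING:
        raise ValueError(f"unsupported TCPALVER value: {value}")
    return TCPALVER_RATING[key]


def audit_member(dsnzparm_source: str) -> dict:
    """Audit one DSNZPxxx source and report its effective TCPALVER posture."""
    value = extract_tcpalver(dsnzparm_source)
    rating, reason = rate_tcpalver(value)
    return {
        "value": value,
        "rating": rating,
        "reason": reason,
        "recommended": value == "SERVER_ENCRYPT",
        # Caveat from the page: TCPALVER has no effect on SECPORT (AT-TLS)
        # connections or switched trusted-context users, so even a "strong"
        # rating says nothing about those paths.
        "note": "no effect on SECPORT/AT-TLS connections or switched trusted contexts",
    }


def audit_group(members: dict) -> dict:
    """Audit each member of a data sharing group and flag value mismatches,
    since the page requires the same TCPALVER on all members."""
    results = {name: audit_member(src) for name, src in members.items()}
    values = {r["value"] for r in results.values()}
    weakest = min((r["rating"] for r in results.values()), key=RATING_ORDER.index)
    return {"members": results, "consistent": len(values) == 1, "weakest": weakest}


if __name__ == "__main__":
    report = audit_group({"DB2A": MEMBER_WEAK, "DB2B": MEMBER_STRONG, "DB2C": MEMBER_DEFAULT})
    for name, member in report["members"].items():
        print(f"{name}: TCPALVER={member['value']} ({member['rating']}): {member['reason']}")
    print("consistent across group:", report["consistent"])
    print("weakest member rating:", report["weakest"])
```

Run it against the DSNZPxxx source of every member before assembling the parameter module: a mismatch across members or any rating below "strong" is the finding to raise, and the "note" field reminds the reviewer that SECPORT traffic must be assessed separately.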