To enable support for changing passwords in DB2® database products on Linux, you must configure the DB2 instance to use the security plug-ins IBMOSchgpwdclient and IBMOSchgpwdserver.
Before you begin
The plug-in libraries are located in the following directories:
- INSTHOME/sqllib/securityXX/plugin/IBM/client/IBMOSchgpwdclient.so
- INSTHOME/sqllib/securityXX/plugin/IBM/server/IBMOSchgpwdserver.so
where INSTHOME is the home directory of the instance owner and securityXX is either security32 or security64, depending on the bit-width of the instance.
Procedure
To deploy the security plug-ins in a DB2 instance, perform the following steps:
- Log in as a user with root authority.
- Create a PAM configuration file: /etc/pam.d/db2
Ensure that the file contains the appropriate set of rules, as defined by your system administrator. For example, on SLES 9 the following rules can be used:
auth required pam_unix2.so nullok
account required pam_unix2.so
password required pam_pwcheck.so nullok tries=1
password required pam_unix2.so nullok use_authtok use_first_pass
session required pam_unix2.so
And on RHEL, this can be used:
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 ucredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=3
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
- Enable the security plug-ins in the DB2 instance:
- Update the database manager configuration parameter SRVCON_PW_PLUGIN with the value IBMOSchgpwdserver:
db2 update dbm cfg using srvcon_pw_plugin IBMOSchgpwdserver
- Update the database manager configuration parameter CLNT_PW_PLUGIN with the value IBMOSchgpwdclient:
db2 update dbm cfg using CLNT_PW_PLUGIN IBMOSchgpwdclient
- Ensure that either the database manager configuration parameter SRVCON_AUTH is set to a value of CLIENT, SERVER, SERVER_ENCRYPT, DATA_ENCRYPT, or DATA_ENCRYPT_CMP, or the database manager configuration parameter SRVCON_AUTH is set to a value of NOT_SPECIFIED and AUTHENTICATION is set to a value of CLIENT, SERVER, SERVER_ENCRYPT, DATA_ENCRYPT, or DATA_ENCRYPT_CMP.
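A pre-deployment check for the PAM file and the authentication condition in the procedure above, as an added example that is not IBM code. The function names `audit_pam` and `auth_ok` are hypothetical, and flagging `nullok` (empty passwords accepted) and `md5` (MD5-based password hashes) is this example's own review policy, not a DB2 requirement.

```shell
#!/bin/sh
# Added example, not IBM code. The checks are assumptions of this example.

# audit_pam FILE: print findings for a PAM service file; status 1 if any.
audit_pam() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }  # join backslash continuations
        { $0 = buf $0; buf = "" }
        /^[ \t]*(#|$)/ { next }                           # comments, blank lines
        {
            type = $1; sub(/^-/, "", type); seen[type] = 1
            for (i = 3; i <= NF; i++) {
                if ($i == "nullok") { printf "line %d: %s rule accepts empty passwords (nullok)\n", NR, type; bad++ }
                if ($i == "md5") { printf "line %d: %s rule uses MD5 password hashes (md5)\n", NR, type; bad++ }
            }
        }
        END {
            n = split("auth account password session", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) { printf "no %s rules defined\n", need[i]; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# auth_ok SRVCON_AUTH AUTHENTICATION: status 0 if the pair meets the
# condition in the last step of the procedure.
auth_ok() {
    [ "$1" = NOT_SPECIFIED ] && set -- "$2"    # fall back to AUTHENTICATION
    case "$1" in
        CLIENT|SERVER|SERVER_ENCRYPT|DATA_ENCRYPT|DATA_ENCRYPT_CMP) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: the SLES 9 rules quoted on this page, written to a scratch file.
f=$(mktemp)
cat > "$f" <<'EOF'
auth required pam_unix2.so nullok
account required pam_unix2.so
password required pam_pwcheck.so nullok tries=1
password required pam_unix2.so nullok use_authtok use_first_pass
session required pam_unix2.so
EOF
audit_pam "$f" || echo "review the findings before installing as /etc/pam.d/db2"
auth_ok NOT_SPECIFIED SERVER_ENCRYPT && echo "authentication settings OK"
rm -f "$f"
```

Pass `auth_ok` the SRVCON_AUTH and AUTHENTICATION values read from the database manager configuration, and run `audit_pam` against the draft file before copying it to /etc/pam.d/db2.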