DB2 Version 10.1 for Linux, UNIX, and Windows

authentication - Authentication type configuration parameter

This parameter determines how and where authentication of a user takes place.

Configuration type
Database manager
Applies to
  • Database server with local and remote clients
  • Client
  • Database server with local clients
  • Partitioned database server with local and remote clients
Parameter type
Configurable
Default [range]
SERVER [CLIENT; SERVER; SERVER_ENCRYPT; DATA_ENCRYPT; DATA_ENCRYPT_CMP; KERBEROS; KRB_SERVER_ENCRYPT; GSSPLUGIN; GSS_SERVER_ENCRYPT ]

If the value of the authentication parameter is SERVER, the user ID and password are sent from the client to the server so that authentication can take place on the server. The SERVER_ENCRYPT value provides the same behavior as SERVER, except that any user IDs and passwords sent over the network must be encrypted. If the client is the IBM Data Server Driver for JDBC and SQLJ, the DB2 server can still accept user IDs and passwords that are not encrypted, so SERVER_ENCRYPT alone does not guarantee that JDBC clients never send clear-text passwords.

Starting with DB2 Version 10.1 Fix Pack 4, to have the DB2 server reject the CLEAR_TEXT_PASSWORD_SECURITY security mechanism when the authentication type is SERVER_ENCRYPT, set the DB2AUTH registry variable to JCC_ENFORCE_SECMEC at the server. No application modification is required, except for JDBC applications that use the Oracle JVM: modify those applications to use the ENCRYPTED_USER_AND_PASSWORD_SECURITY security mechanism with the encryptionAlgorithm property set to AES. To use AES, install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy" files from Oracle.

For a standards compliance (defined in the "Standards compliance" topic) configuration, SERVER is the only supported value.

A value of DATA_ENCRYPT means the server accepts encrypted SERVER authentication schemes and also encrypts user data. Authentication works the same way as with SERVER_ENCRYPT.

The following user data is encrypted when you use the DATA_ENCRYPT authentication type:

A value of DATA_ENCRYPT_CMP means the server accepts encrypted SERVER authentication schemes and the encryption of user data. In addition, this authentication type provides compatibility with earlier products that do not support DATA_ENCRYPT: those products are permitted to connect with the SERVER_ENCRYPT authentication type, without encrypting user data, so their user data still crosses the network unencrypted. Products that support DATA_ENCRYPT must use it. This authentication type is valid only in the server's database manager configuration file and is not valid for the CATALOG DATABASE command.

You cannot set the authentication parameter to DATA_ENCRYPT if you set the alternate_auth_enc parameter to AES_CMP or AES_ONLY.

A value of CLIENT indicates that all authentication takes place at the client. The server performs no authentication of its own and trusts the user identity that the client presents.

A value of KERBEROS means that authentication is performed at a Kerberos server by using the Kerberos security protocol. With an authentication type of KRB_SERVER_ENCRYPT at the server and clients that support the Kerberos security system, the effective system authentication type is KERBEROS. If the clients do not support the Kerberos security system, the system authentication type is effectively equivalent to SERVER_ENCRYPT.

A value of GSSPLUGIN means that authentication is performed using an external GSSAPI-based security mechanism. With an authentication type of GSS_SERVER_ENCRYPT at the server, the effective system authentication type is GSSPLUGIN for clients that support the GSSPLUGIN security mechanism and one of the server's plug-ins. For clients that do not support the GSSPLUGIN security mechanism, the system authentication type is effectively equivalent to SERVER_ENCRYPT.

Recommendation: The default value (SERVER) is typically adequate for local clients. If remote clients connect to the database server, SERVER_ENCRYPT is the suggested value, because it protects the user ID and password on the network.
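The following shell script is an added example, not part of the DB2 manual or of any IBM tool. It audits the two settings this topic describes (authentication and alternate_auth_enc) from the text that `db2 get dbm cfg` prints, classifies the result against the rules above (SERVER sends clear-text credentials, CLIENT trusts the client, DATA_ENCRYPT is rejected together with AES_CMP or AES_ONLY), and prints the remediation commands. The parameter names, values, the db2 and db2set commands and the DB2AUTH=JCC_ENFORCE_SECMEC setting come from this topic; the sample configuration text is constructed, and the JDBC URL property values (securityMechanism=9 for ENCRYPTED_USER_AND_PASSWORD_SECURITY, encryptionAlgorithm=2 for AES) are assumed from the JCC driver's constants.

```shell
#!/bin/sh
# Added example: audit DB2 authentication settings from `db2 get dbm cfg` text.
# Real use:   db2 get dbm cfg | audit_dbm_cfg
# The sample below is a constructed excerpt; real output has many more lines.
SAMPLE_DBM_CFG=' Database manager authentication        (AUTHENTICATION) = SERVER
 Alternate authentication           (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
 Cataloging allowed without authority   (CATALOG_NOAUTH) = NO'

# cfg_param NAME < dbm-cfg-text : print the value shown for parameter NAME.
cfg_param() {
  sed -n "s/^.*($1) = \([A-Z_]*\).*$/\1/p"
}

# classify_auth AUTH ALT : print one verdict for the pair of settings.
#   CLEARTEXT      user ID and password cross the network unencrypted
#   TRUSTS_CLIENT  server does no authentication of its own
#   INVALID        DATA_ENCRYPT cannot be combined with AES_CMP or AES_ONLY
#   OK             credentials are encrypted, or never sent as a password
classify_auth() {
  auth=$1
  alt=$2
  case "$auth" in
    SERVER) echo CLEARTEXT ;;
    CLIENT) echo TRUSTS_CLIENT ;;
    DATA_ENCRYPT)
      case "$alt" in
        AES_CMP|AES_ONLY) echo INVALID ;;
        *) echo OK ;;
      esac ;;
    SERVER_ENCRYPT|DATA_ENCRYPT_CMP|KERBEROS|KRB_SERVER_ENCRYPT|GSSPLUGIN|GSS_SERVER_ENCRYPT)
      echo OK ;;
    *) echo UNKNOWN ;;
  esac
}

# audit_dbm_cfg < dbm-cfg-text : print "<authentication> <alternate_auth_enc> <verdict>".
audit_dbm_cfg() {
  text=$(cat)
  auth=$(printf '%s\n' "$text" | cfg_param AUTHENTICATION)
  alt=$(printf '%s\n' "$text" | cfg_param ALTERNATE_AUTH_ENC)
  alt=${alt:-NOT_SPECIFIED}
  echo "$auth $alt $(classify_auth "$auth" "$alt")"
}

# remediation VERDICT : commands an administrator would run for that verdict.
# db2 and db2set are the real CLI tools; the dbm cfg change needs an instance
# restart. The JDBC URL property values are assumed from the JCC driver.
remediation() {
  case "$1" in
    CLEARTEXT)
      echo 'db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT'
      echo 'db2set DB2AUTH=JCC_ENFORCE_SECMEC'
      echo 'db2stop; db2start'
      echo 'JDBC (Oracle JVM): jdbc:db2://HOST:PORT/DB:securityMechanism=9;encryptionAlgorithm=2;'
      ;;
    INVALID)
      echo 'db2 update dbm cfg using ALTERNATE_AUTH_ENC NOT_SPECIFIED'
      echo 'db2stop; db2start'
      ;;
    *) echo 'no change' ;;
  esac
}

# Stand-alone run over the constructed sample.
verdict=$(printf '%s\n' "$SAMPLE_DBM_CFG" | audit_dbm_cfg)
echo "$verdict"
remediation "${verdict##* }"
```

The audit only reports what the dbm cfg says; a client connecting with a weaker mechanism (for example a JDBC client sending CLEAR_TEXT_PASSWORD_SECURITY against a SERVER_ENCRYPT server without DB2AUTH=JCC_ENFORCE_SECMEC) is not visible here, so verify the registry variable with `db2set -all` as well.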