To customize the DB2® security system's
user ID/password authentication behavior, you can develop your own
user ID/password authentication plug-ins or buy one from a third party.
Before you begin
Depending on their intended usage, all user ID-password based
authentication plug-ins must be placed in either the client plug-in
directory or the server plug-in directory. If a plug-in is placed
in the client plug-in directory, it will be used both for local authorization
checking and for validating the client when it attempts to connect
with the server. If the plug-in is placed in the server plug-in directory,
it will be used for handling incoming connections to the server and
for checking whether an authorization ID exists and is valid whenever
the GRANT statement is issued without specifying either the keyword
USER or GROUP. In most situations, user ID/password authentication
requires only a server-side plug-in. It is possible, though generally
deemed less useful, to have only a client user ID/password plug-in.
It is possible, though quite unusual, to require matching user ID/password
plug-ins on both the client and the server.
Note: You must stop the DB2 server or any applications using
the plug-ins before you deploy a new version of an existing plug-in.
Undefined behavior including traps will occur if a process is still
using a plug-in when a new version (with the same name) is copied
over it. This restriction is not in effect when you deploy a plug-in
for the first time or when the plug-in is not in use.
After
you acquire user ID/password authentication plug-ins that are suitable
for your database management system, you can deploy them.
Procedure
- To deploy a user ID/password authentication plug-in on
  the database server, perform the following steps on the database server:
  - Copy the user ID/password authentication plug-in library
    into the server plug-in directory.
  - Update the database manager configuration parameter srvcon_pw_plugin with
    the name of the server plug-in. This plug-in is used by
    the server when it is handling CONNECT and ATTACH requests.
  - Either:
    - Set the database manager configuration parameter srvcon_auth to
      the CLIENT, SERVER, SERVER_ENCRYPT, DATA_ENCRYPT,
      or DATA_ENCRYPT_CMP authentication type. Or:
    - Set the database manager configuration parameter srvcon_auth to NOT_SPECIFIED and
      set authentication to the CLIENT, SERVER, SERVER_ENCRYPT, DATA_ENCRYPT,
      or DATA_ENCRYPT_CMP authentication type.
- To deploy a user ID/password authentication plug-in on
  database clients, perform the following steps on each client:
  - Copy the user ID/password authentication plug-in library
    into the client plug-in directory.
  - Update the database manager configuration parameter clnt_pw_plugin with
    the name of the client plug-in. This plug-in is loaded and called
    regardless of where the authentication is being done, not only when
    the database manager configuration parameter authentication is
    set to CLIENT.
- For local authorization on a client, server, or gateway
  using a user ID/password authentication plug-in, perform the following
  steps on each client, server, or gateway:
  - Copy the user ID/password authentication plug-in library
    into the client plug-in directory on the client, server, or gateway.
  - Update the database manager configuration parameter clnt_pw_plugin with
    the name of the plug-in.
  - Set the database manager configuration parameter authentication
    to CLIENT, SERVER, SERVER_ENCRYPT, DATA_ENCRYPT,
    or DATA_ENCRYPT_CMP.
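The three procedures above, as an added shell example that is not part of the IBM documentation and not IBM's code. It drives the steps with the db2 command line processor (db2stop, db2start, and db2 update dbm cfg) and the database manager configuration parameters named on the page (srvcon_pw_plugin, srvcon_auth, authentication, clnt_pw_plugin). The library paths, plug-in directories and plug-in name in the demo are constructed placeholders, and the DRY_RUN switch, the "scope" argument that chooses between the two ways of selecting the authentication type, and the helper function names are this example's own conventions. It also adds the check a practitioner would want before touching an instance: the authentication type is validated against the five values the page allows, and the instance is stopped before the library is copied over, as the note above requires.

```shell
#!/bin/sh
# Added example (not IBM's code): deploy a DB2 user ID/password plug-in
# with the db2 CLP. With DRY_RUN=1 (the default) every command is printed
# instead of executed, so the plan can be reviewed first; set DRY_RUN=0 on a
# host where the db2 CLP is on the PATH.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print (dry run) or execute one command line.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The authentication types the page allows for srvcon_auth / authentication.
valid_auth_type() {
    case "$1" in
        CLIENT|SERVER|SERVER_ENCRYPT|DATA_ENCRYPT|DATA_ENCRYPT_CMP) return 0 ;;
        *) return 1 ;;
    esac
}

# DB2 names a plug-in by its library file name without the extension.
plugin_name() {
    name=$(basename "$1")
    printf '%s\n' "${name%.*}"
}

# Copying over a plug-in that a running process has loaded is undefined
# behaviour (see the note above), so stop the instance before redeploying.
stop_instance()  { run db2stop force; }
start_instance() { run db2start; }

# Server side: copy the library into the server plug-in directory, register
# it as srvcon_pw_plugin and select the authentication type. scope=srvcon
# (default) sets srvcon_auth directly; scope=global leaves srvcon_auth at
# NOT_SPECIFIED and sets the instance-wide authentication parameter instead.
deploy_server_plugin() {
    lib="$1"; plugin_dir="$2"; auth_type="$3"; scope="${4:-srvcon}"
    valid_auth_type "$auth_type" || { echo "bad auth type: $auth_type" >&2; return 1; }
    run cp "$lib" "$plugin_dir/"
    run db2 update dbm cfg using srvcon_pw_plugin "$(plugin_name "$lib")"
    if [ "$scope" = "global" ]; then
        run db2 update dbm cfg using srvcon_auth NOT_SPECIFIED
        run db2 update dbm cfg using authentication "$auth_type"
    else
        run db2 update dbm cfg using srvcon_auth "$auth_type"
    fi
}

# Client side: copy into the client plug-in directory and register it as
# clnt_pw_plugin. The client plug-in is loaded regardless of where
# authentication happens, so no authentication type is set here.
deploy_client_plugin() {
    lib="$1"; plugin_dir="$2"
    run cp "$lib" "$plugin_dir/"
    run db2 update dbm cfg using clnt_pw_plugin "$(plugin_name "$lib")"
}

# Local authorization on a client, server or gateway: the client-side steps
# plus the authentication parameter.
configure_local_authorization() {
    lib="$1"; plugin_dir="$2"; auth_type="$3"
    valid_auth_type "$auth_type" || { echo "bad auth type: $auth_type" >&2; return 1; }
    deploy_client_plugin "$lib" "$plugin_dir"
    run db2 update dbm cfg using authentication "$auth_type"
}

# Demo with constructed paths (run as: sh deploy_pw_plugin.sh demo).
if [ "${1:-}" = "demo" ]; then
    stop_instance
    deploy_server_plugin /tmp/build/mypwplugin.so /home/db2inst1/sqllib/security64/plugin/server SERVER_ENCRYPT
    deploy_client_plugin /tmp/build/mypwplugin.so /home/db2inst1/sqllib/security64/plugin/client
    start_instance
fi
```

Running the demo in dry-run mode lists the exact db2stop, cp, db2 update dbm cfg and db2start lines that DRY_RUN=0 would execute, which is the listing to review against the procedure before deploying on a real instance.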