DB2 Version 9.7 for Linux, UNIX, and Windows

Security under the IBM Data Server Driver for JDBC and SQLJ

When you use the IBM® Data Server Driver for JDBC and SQLJ, you choose a security mechanism by specifying a value for the securityMechanism property.

You can set the securityMechanism property in one of the following ways:

You can determine the security mechanism that is in effect for a connection by calling the DB2Connection.getDB2SecurityMechanism method.

The following table lists the security mechanisms that the IBM Data Server Driver for JDBC and SQLJ supports, and the data sources that support those security mechanisms.

Table 1. Data server support for IBM Data Server Driver for JDBC and SQLJ security mechanisms

| Security mechanism | Supported by DB2® for Linux, UNIX, and Windows | Supported by DB2 for z/OS® | Supported by IBM Informix® | Supported by DB2 for i |
|---|---|---|---|---|
| User ID and password | Yes | Yes | Yes | Yes |
| User ID only | Yes | Yes | Yes | Yes |
| User ID and encrypted password (1) | Yes | Yes | Yes | Yes (3) |
| Encrypted user ID (1) | Yes | Yes | No | No |
| Encrypted user ID and encrypted password (1) | Yes | Yes | Yes | Yes (3) |
| Encrypted user ID and encrypted security-sensitive data (1) | No | Yes | No | No |
| Encrypted user ID, encrypted password, and encrypted security-sensitive data (1) | Yes | Yes | No | No |
| Kerberos (2) | Yes | Yes | No | Yes |
| Plugin (2) | Yes | No | No | No |
| Certificate authentication (2) | No | Yes | No | No |

Note:
  1. These security mechanisms use DRDA® encryption. DRDA encryption is not intended to provide confidentiality and integrity of passwords or data over a network that is not secure, such as the Internet. DRDA encryption uses an anonymous key exchange, Diffie-Hellman, which does not provide authentication of the server or the client. DRDA encryption is vulnerable to man-in-the-middle attacks.
  2. Available for IBM Data Server Driver for JDBC and SQLJ type 4 connectivity only.
  3. The version of the data source must be DB2 for i V6R1 or later.

The following table lists the security mechanisms that the IBM Data Server Driver for JDBC and SQLJ supports, and the securityMechanism property value that selects each one.

The default security mechanism is CLEAR_TEXT_PASSWORD_SECURITY. If the server does not support CLEAR_TEXT_PASSWORD_SECURITY, an error occurs. In addition, any other mismatch in security mechanism support between the requester and the server results in an error.

Table 2. Security mechanisms supported by the IBM Data Server Driver for JDBC and SQLJ

| Security mechanism | securityMechanism property value |
|---|---|
| User ID and password | DB2BaseDataSource.CLEAR_TEXT_PASSWORD_SECURITY |
| User ID only | DB2BaseDataSource.USER_ONLY_SECURITY |
| User ID and encrypted password (1) | DB2BaseDataSource.ENCRYPTED_PASSWORD_SECURITY |
| Encrypted user ID (1) | DB2BaseDataSource.ENCRYPTED_USER_ONLY_SECURITY |
| Encrypted user ID and encrypted password (1) | DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY |
| Encrypted user ID and encrypted security-sensitive data (1) | DB2BaseDataSource.ENCRYPTED_USER_AND_DATA_SECURITY |
| Encrypted user ID, encrypted password, and encrypted security-sensitive data (1) | DB2BaseDataSource.ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY |
| Kerberos | DB2BaseDataSource.KERBEROS_SECURITY |
| Plugin | DB2BaseDataSource.PLUGIN_SECURITY |
| Certificate authentication | DB2BaseDataSource.TLS_CLIENT_CERTIFICATE_SECURITY |

Note:
  1. DRDA encryption is not intended to provide confidentiality and integrity of passwords or data over a network that is not secure, such as the Internet. DRDA encryption uses an anonymous key exchange, Diffie-Hellman, which does not provide authentication of the server or the client. DRDA encryption is vulnerable to man-in-the-middle attacks.
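
The following is an added example, not code from the IBM documentation: it selects a non-default mechanism from Table 2 on a DB2SimpleDataSource, then reads back the mechanism in effect with DB2Connection.getDB2SecurityMechanism and refuses the connection if it differs from the one requested. The host name, port, database name and credentials are placeholders, and the class name SecurityMechanismCheck is assumed.

```java
import java.sql.Connection;
import java.sql.SQLException;

import com.ibm.db2.jcc.DB2BaseDataSource;
import com.ibm.db2.jcc.DB2Connection;
import com.ibm.db2.jcc.DB2SimpleDataSource;

public class SecurityMechanismCheck {

    /**
     * Opens a type 4 connection that explicitly requests the given
     * security mechanism and verifies that it is the one in effect.
     * Server name, port and database name below are placeholders.
     */
    public static Connection connectWithMechanism(short requested,
                                                  String user,
                                                  String password)
            throws SQLException {
        DB2SimpleDataSource ds = new DB2SimpleDataSource();
        ds.setDriverType(4);                    // type 4 connectivity
        ds.setServerName("db2host.example");    // placeholder host
        ds.setPortNumber(50000);                // placeholder port
        ds.setDatabaseName("SAMPLE");           // placeholder database
        ds.setUser(user);
        ds.setPassword(password);
        // Do not rely on the default (CLEAR_TEXT_PASSWORD_SECURITY):
        // state the mechanism so a downgrade shows up as an error.
        ds.setSecurityMechanism(requested);

        Connection conn = ds.getConnection();
        short inEffect = ((DB2Connection) conn).getDB2SecurityMechanism();
        if (inEffect != requested) {
            // The driver already fails on a mismatch; this is a
            // belt-and-braces check before the connection is used.
            conn.close();
            throw new SQLException("security mechanism in effect ("
                + inEffect + ") differs from requested (" + requested + ")");
        }
        return conn;
    }

    public static void main(String[] args) throws SQLException {
        // Pairs with a server whose authentication type is SERVER_ENCRYPT
        // (see Table 3). Credentials are placeholders.
        try (Connection c = connectWithMechanism(
                DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY,
                "db2user", "placeholder-password")) {
            System.out.println("mechanism in effect: "
                + ((DB2Connection) c).getDB2SecurityMechanism());
        }
    }
}
```

The DRDA encryption caveat in note 1 still applies to ENCRYPTED_USER_AND_PASSWORD_SECURITY; this check only confirms that the requested mechanism was negotiated, not that the transport is authenticated.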

The following table shows possible DB2 for Linux, UNIX, and Windows server authentication types and the compatible IBM Data Server Driver for JDBC and SQLJ securityMechanism property values.

Table 3. Compatible DB2 for Linux, UNIX, and Windows server authentication types and IBM Data Server Driver for JDBC and SQLJ securityMechanism values

| DB2 for Linux, UNIX, and Windows server authentication type | securityMechanism setting |
|---|---|
| CLIENT | USER_ONLY_SECURITY |
| SERVER | CLEAR_TEXT_PASSWORD_SECURITY |
| SERVER_ENCRYPT | CLEAR_TEXT_PASSWORD_SECURITY, ENCRYPTED_PASSWORD_SECURITY, or ENCRYPTED_USER_AND_PASSWORD_SECURITY |
| DATA_ENCRYPT | ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY |
| KERBEROS | KERBEROS_SECURITY or PLUGIN_SECURITY (2) |
| KRB_SERVER_ENCRYPT | KERBEROS_SECURITY, PLUGIN_SECURITY (1), ENCRYPTED_PASSWORD_SECURITY, or ENCRYPTED_USER_AND_PASSWORD_SECURITY |
| GSSPLUGIN | PLUGIN_SECURITY (1) or KERBEROS_SECURITY |
| GSS_SERVER_ENCRYPT (3) | CLEAR_TEXT_PASSWORD_SECURITY, ENCRYPTED_PASSWORD_SECURITY, ENCRYPTED_USER_AND_PASSWORD_SECURITY, PLUGIN_SECURITY, or KERBEROS_SECURITY |

Notes:
  1. For PLUGIN_SECURITY, the plugin must be a Kerberos plugin.
  2. For PLUGIN_SECURITY, one of the plugins at the server identifies itself as supporting Kerberos.
  3. GSS_SERVER_ENCRYPT is a combination of GSSPLUGIN and SERVER_ENCRYPT.