5.3 Database Manager Configuration Parameter: ALTERNATE_AUTH_ENC

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The ALTERNATE_AUTH_ENC database manager configuration parameter specifies the encryption algorithm used to encrypt the user ID and password that the client sends to the server during a connect or attach. The parameter only takes effect when the authentication method negotiated between the client and the server is SERVER_ENCRYPT; with other authentication methods it is not consulted.

It is recommended to set this parameter to AES_ONLY.

Rationale:

If this parameter is left at its default of NOT_SPECIFIED, or set to AES_CMP, the server can still accept the DES algorithm to encrypt the user credentials when a client proposes it. 56-bit DES is cryptographically weak in comparison to AES, so an attacker able to capture the connect or attach exchange has a far easier target. AES_ONLY removes DES from the negotiation entirely.

Impact:

Be aware that implementing this recommendation requires restarting the Db2 instance, which results in a brief downtime; schedule the change for an approved maintenance window. Also note that once AES_ONLY is set, any client that cannot negotiate AES encryption for its credentials is rejected, so verify that all connecting clients and drivers support AES before making the change.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Attach to the Db2 instance

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration using alternate_auth_enc aes_only

Restart the Db2 instance.

db2 => db2stop
db2 => db2start
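The following shell script is an added example, not part of the CIS benchmark or the Tenable audit: it implements the compliance check for this recommendation against the text of `db2 get dbm cfg`, also reports the AUTHENTICATION setting (since ALTERNATE_AUTH_ENC only matters under SERVER_ENCRYPT), and prints the remediation commands from the Solution above when the instance is non-compliant. The two configuration excerpts embedded in it are constructed samples, and the exact label text on the "Alternate authentication" line is an assumption about `db2 get dbm cfg` output; run it against a live instance with `db2 get dbm cfg | alt_auth_enc_value` as shown in the comments.

```shell
#!/bin/sh
# Added example (not CIS or Tenable code). Audits ALTERNATE_AUTH_ENC from
# "db2 get dbm cfg" output. Works offline on the constructed samples below;
# on a real instance, pipe the live output in (see usage at the bottom).

# Extract the ALTERNATE_AUTH_ENC value from dbm cfg text read on stdin.
# Assumed line format (constructed, based on db2 get dbm cfg layout):
#   Alternate authentication        (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
alt_auth_enc_value() {
    sed -n 's/.*(ALTERNATE_AUTH_ENC) *= *\([A-Za-z_]*\).*/\1/p' | head -n 1
}

# Extract the AUTHENTICATION value (ALTERNATE_AUTH_ENC is only in effect
# when the negotiated method is SERVER_ENCRYPT).
authentication_value() {
    sed -n 's/.*(AUTHENTICATION) *= *\([A-Za-z_]*\).*/\1/p' | head -n 1
}

# Return 0 (compliant) only when the value is exactly AES_ONLY.
# NOT_SPECIFIED and AES_CMP both still allow DES and are non-compliant.
alt_auth_enc_compliant() {
    value=$(printf '%s\n' "$1" | alt_auth_enc_value)
    [ "$value" = "AES_ONLY" ]
}

# Remediation steps from the Solution section, as plain db2 CLP invocations.
# <db2instance> is a placeholder for the real instance name.
remediation_commands() {
    cat <<'EOF'
db2 attach to <db2instance>
db2 update database manager configuration using alternate_auth_enc aes_only
db2 detach
db2stop
db2start
EOF
}

# Print a PASS/FAIL line for the given dbm cfg text; return 0 on PASS, 1 on FAIL.
audit_dbm_cfg() {
    cfg="$1"
    alt=$(printf '%s\n' "$cfg" | alt_auth_enc_value)
    auth=$(printf '%s\n' "$cfg" | authentication_value)
    if [ "$auth" != "SERVER_ENCRYPT" ]; then
        echo "NOTE: AUTHENTICATION is ${auth:-unset}; ALTERNATE_AUTH_ENC only applies under SERVER_ENCRYPT"
    fi
    if alt_auth_enc_compliant "$cfg"; then
        echo "PASS: ALTERNATE_AUTH_ENC = $alt"
        return 0
    fi
    echo "FAIL: ALTERNATE_AUTH_ENC = ${alt:-not found} (expected AES_ONLY); remediate with:"
    remediation_commands | sed 's/^/    /'
    return 1
}

# Constructed sample excerpts of "db2 get dbm cfg" output (not captured from
# a real system): one weak default, one remediated.
SAMPLE_CFG_WEAK=' Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Alternate authentication           (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED'

SAMPLE_CFG_OK=' Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Alternate authentication           (ALTERNATE_AUTH_ENC) = AES_ONLY'

# Demonstration on the constructed samples ("|| true" keeps a FAIL from
# aborting the script when run under "set -e").
audit_dbm_cfg "$SAMPLE_CFG_WEAK" || true
audit_dbm_cfg "$SAMPLE_CFG_OK" || true

# Live usage (as the instance owner, with the Db2 environment sourced):
#   audit_dbm_cfg "$(db2 get dbm cfg)"
```

The check is deliberately strict: only AES_ONLY passes, because AES_CMP still lets a client fall back to DES. A FAIL result is a configuration finding, not proof that DES was ever negotiated; confirming actual client behaviour requires reviewing the clients or the negotiation on the wire.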

See Also

https://workbench.cisecurity.org/files/4033