5.2 Specify a Secure Authentication Type (AUTHENTICATION)

Information

The AUTHENTICATION database manager configuration parameter specifies how and where authentication takes place for incoming connections to the database as well as local authorization of commands run outside a connection or attachment, such as tools run from the command line. This parameter can be overridden by the SRVCON_AUTH parameter for incoming connections.

This parameter can take on any of the following values:

CLIENT
SERVER
SERVER_ENCRYPT
DATA_ENCRYPT
DATA_ENCRYPT_CMP
KERBEROS
KRB_SERVER_ENCRYPT
GSSPLUGIN
GSS_SERVER_ENCRYPT

Recommendations:

Do not use the CLIENT, DATA_ENCRYPT or DATA_ENCRYPT_CMP authentication types.

SERVER_ENCRYPT is recommended instead of SERVER as a compensating configuration when TLS cannot be used to encrypt client-server communications.

Rationale:

When using CLIENT authentication type, the server trusts the client to authenticate the connecting user. A malicious user can connect to the database as any user including a database administrator by simply creating that user on the client system.

The DATA_ENCRYPT and DATA_ENCRYPT_CMP authentication types provide the ability to encrypt both user credentials and user data when sent from the client to the server. Because these authentication types use the DES encryption algorithm, which is cryptographically weak, they are deprecated in favor of SSL.

When using the SERVER authentication type without SSL enabled, the user ID and password sent from the client to the server during a connect or an attach are in plaintext. These credentials are therefore exposed when sent across an insecure network and can be intercepted by a malicious user.

Impact:

It is important to be aware that the implementation of this recommendation results in a brief downtime. It is therefore advisable to ensure that the setting is implemented during an approved maintenance window.

Solution

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration using authentication <authentication type>

Restart the Db2 instance.

db2 => db2stop
db2 => db2start
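Before and after applying the change, an auditor typically wants to read the effective authentication type back out of `db2 get dbm cfg` and classify it against the recommendation above. The following POSIX shell helper is an added example, not part of the CIS benchmark or the Nessus plugin output; the configuration text it parses is a constructed sample in the `(PARAMETER) = value` layout that `db2 get dbm cfg` prints, and the verdict labels (FAIL, WARN, PASS) are this example's own convention. It honors the rule stated in the Information section that SRVCON_AUTH overrides AUTHENTICATION for incoming connections when it is not NOT_SPECIFIED.

```shell
#!/bin/sh
# Audit helper for the AUTHENTICATION recommendation (added example).
# Constructed sample of `db2 get dbm cfg` output; not captured from a real instance.
SAMPLE_DBM_CFG=' Database manager authentication        (AUTHENTICATION) = SERVER
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Trust all clients                        (TRUST_ALLCLNTS) = YES'

# cfg_value <PARAM> <dbm cfg text>: print the value from the "(PARAM) = value" line.
cfg_value() {
    printf '%s\n' "$2" | sed -n "s/.*(${1}) *= *\([A-Z_]*\).*/\1/p" | head -n 1
}

# effective_auth <dbm cfg text>: SRVCON_AUTH overrides AUTHENTICATION for
# incoming connections unless it is NOT_SPECIFIED (or absent from the output).
effective_auth() {
    auth=$(cfg_value AUTHENTICATION "$1")
    srvcon=$(cfg_value SRVCON_AUTH "$1")
    if [ -n "$srvcon" ] && [ "$srvcon" != NOT_SPECIFIED ]; then
        printf '%s\n' "$srvcon"
    else
        printf '%s\n' "$auth"
    fi
}

# classify_auth <type>: FAIL for the prohibited types, WARN for SERVER
# (plaintext credentials unless TLS is in use), PASS for the remaining
# documented values, UNKNOWN for anything else.
classify_auth() {
    case "$1" in
        CLIENT|DATA_ENCRYPT|DATA_ENCRYPT_CMP) echo FAIL ;;
        SERVER) echo WARN ;;
        SERVER_ENCRYPT|KERBEROS|KRB_SERVER_ENCRYPT|GSSPLUGIN|GSS_SERVER_ENCRYPT) echo PASS ;;
        *) echo UNKNOWN ;;
    esac
}

# audit_dbm_cfg <dbm cfg text>: one-line verdict "<VERDICT> <effective type>".
audit_dbm_cfg() {
    eff=$(effective_auth "$1")
    printf '%s %s\n' "$(classify_auth "$eff")" "$eff"
}

# Against a live instance (requires the db2 CLI in PATH and an attached instance):
#   audit_dbm_cfg "$(db2 get dbm cfg)"
audit_dbm_cfg "$SAMPLE_DBM_CFG"   # prints: WARN SERVER
```

Run the same function after `db2start` to confirm the new value took effect; a WARN on SERVER is acceptable only where TLS already protects the client-server channel, as the Recommendations section describes.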

Refer to the 'encryption of data in motion' section for more information about using SSL for client-server communication.

See Also

https://workbench.cisecurity.org/benchmarks/10752