3.1.10 Secure the Java Development Kit Installation Path (JDK_PATH)

Information

The JDK_PATH parameter contains the directory under which the Software Developer's Kit (SDK) for Java(TM) is installed. The Java SDK is used for running Java stored procedures and user-defined functions. It is recommended that the owner of this directory is bin on Linux and AIX, and a member of the Db2 administration group on Windows. The directory should have read and execute permission for all users, but only write permission for the owner.

Rationale:

Restricting access to the Java JDK will help ensure that only an authorized JDK is used for running Java routines within Db2.

Solution

For Windows and Linux:

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command to change the JDK path, if necessary:

db2 => update database manager configuration using jdk_path <valid directory>

Additional steps for Windows:

Connect to the Db2 host

Right-click over the directory used as the JDK path

Choose Properties

Select the Security tab

Assign ownership of the directory to the Db2 Administrator

Grant all Db2 administrator accounts the Full Control authority

Grant only read and execute privileges to all other users (revoke all other privileges)

Additional steps for Linux:

Connect to the Db2 host as root

Change to the directory used as the JDK path

Assign bin to be the owner of the directory using the chown command

Change the permissions for the directory

$ chmod -R 755 .
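
A read-only check for the Linux steps above, as an added example that is not part of the benchmark text: it verifies the directory owner, read and execute access for all users, and that nothing under the path is writable by group or other. The function name check_jdk_path is hypothetical, GNU stat is assumed, and the directory to check (the instance's JDK_PATH value) is passed as an argument.

```shell
#!/bin/sh
# Added example, not benchmark code. Assumes Linux with GNU coreutils (stat -c).
# check_jdk_path DIR [OWNER]: returns 0 if DIR matches the recommendation, else 1.
check_jdk_path() {
    _dir=$1
    _owner=${2:-bin}    # owner recommended by the benchmark on Linux and AIX
    _rc=0

    if [ ! -d "$_dir" ]; then
        echo "FAIL: $_dir is not a directory"
        return 1
    fi
    # Resolve symlinks so the real directory is what gets checked.
    _dir=$(cd "$_dir" && pwd -P) || { echo "FAIL: cannot enter $1"; return 1; }

    # The directory itself must belong to the expected owner.
    _actual=$(stat -c '%U' "$_dir")
    if [ "$_actual" != "$_owner" ]; then
        echo "FAIL: $_dir is owned by $_actual, expected $_owner"
        _rc=1
    fi

    # All users need read and execute on the directory (r-x in every class).
    if [ -z "$(find "$_dir" -prune -perm -555)" ]; then
        echo "FAIL: $_dir is not readable and executable by all users"
        _rc=1
    fi

    # Nothing below the path may be writable by group or other. Symbolic
    # links are skipped: their own mode bits are always rwxrwxrwx on Linux.
    _writable=$(find "$_dir" ! -type l \( -perm -020 -o -perm -002 \))
    if [ -n "$_writable" ]; then
        echo "FAIL: writable by group or other:"
        echo "$_writable"
        _rc=1
    fi

    [ "$_rc" -eq 0 ] && echo "PASS: $_dir"
    return "$_rc"
}

# Stand-alone use: sh check_jdk_path.sh <JDK_PATH directory> [owner]
if [ "$#" -gt 0 ]; then
    check_jdk_path "$@"
fi
```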

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: d5b79196a2f15fe8f3dbd421fc894bf0b00627ef7e72f0e7b183a9db8b7d66dc