Information
The ALTERNATE_AUTH_ENC database manager configuration parameter specifies the encryption algorithm used to encrypt the user ID and password that a client sends during a connect or attach. It is in effect only when the authentication method negotiated between the client and the server is SERVER_ENCRYPT; it has no effect on the encryption of the data stream itself.
It is recommended to set this parameter to AES_ONLY.
Rationale:
If this parameter is left at its default of NOT_SPECIFIED, or set to AES_CMP, the server accepts 56-bit DES for encrypting the credentials of any client that does not offer AES, and DES is cryptographically weak in comparison to AES. With AES_ONLY the server accepts AES alone and rejects clients that cannot negotiate it, so the DES fallback is closed off.
Impact:
Changing this parameter requires the Db2 instance to be stopped and restarted, which causes a brief outage, so the change should be made during an approved maintenance window. After the change, clients that can only negotiate DES will no longer be able to connect or attach; confirm that all clients support AES before applying it.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Attach to the Db2 instance:
db2 => attach to <db2instance>
Run the following command:
db2 => update database manager configuration using alternate_auth_enc aes_only
Restart the Db2 instance:
db2 => db2stop
db2 => db2start
Confirm the new value after the restart:
db2 => get database manager configuration
The output should contain a line ending in (ALTERNATE_AUTH_ENC) = AES_ONLY.
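The procedure above as an added POSIX shell helper, written for this page rather than taken from the benchmark, IBM or Nessus. It audits the parameter by parsing the output of the CLP command "get database manager configuration" and, when run with --apply <instance> as the instance owner, performs the remediation steps. The two sample outputs embedded in the script are constructed excerpts used to exercise the parser offline; the exact descriptive text on each line of a real "get dbm cfg" listing may differ, which is why the parser keys only on the parameter keyword shown in parentheses.

```shell
#!/bin/sh
# Audit / remediation helper for the Db2 ALTERNATE_AUTH_ENC parameter.
# Added example for this page, not IBM's or the benchmark's own tooling.
# Assumes it runs as the instance owner with the db2 CLP on PATH
# (db2profile sourced); without a CLP it only exercises the samples.

# Constructed excerpts of "db2 get database manager configuration" output,
# one before and one after remediation (descriptive text is illustrative).
SAMPLE_WEAK=' Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Alternate authentication encryption  (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED'

SAMPLE_FIXED=' Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Alternate authentication encryption  (ALTERNATE_AUTH_ENC) = AES_ONLY'

# dbm_cfg_value KEYWORD: read a dbm cfg listing on stdin and print the value
# of the parameter whose keyword appears in parentheses, e.g. ALTERNATE_AUTH_ENC.
# Prints nothing if the keyword is absent.
dbm_cfg_value() {
    sed -n "s/.*($1)[[:space:]]*=[[:space:]]*//p" | head -n 1 | tr -d '[:space:]'
}

# check_alternate_auth_enc: read a dbm cfg listing on stdin; return 0 only
# when ALTERNATE_AUTH_ENC is AES_ONLY. NOT_SPECIFIED and AES_CMP both leave
# the DES fallback open, and a missing line is treated as a failure too.
check_alternate_auth_enc() {
    value=$(dbm_cfg_value ALTERNATE_AUTH_ENC)
    case "$value" in
        AES_ONLY) echo "PASS: ALTERNATE_AUTH_ENC = AES_ONLY"; return 0 ;;
        "")       echo "FAIL: ALTERNATE_AUTH_ENC not found in output"; return 1 ;;
        *)        echo "FAIL: ALTERNATE_AUTH_ENC = $value (DES fallback permitted)"; return 1 ;;
    esac
}

# remediate INSTANCE: the benchmark's steps, typed to the CLP from the shell.
# Restarting the instance is an outage; run this in a maintenance window.
remediate() {
    db2 attach to "$1"
    db2 update database manager configuration using alternate_auth_enc aes_only
    db2 terminate   # release the CLP back-end before stopping the instance
    db2stop
    db2start
}

# Stand-alone use: audit the live instance, or remediate with --apply <instance>.
if command -v db2 >/dev/null 2>&1; then
    if [ "${1:-}" = "--apply" ]; then
        remediate "${2:?instance name required}"
    fi
    db2 get database manager configuration | check_alternate_auth_enc
else
    # No Db2 on this host: show the checker on the constructed samples.
    for sample in "$SAMPLE_WEAK" "$SAMPLE_FIXED"; do
        printf '%s\n' "$sample" | check_alternate_auth_enc || :
    done
fi
```

The audit path can be pointed at many instances from a jump host by replacing the local "db2 get database manager configuration" with the same command run over ssh as each instance owner; the parser only needs the listing on stdin. Because ALTERNATE_AUTH_ENC only matters when SERVER_ENCRYPT is negotiated, dbm_cfg_value AUTHENTICATION (and SRVCON_AUTH, which overrides it for incoming connections when set) is worth reading in the same pass so the finding is reported in context.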