5.1 Specify a Secure Connection Authentication Type (SRVCON_AUTH)

Information

This parameter can take on any of the following values:

NOT_SPECIFIED

CLIENT

SERVER

SERVER_ENCRYPT

KERBEROS

KRB_SERVER_ENCRYPT

GSSPLUGIN

GSS_SERVER_ENCRYPT

SERVER_ENCRYPT_TOKEN

KERBEROS_TOKEN

GSSPLUGIN_TOKEN

KRB_SVR_ENC_TOKEN

GSS_SVR_ENC_TOKEN

If this parameter is set to NOT_SPECIFIED, then the type of authentication for connections is determined by the AUTHENTICATION parameter.

Recommendations:

Do not use CLIENT authentication type.

SERVER_ENCRYPT instead of SERVER is recommended as a compensating configuration if TLS cannot be used to encrypt client-server communications.

Rationale:

When using CLIENT authentication type, the server trusts the client to authenticate the connecting user. A malicious user can connect to the database as any user including a database administrator by simply creating that user on the client system.

When using SERVER authentication type without SSL enabled, the user ID and password that are sent from the client to the server during a connect or an attach are in plaintext format. Therefore, these credentials are exposed when sent across an unsecure network and can be intercepted by a malicious user.

Impact:

It is important to be aware that the implementation of this recommendation results in a brief downtime. It is advisable to ensure that the setting is implemented during an approved maintenance window.

Solution

Attach to the Db2 instance

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration using srvcon_auth <authentication type>

Restart the Db2 instance.

db2 => db2stop
db2 => db2start
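The following audit helper is an added example, not part of the benchmark: it reads `db2 get dbm cfg` output, works out the authentication type connections actually get (SRVCON_AUTH unless it is NOT_SPECIFIED, in which case AUTHENTICATION applies) and grades it against the recommendation above. The two configuration lines embedded below are a constructed sample; on a live instance pass the output of `db2 get dbm cfg` to effective_auth instead.

```shell
#!/bin/sh
# Constructed sample of the two relevant lines from 'db2 get dbm cfg';
# the real output has many more lines in the same "Name (KEYWORD) = value" layout.
SAMPLE_CFG=' Database manager authentication        (AUTHENTICATION) = SERVER
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED'

# cfg_value KEYWORD: print the value of the "(KEYWORD) = value" line read from stdin
cfg_value() {
    sed -n "s/^.*(${1}) *= *\([A-Z_]*\).*$/\1/p" | head -n 1
}

# effective_auth CFG_TEXT: the authentication type applied to client connections.
# SRVCON_AUTH takes precedence; NOT_SPECIFIED (or a missing line) falls back to AUTHENTICATION.
effective_auth() {
    ea_cfg="$1"
    ea_srvcon=$(printf '%s\n' "$ea_cfg" | cfg_value SRVCON_AUTH)
    ea_auth=$(printf '%s\n' "$ea_cfg" | cfg_value AUTHENTICATION)
    if [ -z "$ea_srvcon" ] || [ "$ea_srvcon" = "NOT_SPECIFIED" ]; then
        printf '%s\n' "$ea_auth"
    else
        printf '%s\n' "$ea_srvcon"
    fi
}

# assess_auth TYPE: FAIL for CLIENT (the server trusts the client's identity claim),
# WARN for plain SERVER (user ID and password cross the network in cleartext unless
# TLS is in place), PASS for every other value, UNKNOWN if nothing could be parsed.
assess_auth() {
    case "$1" in
        "")      echo UNKNOWN ;;
        CLIENT)  echo FAIL ;;
        SERVER)  echo WARN ;;
        *)       echo PASS ;;
    esac
}

# Stand-alone run against the constructed sample: prints "SERVER -> WARN"
sample_auth=$(effective_auth "$SAMPLE_CFG")
echo "effective authentication: $sample_auth -> $(assess_auth "$sample_auth")"
```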

Refer to the 'encryption of data in motion' section for more information about using SSL for client-server communication.

See Also

https://workbench.cisecurity.org/benchmarks/10752