IBM Books

Administration Guide


Directory Services Security

When using DCE directory services in an environment without a DB2 Connect gateway, authentication is the same as is used for other DB2 Client Application Enabler accessing database servers. For more information, see "Authentication".

When using DCE directory services in an environment with a DB2 Connect gateway, the DB2 Connect administrator determines where user names and passwords are validated. With DCE directories, specify the following:

Table 57 shows the possible combinations of these values and where validation is performed for each combination using APPC connections. The combinations shown in this table are supported by DB2 Connect with DCE Directory Services.

Table 57. Valid Security Scenarios with DCE using APPC Connections
  Database Object of the Server Routing Object Validation
Case Authentication Security Authenticate at Gateway
1 CLIENT SAME 0 Remote client (or DB2 Connect workstation)
2 CLIENT SAME 1 DB2 Connect workstation
3 SERVER PROGRAM 0 DRDA server
4 SERVER PROGRAM 1 DB2 Connect workstation and DRDA server
5 DCE NONE Not applicable DCE

Table 58 shows the possible combinations of these values and where validation is performed for each combination using TCP/IP connections. The combinations shown in this table are supported by DB2 Connect with DCE Directory Services.

Table 58. Valid Security Scenarios with DCE using TCP/IP Connections
Case Authentication Authenticate at Gateway Validation
1 CLIENT 0 Client
2 CLIENT 1 DB2 Connect workstation
3 SERVER 0 DRDA server
4 Not applicable Not applicable None
5 DCE Not applicable DCE

Each combination is applicable to both APPC and TCP/IP and is described in more detail below:

  1. The user name and password are validated only at the remote client. (For a local client, the user name and password are validated only at the DB2 Connect workstation.)

    The user is expected to be authenticated at the location he or she first signs on to. The user ID is sent across the network, but not the password. Use this type of security only if all client workstations have adequate security facilities.

  2. The user name and password are validated at the DB2 Connect workstation only. The password is sent across the network from the remote client to the DB2 Connect workstation but not to the DRDA server.
  3. The user name and password are validated at the DRDA server only. The password is sent across the network from the remote client to the DB2 Connect workstation and from the DB2 Connect workstation to the DRDA server.
  4. The user name and password are validated at both the DB2 Connect workstation and the DRDA server. The password is sent across the network from the remote client to the DB2 Connect workstation and from the DB2 Connect workstation to the DRDA server.

    Because validation is performed in two places, the same set of user names and passwords must be maintained at both the DB2 Connect workstation and the DRDA server.

  5. A DCE token is obtained from the DCE Security Server.

Notes:

  1. For AIX-based systems, all users using security type SAME must belong to the AIX system group.

  2. For AIX-based systems with remote clients, the instance of the DB2 Connect product running on the DB2 Connect workstation must belong to the AIX system group.

  3. Access to a DRDA server is controlled by its own security mechanisms or subsystems; for example, the Virtual Telecommunications Access Method (VTAM) and Resource Access Control Facility (RACF). Access to protected database objects is controlled by the SQL GRANT and REVOKE statements.


[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]

[ DB2 List of Books | Search the DB2 Books ]