Whether a process can gain access to a specific DB2 subsystem can be controlled outside of DB2. A common procedure is to grant access only through RACF or a similar security system. DB2 address spaces and profiles for access to DB2 from various environments are defined as resources to RACF. These profiles are identified by the subsystem and the environment. Environments include
Each request to access DB2 is associated with an ID. RACF checks that the ID is authorized for DB2 resources and permits or refuses access to DB2. The RACF system provides several advantages of its own. For example, RACF can
Local DB2 Access
A local DB2 user is subject to several checks even before reaching DB2. For example, if you are running a program that accesses DB2 under TSO and using the TSO log-on ID as the DB2 primary authorization ID, that ID was verified with a password when the user logged on to TSO. When the user gains access to DB2, a user-written or IBM-supplied exit routine called by DB2 can check the authorization ID further, change it, and associate it with secondary IDs. In providing these services, DB2 can use the services of an external security system.
A remote user is also subject to several checks before reaching your DB2 subsystem. You can use RACF or a similar security subsystem to control access from remote subsystems and clients.
RACF also provides the ability to
DB2's communications database does allow some control of authentication in that you can cause IDs to be translated before sending them to the remote system. For more information about accessing DB2 and the CDB, refer to Chapter 2.
IMS and CICS Security
Access to DB2 can also be controlled from within IMS or CICS.
Kerberos security is a network security technology developed at the Massachusetts Institute of Technology. DB2 for z/OS can use Kerberos security services to authenticate remote users. With Kerberos security services, remote end users access DB2 when they issue their Kerberos name and password. This same name and password are used for access thoughout the network, so a separate MVS password to access DB2 is not necessary.
The Kerberos security technology does not require passwords to flow in readable text, making it secure even in client/server environments. This flexibility is possible because Kerberos uses an authentication technology that encrypts tickets that contain authentication information for the end user.
DB2 support for Kerberos security requires RACF or the functional equivalent. The Network Authentication and Privacy Service provides Kerberos support and relies on a security product, such as RACF, to provide registry support.
You can use Kerberos security only if you have RACF.