Section 10.2. Authentication

10.2. Authentication

Authentication is the process of validating a supplied user ID and password against a security facility. This authentication occurs when you try to connect to a database or attach to an instance. The security facility is external to DB2; user IDs and passwords are not stored in a DB2 server. Authentication can occur at any of the following:

• At a DB2 server ( Figure 10.1, Instance 1)

• At a DB2 client (Figure 10.1, Instance 2)

• Using a customized loadable library via Generic Security Service (GSS) (Figure 10.1, Instance 3)

• At a Kerberos security service (Figure 10.1, Instance 4)

The authentication process also determines which operating system groups the user belongs to. Group membership lookup is essential because it lets users inherit certain authorities or privileges through groups.

The following sections describe how to configure the authentication type by using configuration parameters at the DB2 server and at the client respectively. The combination of the client and server authentication configuration determines where and how the authentication will take place (the authentication method).

10.2.1. Configuring the Authentication Type at a DB2 Server

To configure the authentication type at a DB2 server, you use the Database Manager (DBM) Configuration parameter AUTHENTICATION. If you are not already familiar with DBM Configuration parameters, refer to Chapter 5, Understanding the DB2 Environment, DB2 Instances, and Databases. For completeness, we are including the command here to display the current DBM parameter settings:

 get dbm cfg 

From the output, locate the following line where the authentication type is specified:

 Database manager authentication        (AUTHENTICATION) = SERVER 

SERVER is the default authentication type of an instance. Figure 10.2 shows this authentication type.

To change the value to the KERBEROS authentication type, for example, use this DB2 command:

 update dbm cfg using authentication KERBEROS 

Alternatively, you can use the Control Center to make this change. Chapter 4, Using the DB2 Tools, describes the Control Center in detail.

Table 10.1 summarizes the values the AUTHENTICATION parameter accepts.

The output of the get dbm cfg command includes another authentication-related parameter, called server connection authentication (SRVCON_AUTH):

 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED 

This parameter sets the authentication type at the DB2 server for incoming database connections. Note that only database connections evaluate the value of this parameter. Explicit instance attachment and operations that require implicit instance attachment still use AUTHENTICATION to resolve the authentication type.

These examples show how to implicitly attach to an instance:

 update dbm cfg create database SAMPLE 

By default, SRVCON_AUTH has a value of NOT_SPECIFIED. In this case, the value of AUTHENTICATION is used instead.

10.2.2. Configuring the Authentication Type at a DB2 Client

When a client is configured to connect to a database, you need to catalog the node and the database. The catalog database command has an option called AUTHENTICATION that allows you to indicate the authentication type to be used when connecting to the specified database from a DB2 client as shown in Figure 10.3.

Figure 10.4 illustrates the syntax of the catalog database command.

Figure 10.4. Syntax of the CATALOG DATABASE command

 >>-CATALOG--+-DATABASE-+--database-name--+-----------+---------->             '-DB-------'                 '-AS--alias-' >--+-------------------+---------------------------------------->    +-ON--+-path--+-----+    |     '-drive-'     |    '-AT NODE--nodename-' >--+--------------------------------------------------------------+-->    '-AUTHENTICATION--+-SERVER-----------------------------------+-'                      +-CLIENT-----------------------------------+                      +-SERVER_ENCRYPT---------------------------+                      +-KERBEROS TARGET PRINCIPAL--principalname-+                      +-SQL_AUTHENTICATION_DATAENC---------------+                      +-SQL_AUTHENTICATION_DATAENC_CMP-----------+                      '-GSSPLUGIN--------------------------------' >--+------------------------+----------------------------------><    '-WITH--"comment-string"-' 

The authentication type SERVER is the default. To change this setting, explicitly specify the AUTHENTICATION keyword along with one of the supported values shown in Table 10.2. The following is an example of using GSSPLUGIN authentication.

 catalog db sample at node dbsrv authentication gssplugin 

10.2.3. Authenticating Users at the DB2 Server

As mentioned earlier, authenticating a user and the associated password at the DB2 server is the default behavior. The DBM configuration parameter at the server and the authentication option in the database directory entry are both set to SERVER. DB2 does not maintain any user and password information. This implies that the user ID and password pair must be defined in the security facility built in the operating system of the server. Figure 10.5 demonstrates a few scenarios of server authentication.

Figure 10.5. Example of SERVER authentication

NOTE

As long as the database server authentication type is set to SERVER, authentication will always take place at the server.

In Scenario A, A1 issues a CONNECT statement to connect to the SAMPLE database that is remotely located in the dbsrv DB2 server. The user ID bob and the password bobpass are also provided. This pair of information is validated by the DB2 server security facility at A2. Once validated, bob is connected to SAMPLE in A3 provided that he has the appropriate CONNECT privilege (privileges are discussed later in this chapter).

Scenario B uses the same environment except that no user ID and password are provided in the CONNECT statement. When a remote database connection is requested, it is mandatory to supply a user ID and password. Therefore, the CONNECT statement specified in B1 fails.

Scenarios A and B are both remote requests. It is also very common to make local database connections from the DB2 server itself. Scenario C demonstrates such a request. Since you must have already logged into the server console with a valid user ID and password, it is not necessary to supply a user ID and password in the CONNECT statement at C1. If you choose to connect to the database with a different user ID, then you need to issue the CONNECT statement with the user ID and password you wish as shown in A1.

The SERVER_ENCRYPT authentication type behaves exactly the same as SERVER authentication except that both the user ID and password are encrypted.

10.2.4. Authenticating Users with the Kerberos Security Service

Kerberos is a network authentication protocol that employs secret-key cryptography to provide strong authentication for client/server applications. By using an encrypted key, Kerberos makes single sign-on to a remote DB2 server possible. Refer to Figure 10.6 to see how Kerberos authentication works with DB2.

Figure 10.6. Example of Kerberos authentication

In Figure 10.6:

1. A user logs in to the Kerberos system.

2. The Kerberos key distribution center generates a ticket and target principal name.

3. The DB2 client requests a service ticket for a DB2 server.

4. The Kerberos Key Distribution Center (KDC) grants a service ticket for the DB2 server.

5. The DB2 client connects to the DB2 server using the service ticket.

6. The DB2 server validates the service ticket and accepts the DB2 client connection request.

NOTE

Prior to DB2 Version 8.2, Kerberos only supported Windows 2000 platforms. With Version 8.2, Kerberos extended support to the Linux and UNIX platforms too.

The AUTHENTICATION type KERBEROS allows Kerberos-enabled clients to be authenticated at the Kerberos server. Although Kerberos is gaining popularity, there will be clients that do not have Kerberos support enabled. To accommodate these clients and at the same time ensure all clients are able to connect securely, you can set the authentication type at the DB2 server as KRB_SERVER_ENCRYPT. This option allows all Kerberos-enabled clients to be authenticated with Kerberos security service, while other clients use SERVER_ENCRYPT authentication instead.

Table 10.3 summarizes the resolved authentication types based on different client and server authentication settings related to Kerberos.

10.2.5. Authenticating Users with Generic Security Service Plug-ins

With DB2 Version 8.2, you can write authentication mechanisms to implement your own security model. These authentication modules follow the Generic Security Service Application Programming Interface (GSSAPI) standard as documented in the Internet's Requests for Comments (RFC) (see www.rfc-editor.org/rfc.html).

To employ the authentication plug-in, set the AUTHENTICATION type to GSSPLUGIN or GSS_SERVER_ENCRYPT so that the specified library modules are loaded at instance start time. DB2 clients then load an appropriate plug-in based on the security mechanism negotiated with the server during CONNECT or attach. You use the LOCAL_GSSPLUGIN Database Manager Configuration parameter to specify the name of the plug-in and must include the library name when using GSSPLUGIN or GSS_SERVER_ENCRYPT. Figure 10.7 illustrates an example of GSS.

Figure 10.7. Example of GSS authentication

When clients do not support the GSSPLUGIN security mechanism, you can use the GSS_SERVER_ENCRYPT authentication type, which allows those clients to establish database connections with behavior equivalent to SERVER_ENCRYPT.

The DB2 Version 8.2 authentication scheme requires plug-ins to manage the following:

• Group membership

• Authentication at the client

• Authentication at the server

If you do not specify the loadable libraries, DB2-supplied plug-ins are used instead. A few Database Manager Configuration parameters are introduced to support authentication plug-ins, and they are listed in Table 10.4. Table 10.4 lists the new Database Manager Configuration parameters that support authentication plug-ins.

DB2 provides sample plug-ins so you can develop your own plug-ins more easily. You must place the library files in the designated directory where DB2 looks for:

• Client-side user authentication plug-ins in the directory

  $DFTDBPATH/security/client-plugins (for Linux/UNIX)

  $DFTDBPATH\security\client-plugins (for Windows)

• Server-side user authentication plug-ins in the directory

  $DFTDBPATH/security/server-plugins (for Linux/UNIX)

  $DFTDBPATH\security\server-plugins (for Windows)

• Group plug-ins in the directory

  $DFTDBPATH/security/group-plugins (for Linux/UNIX)

  $DFTDBPATH\security\group-plugins (for Windows)

You specify the name of the plug-in as a Database Manager Configuration parameter. Use the full name of the library file, but do not include the file extension or the path. For example, to configure the group plug-in, issue:

 update dbm cfg using group_plugin mygrplib 

10.2.6. Authenticating Users at the DB2 Clients

When you want to allow DB2 clients to perform their own authentication, set the server authentication type to CLIENT. This setting does not mean that client authentication applies to every client; qualified clients are determined by two other DBM Configuration parametersTRUST_ALLCLNTS and TRUST_CLNTAUTH.

TRUST_ALLCLNTS (as you can tell from the name) specifies whether DB2 is going to trust all clients. DB2 categorizes clients into these types:

• Untrusted clients do not have a reliable security facility, such as Windows 98, Windows ME, and Classic Mac OS.

• Trusted clients have reliable security facilities like Windows 2000, AIX, z/OS, and Linux.

• Distributed Relational Database Architecture (DRDA) clients are on host legacy systems with reliable security facilities, including DB2 for z/OS, DB2 for iSeries, and DB2 for VM and VSE.

NOTE

Even though all DB2 Version 8 clients use the DRDA database communication protocol to communicate with DB2 servers, only clients running on mainframe legacy systems are considered as DRDA clients for historical and backward compatibility reasons.

TRUST_ALLCLNTS accepts any of the values summarized in Table 10.5.

You can specify a more granular security scheme with TRUST_ALLCLNTS. For example, you can let trusted clients perform authentication on their own and, at the same time, force untrusted clients to be authenticated at the server.

Consider a scenario in which you log into a Windows 2000 machine as localuser and connect to the remote database without specifying a user ID and password. localuser will be the connected authorization ID at the database. What if you want to connect to the database with a different user ID, for example, poweruser, who has the authority to perform a database backup? To allow such behavior, use TRUST_CLNTAUTH to specify where authentication will take place if a user ID and password are supplied in a CONNECT statement or attach command. Table 10.6 presents the values for TRUST_CLNTAUTH.

DB2 evaluates TRUST_ALLCLNTS and TRUST_CLNTAUTH only if you set AUTHENTICATION to CLIENT on the DB2 server. Figures 10.8, 10.9, 10.10, and 10.11 illustrate how to use these parameters.

In Figure 10.8, TRUST_ALLCLNTS is set to YES, so all clients are considered trusted and can perform their own authentication.

In Figure 10.9, TRUST_ALLCLNTS is set to NO, so only trusted clients perform their own authentication. Authentication for untrusted clients is done at the server.

In Figure 10.10, TRUST_CLNAUTH is set to SERVER. When user ID and password are specified in the CONNECT statement, authentication is performed at the server.

In Figure 10.11, TRUST_CLNTAUTH is set to SERVER and both clients provide user ID and password in the CONNECT statement. Hence, authentication is performed at the server for both clients.