Learning Visually with Examples [Electronic resources] نسخه متنی

Understanding DB2® Learning Visually with Examples
By Raul F. Chong, Clara Liu, Sylvia F. Qi, Dwaine R. Snow

Publisher	: Prentice Hall PTR
Pub Date	: January 25, 2005
ISBN	: 0-13-185916-1
Pages	: 928

10.2. Authentication

Authentication is the process of validating a supplied user ID and password against a security facility. This authentication occurs when you try to connect to a database or attach to an instance. The security facility is external to DB2; user IDs and passwords are not stored in a DB2 server. Authentication can occur at any of the following:

At a DB2 server ( Figure 10.1, Instance 1)
At a DB2 client (Figure 10.1, Instance 2)
Using a customized loadable library via Generic Security Service (GSS) (Figure 10.1, Instance 3)
At a Kerberos security service (Figure 10.1, Instance 4)

The authentication process also determines which operating system groups the user belongs to. Group membership lookup is essential because it lets users inherit certain authorities or privileges through groups.

The following sections describe how to configure the authentication type by using configuration parameters at the DB2 server and at the client respectively. The combination of the client and server authentication configuration determines where and how the authentication will take place (the authentication method).

10.2.1. Configuring the Authentication Type at a DB2 Server

To configure the authentication type at a DB2 server, you use the Database Manager (DBM) Configuration parameter AUTHENTICATION. If you are not already familiar with DBM Configuration parameters, refer to Chapter 5, Understanding the DB2 Environment, DB2 Instances, and Databases. For completeness, we are including the command here to display the current DBM parameter settings:

get dbm cfg

From the output, locate the following line where the authentication type is specified:


Database manager authentication        (AUTHENTICATION) = SERVER

SERVER is the default authentication type of an instance. Figure 10.2 shows this authentication type.

Figure 10.2. Configuring the authentication type at a DB2 server

To change the value to the KERBEROS authentication type, for example, use this DB2 command:

update dbm cfg using authentication KERBEROS

Alternatively, you can use the Control Center to make this change. Chapter 4, Using the DB2 Tools, describes the Control Center in detail.

Table 10.1 summarizes the values the AUTHENTICATION parameter accepts.

Table 10.1. Description of the Authentication Types
Authentication Type	Description
SERVER	Authenticates users at the DB2 server. This is the default value.
SERVER_ENCRYPT	Authenticates users at the DB2 server. When the user ID and password are sent to the server, they are both encrypted.
KERBEROS	Authenticates users at a Kerberos server.
KRB_SERVER_ENCRYPT	Authenticates users at a Kerberos server if both the DB2 server and client support Kerberos security service. Use SERVER_ENCRYPT instead if the client does not support Kerberos security service.
GSSPLUGIN	Authenticates users using an external GSS Application Programming Interface (GSSAPI)-based security mechanism.
GSS_SERVER_ENCRYPT	Authenticates users using an external GSSAPI-based security mechanism if both the DB2 server and client support GSS. Use SERVER_ENCRYPT instead if the client does not support GSS.
CLIENT	Authenticates users at the DB2 client depending on the settings of two other configuration parameters: TRUST_CLNTAUTH and TRUST_ALLCLNTS.

The output of the

get dbm cfg command includes another authentication-related parameter, called server connection authentication (SRVCON_AUTH):


Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED

This parameter sets the authentication type at the DB2 server for incoming database connections. Note that only database connections evaluate the value of this parameter. Explicit instance attachment and operations that require implicit instance attachment still use AUTHENTICATION to resolve the authentication type.

These examples show how to implicitly attach to an instance:

update dbm cfg

create database SAMPLE

By default, SRVCON_AUTH has a value of NOT_SPECIFIED. In this case, the value of AUTHENTICATION is used instead.

10.2.2. Configuring the Authentication Type at a DB2 Client

When a client is configured to connect to a database, you need to catalog the node and the database. The

catalog database command has an option called AUTHENTICATION that allows you to indicate the authentication type to be used when connecting to the specified database from a DB2 client as shown in Figure 10.3.

Figure 10.3. Configuring the authentication type at a DB2 client

Figure 10.4 illustrates the syntax of the

catalog database command.

Figure 10.4. Syntax of the CATALOG DATABASE command


>>-CATALOG--+-DATABASE-+--database-name--+-----------+---------->
'-DB-------'                 '-AS--alias-'
>--+-------------------+---------------------------------------->
+-ON--+-path--+-----+
|     '-drive-'     |
'-AT NODE--nodename-'
>--+--------------------------------------------------------------+-->
'-AUTHENTICATION--+-SERVER-----------------------------------+-'
+-CLIENT-----------------------------------+
+-SERVER_ENCRYPT---------------------------+
+-KERBEROS TARGET PRINCIPAL--principalname-+
+-SQL_AUTHENTICATION_DATAENC---------------+
+-SQL_AUTHENTICATION_DATAENC_CMP-----------+
'-GSSPLUGIN--------------------------------'
>--+------------------------+----------------------------------><
'-WITH--"comment-string"-'

The authentication type SERVER is the default. To change this setting, explicitly specify the AUTHENTICATION keyword along with one of the supported values shown in Table 10.2. The following is an example of using GSSPLUGIN authentication.

catalog db sample at node dbsrv authentication gssplugin

Table 10.2. Authentication Types Supported at DB2 Clients
Supported Authentication Values		Description
SERVER		Authenticates users at the DB2 server where the database resides. This is the default value.
SERVER_ENCRYPT		Authenticates users at the DB2 server where the database resides. When the user ID and password are sent to the server, they are both encrypted.
KERBEROS		Authenticates users at a Kerberos server.
	TARGET PRINCIPAL principalname	Fully qualify the Kerberos principal name for the target server. For UNIX and Linux systems, use a name like: name/instance@REALM For Windows 2000, principalname is the logon account of the DB2 server service, which may look like one of the following: userid@DOMAIN userid@xxx.xxx.xxx.com domain\userid
SQL_AUTHENTICATION_DATAENC		Authenticates users at the DB2 server. In addition, data encryption must be used for the connections.
SQL_AUTHENTICATION_DATAENC_CMP		Authenticates users at the DB2 server. In addition, data encryption must be used. If the client or server does not support data encryption, use SERVER_ENCRYPT instead.
GSSPLUGIN		Authenticates users with an external GSSAPI-based security mechanism.
CLIENT		Authenticates users at the DB2 client depending on the settings of two other configuration parameters: TRUST_CLNTAUTH and TRUST_ALLCLNTS

10.2.3. Authenticating Users at the DB2 Server

As mentioned earlier, authenticating a user and the associated password at the DB2 server is the default behavior. The DBM configuration parameter at the server and the authentication option in the database directory entry are both set to SERVER. DB2 does not maintain any user and password information. This implies that the user ID and password pair must be defined in the security facility built in the operating system of the server. Figure 10.5 demonstrates a few scenarios of server authentication.

Figure 10.5. Example of SERVER authentication

[View full size image]

NOTE

As long as the database server authentication type is set to SERVER, authentication will always take place at the server.

In Scenario A, A1 issues a

CONNECT statement to connect to the SAMPLE database that is remotely located in the

dbsrv DB2 server. The user ID

bob and the password

bobpass are also provided. This pair of information is validated by the DB2 server security facility at A2. Once validated,

bob is connected to SAMPLE in A3 provided that he has the appropriate CONNECT privilege (privileges are discussed later in this chapter).

Scenario B uses the same environment except that no user ID and password are provided in the

CONNECT statement. When a remote database connection is requested, it is mandatory to supply a user ID and password. Therefore, the

CONNECT statement specified in B1 fails.

Scenarios A and B are both remote requests. It is also very common to make local database connections from the DB2 server itself. Scenario C demonstrates such a request. Since you must have already logged into the server console with a valid user ID and password, it is not necessary to supply a user ID and password in the

CONNECT statement at C1. If you choose to connect to the database with a different user ID, then you need to issue the

CONNECT statement with the user ID and password you wish as shown in A1.

The SERVER_ENCRYPT authentication type behaves exactly the same as SERVER authentication except that both the user ID and password are encrypted.

10.2.4. Authenticating Users with the Kerberos Security Service

Kerberos is a network authentication protocol that employs secret-key cryptography to provide strong authentication for client/server applications. By using an encrypted key, Kerberos makes single sign-on to a remote DB2 server possible. Refer to Figure 10.6 to see how Kerberos authentication works with DB2.

Figure 10.6. Example of Kerberos authentication

To employ the authentication plug-in, set the AUTHENTICATION type to GSSPLUGIN or GSS_SERVER_ENCRYPT so that the specified library modules are loaded at instance start time. DB2 clients then load an appropriate plug-in based on the security mechanism negotiated with the server during

CONNECT or

attach . You use the LOCAL_GSSPLUGIN Database Manager Configuration parameter to specify the name of the plug-in and must include the library name when using GSSPLUGIN or GSS_SERVER_ENCRYPT. Figure 10.7 illustrates an example of GSS.

Figure 10.7. Example of GSS authentication

[View full size image]

When clients do not support the GSSPLUGIN security mechanism, you can use the GSS_SERVER_ENCRYPT authentication type, which allows those clients to establish database connections with behavior equivalent to SERVER_ENCRYPT.

The DB2 Version 8.2 authentication scheme requires plug-ins to manage the following:

Group membership
Authentication at the client
Authentication at the server

If you do not specify the loadable libraries, DB2-supplied plug-ins are used instead. A few Database Manager Configuration parameters are introduced to support authentication plug-ins, and they are listed in Fenced means that the plug-ins run in a different address space from the DB2 system controller process and unfenced means executing the plug-ins in the same address space.) It is recommended to run user-defined modules in fenced mode to protect the system controller.

Since this is an instance-level parameter, it applies to all plug-ins within the same instance.

The default value is FENCED.

DB2 provides sample plug-ins so you can develop your own plug-ins more easily. You must place the library files in the designated directory where DB2 looks for:

Client-side user authentication plug-ins in the directory
$DFTDBPATH/security/client-plugins (for Linux/UNIX)
$DFTDBPATH\security\client-plugins (for Windows)
Server-side user authentication plug-ins in the directory
$DFTDBPATH/security/server-plugins (for Linux/UNIX)
$DFTDBPATH\security\server-plugins (for Windows)
Group plug-ins in the directory
$DFTDBPATH/security/group-plugins (for Linux/UNIX)
$DFTDBPATH\security\group-plugins (for Windows)

You specify the name of the plug-in as a Database Manager Configuration parameter. Use the full name of the library file, but do not include the file extension or the path. For example, to configure the group plug-in, issue:

update dbm cfg using group_plugin mygrplib

10.2.6. Authenticating Users at the DB2 Clients

When you want to allow DB2 clients to perform their own authentication, set the server authentication type to CLIENT. This setting does not mean that client authentication applies to every client; qualified clients are determined by two other DBM Configuration parametersTRUST_ALLCLNTS and TRUST_CLNTAUTH.

TRUST_ALLCLNTS (as you can tell from the name) specifies whether DB2 is going to trust all clients. DB2 categorizes clients into these types:

Untrusted clients do not have a reliable security facility, such as Windows 98, Windows ME, and Classic Mac OS.
Trusted clients have reliable security facilities like Windows 2000, AIX, z/OS, and Linux.
Distributed Relational Database Architecture (DRDA) clients are on host legacy systems with reliable security facilities, including DB2 for z/OS, DB2 for iSeries, and DB2 for VM and VSE.

NOTE

Even though all DB2 Version 8 clients use the DRDA database communication protocol to communicate with DB2 servers, only clients running on mainframe legacy systems are considered as DRDA clients for historical and backward compatibility reasons.

TRUST_ALLCLNTS accepts any of the values summarized in Table 10.5.

Table 10.5. Values Allowed for TRUST_ALLCLNTS
TRUST_ALLCLNTS value	Description
YES	Trusts all clients. This is the default setting. Authentication will take place at the client. See the exception mentioned in the TRUST_CLNTAUTH discussion.
NO	Trust only clients with reliable security facilities (i.e., trusted clients). Untrusted clients must provide user ID and password for authentication to take place at the server.
DRDAONLY	Trusts only clients that are running on iSeries, zSeries, VM, and VSE platforms. All other clients must provide user IDs and passwords.

You can specify a more granular security scheme with TRUST_ALLCLNTS. For example, you can let trusted clients perform authentication on their own and, at the same time, force untrusted clients to be authenticated at the server.

Consider a scenario in which you log into a Windows 2000 machine as

localuser and connect to the remote database without specifying a user ID and password.

localuser will be the connected authorization ID at the database. What if you want to connect to the database with a different user ID, for example,

poweruser , who has the authority to perform a database backup? To allow such behavior, use TRUST_CLNTAUTH to specify where authentication will take place if a user ID and password are supplied in a

CONNECT statement or

attach command. Table 10.6 presents the values for TRUST_CLNTAUTH.

Table 10.6. Values Allowed for TRUST_CLNTAUTH
TRUST_CLNTAUTH Value	Description
CLIENT	Authentication is performed at the client; user ID and password are not required.
SERVER	Authentication is done at the server only if the user ID and password are supplied.

DB2 evaluates TRUST_ALLCLNTS and TRUST_CLNTAUTH only if you set AUTHENTICATION to CLIENT on the DB2 server. Figures 10.8, 10.9, 10.10, and 10.11 illustrate how to use these parameters.

Figure 10.8. Example 1: TRUST_ALLCLNTS and TRUST_CLNTAUTH

Figure 10.9. Example 2: TRUST_ALLCLNTS and TRUST_CLNTAUTH

Figure 10.10. Example 3: TRUST_ALLCLNTS and TRUST_CLNTAUTH

Figure 10.11. Example 4: TRUST_ALLCLNTS and TRUST_CLNTAUTH

In Figure 10.8, TRUST_ALLCLNTS is set to YES, so all clients are considered trusted and can perform their own authentication.

In Figure 10.9, TRUST_ALLCLNTS is set to NO, so only trusted clients perform their own authentication. Authentication for untrusted clients is done at the server.

In Figure 10.10, TRUST_CLNAUTH is set to SERVER. When user ID and password are specified in the

CONNECT statement, authentication is performed at the server.

In Figure 10.11, TRUST_CLNTAUTH is set to SERVER and both clients provide user ID and password in the

CONNECT statement. Hence, authentication is performed at the server for both clients.



•	Index