Protection
This topic describes supported standards for DB2 protection.
Encryption standards for DB2
The following table describes supported encryption standards for DB2.
| Mechanism | Encrypts authentication | Encrypts data | DB2 for z/OS | DB2 for i5/OS | DB2 for LUW |
|---|---|---|---|---|---|
| Kerberos | Yes | No | V8 | V5R3 | V8 |
| SSL V3 | Yes | Yes | V9 | V5R4 | V9.1 |
| TLS V1 | Yes | Yes | V9 | V5R4 | V9.1 |
| AES | Yes | No | V8 (APAR PK56287) | V5R4 | V9.5 (Fix Pack 3) |

The version columns give the earliest DB2 release (or fix level) on each platform with which the Data Provider supports the mechanism.
Configuring for Protection
The Data Provider grants EXECUTE on DB2 packages to the DB2 PUBLIC group
When creating DB2 packages, the Data Access Tool and the DB2 data providers set the EXECUTE privilege on those packages to PUBLIC, which includes every DB2 user. To increase security on your DB2 server, we recommend that you revoke EXECUTE from PUBLIC on these packages and grant EXECUTE only to the DB2 users or groups that actually run the application. Privileges granted to PUBLIC are held by all DB2 users, including any account an attacker manages to obtain, which could leave your DB2 server vulnerable to attack.
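The following statements show how to tighten the package privileges described above. They are an added example and are not part of the original page or of the Data Provider; they use DB2 for LUW syntax and catalog views. The collection name `MSPKG`, the package name `MSCS001`, and the grantees `APP_USERS` and `SVC_REPORT` are placeholders: substitute the collection and package names the Data Access Tool created for your installation and the identities that should run it.

```sql
-- Added example (not from the original page or the Data Provider):
-- replace the PUBLIC grant on a provider package with explicit grants.
-- MSPKG / MSCS001 / APP_USERS / SVC_REPORT are placeholder names.

-- 1. Inspect who currently holds EXECUTE on the provider's packages.
--    The provider's own grant shows up as GRANTEE = 'PUBLIC'.
SELECT pkgschema, pkgname, grantee, granteetype, executeauth
  FROM syscat.packageauth
 WHERE pkgschema = 'MSPKG';

-- 2. Remove the blanket grant created at package-creation time.
REVOKE EXECUTE ON PACKAGE mspkg.mscs001 FROM PUBLIC;

-- 3. Grant EXECUTE only to the group and service account that need it.
GRANT EXECUTE ON PACKAGE mspkg.mscs001 TO GROUP app_users;
GRANT EXECUTE ON PACKAGE mspkg.mscs001 TO USER svc_report;

-- 4. Verify: this query must return no rows once PUBLIC is revoked.
SELECT pkgschema, pkgname, grantee
  FROM syscat.packageauth
 WHERE pkgschema = 'MSPKG'
   AND grantee = 'PUBLIC'
   AND executeauth IN ('Y', 'G');
```

Repeat steps 2 and 3 for each package in the collection (the provider creates one per isolation level). On DB2 for z/OS the equivalent catalog table is SYSIBM.SYSPACKAUTH, and the REVOKE and GRANT statements accept `collection-id.*` to address every package in a collection at once; DB2 for LUW requires each package to be named explicitly. Run the verification query after every bind or rebind, since recreating the packages with the Data Access Tool restores the PUBLIC grant.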
The Data Provider stores the user name in plain text in the Universal Data Link (UDL) or connection string file
By default, when you use the Data Source Wizard or Data Links, the Data Provider stores the user name in plain text in the Universal Data Link (UDL) or connection file. We recommend that you configure the Data Provider to use Enterprise Single Sign-On, which integrates Windows Active Directory accounts with IBM host system and DB2 credentials. Administrators map host and DB2 credentials to AD accounts, storing these in an encrypted SQL Server database. The Data Provider retrieves these mappings at runtime to securely authenticate users to remote IBM DB2 database servers. For more information about Enterprise Single Sign-On, see the Host Integration Server 2010 Security User's Guide (https://go.microsoft.com/fwlink/?LinkID=180767).
The Data Provider supports weak encryption based on 56-bit DES with Diffie-Hellman key exchange
Optionally, the Data Provider supports authentication and data encryption using weak 56-bit Data Encryption Standard (DES) technologies, with the session key negotiated by Diffie-Hellman. A 56-bit key offers no meaningful protection against a modern attacker, so we recommend that you configure the Data Provider to encrypt data by using Secure Sockets Layer (SSL) V3.0 or Transport Layer Security (TLS) V1.0 instead. For encrypting authentication only, you can use the Advanced Encryption Standard (AES), which provides 256-bit encryption of the credentials but leaves the data stream in the clear. Note that SSL 3.0 and TLS 1.0 have themselves since been deprecated (RFC 7568 and RFC 8996); where both the Data Provider and the DB2 server support a newer TLS version, prefer it.
The Data Provider connects using an unencrypted, plain-text user name and password
By default, the Data Provider connects to remote DB2 server computers over a TCP/IP network using basic authentication, in which the user name and password are sent in plain text and can be read by anyone able to capture the traffic. We recommend that you configure the Data Provider to use Kerberos, to encrypt the whole session with Secure Sockets Layer (SSL) V3.0 or Transport Layer Security (TLS) V1.0, or, at a minimum, to encrypt the authentication exchange with AES.
The Data Provider sends and receives unencrypted data
By default, the Data Provider sends and receives unencrypted data. We recommend that you configure the Data Provider to use data encryption by using Secure Sockets Layer (SSL) V3.0 or Transport Layer Security (TLS) V1.0.
The Data Provider sends additional network flows unless Defer Prepare is enabled
Optionally, you can set the Defer Prepare property to TRUE to instruct the Data Provider to optimize the processing of parameterized database commands; the default value is FALSE. With Defer Prepare enabled, for INSERT, UPDATE, and DELETE commands the Data Provider combines the PREPARE, EXECUTE, and COMMIT commands into one network flow to the remote database, and for SELECT commands it combines PREPARE and EXECUTE into one flow. With the default setting each command is sent as a separate flow. This optimization minimizes network traffic and can improve overall performance.