Protection

This topic describes supported standards for DB2 protection.

Encryption standards for DB2

The following table describes supported encryption standards for DB2. The Authentication and Data columns indicate whether the standard protects the authentication exchange and the data stream, respectively; the remaining columns give the DB2 version on each platform that supports it.

| Encryption | Authentication | Data | DB2 for z/OS      | DB2 for i5/OS | DB2 for LUW       |
|------------|----------------|------|-------------------|---------------|-------------------|
| Kerberos   | Yes            | No   | V8                | V5R3          | V8                |
| SSL V3     | Yes            | Yes  | V9                | V5R4          | V9.1              |
| TLS V1     | Yes            | Yes  | V9                | V5R4          | V9.1              |
| AES        | Yes            | No   | V8 (APAR PK56287) | V5R4          | V9.5 (Fix Pack 3) |

Configuring for Protection

The Data Provider grants execute on DB2 package to the DB2 public group

When creating DB2 packages, the Data Access Tool and the DB2 data providers set the execute permission on the packages to PUBLIC, which includes all DB2 users. To increase security on your DB2 server, we recommend that you revoke the EXECUTE permission from PUBLIC on these packages and grant it only to selected DB2 users or groups. Any permission granted to PUBLIC is effectively granted to every DB2 user, which could leave your DB2 server vulnerable to attack.
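The following SQL is an added example, not part of the Host Integration Server documentation or the Data Access Tool. It finds packages that still carry the default PUBLIC EXECUTE grant, moves the grant to a named group, and verifies the result; the collection MYCOLL, package MYPKG and group DB2APPUSERS are placeholders for the names on your server.

```sql
-- Added example (not from the Host Integration Server documentation).
-- Placeholders: MYCOLL.MYPKG is a package the Data Access Tool created;
-- DB2APPUSERS is the group that runs the application. Substitute your own.

-- 1. List packages that still grant EXECUTE to PUBLIC (DB2 for LUW catalog view).
--    EXECUTEAUTH is 'Y' for a plain grant and 'G' for a grant WITH GRANT OPTION.
SELECT PKGSCHEMA, PKGNAME, GRANTEE, EXECUTEAUTH
  FROM SYSCAT.PACKAGEAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND EXECUTEAUTH IN ('Y', 'G');

-- On DB2 for z/OS the equivalent catalog table is SYSIBM.SYSPACKAUTH:
--   SELECT COLLID, NAME, GRANTEE, EXECUTEAUTH
--     FROM SYSIBM.SYSPACKAUTH
--    WHERE GRANTEE = 'PUBLIC' AND EXECUTEAUTH <> ' ';

-- 2. Grant EXECUTE to the application group first, then revoke it from PUBLIC,
--    so existing applications do not lose access between the two statements.
--    (GROUP is DB2 for LUW syntax; on z/OS grant to the RACF group name directly.)
GRANT  EXECUTE ON PACKAGE MYCOLL.MYPKG TO GROUP DB2APPUSERS;
REVOKE EXECUTE ON PACKAGE MYCOLL.MYPKG FROM PUBLIC;

-- 3. Confirm the change: the query from step 1 should no longer return MYCOLL.MYPKG.
SELECT PKGSCHEMA, PKGNAME, GRANTEE, EXECUTEAUTH
  FROM SYSCAT.PACKAGEAUTH
 WHERE PKGSCHEMA = 'MYCOLL'
   AND PKGNAME   = 'MYPKG';
```

Because the Data Access Tool re-applies the PUBLIC grant whenever it creates packages, re-run the step 1 query after any package is recreated.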

By default, when you use the Data Source Wizard or Data Links, the Data Provider stores the user name in plain text in the Universal Data Link (UDL) or connection file. We recommend that you configure the Data Provider to use Enterprise Single Sign-On, which integrates Windows Active Directory accounts with IBM host system and DB2 credentials. Administrators map host and DB2 credentials to AD accounts, storing these in an encrypted SQL Server database. The Data Provider retrieves these mappings at runtime to securely authenticate users to remote IBM DB2 database servers. For more information about Enterprise Single Sign-On, see the Host Integration Server 2010 Security User's Guide (https://go.microsoft.com/fwlink/?LinkID=180767).

The Data Provider supports weak encryption based on DES and Diffie-Hellman

Optionally, the Data Provider supports authentication and data encryption using weak 56-bit Data Encryption Standard (DES) technologies. We recommend that you configure the Data Provider to use data encryption based on Secure Sockets Layer (SSL) V3.0 or Transport Layer Security (TLS) V1.0 instead. For encrypting authentication only, you can use the Advanced Encryption Standard (AES), which supports 256-bit encryption.

The Data Provider connects using unencrypted, plain text, user name and password

By default, the Data Provider connects to remote DB2 server computers over a TCP/IP network using basic authentication, where the user name and password are not encrypted and are submitted in plain text. We recommend that you configure the Data Provider to encrypt authentication by using Kerberos, Secure Sockets Layer (SSL) V3.0 or Transport Layer Security (TLS) V1.0, or AES authentication encryption.

The Data Provider sends and receives unencrypted data

By default, the Data Provider sends and receives unencrypted data. We recommend that you configure the Data Provider to use data encryption by using Secure Sockets Layer (SSL) V3.0 or Transport Layer Security (TLS) V1.0.

The Data Provider sends additional network flow to support Defer Prepare

Optionally, you can set Defer Prepare to TRUE to instruct the Data Provider to optimize the processing of parameterized database commands. The default value is FALSE. For the INSERT, UPDATE, and DELETE commands, the Data Provider can combine the PREPARE, EXECUTE, and COMMIT commands into one network flow to the remote database. For the SELECT command, the Data Provider combines the PREPARE and EXECUTE commands into one network flow. This optimization minimizes network traffic and can improve overall performance.