Security

The Microsoft OLE DB Provider for DB2 (Data Provider) connects Microsoft SQL Server 2008 R2 database applications to remote IBM DB2 relational database management servers, for on-line transaction processing, analysis and reporting. The Data Provider functions as a DB2 application requester client supporting the standard distributed relational database architecture (DRDA) protocols and formats that are compatible with IBM DB2 server products functioning as DB2 application servers.

The Data Provider enables interoperability between DB2 client applications and DB2 server databases by issuing structured query language (SQL) statements. These include data definition language statements for administration and data manipulation language statements for read and write operations. The Data Provider connects the DB2 client applications to the DB2 server databases across a Transmission Control Protocol/Internet Protocol (TCP/IP) network that uses the optional security features described in this topic.

Security Features in the Data Provider

The Data Provider grants EXECUTE on DB2 packages to the DB2 PUBLIC group

When creating DB2 packages, the Data Access Tool and the DB2 data providers set the execute permissions on DB2 packages to PUBLIC. We recommend that you revoke execute permissions to PUBLIC on these packages and grant execute only to selected DB2 users or groups. Permissions granted to PUBLIC are granted to all DB2 users, which could leave your DB2 server vulnerable to attack.
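The following script is an added example and is not part of the Data Provider or the Data Access Tool. It shows the check an administrator would run after binding the packages: find every package on which PUBLIC still holds EXECUTE and generate the REVOKE/GRANT statements that move the privilege to a named group. The input rows are constructed here in the shape of a DB2 for Linux, UNIX and Windows catalog query against SYSCAT.PACKAGEAUTH (assumed; DB2 for z/OS uses a different catalog table), and the collection, package and group names are placeholders, not the Data Provider's real package names.

```python
import re

# Constructed sample rows, shaped like the result of (DB2 LUW catalog, assumed):
#   SELECT PKGSCHEMA, PKGNAME, GRANTEE, GRANTEETYPE, EXECUTEAUTH
#   FROM SYSCAT.PACKAGEAUTH WHERE PKGSCHEMA = 'APPCOLL'
# GRANTEETYPE 'G' = group (PUBLIC is reported as a group), 'U' = user.
# EXECUTEAUTH 'Y' = held, 'G' = held with grant option, 'N' = not held.
SAMPLE_PACKAGEAUTH = [
    ("APPCOLL", "PKGRUW01", "PUBLIC", "G", "Y"),
    ("APPCOLL", "PKGRUW02", "PUBLIC", "G", "G"),
    ("APPCOLL", "PKGRUW02", "DB2APP", "G", "Y"),
    ("APPCOLL", "PKGRUW03", "DB2APP", "G", "Y"),   # already restricted to the app group
    ("APPCOLL", "PKGRUW04", "PUBLIC", "G", "N"),   # row present, but no EXECUTE
]

# DB2 ordinary identifier: a letter or underscore followed by letters, digits,
# '_', '$', '#' or '@'. Rejecting anything else keeps the generated DDL free of
# injected syntax if the catalog rows ever come from an untrusted source.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_$#@]{0,127}$")


def checked_identifier(name):
    """Return the identifier unchanged, or raise if it is not a plain DB2 identifier."""
    if not IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def packages_open_to_public(rows):
    """Return sorted (schema, package) pairs on which PUBLIC holds EXECUTE."""
    return sorted({(schema, name)
                   for schema, name, grantee, _gtype, exe in rows
                   if grantee == "PUBLIC" and exe in ("Y", "G")})


def remediation_sql(rows, group):
    """Build REVOKE-from-PUBLIC and GRANT-to-group statements for each exposed package."""
    group = checked_identifier(group)
    statements = []
    for schema, name in packages_open_to_public(rows):
        pkg = f"{checked_identifier(schema)}.{checked_identifier(name)}"
        statements.append(f"REVOKE EXECUTE ON PACKAGE {pkg} FROM PUBLIC;")
        statements.append(f"GRANT EXECUTE ON PACKAGE {pkg} TO GROUP {group};")
    return statements


if __name__ == "__main__":
    for stmt in remediation_sql(SAMPLE_PACKAGEAUTH, "DB2APP"):
        print(stmt)
```

Run the generated statements with an ID that holds CONTROL on the packages, then re-run the catalog query to confirm that no PUBLIC row with EXECUTEAUTH other than 'N' remains.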

The Data Provider stores the user name in plain text in the Universal Data Link (UDL) or connection string file

By default, when you use the Data Source Wizard or Data Links, the Data Provider stores the user name in plain text in the Universal Data Link (UDL) or connection file. We recommend that the administrator or developer configure the Data Provider to use Enterprise Single Sign-On, which integrates Windows Active Directory accounts with IBM host system and DB2 credentials. Administrators map host and DB2 credentials to AD accounts, storing these in an encrypted SQL Server database. The Data Provider can retrieve these mappings at runtime to securely authenticate users to remote IBM DB2 database servers. For more information about Enterprise Single Sign-On, see the Host Integration Server 2009 Security User's Guide (https://go.microsoft.com/fwlink/?LinkID=180767).
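The following script is an added example, not part of the Data Provider or Host Integration Server. It audits a Universal Data Link file for the exposure described above: it parses the OLE DB init string stored in the .udl (handling quoted values that contain semicolons) and reports a stored User ID, a stored Password, Persist Security Info=True, and the absence of Integrated Security=SSPI. The use of Integrated Security=SSPI to indicate Windows/Enterprise Single Sign-On credentials is an assumption about the connection string keywords, as is reading .udl files as UTF-16; the sample file contents, host name and credentials are constructed.

```python
# Constructed .udl contents. A UDL is an INI-style file: a "[oledb]" section
# header, a comment line, then the OLE DB init string on the next line.
SAMPLE_UDL_PLAINTEXT = """[oledb]
; Everything after this line is an OLE DB initstring
Provider=DB2OLEDB;Password=Pa55word!;Persist Security Info=True;User ID=DB2USER;Initial Catalog=SAMPLE;Network Transport Library=TCPIP;Network Address=db2host.example.invalid;Network Port=446;Package Collection=APPCOLL
"""

# Constructed .udl that carries no credentials and relies on integrated
# security (keyword assumed) so that credentials are resolved at run time.
SAMPLE_UDL_SSO = """[oledb]
; Everything after this line is an OLE DB initstring
Provider=DB2OLEDB;Integrated Security=SSPI;Initial Catalog=SAMPLE;Network Transport Library=TCPIP;Network Address=db2host.example.invalid;Network Port=446;Package Collection=APPCOLL
"""


def parse_init_string(text):
    """Split an OLE DB init string into a {lowercase key: value} dict.

    Values may be single- or double-quoted, in which case they can contain ';'.
    """
    props = {}
    i, n = 0, len(text)
    while i < n:
        eq = text.find("=", i)
        if eq < 0:
            break
        key = text[i:eq].strip().lower()
        i = eq + 1
        if i < n and text[i] in "'\"":
            quote = text[i]
            end = text.find(quote, i + 1)
            if end < 0:
                end = n
            value = text[i + 1:end]
            sep = text.find(";", end)
            i = n if sep < 0 else sep + 1
        else:
            end = text.find(";", i)
            if end < 0:
                end = n
            value = text[i:end].strip()
            i = end + 1
        if key:
            props[key] = value
    return props


def init_string_from_udl(udl_text):
    """Return the init string line: the first line that is not blank, a comment or the [oledb] header."""
    for line in udl_text.splitlines():
        line = line.lstrip("\ufeff").strip()   # drop a BOM if the file carried one
        if not line or line.startswith(";") or line.lower() == "[oledb]":
            continue
        return line
    return ""


def audit_udl(udl_text):
    """Return a list of findings describing credential exposure in the UDL."""
    props = parse_init_string(init_string_from_udl(udl_text))
    findings = []
    if props.get("user id"):
        findings.append("user name stored in plain text (User ID)")
    if props.get("password"):
        findings.append("password stored in plain text (Password)")
    if props.get("persist security info", "").strip().lower() in ("true", "yes", "1"):
        findings.append("Persist Security Info=True keeps the password in the open connection string")
    if props.get("integrated security", "").strip().upper() != "SSPI":
        findings.append("not using Integrated Security=SSPI (Windows / Enterprise Single Sign-On credentials)")
    return findings


def audit_udl_file(path):
    """Audit a .udl on disk. Data Links writes UTF-16 (assumed); fall back to UTF-8."""
    try:
        with open(path, encoding="utf-16") as f:
            return audit_udl(f.read())
    except UnicodeError:
        with open(path, encoding="utf-8-sig") as f:
            return audit_udl(f.read())


if __name__ == "__main__":
    for label, sample in (("plaintext", SAMPLE_UDL_PLAINTEXT), ("sso", SAMPLE_UDL_SSO)):
        print(label, audit_udl(sample) or ["no findings"])
```

Run audit_udl_file over every .udl in a share or deployment package; a file that produces any finding is storing credentials that should instead be resolved through Enterprise Single Sign-On at run time.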

The Data Provider supports weak encryption based on DES and Diffie-Hellman

Optionally, the Data Provider supports 56-bit authentication and Data Encryption Standard (DES) technologies, relying on a Diffie-Hellman algorithm to generate a 256-bit shared private key between the client and server. This key exchange is compatible with the standard DRDA protocol and with the supported IBM DB2 server products. We recommend that the administrator or developer configure the Data Provider to use data encryption using Secure Sockets Layer (SSL) V3.0 or Transport Layer Security (TLS) V1.0 instead.

The Data Provider connects using unencrypted, plain text, user name and password

By default, the Data Provider connects to remote DB2 server computers via a TCP/IP network relying on an unencrypted, plain-text user name and password. We recommend that the administrator or developer configure the Data Provider to use authentication encryption using Kerberos, Secure Sockets Layer (SSL) V3.0 or Transport Layer Security (TLS) V1.0.

The Data Provider sends and receives unencrypted data

By default, the Data Provider sends and receives unencrypted data. We recommend that the administrator or developer configure the Data Provider to use data encryption using Secure Sockets Layer (SSL) V3.0 or Transport Layer Security (TLS) V1.0.