Brief introduction
DB2 UDB provides a framework for writing custom security plug-ins that administrators can use to perform DB2 UDB authentication. The framework was introduced in DB2 UDB V8.2 and also supports plug-in authentication based on the Generic Security Service Application Programming Interface (GSS-API).
Many DB2 UDB administrators use the GSS-API plug-in for Kerberos-based authentication. NFS Version 4 (Network File System Version 4, IETF RFC 3530) is maturing steadily, and its RFC requires support for newer GSS-API mechanisms such as SPKM (Simple Public-Key Mechanism, IETF RFC 2025) and LIPKEY (A Low Infrastructure Public Key Mechanism Using SPKM, IETF RFC 2847). As GSS-API products add these mechanisms, DB2 UDB will soon be able to use them as well.
Part 2 of the DB2 UDB security article series described and explained the DB2 UDB security plug-in architecture for authentication. This article gives further information about the new GSS-API security mechanisms and describes how to implement public-key-based authentication by using them with custom DB2 UDB security plug-ins.
DB2 UDB security plug-ins for authentication
Authentication is the process of validating user-supplied credentials with a security mechanism, as discussed in Part 1 of the DB2 security article series. In DB2 UDB, user and group authentication is delegated through plug-ins to facilities external to DB2 UDB itself, such as the operating system, a domain controller, or a Kerberos security system.
A security plug-in is a dynamically loadable library that DB2 UDB loads to provide one of the following functions. Because the library is loaded into the DB2 engine process, it runs with the engine's privileges; a defective or malicious plug-in can crash or compromise the whole instance, so plug-in code must be treated as part of the trusted computing base.
Group retrieval plug-in: retrieves the group membership of a given user.
Client authentication plug-in: manages authentication on the DB2 client.
Server authentication plug-in: manages authentication on the DB2 server.
DB2 UDB supports two types of plug-in authentication mechanism:
User ID/password authentication.
GSS-API authentication, as specified in Generic Security Service Application Program Interface Version 2 (IETF RFC 2743) and Generic Security Service API Version 2: C-bindings (IETF RFC 2744).
In DB2 Version 8.2 the default is the user ID/password plug-in, which authenticates against the operating system. The following figure gives a high-level view of the DB2 UDB security plug-in infrastructure:
Figure 1. High-level view of the DB2 UDB security plug-in infrastructure
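To make the division of labour between the engine and a plug-in concrete, here is an added example in C that is not code from this article or from IBM's db2secPlugin.h header. It models a server-side user ID/password plug-in together with its group-retrieval function: the engine loads the library, calls a single init entry point, checks the API version, and receives a table of callbacks that it then invokes on connect. Every type, function and constant name here (server_auth_fns, server_auth_plugin_init, PLUGIN_OK and the rest) is an illustrative stand-in, and the accounts table is a constructed credential store standing in for the operating-system user database; the real API exports db2secServerAuthPluginInit and uses DB2SEC_PLUGIN_* return codes with different signatures.

```c
#include <stddef.h>
#include <string.h>

/* Return codes modelled on the distinct outcomes the DB2 plug-in API reports.
 * Names are stand-ins (assumption), not the real DB2SEC_PLUGIN_* constants. */
enum {
    PLUGIN_OK               = 0,
    PLUGIN_BAD_PASSWORD     = 1,
    PLUGIN_UNKNOWN_USER     = 2,
    PLUGIN_VERSION_MISMATCH = 3
};

#define PLUGIN_API_VERSION 1
#define MAX_GROUPS 8

/* Callback table the plug-in fills in for the engine (illustrative layout). */
typedef struct {
    int version;
    int (*validate_password)(const char *userid, const char *password);
    int (*get_groups_for_user)(const char *userid, const char **groups, int *count);
} server_auth_fns;

/* Constructed credential store standing in for the OS user database. */
typedef struct {
    const char *userid;
    const char *password;
    const char *groups[MAX_GROUPS];
    int ngroups;
} account;

static const account accounts[] = {
    { "db2inst1", "s3cret",     { "db2iadm1", "staff" }, 2 },
    { "alice",    "wonderland", { "staff" },             1 },
};
#define NACCOUNTS (sizeof accounts / sizeof accounts[0])

static const account *lookup(const char *userid) {
    size_t i;
    for (i = 0; i < NACCOUNTS; i++)
        if (strcmp(accounts[i].userid, userid) == 0)
            return &accounts[i];
    return NULL;
}

/* Compare without short-circuiting on the first mismatching byte so timing
 * does not reveal how many leading characters were correct. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Server authentication callback: validate a user ID/password pair. */
static int plugin_validate_password(const char *userid, const char *password) {
    const account *acct = lookup(userid);
    if (acct == NULL)
        return PLUGIN_UNKNOWN_USER;
    return ct_equal(acct->password, password) ? PLUGIN_OK : PLUGIN_BAD_PASSWORD;
}

/* Group retrieval callback: list the groups the user belongs to. */
static int plugin_get_groups_for_user(const char *userid, const char **groups, int *count) {
    const account *acct = lookup(userid);
    int i;
    if (acct == NULL) { *count = 0; return PLUGIN_UNKNOWN_USER; }
    for (i = 0; i < acct->ngroups; i++)
        groups[i] = acct->groups[i];
    *count = acct->ngroups;
    return PLUGIN_OK;
}

/* The single exported entry point: the engine calls it with the API version
 * it speaks and receives the callback table. Refusing an unknown version is
 * what keeps a mismatched library from being called through the wrong ABI. */
int server_auth_plugin_init(int engine_version, server_auth_fns *fns) {
    if (engine_version != PLUGIN_API_VERSION)
        return PLUGIN_VERSION_MISMATCH;
    fns->version = PLUGIN_API_VERSION;
    fns->validate_password = plugin_validate_password;
    fns->get_groups_for_user = plugin_get_groups_for_user;
    return PLUGIN_OK;
}

/* The engine side of a connect: load the table, validate, then fetch groups. */
int engine_authenticate(const char *userid, const char *password,
                        const char **groups, int *ngroups) {
    server_auth_fns fns;
    int rc = server_auth_plugin_init(PLUGIN_API_VERSION, &fns);
    if (rc != PLUGIN_OK) { *ngroups = 0; return rc; }
    rc = fns.validate_password(userid, password);
    if (rc != PLUGIN_OK) { *ngroups = 0; return rc; }
    return fns.get_groups_for_user(userid, groups, ngroups);
}
```

In a real deployment the compiled library is placed in the instance's security plug-in directory and named in the database manager configuration (for example SRVCON_PW_PLUGIN for the server-side user ID/password plug-in, GROUP_PLUGIN for group retrieval, and SRVCON_GSSPLUGIN_LIST for GSS-API plug-ins); the engine, not the plug-in, decides which library to load, which is why the plug-in directory must be writable only by the instance owner.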
With the DB2 UDB security plug-in architecture, you can customize authentication by developing your own plug-ins or by purchasing plug-ins from a third party. To support this, DB2 UDB provides APIs that can be used to modify the existing plug-ins or to build new ones. This article focuses on using GSS-API for authentication and shows how to take advantage of the new GSS-API security mechanisms, SPKM (Simple Public-Key Mechanism, IETF RFC 2025) and LIPKEY (A Low Infrastructure Public Key Mechanism Using SPKM, IETF RFC 2847), for DB2 UDB authentication.