[DB2 learning records] 3. Basic DB2 security concepts-Identity Verification

DB2 has three main security mechanisms to help DBAs implement database security plans:
Authentication, authorization, and privilege ).

Five different permission levels: sysadm, sysctrl, sysmaint, dbadm, and load

A new concept in DB2 9 is tag-based access control (lbac) that allows control of who has the right to access individual rows and/or columns.

Install sample DB
Db2cmd
Db2sample
Creating Database "sample "...
Connecting to Database "sample "...
Creating tables and data in schema "myname "...
'Db2sampl' Processing complete.

The attach command is used to connect to a DB2 instance,
The CONNECT command is used to connect to the database in the DB2 instance.

DB2 attach to DB2
Instance Attachment Information
Instance Server = DB2/NT 9.5.0
Authorization id = myname
Local instance alias = DB2
 
DB2 connect to sample user test1 using "123"
Database connection information
Database Server = DB2/NT 9.5.0
SQL authorization id = test1
Local Database alias = sample
 
DB2 connect to sample user test1 using "123" new "456" Confirm "456" -- change the password
Database connection information
Database Server = DB2/NT 9.5.0
SQL authorization id = test1
Local Database alias = sample

For a long time, DB2 is usually bound to an OS account. That is to say, if different applications connect to DB2, a bunch of OS accounts are required.
This is not the same as Oracle and SQL Server. Otherwise, Kerberos authentication is required. It is a headache.

DB2 Authentication Type
DB2 get dBm cfg
Server connection authentication (srvcon_auth) = not_specified
Database Manager Authentication (authentication) = Server
The main two parameters are the impact types. For details, refer to the following:

Type	Description
Server	Authentication is performed on the server.
Server_encrypt	Authentication is performed on the server. The password is encrypted on the client and then sent to the server.
Client	Authentication is performed on the client (for exceptions, see dealing with untrusted clients ).
* Kerberos	Authentication is performed by Kerberos security software.
* Krb_server_encrypt	If the client is set to Kerberos, the Kerberos security software performs authentication. Otherwise, server_encrypt is used.
Data_encrypt	Authentication is performed on the server. The server accepts the encrypted user ID and password and encrypts the data. The operation method of this option is the same as that of server_encrypt, but data must also be encrypted.
Data_encrypt_cmp	The authentication method is the same as that of data_encrypt, but old clients that do not support data_encrypt can use server_encrypt for authentication. In this case, data is not encrypted. If the connected client supports data_encrypt, data encryption is performed instead of downgrading to server_encrypt for authentication. This authentication type is valid only in the database management program configuration file of the server and is invalid when catalog database is used on the client or gateway instance.
Gssplugin	The authentication method is determined by an external GSS-API plug-in.
Gss_server_encrypt	The authentication method is determined by an external GSS-API plug-in. Use server_encrypt authentication when the client does not support one of the server's GSS-API plug-ins.

* These settings are only valid for Windows 2000, Aix, Solaris, and Linux operating systems.

DB2 update dBm CFG using authentication server_encrypt --- Update verification method, which requires restart DB

Db20000i the update Database Manager configuration command completed
Successfully.
Sql1362w one or more of the parameters submitted for immediate modification
Were not changed dynamically. Client changes will not be valid tive until
Next time the application is started or the terminate command has been issued.
Server changes will not be valid tive until the next db2start command.

Set authentication on the Gateway

db2 catalog database myhostdb at node nd1 authentication SERVER
db2 terminate

Set authentication on the client

DB2 Catalog Database sample at node nd1 Authentication Server

Process untrusted clients

The following table summarizes Where authentication will be performed when each type of client sends a connection command to the server if the server's authentication type is set to client.

Is the ID/password provided?	Trust_allclets	Trust_clntauth	Untrusted client	Trusted Client	Host Client
No	Yes	CLIENT	CLIENT	CLIENT	CLIENT
No	Yes	SERVER	CLIENT	CLIENT	CLIENT
No	No	CLIENT	SERVER	CLIENT	CLIENT
No	No	SERVER	SERVER	CLIENT	CLIENT
No	DRDAONLY	CLIENT	SERVER	SERVER	CLIENT
No	DRDAONLY	SERVER	SERVER	SERVER	CLIENT
Yes	Yes	CLIENT	CLIENT	CLIENT	CLIENT
Yes	Yes	SERVER	SERVER	SERVER	SERVER
Yes	No	CLIENT	SERVER	CLIENT	CLIENT
Yes	No	SERVER	SERVER	SERVER	SERVER
Yes	DRDAONLY	CLIENT	SERVER	SERVER	CLIENT
Yes	DRDAONLY	SERVER	SERVER	SERVER	SERVER

Drdaonly means that only the host client is trusted, regardless of the DB2 version 8 Client Connected using drda.

Kerberos authentication conditions:
1. The client and server must belong to the same domain (in Windows terminology, it is a trusted domain ).
2. You must set an appropriate Principal (User ID in Kerberos ).
3. The keytab file of the server must be created and the instance owner must be able to read the file.
4. All machines must have a synchronous clock.

It seems that in the Windows domain, if it is both windows, it is better to implement it, but if there is Linux or UNIX, there is still to be done.