Security types supported with DB2 Connect

This topic lists the various combinations of authentication and security settings that are supported with DB2 Connect™.

Security types for TCP/IP connections

The TCP/IP communication protocol does not support security options at the network protocol layer. The authentication type determines where authentication takes place. Only the combinations shown in this table are supported by DB2 Connect. The authentication setting is in the database directory entry at the DB2 Connect server.

Table 1. Valid Security Scenarios
Scenario	Authentication setting	Validation
1	CLIENT	Client
2	SERVER	Host or System i™ database server
3	SERVER_ENCRYPT	Host or System i database server
4	KERBEROS	Kerberos security
5	DATA_ENCRYPT	Host or System i database server

Discussion of security types

The following discussion applies to the connections described above and listed in Table 1. Each scenario is described in more detail, as follows:

In scenario 1, the user name and password are validated only at the remote client. For a local client, the user name and password are validated only at the DB2 Connect server.
The user is expected to be authenticated at the location they sign on to. The user ID is sent across the network, but not the password. Use this type of security only if all client workstations have adequate security facilities that can be trusted.
In scenario 2, the user name and password are validated at the host or System i database server only. The user ID and password is sent across the network from the remote client to the DB2 Connect server and from the DB2 Connect server to the host or System i database server.
Scenario 3 is the same as scenario 2, except that the user ID and password are encrypted.
In scenario 4, a Kerberos ticket is obtained by the client from the Kerberos KDC. The ticket is passed unaltered through DB2 Connect to the server, where it is validated by the server.
Scenario 5 is the same as scenario 3, except that the user data is also encrypted.

Parent topic: DB2 Connect authentication considerations