Hints and tips about OS/390 and z/OS security


This topic provides some hints and tips about security for DB2 Connect™ connecting to a DB2® for OS/390® and z/OS® database server.

Extended security field

Ensure that the DB2 OS/390 and z/OS Extended Security Field is set to YES. This field appears in the DB2 for OS/390 and z/OS DSNTIPR panel.

Extended security codes

Until DB2 Universal Database™ for z/OS and OS/390 Version 5.1, connect requests that provided user IDs or passwords could fail with SQL30082 reason code 0, but no other indication as to what might be wrong.

DB2 Universal Database for z/OS and OS/390 Version 5.1 introduced support for extended security codes. Specifying extended security provides additional diagnostics, such as (PASSWORD EXPIRED), in addition to the reason code.

To exploit this, set the DB2 Universal Database for z/OS and OS/390 ZPARM installation parameter for extended security to YES. Use the DB2 Universal Database for z/OS and OS/390 installation panel DSN6SYSP to set EXTSEC=YES. You can also set this on DDF panel 1 (DSNTIPR). The default value is EXTSEC=NO. In the case of an expired password, Windows®, Linux™, UNIX®, and Web applications using DB2 Connect will receive an SQL30082 error message.

TCP/IP security already verified

If you want to provide support for the DB2 security option AUTHENTICATION=CLIENT, then use DB2 Universal Database for z/OS and OS/390 installation panel DSNTIP4 (DDF panel 2) to set TCP/IP already verified security to YES.

Desktop ODBC and Java application security

Workstation ODBC and Java™ applications use dynamic SQL. This might create security concerns in some installations. DB2 Universal Database for z/OS and OS/390 introduces a new bind option DYNAMICRULES(BIND) that allows execution of dynamic SQL under the authorization of either the owner or the binder.

DB2 and DB2 Connect provide a new CLI/ODBC configuration parameter CURRENTPACKAGESET in the DB2CLI.INI configuration file. This should be set to a schema name that has the appropriate privileges. An SQL SET CURRENT PACKAGESET schema statement will automatically be issued after every connect for the application.

Use the ODBC Manager to update DB2CLI.INI.
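As an added example, not taken from the original page or from IBM's own tooling, the following Python check reads a db2cli.ini and reports which data-source sections end up with no effective CURRENTPACKAGESET, so connections from those sources would run dynamic SQL under whatever package set the connection defaults to. The INI contents, data-source names and schema names are constructed for the example; a keyword placed in [COMMON] is treated as applying to every data source, as db2cli.ini does.

```python
"""Audit a db2cli.ini for data sources lacking an effective CURRENTPACKAGESET."""
import configparser

# Constructed sample db2cli.ini (not from the original page): DB2ZPROD sets the
# keyword, DB2ZTEST does not, and [COMMON] does not supply a default.
SAMPLE_DB2CLI_INI = """\
[COMMON]
TRACE=0

[DB2ZPROD]
DBALIAS=DB2ZPROD
CURRENTPACKAGESET=APPPKGS

[DB2ZTEST]
DBALIAS=DB2ZTEST
"""


def effective_packageset(ini_text):
    """Map each data-source section to its effective CURRENTPACKAGESET.

    A keyword in [COMMON] applies to every data source, so a data source
    inherits it unless it sets its own value. Sections with no effective
    value map to None. db2cli.ini keywords are case-insensitive, and
    configparser lowercases option names, so lookups use lowercase.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)

    common = None
    for section in cp.sections():
        if section.upper() == "COMMON":
            common = cp[section].get("currentpackageset", "").strip() or None

    result = {}
    for section in cp.sections():
        if section.upper() == "COMMON":
            continue  # not a data source
        own = cp[section].get("currentpackageset", "").strip() or None
        result[section] = own or common
    return result


def data_sources_missing_packageset(ini_text):
    """Return the sorted names of data sources with no effective CURRENTPACKAGESET."""
    return sorted(name for name, pkg in effective_packageset(ini_text).items()
                  if pkg is None)


if __name__ == "__main__":
    for name in data_sources_missing_packageset(SAMPLE_DB2CLI_INI):
        print(f"{name}: CURRENTPACKAGESET not set")
```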

Password change support

If a user ID's password has expired, an SQL CONNECT statement returns an error message, such as SQLCODE -30082 reason code 1. With DB2 Connect it is possible to change the password remotely. Through DRDA®, DB2 Universal Database for z/OS and OS/390 can change the password for you, by issuing the following CONNECT statement:

CONNECT TO <database> USER <userid> USING <password>
   NEW <new_password> CONFIRM <new_password>

The "Change password" dialog of the DB2 Configuration Assistant can also be used to change the password.
