IBM® Data Server Driver for JDBC and SQLJ supports encryption of user IDs, passwords, or data when Java™ applications access data servers.
Those security mechanisms use DRDA® encryption. DRDA encryption is not intended to provide confidentiality and integrity of passwords or data over a network that is not secure, such as the Internet. DRDA encryption uses an anonymous key exchange, Diffie-Hellman, which does not provide authentication of the server or the client. DRDA encryption is vulnerable to man-in-the-middle attacks.
The IBM Data Server Driver for JDBC and SQLJ supports 56-bit DES (weak) encryption or 256-bit AES (strong) encryption. AES encryption is available with IBM Data Server Driver for JDBC and SQLJ type 4 connectivity only. You set the encryptionAlgorithm driver property to choose between 56-bit DES encryption (encryptionAlgorithm value of 1) and 256-bit AES encryption (encryptionAlgorithm value of 2). 256-bit AES encryption is used for a connection only if the database server supports it and is configured to use it.
If you use encrypted password security, encrypted user ID security, or encrypted user ID and encrypted password security, the IBM Java Cryptography Extension (JCE) needs to be enabled on your client. The IBM JCE is part of the IBM SDK for Java, Version 1.4.2 or later.
The IBM JCE must be used for 56-bit DES or 256-bit AES encrypted client/server communication from the IBM Data Server Driver for JDBC and SQLJ to DB2® for Linux, UNIX, and Windows servers. The IBM JCE can be obtained from:
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk
When you use AES encryption with the SDK for Java from Oracle, the JCE Unlimited Strength Jurisdiction Policy File needs to be installed. That file is available from Oracle. If the JCE Unlimited Strength Jurisdiction Policy File is not found, a java.security.InvalidKeyException is thrown.
Connections to DB2 for i V6R1 or later servers can use encrypted password security or encrypted user ID and encrypted password security. For encrypted password security or encrypted user ID and encrypted password security, the IBM Java Cryptography Extension (ibmjceprovider.jar) must be installed on your client. The IBM JCE is part of the IBM SDK for Java, Version 1.4.2 or later.
You can also use encrypted security-sensitive data in addition to encrypted user ID security or encrypted user ID and encrypted password security. You specify encryption of security-sensitive data through the ENCRYPTED_USER_AND_DATA_SECURITY or ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY securityMechanism value. ENCRYPTED_USER_AND_DATA_SECURITY is valid for connections to DB2 for z/OS® servers only.
Before you can use encrypted security-sensitive data, the z/OS Integrated Cryptographic Services Facility needs to be installed and enabled on the z/OS operating system.
To specify encrypted user ID or encrypted password security for a JDBC connection, use one of the following techniques.
Using the DriverManager interface:

import java.sql.*;            // JDBC base
import java.util.Properties;  // Properties class used for connection settings
import com.ibm.db2.jcc.*;     // IBM Data Server Driver for JDBC
                              // and SQLJ implementation of JDBC
…
Properties properties = new Properties();   // Create a Properties object
properties.put("user", "dbadm");            // Set user ID for the connection
properties.put("password", "dbadm");        // Set password for the connection
properties.put("securityMechanism",
  String.valueOf(
    com.ibm.db2.jcc.DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY));
                                            // Set security mechanism to
                                            // user ID and encrypted password
properties.put("encryptionAlgorithm", "2"); // Request AES encryption
String url = "jdbc:db2://mvs1.sj.ibm.com:5021/san_jose";
                                            // Set URL for the data source
Connection con = DriverManager.getConnection(url, properties);
                                            // Create the connection
Using the DataSource interface:

import java.sql.*;            // JDBC base
import com.ibm.db2.jcc.*;     // IBM Data Server Driver for JDBC
                              // and SQLJ implementation of JDBC
…
com.ibm.db2.jcc.DB2SimpleDataSource ds =
  new com.ibm.db2.jcc.DB2SimpleDataSource();
                                            // Create the DataSource object
ds.setDriverType(4);                        // Set the driver type (AES needs type 4)
ds.setDatabaseName("san_jose");             // Set the location
ds.setServerName("mvs1.sj.ibm.com");        // Set the server name
ds.setPortNumber(5021);                     // Set the port number
ds.setUser("db2adm");                       // Set the user ID
ds.setPassword("db2adm");                   // Set the password
ds.setSecurityMechanism(
  com.ibm.db2.jcc.DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY);
                                            // Set security mechanism to
                                            // user ID and encrypted password
ds.setEncryptionAlgorithm(2);               // Request AES encryption
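As an added example (not from the IBM documentation), the following pre-flight check pairs the securityMechanism and encryptionAlgorithm settings shown above with a test of the JCE policy actually in effect, using the standard javax.crypto.Cipher.getMaxAllowedKeyLength call; it fails closed rather than letting a connection be negotiated with 56-bit DES, and it assumes the driver jar is on the classpath. The class and method names are my own.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Properties;
import javax.crypto.Cipher;

/**
 * Added example (hypothetical class): builds the connection properties for
 * the encrypted user ID and password mechanism, but only after confirming
 * that the JCE policy in effect can supply 256-bit AES keys. Without the
 * check, a missing Unlimited Strength policy file surfaces only as a
 * java.security.InvalidKeyException at connect time, or tempts a silent
 * downgrade to the 56-bit DES value.
 */
public class Db2EncryptedConnectionCheck {

    // Documented values of the encryptionAlgorithm driver property.
    static final int DES_56  = 1;   // weak
    static final int AES_256 = 2;   // strong, type 4 connectivity only

    /** True if the installed JCE policy allows AES keys of at least 256 bits. */
    static boolean aes256Available() {
        try {
            // Returns Integer.MAX_VALUE when an unlimited-strength policy is active.
            return Cipher.getMaxAllowedKeyLength("AES") >= 256;
        } catch (NoSuchAlgorithmException e) {
            return false;   // no AES provider registered at all
        }
    }

    /** Properties for DriverManager.getConnection, or an exception if AES-256 is unavailable. */
    static Properties encryptedConnectionProperties(String user, String password) {
        if (!aes256Available()) {
            // Fail closed: installing the policy file is the fix, not encryptionAlgorithm=1.
            throw new IllegalStateException(
                "JCE policy limits AES below 256 bits; install the Unlimited Strength "
                + "Jurisdiction Policy File instead of setting encryptionAlgorithm to " + DES_56);
        }
        Properties p = new Properties();
        p.put("user", user);
        p.put("password", password);
        p.put("securityMechanism", String.valueOf(
            com.ibm.db2.jcc.DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY));
        p.put("encryptionAlgorithm", String.valueOf(AES_256));
        return p;
    }
}
```

Note that this check only confirms the client side can do AES-256; as the text above states, the server must also support and be configured for it, and DRDA encryption's anonymous Diffie-Hellman exchange still provides no protection against a man-in-the-middle.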
RACF password phrase security: If you are connecting to a DB2 for z/OS that is configured for RACF protection, and the RACF version supports RACF password phrases, you can supply a RACF password phrase for the password property value, instead of a simple password. A password phrase must conform to the following rules:
Password phrases of between 9 and 13 characters are allowed when the new-password-phrase exit (ICHPWX11) is installed on the z/OS system, and the exit allows password phrases of fewer than 14 characters.