Sending encrypted passwords from workstation clients

As a server, Db2 for z/OS® can accept requests from remote workstation clients that use 256-bit Advanced Encryption Standard (AES) or 56-bit Data Encryption Standard (DES) encryption security over a TCP/IP network connection.

About this task

Depending on the DRDA level, a remote client can use the AES or DES encryption algorithm for sending passwords, user IDs and associated passwords, or other security-sensitive data to a Db2 for z/OS server. If the client explicitly requests AES encryption, only user IDs, passwords, or both are encrypted in AES, and any data in the request is encrypted in DES. Any persistent attempt to encrypt the data in AES causes the client to reject the connection request. See Security mechanisms for DRDA and SNA for more information about using DRDA encryption. See the Db2 for z/OS Program Directory for the ICSF hardware and software requirements for AES encryption.

To enable the Db2 for z/OS AES server support, you must install and configure z/OS Integrated Cryptographic Services Facility (ICSF). During Db2 startup, DSNXINIT invokes the MVS™ LOAD macro service to load various ICSF services, including the ICSF CSNESYE and CSNESYD modules that Db2 calls for processing AES encryption and decryption requests. If ICSF is not installed or if ICSF services are not available, Db2 cannot provide AES support, and Db2 terminates the connection.

To use DES encryption, you can enable Db2 Connect to send encrypted passwords by setting database connection services (DCS) authentication to DCS_ENCRYPT in the DCS directory entry. When a client application issues an SQL CONNECT statement, the client negotiates this support with the database server. If the server supports it, the client and server generate a shared private key using Diffie-Hellman public key technology, and the password is encrypted using 56-bit DES with that shared private key. The encrypted password cannot be replayed, because the shared private key is generated anew on every connection. If the server does not support password encryption, the application receives SQLCODE -30073 (DRDA security manager level 6 is not supported).

Attention: To protect your authentication information, use the z/OS Communications Server IP Application Transparent Transport Layer Security (AT-TLS) to secure your network connections. To complement the use of AT-TLS, set the TCPALVER subsystem parameter of installation panel DSNTIP5 to SERVER_ENCRYPT. Setting this parameter to SERVER_ENCRYPT provides the strongest level of security. Connections are accepted only if user credentials are provided to authenticate the user ID, and strong encryption is used to protect the user ID and credentials.
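To audit the TCPALVER recommendation above, the following added example (not from the Db2 documentation or product) scans a DSNTIJUZ-style DSN6FAC macro fragment for the TCPALVER value and reports whether it is SERVER_ENCRYPT. The fragment, the column-72 continuation layout and the other parameter names are assumptions for illustration.

```python
import re

# Constructed DSNTIJUZ-style fragment (not a real installation job). DSN6FAC
# parameters are assumed to be coded as KEYWORD=VALUE, one per line, with a
# continuation character in column 72.
SAMPLE_DSNTIJUZ = """\
         DSN6FAC  CMTSTAT=INACTIVE,                                    X
               IDTHTOIN=120,                                           X
               TCPALVER=YES,                                           X
               TCPKPALV=ENABLE
"""

RECOMMENDED = "SERVER_ENCRYPT"  # value the page recommends for TCPALVER

_PARM_RE = re.compile(r"\b([A-Z0-9]+)=([A-Z0-9_]+)")


def parse_dsn6fac(listing: str) -> dict:
    """Return the KEYWORD -> VALUE pairs coded in a DSN6FAC-style macro."""
    parms = {}
    for line in listing.splitlines():
        body = line[:71]  # drop the column-72 continuation marker
        for key, value in _PARM_RE.findall(body):
            parms[key] = value
    return parms


def check_tcpalver(listing: str) -> dict:
    """Evaluate TCPALVER against the SERVER_ENCRYPT recommendation."""
    value = parse_dsn6fac(listing).get("TCPALVER")
    if value is None:
        return {"value": None, "ok": False,
                "reason": "TCPALVER not coded; verify the default in effect"}
    if value == RECOMMENDED:
        return {"value": value, "ok": True,
                "reason": "credentials and strong encryption are required"}
    return {"value": value, "ok": False,
            "reason": f"TCPALVER={value} does not require both credentials "
                      f"and strong encryption; set {RECOMMENDED}"}


if __name__ == "__main__":
    print(check_tcpalver(SAMPLE_DSNTIJUZ))
```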