Security under the IBM Data Server Driver for JDBC and SQLJ
When you use the IBM® Data Server Driver for JDBC and
SQLJ,
you choose a security mechanism by specifying a value for the securityMechanism Connection
or DataSource
property,
or the db2.jcc.securityMechanism global configuration property.
- If you use the DriverManager interface, set
securityMechanism
in a java.util.Properties object before you invoke the form of the getConnection method that includes the java.util.Properties parameter. - If you use the DataSource interface, and you are creating and deploying your own DataSource objects, invoke the DataSource.setSecurityMechanism method after you create a DataSource object.
You can determine the security mechanism that is in effect for a connection by calling the DB2Connection.getDB2SecurityMechanism method.
The following table lists the security mechanisms that the IBM Data Server Driver for JDBC and SQLJ supports, and the data sources that support those security mechanisms.
Security mechanism | Supported by Db2 on Linux, UNIX, and Windows systems | Supported by Db2 for z/OS® | Supported by IBM Informix® | Supported by Db2 for IBM i |
---|---|---|---|---|
User ID and password | Yes | Yes | Yes | Yes |
User ID only | Yes | Yes | Yes | Yes |
User ID and encrypted password1 | Yes | Yes | Yes | Yes3 |
Encrypted user ID1 | Yes | Yes | No | No |
Encrypted user ID and encrypted password1 | Yes | Yes | Yes | Yes3 |
Encrypted user ID and encrypted security-sensitive data1 | No | Yes | No | No |
Encrypted user ID, encrypted password, and encrypted security-sensitive data1 | Yes | Yes | No | No |
Kerberos2 | Yes | Yes | No | Yes |
Plugin2 | Yes | No | No | No |
Certificate authentication2 | No | Yes | No | No |
Token authentication | Yes | No | No | No |
Note:
|
The following table lists the security mechanisms that the IBM Data Server Driver for JDBC and
SQLJ supports,
and the value that you need to specify for the securityMechanism
property
to specify each security mechanism.
The default security mechanism is CLEAR_TEXT_PASSWORD_SECURITY
. If the data
server does not support CLEAR_TEXT_PASSWORD_SECURITY
but supports
ENCRYPTED_USER_AND_PASSWORD_SECURITY
, the IBM Data Server Driver for JDBC and SQLJ
driver upgrades the security mechanism to ENCRYPTED_USER_AND_PASSWORD_SECURITY
and
attempts to connect to the server. Any other mismatch in security mechanism support between the
requester and the server results in an
error.
Security mechanism | securityMechanism property value |
---|---|
User ID and password | DB2BaseDataSource.CLEAR_TEXT_PASSWORD_SECURITY |
User ID only | DB2BaseDataSource.USER_ONLY_SECURITY |
User ID and encrypted password1 | DB2BaseDataSource.ENCRYPTED_PASSWORD_SECURITY |
Encrypted user ID1 | DB2BaseDataSource.ENCRYPTED_USER_ONLY_SECURITY |
Encrypted user ID and encrypted password1 | DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY |
Encrypted user ID and encrypted security-sensitive data1 | DB2BaseDataSource.ENCRYPTED_USER_AND_DATA_SECURITY |
Encrypted user ID, encrypted password, and encrypted security-sensitive data1 | DB2BaseDataSource.ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY |
Kerberos | DB2BaseDataSource.KERBEROS_SECURITY |
Plugin | DB2BaseDataSource.PLUGIN_SECURITY |
Certificate authentication | DB2BaseDataSource.TLS_CLIENT_CERTIFICATE_SECURITY |
Token authentication | DB2BaseDataSource.TOKEN_SECURITY |
Note:
|
Db2 on Linux, UNIX, and Windows systems server authentication type | securityMechanism setting |
---|---|
CLIENT | USER_ONLY_SECURITY |
SERVER | CLEAR_TEXT_PASSWORD_SECURITY |
SERVER_ENCRYPT | CLEAR_TEXT_PASSWORD_SECURITY, ENCRYPTED_PASSWORD_SECURITY, or ENCRYPTED_USER_AND_PASSWORD_SECURITY |
DATA_ENCRYPT | ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY |
KERBEROS | KERBEROS_SECURITY or PLUGIN_SECURITY2 |
KRB_SERVER_ENCRYPT | KERBEROS_SECURITY , PLUGIN_SECURITY1, ENCRYPTED_PASSWORD_SECURITY, or ENCRYPTED_USER_AND_PASSWORD_SECURITY |
GSSPLUGIN | PLUGIN_SECURITY1 or KERBEROS_SECURITY |
GSS_SERVER_ENCRYPT3 | CLEAR_TEXT_PASSWORD_SECURITY, ENCRYPTED_PASSWORD_SECURITY, ENCRYPTED_USER_AND_PASSWORD_SECURITY, PLUGIN_SECURITY, or KERBEROS_SECURITY |
SERVER_ENCRYPT_TOKEN | ENCRYPTED_PASSWORD_SECURITY, ENCRYPTED_USER_AND_PASSWORD_SECURITY, or TOKEN_SECURITY |
KERBEROS_TOKEN | KERBEROS_SECURITY, PLUGIN_SECURITY or TOKEN_SECURITY |
KRB_SVR_ENC_TOKEN | ENCRYPTED_PASSWORD_SECURITY, ENCRYPTED_USER_AND_PASSWORD_SECURITY, KERBEROS_SECURITY, PLUGIN_SECURITY, or TOKEN_SECURITY |
GSSPLUGIN_TOKEN | KERBEROS_SECURITY, PLUGIN_SECURITY, or TOKEN_SECURITY |
GSS_SVR_ENC_TOKEN | ENCRYPTED_PASSWORD_SECURITY, ENCRYPTED_USER_AND_PASSWORD_SECURITY, PLUGIN_SECURITY, KERBEROS_SECURITY, or TOKEN_SECURITY |
Notes:
|