  1. #1
    Join Date
    Sep 2009
    Posts
    4

    Unanswered: Authentication on DB2 - Audit

    Hi:
    I've been tasked with auditing some information security aspects of the DB2 servers in our organization. In brief, we are:

    Clients: 1500 Gupta applications on Windows XP workstations
    Windows Active Directory infrastructure for clients (i.e., clients log on to the Windows domain)
    01 DB2 server

    I also admit to not being very savvy on some DB2 technical issues, especially developing client-side applications.

    Anyway, during a documentation review something came to my attention: the authentication model being used by the client applications that use the DB2 server. It was clear to me that authentication is accomplished by the DB2 server itself, because passwords are stored in the DB2 server in a special user table which is encrypted by the de facto encrypt function of the DB2 server.

    As far as I understand, DB2 can interact with Active Directory for authentication purposes, and that would avoid storing passwords in a DB2 table, which seems to me very questionable.

    My question is whether this interaction between DB2 and MS Active Directory as an authentication solution for a Gupta application is a typical task, and not something the current database administrator could argue against on the grounds of integration complexity.
    Any other alternative for the authentication model would be great too, since the current password storage is unacceptable as I see it.

    Thank you

    Otb.

  2. #2
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    DB2 does not do authentication - it delegates the task to the operating system. This means, in particular, that a DB2 server on Windows will ask Windows to authenticate users first in AD, then locally on the server.

    Since DB2 does not authenticate users itself, the user IDs and passwords stored in a special table that you are referring to must belong to the application, and the question really is about your application being able to authenticate against AD.

  3. #3
    Join Date
    Sep 2009
    Posts
    4
    Having as a reference: Authentication methods for your server

    I think it all comes down to Kerberos authentication vs. a method where the application authenticates itself by checking user credentials against information stored in a DB2 table.

    Given an environment of application development for DB2, is it a regular or acceptable practice to store userids and passwords in a DB2 table so the applications authenticate with user credentials stored?

    I know this may sound simplistic, but how difficult is it to implement a Kerberos authentication method with DB2?

    Thank you

  4. #4
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Quote: Originally posted by offtheboxuser
    I think it all comes down to Kerberos authentication
    So, you don't want Active Directory anymore?

    Quote: Originally posted by offtheboxuser
    Given an environment of application development for DB2, is it a regular or acceptable practice to store userids and passwords in a DB2 table so the applications authenticate with user credentials stored?
    It has nothing to do with DB2 - it's the application architecture

    Quote: Originally posted by offtheboxuser
    I know this may sound simplistic, but how difficult is it to implement a Kerberos authentication method with DB2?
    It probably isn't very difficult, once you have Kerberos authentication set up on all your servers.
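
An added example, not part of any post in this thread: for the audit the thread discusses, a small Python check that reads the output of `db2 get dbm cfg` and reports which authentication type the instance enforces and whether it is Kerberos-based. The sample output is constructed, and the pass/fail policy and function names are this example's assumptions.

```python
import re

# Constructed sample of `db2 get dbm cfg` output (not taken from the thread).
SAMPLE_CFG = """\
 Database manager authentication        (AUTHENTICATION) = SERVER
 Trust all clients                      (TRUST_ALLCLNTS) = YES
 Client Kerberos Plugin                (CLNT_KRB_PLUGIN) = IBMkrb5
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
"""

# Matches "(PARAM) = value"; [ \t]* keeps an empty value from eating the next line.
PARAM_RE = re.compile(r"\(([A-Z_0-9]+)\)[ \t]*=[ \t]*(\S*)")
# Assumed audit policy: only these types count as Kerberos-based.
KERBEROS_TYPES = {"KERBEROS", "KRB_SERVER_ENCRYPT"}

def parse_dbm_cfg(text):
    """Return {PARAM: VALUE} for every '(PARAM) = value' line."""
    return {m.group(1): m.group(2).upper() for m in PARAM_RE.finditer(text)}

def effective_auth(cfg):
    """SRVCON_AUTH applies to incoming connections unless it is NOT_SPECIFIED."""
    srvcon = cfg.get("SRVCON_AUTH", "")
    if srvcon in ("", "NOT_SPECIFIED"):
        return cfg.get("AUTHENTICATION", "UNKNOWN")
    return srvcon

def audit(text):
    """Return (effective authentication type, list of findings)."""
    cfg = parse_dbm_cfg(text)
    auth = effective_auth(cfg)
    findings = []
    if auth == "UNKNOWN":
        findings.append("AUTHENTICATION parameter not found in the output")
    elif auth == "CLIENT":
        trust = cfg.get("TRUST_ALLCLNTS", "?")
        findings.append(f"CLIENT: the server relies on the client to authenticate (TRUST_ALLCLNTS={trust})")
    elif auth not in KERBEROS_TYPES:
        findings.append(f"{auth}: the instance is not configured for Kerberos")
    if auth == "KRB_SERVER_ENCRYPT":
        findings.append("KRB_SERVER_ENCRYPT: non-Kerberos clients fall back to SERVER_ENCRYPT")
    return auth, findings

if __name__ == "__main__":
    auth, findings = audit(SAMPLE_CFG)
    print("effective authentication:", auth)
    for f in findings:
        print(" -", f)
```

This only covers the instance-level setting; credentials that an application keeps in its own table, as described in the first post, are outside what the DB2 configuration shows.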
