Purpose

Determines which authentication method the driver uses when it establishes a connection.

When user ID/password authentication is used, the encryption method that is used for user IDs and passwords is negotiated during the connection process. Supported encryption methods are:

  • Advanced Encryption Standard (AES)
  • Data Encryption Standard (DES)

To use AES encryption, the following requirements and restrictions apply:

  • AES is supported for the following DB2 databases:
    • DB2 V9.x and higher for Linux/UNIX/Windows
    • DB2 UDB V8.1 for Linux/UNIX/Windows (requires DB2 Fix Pack 16)
    • DB2 V9.1 for z/OS
    • DB2 UDB V8.1 for z/OS (requires DB2 PTF for APAR PK56287)
  • The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files, which require Java SE 5 or higher, must be installed on the client or application server. You can obtain these files from the following URL:

    http://www.oracle.com/technetwork/java/javase/downloads/index.html

  • The DB2 authentication parameter on the database server must be set to a value of SERVER_ENCRYPT.
  • For DB2 V9.7 for Linux/UNIX/Windows, the DB2 alternate_auth_enc parameter on the database server must be set to allow AES encryption.
  • AES encryption cannot be used if the EncryptionMethod property is set to a value of DBEncryption or requestDBEncryption.

Valid Values

clearText | client | encryptedPassword | encryptedPasswordAES | encryptedUIDPassword | encryptedUIDPasswordAES | kerberos | pluginSecurity

Behavior

If set to clearText, the driver uses user ID/password authentication. The driver sends the user ID and password in clear text to the DB2 server for authentication. If a user ID and password are not specified, the driver throws an exception.

If set to client, the driver uses client authentication. The DB2 server relies on the client to authenticate the user and does not provide additional authentication. The driver ignores any user ID or password specified.

If set to encryptedPassword, the driver uses user ID/password authentication. The driver sends a user ID in clear text and an encrypted password to the DB2 server for authentication. If the requirements for AES encryption are met, the driver uses AES encryption; otherwise, the driver allows a downgrade to DES encryption. If the EncryptionMethod property is set to a value of DBEncryption or requestDBEncryption, the driver downgrades encryption to DES. If a user ID and password are not specified, the driver throws an exception.

If set to encryptedPasswordAES, the driver uses user ID/password authentication. The driver sends a clear text user ID and an AES-encrypted password to the DB2 server for authentication. The driver throws an exception in the following cases:

  • If the database server indicates encryption must be downgraded to DES
  • If a user ID and password are not specified
  • If the EncryptionMethod property is set to a value of DBEncryption or requestDBEncryption

If set to encryptedUIDPassword, the driver uses user ID/password authentication. The driver sends an encrypted user ID and password to the DB2 server for authentication. If the requirements for AES encryption are met, the driver uses AES encryption; otherwise, the driver allows a downgrade to DES encryption. If the EncryptionMethod property is set to a value of DBEncryption or requestDBEncryption, the driver downgrades encryption to DES. If a user ID and password are not specified, the driver throws an exception.

If set to encryptedUIDPasswordAES, the driver uses user ID/password authentication. The driver sends an AES-encrypted user ID and password to the DB2 server for authentication. The driver throws an exception in the following situations:

  • If the database server indicates encryption must be downgraded to DES
  • If a user ID and password are not specified
  • If the EncryptionMethod property is set to a value of DBEncryption or requestDBEncryption.

If set to kerberos, the driver uses Kerberos authentication. The driver ignores any user ID or password specified.

If set to pluginSecurity, the driver uses security plug-ins for authentication. The driver supports GSS plug-in for authentication and it is configured using the GSSPluginName and GSSPluginObject properties.

Notes

  • The User property provides the user ID. The Password property provides the password. The EncryptionMethod property determines whether the driver uses data encryption.
  • If you enable AES encryption by setting the AuthenticationMethod property to encryptedPasswordAES or encryptedUIDPasswordAES, a random number generator is used for secure seeding. Secure seeding is configurable through the RandomGenerator and SecureRandomAlgorithm connection properties.

Default

clearText

Data Type

String

See also