Information
The SRVCON_AUTH database manager configuration parameter specifies how and where authentication takes place for incoming connections to the database. This parameter overrides the AUTHENTICATION parameter.
This parameter can take on any of the following values:
NOT_SPECIFIED
SERVER
SERVER_ENCRYPT
KERBEROS
KRB_SERVER_ENCRYPT
GSSPLUGIN
GSS_SERVER_ENCRYPT
SERVER_ENCRYPT_TOKEN
KERBEROS_TOKEN
GSSPLUGIN_TOKEN
KRB_SVR_ENC_TOKEN
GSS_SVR_ENC_TOKEN
If this parameter is set to NOT_SPECIFIED, then the type of authentication for connections is determined by the AUTHENTICATION parameter.
Recommendations:
Do not use the CLIENT authentication type.
Rationale:
When using the CLIENT authentication type, the server trusts the client to authenticate the connecting user. A malicious user can connect to the database as any user, including a database administrator, simply by creating that user on the client system. Note that CLIENT authentication is deprecated and can only be set if the DB2AUTH registry variable contains ENABLE_CLIENT_AUTHN.
When using the SERVER authentication type without SSL enabled, the user ID and password sent from the client to the server during a connect or an attach are in plaintext. These credentials are therefore exposed when sent across an insecure network and can be intercepted by a malicious user.
The SERVER_ENCRYPT authentication type has been deprecated and may be removed in a future version of Db2. Its Diffie-Hellman key exchange size does not meet the NIST SP 800-131A recommendations. Using TLS to protect client-server communications is recommended instead.
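As an added audit helper (not part of the benchmark text), the script below resolves the authentication type that actually applies to incoming connections, following the NOT_SPECIFIED fallback to AUTHENTICATION described above, and rates it against the rationale. The two configuration lines are a constructed sample in the format printed by `db2 get dbm cfg`; on a live instance the text would come from that command.

```shell
#!/bin/sh
# Added example: resolve and assess the effective connection authentication type.

# Constructed sample of the two relevant lines from `db2 get dbm cfg`.
# On a real instance use:  CFG="$(db2 get dbm cfg)"
SAMPLE_CFG=' Database manager authentication        (AUTHENTICATION) = SERVER
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED'

# cfg_value <cfg-text> <KEYWORD> : prints the value that follows "(KEYWORD) ="
cfg_value() {
    printf '%s\n' "$1" | sed -n "s/.*(${2}) *= *\([A-Z_]*\).*/\1/p" | head -n 1
}

# effective_auth <cfg-text> : SRVCON_AUTH governs connections unless it is
# NOT_SPECIFIED (or absent), in which case AUTHENTICATION applies.
effective_auth() {
    srv=$(cfg_value "$1" SRVCON_AUTH)
    if [ -z "$srv" ] || [ "$srv" = "NOT_SPECIFIED" ]; then
        cfg_value "$1" AUTHENTICATION
    else
        printf '%s\n' "$srv"
    fi
}

# assess_auth <cfg-text> : prints FAIL/WARN/PASS with the reason from the rationale.
assess_auth() {
    eff=$(effective_auth "$1")
    case "$eff" in
        CLIENT)
            printf 'FAIL %s: server trusts the client to authenticate users\n' "$eff" ;;
        SERVER)
            printf 'WARN %s: credentials are plaintext unless TLS is enabled\n' "$eff" ;;
        SERVER_ENCRYPT)
            printf 'WARN %s: deprecated, DH key size below NIST SP 800-131A\n' "$eff" ;;
        KERBEROS|KRB_SERVER_ENCRYPT|GSSPLUGIN|GSS_SERVER_ENCRYPT|*_TOKEN)
            printf 'PASS %s\n' "$eff" ;;
        *)
            printf 'FAIL unknown or missing value "%s"\n' "$eff" ;;
    esac
}

assess_auth "$SAMPLE_CFG"
```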
Impact:
Implementing this recommendation requires a restart of the Db2 instance, which results in a brief downtime. Apply the setting during an approved maintenance window.
Solution
Attach to the Db2 instance:
db2 => attach to <db2instance>
Run the following command:
db2 => update database manager configuration using srvcon_auth <authentication type>
Restart the Db2 instance:
db2 => db2stop
db2 => db2start
Refer to the 'encryption of data in motion' section for more information about using SSL for client-server communication.