Shulou (Shulou.com), 05/31 report. Updated 2025-01-19, SLTechnology News&Howtos, Database section.
What security does the DB2 database provide? This article analyzes the question and its solutions in detail, in the hope of helping more readers who face this problem find a simpler and easier approach.
Security gaps are dramatic, and they can undermine customer confidence. Even if security is not the most exciting topic, it is an important concern for any enterprise using a database management system. At the same time, as more and more businesses participate in the electronic space, separating private data from public data becomes especially important. So what does DB2 database security consist of?
DB2 database security
Any given company's database system may collect, store, and analyze thousands of rows of information, both public and private in nature. Because of this responsibility, the database must enable the database administrator to appropriately authorize and restrict access. In addition, the database must provide means to prevent unauthorized users from accessing confidential data.
But sometimes database security information is difficult to obtain or understand. Although you often hear how scalable and robust DB2 Universal Database (UDB) is, how often do you hear details about DB2's security features?
Because database security is one of the most important responsibilities of DBAs, you should not try to learn database security by trial and error. Securing your database involves:
Preventing unauthorized access to confidential data by anyone without the knowledge of the enterprise
Preventing unauthorized users from maliciously deleting, destroying, or altering data
Monitoring users' access to data using auditing techniques
In this article, I'll take you through the security features in DB2 UDB v.7.1 for Windows, Unix, and OS/2, and describe some of the internal controls that can help you maximize security.
Authentication
One of the most fundamental concepts in database security is authentication, which is a fairly simple process by which a system verifies user identity. Users can respond to authentication requests by providing identification or authentication tokens.
You are probably already familiar with this concept. If you've ever been asked to show a photo ID (for example, when opening a bank account), someone has already made an authentication request to you. You prove your identity by showing your driver's license (or other photo ID). In this case, your driver's license acts as an authentication token.
Figure 1. DB2 authorization role
Regardless of what you see in the movies, most software programs cannot use futuristic systems (such as facial recognition) for authentication. Instead, most authentication requests require you to provide a user ID and password. Your user ID states who you claim to be, someone authorized to access the environment, and your password provides the proof of that identity. Of course, this authentication assumes that your password is well protected and that you are the only one who knows it.
User authentication is done by a security facility outside DB2, usually part of the operating system or a standalone product. In fact, security isn't just a database issue; operating system vendors spend a lot of time, money, and thought making sure their products are secure. However, some operating systems, including Microsoft Windows 95 and 98, do not have native security mechanisms. If you are using an operating system with no security mechanisms, you can configure your environment to rely on DB2 servers running on more secure systems to provide this security. For example, you can use the trusted client options, which I'll discuss later in this article. (See the DB2 Administration Guide for more information.)
You can also use third-party products, such as the Distributed Computing Environment (DCE) Security Services defined by the Open Group, to add a layer of security to your environment. DB2 can coordinate these external security facilities with its own security features to protect the transactional or analytical environment.
Once user authentication succeeds, DB2 takes note of the user's identity and other relevant security information, such as the list of groups the user belongs to. The user must be identified to DB2 by an SQL authorization name, or authid, which can be the same as the userid or a mapped value. This connection information is retained for the duration of the user's connection.
Authentication options
Because authentication can be handled by the operating system or by third-party products, DB2 provides different authentication options that you can set in the database manager configuration (dbm cfg) file using the AUTHENTICATION parameter. DB2 uses this parameter to determine how and where authentication should occur.
The settings for the dbm cfg AUTHENTICATION parameter can be logically grouped into four categories: server, client, DCE, and Kerberos.
Server authentication. This group offers two main options:
SERVER is the default security mechanism and indicates that authentication should occur on the server using the server's operating system. If a userid and password were specified during the connection, DB2 calls operating system functions to verify the submitted userid and password. (In Windows-based environments, user IDs are often referred to as usernames. The username and password together are often referred to as a user account.)
SERVER_ENCRYPT is essentially the same as the default option, with the exception that the password passed from the client to the server is encrypted. DB2 uses single DES (56-bit) encryption and the Diffie-Hellman algorithm to generate the key for the encryption algorithm at connection time. The RSA BSAFE Toolkit provides this support.
Client authentication. The only option in this group, CLIENT, indicates that authentication will occur on the client. A client is trusted if it resides on an operating system that has security features built into it (for example, AIX). Generally, all clients are trusted except Microsoft Windows 95 and 98, which are considered untrusted.
If the server receives requests from trusted and untrusted clients, the TRUST_ALLCLNTS and TRUST_CLNTAUTH options allow trusted clients to gain access using client authentication, while untrusted clients must provide a password to successfully authenticate. See the DB2 Administration Guide for details.
DCE authentication options. Some administrators prefer to implement DCE security services because DCE provides centralized management of users and passwords, does not pass plaintext passwords and user IDs, and provides single sign-on to users. DB2 uses third-party DCE products to provide integrated support for DCE security services. You can choose one of two settings:
DCE indicates that DCE security services are used to authenticate users. DB2 clients that have logged into DCE can get an encrypted "ticket" that they can use to prove their identity to the DB2 server.
DCE_SERVER_ENCRYPT indicates that the server will accept either a DCE ticket or a user ID and encrypted password as proof of authentication, at the DB2 client's option.
Kerberos authentication options. Kerberos, a new authentication mechanism added to DB2 UDB v.7.1 as part of its tight integration with Microsoft Windows 2000, allows DB2 authentication to be accomplished with a single sign-on facility. Once authenticated, the user is not challenged again by any server in the Kerberos environment. This authentication method can only be used if both the DB2 client and the DB2 server are running on Windows 2000.
DCE and Kerberos use essentially the same underlying technology. When a client logs into the Kerberos security environment, the DB2 client can obtain encrypted Kerberos tickets to prove its identity to the specified DB2 server.
You can choose one of two settings:
KERBEROS indicates that users should be authenticated only with Kerberos security services.
KRB_SERVER_ENCRYPT indicates that the server will accept either a Kerberos ticket or a user ID and encrypted password as proof of authentication, at the DB2 client's option.
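The following is an added example, not code from the original article or from IBM: a shell check that reads the output of `db2 get dbm cfg` and flags the AUTHENTICATION and TRUST_ALLCLNTS settings described above. The sample configuration text is constructed, and the function names `cfg_value` and `audit_auth` are hypothetical.

```shell
#!/bin/sh
# Added example: audit AUTHENTICATION / TRUST_ALLCLNTS from `db2 get dbm cfg`.

# Constructed sample in the layout that `db2 get dbm cfg` prints.
SAMPLE_CFG=' Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = YES
 Trusted client authentication          (TRUST_CLNTAUTH) = CLIENT'

# cfg_value TEXT NAME: print the value found on the "(NAME) = VALUE" line.
cfg_value() {
    printf '%s\n' "$1" |
        sed -n "s/.*($2) *= *\([A-Za-z_]*\).*/\1/p" | head -n 1
}

# audit_auth TEXT: print one finding per line, following the article's groups.
audit_auth() {
    auth=$(cfg_value "$1" AUTHENTICATION)
    trust=$(cfg_value "$1" TRUST_ALLCLNTS)
    case "$auth" in
        SERVER)
            echo "WARN SERVER: checked on the server, password not encrypted in transit"
            echo "FIX  db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT" ;;
        SERVER_ENCRYPT)
            echo "OK   SERVER_ENCRYPT: checked on the server, password encrypted" ;;
        DCE|KERBEROS)
            echo "OK   $auth: ticket-based authentication only" ;;
        DCE_SERVER_ENCRYPT|KRB_SERVER_ENCRYPT)
            echo "OK   $auth: ticket, or user ID with encrypted password" ;;
        CLIENT)
            echo "WARN CLIENT: the server relies on authentication done by the client"
            case "$trust" in
                YES) echo "WARN TRUST_ALLCLNTS=YES: clients without OS security are trusted too" ;;
                NO)  echo "OK   TRUST_ALLCLNTS=NO: untrusted clients must provide a password" ;;
                *)   echo "WARN TRUST_ALLCLNTS='$trust': review manually" ;;
            esac ;;
        *)
            echo "WARN AUTHENTICATION='$auth' not recognized: review manually" ;;
    esac
}

# Stand-alone run on the constructed sample; on a real server, pass
# "$(db2 get dbm cfg)" instead.
audit_auth "$SAMPLE_CFG"
```

A change to AUTHENTICATION is made with `db2 update dbm cfg` and takes effect after the instance is restarted.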
Authorization
Authenticated users participate in the second layer of DB2 security, authorization. Authorization is the process by which DB2 obtains information about authenticated DB2 users, including database operations that users can perform and data objects that users can access.