client authentication

I am trying to understand how "client authentication" works. My environment is
DB2/UDB LUW 8.2 on zSeries SLES9 as the database server and DB2 for VSE 7.4
as the client. We currently have DB2/LUW set up as follows:

Client Userid-Password Plugin (CLNT_PW_PLUGIN) =
Client Kerberos Plugin (CLNT_KRB_PLUGIN) =
Group Plugin (GROUP_PLUGIN) =
GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
Server Plugin Mode (SRV_PLUGIN_MODE) = UNFENCED
Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
Server Userid-Password Plugin (SRVCON_PW_PLUGIN) =
Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
Database manager authentication (AUTHENTICATION) = SERVER
Cataloging allowed without authority (CATALOG_NOAUTH) = NO
Trust all clients (TRUST_ALLCLNTS) = YES
Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
Bypass federated authentication (FED_NOAUTH) = NO

When we connect from VSE we always specify a userID and password. The
userID and password we specify exist only on the Linux server, and not at
all on VSE.

Reading about client authentication I see that VSE can act as a "trusted
client". But I'm still not sure what this means.

The way we have things set up on VSE is we are running as "client only". We
do not have the server part of DB2 Server for VSE running. I don't know if
this will have any bearing on my questions, but I wanted to point it out.

First of all, from a batch client application in any case, and I believe
also from an online CICS client application, the VSE CONNECT statement
requires both an authorization name (user ID) and a password. When the
server is set to AUTHENTICATION = SERVER, which it is right now, it makes
sense that I use the userID and password that is defined on that server
(Linux). This all works just fine.

What I don't understand is how AUTHENTICATION = CLIENT is supposed to work.
What user ID (authorization name) and password would I supply in this case?
I can't just omit them, as VSE does not support this (for batch clients, at
least). At first appearances it sounds like I would supply the USERID and
password that are defined to my VSE security system (CA-Top Secret). But
this doesn't make sense, as this user ID is not even defined within DB2/LUW.
Specifically, my VSE user ID is "FJS". But the user defined to DB2/LUW is
"MGR_DEV1". How would DB2/LUW know that the user connected as FJS
corresponds to the user MGR_DEV1?

Confused!

Frank
---
Frank Swarbrick
Senior Developer/Analyst - Mainframe Applications
FirstBank Data Corporation - Lakewood, CO USA
Jan 5 '07 #1
You need to go to the online information center and do a search on
"authentication". Select the first result, a perfect match, read it,
then follow the link to "Authentication methods for your server". That
page has a chart that shows the differences.

Authentication is determining that you are who you claim you are. Server
authentication, as you state, does the checking on the server. This
requires transmitting the userid and password (unencrypted in your case)
to the server. When the server's operating system tells UDB that the
password is valid for the user, the authentication is complete. When
client authentication is being used, the client performs the check.

You are correct that UDB will not understand that your client id FJS
will be unknown to UDB and that UDB will not know to correlate FJS with
MGR_DEV1. This may or may not be a problem. The decision to allow a user
to do anything in UDB is called "authorization" and is a different
function from the authentication performed by an operating system. The
UDB "GRANT" statement is used to control authorizations.

I don't know what happens with client group authentication on a VSE
system. On Linux, the user's groups on the authenticating system would
be the ones made available for authorization purposes. (Note that this
could be a security problem if you have root access to a client system
and can make yourself a member of a group that matches the sysadm group
on the server.) Windows systems have the same issues as Linux but there
are additional server profile variables that can control how groups are
determined in a Windows networking environment where domain controllers
exist.

If MGR_DEV1 is a dbadm or sysadm through a group authorization, I'd keep
the authentication as server. Changing your AUTHENTICATION to
SERVER-ENCRYPT at the server and the client will provide additional
security if your communication lines are compromised. Passwords should
never be sent in the clear when encrypted methods are readily available.
Kerberos authentication is also an option but that will require at least
two additional servers (one active and one backup) on your network
unless you're willing to share that function on a server that does
something else.

Phil Sherman
Jan 7 '07 #2
Frank Swarbrick wrote:
> I am trying to understand how "client authentication" works. My environment
> is DB2/UDB LUW 8.2 on zSeries SLES9 as the database server and DB2 for VSE
> 7.4 as the client. We currently have DB2/LUW set up as follows:
>
> Client Userid-Password Plugin (CLNT_PW_PLUGIN) =
> Client Kerberos Plugin (CLNT_KRB_PLUGIN) =
> Group Plugin (GROUP_PLUGIN) =
> GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
> Server Plugin Mode (SRV_PLUGIN_MODE) = UNFENCED
> Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
> Server Userid-Password Plugin (SRVCON_PW_PLUGIN) =
> Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
> Database manager authentication (AUTHENTICATION) = SERVER
> Cataloging allowed without authority (CATALOG_NOAUTH) = NO
> Trust all clients (TRUST_ALLCLNTS) = YES
> Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
> Bypass federated authentication (FED_NOAUTH) = NO
>
> When we connect from VSE we always specify a userID and password. The
> userID and password we specify exist only on the Linux server, and not at
> all on VSE.

You have SERVER authentication, which means that DB2 will verify
login/password at the server. For that, you must specify credentials that
are known at the server.

> Reading about client authentication I see that VSE can act as a "trusted
> client". But I'm still not sure what this means.

There are clients that can usually not be trusted, for example Windows 95
etc. Those systems do not have a sane and secure environment because you
could use the system w/o logging in.

> What I don't understand is how AUTHENTICATION = CLIENT is supposed to
> work. What user ID (authorization name) and password would I supply in
> this case? I can't just omit them, as VSE does not support this (for batch
> clients, at least). At first appearances it sounds like I would supply the
> USERID and password that are defined to my VSE security system (CA-Top
> Secret). But this doesn't make sense, as this user ID is not even defined
> within DB2/LUW.

Authentication CLIENT means that DB2 relies on the client to do the
authentication. Therefore, the DB2 server doesn't have to know the
password and it doesn't have to do the authentication.

> Specifically, my VSE user ID is "FJS". But the user defined to DB2/LUW
> is "MGR_DEV1". How would DB2/LUW know that the user connected as FJS
> corresponds to the user MGR_DEV1?

It doesn't. If you don't connect as MGR_DEV1 (in which case you have to
authenticate as that user), you will be connected to DB2 as FJS.

--
Knut Stolze
DB2 z/OS Utilities Development
IBM Germany
Jan 7 '07 #3
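To make the two replies above concrete (Phil's SERVER versus CLIENT distinction and Knut's point that under CLIENT authentication the connection simply arrives as FJS), here is an added example that is not code from the thread or from IBM: a Python model of where a DB2 8.2 server decides the password check happens, following the TRUST_ALLCLNTS / TRUST_CLNTAUTH rules from the IBM authentication chart as I understand them. The two registries, their passwords and the connect() helper are constructed for illustration only.

```python
# Added example (not from the thread): a model of the DB2 LUW 8.2 decision
# of WHERE a connection is authenticated and WHICH authorization ID results.
# Rules follow the IBM "authentication methods for your server" chart as
# understood by the editor; registries below are constructed sample data.

# Constructed sample registries: VSE (CA-Top Secret) and the Linux server.
VSE_USERS = {"FJS": "vse-secret"}
LINUX_USERS = {"MGR_DEV1": "linux-secret"}

# DRDA host clients (DB2 for VSE, z/OS, iSeries) count as trusted clients;
# systems without a reliable login facility (Windows 95 and the like) do not.
TRUSTED_CLIENT_KINDS = {"drda", "trusted"}


def auth_location(authentication, trust_allclnts, trust_clntauth,
                  client_kind, creds_supplied):
    """Return 'server' or 'client': where the userid/password is checked."""
    if authentication in ("SERVER", "SERVER_ENCRYPT"):
        return "server"
    if authentication != "CLIENT":
        raise ValueError("unsupported AUTHENTICATION value: " + authentication)
    # AUTHENTICATION = CLIENT: TRUST_ALLCLNTS decides which clients are trusted;
    # untrusted clients are always pushed back to server-side checking.
    if trust_allclnts == "NO" and client_kind not in TRUSTED_CLIENT_KINDS:
        return "server"
    if trust_allclnts == "DRDAONLY" and client_kind != "drda":
        return "server"
    # A trusted client that does send credentials is checked where
    # TRUST_CLNTAUTH says; without credentials its own login is simply trusted.
    if creds_supplied and trust_clntauth == "SERVER":
        return "server"
    return "client"


def connect(cfg, client_kind, client_login, userid=None, password=None):
    """Simulate CONNECT; return (outcome, authorization_id)."""
    where = auth_location(cfg["AUTHENTICATION"], cfg["TRUST_ALLCLNTS"],
                          cfg["TRUST_CLNTAUTH"], client_kind, userid is not None)
    if userid is None:
        if where == "server":
            return ("rejected", None)       # server-side checking needs credentials
        return ("connected", client_login)  # trusted client's login taken as-is
    registry = LINUX_USERS if where == "server" else VSE_USERS
    if registry.get(userid) != password:
        return ("rejected", None)
    return ("connected", userid)
```

Running Frank's current configuration through connect() yields MGR_DEV1; switching only AUTHENTICATION to CLIENT makes the same MGR_DEV1/password pair fail (VSE has no such user) and a credential-less connect arrive as FJS, which is exactly the puzzle in the question.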
