db2connect ee trusted connections to mvs/db2

Doug Hipenbecker

Your comment:
"On DB2 subsystem set DDF to accept ALREADY_VERIFIED APPC security"

Is this the SECURITY_IN & SECURITY_OUT columns on the SYSIBM.LUNAMES table?

They are both set to "A" which should allow for a userid w/o password to be
passed.

I'm still not able to get this trusting to work...any other things to look
for?

Any help would be appreciated!

Doug Hipenbecker
Miller Brewing Co

-----Original Message-----
From: [login to unmask email] [mailto:[login to unmask email]
Sent: Monday, September 13, 1999 5:56 PM
To: [login to unmask email]
Subject: Re: db2connect ee trusted connections to mvs/db2


First, let me tell you that you are going into some fairly dangerous territory
here. When you enable trusted clients anybody who knows about (but does not own)
an id with authority can come in and pretend to be this person. It is not even
difficult to do on Windows NT and it is trivial on Windows 3.1 and Windows 95
machines. For example, if I know (or suspect) that MILLER is a privileged id in
DB2 all I need to do is walk up to a Windows 3.1/95/98 machine and create id
MILLER. From that point on I can connect to DB2 and DB2 will trust that I am
MILLER and will give me all of the authority of MILLER. It is a bit harder on
Windows NT because you have to be an administrator on Windows NT to be able to
create new ids (on 3.1/95/98 anybody can do it: great security!). You can
exclude Windows 3.1/95/98 from being trusted by setting TRUST_ALLCLNTS=NO.

But if you still want to do this, here is what needs to be done on the DB2
Connect server box:
1. CATALOG DATABASE with AUTHENTICATION=CLIENT
2. CATALOG APPC node with SECURITY=SAME
3. set TRUST_ALLCLNTS=NO (to prevent Windows 3.1/95/98 from being trusted)

At each of the trusted clients CATALOG DATABASE with AUTHENTICATION=CLIENT

On DB2 subsystem set DDF to accept ALREADY_VERIFIED APPC security.

Leon Katsnelson, DB2 Connect Development Manager
mailto:[login to unmask email]


"Hipenbecker, Doug" <[login to unmask email]> on 09/13/99 03:17:34 PM

Please respond to DB2 Data Base Discussion List
<[login to unmask email]>

To: [login to unmask email]
cc:
Subject: db2connect ee trusted connections to mvs/db2




Greetings!

I am trying to test out WNT trusted client connections through to mvs/db2.

I have consulted some gurus and have the universal db2 connectivity guide
redbook, but I'm having some troubles.

We use db2connect ee 5.2.0.31 on aix with sna gateway dbs to mvs/db2.

My appc node has SECURITY=SAME
My instance parms:
AUTHENTICATION=CLIENT
TRUST_ALLCLNTS=YES
TRUST_CLNTAUTH=CLIENT

My cataloged gateway db has:
AUTHENTICATION=CLIENT

I would expect that if I'm already authenticated on a WNT client, I would
only have to provide my userid and not my password. The userid I'm using
has the sufficient privileges on the mvs host to the mvs/db2 database and
works with AUTHENTICATION=DCS on the catalogued db and AUTHENTICATION=SERVER
on the gateway db2connect instance. However, this requires db2 mvs host
authentication of password which I'm trying to avoid.

Can anybody help me out???

Thanks

Douglas J Hipenbecker
Information Management Services
Miller Brewing Company
Milwaukee, WI
[login to unmask email]
414-931-2971
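
A configuration check for the settings discussed in this thread, added here as an example and not part of either poster's message: it parses instance parameters and flags the combination where client-asserted identities are accepted from every client type. The `(NAME) = value` line layout is assumed to match `db2 get dbm cfg` output, the sample text is constructed from the three instance parameters quoted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout assumed for `db2 get dbm cfg` output; the
# three values are the instance parameters quoted in the original question.
SAMPLE_DBM_CFG = """\
 Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = YES
 Trusted client authentication          (TRUST_CLNTAUTH) = CLIENT
"""

PARAM_RE = re.compile(r"\((\w+)\)\s*=\s*(\S*)")


def parse_dbm_cfg(text):
    """Return {PARAMETER: VALUE} for every '(NAME) = value' line."""
    cfg = {}
    for line in text.splitlines():
        match = PARAM_RE.search(line)
        if match:
            cfg[match.group(1).upper()] = match.group(2).upper()
    return cfg


def audit_trust(cfg):
    """Return (severity, message) findings for the client-trust settings."""
    if cfg.get("AUTHENTICATION") != "CLIENT":
        return []  # identity is not taken from the client; nothing to flag
    findings = [("WARN", "AUTHENTICATION=CLIENT: the user id is whatever the "
                         "client machine asserts")]
    trust_all = cfg.get("TRUST_ALLCLNTS", "")
    if trust_all == "YES":
        findings.append(("HIGH", "TRUST_ALLCLNTS=YES: Windows 3.1/95/98 "
                                 "clients are trusted too; set it to NO"))
    elif trust_all == "NO":
        findings.append(("INFO", "TRUST_ALLCLNTS=NO: Windows 3.1/95/98 "
                                 "clients are not trusted"))
    else:
        findings.append(("WARN", "TRUST_ALLCLNTS missing or unrecognised; "
                                 "check the instance by hand"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_trust(parse_dbm_cfg(SAMPLE_DBM_CFG)):
        print(f"{severity}: {message}")
```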