db2connect ee trusted connections to mvs/db2

Carlos Olson

I found the note below in the archives regarding trusted client connections
to OS390 DB2 using DB2 Connect; however, I need to know how this can be
implemented if using TCP/IP as your protocol in the Client Configuration
Assistant.
Any help would be greatly appreciated,

Carlos Olson
Database Administrator

QRS Corporation
1400 Marina Way South
Richmond, California 94804

510.215.3873 voice
510.621.3873 fax

-----Original Message-----
From: [login to unmask email]
Sent: Monday, September 13, 1999 5:56 PM
To: [login to unmask email]
Subject: Re: db2connect ee trusted connections to mvs/db2

First, let me tell you that you are going into some fairly dangerous
territory here. When you enable trusted clients, anybody who knows about (but
does not own) an id with authority can come in and pretend to be this
person. It is not even difficult to do on Windows NT and it is trivial on
Windows 3.1 and Windows 95 machines. For example, if I know (or suspect)
that MILLER is a privileged id in DB2, all I need to do is walk up to a
Windows 3.1/95/98 machine and create id MILLER. From that point on, I can
connect to DB2 and DB2 will trust that I am MILLER and will give me all of
the authority of MILLER. It is a bit harder on Windows NT because you have
to be an administrator on Windows NT to be able to create new ids (on
3.1/95/98 anybody can do it: great security!). You can exclude Windows
3.1/95/98 from being trusted by setting TRUST_ALLCLNTS=NO.

But if you still want to do this, here is what needs to be done on the DB2
Connect server box:
1. CATALOG DATABASE with AUTHENTICATION=CLIENT
2. CATALOG APPC node with SECURITY=SAME
3. set TRUST_ALLCLNTS=NO (to prevent Windows 3.1/95/98 from being trusted)

At each of the trusted clients, CATALOG DATABASE with AUTHENTICATION=CLIENT.

On the DB2 subsystem, set DDF to accept ALREADY_VERIFIED APPC security.

Leon Katsnelson, DB2 Connect Development Manager
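
An added example, not part of either message: a Python check that reads DB2 Connect gateway configuration output and flags the trusted-client exposure described in the reply above. The sample `db2 get dbm cfg` and `db2 list database directory` text, the aliases and the node name are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `db2 get dbm cfg` output (not from the thread).
SAMPLE_DBM_CFG = """\
 Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = YES
"""

# Constructed sample of `db2 list database directory` output; names are made up.
SAMPLE_DB_DIR = """\
 Database alias                       = PAYROLL
 Node name                            = MVSNODE
 Authentication                       = CLIENT

 Database alias                       = REPORTS
 Node name                            = MVSNODE
 Authentication                       = SERVER
"""

def parse_dbm_cfg(text):
    """Map each parenthesised keyword, e.g. TRUST_ALLCLNTS, to its value."""
    pairs = re.findall(r"\((\w+)\)\s*=\s*(.*)", text)
    return {key: value.strip().upper() for key, value in pairs}

def client_auth_aliases(text):
    """Return aliases whose directory entry uses CLIENT authentication."""
    aliases, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "database alias":
            current = value
        elif key == "authentication" and value.upper() == "CLIENT" and current:
            aliases.append(current)
    return aliases

def audit(dbm_cfg_text, db_dir_text):
    """List findings for the trusted-client exposure described in the thread."""
    cfg = parse_dbm_cfg(dbm_cfg_text)
    trusted = client_auth_aliases(db_dir_text)
    findings = []
    # A missing TRUST_ALLCLNTS line is treated as YES, the permissive case.
    if trusted and cfg.get("TRUST_ALLCLNTS", "YES") == "YES":
        findings.append("TRUST_ALLCLNTS=YES: Windows 3.1/95/98 clients are trusted")
    for alias in trusted:
        findings.append(f"{alias}: AUTHENTICATION=CLIENT, user id comes from the client")
    return findings
```
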