[DB2 LUW] Prevent connections from older client versions?

Greg Palgrave

[DB2 LUW] Prevent connections from older client versions?

Hi List,

For various reasons, we have a mixture of old (9.5, 9.7) and new JDBC and DB2 client versions scattered across servers and workstations.

We are running servers on Db2 LUW 10.5 FP9 on Linux RHEL 6.x. We will be upgrading to 11.5, hence there is a desire to upgrade the older clients.

I have created an Event Monitor for connections, so I can track the older clients and see where and when they are used.

We can deal with the server versions quite easily, and work is in progress. My problem is a handful of workstations with older client software are still being used, despite repeated requests to upgrade the client. 

There are 'discussions' happening, but I am seeking a way to prevent anyone from connecting to the servers with an older version of the Db2 clients/tools etc. in case we need to go down that path.

My first thought was the Connect Proc, but it seems from the very sparse documentation on the Connect Proc, and some quick testing, that CLIENT_PRDID is not one of the global variables available to the connect proc.

The second problem is that the connect proc does not apply to superusers (SYSADM, SYSCTRL, and SYSMAINT) and, unfortunately, one of the culprits is a Dev superuser :(

The Db2 governor also has no way to check the CLIENT_PRDID, and as far as I can tell, neither does DB2 Workload Management (not that we are licensed in any case).

The only other thing I can think of is the very ugly solution of running a periodical check of connections using TABLE (MON_GET_CONNECTION) and forcing off the connection. Unfortunately I can't provide a nice "Your client is too old" error message using this method, so it will inevitably result in them just continually reconnecting and/or raising a trouble ticket.

Is there any other way to prevent the client connections?

 

Cheers

Greg
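
The periodic MON_GET_CONNECTION check described in the post above, sketched as an added example that is not part of the original thread. It assumes CLIENT_PRDID follows the PPPVVRRM layout (product id, version, release, modification); the function names, the 10.5 minimum and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag connections whose CLIENT_PRDID is below a minimum level.
# Assumed CLIENT_PRDID layout: PPPVVRRM (product id, version, release, mod).

# Constructed sample rows (handle authid host prdid), shaped like the output of
#   db2 -x "SELECT APPLICATION_HANDLE, SESSION_AUTH_ID, CLIENT_HOSTNAME,
#           CLIENT_PRDID FROM TABLE(MON_GET_CONNECTION(CAST(NULL AS BIGINT), -2))"
SAMPLE_ROWS='101 APPUSER  wks-017 SQL09075
102 DEVADMIN wks-042 SQL09054
103 BATCH    app-01  SQL10059
104 WEBAPP   app-02  JCC04190
105 REPORTS  wks-003 SQL11050'

# stale_clients MIN_VVRR: read rows on stdin and print those whose product id
# is SQL and whose version/release is below MIN_VVRR (1005 means 10.5).
# Other product ids (e.g. JCC, the JDBC driver) number differently: skipped.
stale_clients() {
    awk -v min="$1" '
        NF >= 4 && $4 ~ /^SQL[0-9][0-9][0-9][0-9].$/ {
            if (substr($4, 4, 4) + 0 < min + 0)
                print $1, $2, $3, $4
        }'
}

# force_list MIN_VVRR: turn the stale rows into one CLP command, or nothing.
force_list() {
    handles=$(stale_clients "$1" | awk '{ printf "%s%s", sep, $1; sep = ", " }')
    [ -n "$handles" ] && printf 'FORCE APPLICATION (%s)\n' "$handles"
    return 0
}

# enforce MIN_VVRR: live use (e.g. from cron); logs who is hit, then forces.
enforce() {
    rows=$(db2 -x "SELECT APPLICATION_HANDLE, SESSION_AUTH_ID, CLIENT_HOSTNAME,
        CLIENT_PRDID FROM TABLE(MON_GET_CONNECTION(CAST(NULL AS BIGINT), -2))")
    printf '%s\n' "$rows" | stale_clients "$1" |
        while read -r h u host prdid; do
            logger -t db2-oldclient "force handle=$h user=$u host=$host prdid=$prdid"
        done
    cmd=$(printf '%s\n' "$rows" | force_list "$1")
    [ -n "$cmd" ] && db2 "$cmd"
    return 0
}
```

Calling `enforce 1005` from a connected CLP session would force the 9.5 and 9.7 clients; the logged host and auth ID give the help desk something to match against the resulting trouble ticket.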

 

 

Charles Brown

[DB2 LUW] Prevent connections from older client versions?
(in response to Greg Palgrave)
Re “...Is there any other way to prevent the client connections?”

Hello Greg, ...hope all is well. My understanding is in db2, all client connection threads are resolved and authenticated at the instance level. That being said, I’m inclined to say there’s very little client product version filtering you can do. Simply, just not enough room. Therefore I’d encourage you invest time and resource in client upgrades. Your SCCM folks can push these upgrades for you quick, fast in a hurry.

Hope this helps.
Charles


> On Jan 30, 2020, at 7:30 PM, Greg Palgrave <[login to unmask email]> wrote:
>
> Is there any other way to prevent the client connections?
>

Pete Suhner

RE: [DB2 LUW] Prevent connections from older client versions?
(in response to Greg Palgrave)

Hi Greg,
haven't tried, but I think it should be possible to simply drop the respective packages for old client versions.

Package names are documented per version (example for Db2 v10.5 - the "db2clp*.bnd" stuff); they might also change with specific FixPacks, I'd assume.

While this will still allow them to connect, they won't be able to access data and therefore will most likely be forced to upgrade their clients.

Possible for clients only, though. JDBC will use the more generic SYSSH / SYSLH packages.

Best regards,

Pete Suhner

Edited By:
Pete Suhner[Organization Members] @ Jan 31, 2020 - 01:12 PM (Europe/Zurich)

Charles Brown

[DB2 LUW] Prevent connections from older client versions?
(in response to Pete Suhner)

Re “...drop the respective packages for old client versions...”

...as I understood it, db2 static SQL when bound results in generating packages - always the case. You’re quite right, db2 Packages if available are tangible and identifiable objects that can be easily dropped. But dynamic SQL (non static), the likes of db2 data server provider 9.x for .NET are mainly dynamic SQL - no packages are generated. They rely on the supplied db2clpcs.lst to generate their DBRMs.
As previously suggested, upgrade all clients to current product version. Bam! Problem is resolved.
Hope this helps.
Thx!
Charles


> On Jan 31, 2020, at 5:50 AM, Pete Suhner <[login to unmask email]> wrote:
>
> Hi Greg,
> haven't tried, but I think it should be possible to simply drop the respective packages for old client versions.
>
> Package names are documented per version (example for Db2 v10.5) - they might also change with specific FixPacks I'd say.
>
> While this will still allow them to connect, they won't be able to access data and therefore will most likely be forced to upgrade their clients.
>
> Possible for clients only, though. JDBC will use the more generic SYSSH / SYSLH packages.
>
> Best regards,
>
> Pete Suhner

Greg Palgrave

RE: [DB2 LUW] Prevent connections from older client versions?
(in response to Charles Brown)

Thanks for the suggestions, greatly appreciated.

I think dropping the packages will probably be the best option once all the server client upgrades are completed.

We'll continue 'discussions' in the hope of getting everyone compliant, but I'll happily drop the hammer if they don't :D

Cheers

Greg