DB2 LUW Security – DB2 Whisperings

DB2 Configuration Parameters – What They Whisper About Security Behind Your Back.

I’ve always wondered what DB2 would say about security IF it could talk. Maybe the conversation would be something like this…..

DBM DISCOVER: “So, today she set me to DISABLE. I know…I know…it’s for my own good, but I feel SO lonely now.”

DBM DISCOVER_INST: “Yes, DISCOVER she’s just trying to protect us all. You know the harder we are to find, the better our protection, right? She set me to DISABLE too you know. You don’t hear me complaining do you? At least this way, we don’t have to worry so much about strangers trying to take advantage of us just to get to all the wonderful data in our databases. I want friends too, but not the kind that just want to take advantage of my easy nature.”

DBM AUTHENTICATION (in a deep authoritative voice): “Well, I for one am glad you two have joined the security ranks to provide the greatest possible protection for these databases we are in charge of, even if you aren’t as important as I am. I am a great general in this battle, you know. I work to verify a user’s identity, so my settings are of utmost importance. Our DBA is happy to see me set up correctly. I have a lot of options, but she likes the ones that also provide encryption. She also seems to be pretty happy with this SSL thing.”

DBM SSL SETTINGS (SSL_SVR_KEYDB, SSL_SVR_STASH, SSL_SVR_LABEL, SSL_SVCENAME, SSL_CIPHERSPECS, SSL_VERSIONS, SSL_CLNT_KEYDB, SSL_CLNT_STASH), (cheerfully, in unison): “That’s great news! So is she planning on setting up SSL now that there is additional support for non-java based clients? That would certainly make us happy!”

DBM SYSADM_GROUP: “SSL, just speaking for those of us in the SYSADM group, we hope you’ll find a home here and stay for a while. The SYSADMs are mostly invisible to you since we gain our high level powers due to our userid/group affiliation, but we’re here and we support security strength just like the other DBM CFG parameters that you’ve already met.”

DBM DIAGLEVEL: “Well, I guess you are all pretty important and I’m sure I don’t look like much to you, but hey, I COULD be important too you know. As a matter of fact, the db2locksmith wrote a blog all about me and how someone could take an unfair advantage If they manipulated me in the wrong way. If someone set me to zero, and then tried intentionally to do something really bad, well, let’s just say it might not be easy for you SYSADM types to figure out what they were up to. That’s right, I control what gets written to the db2diag.log. I may be tiny and insignificant in your eyes, but treating me badly can have its consequences. I represent all those configuration settings that seem to be innocuous, but that could be turned against security given the right circumstances. The DBA says she’s happy she finally figured me out. She said I was quite a puzzle for a while.”

At this point, I walk in and turn on the light. The whispers immediately silence as I retrieve my reading glasses before I head home for the evening.

DBM SYSADM_GROUP: “That was a close call. I almost thought she had caught us talking about her behind her back.”

DB CFG: “You don’t know her like we do. She’s always forgetting something and coming back in to work. One day it’s her glasses, one day it’s her coffee cup. Guess she’s absent minded, except about security, of course. Have you heard what she’s been changing on the DB CFG lately?”

DBM CFG: “No, tell us, what?”

DB CFG: “Well, she disabled DISCOVER_DB, but then you probably already knew that. Then she did all this work on our log settings to make sure that redundancy was built in. She said that she wanted to protect those transaction logs since they held a lot of good information about the data. Then she made copies of all of our DB CFG settings, one copy for every database partition, and saved the copies in some super secret location, which, knowing her, was probably encrypted. Lately, all she talks about is encryption.”

DBM CFG: “Oh yes, we hear that a lot too. Come to think of it, she copied all of our settings too and did something with them. I wonder if they’re in some secret place as well. She was muttering something like, “If anyone dares to change any of your security settings now, I will know about it.’ I guess she’s using that secret stash of files as some sort of control mechanism?”

SQLLIB: “You guys didn’t know that? Why here at SQLLIB, we know all about her control issues. She has even taken screen captures of our permissions settings and has them secretly stored, just in case someone ever tried to harm us. Truthfully, we think she’s a little paranoid, but in a good way. Her information certainly came in handy when someone tried to chmod us all to 777.”

OS: “Will all of you be quiet, it’s time for the night shift batch cycle to start and you all are keeping me from my beauty sleep.”

And so we come to the close of this episode of the “Whispers of DB2”. It’s time now for all secure DB2 databases to have sweet data dreams until tomorrow.

Online Resources for DB2 Security

Rebecca Bond’s website:

https://www.securedb2.com

Rebecca’s guest Blog on DBI:

https://www.dbisoftware.com/blog/db2_security.php

V9.7 Information Center:

https://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp

DB2 9.7 Security Guide:

https://www-01.ibm.com/support/docview.wss?rs=71&uid=swg27015148

DB2 Security Redbook (LUW):

https://www.redbooks.ibm.com/abstracts/sg247555.html?Open

DB2 Security Redbook (z/OS):