Configure the DB2 instance

Enter the following commands to modify each DB2 instance’s configuration parameters to use the Authentication Service for IBM DB2 plug-ins for authentication and authorization.

All of the following commands should be executed as an instance user.

  • Case 1: Use the username/password plug-in only:
    db2 update dbm cfg using SRVCON_PW_PLUGIN centrifydc_db2userpass
    db2 update dbm cfg using SRVCON_AUTH NOT_SPECIFIED
    db2 update dbm cfg using AUTHENTICATION SERVER

    Note:   If you select the SRVCON_AUTH option, the user name and password are transmitted in the clear. This library also includes the following options to encrypt different parts of the message:

    • SERVER_ENCRYPT: The user name and password are encrypted in messages sent from DB2 client to DB2 server.
    • DATA_ENCRYPT: User data as well as the authentication data (user name and password) are encrypted in messages sent from DB2 client to DB2 server.

    • DATA_ENCRYPT_CMP: DATA_ENCRYPT with backwards compatibility to older versions of the DB2 client. (If you have an older version of the DB2 client that does not support the DATA_ENCRYPT option, only the authentication data is encrypted unless you select the DATA_ENCRYPT_CMP option.)

    For example, to set the username/password plug-in to encrypt all data going to the server you would use the following command:

    db2 update dbm cfg using SRVCON_AUTH DATA_ENCRYPT
  • Case 2: Use the GSSAPI plug-in only:

    db2 update dbm cfg using SRVCON_PW_PLUGIN NULL
    db2 update dbm cfg using SRVCON_GSSPLUGIN_LIST centrifydc_db2gsskrb5
    db2 update dbm cfg using LOCAL_GSSPLUGIN centrifydc_db2gsskrb5 
    db2 update dbm cfg using SRVCON_AUTH GSSPLUGIN
    db2 update dbm cfg using AUTHENTICATION SERVER
  • Case 3: Use the username/password plug-in and the GSSAPI plug-in together:

    db2 update dbm cfg using SRVCON_PW_PLUGIN centrifydc_db2userpass
    db2 update dbm cfg using SRVCON_GSSPLUGIN_LIST centrifydc_db2gsskrb5
    db2 update dbm cfg using LOCAL_GSSPLUGIN centrifydc_db2gsskrb5 
    db2 update dbm cfg using SRVCON_AUTH GSS_SERVER_ENCRYPT
    db2 update dbm cfg using AUTHENTICATION SERVER

For all cases: Run the following command as the DB2 instance user to configure the instance to use the Authentication Service for IBM DB2 group plug-in:

db2 update dbm cfg using GROUP_PLUGIN centrifydc_db2group

This completes the Authentication Service for IBM DB2 package manual installation and configuration. Next, verify that the configuration parameters are set properly.