Distributed Relational Database Architecture™ (DRDA®) security is covered in the Security topic, but for the sake of completeness, it is mentioned here as a consideration before using DRDA, or in converting your network from the use of Advanced Program-to-Program Communication (APPC) to TCP/IP.
Security setup for TCP/IP is quite different from what is required for APPC. One thing to be aware of is the lack of the secure location concept that APPC has. Because a TCP/IP server cannot fully trust that a client server is who it says it is, the use of passwords on connection requests is more important. To make it easier to send passwords on connection requests, the use of server authorization lists associated with specific user profiles has been introduced with TCP/IP support. Entries in server authorization lists can be maintained by use of the xxxSVRAUTHE commands (where xxx represents ADD, CHG, and RMV) described in Security. An alternative to the use of server authorization entries is to use the USER/USING form of the SQL CONNECT statement to send passwords on connection requests.
Kerberos support provides another security option if you are using TCP/IP. Network authentication service supports Kerberos protocols and can be used to configure for Kerberos.
Setup at the server side includes deciding and specifying what level of security is required for inbound connection requests. For example, should unencrypted passwords be accepted? The default setting is that they are. The default setting can be changed by use of the Change DDM TCP/IP Attributes (CHGDDMTCPA) command.