<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Set up DRDA security" />
<meta name="abstract" content="Distributed Relational Database Architecture (DRDA) security is covered in the Security topic, but for the sake of completeness, it is mentioned here as a consideration before using DRDA, or in converting your network from the use of Advanced Program-to-Program Communication (APPC) to TCP/IP." />
<meta name="description" content="Distributed Relational Database Architecture (DRDA) security is covered in the Security topic, but for the sake of completeness, it is mentioned here as a consideration before using DRDA, or in converting your network from the use of Advanced Program-to-Program Communication (APPC) to TCP/IP." />
<meta name="DC.subject" content="TCP/IP, security, setting up, Kerberos, authentication" />
<meta name="keywords" content="TCP/IP, security, setting up, Kerberos, authentication" />
<meta name="DC.Relation" scheme="URI" content="rbal1setup.htm" />
<meta name="DC.Relation" scheme="URI" content="../cl/chgddmtcpa.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconfig.htm" />
<meta name="DC.Relation" scheme="URI" content="../rbam6/rbam6clmain.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbal1drdasec" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Set up DRDA security</title>
</head>
<body id="rbal1drdasec"><a name="rbal1drdasec"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Set up DRDA security</h1>
<div><p>Distributed
Relational Database Architecture™ (DRDA<sup>®</sup>) security is covered in the Security
topic, but for the sake of completeness, it is mentioned here as a consideration
before using DRDA,
or in converting your network from the use of Advanced Program-to-Program
Communication (APPC) to TCP/IP.</p>
<p>Security setup for TCP/IP is quite different from what is required for
APPC. One thing to be aware of is the lack of the secure location concept
that APPC has. Because a TCP/IP server cannot fully trust that a client system
is who it says it is, the use of passwords on connection requests is more
important. To make it easier to send passwords on connection requests, the
use of server authorization lists associated with specific user profiles has
been introduced with TCP/IP support. Entries in server authorization lists
can be maintained by use of the xxxSVRAUTHE commands (where xxx represents
ADD, CHG, and RMV) described in <a href="rbal1secure.htm#rbal1secure">Security</a>.
An alternative to the use of server authorization entries is to use the USER/USING
form of the SQL CONNECT statement to send passwords on connection requests.</p>
<p>Kerberos support provides another security option if you are using TCP/IP.
Network authentication service supports Kerberos protocols and can be used
to configure for Kerberos.</p>
<p>Setup at the server side includes deciding and specifying what level of
security is required for inbound connection requests. For example, should
unencrypted passwords be accepted? The default setting is that they are. The
default setting can be changed by use of the Change DDM TCP/IP Attributes
(CHGDDMTCPA) command.</p>
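<p>The setup steps described above, as an added CL example that is not part of the original IBM topic. The names MYUSER, RMTRDB and RMTUSER and the password are placeholders; confirm the PWDRQD value name against the CHGDDMTCPA reference for your release.</p>

```cl
/* Added example. MYUSER, RMTRDB, RMTUSER and the password are          */
/* placeholders, not values from the IBM topic.                          */

/* Client side: a server authorization entry stores its password only   */
/* when the QRETSVRSEC system value is '1'. Check it, then set it.       */
DSPSYSVAL SYSVAL(QRETSVRSEC)
CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')

/* Client side: tie a remote user ID and password to the local profile  */
/* MYUSER for connections to the relational database RMTRDB. For DRDA   */
/* the SERVER value is the RDB name, entered in uppercase.               */
ADDSVRAUTHE USRPRF(MYUSER) SERVER(RMTRDB) USRID(RMTUSER) +
            PASSWORD('placeholder-password')

/* Server side: the default accepts unencrypted passwords. Require an   */
/* encrypted password on inbound DDM/DRDA TCP/IP connection requests.    */
/* Assumption: *USRENCPWD is the value name at this release; earlier     */
/* releases document the same setting under a different name.            */
CHGDDMTCPA PWDRQD(*USRENCPWD)
```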
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbal1setup.htm" title="The runtime support for an iSeries distributed relational database is provided by the operating system. Therefore, when the operating system is installed, distributed relational database support is installed.">Initial setup</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="../rzakh/rzakhconfig.htm">Configure network authentication service</a></div>
<div><a href="../rbam6/rbam6clmain.htm">Control language</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="../cl/chgddmtcpa.htm">Change DDM TCP/IP Attributes (CHGDDMTCPA) command</a></div>
</div>
</div>
</body>
</html>