Skip Headers
Oracle® Transparent Gateway for DRDA Installation and User's Guide
10g Release 2 (10.2) for UNIX

Part Number B16217-02
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Feedback

Go to previous page
Previous
Go to next page
Next
View PDF

14 Security Considerations

The gateway architecture involves multiple computer setups that have distinct security capabilities and limitations. This chapter provides information for planning and implementing your security system.

The chapter provides information that is specific to the 10.2 release of the Oracle Transparent Gateway for DRDA. It contains the following sections:

Security Overview

When you connect several different systems, generally the system with the strictest security requirements dictates and rules the system.

gateway security involves two groups:

You can control access in the gateway architecture at several points. Control over database object access is provided by each DRDA database server with GRANTs and related native authorization mechanisms based on user ID.

When the gateway is involved in a SQL request, security mechanisms are in effect for each DRDA system component encountered by the gateway. The first system component encountered is the application tool or 3GL program. The last system component encountered is the DRDA database.

Authenticating Application Logons

An application must connect to an Oracle integrating server before using the gateway. The type of logon authentication that you use determines the resulting Oracle user ID and can affect gateway operation. There are two basic types of authentication:

For more information about authenticating application logons, refer to the Oracle Database Reference.

Defining and Controlling Database Links

The information here is specific to the gateway. For additional information on database links, refer to the Oracle Database Reference.

Link Accessibility

The database link should be accessible to a given user. A public database link can be used by any user ID. A private database link can be used only by the user who created it. The server makes no distinction regarding the type of use (such as read-only versus update or write) or accessibility of remote objects. The DRDA database, which is accessed, is responsible for these distinctions.

Links and CONNECT Clauses

The CONNECT clause is another security-related attribute of a database link. You can use the CONNECT clause to specify an explicit user ID and password, which can differ from the user's Oracle Database user ID and password. This CONNECT user ID and password combination is sent to the gateway when the database link connection is first opened. Depending on gateway options, the gateway might send that user ID and password to the DRDA Server for validation.

If a database link is created without a CONNECT clause, then the user's Oracle Database user ID and password are sent to the gateway when the connection is opened. If the user logs into the Oracle integrating server with operating system authentication, then the gateway does not receive any user ID or password from the Oracle Integrating Server. In this case, user ID mapping facilities at the DRDA Server can be used to make such a connection possible if all users on the same host can use the same DRDA database user ID.

TCP/IP Security

TCP/IP does not have any additional configurable security mechanism. The gateway supports a validation mechanism which requires a user ID and a valid password. The security information is passed to the DRDA Server for validation. This type of validation is equivalent to the "SNA Security Option SECURITY=PROGRAM". Refer to the discussion of this option in Chapter 6, Chapter 7, or Chapter 8. The difference between the two methods is that in the SNA configuration, the security validation is performed by the SNA network facilities, and in the TCP/IP configuration, the DRDA Server manually performs the validation.

Processing Inbound Connections

Current DRDA Servers provide options for manipulating the security conduct of an inbound (client) DRDA session request. Refer to "Documentation Requirements", for a list of IBM documentation.

User ID Mapping

The most useful DRDA Server security capability is user ID mapping. User ID mapping refers to changing the user ID associated with an incoming DRDA request to some other user ID known to that server. This is a useful feature if your Oracle Transparent Gateway installation does not have a uniform user ID structure across all systems and databases.

DB2/OS390

The DB2 DDF Communication Database (CDB) stores inbound DRDA session security options.

These tables, pertinent to inbound sessions, have a role in security processing:

  • SYSIBM.LUNAMES table

    The SYSIBM.LUNAMES table controls inbound security conduct on an SNA Logical Unit basis, affecting all DRDA connections from a particular host system. This table also controls whether inbound connection user IDs are subject to translation or mapping.

  • SYSIBM.SYSUSERNAMES table

    When translation is used, rows in the SYSIBM.SYSUSERNAMES table specify translated user IDs by (Logical Unit)LU name and inbound user ID. Default entries that pertain to all LUs and to all inbound user IDs can be made in both tables. The mapping table can also be used simply to indicate which inbound user IDs are permitted from a particular LU or from all LUs, whether or not they are mapped.

This implementation provides a flexible mapping structure. You can specify that all connections from a particular LU use a single DB2 user ID, or that a particular inbound user ID always be mapped to a particular DB2 user ID regardless of origin. A SYSUSERNAMES entry with blank LU name and inbound user ID can designate a single default DB2 user ID for all connections unless a more specific entry, by LU name, user ID, or both, exists.

The CDB tables can be updated by a user with update privilege using a SQL tool such as the DB2 SPUFI utility. For example, most database administrators, systems programmers, and security officers can update CDB tables. The DB2 DDF component must be stopped and restarted for CDB changes to take effect.

The DB2 non-DRDA-specific security features are also involved in DRDA connections. User IDs are subject to normal DB2 or SAF/RACF validation in addition to connection or sign-on exit processing. Passwords are also subject to validation. After the connection is established, all normal authorizations or GRANTs associated with the user ID are in effect. The user ID must have execute privilege on the gateway DRDA package to process any SQL statements.

DB2/VM

Under a Virtual Machine (VM), DRDA sessions are managed by APPC VTAM Support (AVS), which runs as a disconnected GCS virtual machine. AVS receives incoming APPC connection requests (both DRDA and non-DRDA) and routes the connection to an appropriate server virtual machine.

AVS user ID mapping is controlled by internal AVS data structures that are updated with the AGW ADD USERID and AGW DELETE USERID commands.

A user ID mapping entry converts the inbound user ID before making the DB2/VM connection. The user ID mapping consists of:

  • Originating LU name

  • Inbound user ID

  • The new user ID

You can create default entries that apply to any LU name and to any inbound user ID, and an entry can indicate that the inbound user ID is to be used without mapping.

AVS user ID mapping is functionally similar to the DB2 user ID translation mechanism and can be used to work around a variety of incongruities among user IDs on different systems and databases.

After any indicated user ID mapping has been done, inbound DRDA connection requests are forwarded to the specified DB2/VM server machine. DB2/VM confirms only that the user ID has CONNECT authority and, if so, that the connection is complete. At this point, the applications access to DB2/VM objects is controlled by the normal authorities and GRANTs for the connected user ID. The user ID must have execute authority on the gateway DRDA package to process any SQL statements.

DB2/400

DB2/400 does not provide a user ID mapping capability comparable to that in DB2/OS390 and DB2/VM. Normally, the user ID in an incoming DRDA connection request must be a valid user ID on that DB2/400.

The DB2/400 subsystem communications entry for the gateway should specify that the gateway is not a secure location and should include a default user ID of *NONE.

After the application has completed the DRDA connection to the DB2/400, it is subject to all authorities and GRANTs associated with the user ID in use.

The user ID must have execute authority on the gateway DRDA package to execute any SQL statements.

DB2/Universal Database

DB2/Universal Database (DB2/UDB) does not provide a user ID mapping capability comparable to that in DB2/OS390 and DB2/VM. Normally, the user ID in an incoming DRDA connection request must be a valid user ID on the DB2/UDB host.

After the application has completed the DRDA connection to the DB2 host, it is subject to all authorities and GRANTs associated with the user ID in use. The user ID must have execute authority on the gateway DRDA package to execute any SQL statements.

Passwords in the Gateway Initialization File

The gateway uses userids and passwords to access the information in the remote database on the DRDA Server. Some userids and passwords must be defined in the Gateway Initialization File to handle functions such as resource recovery. In the current security conscious environment, having plain-text passwords that are accessible in the Initialization File is deemed insecure. An encryption feature has been added as part of Hetergeneous Services' generic connectivity to help make this more secure. This feature is accessible by this gateway. With it Initialization parameters which contain sensitive values might be stored in an encrypted form. Refer to the manual Oracle Database Hetergeneous Connectivity Administrator's Guide, Chapter 4, "Encrypting Initialization Parameters" for information about how to use the feature.


See Also:

the parameters DRDA_RECOVERY_USERID and DRDA_RECOVERY_PASSWORD in Appendix C as examples, for more information.