Set Up IBM DB2 Authentication

Create records to allow the service to authenticate to a DB2 instance. During scanning the service will authenticate to one or more DB2 instances on a single host using the DB2 records in your account. When there are multiple DB2 instances, you create a separate authentication record for each instance.

For a vulnerability scan, an instance is defined uniquely by an IP address and port. For a compliance scan, an instance is defined uniquely by an IP address, port and database name.

Let's say you want to define these DB2 records in your account. In the table below, PC Only=Yes indicates that the check box “Use this record for Policy Compliance scans only” is selected in the record.

           IP Address     Port   Database Name   PC Only
Record 1   10.10.31.178   50000  SAMPLE          No
Record 2   10.10.30.159   50000  TOOLS           No
Record 3   10.10.30.159   50000  SAMPLE          Yes

Record 1 and Record 2 will be used for both vulnerability scans and compliance scans. Record 3 will be used for compliance scans only. You’ll notice that Record 2 and Record 3 have the same IP address and port but different database names - this is allowed because Record 3 is used for compliance scans only.

By default, DB2 records will be used for both vulnerability and compliance scans. You can select the check box "Use this record for Policy Compliance scans only" if you want this record to only be used for compliance scans.
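The uniqueness rules above (IP and port for vulnerability scans, IP, port and database name for compliance scans, with PC-only records exempt from the first rule) can be checked before records are saved. The following is an added example written for this page, not Qualys code; the record model and function names are assumptions, and the three records are the ones from the table above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Db2Record:
    """One IBM DB2 authentication record (constructed model, not the product's own)."""
    name: str
    ip: str
    port: int
    database: str
    pc_only: bool = False  # "Use this record for Policy Compliance scans only"

def records_used_for(records, scan_type):
    """Records that apply to a scan: PC-only records are skipped for vulnerability scans."""
    if scan_type == "vulnerability":
        return [r for r in records if not r.pc_only]
    if scan_type == "compliance":
        return list(records)
    raise ValueError(f"unknown scan type: {scan_type}")

def find_conflicts(records):
    """Return (record_a, record_b, reason) for each pair that describes the same instance.

    A vulnerability scan identifies an instance by IP and port, so two records
    that both apply to vulnerability scans must not share an IP/port pair.
    A compliance scan identifies an instance by IP, port and database name,
    so no two records may share all three.
    """
    conflicts = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if (a.ip, a.port) != (b.ip, b.port):
                continue
            if a.database == b.database:
                conflicts.append((a.name, b.name, "same IP, port and database name"))
            elif not a.pc_only and not b.pc_only:
                conflicts.append((a.name, b.name,
                                  "same IP and port, both used for vulnerability scans"))
    return conflicts

# The three records from the table above.
PAGE_RECORDS = [
    Db2Record("Record 1", "10.10.31.178", 50000, "SAMPLE"),
    Db2Record("Record 2", "10.10.30.159", 50000, "TOOLS"),
    Db2Record("Record 3", "10.10.30.159", 50000, "SAMPLE", pc_only=True),
]

if __name__ == "__main__":
    print([r.name for r in records_used_for(PAGE_RECORDS, "vulnerability")])
    print(find_conflicts(PAGE_RECORDS))  # empty: Record 3 is compliance only
    cleared = PAGE_RECORDS[:2] + [Db2Record("Record 3", "10.10.30.159", 50000, "SAMPLE")]
    print(find_conflicts(cleared))       # Record 2 and Record 3 now collide
```

Clearing the PC-only box on Record 3 makes it collide with Record 2, which is exactly the case the text says is only allowed because Record 3 is compliance only.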

- Go to Scans > Authentication.

- Check that you already have a record defined for each host running database instances.

- Create an IBM DB2 record for the database instance. Go to New > Databases > IBM DB2.

You'll need to supply a user name and password, the database name you want to authenticate to and the port the database is on. It is strongly recommended that you create one or more dedicated user accounts to be used solely by the scanning engine to authenticate to DB2 instances.

Select the target hosts (IPs) to authenticate to.

We support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record and select your vault name. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.

Provide details about your IBM DB2 installation to allow the scanning engine to gather DB2 compliance data at the Windows operating system level.

Windows Parameters

Enter parameters for your IBM DB2 installation. All fields are required and have a limit of 255 characters. These special characters are not allowed: ; & | # % ? ! * ` ( ) [ ] ” ’ > < = ^ /

Parameters:

DB2 Installation Directory. Specify the path to the DB2 runtime library if you want the service to perform OS-dependent compliance checks. This is the location where DB2 has been installed on the server.

Primary Archive Location. Specify the path to the primary archive location if you want the service to perform OS-dependent compliance checks. This is the directory where the primary log files are located.

Secondary Archive Location. Specify the path to the secondary archive location if you want the service to perform OS-dependent compliance checks. This parameter specifies the number of secondary log files that are created and used for recovery log files (only as needed). It is set by the DB2 logsecond parameter.

Tertiary Archive Location. Specify the path to the tertiary archive location if you want the service to perform OS-dependent compliance checks. This parameter specifies a path to which DB2 will try to archive log files if the log files cannot be archived to either the primary or the secondary (if set) archive destinations because of a media problem affecting those destinations. It is set by the DB2 failarchpath parameter.

Mirror Archive Location. Specify the path to the mirror archive location if you want the service to perform OS-dependent compliance checks. If mirrorlogpath is configured, DB2 will create active log files in both the log path and the mirror log path. All log data will be written to both paths. The mirror log path has a duplicate set of active log files. If the active log files are destroyed by a disk error or human error, the database can still function.

Windows Authentication Required

Windows authentication to target hosts is required to gather compliance data from a DB2 installation running on Windows. For this reason the same hosts defined in this DB2 record must also be defined in Windows record(s) in your account.

Provide details about your IBM DB2 installation to allow the scanning engine to gather DB2 compliance data at the Unix operating system level.

Unix Parameters

Enter parameters for your IBM DB2 installation. All fields are required and have a limit of 255 characters. These special characters are not allowed: ; & | # % ? ! * ` ( ) [ ] ” ’ > < = ^ \

Parameters:

DB2 Installation Directory. Specify the path to the DB2 runtime library if you want the service to perform OS-dependent compliance checks. This is the location where DB2 has been installed on the server.

Primary Archive Location. Specify the path to the primary archive location if you want the service to perform OS-dependent compliance checks. This is the directory where the primary log files are located.

Secondary Archive Location. Specify the path to the secondary archive location if you want the service to perform OS-dependent compliance checks. This parameter specifies the number of secondary log files that are created and used for recovery log files (only as needed). It is set by the DB2 logsecond parameter.

Tertiary Archive Location. Specify the path to the tertiary archive location if you want the service to perform OS-dependent compliance checks. This parameter specifies a path to which DB2 will try to archive log files if the log files cannot be archived to either the primary or the secondary (if set) archive destinations because of a media problem affecting those destinations. It is set by the DB2 failarchpath parameter.

Mirror Archive Location. Specify the path to the mirror archive location if you want the service to perform OS-dependent compliance checks. If mirrorlogpath is configured, DB2 will create active log files in both the log path and the mirror log path. All log data will be written to both paths. The mirror log path has a duplicate set of active log files. If the active log files are destroyed by a disk error or human error, the database can still function.
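The Windows and Unix parameter sections above share one rule set (every field required, at most 255 characters, a fixed list of forbidden characters) and differ in one character: Windows rejects `/`, Unix rejects `\`, so native paths of each platform pass. The validator below is an added example for this page, not Qualys code; the field names and sample paths are constructed, and the typographic quotes in the page's list are assumed to mean the ASCII double and single quote.

```python
# Characters the page lists as not allowed. The page shows typographic quotes;
# they are assumed here to mean the ASCII double and single quote.
_COMMON_FORBIDDEN = set(';&|#%?!*`()[]"\'><=^')
FORBIDDEN = {
    "windows": _COMMON_FORBIDDEN | {"/"},   # backslash paths remain valid
    "unix": _COMMON_FORBIDDEN | {"\\"},     # forward-slash paths remain valid
}
MAX_LEN = 255
# Field names are assumed; they follow the parameter list above.
FIELDS = ("installation_directory", "primary_archive", "secondary_archive",
          "tertiary_archive", "mirror_archive")

def validate_db2_parameters(os_type, params):
    """Return {field: [problems]}; an empty dict means every field is acceptable."""
    forbidden = FORBIDDEN[os_type.lower()]
    problems = {}
    for field in FIELDS:
        value = params.get(field, "")
        errs = []
        if not value:
            errs.append("required")
        if len(value) > MAX_LEN:
            errs.append(f"longer than {MAX_LEN} characters")
        bad = sorted(set(value) & forbidden)
        if bad:
            errs.append("disallowed characters: " + " ".join(bad))
        if errs:
            problems[field] = errs
    return problems

# Constructed sample values; the paths are illustrative, not product defaults.
WINDOWS_OK = {
    "installation_directory": r"C:\Program Files\IBM\SQLLIB",
    "primary_archive": r"D:\db2logs\primary",
    "secondary_archive": r"D:\db2logs\secondary",
    "tertiary_archive": r"E:\db2logs\failover",
    "mirror_archive": r"F:\db2logs\mirror",
}
UNIX_OK = {
    "installation_directory": "/opt/ibm/db2/V11.5",
    "primary_archive": "/var/db2logs/primary",
    "secondary_archive": "/var/db2logs/secondary",
    "tertiary_archive": "/mnt/failover/db2logs",
    "mirror_archive": "/mnt/mirror/db2logs",
}

if __name__ == "__main__":
    print(validate_db2_parameters("windows", WINDOWS_OK))   # {}
    print(validate_db2_parameters("unix", WINDOWS_OK))      # every field flags the backslash
```

Note that a Windows install under a directory such as "Program Files (x86)" is rejected because parentheses are on the forbidden list, so such a path cannot be entered as written.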

Unix Authentication Required

Unix authentication to target hosts is required to gather compliance data from a DB2 installation running on Unix. For this reason the same hosts defined in this DB2 record must also be defined in Unix record(s) in your account.

When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.