DB2 2 Security


Transcript of DB2 2 Security

  • 8/6/2019 DB2 2 Security

    1/45

    IBM DB2 9

    2008 IBM Corporation

    Govind Sidhu

    Computer Engineer

    [email protected]

    Section 2) Security

  • Section 2 -- Security (11%)

    - Knowledge of restricting data access

    - Knowledge of different authorities and privileges available

    - Knowledge of encryption options available (data and network)

    - Given a DCL SQL statement, ability to identify results (GRANT, REVOKE, CONNECT statements)

  • Aspects of database security

    A database security plan should define:

    - Who is allowed access to the instance and/or database

    - Where and how a user's password is verified

    - What authority level a user is granted

    - What commands a user is allowed to run

    - What data a user is allowed to read and/or alter

    - What database objects a user is allowed to create, alter, and/or drop

  • Security - Authentication, Authorities and Privileges

    DB2 authentication controls the following aspects:

    - Who is allowed access to the instance and/or database

    - Where and how a user's password will be verified

    DB2 authorities control the following aspects of a database security plan:

    - What authority level a user is granted

    - What commands a user is allowed to run

    - What data a user is allowed to read and/or alter

    - What database objects a user is allowed to create, alter and/or drop

    A privilege is the right to create or access a database object.

    - Database-level privileges span all objects within the database

    - Object-level privileges are associated with a specific object

  • Basic Client-Gateway-Host configuration

    (Diagram: DB2 clients on Windows, AIX and Linux connect to a DB2 server or a DB2 Connect Server acting as gateway, which in turn connects to DB2 on the host.)

  • Security - Authentication

    Verify the user's identity: DB2 passes all user IDs and passwords to the operating system or to an external security facility for verification.

    Set the authentication parameter at both the DB2 server and the client to control where authentication takes place.

    - At the DB2 server, the authentication type is defined in the database manager configuration file (DBM CFG):

      db2 "GET DBM CFG"

      db2 "UPDATE DBM CFG USING AUTHENTICATION CLIENT"

    - At the DB2 client, the authentication type is specified when cataloging a database:

      db2 "CATALOG DATABASE sample AT NODE mynode AUTHENTICATION SERVER"

  • Authentication Types

    Where does authentication take place?

    1. SERVER: Authentication occurs at the server workstation, using the security facility provided by the server's operating system. By default, this is the authentication type used when an instance is first created.

    2. SERVER_ENCRYPT: Same as SERVER, except that the user credentials are encrypted at the client workstation before they are sent to the server workstation for validation.

    3. CLIENT: Authentication occurs at the client workstation, using the security facility provided by the client's operating system.

    4. KERBEROS: Authentication occurs at the server workstation, using a security facility that supports the Kerberos security protocol. Supported only on clients and servers that are using the Windows 2000, Windows XP, or Windows .NET operating system.

    5. KRB_SERVER_ENCRYPT: Authentication occurs at the server workstation, using either the KERBEROS or the SERVER_ENCRYPT authentication method. If the Kerberos authentication service is unavailable, the server acts as if SERVER_ENCRYPT was specified.

    6. DATA_ENCRYPT: Same as the SERVER_ENCRYPT authentication method. In addition, all user data is encrypted before it is passed from client to server and from server to client.

    7. DATA_ENCRYPT_CMP: Same as the DATA_ENCRYPT authentication method. In addition, this authentication type provides compatibility for down-level products that do not support the DATA_ENCRYPT authentication type.

    8. GSSPLUGIN: Authentication occurs at the server workstation, using a Generic Security Service Application Program Interface (GSS-API) plug-in. If the client's authentication type is not specified, the server returns a list of server-supported plug-ins to the client. If the client supports none of them, the KERBEROS method is used.

    9. GSS_SERVER_ENCRYPT: Authentication occurs at the server workstation, using either the GSSPLUGIN or the SERVER_ENCRYPT authentication method. If the client does not support any of the plug-ins found in the server-supported plug-in list, the client tries the KERBEROS method. If it does not support that either, it uses the SERVER_ENCRYPT method.

  • Trusted Clients versus Untrusted Clients

    Clients that use an operating system that contains a tightly integrated security facility (for example, Windows NT, Windows 2000, all supported versions of UNIX, MVS, OS/390, VM, VSE, and AS/400) are classified as trusted clients.

    Clients that use an operating system that does not provide an integrated security facility (for example, Windows 95, Windows 98, and Windows Millennium Edition) are treated as untrusted clients.

    Whenever an untrusted client attempts to access an instance or a database, user authentication always takes place at the server. If the trust_allclnts configuration parameter is set to DRDAONLY, only MVS, OS/390, VM, VSE, and OS/400 clients will be treated as trusted clients.

  • Authorities

  • System Administrator (SYSADM) authority

    Highest level of administrative authority available.

    Only SYSADM is allowed to perform these tasks:

    - Migrate a database from a previous version to DB2 Version 9.

    - Modify the parameter values of the DBM CFG file associated with an instance, including specifying which groups have SYSADM, SYSCTRL, SYSMAINT, and SYSMON authority.

    - Give (grant) or revoke DBADM and SECADM authority to individual users and/or groups.

    Example: granting SYSADM authority to the group grp1:

    db2 "UPDATE DBM CFG USING SYSADM_GROUP grp1"

  • System Control (SYSCTRL) authority

    SYSCTRL users can perform all administrative and maintenance commands within the instance.

    Some tasks that only SYSCTRL and SYSADM can do:

    - Force users off the system.

    - Create or destroy (drop) a database.

    - Create, alter, or drop a table space.

    SYSCTRL users cannot access any data within the databases unless they are granted the privileges.

    A SYSADM user can assign SYSCTRL to a group by:

    db2 "UPDATE DBM CFG USING SYSCTRL_GROUP grp2"

  • System Maintenance (SYSMAINT) authority

    SYSMAINT users can issue a subset of the commands allowed for SYSCTRL authority: the tasks that are considered maintenance related, such as:

    - db2start/db2stop

    - db2 backup/restore/rollforward database

    - db2 runstats (against any table)

    - db2 update db cfg for database dbname

    Users with SYSMAINT cannot create or drop databases or table spaces, and cannot access any data within the databases.

    A SYSADM user can assign SYSMAINT to a group by:

    db2 "UPDATE DBM CFG USING SYSMAINT_GROUP grp3"

  • Database Administrator (DBADM) authority

    DBADM is a database-level authority and can be assigned by SYSADM to both users and groups:

    - grant dbadm on database to user user1

    - grant dbadm on database to group group1

    DBADM users have almost complete control over the database but cannot perform maintenance or administrative tasks:

    - drop database

    - drop/create tablespace

    - backup/restore database

    - update db cfg for database

    They can perform:

    - create/drop table

    - grant/revoke (any privilege)

  • Load (LOAD) authority

    LOAD authority is also considered a database-level authority, and can therefore be granted to both users and groups.

    LOAD authority allows users:

    - To issue the LOAD command against a table. The LOAD command is typically used as a faster alternative to the insert or import commands when populating a table with large amounts of data.

    - Specific privileges on the table may also be required.

    Users with either SYSADM or DBADM authority can grant or revoke LOAD authority to users or groups.


  • System Monitoring (SYSMON) and Security Administrator (SECADM) authority

    SYSMON authority allows users to take system monitor snapshots for an instance and/or for one or more databases that fall under that instance's control. It is designed to allow special users to monitor the performance of a database that contains sensitive data that they most likely do not have the right to view or modify.

    SECADM authority allows special users to configure the various label-based access control (LBAC) elements (rules, labels and policies) to restrict access to one or more tables that contain data to which they most likely do not have access themselves. No other authority provides a user with these abilities, including SYSADM.


  • Privileges

  • Database Privileges

    - CONNECT: Users can connect to the database.

    - QUIESCE_CONNECT: Users can access a database while it is in a quiesced state.

    - IMPLICIT_SCHEMA: Users can implicitly create schemas within the database without using the CREATE SCHEMA command.

    - CREATETAB: Users can create tables within the database.

    - BINDADD: Users can create packages in the database using the BIND command.

    - CREATE_EXTERNAL_ROUTINE: Users can create a procedure for use by applications and other users of the database.

    - CREATE_NOT_FENCED: Users can create unfenced user-defined functions (UDFs).

    - LOAD: Users can load data into a table.

  • Table space and schema privileges

    - USE allows a user to create tables and indexes in the table space. The owner of a table space automatically receives USE privilege for that table space. The USE privilege cannot be used for the SYSCATSPACE table space or any temporary table space that might exist.

    - CREATEIN allows users to create objects within the schema.

    - ALTERIN allows users to modify definitions of objects within the schema.

    - DROPIN allows users to drop objects within the schema.

  • Privileges - Tables & Views

  • Privileges on other objects


  • Some Examples

    CONNECT TO sample USER Jane USING password

    GRANT SELECT ON TABLE inventory TO john_doe WITH GRANT OPTION

    GRANT SELECT, INSERT, UPDATE, DELETE ON deptview TO USER user1, USER user2

    GRANT REFERENCES (empid) ON TABLE employee TO USER user1, GROUP group1

    GRANT ALL ON TABLE payroll.employee TO PUBLIC

    GRANT UPDATE (address, home_phone) ON TABLE emp_info TO PUBLIC

    REVOKE ALL ON TABLE department FROM user1, PUBLIC [Inaccessible views]
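    The statements above replayed in a small Python model added here (not part of the slides or of DB2itself), so the effect of WITH GRANT OPTION, grants to PUBLIC, column-level UPDATE and REVOKE ALL can be checked; the earlier SELECT grant on DEPARTMENT is constructed so the REVOKE has something to remove, and CONTROL, group membership and view dependencies are not modelled.

```python
from collections import defaultdict

# Every privilege "ALL" expands to on a table; CONTROL is never part of ALL.
ALL_TABLE_PRIVS = ("SELECT", "INSERT", "UPDATE", "DELETE", "ALTER", "INDEX", "REFERENCES")


class PrivilegeStore:
    """(grantee, object) -> {privilege: {"grantable": bool, "columns": None | set}}."""

    def __init__(self):
        self.privs = defaultdict(dict)

    def grant(self, privs, obj, grantees, columns=None, with_grant=False):
        privs = ALL_TABLE_PRIVS if privs == "ALL" else privs
        for grantee in grantees:
            for priv in privs:
                self.privs[(grantee.lower(), obj.lower())][priv] = {
                    "grantable": with_grant,
                    # None = whole table; a set = column-level grant only
                    "columns": None if columns is None else {c.lower() for c in columns},
                }

    def revoke(self, privs, obj, grantees):
        privs = ALL_TABLE_PRIVS if privs == "ALL" else privs
        for grantee in grantees:
            for priv in privs:
                self.privs[(grantee.lower(), obj.lower())].pop(priv, None)

    def can(self, user, priv, obj, column=None):
        # Effective privileges are the user's own plus those granted to PUBLIC.
        for holder in (user.lower(), "public"):
            entry = self.privs[(holder, obj.lower())].get(priv)
            if entry is None:
                continue
            # A column-level grant covers only the named columns, never the whole table.
            if entry["columns"] is None or (column and column.lower() in entry["columns"]):
                return True
        return False

    def can_grant(self, user, priv, obj):
        # Only a privilege received WITH GRANT OPTION can be passed on (CONTROL not modelled).
        entry = self.privs[(user.lower(), obj.lower())].get(priv)
        return bool(entry and entry["grantable"])


def slide_example():
    """Replay the slide's GRANT/REVOKE statements and return the resulting store."""
    s = PrivilegeStore()
    s.grant(["SELECT"], "inventory", ["john_doe"], with_grant=True)
    s.grant(["SELECT", "INSERT", "UPDATE", "DELETE"], "deptview", ["user1", "user2"])
    s.grant(["REFERENCES"], "employee", ["user1", "group1"], columns=["empid"])
    s.grant("ALL", "payroll.employee", ["PUBLIC"])
    s.grant(["UPDATE"], "emp_info", ["PUBLIC"], columns=["address", "home_phone"])
    s.grant(["SELECT"], "department", ["user1", "PUBLIC"])  # constructed earlier grant
    s.revoke("ALL", "department", ["user1", "PUBLIC"])
    return s
```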

  • Label-Based Access Control (LBAC)

    Provides the DBA with the ability to restrict read/write privileges at the row or column level of a table.

    LBAC is set up by the security administrator by creating security policies. Each table may be subscribed to only one security policy, but the system may have as many security policies as you'd like.

    To set up LBAC security to enforce business rules:

    - Define the security policies and labels, and grant the security labels to the users

    - Modify the table, including adding the security label column and attaching the security policy to it

  • LBAC query

    SELECT * FROM EMP WHERE SALARY >= 50000

    (Figure: the same EMP rows shown in two panels, "No LBAC" and "LBAC", with user level = 100.)

    EMP rows (ID, SALARY):

    255 60000

    100 50000

    50 70000

    50 45000

    60 30000

    250 56000

    102 82000

    100 54000

    75 33000

    253 46000

    90 83000

    200 78000

    105 45000

    With no LBAC user level imposed, users can view all rows that meet the SALARY >= 50000 qualifier (shown in red on the slide).

    With LBAC, users with user level 100 can view the rows with ID = 50000 (indicated in green on the slide).

  • Example implementation of LBAC

    Steps overview:

    1. Define the security policies and labels

       a. Define the security label component

       b. Define the security policy

       c. Define the security labels

    2. Create the protected SALES table by including a column that holds the security label and attaching the security policy to the table.

    3. Grant the appropriate security labels to users.

    SECADM authority is required to execute the commands that create security policies and labels.

  • Step 1. Create the security label component

    CREATE SECURITY LABEL COMPONENT J_DEPT TREE (
      'HR_EXECUTIVE' ROOT,                  -- the single root of the tree
      'MAN_D11_E21' UNDER 'HR_EXECUTIVE',   -- an intermediate node for the D11/E21 manager
      'A00' UNDER 'HR_EXECUTIVE',
      'B01' UNDER 'HR_EXECUTIVE',
      'C01' UNDER 'HR_EXECUTIVE',
      'D11' UNDER 'MAN_D11_E21',
      'D21' UNDER 'HR_EXECUTIVE',
      'E01' UNDER 'HR_EXECUTIVE',
      'E11' UNDER 'HR_EXECUTIVE',
      'E21' UNDER 'MAN_D11_E21'
    )


  • Step 4. Grant rights based on labels

    db2 grant security label J_DEPT_POLICY.A00 to user Frank for read access

    db2 grant security label J_DEPT_POLICY.MANAGE_D11_E21 to user Joe for all access

    db2 grant security label J_DEPT_POLICY.EXECUTIVE to user Jane for all access

  • Step 5. Modify the EMP table

    When modifying the EMP table, you must create an extra column to store the security label. This column is of type DB2SECURITYLABEL.

    ALTER TABLE EMP
      ADD COLUMN DEPT_TAG DB2SECURITYLABEL
      ADD SECURITY POLICY J_DEPT_POLICY

    After the ALTER is run by a user holding the EXECUTIVE label, all the security tags will have been added as EXECUTIVE. To change this, you need to update the rows, for example:

    update emp set DEPT_TAG = (SECLABEL_BY_NAME('J_DEPT_POLICY','E11'))
      where WORKDEPT='E11'
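    The read and write rule that the J_DEPT tree and the Step 4 grants produce, as a Python model added here (not from the slides or from DB2): it applies the DB2LBACRULES tree rule, under which a user's element must equal the row's element or be one of its ancestors. Assumed: the EXECUTIVE label maps to the element HR_EXECUTIVE and MANAGE_D11_E21 to MAN_D11_E21, and the EMP rows are constructed sample data tagged by WORKDEPT as in Step 5.

```python
# Tree from Step 1: child element -> parent element (the ROOT has no parent).
J_DEPT_TREE = {
    "MAN_D11_E21": "HR_EXECUTIVE", "A00": "HR_EXECUTIVE", "B01": "HR_EXECUTIVE",
    "C01": "HR_EXECUTIVE", "D11": "MAN_D11_E21", "D21": "HR_EXECUTIVE",
    "E01": "HR_EXECUTIVE", "E11": "HR_EXECUTIVE", "E21": "MAN_D11_E21",
}

# Step 4 grants: user -> (tree element the label names, access granted).
# Label-to-element mapping is an assumption, see lead-in.
USER_LABELS = {
    "Frank": ("A00", "read"),         # FOR READ ACCESS
    "Joe": ("MAN_D11_E21", "all"),    # FOR ALL ACCESS
    "Jane": ("HR_EXECUTIVE", "all"),  # FOR ALL ACCESS
}

# Constructed EMP rows (EMPNO, DEPT_TAG element, SALARY) after the Step 5 update
# retagged every row with the element matching its WORKDEPT.
EMP = [
    ("000010", "A00", 52750), ("000060", "D11", 72250), ("000100", "E21", 46500),
    ("000090", "E11", 39500), ("000020", "B01", 41250),
]


def ancestors_or_self(element):
    """The element itself followed by each parent up to the root."""
    chain = [element]
    while element in J_DEPT_TREE:
        element = J_DEPT_TREE[element]
        chain.append(element)
    return chain


def tree_allows(user_element, row_element):
    """DB2LBACREADTREE / DB2LBACWRITETREE for a TREE component: the user's
    element must be the row's element or one of its ancestors."""
    return user_element in ancestors_or_self(row_element)


def can_read(user, row_tag):
    if user not in USER_LABELS:
        return False  # no label held: every protected row is hidden
    element, _access = USER_LABELS[user]
    return tree_allows(element, row_tag)


def can_write(user, row_tag):
    if user not in USER_LABELS:
        return False
    element, access = USER_LABELS[user]
    # A label granted FOR READ ACCESS only gives no write label at all.
    return access == "all" and tree_allows(element, row_tag)


def select_emp(user, min_salary=0):
    """SELECT EMPNO FROM EMP WHERE SALARY >= min_salary as seen by `user`:
    rows the user's label does not permit are filtered before the predicate."""
    return [empno for empno, tag, sal in EMP if can_read(user, tag) and sal >= min_salary]
```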


  • 1) Which of the following is NOT a valid method of authentication that can be used by DB2 9?

    A. SERVER

    B. SERVER_ENCRYPT

    C. CLIENT

    D. DCS

  • 2) In a client-server environment, which two of the following can be used to verify passwords?

    A. System Catalog

    B. User ID/password file

    C. Client Operating System

    D. Communications layer

    E. Application Server

  • 3) A table named DEPARTMENT has the following columns:

    - DEPT_ID

    - DEPT_NAME

    - MANAGER

    - AVG_SALARY

    Which of the following is the best way to prevent most users from viewing AVG_SALARY data?

    A. Encrypt the table's data

    B. Create a view that does not contain the AVG_SALARY column

    C. Revoke SELECT access for the AVG_SALARY column from users who should not see AVG_SALARY data

    D. Store AVG_SALARY data in a separate table and grant SELECT privilege for that table to the appropriate users

  • 4) Assuming USER1 has no authorities or privileges, which of the following will allow USER1 to create a view named VIEW1 that references two tables named TAB1 and TAB2?

    A. CREATEIN privilege on the database

    B. REFERENCES privilege on TAB1 and TAB2

    C. CREATE_TAB privilege on the database

    D. SELECT privilege on TAB1 and TAB2

  • 5) On which two of the following database objects may the SELECT privilege be controlled?

    A. Sequence

    B. Nickname

    C. Schema

    D. View

    E. Index

  • 6) After the following SQL statement is executed:

    GRANT ALL PRIVILEGES ON TABLE employee TO USER user1

    Assuming user USER1 has no other authorities or privileges, which of the following actions is USER1 allowed to perform?

    A. Drop an index on the EMPLOYEE table

    B. Grant all privileges on the EMPLOYEE table to other users

    C. Alter the table definition

    D. Drop the EMPLOYEE table

  • 7) A user wishing to invoke an SQL stored procedure that queries a table must have which of the following privileges?

    A. CALL privilege on the procedure; SELECT privilege on the table

    B. CALL privilege on the procedure; REFERENCES privilege on the table

    C. EXECUTE privilege on the procedure; SELECT privilege on the table

    D. EXECUTE privilege on the procedure; REFERENCES privilege on the table

  • 8) User USER1 wants to utilize an alias to remove rows from a table. Assuming USER1 has no authorities or privileges, which of the following privileges are needed?

    A. DELETE privilege on the table

    B. DELETE privilege on the alias

    C. DELETE privilege on the alias; REFERENCES privilege on the table

    D. REFERENCES privilege on the alias; DELETE privilege on the table

  • 9) Which of the following statements allows user USER1 to take the ability to create packages in a database named SAMPLE away from user USER2?

    A. REVOKE CONNECT ON DATABASE FROM user2

    B. REVOKE CREATETAB ON DATABASE FROM user2

    C. REVOKE BIND ON DATABASE FROM user2

    D. REVOKE BINDADD ON DATABASE FROM user2

  • 10) Which of the following will allow user USER1 to change the comment associated with a table named TABLE1?

    A. GRANT UPDATE ON TABLE table1 TO user1

    B. GRANT CONTROL ON TABLE table1 TO user1

    C. GRANT ALTER ON TABLE table1 TO user1

    D. GRANT REFERENCES ON TABLE table1 TO user1


  • Thank You

    Thank You (English), Merci (French), Danke (German), Grazie (Italian), Gracias (Spanish), Obrigado (Portuguese), and also in Japanese, Hebrew, Russian, Arabic, Simplified Chinese, Traditional Chinese, Tamil, Thai and Korean.
