Top 10 DB2 Support Nightmares #10
Welcome to the final instalment in our Top 10 DB2 Support Nightmares series.

  1. Top 10 DB2 Support Nightmares & How to Avoid Them #10
  2. Part 10 – Beware of over-federating. The situation: [Image of a junior DBA] During a DB2-LDAP configuration at a client site we stumbled upon a bizarre security exposure…
  3. Using any DB2 client tool, it was possible to connect to the database as any user without having to get the password right! Once connected to the database, you only had access to the tables that the user had access to. However, this meant that if anyone got the right username for the DB2 instance owner, they could select/add/delete any data they liked!
  4. [Image of a junior DBA] In short, they had SYSADM authority, which could potentially lead to a major security exposure. SECURITY BREACH!
  5. How did it happen? In a desperate attempt to get federated technology to work, in addition to enabling the FEDERATED database manager parameter, the FED_NOAUTH (bypass federated authentication) parameter had also been enabled (set to YES). This was the problem. When FED_NOAUTH is set to YES, FEDERATED is set to YES and authentication is set to SERVER or SERVER_ENCRYPT, authentication at the instance is bypassed: it is assumed that authentication will happen at the data source.
  6. The moral of the story: You do NOT need FED_NOAUTH enabled to implement federation in DB2!
  7. If in doubt, call the experts!
  8. www.triton.co.uk
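The three-way condition on slide 5 (FED_NOAUTH=YES, FEDERATED=YES, AUTHENTICATION of SERVER or SERVER_ENCRYPT) is easy to check for mechanically. The script below is an added example, not part of the Triton slides: it takes a database manager configuration listing in the layout printed by `db2 get dbm cfg`, pulls out those three parameters, and reports whether instance-level authentication is being bypassed. The two listings embedded in it are constructed samples so the script runs offline; on a real instance you would capture `db2 get dbm cfg` into a file or variable and pass that instead. The remediation it prints is the setting the slides recommend (FED_NOAUTH back to NO).

```shell
#!/bin/sh
# Added example (not from the slides): detect the FED_NOAUTH exposure in a
# DB2 database manager configuration listing.

# CONSTRUCTED sample in the "Description (PARAM) = VALUE" layout that
# `db2 get dbm cfg` prints. This one reproduces the misconfiguration from slide 5.
SAMPLE_DBM_CFG='
 Database manager authentication        (AUTHENTICATION) = SERVER
 Federated Database System Support           (FEDERATED) = YES
 Bypass federated authentication            (FED_NOAUTH) = YES
'

# CONSTRUCTED sample after the fix: federation stays on, bypass is off.
HARDENED_DBM_CFG='
 Database manager authentication        (AUTHENTICATION) = SERVER
 Federated Database System Support           (FEDERATED) = YES
 Bypass federated authentication            (FED_NOAUTH) = NO
'

# Print the value of one parameter from a listing read on stdin.
# Matching on the literal "(PARAM) =" token keeps FEDERATED and FED_NOAUTH apart.
dbm_cfg_value() {
    param="$1"
    sed -n "s/.*(${param}) *= *\([^ ]*\).*/\1/p" | head -n 1
}

# Exit status 0 when all three conditions from slide 5 hold, 1 otherwise.
# $1 is the full listing as a string.
fed_noauth_exposed() {
    cfg="$1"
    fed_noauth=$(printf '%s\n' "$cfg" | dbm_cfg_value FED_NOAUTH)
    federated=$(printf '%s\n' "$cfg" | dbm_cfg_value FEDERATED)
    auth=$(printf '%s\n' "$cfg" | dbm_cfg_value AUTHENTICATION)
    [ "$fed_noauth" = "YES" ] || return 1
    [ "$federated" = "YES" ] || return 1
    case "$auth" in
        SERVER|SERVER_ENCRYPT) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict plus the remediation command from the slides' moral.
check_listing() {
    if fed_noauth_exposed "$1"; then
        echo "EXPOSED: FED_NOAUTH=YES with FEDERATED=YES and SERVER authentication;"
        echo "         fix with: db2 update dbm cfg using FED_NOAUTH NO"
    else
        echo "OK: instance-level authentication is enforced"
    fi
}

check_listing "$SAMPLE_DBM_CFG"
check_listing "$HARDENED_DBM_CFG"
```

The check is deliberately conservative: it only reports an exposure when all three parameters line up exactly as the slides describe, so a federated instance with FED_NOAUTH=NO, or one using a different authentication type, is reported as OK.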
