I am working on a security analysis for a DB2 setup which uses federated nicknames.

When setting up federated nicknames on DB2, a wrapper and user mappings must be created. For both, a username and a password must be stored in DB2.

CREATE SERVER V9SAMPLE TYPE DB2/UDB VERSION 9.1 WRAPPER DRDA 
  AUTHID "USERNAME" PASSWORD "PASSWORD" OPTIONS ( DBNAME 'SAMPLE' );
CREATE USER MAPPING FOR USER SERVER V9SAMPLE OPTIONS 
( REMOTE_AUTHID 'USERNAME' REMOTE_PASSWORD 'PASSWORD' );

Can anybody tell me how DB2 stores these credentials internally and whether there is any way to read AUTHID and PASSWORD from the database? I would expect that they must be stored in plaintext as they must be sent to another server as login credentials. But that could open attack vectors, as Mallory could recover the credentials.

Are there any security measures that must be applied to protect the passwords saved for use with wrappers and user mappings?

mustaccio
SHA2048

2 Answers

From this manual page https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.data.fluidquery.doc/topics/cfpint11.html:

By default, the federated server stores user mapping in the SYSCAT.USEROPTIONS view in the global catalog and encrypts the remote passwords.

SYSCAT.USEROPTIONS is a view and shows passwords as "********". Look at the underlying table to see the encrypted value, e.g.:

db2 "select SUBSTR(SETTING,1,20) from SYSIBM.SYSUSEROPTIONS WHERE OPTION = 'REMOTE_PASSWORD'" 

1                   
--------------------
A����-�;YAS����       

The page above also says

As an alternative, you can use an external repository, for example a file or an LDAP server, to store user mappings. To provide the interface between the federated server and the external repository, you create a user mapping plug-in.

and see the section "Security for federation" to read more details about the options for securing federated systems https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.data.fluidquery.doc/topics/iiyvfed_security_fed_sys_l1.html

Paul Vernon

Db2-LUW wrapper-password and user-mapping passwords are stored encrypted (not in plain text). The cipher can be version specific. You cannot view a plaintext at-rest password in the database.

As regards the federated passwords on the network, this depends on the target environment. Db2 has different options for this, from password-only encryption, to password and data encryption, to TLS - all of this depends on the chosen configuration items. So the federated-passwords on the LAN do not need to be in plaintext unless the target environment is unable to handle encryption or the relevant wrapper does not implement the required encryption.

mao