DB2 Security Plugin

DB2_sys-auth installation guide

This document describes how to install the DB2 system authentication module for PAM/LAM database authentication.

This DB2 authentication module requires UDB version 8.2 or later, or UDB version 9.1 or later.

Installation example

In this example, DB2 has been installed on AIX 5.1 and the instance owner name is db2inst1. The DB2_sys-auth package has been downloaded into /tmp, and you want to install it so it authenticates using AIX's LAM (not PAM).

# cd /tmp
# gzip -d < DB2_AIX_51-52.tar.gz | tar fxv -
# cd DB2_sys-auth
# ./install.sh db2inst1 LAM

The install script copies the files and sets the setuid bit on the lamAuth64 helper application so that local user authentication can work. Omit the LAM argument for PAM installations. LAM is only available on the AIX platform.

Once installed, the next step is to configure the database instance to use the plugin:

# su - db2inst1
$ db2stop
$ db2 update dbm cfg using SRVCON_PW_PLUGIN sys-auth
$ db2 update dbm cfg using GROUP_PLUGIN sys-auth
$ db2 update dbm cfg using CLNT_PW_PLUGIN sys-auth
$ db2start
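
A post-install check for the two things this section changes, the three plugin parameters and the setuid lamAuth64 helper. It is an added example, not part of the DB2_sys-auth package. The helper's path and expected owner uid are passed as arguments because this guide does not state them (the default owner uid of 0 is an assumption), and the sample configuration lines are constructed.

```shell
#!/bin/sh
# Added example; not part of the DB2_sys-auth package.

# Reads `db2 get dbm cfg` output on stdin; fails unless all three plugin
# parameters set in this guide are exactly "sys-auth".
check_plugin_cfg() {
    awk -v want="sys-auth" '
        BEGIN { n = split("SRVCON_PW_PLUGIN GROUP_PLUGIN CLNT_PW_PLUGIN", names, " ")
                for (i = 1; i <= n; i++) seen[names[i]] = "<missing>" }
        # Lines look like: " Group Plugin        (GROUP_PLUGIN) = sys-auth"
        match($0, /\([A-Z0-9_]+\) *=/) {
            key = substr($0, RSTART + 1); sub(/\).*/, "", key)
            val = $0; sub(/^[^=]*= */, "", val); sub(/[ \t\r]+$/, "", val)
            if (key in seen) seen[key] = val
        }
        END { bad = 0
              for (i = 1; i <= n; i++) {
                  ok = (seen[names[i]] == want); if (!ok) bad = 1
                  printf "%s %s = %s\n", (ok ? "ok  " : "FAIL"), names[i], seen[names[i]]
              }
              exit bad }'
}

# check_setuid_helper PATH [UID]: the helper must be a regular file with the
# setuid bit, owned by UID (default 0, an assumption), and not writable by
# group or others. PATH is passed in; the guide does not state where it lands.
check_setuid_helper() {
    helper=$1 want_uid=${2:-0} rc=0
    [ -f "$helper" ] || { echo "FAIL $helper: not a regular file"; return 1; }
    set -- $(ls -ldn "$helper")          # $1 = mode string, $3 = numeric owner
    [ -u "$helper" ] || { echo "FAIL $helper: setuid bit not set"; rc=1; }
    [ "$3" = "$want_uid" ] || { echo "FAIL $helper: owner uid $3"; rc=1; }
    case $1 in
        ?????w*|????????w*) echo "FAIL $helper: group/other writable ($1)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample of the relevant `db2 get dbm cfg` lines.
sample_dbm_cfg() {
    cat <<'EOF'
 Client Userid-Password Plugin          (CLNT_PW_PLUGIN) = sys-auth
 Group Plugin                             (GROUP_PLUGIN) = sys-auth
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) =
EOF
}
sample_dbm_cfg | check_plugin_cfg || echo "instance not fully configured"
```

On a live instance, run `db2 get dbm cfg | check_plugin_cfg` as the instance owner after db2start.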

If you are on AIX and configuring for PAM, be aware that AIX 5.1 and 5.2 do not come with /etc/pam.conf by default. You can install the sample aix.pam.conf that is included in this package.

If you are running a 64-bit DB2 instance, you cannot use PAM authentication because AIX's pam_aix module is 32-bit only.

Upgrade example

When upgrading, unpack the distribution and run the upgrade script.

# cd /tmp
# gzip -d < DB2_AIX_51-52.tar.gz | tar fxv -
# cd DB2_sys-auth
# ./upgrade.sh db2inst1 LAM

The LAM argument is optional and should match what was specified during installation.

Before uninstalling, you may need to run db2 terminate.

Compiling from source

If the provided binary packages are not suitable for your platform, you can compile the authentication plugin directly.

Prerequisites:

(Previously, the DB2 application development client package was required, but this is no longer necessary.)

Download and unpack the source package. Change into the unpacked directory, and build with these commands:

$ ./configure
$ make

Read the file named TESTING to ensure the module is working.

Finally, run the install.sh script as described previously.

Known issues

Limitations

To Do

These will be done as time allows. If needed for customers, much sooner.

Contacting us

Please use the web forums to ask questions about the authentication plugin, or contact Quest support for urgent issues.

References

— Seth Ellsworth