dbTalk Databases Forums  

DB2 client connection setup hesitation

comp.databases.ibm-db2


#11
Willem Fischer
Re: DB2 client connection setup hesitation - 11-13-2010, 07:17 AM

On Nov 11, 11:08 pm, Troels Arvin <tro... (AT) arvin (DOT) dk> wrote:
Quote:
Hello,

Setup:
Latest 64-bit Windows client on Windows Server 2008 connecting to a DB2
9.7 server (running on Linux) with latest fixpack. The database being
connected to is activated.

When using the client, connection setup takes more than 50 seconds.
Sniffing on the network with Wireshark reveals that no outgoing packets
are seen during the first 20 seconds. So, for some reason, the DB2 client
"hesitates" for a rather long while before even trying to connect.

I tried temporarily closing the DB2 server and set up netcat to listen on
port 50000 instead. I then ran netcat in client mode on the Windows-box.
Data were immediately transferred.

Name resolving doesn't /seem/ to be the culprit: The netcat client has no
trouble quickly initiating a connection. And even if I catalog the DB2
node with IP address instead of a DNS name, the problem prevails.

Why might the DB2 client be waiting? Can the client be set in some kind of
debug mode where it tells me what it's doing?

--
Troels

To add to this discussion, I combat similar problems with db2set
DB2_GRP_LOOKUP=local on the client. I heard that creating a local user
with the same id as your network user also helps.

#12
Mark A
Re: DB2 client connection setup hesitation - 11-13-2010, 07:22 AM

"Helmut Tessarek" <tessarek (AT) evermeet (DOT) cx> wrote

Quote:
Ok, if you are not worried about people sniffing within your network, you
won't need any encryption. I just want to point out that it is a matter of
about 90 seconds to find out your user/pwd. If I get access to the instance
user...

Do you mean if you get access to instance owner? If that happens, then you
can do anything you want anyway.

Quote:
Anyway, you are probably right. I'm usually not too concerned about security
within my own network as well, but depending on the system, I would probably
change my mind.
But just to make a stand, I am using either DATA_ENCRYPT or SSL, when I'm
connecting between WANs or over the Internet.

All of our sensitive data is encrypted by the application before it even
gets to the database. All connections to our databases occur only from app
servers inside our production firewall. Only instance owner and root can ssh
to the database servers.

Maybe I should be more concerned, but I am also concerned (paranoid) about
performance and high availability. Anyway, I am not claiming to be right (at
least this time) but a little nervous about changing anything.

I tried the new "restrictive" feature when creating a database, and that is
ridiculous since it does not even allow execute on system packages required
to run basic SQL commands. I also got burned (big time) when revoking all
public access to workload manager authority, since access is needed even if
one is not even licensed to use workload manager.

#13
asierra01
Re: DB2 client connection setup hesitation - 11-14-2010, 09:04 PM

If you still have this problem, let me know. It just happens I was
trying to play with db2 to allow database users.
I found this sample http://www.ibm.com/developerworks/da.../dm-0512chong/
so I downloaded it and compiled it for 64 bit windows. Created the
txtserver64.dll and it works, I can connect to a database and do my own
authentication.

DON'T DO THIS on a production db2!

So, what this has to do with your problem: you can compile this code
yourself (I can send you the VS2005 project+sln), activate this by

1-
Copy the generated txtserver64.dll to C:\Program Files\IBM\SQLLIB\security\plugin\IBM\server\txtserver64.dll

2-
db2 update dbm cfg using srvcon_auth server srvcon_pw_plugin txtserver

and LOG to C:\ProgramData\IBM\DB2\DB2COPY1\DB2\db2diag.log
(the code can even use DB2 log facilities)
EVERY TIME someone connects to a database and see what the time
diffs are; this 50 sec doesn't make any sense.

-->

(logMessage_Fn)(DB2SEC_LOG_WARNING,
"db2secGroupPluginInit successful",
strlen("db2secGroupPluginInit successful"));

-->

(logMessage_Fn)(DB2SEC_LOG_WARNING,
"someone is logging now",
strlen("someone is logging now"));

I was reading my db2diag.log and found this trace with time and
everything, 2010-11-14-21.33.18.493000-300
This can give you an idea of the 50 sec.

2010-11-14-21.33.18.493000-300 I1571584F366 LEVEL: Info
PID : 6716 TID : 5104 PROC : db2syscs.exe
INSTANCE: DB2 NODE : 000
EDUID : 5104 EDUNAME: db2sysc 0
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 32 bytes
db2secGroupPluginInit successful
----
----
At some point I will tweak this security plugin to allow, just like
postgres or mysql, connect as a database user (md5 encrypted
password) and not as an OS user. Create a database with a user table just
for that purpose and connect to it using the db2 cli interface, to
verify/authenticate database users.

---
---
I am impressed with db2, but I still need to put it under some test.
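
The timing idea in the post above, reading the delay off the timestamps that the plugin's log calls leave in db2diag.log, as an added example that is not part of the original post: a Python parser that collects the plugin-logged records and reports the seconds between consecutive ones. The first sample record is abridged from the one quoted in the post; the second record and its values are constructed for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Record header, e.g. "2010-11-14-21.33.18.493000-300 I1571584F366 LEVEL: Info";
# the signed suffix on the timestamp is the UTC offset in minutes.
HEADER = re.compile(r"^(\d{4}-\d\d-\d\d-\d\d\.\d\d\.\d\d\.\d{6})([+-]\d{3})\s")

# First record: abridged from the post. Second record: constructed for this
# example so that there is a gap to measure.
SAMPLE_LOG = """\
2010-11-14-21.33.18.493000-300 I1571584F366 LEVEL: Info
PID : 6716 TID : 5104 PROC : db2syscs.exe
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 32 bytes
db2secGroupPluginInit successful

2010-11-14-21.34.08.993000-300 I1571951F356 LEVEL: Info
FUNCTION: DB2 UDB, bsu security, sqlexLogPluginMessage, probe:20
DATA #1 : String with size, 22 bytes
someone is logging now
"""

def parse_ts(stamp, offset_minutes):
    tz = timezone(timedelta(minutes=int(offset_minutes)))
    return datetime.strptime(stamp, "%Y-%m-%d-%H.%M.%S.%f").replace(tzinfo=tz)

def plugin_messages(text):
    """Return [(timestamp, message)] for records logged through the plugin callback."""
    found, ts, from_plugin, expect_data = [], None, False, False
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            ts, from_plugin, expect_data = parse_ts(*header.groups()), False, False
        elif line.startswith("FUNCTION:"):
            from_plugin = "sqlexLogPluginMessage" in line
        elif line.startswith("DATA #1"):
            expect_data = from_plugin
        elif expect_data and line.strip():
            found.append((ts, line.strip()))
            expect_data = False
    return found

def gaps(messages):
    """Seconds between each plugin message and the one before it."""
    return [(cur[1], (cur[0] - prev[0]).total_seconds())
            for prev, cur in zip(messages, messages[1:])]

if __name__ == "__main__":
    print(gaps(plugin_messages(SAMPLE_LOG)))
```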

#14
Troels Arvin
Re: DB2 client connection setup hesitation - 01-19-2011, 08:23 AM

Hello,

On Nov 12, 2010, I wrote (in response to Mark A):
Quote:
Are you cataloguing databases with authentication server?

No: I had cataloged it without specifying authentication (as I usually
do on unix/linux clients).

Setting it explicitly to SERVER made the problem go away (there are some
old clients which also need to connect to the server, so I think I
cannot improve to SERVER_ENCRYPT). Connections are now instantaneous.
It seems I'm not the only one being hit by this. So to make things clear
for others who google themselves to this thread:

When you have cataloged the database, in DB2 Control Center, right-click
on it and choose "Change". Then, in the resulting "Change Database -
<dbname>" dialog box, adjust the value of the "Type" drop-down widget -
most likely from "Value in server's DBM configuration" to "SERVER
ENCRYPT".

See
http://troels.arvin.dk/misc/db2/chan...atalogization/
for screenshots.

--
Troels
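
The catalog setting discussed in this thread can be checked across a client's whole database directory rather than one dialog at a time. An added example, not part of the original post or of IBM's tooling: a Python script that reads text in the layout of `db2 list database directory` and reports remote entries that have no authentication type cataloged or that use plain SERVER. The sample listing, its aliases, the field labels and the absence of an "Authentication" line for unspecified entries are assumptions of this example.

```python
import re

# Constructed sample in the layout of `db2 list database directory` output. Assumed:
# these field labels, and no "Authentication" line when none was cataloged.
SAMPLE_DIRECTORY = """\
Database 1 entry:
 Database alias                       = SALES
 Directory entry type                 = Remote

Database 2 entry:
 Database alias                       = HR
 Directory entry type                 = Remote
 Authentication                       = SERVER

Database 3 entry:
 Database alias                       = AUDIT
 Directory entry type                 = Remote
 Authentication                       = SERVER_ENCRYPT

Database 4 entry:
 Database alias                       = LOCALDB
 Directory entry type                 = Indirect
"""

def parse_entries(text):
    """Split the listing into one {field: value} dict per catalog entry."""
    entries = []
    for block in re.split(r"^Database \d+ entry:[ \t]*$", text, flags=re.M)[1:]:
        pairs = (line.partition("=") for line in block.splitlines())
        entries.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return entries

def audit(text):
    """Map alias -> finding for remote entries that deserve a second look."""
    findings = {}
    for entry in parse_entries(text):
        if entry.get("Directory entry type") != "Remote":
            continue  # local (Indirect) entries do not cross the network
        auth = entry.get("Authentication", "").upper()
        if not auth:
            findings[entry["Database alias"]] = "authentication not cataloged"
        elif auth == "SERVER":
            findings[entry["Database alias"]] = "SERVER: password sent unencrypted"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_DIRECTORY))
```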
