We have recently enabled the SECPORT in all our Db2 subsystems. It is now possible for a distributed client to use the SECPORT (instead of TCPPORT) and establish a secure SSL/TLS connection to Db2.
Ideally, I would like to shut down the unsecure TCPPORT in the future. It would make some auditor or security people happy.
I would imagine that many Db2 shops in the world are beginning to have the requirement for all clients to exclusively use TLS/SSL and the SECPORT. This seems very likely to me. And therefore, IBM and Db2 should make it easier for us to make this transition!
Of course, I will do my best to give client config updates and instructions to all known client computers of Db2. This is my first step.
But some people will not receive instructions or not follow instructions.
I would like some assistance from Db2 in knowing who is using a secure or regular connection to Db2!
I have learned that some IFCIDs like 180 exist and give the Db2 port (thanks to Norbert Jenninger via the IDUG listserv). But this is an expensive trace to run and a hassle to effectively report on.
I think it is reasonable for the Db2 accounting trace to include some new field/indicator to indicate if the distributed/DRDA connection was secure or not.
Or give me some information in the accounting trace that will help me easily identify who is using a secure connection.
With this new accounting information, I should be able to automate a search of my client computers and how they connect. This will help me reach the end-users who do not update their client config and then go encourage them to update their computer.
Of course, after this new information is available in accounting trace … then I want the OMEGAMON XE for DB2 performance database (db2pmfacct_general) to be updated to accept this new information.
The benefit of this idea is that it will help me more quickly identify all clients who do not update their config. Otherwise, there is a risk, when I turn off TCPPORT, that some important client (who ignored me) breaks and we have a problem.
Who would benefit from this IDEA?
This will benefit all customers who are attempting to migrate all their DRDA client computers to use secure communication with Db2.
How should it work?
My requirement is to easily identify the distributed/DRDA clients and who is using a secure connection.
I imagine that updating the accounting trace is the best way to fulfill that requirement. But if you have another idea of how to achieve this goal, then go ahead.
I don't care what IFCIDs are involved. I just expect the info to show up in my accounting trace and later show up in my OMEGAMON performance db (db2pmfacct_general).
I imagine a new accounting trace field of "DRDA_PORT" to indicate the DRDA port number. Or a new "secure communication flag" of y/n. Or a "TLS_SSL_version" field with the TLS/SSL version number, either blank or 1.2.
I don't care about the name of the field.
You might have other ideas or options.
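To show how the proposed field would be consumed, here is an added example (not part of the original idea submission or any IBM tool) that reads accounting rows carrying the hypothetical DRDA_PORT field and lists the clients still arriving on the plain TCPPORT. The port numbers and accounting rows are constructed for the example.

```python
"""Classify DRDA client connections as secure (SECPORT) or not (TCPPORT),
using the hypothetical DRDA_PORT accounting field proposed in the idea.
All port numbers and records below are constructed sample values."""
from collections import defaultdict

# Assumed DDF port configuration of the subsystem (constructed values).
TCPPORT = 5000   # plain, unencrypted DRDA listener
SECPORT = 5001   # SSL/TLS DRDA listener

# Constructed accounting rows: (auth id, client IP address, DRDA_PORT).
RECORDS = [
    ("APPUSR1", "10.1.2.3", 5001),
    ("APPUSR1", "10.1.2.3", 5001),
    ("BATCH02", "10.1.9.9", 5000),
    ("REPORTS", "10.7.0.4", 5000),
    ("REPORTS", "10.7.0.4", 5001),   # same client, mixed: migration in progress
]


def classify_port(port):
    """Map the DRDA port of a connection to secure / insecure / unknown."""
    if port == SECPORT:
        return "secure"
    if port == TCPPORT:
        return "insecure"
    return "unknown"          # e.g. a port not in this subsystem's DDF config


def connection_summary(records):
    """Count secure/insecure/unknown connections per (auth id, client IP)."""
    summary = defaultdict(lambda: {"secure": 0, "insecure": 0, "unknown": 0})
    for authid, ip, port in records:
        summary[(authid, ip)][classify_port(port)] += 1
    return dict(summary)


def stragglers(records):
    """Clients with at least one TCPPORT connection: they still need a config update."""
    summary = connection_summary(records)
    return sorted(key for key, counts in summary.items() if counts["insecure"] > 0)


if __name__ == "__main__":
    for (authid, ip), counts in sorted(connection_summary(RECORDS).items()):
        print(f"{authid:10} {ip:15} {counts}")
    print("Need client config update:", stragglers(RECORDS))
```

A client that appears with both secure and insecure counts (REPORTS above) is mid-migration and should stay on the follow-up list until its insecure count reaches zero.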
Priority Justification
I rank this idea as Medium because it would help me QUICKLY identify and re-config all clients who use the unsecure communication with Db2. Otherwise, there will be stragglers and the switch to turn off TCPPORT has risk of breaking something important.
Client Name
Manulife Financial