Extended Db2 z/OS DRDA Security Aspects

Published on: 23 May 2024. Last updated: 23 May 2024. Categories: Db2 z/OS

Summary of "Extended DB2 DRDA Security Aspects"

The document "Extended DB2 DRDA Security Aspects" gives an in-depth overview of the security mechanisms and configuration settings needed to secure connections to and from DB2 for z/OS subsystems over DRDA (Distributed Relational Database Architecture). Although the document dates from 2013-2014, its description of the mechanisms and its guidance remain accurate and applicable.

Key Points:

  1. Authentication and User Credentials:
    • DB2 for z/OS subsystems that accept connection requests over TCP/IP authenticate the incoming user ID through SAF (the System Authorization Facility, normally backed by RACF). Unlike SNA, where trust can be granted per partner LU, TCP/IP has no per-partner "already verified" option: whether already-verified user IDs are accepted at all is a subsystem-wide setting (TCPALVER), so in practice every TCP/IP connection must present a user ID together with a password or a PassTicket, because an individual TCP/IP location cannot be trusted to have verified the user ID itself.
  2. Managing TCP/IP-Based Connections:
    • For TCP/IP connections the document recommends z/OS Communications Server IP Application Transparent Transport Layer Security (AT-TLS), which encrypts the DRDA session at the TCP layer without changes to DB2 or to the clients. In addition, the TCPALVER subsystem parameter should be set to SERVER_ENCRYPT, which rejects inbound connections that present a password in the clear: credentials must either be encrypted by the DRDA security mechanism or arrive on a port that AT-TLS protects. Note that TCPALVER governs only inbound requests; outbound connections from the same subsystem are controlled by SYSIBM.IPNAMES.
  3. Configuration of IPNAMES and USERNAMES Tables:
    • The SYSIBM.IPNAMES table controls outbound TCP/IP requests. Its SECURITY_OUT column selects how the authorization ID and password are sent to the partner: 'A' (already verified, user ID only), 'R' (RACF PassTicket), 'D' (user ID and security-sensitive data encrypted), 'E' (user ID and password encrypted) or 'P' (password sent as-is). 'A' and 'P' should be used only where the partner requires them and the link itself is protected, for instance by AT-TLS.
    • The SYSIBM.USERNAMES table performs outbound translation of authorization IDs and supplies the password where SECURITY_OUT requires one. Because USERNAMES is an ordinary catalog table, the document recommends populating the NEWAUTHID and PASSWORD columns through the DSNLEUSR stored procedure, which stores them encrypted, rather than through a plain INSERT, which would leave the password readable to anyone with SELECT authority on the catalog.
  4. Using PassTickets:
    • PassTickets remove the need to store passwords in the communications database at all. A PassTicket is a one-time, time-limited password substitute that RACF (through SAF) generates from a secret key defined for the target application and validates on the receiving side, so the user's real password never leaves the requesting system.
  5. Encrypted Passwords:
    • DB2 for z/OS can avoid sending a clear-text password either by substituting a RACF PassTicket or by using DRDA's built-in encryption of user IDs and passwords (and, with SECURITY_OUT 'D', of security-sensitive data). Where DRDA encryption is used, the AES-based mechanism should be chosen over the older DES-based one, and any sensitive data in transit should additionally be protected by AT-TLS.
  6. Handling Errors and Troubleshooting:
    • The document walks through common PassTicket-related failures, such as reason codes 00D31059 and 00F30085, and gives troubleshooting steps for resolving them.
  7. Surrogate User Job Submission:
    • For protected user IDs, which have no password and therefore cannot authenticate with a PassTicket either, the alternative is surrogate user job submission: RACF's SURROGAT class lets one user submit batch jobs that run under another user ID without knowing or supplying that ID's password.
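
As an added example (not from the IBM document or the original post), the following SQL shows the outbound definitions that items 3 and 4 above describe for two hypothetical remote DB2 for z/OS subsystems: DB2PROD, reached with a RACF PassTicket (SECURITY_OUT = 'R'), and DB2TEST, reached with an encrypted user ID and password (SECURITY_OUT = 'E') stored through DSNLEUSR. All location names, link names, IP addresses (documentation range 192.0.2.0/24), ports, user IDs and the password are made up for illustration. Two points are assumptions to check against your DB2 release: the DSNLEUSR parameter order (Type, AuthID, LinkName, NewAuthID, Password, ReturnCode, MsgArea) and that the LINKNAME doubles as the RACF PassTicket application name for 'R'.

```sql
-- Added example, not from the IBM document. Names, addresses, ports,
-- user IDs and the password are assumptions for illustration only.

-- 1. Map each remote location to a link. Port 448 is assumed to be an
--    AT-TLS secure port on both partners (SECURE = 'Y'), so the DRDA
--    session is protected at the TCP layer whatever SECURITY_OUT says.
INSERT INTO SYSIBM.LOCATIONS (LOCATION, LINKNAME, PORT, SECURE)
  VALUES ('DB2PROD', 'DB2PROD', '448', 'Y');
INSERT INTO SYSIBM.LOCATIONS (LOCATION, LINKNAME, PORT, SECURE)
  VALUES ('DB2TEST', 'DB2TEST', '448', 'Y');

-- 2. Outbound TCP/IP links. SECURITY_OUT chooses the credential method:
--      'A' already verified (user ID only; the partner must trust us)
--      'R' RACF PassTicket generated by SAF at connect time
--      'D' user ID and security-sensitive data encrypted by DRDA
--      'E' user ID and password encrypted by DRDA
--      'P' password sent as-is (only acceptable on a secure port)
--    USERNAMES = 'O' enables outbound translation via SYSIBM.USERNAMES.
--    Assumption: with 'R', LINKNAME is also the PassTicket application
--    name, so a PTKTDATA profile of that name must exist in RACF.
INSERT INTO SYSIBM.IPNAMES (LINKNAME, SECURITY_OUT, USERNAMES, IPADDR)
  VALUES ('DB2PROD', 'R', 'O', '192.0.2.10');
INSERT INTO SYSIBM.IPNAMES (LINKNAME, SECURITY_OUT, USERNAMES, IPADDR)
  VALUES ('DB2TEST', 'E', 'O', '192.0.2.20');

-- 3a. PassTicket link: translate local APPUSER1 to PRODUSR1. No password
--     is stored; RACF generates a fresh PassTicket for PRODUSR1 on each
--     connect, so a plain INSERT writes no secret into the catalog.
INSERT INTO SYSIBM.USERNAMES (TYPE, AUTHID, LINKNAME, NEWAUTHID, PASSWORD)
  VALUES ('O', 'APPUSER1', 'DB2PROD', 'PRODUSR1', '');

-- 3b. Password link: never INSERT the password in clear text. DSNLEUSR
--     encrypts NEWAUTHID and PASSWORD before writing the row. ReturnCode
--     and MsgArea are output parameters; :rc and :msg are host variables
--     of the calling program (SPUFI cannot receive output parameters).
CALL SYSPROC.DSNLEUSR('O', 'APPUSER2', 'DB2TEST', 'TESTUSR2',
                      'Ex4mple!Pw', :rc, :msg);

-- 4. Review check: every outbound link that sends the user ID without a
--    password ('A') or with a clear-text password ('P') over a port not
--    marked secure is a finding. An empty result set is the goal.
SELECT L.LOCATION, L.PORT, L.SECURE, I.SECURITY_OUT, I.IPADDR,
       U.AUTHID, U.NEWAUTHID
  FROM SYSIBM.LOCATIONS L
  JOIN SYSIBM.IPNAMES   I ON I.LINKNAME = L.LINKNAME
  LEFT JOIN SYSIBM.USERNAMES U
         ON U.LINKNAME = I.LINKNAME AND U.TYPE = 'O'
 WHERE I.SECURITY_OUT IN ('A', 'P')
   AND L.SECURE <> 'Y';
```

The contrast between 3a and 3b is the point of the document's recommendation: with 'R' there is simply no password to protect, while with 'E' or 'P' the password has to live in the catalog and DSNLEUSR is what keeps it from being readable there. The review query in step 4 is the kind of check to run after any change to the communications database, since a single 'P' row on a non-secure port undoes the protection that AT-TLS and SERVER_ENCRYPT provide elsewhere.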

Useful IBM Documentation Links:

For further detailed and up-to-date information, you can refer to the following IBM documentation:

These resources will provide additional context and detailed steps to implement and manage DB2 for z/OS security effectively.