 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
| HomeDiscussion Groups Database Servers DB2InformixIngresMS SQLOraclePervasive.SQLPostgreSQLProgressSybaseDesktop Databases FileMakerFoxProMS AccessParadoxGeneral General DB TopicsDatabase TheoryRelated Topics Java Development.NET DevelopmentVB DevelopmentMore Topics ... |
Database Forum / DB2 Topics / April 2008Authorization from batch jobs on foreign hosts
Hello, Environment: Server side: DB2 v. 8.2 on AIX 5.3. Client side: AIX 5.3 LPARs, on a different physical server. I have some SAS batch jobs which need to connect to a DB2 server. The batch jobs and the database server are on different physical servers, due to licensing issues. How do I authorize the batch job users in a safe way? One way is to specify the password in the SAS code, but that is very difficult to manage, as several different people are collaborating about the code. In the SAS code, the database password may be specified as a SAS macro which grabs the password from an external file; however, the SAS logs may display such macro values in some cases. In other words, it's not very robust to have database passwords in plain text, neither in the code, nor in separate files. I've read about DB2's CLIENT authorization setting. But: How hard can it be to spoof? And it looks like this is an all-or-nothing setting: Either the DB2 server trusts all clients, or it doesn't. I.e., there doesn't seem to be a way to make DB2 trust selected hosts only (and require normal password access for other hosts)(?). I'm currently considering kerberos authorization: The batch jobs would initially use a command like Linux's "kinit" to initialize an authorization environment, probably based on passwords in plain text files separate from any SAS code. Afterwards, the batch job would call the relevant SAS scripts. However, setting up Kerberos seems very difficult with DB2 (has anyone actually done it?), and I fear that SAS' DB2 driver is able to make use of Kerberos(?). Does anyone have suggestions on how to solve this?  SignatureRegards, Troels Arvin <troels@arvin.dk> http://troels.arvin.dk/ > Hello, > [quoted text clipped - 34 lines] > Regards, > Troels Arvin <tro...@arvin.dk>http://troels.arvin.dk/ Hi Troels. Don't know if it is an option for you (and I know nothing about SAS), but here is a trick a use every now and then 1) Generate ssh keys on sas machine, and put them in .ssh/ authorized_keys2 on db machine. Of course this means that anyone that can log on as that user on the sas machine, can ssh into the db machine. 2) execute db2 commands over ssh as in: echo "db2 list applications" | ssh -o LogLevel=QUIET ${TARGET_HOST} bash --login > > Hello, > > [quoted text clipped - 47 lines] > echo "db2 list applications" | ssh -o LogLevel=QUIET ${TARGET_HOST} > bash --login I did wonder if SSH's port forwarding could be utilized to allow an implicit (username and passwordless) DB2 connection to be made on another machine, but failed when testing the idea (problem being that the connection is still considered "remote" by DB2 because it's a TCP connection, albeit to localhost, rather than a local IPC connection). That said, if there's a way to configure DB2 to treat connections via localhost as "local" (and perform auth by some method like querying identd on localhost) then I'd be interested. Cheers, Dave. On Apr 2, 9:58 pm, "Dave Hughes" [...] > > 1) Generate ssh keys on sas machine, and put them in .ssh/ > > authorized_keys2 on db machine. Of course this means that anyone that [quoted text clipped - 19 lines] > > Dave. Dave, did you specify username in the ssh part? I don't know why but my .ssh/config is ignored, thus I cant rely on Host/User in there. Anyhow, here is an example. I echo the sql as user ltjn on machine lelles over to another machine (faramir) and execute as db2inst1 on a local database. Note, that it has to be a local database. It wont work if it is a cataloged db (even if it is localhost). In case it matters I'm using db2 V8.2 [ltjn@lelles ~]$ echo "db2 connect to prod0311; db2 select \* from sysibm.sysdummy1" | ssh -o LogLevel=QUIET db2inst1@FARAMIR bash -- login Database Connection Information Database server = DB2/LINUX 8.2.7 SQL authorization ID = DB2INST1 Local database alias = PROD0311 IBMREQD ------- Y 1 record(s) selected. /Lennart |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.