Tuesday, May 26, 2020

New performance and security feature in Db2: Authentication cache

New security feature in Db2
The recent release of Db2 11.5.3 (Db2 V11.5 Mod Pack 3) includes a small gem that impacts both performance and security: a cache for user ID and password-based authentication. The feature is great when your system uses LDAP / Active Directory for authentication, because Db2 can cache the lookup results instead of contacting the directory on every connect. By default, the feature is not active and you need to configure it. In this post, I am going to discuss how to enable and configure it.

Db2 authentication and group cache

The new authentication cache in Db2 is used for authentication during CONNECT requests, and only for those based on a password. The cache is available on every database member and its concept is simple but effective: when a new authentication request arrives during a CONNECT, the cache (when enabled) compares the provided credentials against its cached successful requests. If a match is found, the request is considered successful, the buffered data associated with that user ID is taken, and post-processing begins. The cache stores the external group associations for the user ID that were returned during the initial (successful) lookup.

Once the cache is enabled, it can have a significant positive performance impact and relieve stress on an LDAP or Active Directory server. The downside is that Db2 is unaware of password or group membership changes for as long as a cache entry is valid.

Enable and configure the cache

The authentication cache introduces two new configuration parameters:
  • authn_cache_users: It determines the cache size and can be configured online. It is 0 (zero) by default and hence the cache is disabled. Up to 10000 user entries can be cached.
  • authn_cache_duration: This value determines how many minutes a cache entry is considered valid and available for reuse. By default, it is set to 3 minutes and it can be increased up to 10000 minutes (not recommended).
The cache can be emptied using the FLUSH AUTHENTICATION CACHE statement (SECADM or DBADM authority needed). It could be used alongside user purge operations or when testing the effectiveness of the cache. The latter can be accomplished using the MON_GET_CONNECTION and MON_GET_DATABASE monitoring functions and their new fields related to the authentication cache.
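The following Db2 CLP script (run with `db2 -tvf`) walks through the steps above: enable the cache, keep the entry lifetime short so that revoked passwords and group changes are picked up quickly, check the configuration and monitoring data, and flush the cache on demand. It is an added example, not code from the post or from IBM; the database name SAMPLE and the values 500 and 5 are assumptions, and the two parameters are assumed to be database-level configuration parameters (the post does not say at which level they live). The post names the monitoring functions but not the new cache-related columns, so the monitoring query selects whole rows.

```sql
-- Added example (not from the post). Database name SAMPLE and the values
-- 500 / 5 are assumed; adjust them to your environment.

-- Connect as a user with SECADM or DBADM authority; it is required for
-- FLUSH AUTHENTICATION CACHE further down.
CONNECT TO SAMPLE;

-- 1) Enable the cache: any non-zero authn_cache_users switches it on.
--    The parameter is online-configurable, so no restart is needed.
--    (Assumed to be a database configuration parameter.)
UPDATE DATABASE CONFIGURATION FOR SAMPLE USING authn_cache_users 500;

-- 2) Keep entries short-lived. While an entry is valid, Db2 does not notice
--    a changed password or group membership for that user, so a value close
--    to the 3 minute default bounds that window; 5 minutes assumed here.
UPDATE DATABASE CONFIGURATION FOR SAMPLE USING authn_cache_duration 5;

-- 3) Verify the effective values via the SYSIBMADM.DBCFG view.
SELECT NAME, VALUE, DEFERRED_VALUE
  FROM SYSIBMADM.DBCFG
 WHERE LOWER(NAME) LIKE 'authn_cache%';

-- 4) Inspect the new monitoring data. -2 means "all members"; the post does
--    not name the cache-related columns, so whole rows are selected here
--    and the authentication cache counters are read off the result.
SELECT * FROM TABLE(MON_GET_DATABASE(-2)) AS DBMON;

-- Per-connection view of the same information (NULL = current member).
SELECT * FROM TABLE(MON_GET_CONNECTION(NULL, NULL)) AS CONNMON;

-- 5) Drop all cached entries, e.g. right after disabling or purging a user in
--    LDAP / Active Directory, so the stale entry cannot be reused.
FLUSH AUTHENTICATION CACHE;

CONNECT RESET;
```

Setting authn_cache_users back to 0 disables the cache again; the flush is the tool for the case where a single revocation must take effect before the entries expire on their own.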

Summary

The new authentication cache in Db2 11.5.3 allows you to relieve stress on backend user management systems. It can be easily enabled by changing the number of cached users, and you can monitor its effectiveness through new monitoring information.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.