New security feature in Db2
Db2 authentication and group cache
The new authentication cache in Db2 is used for authentication during CONNECT requests, and only for those based on a password. The cache is available on every database member and its concept is simple but effective: when a new authentication request arrives during a CONNECT, the cache, if enabled, compares the provided data against its cached successful requests. If a match is found, the request is considered successful, the buffered data associated with that user ID is taken, and post-processing begins. The cache stores the external group associations for the user ID that were returned during the initial (successful) lookup.
Once enabled, the cache can have a significant positive performance impact and relieve stress on an LDAP or Active Directory server. The downside is that Db2 is unaware of password or group membership changes as long as cache entries are valid.
Enable and configure the cache
The authentication cache introduces two new configuration parameters:
- authn_cache_users: Determines the cache size and can be configured online. It is 0 (zero) by default, which means the cache is disabled. Up to 10000 user entries can be cached.
- authn_cache_duration: Determines how many minutes a cache entry is considered valid and available for reuse. By default it is set to 3 minutes, and it can be increased up to 10000 minutes (not recommended).
The cache can be emptied using the FLUSH AUTHENTICATION CACHE statement (SECADM or DBADM authority is needed). It can be used alongside user purge operations or when testing the effectiveness of the cache. The latter can be measured with the MON_GET_CONNECTION and MON_GET_DATABASE monitoring functions and their new fields related to the authentication cache.
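To make the staleness window concrete, here is an added illustrative model of the cache semantics described above (my own example, not Db2 code): a capacity of authn_cache_users entries, a validity of authn_cache_duration minutes, cached group associations, and a flush equivalent. The `backend` callable and the `directory` dict are constructed stand-ins for the LDAP/AD lookup; the scenario shows that a rotated password and a changed group membership are not seen until the entry expires or the cache is flushed.

```python
import hashlib
import hmac
import secrets

class AuthnCache:
    """Model of the Db2 password-authentication cache (illustrative, not Db2 code).
    authn_cache_users = capacity (0 disables), authn_cache_duration = minutes an entry is valid."""

    def __init__(self, authn_cache_users=0, authn_cache_duration=3):
        self.max_users = authn_cache_users
        self.ttl = authn_cache_duration * 60          # parameter is in minutes
        self.salt = secrets.token_bytes(16)           # cache a salted digest, never the password
        self.entries = {}                             # user -> (digest, groups, expires_at)
        self.hits = self.misses = 0

    def _digest(self, user, password):
        return hashlib.sha256(self.salt + user.encode() + b"\0" + password.encode()).digest()

    def connect(self, user, password, now, backend):
        """Return the user's groups on success, None on failure; `backend(user, password)` stands in for LDAP/AD."""
        entry = self.entries.get(user)
        if entry and now < entry[2] and hmac.compare_digest(entry[0], self._digest(user, password)):
            self.hits += 1
            return entry[1]                           # served from cache, directory not consulted
        self.misses += 1
        groups = backend(user, password)
        if groups is not None and self.max_users > 0 and (user in self.entries or len(self.entries) < self.max_users):
            self.entries[user] = (self._digest(user, password), list(groups), now + self.ttl)
        return groups

    def flush(self):
        self.entries.clear()                          # equivalent of FLUSH AUTHENTICATION CACHE

def staleness_demo():
    directory = {"alice": ("old-secret", ["db2users"])}   # constructed stand-in for the LDAP/AD directory
    def backend(user, password):
        rec = directory.get(user)
        return rec[1] if rec and rec[0] == password else None
    cache = AuthnCache(authn_cache_users=100, authn_cache_duration=3)
    out = {"first": cache.connect("alice", "old-secret", 0, backend)}        # miss: directory consulted
    directory["alice"] = ("new-secret", ["db2users", "dbadm"])              # password rotated, group added
    out["stale"] = cache.connect("alice", "old-secret", 60, backend)        # hit: old password still accepted
    out["expired"] = cache.connect("alice", "old-secret", 181, backend)     # 3 minutes passed: rejected
    out["fresh"] = cache.connect("alice", "new-secret", 182, backend)       # miss: new groups now cached
    cache.flush()                                                           # FLUSH AUTHENTICATION CACHE
    out["after_flush"] = cache.connect("alice", "new-secret", 183, backend) # miss again after the flush
    out["hits"], out["misses"] = cache.hits, cache.misses
    return out
```

The hit and miss counters play the role of the monitoring fields: a high hit ratio means the directory is being relieved, and the `stale` result is the window a short authn_cache_duration keeps small.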
Summary
The new authentication cache in Db2 11.5.3 allows you to relieve stress on backend user management systems. It can easily be enabled by changing the number of cached users, and you can monitor its effectiveness through the new monitoring information.
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.