IBM i DB2 allows a connection with no user ID or password - How to change this


Issue

When making a DB2 connection using the db2_connect() or db2_pconnect() function, if the username and password arguments are left empty, the connection will succeed anyway.  Starting with Zend Server 7.0.0, the new version of the ibm_db2 extension provides the ibm_db2.i5_blank_userid directive that can be used to disable this feature.

Environment

Zend Server for IBM i version 7 or later, running on any supported version of IBM i.

Resolution

Here is how to change the configuration to disallow connections without user and password.

Note: This directive is not available in the UI for version 7 of Zend Server.
If you have an older version of Zend Server that does not provide this directive for editing, please use the Alternative Method described below.

This procedure requires a restart of Apache, so please schedule this activity for a time when it is acceptable to have the web site down for a couple of minutes.

Please access the Zend Server User Interface and navigate to PHP -> Extensions.  Find ibm_db2 in the table that lists the extensions.  Click it once to expand its directives.  In the directives, find the ibm_db2.i5_blank_userid directive.  Its value appears as a switch that can be clicked to toggle it on or off.  Please click the switch to set it to off.  Then click the Save button just above the table, on the left.

After saving, you will receive a notification that the value is saved and a restart is required.  Click the restart icon (circular arrow) at the top right of the page to perform the restart.  Again, this will make your site unavailable for a short while, so please plan accordingly.

This simple script can be used to verify the setting:

<?php
// Library whose tables we list. It is a fixed constant here, not user input,
// so interpolating it into the SQL below is safe in this verification script.
$library = "QGPL";
// Empty database name = local database; empty user and password = the blank
// connection that ibm_db2.i5_blank_userid controls.
$i5 = db2_connect("", "", "", array("i5_lib"=>"qsys2"));
if (!$i5) die(db2_conn_errormsg());
$result = db2_exec($i5,
"select * from systables where table_schema = '$library'");
if (!$result) die(db2_stmt_errormsg());
while ($row = db2_fetch_both($result)) {
    echo $row['TABLE_NAME']."<br />";
}
db2_close($i5);
?>

If ibm_db2.i5_blank_userid=1, the script will display a list of tables from library QGPL. If ibm_db2.i5_blank_userid=0, the script will display this message:

SQLSTATE=08001 SQLCODE=-30082 Authorization failure on distributed database connection attempt. 
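The following script is an added example, not part of the original article, that turns the manual check above into an audit you can run on each server. It reads the effective ibm_db2.i5_blank_userid value with ini_get(), attempts the same blank-credential connection the verification script makes, and reports whether the setting is actually enforced. It also shows the pattern applications should use once blank connections are disabled: explicit credentials and a parameter marker for the library name. The function names blank_userid_audit() and list_tables_as_user() are this example's own; it assumes the ibm_db2 extension is loaded and that the script runs on the IBM i host (an empty database name connects to the local database, as in the article's script).

```php
<?php
// Added example (not from the original article): audit the ibm_db2.i5_blank_userid
// directive at runtime and confirm that a credential-less connection is refused.
// Assumes the ibm_db2 extension is loaded and the script runs on the IBM i host.

function blank_userid_audit(): array
{
    // ini_get() returns the effective value, whether it was set in the UI or in ibm_db2.ini.
    $directive = ini_get('ibm_db2.i5_blank_userid');

    // Attempt exactly the connection the article's verification script makes:
    // empty database (local), empty user, empty password. The warning is
    // suppressed so the result can be reported in a structured way below.
    $conn = @db2_connect('', '', '');
    $blankAllowed = ($conn !== false);
    $sqlstate = $blankAllowed ? null : db2_conn_error();    // e.g. 08001 when refused
    $message  = $blankAllowed ? null : db2_conn_errormsg(); // full text, as shown in the article
    if ($blankAllowed) {
        db2_close($conn);
    }

    return [
        'directive'     => $directive,    // "0" or "1" (ini_get() returns a string)
        'blank_allowed' => $blankAllowed,
        'sqlstate'      => $sqlstate,
        'message'       => $message,
        // Only count the server as hardened when the directive is off AND the
        // blank connection really failed; a stale Apache process could still
        // be running with the old value.
        'hardened'      => ($directive === '0' && !$blankAllowed),
    ];
}

function list_tables_as_user(string $user, string $password, string $library): array
{
    // Pattern for application code once blank connections are disabled:
    // always pass explicit credentials, and bind the schema name as a
    // parameter instead of interpolating it into the SQL string.
    $conn = db2_connect('', $user, $password, ['i5_lib' => 'qsys2']);
    if (!$conn) {
        throw new RuntimeException('connect failed: ' . db2_conn_errormsg());
    }
    $stmt = db2_prepare($conn, 'SELECT table_name FROM systables WHERE table_schema = ?');
    if (!$stmt) {
        throw new RuntimeException('prepare failed: ' . db2_stmt_errormsg());
    }
    if (!db2_execute($stmt, [$library])) {
        throw new RuntimeException('query failed: ' . db2_stmt_errormsg($stmt));
    }
    $tables = [];
    while ($row = db2_fetch_assoc($stmt)) {
        $tables[] = $row['TABLE_NAME'];
    }
    db2_close($conn);
    return $tables;
}

// Usage: run with php-cli on the IBM i host. Exit code 1 means the server still
// accepts blank-credential DB2 connections, which makes it easy to wire into a
// scheduled compliance check.
$audit = blank_userid_audit();
printf("ibm_db2.i5_blank_userid=%s; blank connection %s\n",
    $audit['directive'] === '' ? '(unset)' : $audit['directive'],
    $audit['blank_allowed'] ? 'ACCEPTED' : 'refused (' . $audit['sqlstate'] . ')');
if (!$audit['hardened']) {
    fwrite(STDERR, "WARNING: blank-credential DB2 connections are still possible on this server\n");
    exit(1);
}
```

Because the audit checks both the directive and the live behaviour, it catches the common case where ibm_db2.ini was edited but Apache was not restarted: ini_get() may already report 0 from the CLI while the running web server still accepts the blank connection, so run the audit through the web server (or after the restart) to confirm the change is in effect.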

Alternative method for older versions

If the ibm_db2.i5_blank_userid directive is not available for editing in the Zend Server User Interface, this procedure may be used to edit the configuration file.  This should only be done if you have an older version of the software that does not show the directive in the User Interface.  As always when making a direct change to any configuration file, BACK UP the file before changing it, and use a Linux-safe editor like Zend Studio to make the changes.

The file to change is:

/usr/local/zendsvr6/etc/conf.d/ibm_db2.ini 

In the file, find this:

ibm_db2.i5_blank_userid=1 

and change it to this:

ibm_db2.i5_blank_userid=0 

(Just change the '1' to '0'.)

Save the change. Restart PHP (Apache) for the change to take effect.

Details

Prior to Zend Server 7.0.0, this was the designed behavior of db2_connect(). If no user or password is entered, the connection runs as the Apache user QTMHHTTP. This could provide a performance boost by not using the QSQSRVR prestart job to process the DB2 queries. Security can be maintained by setting authorities for user QTMHHTTP on DB2 tables. Typically QTMHHTTP does not have access to anything not available to *PUBLIC, unless specifically granted. Access can be further restricted by explicitly excluding QTMHHTTP from any tables not appropriate for viewing via the web applications.

Starting with the Zend Server for IBM i 7.0.0 distribution, there is a new configuration directive for the ibm_db2 extension that controls whether db2_connect() will work with a blank user and password. By default, the ibm_db2.i5_blank_userid directive is set on to allow the connection. This maintains backward compatibility with older applications that may rely on this behavior.
