I'd like to get clear -- does USRSSBPWD require certificates on the
client and server?
Thanks,
David
Francois Orsini (JIRA) wrote:
Support for DRDA Strong User ID and Password Substitute Authentication
(USRSSBPWD) scheme
-----------------------------------------------------------------------------------------
Key: DERBY-528
URL: http://issues.apache.org/jira/browse/DERBY-528
Project: Derby
Type: New Feature
Components: Security
Versions: 10.1.1.0
Reporter: Francois Orsini
Assigned to: Francois Orsini
Fix For: 10.1.1.1
This JIRA will add support for (DRDA) Strong User ID and Password Substitute
Authentication (USRSSBPWD) scheme in the network client/server driver layers.
Current Derby DRDA network client driver supports encrypted userid/password
(EUSRIDPWD) via the use of DH key-agreement protocol - however current Open
Group DRDA specifications imposes small prime and base generator values (256
bits) that prevents other JCE's to be used as java cryptography providers -
typical minimum security requirements is usually of 1024 bits (512-bit absolute
minimum) when using DH key-agreement protocol to generate a session key.
Strong User ID and Password Substitute Authentication (USRSSBPWD) is part of
DRDA specifications as another alternative to provide ciphered passwords across
the wire.
Support of USRSSBPWD authentication scheme will enable additional JCE's to be
used when encrypted passwords are required across the wire.
USRSSBPWD authentication scheme will be specified by a Derby network client
user via the securityMechanism property on the connection UR - A new property
value such as ENCRYPTED_PASSWORD_SECURITY will be defined in order to support
this new (DRDA) authentication scheme.
begin:vcard
fn:David Van Couvering
n:Van Couvering;David
org:Sun Microsystems, Inc.;Database Technology Group
email;internet:[EMAIL PROTECTED]
title:Senior Staff Software Engineer
tel;work:510-550-6819
tel;cell:510-684-7281
x-mozilla-html:TRUE
version:2.1
end:vcard
