Enabling trusted context for DB2 databases
Enable trusted context in your applications to improve how the
application server interacts with DB2 database servers. Use trusted connections
to preserve the identity records of clients that are connecting to a DB2 database
through your applications; trusted connections can provide a more secure environment
by granting access based on the identity of those users.
Before you begin
Ensure that the following prerequisites are met before enabling trusted
connections:
- Application Server is running at Version 6.1.0.11 or later.
- The database server is running DB2 Version 9.5 or later for AIX, HP-UX,
Linux, Solaris, or Windows operating systems, or DB2 Version 9.1 or later for
z/OS. See the list of supported software for the application server
for more support information.
- You do not need to be connected to the database to configure trusted context
in the application server.
- Trusted context is enabled for the DB2 database.
- Global security is enabled. Read about Setting up and enabling security for
more information on configuring security.
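The following is an added example, not part of the original page, showing the DB2 side of the prerequisite that trusted context is enabled, written for DB2 for Linux, UNIX and Windows: it names the application server's connection ID, restricts it to the application server's address, grants the pooled connection only a minimal role, and lists the end-user identities (including the UNAUTHENTICATED default user) that the connection may be switched to. The context name, roles, user IDs, table names, and the address are placeholders, and the catalog column names in the final query are given from memory.

```sql
-- Added example (not from the original page). All names and the address are
-- placeholders; substitute your own. Assumes DB2 for Linux, UNIX and Windows.

-- Least privilege: the pooled connection itself (WASUSER, the ID behind the
-- authentication alias defined in the WebSphere data source) gets only a
-- connection role; each switched-to end user gets its own role.
CREATE ROLE WAS_CONNECT_ROLE;
CREATE ROLE CLERK_ROLE;
CREATE ROLE GUEST_ROLE;
GRANT SELECT, INSERT ON ORDERS TO ROLE CLERK_ROLE;
GRANT SELECT ON PRODUCTS TO ROLE GUEST_ROLE;

-- The trusted context is tied to the application server's system
-- authorization ID and its address, so the same ID and password used from
-- any other host does not get a trusted connection (and so cannot switch
-- identities without the end user's password).
-- WITH USE FOR lists the identities the application server may switch the
-- connection to without supplying their passwords; this is what the
-- "Use trusted connections (one-to-one mapping)" setting relies on.
-- The UNAUTHENTICATED default user the application server falls back to when
-- no client identity is available must exist here as well, with minimal
-- privileges.
CREATE TRUSTED CONTEXT WAS_CTX
  BASED UPON CONNECTION USING SYSTEM AUTHID WASUSER
  ATTRIBUTES (ADDRESS '192.0.2.10')
  DEFAULT ROLE WAS_CONNECT_ROLE
  ENABLE
  WITH USE FOR ALICE ROLE CLERK_ROLE WITHOUT AUTHENTICATION,
               BOB ROLE CLERK_ROLE WITHOUT AUTHENTICATION,
               UNAUTHENTICATED ROLE GUEST_ROLE WITHOUT AUTHENTICATION;

-- Check what is in place before setting the data source custom property.
-- Column names are assumed from the SYSCAT.CONTEXTS catalog view; confirm
-- against your DB2 release.
SELECT CONTEXTNAME, SYSTEMAUTHID, ENABLED FROM SYSCAT.CONTEXTS;
```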
About this task
With trusted connections you can:
- Access the DB2 database with the caller identity, obviating the need to
create a new connection for every user.
- Preserve the identity of the end-user when the application server is interacting
with the database.
- Strengthen database security by avoiding granting all of the privileges
to a single user.
- Improve performance, as compared to the existing model of using the resetConnection()
method to take advantage of identity propagation.
Supported configurations: Non-trusted connections cannot be used as trusted
connections. If the connection pool contains only non-trusted connections
and a request comes in for a trusted connection, a new connection request is
sent to the database rather than reusing one of the non-trusted connections.
Procedure
- Run the addTrustedConnection.jacl script or the addTrustedConnection.py
script in the profile_root/bin directory. Run this script one time only.
For example, from the profile_root/bin directory, run the following command
from a command prompt:
wsadmin -conntype NONE -f addTrustedConnection.jacl
A removeTrustedConnection.jacl script and a removeTrustedConnection.py
script are also available for removing the trusted context functionality.
- Add the propagateClientIdentityUsingTrustedContext custom property
for the DB2 data source.
- Click JDBC > Data sources
- Click the name of the data source that you want to configure.
- Click Custom properties from the Additional
Properties heading.
- Click New.
- Complete the required fields. Use the following information:
Table 1. Custom property panel
Name | Value
propagateClientIdentityUsingTrustedContext | true
- Enable trusted context for your applications.
- Enable trusted context when you are installing a new application.
- Perform a typical installation for the application until you reach Step
7: Map resource references to resources in the installation wizard.
- In Step 7: Map resource references to resources,
select Use trusted connections (one-to-one mapping) in
the Specify authentication method section.
- Select an authentication alias from the list that matches an alias that
is already defined in the DB2 data source. If you do not have an alias defined
that is suitable, continue with the installation, and enable trusted context
after the application is installed.
Supported configurations: You can specify a default user (UNAUTHENTICATED)
to be used if no client identity is available, but that default ID
(UNAUTHENTICATED) must also exist in the DB2 database. If the
com.ibm.mapping.unauthenticatedUser property is set to null or an empty
string, then the application server uses the default user (UNAUTHENTICATED).
Read about setting the com.ibm.mapping.unauthenticatedUser property.
- Select a data source from the table that has trusted context enabled.
- Click Apply.
- Edit the properties of the custom login configuration. Read Setting the security properties for trusted connections.
- Finish the installation wizard.
- Enable trusted context on an application that is already installed.
- Click Enterprise Applications > application_name.
- Click Resource references from the Resources heading.
- Select Use trusted connections (one-to-one mapping) in
the Specify authentication method section.
- Select an authentication alias from the list that matches an alias that
is already defined in the DB2 data source. If you do not have an alias defined
that is suitable, define a new alias.
- Click JDBC > Data sources > data_source_name.
- Click JAAS - J2C authentication data from the Related
Items heading.
- Click New.
- Define the properties for the alias in General properties.
- Click OK.
Supported configurations: You can specify a default user (UNAUTHENTICATED)
to be used if no client identity is available, but that default ID
(UNAUTHENTICATED) must also exist in the DB2 database. If the
com.ibm.mapping.unauthenticatedUser property is set to null or an empty
string, then the application server uses the default user (UNAUTHENTICATED).
Read about setting the com.ibm.mapping.unauthenticatedUser property.
- Select a data source from the table that has trusted context enabled.
- Click Apply.
- Edit the properties of the custom login configuration. Read Setting the security properties for trusted connections.
What to do next
Be aware of the following error conditions that can occur if trusted
context is not configured properly:
- The application server issues a warning if you use the TrustedConnectionMapping
login configuration and the database server does not support trusted context.
The application server then returns a normal, non-trusted connection.
If the database server is a DB2 database that does not support trusted
connections, the DB2 database server throws an exception.
- The application server will throw the following exception if you use the
TrustedConnectionMapping login configuration and ThreadIdentity is specified:
IDENTITY_PROPAGATION_CONFLICT2_ERROR=DSRA7028E: You cannot use the TrustedConnectionMapping login configuration when the ThreadIdentity property is enabled.
- The application server will throw the following exception if you use the
TrustedConnectionMapping login configuration and reauthentication is specified:
IDENTITY_PROPAGATION_CONFLICT1_ERROR=DSRA7025E: The reauthentication custom property for the Datasource cannot be enabled when you are using the TrustedConnectionMapping login configuration.