Trusted connections are a solution that can pass the identity of the requesting
user to DB2 while still taking full advantage of connection pooling.
Using the DB2 trusted context object, a trusted connection separates the
identity that establishes the connection from the identity that accesses the
DB2 server services. The connection is established by a user whose credentials
are authorized by the DB2 server to open the connection and who is trusted by
the DB2 server to assert the identity of the requesting users when the
application accesses the DB2 server.
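As an added illustration that is not part of this topic, the following DB2 SQL defines a trusted context of the kind described above: one system identity is authorized to open the pooled connection, and only the listed identities may be asserted over it. The context name, role name, address and user IDs (wasuser, alice, bob) are assumptions.

```sql
-- Added example, not from the original topic; all names and the address are assumed.
-- Role that carries the privileges asserted users receive inside the context.
CREATE ROLE APPSERVER_ROLE;

CREATE TRUSTED CONTEXT APPSERVER_CTX
  -- Identity the application server uses to establish the pooled connection.
  BASED UPON CONNECTION USING SYSTEM AUTHID wasuser
  -- Only connections from this host, over an encrypted channel, qualify as trusted.
  ATTRIBUTES (ADDRESS '192.0.2.10', ENCRYPTION 'HIGH')
  -- Privileges acquired by the identities switched to within the trusted context.
  DEFAULT ROLE APPSERVER_ROLE
  ENABLE
  -- Identities the connection may be switched to; a switch to any other
  -- identity is rejected by the DB2 server. If the mapping can assert the
  -- identity named in com.ibm.mapping.unauthenticatedUser, list it here too.
  WITH USE FOR alice WITH AUTHENTICATION,
               bob WITHOUT AUTHENTICATION;

-- Grant the role only what the asserted users need (table name assumed).
GRANT SELECT ON orders TO ROLE APPSERVER_ROLE;
```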
Before you begin
To use the trusted connection functionality, the application server
must be connecting to a database server that is running DB2 Version 9.5 or
later for AIX, HP-UX, Linux, Solaris, or Windows operating systems, or DB2
Version 9.1 or later for z/OS. You can use trusted connections if the application
server is installed on iSeries systems, as long as a supported version of
DB2 is installed on a platform other than iSeries systems and you are using
the DB2 universal driver. See the list of supported software
for the application server for more support information. An existing J2EE
connector (J2C) data alias must exist for passing user credentials to the
DB2 server when establishing a connection, meaning that container authorization
must be used.
Read about Enabling trusted context for DB2 databases for
steps to configure the application server to use trusted connections.
About this task
Trusted connections support client identity propagation while taking
advantage of connection pooling to reduce the performance penalty of closing
and reopening connections with a different identity. When you select Use
trusted connection (one-to-one mapping) for the connection mapping,
five custom properties are created. Review these properties to ensure that
their default values correspond with your intended settings.
Procedure
- Click panel
in the administrative console.
- Select the correct enterprise bean, and click Mapping
Properties to view the properties that are set by default when
you configured the trusted connection.
- Confirm that the default values assigned to these properties are
correct for your environment.
Table 1. Security Properties

| Property | Default Value | Information |
| --- | --- | --- |
| com.ibm.mapping.authDataAlias | none | The value that is assigned for this property is the value that you selected from the menu list. |
| com.ibm.mapping.propagateSecAttrs | false | A false value for this property specifies that the security attributes are not propagated. You can change this value to true to add the RunAs subject as an opaque token in the IdentityPrincipal object. |
| com.ibm.mapping.targetRealmName | null | If this value is not specified or null, the security runtime will use the current user realm name. This process assumes that the Enterprise Information System (EIS) is using the current user realm. In this context, a realm is a logical representation of the user repository. If the application server and DB2 server are using different user repositories, the value of this property should be set to the realm name of the DB2 server. This enables a principal or credential mapping to be set at the target EIS. |
| com.ibm.mapping.unauthenticatedUser | UNAUTHENTICATED | This property is a user identity that is used by the EIS to indicate a user identity that is unauthenticated. It is defined in com.ibm.ISecurityUtilityImpl.SecConstants.java as public final static String UnauthenticatedString = "UNAUTHENTICATED". |
| com.ibm.mapping.useCallerIdentity | false | A false value for this property specifies that the Run As identity is asserted in the IdentityPrincipal object. Change the value of this property to true if you want to assert the caller identity in the IdentityPrincipal object instead of the Run As identity. |
- Click OK to confirm all the current values.
- Click OK and Save on
the Resource references panel to save your changes to the master configuration.
Results
After the completion of these steps and a restart of the application
server, trusted connections will be used with the chosen mapping properties
to connect with the DB2 database server.