Enable trusted context in your applications to improve
how the application server interacts with DB2® database
servers. Use trusted connections to preserve the identity records
of clients that are connecting to a DB2 database
through your applications; trusted connections can provide a more
secure environment by granting access based on the identity of those
users.
Before you begin
Ensure that the following prerequisites are met before enabling
trusted connections:
- You are using a database server that is running either DB2 Database for Linux, UNIX, and Windows Version 9.5 or later, or DB2 Database for z/OS® Version 9.1 or later. See the list of supported
software for the application server for more support information.
- You do not need to be connected to the database to configure trusted
context in the application server.
- Trusted context is enabled for the DB2 database.
- Global security is enabled. See the topic, Setting up, enabling
and migrating security, for more information on configuring security.
About this task
With trusted connections you can:
- Access the DB2 database with the caller identity, obviating
the need to create a new connection for every user.
- Preserve the identity of the end-user when the application server
is interacting with the database.
- Strengthen database security by avoiding granting all of the privileges
to a single user.
- Improve performance, as compared to the existing model of using
the resetConnection() method to take advantage of identity propagation.
Note: Non-trusted connections cannot be
used as trusted connections. If the connection pool contains only
non-trusted connections and a request comes in for a trusted connection,
a new request will be sent to the database for the trusted connection.
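The DB2 side of the prerequisite "Trusted context is enabled for the DB2 database", and of the benefit of not granting all privileges to a single user, as an added example that is not part of this page or of the product documentation. It shows the DB2 for Linux, UNIX, and Windows SQL that defines a trusted context for the application server, followed by a catalog query to confirm that the context exists and is enabled. The context name CTX_WAS_APP, the system ID WASADMIN, the role APP_USER_ROLE, the table APP.ORDERS, the end-user IDs ALICE and BOB, and the address 192.0.2.10 are placeholders chosen for this example; switching identities without a password (WITHOUT AUTHENTICATION) is assumed here to match this page's requirement that the authentication values be set to none.

```sql
-- Added example, not from the IBM documentation page. All names and the
-- address are placeholders. Runs on DB2 for Linux, UNIX, and Windows 9.5+.

-- Application privileges go to a role that is handed out through the
-- trusted context, not to the application server's own system ID, so the
-- ID in the data source alias by itself grants no access to application data.
CREATE ROLE APP_USER_ROLE;
GRANT SELECT, INSERT, UPDATE ON TABLE APP.ORDERS TO ROLE APP_USER_ROLE;

-- WASADMIN is the user named in the authentication alias bound to the data
-- source (the system authorization ID of the physical connection).
-- ADDRESS is the application server host: DB2 treats a connection as
-- trusted only when it arrives from this address under that ID.
-- WITH USE FOR lists the end-user IDs the connection may be switched to;
-- UNAUTHENTICATED is the default ID this page says must exist in DB2.
-- WITHOUT AUTHENTICATION (assumed mode) lets the switch happen without the
-- end user's password, which is why the data source needs no credentials.
CREATE TRUSTED CONTEXT CTX_WAS_APP
  BASED UPON CONNECTION USING SYSTEM AUTHID WASADMIN
  ATTRIBUTES (ADDRESS '192.0.2.10')
  NO DEFAULT ROLE
  ENABLE
  WITH USE FOR ALICE ROLE APP_USER_ROLE WITHOUT AUTHENTICATION,
               BOB ROLE APP_USER_ROLE WITHOUT AUTHENTICATION,
               UNAUTHENTICATED ROLE APP_USER_ROLE WITHOUT AUTHENTICATION;

-- Check before configuring the application server: the context must exist,
-- ENABLED must be 'Y', and the ADDRESS attribute must name the real
-- application server host, otherwise DB2 hands back an ordinary connection.
SELECT C.CONTEXTNAME, C.SYSTEMAUTHID, C.ENABLED, A.ATTR_NAME, A.ATTR_VALUE
  FROM SYSCAT.CONTEXTS C
  JOIN SYSCAT.CONTEXTATTRIBUTES A ON A.CONTEXTNAME = C.CONTEXTNAME
 WHERE C.CONTEXTNAME = 'CTX_WAS_APP';
```

CREATE ROLE and CREATE TRUSTED CONTEXT require SECADM authority on the database. Keeping NO DEFAULT ROLE means a request that cannot be switched to a listed end-user ID gets only whatever WASADMIN itself holds, which is the point of granting the application privileges to the role rather than to that ID.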
Procedure
Enable trusted context for your applications.
- Enable trusted context when you are installing a new application.
- Perform a typical installation for the application until you reach Step
7: Map resource references to resources in the installation
wizard.
- In Step 7: Map resource references to resources,
select Use trusted connections (one-to-one mapping) in
the Specify authentication method section.
- Select an authentication alias from the list that matches an alias
that is already defined in the DB2 data
source. If you do not have an alias defined that is suitable, continue
with the installation, and enable trusted context after the application
is installed.
Note: You can specify
a default user (UNAUTHENTICATED) to be used if no client identity
is available, but that default ID (UNAUTHENTICATED) must also exist
in the DB2 database. If the com.ibm.mapping.unauthenticatedUser property
is set to null or an empty string, then the application server will
use the default user (UNAUTHENTICATED). For more information, see
the topic, Setting the security properties for trusted
connections.
- Select a data source from the table that has trusted context enabled.
- Click Apply.
- Edit the properties of the custom login configuration. Read the
topic, Setting the security properties for trusted connections.
Note: Ensure that all of the authentication values are set to none for
the trusted connections to work. For example, if you use a trusted
connection to connect to DB2, the Test connection button does not work,
and the operation fails with the following exception:
The test connection operation failed for data source jdbcTestDB on server server1
at node wasvm04Node02 with the following exception: java.sql.SQLException:
[jcc][t4][10205][11234][3.59.81] Null userid is not supported. ERRORCODE=-4461,
SQLSTATE=42815 DSRA0010E: SQL State = 42815, Error Code = -4,461.
View JVM logs for further details.
- Finish the installation wizard.
- Enable trusted context on an application that is already installed.
Note: Remove the propagateClientIdentityUsingTrustedContext
custom property for the DB2 data source, if it is present.
If the propagateClientIdentityUsingTrustedContext is enabled, the
application server will issue the following warning at run time:
IDENTITY_PROPAGATION_PROP_WARNING=DSRA7029W: The propagateClientIdentityUsingTrustedContext
custom property for the Datasource is no longer used, value will be ignored.
The
application server will determine at run time if the request is using
trusted context, and the application server will enable trusted context
based on that information. Therefore, the same data source in the
application server can be used for both trusted and non-trusted access.
- Click WebSphere enterprise applications > application_name.
- Click Resource references from the Resources heading.
- Select Use trusted connections (one-to-one mapping) in
the Specify authentication method section.
- Select an authentication alias from the list that matches an alias
that is already defined in the DB2 data
source. If you do not have an alias defined that is suitable, define
a new alias.
- Click JDBC > Data sources > data_source_name.
- Click JAAS - J2C authentication data from
the Related Items heading.
- Click New.
- Define the properties for the alias in General properties.
- Click OK.
Note: You can specify
a default user (UNAUTHENTICATED) to be used if no client identity
is available, but that default ID (UNAUTHENTICATED) must also exist
in the DB2 database. If the com.ibm.mapping.unauthenticatedUser property
is set to null or an empty string, then the application server will
use the default user (UNAUTHENTICATED). For more information, see
the topic, Setting the security properties for trusted
connections.
- Select a data source from the table that has trusted context enabled.
- Click Apply.
- Edit the properties of the custom login configuration. Read the
topic, Setting the security properties for trusted connections.
What to do next
Be aware of the following error conditions that can occur
if trusted context is not configured properly:
- The application server will issue a warning if you use the TrustedConnectionMapping
login configuration and the database server does not support trusted
context. The application server will then return a normal, non-trusted
connection. If the database server is a DB2 database that does not
support trusted connections, the DB2 database server will throw an exception.
- The application server will throw the following exception if you
use the TrustedConnectionMapping login configuration and ThreadIdentity
is specified:
IDENTITY_PROPAGATION_CONFLICT2_ERROR=DSRA7028E: You cannot use the TrustedConnectionMapping
login configuration when the ThreadIdentity property is enabled.
- The application server will throw the following exception if you
use the TrustedConnectionMapping login configuration and reauthentication
is specified:
IDENTITY_PROPAGATION_CONFLICT1_ERROR=DSRA7025E: The reauthentication custom property for
the Datasource cannot be enabled when you are using the TrustedConnectionMapping login configuration.