Enable trusted context with authentication
Enable trusted context in the applications to improve how the appserver interacts with DB2 database servers. Use trusted connections to preserve the identity records of clients that connect to a DB2 database through the applications; trusted connections provide a more secure environment because access is granted based on the identity of those users rather than on a shared connection identity. DB2 provides an option for trusted connections in which a password is required when switching the user identity. Configure the appserver to use trusted connections with authentication, and plug in our own code to take advantage of trusted context with authentication.
Refer to the topic on enabling trusted context for DB2 databases to ensure that trusted connections are properly configured for the appserver.
If the WITH AUTHENTICATION option is specified when the trusted context is created, the database requires that you provide an authentication token with the end user's identity. The database authenticates the end user and verifies the end user's authorization to access the database before the database allows any requests to be processed.
- Set useTrustedContextWithAuthentication custom property to true for the DB2 data source.
- Click JDBC > Data sources.
- Click the name of the data source to configure.
- Click Custom properties from the Additional Properties heading.
- Click New.
- Complete the required fields. Use the following information:
Table 1. Custom property panel

| Name                                | Value |
|-------------------------------------|-------|
| useTrustedContextWithAuthentication | true  |
If the useTrustedContextWithAuthentication custom property is not set to true, the appserver provides its own implementation that reuses DB2 trusted connections without authentication at run time. In that case we are not required to provide any code to use the trusted context feature.
- Use the login configuration for TrustedConnectionMapping
- Extend the DataStoreHelper class, and provide the implementation for the getPasswordForUseWithTrustedContextWithAuthentication method
At run time, the appserver calls this method to obtain the password that it must use to switch the trusted context identity when we have enabled trusted context with authentication.
The password that is returned by this method is sent to the database when the appserver switches trusted context identities; the appserver does not store the password. The appserver only calls this method if the following is true:
The following is an example of the getPasswordForUseWithTrustedContextWithAuthentication method:
```java
public String getPasswordForUseWithTrustedContextWithAuthentication(String identityname, String realm)
        throws SQLException {
    // customers use their own implementation to get the password
    return customersOwnUtility().getPassword(identityname);
}
```
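The following is a fuller worked example of such a helper, added here as an illustration; it is not WebSphere or DB2 product code. It extends DB2UniversalDataStoreHelper and overrides the method shown above, binding the password lookup to both the identity name and the realm, failing closed (throwing SQLException, so no identity switch happens) when no credential is held, and clearing the char[] copy of the secret once the String the appserver requires has been built. The CredentialSource interface, the InMemoryCredentialSource class and its constructed sample entry are assumptions of this example; the constructor taking a java.util.Properties object is assumed to match the DB2UniversalDataStoreHelper API.

```java
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;

import com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper;

/**
 * Example DataStoreHelper for DB2 trusted context with authentication.
 * Added illustration only; not part of the WebSphere or DB2 products.
 */
public class TrustedContextDataStoreHelper extends DB2UniversalDataStoreHelper {

    /** Hypothetical credential source; a real deployment backs this with its vault or keystore client. */
    public interface CredentialSource {
        /** Returns a fresh copy of the password for (realm, identity), or null if none is held. */
        char[] lookup(String realm, String identityName);
    }

    // Default to the constructed in-memory source below; setCredentialSource replaces it at startup.
    private static volatile CredentialSource credentialSource = new InMemoryCredentialSource();

    /** Assumed to match the DB2UniversalDataStoreHelper(Properties) constructor. */
    public TrustedContextDataStoreHelper(Properties props) {
        super(props);
    }

    /** Lets the deployment install its real credential source (hypothetical hook, called once at startup). */
    public static void setCredentialSource(CredentialSource source) {
        if (source == null) {
            throw new IllegalArgumentException("credential source must not be null");
        }
        credentialSource = source;
    }

    @Override
    public String getPasswordForUseWithTrustedContextWithAuthentication(String identityname, String realm)
            throws SQLException {
        // Refuse to switch to an empty identity rather than letting DB2 decide what that means.
        if (identityname == null || identityname.trim().isEmpty()) {
            throw new SQLException("Trusted context identity switch requested without an identity name");
        }
        String realmKey = (realm == null) ? "" : realm;

        char[] secret = credentialSource.lookup(realmKey, identityname);
        if (secret == null) {
            // Fail closed: no stored credential means no identity switch for this user.
            // Deliberately no fallback to a shared or default password.
            throw new SQLException("No credential held for identity '" + identityname
                    + "' in realm '" + realmKey + "'");
        }
        try {
            // The appserver sends this String to DB2 for the switch and does not retain it.
            return new String(secret);
        } finally {
            // Wipe our own copy; the String itself is handed off to the appserver.
            Arrays.fill(secret, '\0');
        }
    }

    /** Constructed in-memory source for demonstration only; never ship credentials this way. */
    static final class InMemoryCredentialSource implements CredentialSource {
        private final Map<String, char[]> entries = new ConcurrentHashMap<>();

        InMemoryCredentialSource() {
            // Constructed sample entry: realm "defaultWIMFileBasedRealm", identity "appuser1".
            entries.put(key("defaultWIMFileBasedRealm", "appuser1"), "example-password".toCharArray());
        }

        private static String key(String realm, String identity) {
            // Realm and identity are kept distinct in the key so "a" in realm "b" never matches "ab".
            return realm + "\u0000" + identity;
        }

        @Override
        public char[] lookup(String realm, String identityName) {
            char[] stored = entries.get(key(realm, identityName));
            return (stored == null) ? null : stored.clone();
        }
    }
}
```

To use a helper like this, set the data source's Data store helper class name to the fully qualified name of the subclass, keep useTrustedContextWithAuthentication set to true, and install the real credential source before the first connection is obtained. Keying the lookup on the realm as well as the identity name matters because the same user name can exist in more than one realm; the realm argument is what lets the helper tell them apart.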
Avoid trouble: We cannot enable the useTrustedContextWithAuthentication custom property for the data source without overriding the getPasswordForUseWithTrustedContextWithAuthentication method in the DataStoreHelper class to supply the password for switching the identity on trusted connections. If we do not provide an implementation of the getPasswordForUseWithTrustedContextWithAuthentication method, the appserver throws an exception with the following message at run time:
TRUSTED_WITH_AUTHENTICATION_IMPLEMENTATION_ERROR=DSRA7033E: We cannot enable the useTrustedContextWithAuthentication custom property for the data source without overwriting the getPasswordForUseWithTrustedContextWithAuthentication DataStoreHelper.
TRUSTED_WITH_AUTHENTICATION_IMPLEMENTATION_ERROR.explanation=The useTrustedContextWithAuthentication custom property is enabled, but the implementation code for the DataStoreHelper method that will return the password that the appserver will use to switch the identity is not provided.
TRUSTED_WITH_AUTHENTICATION_IMPLEMENTATION_ERROR.useraction=Overwrite the getPasswordForUseWithTrustedContextWithAuthentication DataStoreHelper method and provide the implementation code that will return the password, or set the useTrustedContextWithAuthentication custom property for the data source to false.