Configure data access security (iSeries)
Safeguard access to the enterprise data by designating credentials that WAS uses to authenticate database connections.
Review the history and roles of the database tables in our environment; this information helps you determine the best approach for securing each table. We can either rely on the default authentication mechanism of a user profile, or override it by configuring a security scheme for the individual application component that requires access to the database. Generally, consider overriding the default profile security if the database tables were created prior to the Application Server installation, or if programs outside of Application Server also access the tables.
To authenticate database connections with user profile credentials, use an existing profile from any of three scopes in the application serving environment. Otherwise, consult the following Application component authentication table for methods of overriding user profile settings.
- System-level scope option: Change the default user profile of WAS to an existing profile in the IBM i system that has authority to access the database tables.
- WebSphere Application Server instance scope option: Add authority for accessing the tables to the default Application Server user profile.
- Individual application server scope option: If we designated a user profile for an individual application server that is different from the profile of the entire WebSphere Application Server instance, add database authority to that new user profile.
For database tables that are created by WebSphere Application Server and are used only within the Application Server environment, you generally do not need to change or override the default security. We can simply add authority for accessing the database to the WAS user profile.
- Overriding user profile credentials: In the following table, locate the type of application component for which to create authentication credentials. Choose a method from the Authentication strategies column.

| Type of object that requires access to backend data | The data is created by | Library | Authentication strategies |
|---|---|---|---|
| Servlet session | WebSphere Application Server | By default, QWAS6SN. Specify a different library by editing the libraries custom property in the Session Manager persistence panel. | By default, the user profile under which the application server runs. Specify a different library by editing the libraries custom property in the Session Manager persistence panel. |
| Entity enterprise beans that use container-managed persistence (CMP) | WebSphere Application Server, or the data already exists | User-defined | By default, the user profile under which the application server runs. Specify a different user profile by creating a JAAS alias for the enterprise bean data source. See the "Create JAAS aliases" note that follows this table for more information. |
| User-written data access code in servlets, session beans, and entity beans with bean-managed persistence (BMP), which might use connection pooling | WebSphere Application Server, user code, or the data already exists | User-defined | By default, the user profile under which the application server runs. Specify a different user profile by modifying the user code to explicitly use a user ID and password with the database connection. Alternatively, we can create a JAAS alias for the data source configured for the servlet or enterprise bean. See the "Create JAAS aliases" note that follows this table for more information. |

Create JAAS aliases:
- Consult the topic, Managing Java 2 Connector Architecture authentication data entries, article for instruction on creating a JAAS alias.
- After following those steps, navigate to the relevant data source properties page in the console: Resources > Data sources > my_data_source.
- Designate the new JAAS credentials as the component-managed alias for the data source.
- Restart the application server for the new security configuration to take effect.
Hierarchy of authentication strategies: If we use component-specific authentication, be aware that some authentication strategies take precedence over others:
- Enterprise bean: We can specify a data source for the enterprise bean and create a JAAS alias for association with that data source. The user ID and password properties of the alias control which user ID can access the tables defined by the data source. The JAAS alias that you associate with the enterprise bean data source takes precedence over both the application server user ID and the ID of the EJB container data source. If we specify a data source for the enterprise bean but do not specify a JAAS alias for it, the IBM i system uses the application server ID. The application server ID is the default, regardless of whether we specified a data source for the EJB container.
- EJB container: We can specify a data source for the EJB container and create a JAAS alias for association with that data source. The user ID and password properties of the alias control which user ID can access the tables defined by the data source. The JAAS alias that you associate with the EJB container data source takes precedence over the application server user ID. However, if we do not specify a JAAS alias for the EJB container data source, the IBM i system uses the application server ID to authenticate access to the database tables.
- Application server: The application server runs under the user ID specified in the USER ID property for the application server. Any database tables that are accessed should allow access to the specified user ID. By default, the application server runs under the QEJBSVR user profile. Therefore, the database tables must allow access to the QEJBSVR user profile.
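The precedence chain above (enterprise bean data source alias, then EJB container data source alias, then the application server user ID) is easy to get wrong when reviewing a configuration, and the earlier guidance says to override the default profile where tables pre-date the installation or are shared with other programs. The following is an added example, not WebSphere code and not taken from the IBM documentation: a small Python model that resolves which user profile a component's database connections will authenticate as, and flags components that silently fall back to the server profile while touching shared tables. The alias names, JNDI names, user IDs and component records are constructed sample data; in a real cell the aliases are the JAAS authentication data entries referenced by the data source's component-managed alias.

```python
"""Resolve the effective database user profile for WebSphere components on IBM i.

Added illustration of the documented precedence rules; not part of WebSphere.
All alias, data source and component values below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_SERVER_PROFILE = "QEJBSVR"  # documented default application server profile


@dataclass
class DataSource:
    jndi_name: str
    auth_alias: Optional[str] = None  # component-managed JAAS alias, if one is set


@dataclass
class Component:
    name: str
    kind: str                              # "ejb" or "servlet"
    data_source: Optional[DataSource] = None
    tables_shared: bool = False            # tables pre-existing or used outside WAS


@dataclass
class ServerConfig:
    server_user_id: str = DEFAULT_SERVER_PROFILE
    ejb_container_data_source: Optional[DataSource] = None
    jaas_aliases: Dict[str, str] = field(default_factory=dict)  # alias -> user ID


def _alias_user(cfg: ServerConfig, alias: str) -> str:
    """Look up the user ID behind a JAAS alias; a dangling alias is a config error."""
    if alias not in cfg.jaas_aliases:
        raise KeyError(f"JAAS alias '{alias}' is referenced but not defined")
    return cfg.jaas_aliases[alias]


def resolve_db_user(cfg: ServerConfig, comp: Component) -> Tuple[str, str]:
    """Return (user_id, reason) following the documented precedence.

    1. A JAAS alias on the component's own data source wins outright.
    2. A component data source without an alias falls straight to the
       server user ID, even if the EJB container data source has an alias.
    3. An enterprise bean with no data source of its own inherits the EJB
       container data source alias, if any.
    4. Otherwise the application server user ID is used.
    """
    ds = comp.data_source
    if ds is not None:
        if ds.auth_alias:
            return _alias_user(cfg, ds.auth_alias), "component data source alias"
        return cfg.server_user_id, "application server user ID (data source has no alias)"
    cds = cfg.ejb_container_data_source
    if comp.kind == "ejb" and cds is not None and cds.auth_alias:
        return _alias_user(cfg, cds.auth_alias), "EJB container data source alias"
    return cfg.server_user_id, "application server user ID"


def audit_default_profile_use(cfg: ServerConfig, comps: List[Component]) -> List[str]:
    """Names of components that access shared tables under the server profile.

    These are the cases the guidance above says should normally be overridden
    with a component-specific alias rather than granting the server profile
    authority to tables that other programs also use.
    """
    flagged = []
    for comp in comps:
        user, _reason = resolve_db_user(cfg, comp)
        if comp.tables_shared and user == cfg.server_user_id:
            flagged.append(comp.name)
    return flagged


# Constructed sample cell: two aliases, a container-level data source with an alias.
SAMPLE_CFG = ServerConfig(
    ejb_container_data_source=DataSource("jdbc/container", auth_alias="ctrAlias"),
    jaas_aliases={"bankAlias": "BANKUSR", "ctrAlias": "CTRUSR"},
)
SAMPLE_COMPONENTS = [
    Component("AccountBean", "ejb", DataSource("jdbc/bank", "bankAlias"), tables_shared=True),
    Component("LedgerBean", "ejb", DataSource("jdbc/ledger"), tables_shared=True),
    Component("AuditBean", "ejb", None, tables_shared=False),
    Component("ReportServlet", "servlet", DataSource("jdbc/report"), tables_shared=False),
]

if __name__ == "__main__":
    for c in SAMPLE_COMPONENTS:
        print(c.name, "->", resolve_db_user(SAMPLE_CFG, c))
    print("needs an override:", audit_default_profile_use(SAMPLE_CFG, SAMPLE_COMPONENTS))
```

Running the sample shows LedgerBean resolving to QEJBSVR even though a container-level alias exists, because a component data source without its own alias does not inherit the container alias; that is the case the audit flags.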
Related concepts
Java EE connector security
Related tasks
Manage Java 2 Connector Architecture authentication data entries for JAAS
Data source settings