Set the security properties for trusted connections

WAS v8.5 > Secure applications > Secure Data access resources > Secure data sources > Enable trusted context for DB2 databases
Set the security properties for trusted connections

Trusted connections are a solution that can pass the requesting user identity to DB2 and also take full advantage of the connection pooling. Utilizing the DB2 trusted context object, the trusted connection is used to separate the identity used to establish the connection from the identity that accessed the DB2 server services. The connection is established by a user whose credentials are authorized by the DB2 server to open the connection and trusted by the DB2 server to assert the identity of the requesting users when accessing the DB2 server from the application.
To use the trusted connection functionality, you must be running at database server with DB2 Database for Linux, UNIX, and Windows Version 9.5 or later or DB2 Database Version 9.1 or later for z/OS . Trusted connections can be used if the application server is installed on iSeries systems, as long as a supported version of DB2 is installed on a platform other than iSeries systems, and the DB2 universal driver is used. See the list of list of supported software for the application server for more support information. An existing J2EE connector (J2C) data alias must exist for passing user credentials to the DB2 server when establishing a connection, meaning container authorization must be used.
Read about Enable trusted context for DB2 databases for steps to configure the application server to use trusted connections.
Trusted connections support client identity propagation while taking advantage of connection pooling to reduce the performance penalty of closing and reopening connections with a different identity. When you select Use trusted connection (one-to-one mapping) for the connection mapping, five custom properties are created. Review these properties to ensure the default values of these properties correspond with your intended settings.

Click Enterprise applications > application_name > Resource references > Resources panel in the dmgr console.
Select the correct enterprise bean, and click Mapping Properties to view the properties that are set by default when we configured the trusted connection.
Confirm the default values assigned to these properties are correct for the environment.
Security Properties. This table lists the security property values:

Property Default Value Information
com.ibm.mapping.authDataAlias none The value assigned for this property is the value selected from the menu list.
com.ibm.mapping.propagateSecAttrs false A false value for this property specifies the security attributes are not propagated. We can change this value to true to add the RunAs subject as an opaque token in the IdentityPrincipal object.
com.ibm.mapping.targetRealmName null If this value is not specified or null, the security run time process will use the current user realm name. This process assumes the Enterprise Information System (EIS) is using the current user realm. In this context, a realm is a logical representation of the user repository. If the application server and DB2 server are using different user repositories, the value of this property should be set to the realm name of the DB2 server. This enables a principal or credential mapping to be set at the target EIS.
com.ibm.mapping.unauthenticatedUser UNAUTHENTICATED This property is a user identity used by the EIS to indicate a user identity that is unauthenticated. This is defined at com.ibm.ISecurityUtilityImpl.SecConstants.java public final static String UnauthenticatedString = "UNAUTHENTICATED"
com.ibm.mapping.useCallerIdentityproperty false A false value for this property specifies the Run As identity is asserted in the IdentityPrincipal object. Change the value of this property to true to assert the caller identity in the IdentityPrincipal object instead of the Run As identity.

Click OK to confirm all the current values.

Click OK and Save on the Resource references panel to save your changes to the master configuration.

Results
After the completion of these steps and a restart of the application server, trusted connections will be used with the chosen mapping properties to connect with the DB2 database server.

Related concepts:

Trusted connections with DB2

Related

Enable trusted context for DB2 databases
Map resource manager connection factory references to resource factories

Reference:

Map properties for a custom login or trusted connection configuration
Map data sources for all 2.x CMP beans settings

+
Search Tips | Advanced Search

Property	Default Value	Information
com.ibm.mapping.authDataAlias	none	The value assigned for this property is the value selected from the menu list.
com.ibm.mapping.propagateSecAttrs	false	A false value for this property specifies the security attributes are not propagated. We can change this value to true to add the RunAs subject as an opaque token in the IdentityPrincipal object.
com.ibm.mapping.targetRealmName	null	If this value is not specified or null, the security run time process will use the current user realm name. This process assumes the Enterprise Information System (EIS) is using the current user realm. In this context, a realm is a logical representation of the user repository. If the application server and DB2 server are using different user repositories, the value of this property should be set to the realm name of the DB2 server. This enables a principal or credential mapping to be set at the target EIS.
com.ibm.mapping.unauthenticatedUser	UNAUTHENTICATED	This property is a user identity used by the EIS to indicate a user identity that is unauthenticated. This is defined at com.ibm.ISecurityUtilityImpl.SecConstants.java public final static String UnauthenticatedString = "UNAUTHENTICATED"
com.ibm.mapping.useCallerIdentityproperty	false	A false value for this property specifies the Run As identity is asserted in the IdentityPrincipal object. Change the value of this property to true to assert the caller identity in the IdentityPrincipal object instead of the Run As identity.