Enable trusted context for DB2 databases

Enable trusted context in the applications to improve how the application server interacts with DB2 database servers. Use trusted connections to preserve the identity records of clients that are connecting to a DB2 database through the applications; trusted connections can provide a more secure environment by granting access based on the identity of those users.

Ensure that the following prerequisites are met before enabling trusted connections:

• We are using a database server running DB2 Database for Linux, UNIX, and Windows v9.5 or later or DB2 Database v9.1 or later for z/OS . See the list of list of supported software for the application server for more support information.

• We do not need to be connected to the database to configure trusted context in the application server.
• Trusted context is enabled for the DB2 database.
• Global security is enabled. See the topic, Setting up, enabling and migrating security, for more information on configuring security.

With trusted connections we can:

• Access the DB2 database with the caller identity, obviating the need to create a new connection for every user.
• Preserve the identity of the user when the application server is interacting with the database.
• Strengthen database security by avoiding granting all of the privileges to a single user.
• Improve performance, as compared to the existing model of using the resetConnection() method to take advantage of identity propagation.

Non-trusted connections cannot be used as trusted connections. If the connection pool contains only non-trusted connections and a request comes in for a trusted connection, a new request will be sent to the database for the trusted connection.

Tasks

Enable trusted context for the applications.

• Enable trusted context when we are installing a new application.

  1. Perform a typical installation for the application until you reach Step 7: Map resource references to resources in the installation wizard.
  2. In Step 7: Map resource references to resources, select Use trusted connections (one-to-one mapping) in the Specify authentication method section.

  3. Select an authentication alias from the list that matches an alias already defined in the DB2 data source. If we do not have an alias defined that is suitable, continue with the installation, and enable trusted context after the application is installed.

     We can specify a default user (UNAUTHENTICATED) to be used if no client identity is available, but that default ID (UNAUTHENTICATED) must also exist in the DB2 database. If the com.ibm.mapping.unauthenticatedUser is set to null or an empty string, then the application server will use the default user (UNAUTHENTICATED). See information about setting the security properties for trusted connections.

  4. Select a data source from the table that has trusted context enabled.

  5. Click Apply.

  6. Edit the properties of the custom login configuration. See, Setting the security properties for trusted connections.

     Ensure that all of the authentication values are set to none for the trusted connections to work. For example, if we used a trusted connection to connect to DB2, the Test connection button will not work and the operation will fail:

     The test connection operation failed for data source jdbcTestDB on server server1 
     at node wasvm04Node02 with the following exception: java.sql.SQLException: 
     [jcc][t4][10205][11234][3.59.81] Null userid is not supported. ERRORCODE=-4461, 
     SQLSTATE=42815 DSRA0010E: SQL State = 42815, Error Code = -4,461. 
     View JVM logs for further details.
     

  7. Finish the installation wizard.

• Enable trusted context on an application already installed.

  For transitioning users: Remove the propagateClientIdentityUsingTrustedContext custom property for the DB2 data source, if it is present. If the propagateClientIdentityUsingTrustedContext is enabled, the application server will issue the following warning at run time:

  IDENTITY_PROPAGATION_PROP_WARNING=DSRA7029W: The propagateClientIdentityUsingTrustedContext 
   custom property for the Datasource is no longer used, value will be ignored.
  

  The application server will determine at run time if the request is using trusted context, and the application server will enable trusted context based on that information. Therefore, the same data source in the application server can be used for both trusted and non-trusted access.trns

  1. Click WebSphere enterprise applications > application_name.

  2. Click Resource references from the Resources heading.

  3. Select Use trusted connections (one-to-one mapping) in the Specify authentication method section.

  4. Select an authentication alias from the list that matches an alias already defined in the DB2 data source. If we do not have an alias defined that is suitable, define a new alias.

     1. Click JDBC > Data sources > data_source_name.

     2. Click JAAS - J2C authentication data from the Related Items heading.

     3. Click New.

     4. Define the properties for the alias in General properties.

     5. Click OK.

     We can specify a default user (UNAUTHENTICATED) to be used if no client identity is available, but that default ID (UNAUTHENTICATED) must also exist in the DB2 database. If the com.ibm.mapping.unauthenticatedUser is set to null or an empty string, then the application server will use the default user (UNAUTHENTICATED). See information about setting the security properties for trusted connections.

  5. Select a data source from the table that has trusted context enabled.

  6. Click Apply.

  7. Edit the properties of the custom login configuration. See, Setting the security properties for trusted connections.

What to do next

Be aware of the following error conditions that can occur if trusted context is not configured properly:

• The application server will issue a warning if we use the TrustedConnectionMapping login configuration and the database server does not support trusted context. The application server will then return a normal, non-trusted connection. If we are using a DB2 database for the database server, and it doesn't support trusted connections, then the DB2 database server will throw an exception.

• The application server will throw the following exception if we use the TrustedConnectionMapping login configuration and ThreadIdentity is specified:

  IDENTITY_PROPAGATION_CONFLICT2_ERROR=DSRA7028E: We cannot use the TrustedConnectionMapping 
   login configuration when the ThreadIdentity property is enabled.
  

• The application server will throw the following exception if we use the TrustedConnectionMapping login configuration and reauthentication is specified:

  IDENTITY_PROPAGATION_CONFLICT1_ERROR=DSRA7025E: The reauthentication custom property for 
   the Datasource cannot be enabled when we are using the TrustedConnectionMapping login configuration.
  

Subtopics

• Setting the security properties for trusted connections
  Trusted connections are a solution that can pass the requesting user identity to DB2 and also take full advantage of the connection pooling. Utilizing the DB2 trusted context object, the trusted connection is used to separate the identity used to establish the connection from the identity that accessed the DB2 server services. The connection is established by a user whose credentials are authorized by the DB2 server to open the connection and trusted by the DB2 server to assert the identity of the requesting users when accessing the DB2 server from the application.
• Trusted connections with DB2
  Trusted connections allow for the application server to use DB2 Trusted Context objects to establish connections with a user whose credentials are trusted by the DB2 server to open the connection. By establishing a Trusted Context, this user is then trusted to assert other user identities on the DB2 server without the expense of reauthentication. This also enhances the security of our DB2 database by eliminating the need to assign all privileges to a single user. Implementing trusted connections results in client identity propagation while leveraging connection pooling to eliminate the performance penalty of closing and reopening connections with a different identity.
• Enable trusted context with authentication for DB2 databases
  Enable trusted context in the applications to improve how the application server interacts with DB2 database servers. Use trusted connections to preserve the identity records of clients that are connecting to a DB2 database through the applications; trusted connections can provide a more secure environment by granting access based on the identity of those users. DB2 provides an option for trusted connections in which a password is required when switching the user identity. We can configure the application server to use trusted connections with authentication, and plug-in our own code to take advantage of trusted context with authentication.

Related:

Data sources

JDBC providers

(ZOS) Use thread identity support

Use the DB2 Universal JDBC Driver to access DB2 for z/OS

Hardware and software requirements

Set up, enabling and migrating security