Enable trusted context with authentication for DB2 databases
Enable trusted context in the applications to improve how the application server interacts with DB2 database servers. Use trusted connections to preserve the identity of the clients that connect to a DB2 database through the applications; trusted connections provide a more secure environment because access is granted based on the identity of those end users rather than on a shared application identity. DB2 provides an option for trusted connections in which a password is required when the user identity is switched. We can configure the application server to use trusted connections with authentication, and plug in our own code to take advantage of trusted context with authentication.
Refer to the topic on enabling trusted context for DB2 databases to ensure that trusted connections are properly configured for the application server.
If the WITH AUTHENTICATION option is specified when the trusted context is created, the database requires that we provide an authentication token with the end user's identity. The database authenticates the end user and verifies the end user's authorization to access the database before the database allows any requests to be processed.
(ZOS) The end user's identity must be the RACF ID.
Tasks
- Set the useTrustedContextWithAuthentication custom property to true for the DB2 data source.
- Click JDBC > Data sources.
- Click the name of the data source to configure.
- Click Custom properties from the Additional Properties heading.
- Click New.
- Complete the required fields. Use the following information:
Name: useTrustedContextWithAuthentication
Value: true
If the useTrustedContextWithAuthentication custom property is not set to true, the application server provides its own implementation for reusing DB2 trusted connections without authentication at run time. In that case we are not required to provide anything to use the trusted context feature.
- Use the login configuration for TrustedConnectionMapping, as described in the topic on enabling trusted context for DB2 databases.
- Extend the DataStoreHelper class and provide an implementation of the getPasswordForUseWithTrustedContextWithAuthentication method, as described in the topic on developing a custom DataStoreHelper class. At run time, when trusted context with authentication is enabled, the application server calls this method to obtain the password that it must use to switch the trusted context identity. The password that this method returns is sent to the database when the application server switches trusted context identities; the application server does not store the password.
The application server calls this method only if both of the following are true:
- You set the useTrustedContextWithAuthentication data source custom property to true.
- We use the TrustedConnectionMapping login configuration.
The following is an example of the getPasswordForUseWithTrustedContextWithAuthentication method:
    public String getPasswordForUseWithTrustedContextWithAuthentication(String identityname, String realm) throws SQLException {
        // customers use their own implementation to get the password
        return customersOwnUtility().getPassword(identityname);
    }
We cannot enable the useTrustedContextWithAuthentication custom property for the data source without overriding the getPasswordForUseWithTrustedContextWithAuthentication method in the DataStoreHelper class to obtain the password for switching the identity on trusted connections. If we do not provide an implementation of the getPasswordForUseWithTrustedContextWithAuthentication method, the application server throws an exception with the following message at run time:
    TRUSTED_WITH_AUTHENTICATION_IMPLEMENTATION_ERROR=DSRA7033E: We cannot enable the useTrustedContextWithAuthentication custom property for the data source without overwriting the getPasswordForUseWithTrustedContextWithAuthentication DataStoreHelper.
    TRUSTED_WITH_AUTHENTICATION_IMPLEMENTATION_ERROR.explanation=The useTrustedContextWithAuthentication custom property is enabled, but the implementation code for the DataStoreHelper method that will return the password that the application server will use to switch the identity is not provided.
    TRUSTED_WITH_AUTHENTICATION_IMPLEMENTATION_ERROR.useraction=Overwrite the getPasswordForUseWithTrustedContextWithAuthentication DataStoreHelper method and provide the implementation code that will return the password, or set the useTrustedContextWithAuthentication custom property for the data source to false.
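The following is a complete custom DataStoreHelper that ties the steps above together. It is an added example, not code from the product or from this topic. It assumes that the base class com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper and its Properties constructor are the ones shipped with the application server; the CredentialSource interface, the InMemoryCredentialSource class, and the realm and identity values it holds are hypothetical placeholders for whatever vault or keystore holds the end-user passwords in your environment.

```java
package com.example.db2;

import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;

import com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper;

/**
 * Added example (not product code): a custom DataStoreHelper that supplies the
 * end-user password the application server needs to switch the identity on a
 * DB2 trusted connection created WITH AUTHENTICATION.
 *
 * Assumed: DB2UniversalDataStoreHelper and its Properties constructor are the
 * shipped ones. CredentialSource is a hypothetical stand-in for your secret store.
 */
public class TrustedContextDataStoreHelper extends DB2UniversalDataStoreHelper {

    /** Hypothetical abstraction over whatever secret store you actually use. */
    public interface CredentialSource {
        /** Returns the password for identity in realm, or null if none is held. */
        String passwordFor(String realm, String identity);
    }

    private final CredentialSource credentials;

    /** Constructor the application server uses when it instantiates the helper. */
    public TrustedContextDataStoreHelper(Properties props) {
        this(props, new InMemoryCredentialSource());
    }

    /** Constructor for unit tests, so the lookup can be injected. */
    public TrustedContextDataStoreHelper(Properties props, CredentialSource credentials) {
        super(props);
        this.credentials = Objects.requireNonNull(credentials);
    }

    /**
     * Called by the application server on each identity switch, and only when the
     * data source has useTrustedContextWithAuthentication=true and uses the
     * TrustedConnectionMapping login configuration. The returned value is sent to
     * DB2 and is not retained by the server, so it is looked up on every call
     * rather than cached in this class.
     */
    @Override
    public String getPasswordForUseWithTrustedContextWithAuthentication(String identityname, String realm)
            throws SQLException {
        if (identityname == null || identityname.trim().isEmpty()) {
            // Fail closed: never switch the trusted connection to an empty identity.
            throw new SQLException("Trusted context identity switch requested without an identity");
        }
        String password = credentials.passwordFor(realm, identityname);
        if (password == null) {
            // Fail closed. The password is never logged, and the identity name is
            // kept out of the message in case the logs are widely readable.
            throw new SQLException("No credential held for the requested trusted context identity");
        }
        return password;
    }

    /**
     * Constructed sample store so the class compiles and runs offline. Replace it
     * with a vault or keystore lookup; do not ship passwords in code.
     */
    static final class InMemoryCredentialSource implements CredentialSource {
        private final Map<String, String> store = new HashMap<>();

        InMemoryCredentialSource() {
            // Hypothetical realm, identity and password, for illustration only.
            store.put(key("defaultRealm", "dbuser1"), "example-only-password");
        }

        @Override
        public String passwordFor(String realm, String identity) {
            return store.get(key(realm, identity));
        }

        private static String key(String realm, String identity) {
            // Scope the identity by realm so "dbuser1" in two realms cannot collide;
            // NUL is a separator that cannot appear in either value.
            return (realm == null ? "" : realm) + '\0' + identity;
        }
    }
}
```

Register the class as the data source's DataStoreHelper as described in the topic on developing a custom DataStoreHelper class, set useTrustedContextWithAuthentication to true, and select the TrustedConnectionMapping login configuration; with all three in place the application server calls getPasswordForUseWithTrustedContextWithAuthentication on every identity switch instead of raising DSRA7033E. Both failure paths throw rather than return an empty string, so a missing credential blocks the identity switch instead of letting the request proceed under the wrong identity.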
Related:
- Trusted connections with DB2
- Data sources
- JDBC providers
- Developing a custom DataStoreHelper class
- Set the security properties for trusted connections
- (ZOS) Use thread identity support
- Use the DB2 Universal JDBC Driver to access DB2 for z/OS