Enable trusted context in your applications to improve how the application server interacts with DB2® database servers. Use trusted connections to preserve the identity of the clients that connect to a DB2 database through your applications; trusted connections provide a more secure environment because the database grants access based on the identity of those end users. DB2 provides an option for trusted connections in which a password is required when the user identity is switched. You can configure the application server to use trusted connections with authentication and plug in your own code that supplies the password required for the identity switch.
Before you begin
Refer to the topic on enabling trusted context for DB2 databases to ensure that trusted connections are properly configured for the application server.
About this task
If the WITH AUTHENTICATION option is specified when the trusted context is created, the database requires an authentication token together with the end user's identity. The database authenticates the end user and verifies that the end user is authorized to access the database before it processes any requests on the switched connection.
The end user's identity must be the RACF® ID.
Procedure
- Set useTrustedContextWithAuthentication custom property to true for the DB2 data source.
- Click .
- Click the name of the data source that you want to configure.
- Click Custom properties from the Additional Properties heading.
- Click New.
- Complete the required fields. Use the following information:
| Name | Value |
| useTrustedContextWithAuthentication | true |
If the useTrustedContextWithAuthentication custom property is not set to true, the application server reuses DB2 trusted connections without authentication at run time. In that case you do not need to provide any further code to use the trusted context feature; identity switches are made without a password.
- Use the login configuration for TrustedConnectionMapping, as described in the topic on enabling trusted context for DB2 databases.
- Extend the DataStoreHelper class, and provide the implementation for the getPasswordForUseWithTrustedContextWithAuthentication method as described in the topic on developing a custom DataStoreHelper class.
At run time, the application server calls this method to obtain the password that it must use to switch the trusted context identity when trusted context with authentication is enabled. The password that this method returns is sent to the database when the application server switches trusted context identities; the application server does not store the password.
The application server calls this method only if both of the following are true:
- You set the useTrustedContextWithAuthentication data source custom property to true.
- You use the TrustedConnectionMapping login configuration.
The following is an example of the getPasswordForUseWithTrustedContextWithAuthentication method:
public String getPasswordForUseWithTrustedContextWithAuthentication(String identityname, String realm)
        throws SQLException
{
    // Customers supply their own implementation that looks up the password
    // for the given end-user identity (for example, from a credential store).
    return customersOwnUtility().getPassword(identityname);
}
Avoid trouble: You cannot enable the useTrustedContextWithAuthentication custom property for the data source without overriding the getPasswordForUseWithTrustedContextWithAuthentication method in the DataStoreHelper class to obtain the password for switching the identity of trusted connections. If you do not provide an implementation of this method, the application server throws an exception with the following message at run time:
TRUSTED_WITH_AUTHENTICATION_IMPLEMENTATION_ERROR=DSRA7033E: You cannot enable the
useTrustedContextWithAuthentication custom property for the data source without overwriting the
getPasswordForUseWithTrustedContextWithAuthentication DataStoreHelper.
TRUSTED_WITH_AUTHENTICATION_IMPLEMENTATION_ERROR.explanation=The useTrustedContextWithAuthentication
custom property is enabled, but the implementation code for the DataStoreHelper method that will
return the password that the application server will use to switch the identity is not provided.
TRUSTED_WITH_AUTHENTICATION_IMPLEMENTATION_ERROR.useraction=Overwrite the
getPasswordForUseWithTrustedContextWithAuthentication DataStoreHelper method and provide the
implementation code that will return the password, or set the useTrustedContextWithAuthentication
custom property for the data source to false.
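The following is a fuller worked example of the custom DataStoreHelper that the procedure above describes. It is an illustration added here, not code from the WebSphere Application Server or DB2 product, and it makes these assumptions: the helper extends com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper and its constructor takes a java.util.Properties argument; the identity that the TrustedConnectionMapping login configuration passes in is the RACF ID; and the passwords are held in an operator-managed, hypothetical properties file whose path (trustedcontext.credentials, defaulting to /var/lib/was/trusted-context-credentials.properties) stands in for whatever credential store you actually use. The points it adds to the one-line sample on the page are the ones a practitioner needs: reject a missing or malformed identity before touching the credential store, fail closed with an SQLException instead of returning null or an empty string (either of which would reach DB2 as a bad authentication token), and never log or cache the password the application server is itself careful not to store.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.sql.SQLException;
import java.util.Properties;

import com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper;

/**
 * Example DataStoreHelper (added illustration, not WebSphere or DB2 code) that supplies
 * the password the application server uses to switch the trusted context identity.
 * Assumptions: the helper extends DB2UniversalDataStoreHelper, whose constructor takes
 * a Properties argument, and the identity passed in is the RACF ID.
 */
public class TrustedContextDataStoreHelper extends DB2UniversalDataStoreHelper {

    // Hypothetical credential file managed by the operator; an assumption for this example.
    // In production the file must be readable only by the user the application server runs as,
    // or replaced by a call into your credential store.
    private static final String CREDENTIAL_FILE = System.getProperty(
            "trustedcontext.credentials", "/var/lib/was/trusted-context-credentials.properties");

    // RACF user IDs are 1 to 8 characters drawn from letters, digits and # @ $.
    private static final String RACF_ID_PATTERN = "[A-Za-z0-9#@$]{1,8}";

    public TrustedContextDataStoreHelper(Properties props) {
        super(props);
    }

    @Override
    public String getPasswordForUseWithTrustedContextWithAuthentication(String identityname, String realm)
            throws SQLException {
        if (identityname == null || identityname.isEmpty()) {
            throw new SQLException("Trusted context identity switch requested without an end-user identity");
        }
        // Validate the identity before using it as a lookup key so that a malformed value
        // cannot select an unintended entry in the credential store.
        if (!identityname.matches(RACF_ID_PATTERN)) {
            throw new SQLException("Trusted context identity is not a syntactically valid RACF ID");
        }
        String racfId = identityname.toUpperCase();

        Properties creds = loadCredentials();
        String password = creds.getProperty(racfId);
        if (password == null || password.isEmpty()) {
            // Fail closed: returning null or "" would send an empty authentication token to DB2
            // and surface as a hard-to-diagnose authentication failure on the identity switch.
            throw new SQLException("No trusted context password configured for identity " + racfId
                    + " in realm " + realm);
        }
        // The password is returned to the application server for this one switch only.
        // Do not log it and do not cache it in the helper.
        return password;
    }

    // Reads the credential file on every call so that rotated passwords take effect immediately
    // and nothing sensitive is retained in the helper between identity switches.
    private static Properties loadCredentials() throws SQLException {
        Properties creds = new Properties();
        try (InputStream in = new FileInputStream(CREDENTIAL_FILE)) {
            creds.load(in);
        } catch (IOException e) {
            throw new SQLException("Unable to read trusted context credential file " + CREDENTIAL_FILE, e);
        }
        return creds;
    }
}
```

Deploy the class on the data source's class path, set the data source's DataStoreHelper class name to this class, set useTrustedContextWithAuthentication to true, and use the TrustedConnectionMapping login configuration; under those conditions the application server calls getPasswordForUseWithTrustedContextWithAuthentication on each identity switch and sends the returned password to DB2 without storing it. If the method throws, the identity switch fails rather than proceeding with the data source's own identity, which is the behaviour you want when an end user has no credential configured.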