Trusted connections let the application server pass the identity of the requesting user to DB2® while still taking full advantage of connection pooling. Using the DB2 trusted context object, a trusted connection separates the identity that establishes the connection from the identity that accesses the DB2 server services. The connection is established by a user whose credentials the DB2 server authorizes to open the connection and whom the DB2 server trusts to assert the identity of the requesting users when the application accesses the DB2 server.
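The DB2-side half of this arrangement is the trusted context definition. The following SQL is an added example, not part of the original page or of the IBM documentation it belongs to; the context name, the connection authorization ID (wasuser), the application server address, the role, the table and the end-user names are all assumed. It shows the security boundary the text describes: the connection identity is trusted only from a specific address, and only the listed users may be asserted on top of it.

```sql
-- Added example (not from the original page). Names, the address, the role
-- and the end users are assumed. Requires DB2 for Linux, UNIX, and Windows
-- 9.5 or later and a user with SECADM authority.

-- Privileges for switched-in users come from a role, so the connection
-- authorization ID (wasuser) itself needs no privileges on application tables.
CREATE ROLE wasrole;
GRANT SELECT, INSERT, UPDATE ON orders TO ROLE wasrole;

-- wasuser is the identity the application server uses to open the pooled
-- connection. A connection is treated as trusted only when it arrives from
-- the listed address with this SYSTEM AUTHID; any other connection by wasuser
-- is an ordinary connection and cannot switch identity.
-- WITH USE FOR restricts which end users may be asserted. WITHOUT
-- AUTHENTICATION lets the server switch on trust alone (the one-to-one
-- mapping case), so the asserted identity is only as reliable as the
-- application server's own authentication of that user.
CREATE TRUSTED CONTEXT wasctx
  BASED UPON CONNECTION USING SYSTEM AUTHID wasuser
  ATTRIBUTES (ADDRESS '192.0.2.10')
  DEFAULT ROLE wasrole
  ENABLE
  WITH USE FOR alice WITHOUT AUTHENTICATION,
               bob   WITHOUT AUTHENTICATION;

-- Verify the definition from the catalog (LUW catalog views; column names
-- as assumed here). Confirm ENABLED = 'Y' and that the ADDRESS attribute
-- matches the application server, not a broad range.
SELECT contextname, systemauthid, enabled
  FROM syscat.contexts
 WHERE contextname = 'WASCTX';
SELECT contextname, attr_name, attr_value
  FROM syscat.contextattributes
 WHERE contextname = 'WASCTX';

-- On a switched connection SYSTEM_USER still reports the connection identity
-- (WASUSER) while SESSION_USER reports the asserted end user; audit records
-- and row-level checks should key on SESSION_USER.
SELECT SYSTEM_USER, SESSION_USER FROM sysibm.sysdummy1;
```

Keeping the WITH USE FOR list explicit rather than using PUBLIC, and granting privileges to the role rather than to wasuser, limits what a compromised connection identity can do on its own: without a successful identity switch it holds no role and no table privileges.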
Before you begin
To use the trusted connection functionality, the application server must connect to a database server that is running DB2 Database for Linux®, UNIX®, and Windows® Version 9.5 or later, or DB2 Database Version 9.1 or later for z/OS®. [Updated in September 2010] You can use trusted connections if the application server is installed on iSeries® systems, as long as a supported version of DB2 is installed on a platform other than iSeries systems and you are using the DB2 universal driver. See the list of supported software for the application server for more support information. An existing J2EE Connector (J2C) data alias must exist for passing user credentials to the DB2 server when establishing a connection, meaning that container authorization must be used.
Read about Enabling trusted context for DB2 databases for steps to configure the application server to use trusted connections.
About this task
Trusted connections support client identity propagation while
taking advantage of connection pooling to reduce the performance penalty
of closing and reopening connections with a different identity. When
you select Use trusted connection (one-to-one mapping) for
the connection mapping, five custom properties are created. Review
these properties to ensure that the default values of these properties
correspond with your intended settings.
Procedure
- Click panel in the administrative console.
- Select the correct enterprise bean, and click Mapping Properties to view the properties that are set by default when you configured the trusted connection.
- Confirm that the default values assigned to these properties are correct for your environment.
Table 1. Security Properties

| Property | Default Value | Information |
| --- | --- | --- |
| com.ibm.mapping.authDataAlias | none | The value assigned to this property is the value that you selected from the menu list. |
| com.ibm.mapping.propagateSecAttrs | false | A false value specifies that the security attributes are not propagated. Change the value to true to add the RunAs subject as an opaque token in the IdentityPrincipal object. |
| com.ibm.mapping.targetRealmName | null | If this value is not specified or is null, the security runtime uses the current user realm name. This assumes that the Enterprise Information System (EIS) is using the current user realm. In this context, a realm is a logical representation of the user repository. If the application server and the DB2 server use different user repositories, set this property to the realm name of the DB2 server so that a principal or credential mapping can be set at the target EIS. |
| com.ibm.mapping.unauthenticatedUser | UNAUTHENTICATED | The user identity that the EIS uses to indicate an unauthenticated user. It is defined in com.ibm.ISecurityUtilityImpl.SecConstants.java as `public final static String UnauthenticatedString = "UNAUTHENTICATED"`. |
| com.ibm.mapping.useCallerIdentity | false | A false value specifies that the Run As identity is asserted in the IdentityPrincipal object. Change the value to true to assert the caller identity in the IdentityPrincipal object instead of the Run As identity. |
- Click OK to confirm all the current values.
- Click OK and Save on the Resource references panel to save your changes to the master configuration.
Results
After the completion of these steps and a restart of the application server, trusted connections will be used with the chosen mapping properties to connect with the DB2 database server.