IBM InfoSphere Federation Server, Version 10.1

Federated trusted contexts and trusted connections

Trusted contexts enhance system performance and minimize or eliminate the use and maintenance of user mappings.

A trusted context is a DB2® database object that defines a trust relationship between a client and a data source, for example, between an application server and a federated server or between a federated server and a remote database server. To define the trust relationship, the trusted context specifies trust attributes. There are three types of trust attributes: the system authorization ID under which the connection is made (SYSTEM AUTHID), the IP address or domain name from which the connection originates (ADDRESS), and the minimum level of data stream encryption that the connection must use (ENCRYPTION).

A trusted connection is established when all of the attributes of a connection request match the trust attributes that are specified in a trusted context object that is defined on the server. After an explicit trusted connection is established, the user can be switched on the same physical connection, with or without authentication. In addition, users can be granted roles whose privileges are for use only within the trusted connection.
This example creates a trusted context object for BOSS:
CREATE TRUSTED CONTEXT MYCTX
	BASED UPON CONNECTION USING SYSTEM AUTHID BOSS
	ATTRIBUTES (ADDRESS '9.26.111.111')
	WITH USE FOR MARY WITH AUTHENTICATION ROLE MANAGER,
		PUBLIC WITHOUT AUTHENTICATION
	DEFAULT ROLE AUDITOR
	ENABLE

In this example, only BOSS can initiate a trusted connection, and only from IP address 9.26.111.111. Mary can reuse the connection, but she must first authenticate; she then gains the additional role of MANAGER, which specifies the privileges that Mary can use within this trusted connection. Other users, specified as PUBLIC, can reuse the connection without authenticating, and they gain the additional role of AUDITOR, which specifies the privileges that they can use within this trusted connection. These additional privileges are available to users only while they are active users of the trusted connection. Note that PUBLIC WITHOUT AUTHENTICATION allows the connection to be switched to any user ID without a password, so the security of every switched user rests on BOSS's credentials and on the host at 9.26.111.111; use it only when the connecting application or federated server authenticates end users itself, and otherwise list the permitted user IDs explicitly or require WITH AUTHENTICATION.
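The following SQL is a worked example added here; it is not taken from the IBM documentation. It sets up the roles that the MYCTX example assumes, defines a tighter trusted context for a federated server that pins all three trust attribute types and lists the users who may be switched to instead of PUBLIC, and then queries the DB2 for Linux, UNIX, and Windows catalog views SYSCAT.CONTEXTS, SYSCAT.CONTEXTATTRIBUTES and SYSCAT.CONTEXTUSERS to find every entry that permits switching without authentication. The names FEDSRV, MARY, BOB, REMOTEDB, the schema SALES, the address 9.26.111.112 and the passwords are assumptions for illustration, and the federated-server options FED_PROXY_USER and USE_TRUSTED_CONTEXT in the last step are given from memory of Federation Server syntax rather than from this page, so verify them against your release.

```sql
-- Added example (not from the IBM documentation). Steps 1-4 run on the remote
-- DB2 server that the federated server connects to; step 5 runs on the
-- federated server. SALES.ORDERS, FEDSRV, MARY, BOB and REMOTEDB are assumed
-- names; 9.26.111.112 is an assumed federated-server address.

-- 1. Roles carry the privileges that are usable only inside the trusted
--    connection. Nothing is granted to the users directly.
CREATE ROLE MANAGER;
CREATE ROLE AUDITOR;
GRANT SELECT, INSERT, UPDATE ON SALES.ORDERS TO ROLE MANAGER;
GRANT SELECT ON SALES.ORDERS TO ROLE AUDITOR;

-- 2. A trusted context for the federated server's proxy ID FEDSRV that pins
--    all three trust attribute types. ENCRYPTION 'LOW' is the minimum level,
--    so a connection from the right address without an encrypted data stream
--    does not match and gets a regular connection. Only the listed users can
--    be switched to; there is no PUBLIC entry, so an arbitrary user ID cannot
--    be assumed on the connection, and no default role is handed out.
CREATE TRUSTED CONTEXT FEDCTX
    BASED UPON CONNECTION USING SYSTEM AUTHID FEDSRV
    ATTRIBUTES (ADDRESS '9.26.111.112',
                ENCRYPTION 'LOW')
    WITH USE FOR MARY WITH AUTHENTICATION ROLE MANAGER,
                 BOB  WITHOUT AUTHENTICATION ROLE AUDITOR
    NO DEFAULT ROLE
    ENABLE;

-- 3. Review check: list every (context, user) pair that allows a switch
--    without authentication. A row with AUTHID = 'PUBLIC' means any user ID
--    can be assumed on that trusted connection once the originator's
--    credentials or host are compromised.
SELECT c.CONTEXTNAME,
       c.SYSTEMAUTHID,
       c.ENABLED,
       u.AUTHID,
       u.AUTHIDTYPE,
       u.ROLE
  FROM SYSCAT.CONTEXTS     AS c
  JOIN SYSCAT.CONTEXTUSERS AS u
    ON u.CONTEXTNAME = c.CONTEXTNAME
 WHERE u.AUTHENTICATE = 'N'
 ORDER BY c.CONTEXTNAME, u.AUTHID;

-- 4. Show which hosts and what encryption level each context requires.
SELECT CONTEXTNAME, ATTR_NAME, ATTR_VALUE
  FROM SYSCAT.CONTEXTATTRIBUTES
 ORDER BY CONTEXTNAME, ATTR_NAME;

-- 5. On the federated server (option names assumed; verify for your release):
--    FEDSRV's own mapping requests the trusted connection, the server is told
--    to use FEDSRV as the proxy, and Mary needs only a mapping that supplies
--    the password the WITH AUTHENTICATION switch requires. Bob, who switches
--    WITHOUT AUTHENTICATION, needs no user mapping at all.
CREATE USER MAPPING FOR FEDSRV SERVER REMOTEDB
    OPTIONS (REMOTE_AUTHID 'FEDSRV',
             REMOTE_PASSWORD 'fedsrv-secret',
             USE_TRUSTED_CONTEXT 'Y');
ALTER SERVER REMOTEDB OPTIONS (ADD FED_PROXY_USER 'FEDSRV');
CREATE USER MAPPING FOR MARY SERVER REMOTEDB
    OPTIONS (REMOTE_AUTHID 'MARY',
             REMOTE_PASSWORD 'mary-secret');
```

Run the two SELECT statements after every change to a trusted context; an empty result from step 3 means no user can be switched to without a password, which is the posture to aim for unless the connecting server is the component that authenticates end users.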

A trusted connection is either explicit or implicit. The type of connection determines whether the connection can be reused and whether users can gain additional roles.

An implicit trusted connection is established when a trusted connection is not explicitly requested but the connection attributes match the trust attributes of a trusted context object on the server. After an implicit trusted connection is established, only the originator of the trusted connection can inherit roles that are not otherwise available to that user. An implicit trusted connection cannot be reused by other users.

An explicit trusted connection is established when an application uses an API to request a trusted connection and the connection attributes match the trust attributes of a trusted context. If the attributes do not match, a regular, non-trusted connection is established instead. After an explicit trusted connection is established, other users can reuse the connection, and both the connection originator and the users who reuse it can inherit additional roles that are not otherwise available to them.



Last updated: 2012-05-18