DB2 Version 9.7 for Linux, UNIX, and Windows

IBM Data Server Driver for JDBC and SQLJ security plugin support

You can create your own authentication mechanisms in the form of loadable libraries, or plugins, that DB2® for Linux, UNIX, and Windows loads to perform user authentication. To support development of security plugins in Java™, the IBM® Data Server Driver for JDBC and SQLJ provides security plugin support.

IBM Data Server Driver for JDBC and SQLJ security plugin support is available for IBM Data Server Driver for JDBC and SQLJ type 4 connectivity to DB2 for Linux, UNIX, and Windows servers only.

To use plugin security, you need a security plugin on the client and another plugin on the server.

The security plugins need to include the following things:

A class that extends the com.ibm.db2.jcc.DB2JCCPlugin abstract class
The com.ibm.db2.jcc.DB2JCCPlugin abstract class is provided with the IBM Data Server Driver for JDBC and SQLJ.
Within the com.ibm.db2.jcc.DB2JCCPlugin class, a com.ibm.db2.jcc.DB2JCCPlugin.getTicket method
This method retrieves a Kerberos ticket for a user and returns security context information in a byte array. The information in the byte array is used by the IBM Data Server Driver for JDBC and SQLJ to access the data server.
Implementations of several methods that are defined in the org.ietf.jgss.GSSContext and org.ietf.jgss.GSSCredential interfaces
These method implementations need to follow the Generic Security Service Application Program Interface, Version 2 (IETF RFC2743) and Generic Security Service API Version 2: Java-Bindings (IETF RFC2853) specifications. The plugin must implement and call the following methods:
GSSContext.dispose

Releases any system resources and cryptographic information that are stored in a context object, and invalidates the context.

GSSContext.getCredDelegState

Determines whether credential delegation is enabled on a context.

GSSContext.getMutualAuthState

Determines whether mutual authentication is enabled on the context.

GSSContext.initSecContext

Starts the context creation phase, and processes any tokens that are generated by the peer's acceptSecContext method.

GSSContext.requestCredDeleg

Requests that the credentials of the initiator are delegated to the acceptor when a context is established.

GSSContext.requestMutualAuth

Requests mutual authentication when a context is established.

GSSCredential.dispose

Releases any sensitive information that the GSSCredential object contains.

Two Java plugin samples are provided in sqllib/samples/java/jdbc to help you write Java security plugins:

JCCSimpleGSSPlugin.java: An implementation of a GSS-API plugin for the server, which performs user ID and password checking. This sample is a Java version of the C language sample program gssapi_simple.c.
JCCKerberosPlugin.java: A Kerberos security plugin for the client. This sample is a Java version of the C language sample program IBMkrb5.c.

When an application program obtains a connection using JDBC plugin security, it needs to set the following Connection or DataSource properties:

Table 1. Connection or DataSource property settings for Java security plugin use
Property	Setting
com.ibm.db2.jcc.DB2BaseDataSource.user	The user ID under which the Connection is to be obtained
com.ibm.db2.jcc.DB2BaseDataSource.password	The password for the user ID
com.ibm.db2.jcc.DB2BaseDataSource.securityMechanism	com.ibm.db2.jcc.DB2BaseDataSource.PLUGIN_SECURITY
com.ibm.db2.jcc.DB2BaseDataSource.pluginName	The name of the plugin module for a server-side security plugin
com.ibm.db2.jcc.DB2BaseDataSource.plugin	The plugin object for a client-side security plugin

Example: The following code sets the properties for a connection that uses GSS-API plugin security. The connection uses the JCCSimpleGSSPlugin sample plugin on the client side, and the gssapi_simple sample plugin on the server side.

java.util.Properties properties = new java.util.Properties();
properties.put("user", "db2admin");
properties.put("password", "admindb2");
properties.put("pluginName", "gssapi_simple");
properties.put("securityMechanism",
  new String(""+com.ibm.db2.jcc.DB2BaseDataSource.PLUGIN_SECURITY+""));
com.ibm.db2.jcc.DB2JCCPlugin plugin = 
  new com.ibm.db2.jcc.samples.plugins.JCCSimpleGSSplugin();
properties.put("plugin", plugin);
Connection con = java.sql.DriverManager.getConnection(url, 
  properties);