You can create your own authentication mechanisms in the
form of loadable libraries, or plugins, that DB2® for Linux, UNIX, and Windows loads
to perform user authentication. To support development of security
plugins in Java™, the IBM® Data Server Driver for JDBC and SQLJ provides
security plugin support.
IBM Data Server Driver for JDBC and SQLJ security
plugin support is available for IBM Data Server Driver for JDBC and SQLJ type 4 connectivity to DB2 for Linux, UNIX, and Windows servers
only.
To use plugin security, you need a security plugin on the client
and another plugin on the server.
The security plugins need to include the following things:
- A class that extends the com.ibm.db2.jcc.DB2JCCPlugin abstract class. The com.ibm.db2.jcc.DB2JCCPlugin abstract class is provided with the IBM Data Server Driver for JDBC and SQLJ.
- Within the com.ibm.db2.jcc.DB2JCCPlugin class, a com.ibm.db2.jcc.DB2JCCPlugin.getTicket method. This method retrieves a Kerberos ticket for a user and returns security context information in a byte array. The information in the byte array is used by the IBM Data Server Driver for JDBC and SQLJ to access the data server.
- Implementations of several methods that are defined in the org.ietf.jgss.GSSContext and org.ietf.jgss.GSSCredential interfaces. These method implementations need to follow the Generic Security Service Application Program Interface, Version 2 (IETF RFC 2743) and Generic Security Service API Version 2: Java-Bindings (IETF RFC 2853) specifications.
The plugin must implement and call the following methods:
- GSSContext.dispose: Releases any system resources and cryptographic information that are stored in a context object, and invalidates the context.
- GSSContext.getCredDelegState: Determines whether credential delegation is enabled on a context.
- GSSContext.getMutualAuthState: Determines whether mutual authentication is enabled on the context.
- GSSContext.initSecContext: Starts the context creation phase, and processes any tokens that are generated by the peer's acceptSecContext method.
- GSSContext.requestCredDeleg: Requests that the credentials of the initiator are delegated to the acceptor when a context is established.
- GSSContext.requestMutualAuth: Requests mutual authentication when a context is established.
- GSSCredential.dispose: Releases any sensitive information that the GSSCredential object contains.
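As an added illustration of the structure just described (this is not one of the DB2 sample plugins and not IBM's code), the following Java class extends com.ibm.db2.jcc.DB2JCCPlugin and forwards the listed GSSContext and GSSCredential calls to the JDK's own Kerberos V5 provider behind the standard org.ietf.jgss API (RFC 2853). The getTicket signature (String username, String password, byte[] returnedToken), the assumption that DB2JCCPlugin supplies defaults for the GSSContext methods the list above does not mention, the class name DelegatingKerberosPlugin and the service name "db2@host.example.com" are assumptions made for this example; the org.ietf.jgss calls are the standard API.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Client-side DB2 security plugin that delegates the GSS-API work to the
 * JDK Kerberos V5 provider. Assumptions not stated by the documentation:
 *  - DB2JCCPlugin declares getTicket(String, String, byte[]) returning
 *    byte[], the third argument being the server's last token (null first);
 *  - DB2JCCPlugin provides defaults for the GSSContext methods not listed
 *    on the page, so only the listed ones are implemented here;
 *  - the client's Kerberos credential is already available to the JDK
 *    provider (JAAS Subject or ticket cache), so the password is not used.
 */
public class DelegatingKerberosPlugin extends com.ibm.db2.jcc.DB2JCCPlugin {

    // Kerberos V5 mechanism OID (IANA-registered value).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    // Host-based service name of the data server, e.g. "db2@host.example.com"
    // (constructed example value, supplied by whoever creates the plugin).
    private final String serviceName;

    private GSSCredential credential;         // the initiator's own credential
    private GSSContext context;               // the real GSS-API context
    private boolean mutualAuthWanted = true;  // flags requested before the context exists
    private boolean credDelegWanted = false;

    public DelegatingKerberosPlugin(String serviceName) {
        this.serviceName = serviceName;
    }

    // Creates the underlying context on first use and applies the requested flags.
    private GSSContext context() throws GSSException {
        if (context == null) {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_MECH_OID);
            credential = manager.createCredential(GSSCredential.INITIATE_ONLY);
            GSSName target = manager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE, krb5);
            context = manager.createContext(target, krb5, credential, GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(mutualAuthWanted);
            context.requestCredDeleg(credDelegWanted);
        }
        return context;
    }

    // One step of the context-establishment exchange: the returned bytes are the
    // token the driver sends to the server; the server's reply arrives as
    // returnedToken on the next call (assumed calling convention).
    public byte[] getTicket(String username, String password, byte[] returnedToken)
            throws GSSException {
        byte[] in = (returnedToken == null) ? new byte[0] : returnedToken;
        return context().initSecContext(in, 0, in.length);
    }

    public byte[] initSecContext(byte[] inputBuf, int offset, int len) throws GSSException {
        return context().initSecContext(inputBuf, offset, len);
    }

    public void requestMutualAuth(boolean state) throws GSSException {
        mutualAuthWanted = state;
        if (context != null) {
            context.requestMutualAuth(state);
        }
    }

    public boolean getMutualAuthState() {
        return (context != null) ? context.getMutualAuthState() : mutualAuthWanted;
    }

    public void requestCredDeleg(boolean state) throws GSSException {
        credDelegWanted = state;
        if (context != null) {
            context.requestCredDeleg(state);
        }
    }

    public boolean getCredDelegState() {
        return (context != null) ? context.getCredDelegState() : credDelegWanted;
    }

    // GSSContext.dispose and GSSCredential.dispose from the list above: drop the
    // references first so a failure cannot leave a half-released context in use.
    public void dispose() throws GSSException {
        GSSContext c = context;
        GSSCredential cred = credential;
        context = null;
        credential = null;
        try {
            if (c != null) {
                c.dispose();
            }
        } finally {
            if (cred != null) {
                cred.dispose();
            }
        }
    }
}
```

An application would construct the plugin with the data server's service name and pass the object as the plugin property. Mutual authentication is requested by default, so the client also verifies the server's identity during context establishment, and credential delegation stays off unless the application asks for it; dispose releases both the context and the credential so that no key material lingers once the connection is made.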
Two Java plugin samples are provided in sqllib/samples/java/jdbc to help you write Java security plugins:
- JCCSimpleGSSPlugin.java: An implementation of a GSS-API plugin for the server, which performs user ID and password checking. This sample is a Java version of the C language sample program gssapi_simple.c.
- JCCKerberosPlugin.java: A Kerberos security plugin for the client. This sample is a Java version of the C language sample program IBMkrb5.c.
When an application program obtains a connection using JDBC plugin security, it needs to set the following Connection or DataSource properties:

Table 1. Connection or DataSource property settings for Java security plugin use

  Property                                               Setting
  com.ibm.db2.jcc.DB2BaseDataSource.user                 The user ID under which the Connection is to be obtained
  com.ibm.db2.jcc.DB2BaseDataSource.password             The password for the user ID
  com.ibm.db2.jcc.DB2BaseDataSource.securityMechanism    com.ibm.db2.jcc.DB2BaseDataSource.PLUGIN_SECURITY
  com.ibm.db2.jcc.DB2BaseDataSource.pluginName           The name of the plugin module for a server-side security plugin
  com.ibm.db2.jcc.DB2BaseDataSource.plugin               The plugin object for a client-side security plugin
Example: The following code sets the properties for a connection
that uses GSS-API plugin security. The connection uses the JCCSimpleGSSPlugin
sample plugin on the client side, and the gssapi_simple sample plugin
on the server side.
// JDBC URL of the data server; the host, port and database values are placeholders.
String url = "jdbc:db2://<host>:<port>/<database>";

java.util.Properties properties = new java.util.Properties();
properties.put("user", "db2admin");
properties.put("password", "admindb2");
// Name of the server-side plugin module.
properties.put("pluginName", "gssapi_simple");
// securityMechanism is passed as the string form of the PLUGIN_SECURITY constant.
properties.put("securityMechanism",
    String.valueOf(com.ibm.db2.jcc.DB2BaseDataSource.PLUGIN_SECURITY));
// Client-side plugin object (the JCCSimpleGSSPlugin sample).
com.ibm.db2.jcc.DB2JCCPlugin plugin =
    new com.ibm.db2.jcc.samples.plugins.JCCSimpleGSSPlugin();
properties.put("plugin", plugin);
java.sql.Connection con = java.sql.DriverManager.getConnection(url, properties);