Login user exit scenarios
You can log in to the library server by using login user exit routines.
The following scenarios depend on whether you are an IBM® Content Manager administrator or nonadministrative user who is logging in to the library server. In addition, there are scenarios when Allow trusted logon is selected for user authentication.
- Type of IBM Content Manager user
  - IBM Content Manager administrator
    - This user is defined in IBM Content Manager and in the operating system. In addition, this user must be part of the database administrator group. For example, the default is ICMADMIN.
  - Non-administrative user
    - This user is defined only in IBM Content Manager; that is, the user is not defined in the operating system.
- Server connection
  - SERVERREPTYPE
    - SERVERREPTYPE is a parameter in the cmbicmsrvs.ini file. This file is on the same workstation as your client. One of the following values indicates how the client connects to the IBM Content Manager library server.
      - Db2®
        - Tells the API to use the user ID and password that is entered in the login window to connect to Db2 on the server. If the DB2 connection fails, the shared connection ID and password are used in a second attempt to connect.
      - DB2CON
        - Tells the API to use the shared client ID and password on the first connection. Therefore, the user is a nonadministrative user and can connect only through the shared connection ID.
- Login User Exit
  - The action that is used by the IBM Content Manager library server to authenticate a user varies depending on whether a login user exit routine is configured.
- Trusted logon
  - Trusted logon allows IBM Content Manager users to have access to the library server without prompting for an additional password.
The following scenarios apply to a configuration where trusted logon is not enabled.
IBM Content Manager user type | Is a logon user exit routine in place? | API logic | Server logic |
---|---|---|---|
Administrator | N | The API connects to the database using the user ID and password entered on the login window. Login succeeds. | DB2 allows the connection because this user has authority to connect to Db2. IBM Content Manager confirms that the connection ID is the same as the IBM Content Manager user ID. It does not perform password authentication because that analysis was already done by DB2. |
Administrator | Y | The API connects to the database using the user ID and password entered on the login window. Login succeeds. | DB2 allows the connection because this ID is the administrator who has authority to connect to Db2. The user exit is loaded. The user logs on successfully because either of the following conditions are true: |
IBM Content Manager user (nonadministrator) | N | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager uses its own logic to authenticate the IBM Content Manager user password. |
IBM Content Manager user (nonadministrator) | Y | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user IDs are different. IBM Content Manager also confirms that a login user exit is in place and invokes the login user exit to authenticate the IBM Content Manager user ID. If the exit fails to authenticate the user, IBM Content Manager performs its own authentication by using the user's IBM Content Manager password. |
IBM Content Manager user with the privilege SystemSuperDomainAdmin and with a null password in IBM Content Manager (nonadministrator) | N | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user IDs are different. IBM Content Manager password authentication fails with exception ICM7172: The password provided is invalid for this user or it is NULL. Users with the administrative privilege SystemSuperDomainAdmin are required to have a password to log on to IBM Content Manager. |
IBM Content Manager user with the privilege SystemSuperDomainAdmin and with a null password in IBM Content Manager (nonadministrator) | Y | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user IDs are different. IBM Content Manager also confirms that a login user exit routine is in place and invokes it to authenticate the IBM Content Manager user ID. If the user exit routine fails to authenticate the user, IBM Content Manager performs its own password authentication by using the user's IBM Content Manager password. IBM Content Manager password authentication fails with the exception ICM7172: The password provided is invalid for this user or it is NULL. |
The following scenarios describe when the SERVERREPTYPE parameter is set to DB2CON.
IBM Content Manager user type | Is a logon user exit routine in place? | API logic | Server logic |
---|---|---|---|
Administrator | N | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager does not allow IBM Content Manager administrators to log in with the shared connection ID and returns an error code of 7271. On the second login call, IBM Content Manager confirms that the connection ID is the same as the IBM Content Manager user ID and bypasses password authentication. |
Administrator | Y | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager does not allow IBM Content Manager administrators to log in with the shared connection ID, and returns an error code of 7271. On the second login call, IBM Content Manager confirms that the connection ID is the same as the IBM Content Manager user ID and bypasses password authentication, regardless of the presence of the login user exit routine. |
IBM Content Manager user (nonadministrator) | N | The API connects to the database with the shared connection user ID because the SERVERREPTYPE is DB2CON. Tip: The initial attempt with the user ID and password from the logon window is skipped. | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different, and uses its own logic to authenticate the IBM Content Manager user password. |
IBM Content Manager user (nonadministrator) | Y | The API connects to the database with the shared connection user ID because the SERVERREPTYPE is DB2CON. Tip: The initial attempt with the user ID and password from the login window is skipped. | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager also confirms that a login user exit is in place and invokes it to authenticate the IBM Content Manager user ID. If the exit fails to authenticate the user, IBM Content Manager performs its own authentication by using the user's IBM Content Manager password. |
- Enable the Shared Connection ID for trusted log on:
  - Open the system administration client.
  - Click .
  - Clear the check box Password is required for all users.
- Enable the library server configuration flag Allow trusted logon. From the system administration client, click . Ensure that Allow trusted logon is selected.
- Include the AllowTrustedLogon privilege in the IBM Content Manager users' privilege set. To verify, go to the system administration client and open the user's properties panel. Ensure that the privilege set for the user contains the AllowTrustedLogon privilege.

IBM Content Manager user type | Is a logon user exit routine in place? | API logic | Server logic |
---|---|---|---|
Administrator | Y or N | The API connects to the database by using the user ID and password entered on the login window. Login succeeds. | DB2 allows the connection because this user has authority to connect to Db2. IBM Content Manager confirms that the connection ID is the same as the IBM Content Manager user ID. It does not perform password authentication because that analysis has already been done by Db2. |
IBM Content Manager user (nonadministrator) | N | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user IDs are different. If Allow trusted logon is enabled, IBM Content Manager bypasses any password authentication. |
IBM Content Manager user (nonadministrator) | Y | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user IDs are different. IBM Content Manager also confirms that a login user exit is in place and invokes it to authenticate the IBM Content Manager user ID. If the user exit routine authenticates the user, log on is successful. If the user exit routine fails to authenticate the user, but trusted log on is enabled, log on is successful. |
IBM Content Manager user with a null password and the privilege SystemSuperDomainAdmin (nonadministrator) | N | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user IDs are different. IBM Content Manager password authentication fails with exception ICM7172: The password provided is invalid for this user or it is NULL. Users with the administrative privilege SystemSuperDomainAdmin are required to have a password to log on to IBM Content Manager. Trusted log on does not apply to users with a null password and the IBM Content Manager administrative privilege. |
IBM Content Manager user with a null password and the privilege SystemSuperDomainAdmin (nonadministrator) | Y | | DB2 allows the connection because the shared connection ID has the authority to connect to Db2. IBM Content Manager confirms that the connection ID and IBM Content Manager user IDs are different. IBM Content Manager also confirms that a login user exit routine is in place and invokes it to authenticate the IBM Content Manager user ID. If the user exit routine fails to authenticate the user, IBM Content Manager performs its own password authentication by using the user's IBM Content Manager password. IBM Content Manager password authentication fails with the exception ICM7172: The password provided is invalid for this user or it is NULL. Users with the administrative privilege SystemSuperDomainAdmin are required to have a password to log on to IBM Content Manager. Trusted log on does not apply to users with a null password and the IBM Content Manager administrative privilege. |
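
The "Server logic" column of the tables above can be modelled as one decision function and used to audit which accounts log on over the shared connection ID without any password being verified. This is an added example, not IBM code: `Account`, `server_logic`, `accepts_any_password`, the sample accounts and the `SHAREDCONN` ID are hypothetical, passwords are compared as plain strings for illustration, and cases the tables do not describe are marked as assumptions in the comments.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Account:  # hypothetical audit record, not an IBM Content Manager structure
    user_id: str
    cm_password: Optional[str]         # None models a null password
    db_admin: bool = False             # administrator: also an OS/database user
    super_domain_admin: bool = False   # holds SystemSuperDomainAdmin
    allow_trusted_logon: bool = False  # privilege set has AllowTrustedLogon

ExitRoutine = Callable[[str, str], bool]

def server_logic(acct: Account, connection_id: str, supplied_pw: str, *,
                 exit_routine: Optional[ExitRoutine] = None,
                 trusted_logon: bool = False) -> tuple:
    """Return (outcome, path) for one login call, per the 'Server logic' column."""
    if connection_id == acct.user_id:
        # Same ID: Db2 already authenticated, no Content Manager password check.
        return ("success", "db2-authenticated")
    if acct.db_admin:
        # Administrators may not log in over the shared connection ID.
        return ("7271", "admin-on-shared-id")
    if exit_routine is not None and exit_routine(acct.user_id, supplied_pw):
        return ("success", "user-exit")
    if acct.super_domain_admin and acct.cm_password is None:
        # Trusted logon does not apply to this combination.
        return ("ICM7172", "cm-password")
    if trusted_logon and acct.allow_trusted_logon:
        # Assumption: applies to every other account holding the privilege.
        return ("success", "trusted-logon")
    if acct.cm_password is not None and supplied_pw == acct.cm_password:
        return ("success", "cm-password")
    return ("failed", "cm-password")  # assumption: generic failure label

def accepts_any_password(accounts, shared_id, **config):
    """Audit: user IDs that log on over the shared ID with a wrong password."""
    wrong = "constructed-wrong-password"
    return [a.user_id for a in accounts
            if server_logic(a, shared_id, wrong, **config)[0] == "success"]

# Constructed sample accounts and shared connection ID.
SHARED_ID = "SHAREDCONN"
ACCOUNTS = [
    Account("ICMADMIN", "x", db_admin=True),
    Account("clerk1", "pw1", allow_trusted_logon=True),
    Account("clerk2", "pw2"),
    Account("domadm", None, super_domain_admin=True, allow_trusted_logon=True),
]
def deny_all(user_id, password):  # exit routine that never authenticates
    return False
```

With trusted logon enabled, the audit returns only the account that holds AllowTrustedLogon and is neither an administrator nor a null-password SystemSuperDomainAdmin; for that account, access depends entirely on who can use the shared connection ID.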