Login user exit scenarios

You can log in to the library server by using login user exit routines.

The following scenarios depend on whether you are an IBM® Content Manager administrator or nonadministrative user who is logging in to the library server. In addition, there are scenarios when Allow trusted logon is selected for user authentication.

The following list defines the variables in these scenarios:

Type of IBM Content Manager user
  IBM Content Manager administrator
    This user is defined in IBM Content Manager and in the operating system. In addition, this user must be part of the database administrator group. For example, the default is ICMADMIN.
  Non-administrative user
    This user is defined only in IBM Content Manager, that is, the user is not defined in the operating system.
Server connection
  SERVERREPTYPE
    SERVERREPTYPE is a parameter in the cmbicmsrvs.ini file. This file is on the same workstation as your client. One of the following values indicates how the client connects to the IBM Content Manager library server.
  Db2®
    Tells the API to use the user ID and password that are entered in the login window to connect to Db2 on the server. If the DB2 connection fails, the shared connection ID and password are used in a second attempt to connect.
  DB2CON
    Tells the API to use the shared client ID and password on the first connection. This setting is intended for nonadministrative users, who can connect only through the shared connection ID.
Login user exit
  The action that the IBM Content Manager library server uses to authenticate a user varies depending on whether a login user exit routine is configured.
Trusted logon
  Trusted logon allows IBM Content Manager users to have access to the library server without prompting for an additional password.

The following scenarios apply to a configuration where trusted logon is not enabled.

Table 1. Logon scenarios. IBM Content Manager Version 8 logon scenarios. SERVERREPTYPE is Db2
Columns: IBM Content Manager user type; Is a logon user exit routine in place?; API logic; Server logic

User type: Administrator
Logon user exit routine in place: N
API logic: The API connects to the database using the user ID and password entered on the login window. Login succeeds.
Server logic:
  DB2 allows the connection because this user has authority to connect to Db2.
  IBM Content Manager confirms that the connection ID is the same as the IBM Content Manager user ID. It does not perform password authentication because that analysis was already done by DB2.

User type: Administrator
Logon user exit routine in place: Y
API logic: The API connects to the database using the user ID and password entered on the login window. Login succeeds.
Server logic:
  DB2 allows the connection because this ID is the administrator who has authority to connect to Db2.
  The user exit is loaded.
  The user logs on successfully because either of the following conditions is true:
    • The user exit routine authenticated the user, thus bypassing the IBM Content Manager password authentication.
    • The user exit routine did not authenticate the user, but because the password authentication was already performed by Db2, the user logs on successfully.

User type: IBM Content Manager user (nonadministrator)
Logon user exit routine in place: N
API logic:
  • The API connects to the database with the user ID and password entered on the login window and fails.
  • The API connects to the database with the shared connection ID and password and login succeeds.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager uses its own logic to authenticate the IBM Content Manager user password.

User type: IBM Content Manager user (nonadministrator)
Logon user exit routine in place: Y
API logic:
  • The API connects to the database with the user ID and password entered on the login window and fails.
  • The API connects to the database with the shared connection ID and password and login succeeds.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager also confirms that a login user exit is in place and invokes the login user exit to authenticate the IBM Content Manager user ID. If the exit fails to authenticate the user, IBM Content Manager performs its own authentication by using the user's IBM Content Manager password.

User type: IBM Content Manager user with the privilege SystemSuperDomainAdmin and with a null password in IBM Content Manager (nonadministrator)
Logon user exit routine in place: N
API logic:
  • The API connects to the database with the user ID and password entered on the login window and fails.
  • The API connects to the database with the shared connection ID and password and login succeeds.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager password authentication fails with exception ICM7172: The password provided is invalid for this user or it is NULL.
  Users with the administrative privilege SystemSuperDomainAdmin are required to have a password to log on to IBM Content Manager.

User type: IBM Content Manager user with the privilege SystemSuperDomainAdmin and with a null password in IBM Content Manager (nonadministrator)
Logon user exit routine in place: Y
API logic:
  • The API connects to the database with the user ID and password entered on the login window and fails.
  • The API connects to the database with the shared connection ID and password and login succeeds.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager also confirms that a login user exit routine is in place and invokes it to authenticate the IBM Content Manager user ID.
  If the user exit routine fails to authenticate the user, IBM Content Manager performs its own password authentication by using the user's IBM Content Manager password. IBM Content Manager password authentication fails with the exception ICM7172: The password provided is invalid for this user or it is NULL.

The following scenarios apply when the SERVERREPTYPE parameter is set to DB2CON.

Table 2. Logon scenarios. Various IBM Content Manager Version 8 login scenarios. SERVERREPTYPE is DB2CON
Columns: IBM Content Manager user type; Is a logon user exit routine in place?; API logic; Server logic

User type: Administrator
Logon user exit routine in place: N
API logic:
  • The API connects to the database with the shared connection user ID because the SERVERREPTYPE is DB2CON.
  • The API catches the 7271 login error and connects again to the database using the IBM Content Manager user ID and password entered on the login window.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager does not allow IBM Content Manager administrators to log in with the shared connection ID and returns an error code of 7271. On the second login call, IBM Content Manager confirms that the connection ID is the same as the IBM Content Manager user ID and bypasses password authentication.

User type: Administrator
Logon user exit routine in place: Y
API logic:
  • The API connects to the database with the shared connection user ID because the SERVERREPTYPE is DB2CON.
  • The API catches the 7271 login error and connects again to the database using the IBM Content Manager user ID and password entered on the login window.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager does not allow IBM Content Manager administrators to log in with the shared connection ID, and returns an error code of 7271. On the second login call, IBM Content Manager confirms that the connection ID is the same as the IBM Content Manager user ID and bypasses password authentication, regardless of the presence of the login user exit routine.

User type: IBM Content Manager user (nonadministrator)
Logon user exit routine in place: N
API logic: The API connects to the database with the shared connection user ID because the SERVERREPTYPE is DB2CON.
  Tip: The initial attempt with the user ID and password from the login window is skipped.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different, and uses its own logic to authenticate the IBM Content Manager user password.

User type: IBM Content Manager user (nonadministrator)
Logon user exit routine in place: Y
API logic: The API connects to the database with the shared connection user ID because the SERVERREPTYPE is DB2CON.
  Tip: The initial attempt with the user ID and password from the login window is skipped.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager also confirms that a login user exit is in place and invokes it to authenticate the IBM Content Manager user ID. If the exit fails to authenticate the user, IBM Content Manager performs its own authentication by using the user's IBM Content Manager password.

You can bypass password authentication for any IBM Content Manager user by configuring your system to allow trusted logon:
  1. Enable the shared connection ID for trusted logon:
    1. Open the system administration client.
    2. Click Tools > Manage Database Connection ID > Change Shared Database Connection ID and Password.
    3. Clear the check box Password is required for all users.
    By default, it is disabled.
  2. Enable the library server configuration flag Allow trusted logon. From the system administration client, click Library Server Parameters > Configurations > Library Server Configuration. Ensure that Allow trusted logon is selected.
  3. Include the AllowTrustedLogon privilege in the IBM Content Manager users' privilege set. To verify, go to the system administration client and open the user's properties panel. Ensure that the privilege set for the user contains the AllowTrustedLogon privilege.
If you are using the trusted logon configuration, the following login scenarios apply. The SERVERREPTYPE parameter for all scenarios can be Db2 or DB2CON.
Table 3. Logon scenarios. IBM Content Manager Version 8 login scenarios with trusted logon enabled. SERVERREPTYPE is Db2 or DB2CON
Columns: IBM Content Manager user type; Is a logon user exit routine in place?; API logic; Server logic

User type: Administrator
Logon user exit routine in place: Y or N
API logic: The API connects to the database by using the user ID and password entered on the login window. Login succeeds.
Server logic:
  DB2 allows the connection because this user has authority to connect to Db2.
  IBM Content Manager confirms that the connection ID is the same as the IBM Content Manager user ID. It does not perform password authentication because that analysis has already been done by Db2.

User type: IBM Content Manager user (nonadministrator)
Logon user exit routine in place: N
API logic:
  • The API connects to the database with the user ID and password entered on the login window and fails.
  • The API connects to the database with the shared connection ID and password and login succeeds.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. Because trusted logon is enabled, IBM Content Manager bypasses any password authentication.

User type: IBM Content Manager user (nonadministrator)
Logon user exit routine in place: Y
API logic:
  • The API connects to the database with the user ID and password entered on the login window and fails.
  • The API connects to the database with the shared connection ID and password and login succeeds.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager also confirms that a login user exit is in place and invokes it to authenticate the IBM Content Manager user ID.
  If the user exit routine authenticates the user, logon is successful. If the user exit routine fails to authenticate the user, but trusted logon is enabled, logon is successful.

User type: IBM Content Manager user with a null password and the privilege SystemSuperDomainAdmin (nonadministrator)
Logon user exit routine in place: N
API logic:
  • The API connects to the database with the user ID and password entered on the login window and fails.
  • The API connects to the database with the shared connection ID and password and login succeeds.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager password authentication fails with exception ICM7172: The password provided is invalid for this user or it is NULL.
  Users with the administrative privilege SystemSuperDomainAdmin are required to have a password to log on to IBM Content Manager. Trusted logon does not apply to users with a null password and the IBM Content Manager administrative privilege.

User type: IBM Content Manager user with a null password and the privilege SystemSuperDomainAdmin (nonadministrator)
Logon user exit routine in place: Y
API logic:
  • The API connects to the database with the user ID and password entered on the login window and fails.
  • The API connects to the database with the shared connection ID and password and login succeeds.
Server logic:
  DB2 allows the connection because the shared connection ID has the authority to connect to Db2.
  IBM Content Manager confirms that the connection ID and IBM Content Manager user ID are different. IBM Content Manager also confirms that a login user exit routine is in place and invokes it to authenticate the IBM Content Manager user ID.
  If the user exit routine fails to authenticate the user, IBM Content Manager performs its own password authentication by using the user's IBM Content Manager password. IBM Content Manager password authentication fails with the exception ICM7172: The password provided is invalid for this user or it is NULL.
  Users with the administrative privilege SystemSuperDomainAdmin are required to have a password to log on to IBM Content Manager. Trusted logon does not apply to users with a null password and the IBM Content Manager administrative privilege.
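The following Python is an added example, not IBM code: it models the decision order that the three tables above describe (the API's connection attempts by SERVERREPTYPE, the 7271 retry for administrators, and the server's check order of connection ID, login user exit, SystemSuperDomainAdmin null password, trusted logon, and Content Manager password), so a reviewer can see exactly which configurations bypass password authentication. The names Request, api_connect, server_logic and logon, the shared ID value and the password store are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the logon flow these tables describe (added example,
# not IBM's code). All class and function names here are assumptions.
SHARED_ID = "sharedconn"   # constructed shared database connection ID
ICM7172 = "ICM7172: The password provided is invalid for this user or it is NULL"
# Constructed IBM Content Manager password store; None models a null password.
CM_PASSWORDS = {"alice": "s3cret", "sda": None}

@dataclass
class Request:
    user_id: str
    password: Optional[str]
    os_admin: bool = False                # defined in the OS and Db2 admin group
    exit_accepts: Optional[bool] = None   # None: no login user exit in place
    super_domain_admin: bool = False      # holds SystemSuperDomainAdmin

def api_connect(user: Request, serverreptype: str) -> str:
    """API logic: return the Db2 connection ID the client ends up using."""
    attempts = [user.user_id, SHARED_ID]
    if serverreptype == "DB2CON":
        attempts.reverse()                # shared ID is tried first
    for conn_id in attempts:
        if conn_id == SHARED_ID and user.os_admin:
            continue                      # server returns 7271; API retries with own ID
        if conn_id == SHARED_ID or user.os_admin:
            return conn_id                # Db2 grants this ID a connection
        # a user defined only in Content Manager has no Db2 authority: attempt fails
    raise RuntimeError("no Db2 connection could be established")

def server_logic(user: Request, conn_id: str, trusted_logon: bool) -> str:
    """Server logic: name the step that decided the logon; raise on failure."""
    if conn_id == user.user_id:
        return "bypass: Db2 already authenticated this ID"
    if user.exit_accepts:
        return "exit: login user exit authenticated the user"
    if user.super_domain_admin and not user.password:
        raise PermissionError(ICM7172)    # trusted logon does not cover this case
    if trusted_logon:
        return "trusted: password authentication bypassed"
    stored = CM_PASSWORDS.get(user.user_id)
    if stored is None or stored != user.password:
        raise PermissionError("IBM Content Manager password authentication failed")
    return "password: IBM Content Manager authenticated the password"

def logon(user: Request, serverreptype: str = "Db2", trusted_logon: bool = False):
    conn_id = api_connect(user, serverreptype)
    return conn_id, server_logic(user, conn_id, trusted_logon)
```

Reading the return strings for a given configuration shows which step granted access; only the "password" path actually checks the Content Manager password.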