Authenticating by using a database identity store

You can use the @DatabaseIdentityStoreDefinition interface to retrieve user credentials from a database for authentication.

About this task

Follow these steps to authenticate by using a database identity store.

Procedure

  1. Add the appSecurity-3.0 feature to server.xml before you start the server.
  2. Ensure that CDI annotation file scanning is enabled. CICS disables it by default in server.xml.
    You can ensure that CDI annotation file scanning is enabled by checking that the following line is not present in server.xml: <cdi12 enableImplicitBeanArchives="false"/>.
  3. Create a table in the database and set up server.xml.
    For example, to create a Db2 table using SQL:
    CREATE TABLE PXX.USR (
        USERNAME      VARCHAR ( 256 ) NOT NULL,
        PASSWORD      VARCHAR ( 256 ) NOT NULL,
        UGROUP        VARCHAR ( 256 ) NOT NULL
    ) IN SECU.TSSE;
    CREATE UNIQUE INDEX INDXUSRS ON PXX.USR (USERNAME);
    
    The password in the database must be encrypted. An example of inserting an encrypted password into a database can be found here: Database Setup
    1. Add the jdbc-4.2 feature in server.xml:
      <feature>jdbc-4.2</feature>
    2. Set jndiName in server.xml, for example:
      <dataSource id="DefaultDataSource" jndiName="jdbc/sec">
          <jdbcDriver libraryRef="<xxx>"/>
          ...
      </dataSource>
  4. Determine whether to use SAF for the CICS task userid.
    1. If you do not want to push the database identity onto the CICS task, you can remove the default safRegistry setting in server.xml. This makes the CICS task run under the default CICS userid.
    2. If you want CICS tasks to run under specific SAF users mapped from your database identity store, you need to take the following steps:
      1. Configure SAF in server.xml by setting the following SAF elements.
        <safCredentials mapDistributedIdentities="true" profilePrefix="<xxx>"/>
        <safAuthorization id="saf"/>
        <safRoleMapper profilePattern="<xxx>.%resource%.%role%" toUpperCase="false"/>
      2. Issue the RACMAP command. The general RACMAP command of mapping a distributed userid to a SAF userid is in the format of:
        RACMAP ID(userid)
        MAP
        WITHLABEL('label-name')
        USERDIDFILTER(NAME('distributed-identity-user-name'))
        REGISTRY(NAME('distributed-identity-registry-name'))

        Use "defaultRealm" in REGISTRY(NAME('<nnn>')), and use "<username_in_DBIS>" in USERDIDFILTER(NAME('<nnn>')), for example:

        RACMAP ID(JATM12) MAP WITHLABEL('authorisedUser:JATM12') USERDIDFILTER(NAME('authorisedUser')) REGISTRY(NAME('defaultRealm'))
      Note: If you deploy the application in a CICS bundle, the security role "cicsAllAuthenticated" is automatically set in the installedApps.xml as follows:
      <application ...>
          <application-bnd> 
              <security-role name="cicsAllAuthenticated">
                  <special-subject type="ALL_AUTHENTICATED_USERS"/>
              </security-role>
          </application-bnd>
      </application>
      The security role "cicsAllAuthenticated" takes precedence over the group name that is stored in the database identity store, and an HTTP 403 error occurs. There are two options:
      1. Deploy your database identity store application with a direct <application> element in server.xml.
      2. Deploy within a CICS bundle, but use safAuthorization to bypass the CICS-generated <application-bnd> which overrides the group information stored in the Custom Identity Store.
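      The following servlet is an added example, not code from this documentation or from CICS, showing how the PXX.USR table and the jdbc/sec data source above are wired to the Java EE 8 Security API (appSecurity-3.0 uses the javax.security.enterprise package names); the package name, class name and the 3072-iteration setting are assumptions.

```java
// Added example: binds the PXX.USR table to @DatabaseIdentityStoreDefinition
// through the "jdbc/sec" jndiName configured in server.xml.
package com.example.dbis; // hypothetical package

import java.util.HashMap;
import java.util.Map;
import javax.annotation.security.DeclareRoles;
import javax.inject.Inject;
import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;

@BasicAuthenticationMechanismDefinition(realmName = "defaultRealm")
@DatabaseIdentityStoreDefinition(
    dataSourceLookup = "jdbc/sec",                 // jndiName of the dataSource in server.xml
    // The container binds the caller name to the single '?' placeholder, so the
    // lookups stay parameterised; never assemble these queries from user input.
    callerQuery = "SELECT PASSWORD FROM PXX.USR WHERE USERNAME = ?",
    groupsQuery = "SELECT UGROUP FROM PXX.USR WHERE USERNAME = ?",
    hashAlgorithm = Pbkdf2PasswordHash.class,      // PASSWORD column holds PBKDF2 hashes, never clear text
    hashAlgorithmParameters = {
        "Pbkdf2PasswordHash.Iterations=3072",      // assumed value; must match hashForStorage()
        "Pbkdf2PasswordHash.Algorithm=PBKDF2WithHmacSHA256"
    })
@DeclareRoles({ "authorisedUser" })                 // role name equals the UGROUP value in PXX.USR
@WebServlet("/secure")
@ServletSecurity(@HttpConstraint(rolesAllowed = { "authorisedUser" }))
public class DbIdentityStoreServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Inject
    private Pbkdf2PasswordHash passwordHash;       // container-provided CDI bean

    /** Produces the value to INSERT into PXX.USR.PASSWORD for a new user. */
    public String hashForStorage(char[] clearTextPassword) {
        Map<String, String> params = new HashMap<>();
        params.put("Pbkdf2PasswordHash.Iterations", "3072");
        params.put("Pbkdf2PasswordHash.Algorithm", "PBKDF2WithHmacSHA256");
        passwordHash.initialize(params);           // same parameters as the annotation above
        // Result has the form <algorithm>:<iterations>:<base64 salt>:<base64 hash>
        return passwordHash.generate(clearTextPassword);
    }
}
```

      With safAuthorization configured as in step 4, the UGROUP value is only used for the database-side role check; the CICS task userid comes from the RACMAP entry for the USERNAME.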

Results

You have successfully configured the database identity store.