Implementing Db2 support for enterprise identity mapping

Enterprise identity mapping (EIM) enables the mapping of user identities across servers that are integrated but that do not share user registries. Db2 supports the EIM capability by implementing the SAF user mapping plug-in callable service, which is part of the z/OS® Security Server (RACF®).

Before you begin

You can exploit the EIM support by using the IBM® WebSphere® Application Server 6.0.1, the IBM Db2 Driver for JDBC and SQLJ, and the IBM Db2 Driver for ODBC and CLI.

You must install the z/OS SAF user mapping plug-in service to implement Db2 support for EIM.

Results

If you enable Db2 support for EIM, Db2 can retrieve the mapped user ID from the SAF user mapping plug-in and specify the information in the ICTX structure. During the ENVIR=CREATE processing, Db2 passes the information to RACF through the RACROUTE REQUEST=VERIFY macro service. When RACF successfully authenticates the user, the ICTX structure is anchored in the ACEEICTX field.

Note: The SAF user identity mapping plug-in service will not be supported in a future release of Db2 for z/OS.