IBM Data Server Driver for JDBC and SQLJ security plugin support
You can create your own authentication mechanisms in the form of loadable libraries, or plugins, that Db2® on Linux®, UNIX, and Windows systems loads to perform user authentication. To support development of security plugins in Java™, the IBM® Data Server Driver for JDBC and SQLJ provides security plugin support.
IBM Data Server Driver for JDBC and SQLJ security plugin support is available for IBM Data Server Driver for JDBC and SQLJ type 4 connectivity to Db2 on Linux, UNIX, and Windows systems servers only.
To use plugin security, you need a security plugin on the client and another plugin on the server. A security plugin that you write in Java consists of the following elements:
- A class that extends the com.ibm.db2.jcc.DB2JCCPlugin abstract class
  The com.ibm.db2.jcc.DB2JCCPlugin abstract class is provided with the IBM Data Server Driver for JDBC and SQLJ.
- Within the com.ibm.db2.jcc.DB2JCCPlugin class, a com.ibm.db2.jcc.DB2JCCPlugin.getTicket method
  This method retrieves a Kerberos ticket for a user and returns security context information in a byte array. The IBM Data Server Driver for JDBC and SQLJ uses the information in the byte array to access the data server.
- Implementations of several methods that are defined in the org.ietf.jgss.GSSContext and org.ietf.jgss.GSSCredential interfaces
  These method implementations need to follow the Generic Security Service Application Program Interface, Version 2 (IETF RFC 2743) and Generic Security Service API Version 2: Java Bindings (IETF RFC 2853) specifications. The plugin must implement and call the following methods:
  - GSSContext.dispose: Releases any system resources and cryptographic information that are stored in a context object, and invalidates the context.
  - GSSContext.getCredDelegState: Determines whether credential delegation is enabled on a context.
  - GSSContext.getMutualAuthState: Determines whether mutual authentication is enabled on the context.
  - GSSContext.initSecContext: Starts the context creation phase, and processes any tokens that are generated by the peer's acceptSecContext method.
  - GSSContext.requestCredDeleg: Requests that the credentials of the initiator are delegated to the acceptor when a context is established.
  - GSSContext.requestMutualAuth: Requests mutual authentication when a context is established.
  - GSSCredential.dispose: Releases any sensitive information that the GSSCredential object contains.
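The following client-side plugin is an added example, not the driver's own sample code. It shows how a getTicket implementation can drive the GSSContext and GSSCredential methods listed above using the JDK's standard org.ietf.jgss implementation of Kerberos: request mutual authentication and (optionally) delegation, verify after the handshake what was actually negotiated, and dispose of the context and credential when done. Assumptions: the getTicket signature is modelled on the shape of the JCCKerberosPlugin.java sample and must be checked against your driver version; the class name, the server principal format, and the calling convention (one call per handshake leg, with the server's token passed back in returnedToken) are hypothetical; the user's Kerberos credential is available from a ticket cache or JAAS login.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical client-side plugin (not the driver's sample). The getTicket signature is an
// assumption modelled on the JCCKerberosPlugin.java sample; verify it against your driver version.
public class ExampleKrb5ClientPlugin extends com.ibm.db2.jcc.DB2JCCPlugin {
    private final String serverPrincipal; // assumed form: "db2/host.example.com@EXAMPLE.COM"
    private final boolean delegate;       // forward the user's credentials to the server?
    private GSSCredential cred;
    private GSSContext context;

    public ExampleKrb5ClientPlugin(String serverPrincipal, boolean delegate) {
        this.serverPrincipal = serverPrincipal;
        this.delegate = delegate;
    }

    // Assumed driver contract: called once per leg of the handshake; returnedToken is the token the
    // server's acceptSecContext produced (null on the first call). The password is not used: the
    // initiator credential comes from the Kerberos ticket cache / JAAS login, so it is never sent.
    public byte[] getTicket(String username, String password, byte[] returnedToken) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        if (context == null) {
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            cred = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
            GSSName server = manager.createName(serverPrincipal, GSSName.NT_USER_NAME, krb5);
            context = manager.createContext(server, krb5, cred, GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);    // the client must authenticate the server as well
            context.requestCredDeleg(delegate); // least privilege: delegate only when the server needs it
        }
        byte[] in = (returnedToken == null) ? new byte[0] : returnedToken;
        byte[] out = context.initSecContext(in, 0, in.length);
        if (context.isEstablished()) {
            // A request is only a request: check what was actually negotiated before trusting the context.
            if (!context.getMutualAuthState() || (delegate && !context.getCredDelegState())) {
                release();
                throw new GSSException(GSSException.UNAUTHORIZED);
            }
        }
        return out;
    }

    // Drop the context and the credential (key material) as soon as the handshake is over or fails.
    public void release() throws GSSException {
        if (context != null) { context.dispose(); context = null; }
        if (cred != null) { cred.dispose(); cred = null; }
    }
}
```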
The driver ships the following sample plugins:
- JCCSimpleGSSPlugin.java
  An implementation of a GSS-API plugin for the server, which performs user ID and password checking. This sample is a Java version of the C language sample program gssapi_simple.c.
- JCCKerberosPlugin.java
  A Kerberos security plugin for the client. This sample is a Java version of the C language sample program IBMkrb5.c.
To connect with plugin security, set the following properties on the connection:

| Property | Setting |
| --- | --- |
| com.ibm.db2.jcc.DB2BaseDataSource.user | The user ID under which the Connection is to be obtained |
| com.ibm.db2.jcc.DB2BaseDataSource.password | The password for the user ID |
| com.ibm.db2.jcc.DB2BaseDataSource.securityMechanism | com.ibm.db2.jcc.DB2BaseDataSource.PLUGIN_SECURITY |
| com.ibm.db2.jcc.DB2BaseDataSource.pluginName | The name of the plugin module for a server-side security plugin |
| com.ibm.db2.jcc.DB2BaseDataSource.plugin | The plugin object for a client-side security plugin |
```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

// Plugin security requires type 4 connectivity; the URL below is a placeholder for your server.
String url = "jdbc:db2://db2host.example.com:50000/SAMPLE";
Properties properties = new Properties();
properties.put("user", "db2admin");        // sample values from this page
properties.put("password", "admindb2");
properties.put("pluginName", "gssapi_simple");   // server-side plugin module
properties.put("securityMechanism",
    String.valueOf(com.ibm.db2.jcc.DB2BaseDataSource.PLUGIN_SECURITY)); // driver expects a String
// Client-side plugin object (the sample class from the driver's samples package)
com.ibm.db2.jcc.DB2JCCPlugin plugin =
    new com.ibm.db2.jcc.samples.plugins.JCCSimpleGSSPlugin();
properties.put("plugin", plugin);
Connection con = DriverManager.getConnection(url, properties);
```