Securing database connections

Set up security for a database connection, whether it is required by the database provider or optional.

Before you begin

About this task

Some databases require that all access is associated with a known user ID; for others, this association is optional. For example, IBM® DB2® requires a data source login name and password on all connections.

Use the mqsisetdbparms command to specify a user ID and password that the integration node can use to access each database. If you have not specified a user ID and password for database access by using the mqsisetdbparms command, platform-specific default values are used:

  1. On Windows: The integration node service ID and password that you specified on the mqsicreatebroker command.
  2. On Linux® and UNIX: The user ID mqsiUser and password ******** (these values are fixed).
  3. On z/OS®: The user ID "" and password "", which causes the connection to be made with the broker started task user ID.

If you migrated your integration node from WebSphere® Message Broker Version 6.1, the integration node accessed a database for its own use. You might have defined the user ID and password used to access that database by specifying a database connection user ID and password with the -u and -p parameters on the mqsicreatebroker command. Alternatively, you might have used the integration node service user ID and its password (specified with the -i and -a parameters on the same command). When you migrate the integration node, these parameters are migrated and stored, and are used by the migrated integration node for access to databases that do not have specific ID access defined. If you want to check what user ID you set, or test that the password for a specific user ID is what you expect, you can use the mqsireportdbparms command.

Steps for setting up security are specific to the type of database connection that you are using. Choose your database connection type to see the steps:

ODBC connections

About this task

If your ODBC data source requires you to define secure access, or if you want to implement security where this is optional, complete the following steps:

Procedure

  1. Identify the user IDs that you want to associate with the database connection, or create a user ID with a password, following the appropriate instructions for your operating system and database.
  2. Define the user IDs and passwords that the integration node can use to access a particular data source.
  3. Run the mqsisetdbparms command to create user IDs and passwords that can be used to access the data source from an integration node.
    Use the following format:
    mqsisetdbparms broker_name -n data_source_name -u database_userID -p database_userID_password
  4. Optional: If you want to use the same user ID and password for more than one database as a default set of credentials, you can specify dsn::DSN in the -n parameter, as shown in the following example:
    mqsisetdbparms broker_name -n dsn::DSN -u default_userID -p default_password

Results

You have secured access to your ODBC data source.

JDBC connections

About this task

If your database requires you to define secure access, or if you want to implement security where this is optional, complete the following steps:

Procedure

  1. Identify the user ID that you want to associate with the database connection, or create a user ID with a password, following the appropriate instructions for your operating system and database.
  2. Define the user IDs and passwords that the integration node can use for the JDBC connections:
    • Use the following command format:
      mqsisetdbparms broker_name -n jdbc::security_identity -u userID -p password
      For example, if you want a user ID myuserid with a password of secretpw to access a database on integration node INODE1, run the following command:
      mqsisetdbparms INODE1 -n jdbc::mySecurityIdentity -u myuserid -p secretpw
      The jdbc:: prefix indicates that the security_identity is to be used for JDBC connections.
    • If you want to use the same user ID and password for more than one database as a default set of credentials, you can specify jdbc::JDBC in the -n parameter, as shown in the following example:
      mqsisetdbparms INODE1 -n jdbc::JDBC -u default_userID -p default_password
    • Update the corresponding securityIdentity property for the JDBC provider configurable service to associate the connection with the security identity that you have defined. Use the following command format:
      mqsichangeproperties broker_name -c JDBCProviders -o service_name -n securityIdentity -v security_identity
      For example, if you are using the supplied JDBCProvider definition for Oracle:
      mqsichangeproperties INODE1 -c JDBCProviders -o Oracle -n securityIdentity -v mySecurityIdentity

Results

You have secured access to your JDBC databases. If you need to define user credentials that can be shared across a business area or account, you can reuse the same security identity that you defined in the previous steps in different JDBCProviders configurable services.
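
The following added example (not IBM code, and not part of the original page) models the credential fallback described in the ODBC and JDBC procedures and in the list of platform defaults, so that you can review which connections do not use credentials defined specifically for them. The function names and the inventory data are constructed for illustration. The example assumes that jdbc::JDBC is consulted before the platform default in the same way as dsn::DSN, and it reports a securityIdentity with no matching mqsisetdbparms entry as a finding rather than predicting what the integration node does with it.

```python
# Added example: models the credential fallback this page describes.
# All node data below is constructed sample input, not command output.

PLATFORM_DEFAULT = {
    "windows": "integration node service ID",
    "unix": "mqsiUser (fixed user ID and password)",
    "zos": "broker started task user ID",
}

def resolve(specific_key, default_key, dbparms, platform):
    """Return (source, user_id) for one connection.

    dbparms maps the -n value given to mqsisetdbparms to the -u user ID.
    """
    if specific_key and specific_key in dbparms:
        return "specific", dbparms[specific_key]
    if default_key in dbparms:
        return "shared-default", dbparms[default_key]
    return "platform-default", PLATFORM_DEFAULT[platform]

def audit(odbc_dsns, jdbc_providers, dbparms, platform):
    """List connections that do not use their own defined credentials."""
    findings = []
    for dsn in odbc_dsns:
        source, user = resolve(dsn, "dsn::DSN", dbparms, platform)
        if source != "specific":
            findings.append((f"odbc:{dsn}", source, user))
    # jdbc_providers maps a JDBCProviders service to its securityIdentity value.
    for provider, identity in jdbc_providers.items():
        key = f"jdbc::{identity}" if identity else None
        if key and key not in dbparms:
            # securityIdentity names an identity that was never defined.
            findings.append((f"jdbc:{provider}", "undefined-identity", identity))
            continue
        source, user = resolve(key, "jdbc::JDBC", dbparms, platform)
        if source != "specific":
            findings.append((f"jdbc:{provider}", source, user))
    return findings

# Constructed inventory for an integration node on Linux.
SAMPLE_DBPARMS = {"ORDERSDB": "orders_ro", "dsn::DSN": "shared_db",
                  "jdbc::mySecurityIdentity": "myuserid"}
SAMPLE_ODBC = ["ORDERSDB", "HRDB"]
SAMPLE_JDBC = {"Oracle": "mySecurityIdentity", "Reporting": "",
               "Legacy": "oldIdentity"}

if __name__ == "__main__":
    for name, source, user in audit(SAMPLE_ODBC, SAMPLE_JDBC, SAMPLE_DBPARMS, "unix"):
        print(f"{name:16} {source:20} {user}")
```

Connections reported as platform-default on Linux and UNIX are the ones that use the fixed mqsiUser credentials, so they are the first candidates for a specific mqsisetdbparms entry.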