IBM DB2 User Impersonation Configuration

To run CICS transactions or batch jobs under the appropriate database user ID, the IBM DB2 XA switch module uses trusted connections: it connects as the xa_open user and then calls the CLI function SQLSetConnectAttr() with the attribute SQL_ATTR_TRUSTED_CONTEXT_USERID to switch the connection to the application user. For this call to succeed, you must also create a TRUSTED CONTEXT on the database that names the xa_open user as the system authorization ID and lists the users it is allowed to switch to. This enables the xa_open user ID to impersonate the appropriate database user ID.

The following is provided as a simple example. Your security and database environment might dictate a different implementation. Please review the IBM documentation on trusted connections and other related topics before implementing your solution.

  1. Create the user cited in the xa_open string (XAOPENUSER in this example)
  2. Create the user FRITZ under which the CICS transactions or JCL batch jobs execute
  3. Grant database privileges to FRITZ
  4. Because a trusted context can only be established over a TCP/IP client-server connection (not a local connection), set up TCP/IP client-server communication by cataloging a TCP/IP node for the database, if one doesn't already exist:
    db2 catalog tcpip node tcpnode remote OOH-CHRISLE-701 server 50000
  5. Catalog database access using an alias:
    db2 catalog db sample as tcpsamp at node tcpnode
  6. Specify the alias created (tcpsamp) as the DB parameter in your xa_open string.
  7. Create a trusted context that allows the xa_open string user (XAOPENUSER) to switch the connection to FRITZ. WITHOUT AUTHENTICATION means no password for FRITZ is required at switch time, so the ADDRESS attribute, which restricts the trusted context to connections arriving from the named host, is the main control on who can impersonate FRITZ; keep it as narrow as your environment allows:
    CREATE TRUSTED CONTEXT ctx1 BASED UPON CONNECTION USING SYSTEM AUTHID XAOPENUSER ATTRIBUTES (ADDRESS 'OOH-CHRISLE-701') ENABLE
    ALTER TRUSTED CONTEXT ctx1 ADD USE FOR FRITZ WITHOUT AUTHENTICATION
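The following is an added example, not part of the original page or of the IBM DB2 XA switch module documentation. It collects the trusted-context setup from the steps above into one script, adds a tighter variant a practitioner might prefer, and shows the catalog queries that confirm what was actually created. It reuses the page's names (XAOPENUSER, FRITZ, OOH-CHRISLE-701, ctx1) and assumes the DB2 SAMPLE database (the EMPLOYEE table) and a db2 CLP session held by a user with SECADM authority, which CREATE/ALTER TRUSTED CONTEXT require.

```sql
-- Added example: DB2 trusted context for XA user impersonation.
-- Assumptions: DB2 LUW SAMPLE database (EMPLOYEE table), CLP session with SECADM,
-- users XAOPENUSER and FRITZ already exist at the OS / security-plugin level.

-- Step 3 of the procedure: give the application user only what its SQL needs.
GRANT CONNECT ON DATABASE TO USER FRITZ;
GRANT SELECT, UPDATE ON TABLE EMPLOYEE TO USER FRITZ;

-- Step 7 of the procedure, written as a single statement. Only a connection that
-- authenticated as XAOPENUSER and arrived from OOH-CHRISLE-701 becomes trusted;
-- any other connection by XAOPENUSER is ordinary and cannot switch users.
CREATE TRUSTED CONTEXT ctx1
  BASED UPON CONNECTION USING SYSTEM AUTHID XAOPENUSER
  ATTRIBUTES (ADDRESS 'OOH-CHRISLE-701')
  WITH USE FOR FRITZ WITHOUT AUTHENTICATION
  ENABLE;

-- Tighter variant (assumed preference, not from the page): require the connection
-- itself to be encrypted before it is treated as trusted. ENCRYPTION 'LOW' demands
-- at least DATA_ENCRYPT-level encryption; 'HIGH' demands SSL. Choose one that your
-- XA client's connection configuration actually satisfies, or the switch will fail.
ALTER TRUSTED CONTEXT ctx1
  ALTER ATTRIBUTES (ENCRYPTION 'LOW');

-- Alternative to WITHOUT AUTHENTICATION: make the switch to FRITZ require FRITZ's
-- password. The switching client must then also supply
-- SQL_ATTR_TRUSTED_CONTEXT_PASSWORD; verify that your XA switch module can do so
-- before relying on this.
-- ALTER TRUSTED CONTEXT ctx1 REPLACE USE FOR FRITZ WITH AUTHENTICATION;

-- Checks. Trusted context names are folded to upper case in the catalog.
SELECT CONTEXTNAME, SYSTEMAUTHID, ENABLED
  FROM SYSCAT.CONTEXTS
 WHERE CONTEXTNAME = 'CTX1';

SELECT ATTR_NAME, ATTR_VALUE
  FROM SYSCAT.CONTEXTATTRIBUTES
 WHERE CONTEXTNAME = 'CTX1';

-- AUTHENTICATE = 'N' means the switch to that user needs no password.
SELECT AUTHID, AUTHENTICATE
  FROM SYSCAT.CONTEXTUSERS
 WHERE CONTEXTNAME = 'CTX1';

-- Run from within a session after the XA module has switched users: SYSTEM_USER
-- still reports the ID that connected (XAOPENUSER), SESSION_USER reports the
-- impersonated ID (FRITZ). If both show XAOPENUSER, the connection was not trusted
-- (wrong host, local rather than TCP/IP connection, or context disabled).
VALUES (SYSTEM_USER, SESSION_USER);
```

The CREATE statement above combines the page's CREATE and ALTER into one, which is equivalent; the separate ALTER form on the page is useful when you add application users to an existing context later. Note that disabling the context (ALTER TRUSTED CONTEXT ctx1 DISABLE) is a quick way to cut off impersonation during an incident without revoking FRITZ's privileges.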