How to connect using a Trusted Connection in Db2


Technique

Product: Reporting Server
Release: 8206
Release: 7710
Primary OS: Windows
Solution Date:

Problem

How to connect using a Trusted Connection.

When a Trusted Connection from the WebFOCUS Client is used to implement Single-Signon (SSO), only a user ID is passed to the Reporting Server. This same ID is to be used to connect to Db2 so that CURRENT USER reflects the ID the agent is connected with.

Solution

When using Single-Signon with the WebFOCUS Client, the connection to the Reporting Server is supplied with only a user ID and its trusted groups. This is insufficient information to perform the Db2 connection, because the Reporting Server Db2 adapter connection expects credentials that include both the user ID and password.

To accomplish this requirement, the following technique was used:

  • Configure the Db2 adapter with EXPLICIT security and select or enable the Trusted Context box.
  • Using the ID from that EXPLICIT connection, create a Trusted Context within Db2 with that ID as the authorization ID. This is a Db2 object/rule and needs to be defined via the CREATE TRUSTED CONTEXT command. For example, when the Db2 adapter connection uses EXPLICIT security with db2admin as the authorization ID, the following trusted context can be defined:

   CREATE TRUSTED CONTEXT CTX1 BASED UPON CONNECTION USING SYSTEM AUTHID db2admin
   ATTRIBUTES (ADDRESS 'xxx.xx.xx.x')
   ENABLE
   WITH USE FOR PUBLIC WITHOUT AUTHENTICATION

  • Users will now connect with their own IDs, but the EXPLICIT credentials are used for the initial connection to Db2 only. The Trusted Context then switches the connection over to the user’s ID as CURRENT USER.

 

When the above was configured on the Reporting Server, the following scenario was successful:

    • Single-Signon to WebFOCUS
    • Trusted connection from WF Client to the Reporting Server
    • The Single-Signon ID that is sent Trusted to the Reporting Server is used as CURRENT USER in Db2.
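
Added example, not part of the original article: SQL to review what the trusted context defined above permits, record its use in the Db2 audit log, and confirm the switch. It assumes the Db2 for Linux, UNIX and Windows catalog views (SYSCAT.CONTEXTS, SYSCAT.CONTEXTATTRIBUTES, SYSCAT.SURROGATEAUTHIDS); the audit policy name CTX1_AUDIT is hypothetical.

```sql
-- Added example (not from the original article). Assumes Db2 for Linux, UNIX
-- and Windows catalog views and the CTX1 context defined above.

-- 1. Review every trusted context: which system authorization ID opens it,
--    which connection attributes (such as ADDRESS) must match, and which IDs
--    it may switch to. AUTHENTICATE = 'N' on a PUBLIC row means any ID can be
--    assumed without a password on a connection that matches the context.
SELECT c.CONTEXTNAME,
       c.SYSTEMAUTHID,
       c.ENABLED,
       a.ATTR_NAME,
       a.ATTR_VALUE,
       s.SURROGATEAUTHID,
       s.AUTHENTICATE
  FROM SYSCAT.CONTEXTS c
  LEFT JOIN SYSCAT.CONTEXTATTRIBUTES a
         ON a.CONTEXTNAME = c.CONTEXTNAME
  LEFT JOIN SYSCAT.SURROGATEAUTHIDS s
         ON s.TRUSTEDID = c.CONTEXTNAME
        AND s.TRUSTEDIDTYPE = 'C'      -- 'C' = entry belongs to a trusted context
 ORDER BY c.CONTEXTNAME, a.ATTR_NAME, s.SURROGATEAUTHID;

-- 2. Record use of the context in the Db2 audit log (requires SECADM).
--    CTX1_AUDIT is a hypothetical policy name.
CREATE AUDIT POLICY CTX1_AUDIT
  CATEGORIES CONTEXT STATUS BOTH, VALIDATE STATUS BOTH
  ERROR TYPE NORMAL;

AUDIT TRUSTED CONTEXT CTX1 USING POLICY CTX1_AUDIT;

-- 3. On a connection opened through the Reporting Server adapter, confirm the
--    switch: the result should be the Single-Signon user, not db2admin.
SELECT CURRENT USER FROM SYSIBM.SYSDUMMY1;
```

Because CTX1 allows PUBLIC without authentication, the ADDRESS attribute and the db2admin credentials are what restrict who can use the switch, so the first query is worth re-running whenever the context or the Reporting Server host changes.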