5

I tried to set the JDBC driver's securityMechanism property with the TLS_CLIENT_CERTIFICATE_SECURITY option on WebSphere Liberty®, referring to the following IBM® Knowledge Center, but got a CWWKG0032W warning message when I started WebSphere Liberty (beta for July 2015).

Can you show me how to set the JDBC driver's securityMechanism property with the TLS_CLIENT_CERTIFICATE_SECURITY option on WebSphere Liberty?

IBM Data Server Driver for JDBC and SQLJ support for certificate authentication

The IBM® Data Server Driver for JDBC and SQLJ provides support for client support for certificate authentication for connections to DB2® for z/OS® Version 10 or later data servers.

console.log when the WebSphere Liberty Server started

```
CWWKG0032W: Unexpected value specified for property
            [securityMechanism], value = [18]. Expected value(s) are:
            [3][4][7][9][11][12][13][15][16].
```

securityMechanism="18" is TLS_CLIENT_CERTIFICATE_SECURITY; I confirmed the value with the following:

```
>javac -classpath .;db2jcc4.jar; JDBCCheck.java
>java -classpath .;db2jcc4.jar; JDBCCheck
  TLS_CLIENT_CERTIFICATE_SECURITY: 18
```

JDBCCheck class:

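```java
// Prints the numeric value of the driver's TLS_CLIENT_CERTIFICATE_SECURITY constant.
class JDBCCheck {
  public static void main(String[] args) {
    com.ibm.db2.jcc.DB2SimpleDataSource dataSource =
        new com.ibm.db2.jcc.DB2SimpleDataSource();
    // The constant is a static field, read here through the instance.
    System.out.println("TLS_CLIENT_CERTIFICATE_SECURITY: "
        + dataSource.TLS_CLIENT_CERTIFICATE_SECURITY);
  }
}
```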

server.xml:

```xml
<library id="db2-library">
  <fileset dir="lib" id="db2-fileset" includes="db2jcc4.jar db2jcc_license_cu.jar"/>
</library>

<dataSource id="db2" jndiName="jdbc/sampledb">
  <jdbcDriver libraryRef="db2-library"/>
  <properties.db2.jcc databaseName="SAMPLEDB" password="password" portNumber="10443"
              serverName="XX.XX.XX.XX" user="db2inst1" sslConnection="true"
              sslTrustStoreLocation="ssld/defaultTrustStore"
              sslTrustStorePassword="trustpassword" securityMechanism="18"/>
</dataSource>
```

Update 01:

  • db2jcc4.jar level/version is DB2 10.5FP1.
  • WebSphere Liberty started without the CWWKG0032W warning when I used the generic JDBC driver properties `properties` instead of DB2® JCC properties `properties.db2.jcc`
M. A. Kishawy
shimac-jp
  • If the client uses the default JSSE settings, you might be able to pass in a keystore using the `javax.net.ssl.*` properties, although this might affect other default connections made by the VM (that's not necessarily a problem depending on what your application does). – Bruno Jun 30 '15 at 14:12

3 Answers

2

Based on this topic in IBM® Knowledge Center: Java EE Full Platform 7.0 section: transaction > dataSource > properties.db2.jcc

Currently WebSphere Liberty only supports the following values for securityMechanism:

  • value="3" name="CLEAR_TEXT_PASSWORD_SECURITY"
  • value="4" name="USER_ONLY_SECURITY"
  • value="7" name="ENCRYPTED_PASSWORD_SECURITY"
  • value="9" name="ENCRYPTED_USER_AND_PASSWORD_SECURITY"
  • value="11" name="KERBEROS_SECURITY"
  • value="12" name="ENCRYPTED_USER_AND_DATA_SECURITY"
  • value="13" name="ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY"
  • value="15" name="PLUGIN_SECURITY"
  • value="16" name="ENCRYPTED_USER_ONLY_SECURITY"

If you would like to have TLS_CLIENT_CERTIFICATE_SECURITY added as a securityMechanism in Liberty, I would recommend opening an RFE so that Liberty development is aware of the demand for supporting this.

Update:
To work around this, you can still specify securityMechanism="18", but just do so in a generic <properties> element as opposed to the db2 specific <properties.db2.jcc> element (which it looks like you have figured out already).

M. A. Kishawy
Andy Guibert
  • Thank you for your update. I have already figured out the work-around. I think it is just a work-around, so I created an RFE for db2 specific element. – shimac-jp Jun 30 '15 at 19:24
  • Yea sorry, I missed that you had already figured out the workaround in your original post. – Andy Guibert Jun 30 '15 at 19:35
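
The workaround from the answer above, written out against the server.xml in the question. This is an added example, not part of the original posts; every attribute value is the question's own placeholder, and only the properties element name differs from the configuration that produced the warning.

```xml
<library id="db2-library">
  <fileset dir="lib" id="db2-fileset" includes="db2jcc4.jar db2jcc_license_cu.jar"/>
</library>

<dataSource id="db2" jndiName="jdbc/sampledb">
  <jdbcDriver libraryRef="db2-library"/>
  <!-- Generic element instead of properties.db2.jcc: the attributes are handed
       to the driver's data source as vendor properties and are not checked
       against the expected securityMechanism values listed in the answer
       (3, 4, 7, 9, 11, 12, 13, 15, 16), so 18 no longer raises CWWKG0032W. -->
  <!-- 18 = TLS_CLIENT_CERTIFICATE_SECURITY, as printed by JDBCCheck in the
       question. sslConnection and the trust store settings are unchanged. -->
  <!-- The client certificate's keystore is not configured here. A comment on
       the question suggests the javax.net.ssl.* system properties for that,
       which also affect other default TLS connections made by the same JVM. -->
  <properties databaseName="SAMPLEDB" password="password" portNumber="10443"
              serverName="XX.XX.XX.XX" user="db2inst1" sslConnection="true"
              sslTrustStoreLocation="ssld/defaultTrustStore"
              sslTrustStorePassword="trustpassword" securityMechanism="18"/>
</dataSource>
```

After restarting the server, check console.log to confirm that CWWKG0032W is no longer reported for securityMechanism.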
1

Another way of setting TLS_CLIENT_CERTIFICATE_SECURITY is:

```java
com.ibm.db2.jcc.DB2SimpleDataSource dataSource =
    new com.ibm.db2.jcc.DB2SimpleDataSource();
dataSource.setSecurityMechanism(
    com.ibm.db2.jcc.DB2BaseDataSource.TLS_CLIENT_CERTIFICATE_SECURITY);
```

Check this IBM® Knowledge Center for more info:

IBM Data Server Driver for JDBC and SQLJ support for certificate authentication

This should work with both WebSphere Full Profile and WebSphere Liberty Profile.

Community
M. A. Kishawy
  • I suspect that TLS_CLIENT_CERTIFICATE_SECURITY is only supported on Full Profile. The following Knowledge Center guide shows that Liberty doesn't support TLS_CLIENT_CERTIFICATE_SECURITY. ----> Liberty features>Java EE Full Platform 7.0 http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/rwlp_feature_javaee-7.0.html?lang=en – shimac-jp Jul 15 '15 at 07:44
  • @shimac-jp Not really, because it's at the driver Datasource level, so it should be supported on both WebSphere Full Profile and WebSphere Liberty Profile as well. – M. A. Kishawy Jul 15 '15 at 16:05
  • @Kishawy-san, Yes, I think so, too (I'm sorry, I haven't tried Full Profile). But Knowledge Center shows that properties.db2.jcc doesn't support "TLS_CLIENT_CERTIFICATE_SECURITY(18)" on Liberty, and in reality Liberty showed a warning with "TLS_CLIENT_CERTIFICATE_SECURITY(18)". As I showed in my question, TLS_CLIENT_CERTIFICATE_SECURITY's value is 18. It seems to be a documentation bug or something, so I created an RFE requesting support for "TLS_CLIENT_CERTIFICATE_SECURITY(18)". Please refer to it. https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=73455 – shimac-jp Jul 16 '15 at 01:15
  • @shimac-jp You will get the warning only if you try setting TLS_CLIENT_CERTIFICATE_SECURITY (value "18") on the datasource in the server.xml. However, you will not get the warning if you try setting it in your Java class using com.ibm.db2.jcc.DB2SimpleDataSource, because this is an API provided by db2jcc4.jar which is independent of the WebSphere Server. In other words, if you have db2jcc4.jar you can set the TLS_CLIENT_CERTIFICATE_SECURITY value regardless of what server you are using. – M. A. Kishawy Jul 16 '15 at 14:52
1

Here is the code to set the security mechanism with user ID and encrypted password to make a DB2 connection. Pass the user name, password and URL string.

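```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import com.ibm.db2.jcc.DB2BaseDataSource;

class Db2Connect {  // wrapper class added so the snippet compiles; the name is arbitrary
  static Connection connect(String user, String password, String url) throws SQLException {
    Properties properties = new Properties(); // Create a Properties object
    properties.put("user", user);             // Set user ID for the connection
    properties.put("password", password);     // Set password for the connection
    // Set security mechanism to user ID and encrypted password
    properties.put("securityMechanism",
        String.valueOf(DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY));
    properties.put("encryptionAlgorithm", "2"); // 2 = AES (1 = DES)
    return DriverManager.getConnection("jdbc:db2://" + url, properties);
  }
}
```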
Abhishek Jha