Summary Prerequisites and limitations Architecture Tools Epics Related resources Additional information

Secure and streamline user access in a Db2 federation database on AWS by using trusted contexts

Created by Sai Parthasaradhi (AWS)

Environment: PoC or pilot	Technologies: Databases; Security, identity, compliance	Workload: IBM
AWS services: Amazon EC2

Summary

Many companies are migrating their legacy mainframe workloads to Amazon Web Services (AWS). This migration includes shifting IBM Db2 for z/OS databases to Db2 for Linux, Unix, and Windows (LUW) on Amazon Elastic Compute Cloud (Amazon EC2). During a phased migration from on premises to AWS, users might need to access data in IBM Db2 z/OS and in Db2 LUW on Amazon EC2 until all applications and databases are fully migrated to Db2 LUW. In such remote data-access scenarios, user authentication can be challenging because different platforms use different authentication mechanisms.

This pattern covers how to set up a federation server on Db2 for LUW with Db2 for z/OS as a remote database. The pattern uses a trusted context to propagate a user’s identity from Db2 LUW to Db2 z/OS without re-authenticating on the remote database. For more information about trusted contexts, see the Additional information section.

Prerequisites and limitations

Prerequisites

An active AWS account
A Db2 instance running on an Amazon EC2 instance
A remote Db2 for z/OS database running on premises
The on-premises network connected to AWS through AWS Site-to-Site VPN or AWS Direct Connect

Architecture

Target architecture

The on-premises mainframe connects through an on-premises Db2 server and AWS Site-to-Site VPN to the Db2 DB on EC2.

Tools

AWS services

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud. You can launch as many virtual servers as you need and quickly scale them up or down.
AWS Site-to-Site VPN helps you pass traffic between instances that you launch on AWS and your own remote network.

Other services

db2cli is the Db2 interactive command line interface (CLI) command.

Epics

Task Description Skills required

Task	Description	Skills required
Enable federation on the DB2 LUW DB.	To enable federation on DB2 LUW, run the following command. `update dbm cfg using federated YES`	DBA
Restart the database.	To restart the database, run the following command. `db2stop force; db2start;`	DBA

Enable federation on the DB2 LUW DB.

To enable federation on DB2 LUW, run the following command.


update dbm cfg using federated YES

DBA

Restart the database.

To restart the database, run the following command.


db2stop force;
db2start;

DBA

Task Description Skills required

Task	Description	Skills required
Catalog the remote Db2 z/OS subsystem.	To catalog the remote Db2 z/OS database on Db2 LUW running on AWS, use the following example command. `catalog TCPIP NODE tcpnode REMOTE mainframehost SERVER mainframeport`	DBA
Catalog the remote database.	To catalog the remote database, use the following example command. `catalog db dbnam1 as ndbnam1 at node tcpnode`	DBA

Catalog the remote Db2 z/OS subsystem.

To catalog the remote Db2 z/OS database on Db2 LUW running on AWS, use the following example command.


catalog TCPIP NODE tcpnode REMOTE mainframehost SERVER mainframeport

DBA

Catalog the remote database.

To catalog the remote database, use the following example command.


catalog db dbnam1 as ndbnam1 at node tcpnode

DBA

Task Description Skills required

Task	Description	Skills required
Collect user credentials for the remote Db2 z/OS database.	Before proceeding with the next steps, gather the following information: Db2 z/OS subsystem name – The cataloged Db2 z/OS name on LUW from the previous step (for example, `ndbnam1`) Db2 z/OS version – The Db2 z/OS subsystem version (for example, `12`) Db2 z/OS user ID – The user with the BIND privilege, which is needed to create only the server definition (for example, `dbuser1`) Db2 z/OS password – The password for `dbuser1` (for example, `dbpasswd`) Db2 z/OS proxy user – The ID of the proxy user, which will be used to establish trusted connection (for example, `zproxy`) Db2 z/OS proxy password – The password for the `zproxy` user (for example, `zproxy`)	DBA
Create the DRDA wrapper.	To create the DRDA wrapper, run the following command. `CREATE WRAPPER DRDA;`	DBA
Create the server definition.	To create the server definition, run the following example command. `CREATE SERVER ndbserver TYPE DB2/ZOS VERSION 12 WRAPPER DRDA AUTHORIZATION "dbuser1" PASSWORD "dbpasswd" OPTIONS ( DBNAME 'ndbnam1',FED_PROXY_USER 'ZPROXY' );` In this definition, `FED_PROXY_USER` specifies the proxy user that will be used for establishing trusted connections to the Db2 z/OS database. The authorization user ID and password are required only for creating the remote server object in the Db2 LUW database. They won’t be used later during runtime.	DBA

Collect user credentials for the remote Db2 z/OS database.

Before proceeding with the next steps, gather the following information:

Db2 z/OS subsystem name – The cataloged Db2 z/OS name on LUW from the previous step (for example, ndbnam1)
Db2 z/OS version – The Db2 z/OS subsystem version (for example, 12)
Db2 z/OS user ID – The user with the BIND privilege, which is needed to create only the server definition (for example, dbuser1)
Db2 z/OS password – The password for dbuser1 (for example, dbpasswd)
Db2 z/OS proxy user – The ID of the proxy user, which will be used to establish trusted connection (for example, zproxy)
Db2 z/OS proxy password – The password for the zproxy user (for example, zproxy)

DBA

Create the DRDA wrapper.

To create the DRDA wrapper, run the following command.


CREATE WRAPPER DRDA;

DBA

Create the server definition.

To create the server definition, run the following example command.


CREATE SERVER ndbserver
TYPE DB2/ZOS VERSION 12
WRAPPER DRDA
AUTHORIZATION "dbuser1" PASSWORD "dbpasswd" OPTIONS ( DBNAME 'ndbnam1',FED_PROXY_USER 'ZPROXY' );

In this definition, FED_PROXY_USER specifies the proxy user that will be used for establishing trusted connections to the Db2 z/OS database. The authorization user ID and password are required only for creating the remote server object in the Db2 LUW database. They won’t be used later during runtime.

DBA

Task Description Skills required

Task	Description	Skills required
Create a user mapping for the proxy user.	To create a user mapping for proxy user, run the following command. `CREATE USER MAPPING FOR ZPROXY SERVER ndbserver OPTIONS (REMOTE_AUTHID 'ZPROXY', REMOTE_PASSWORD 'zproxy');`	DBA
Create user mappings for each user on Db2 LUW.	Create user mappings for all the users on the Db2 LUW database on AWS who need to access remote data through the proxy user. To create the user mappings, run the following command. `CREATE USER MAPPING FOR PERSON1 SERVER ndbserver OPTIONS (REMOTE_AUTHID 'USERZID', USE_TRUSTED_CONTEXT 'Y');` The statement specifies that a user on Db2 LUW (`PERSON1`) can establish a trusted connection to the remote Db2 z/OS database (`USE_TRUSTED_CONTEXT 'Y'`). After the connection is established through the proxy user, the user can access the data by using the Db2 z/OS user ID (`REMOTE_AUTHID 'USERZID'`).	DBA

Create a user mapping for the proxy user.

To create a user mapping for proxy user, run the following command.


CREATE USER MAPPING FOR ZPROXY SERVER ndbserver OPTIONS (REMOTE_AUTHID 'ZPROXY', REMOTE_PASSWORD 'zproxy');

DBA

Create user mappings for each user on Db2 LUW.

Create user mappings for all the users on the Db2 LUW database on AWS who need to access remote data through the proxy user. To create the user mappings, run the following command.


CREATE USER MAPPING FOR PERSON1 SERVER ndbserver OPTIONS (REMOTE_AUTHID 'USERZID', USE_TRUSTED_CONTEXT 'Y');

The statement specifies that a user on Db2 LUW (PERSON1) can establish a trusted connection to the remote Db2 z/OS database (USE_TRUSTED_CONTEXT 'Y'). After the connection is established through the proxy user, the user can access the data by using the Db2 z/OS user ID (REMOTE_AUTHID 'USERZID').

DBA

Task Description Skills required

Task	Description	Skills required
Create the trusted context object.	To create the trusted context object on the remote Db2 z/OS database, use the following example command. `CREATE TRUSTED CONTEXT CTX_LUW_ZOS BASED UPON CONNECTION USING SYSTEM AUTHID ZPROXY ATTRIBUTES ( ADDRESS '10.10.10.10' ) NO DEFAULT ROLE ENABLE WITH USE FOR PUBLIC WITHOUT AUTHENTICATION;` In this definition, `CTX_LUW_ZOS` is an arbitrary name for the trusted context object. The object contains the proxy user ID and the IP address of the server from which the trusted connection must originate. In this example, the server the Db2 LUW database on AWS. You can use the domain name instead of the IP address. The clause `WITH USE FOR PUBLIC WITHOUT AUTHENTICATION` indicates that switching the user ID on a trusted connection is allowed for every user ID. A password doesn't need to be provided.	DBA

Create the trusted context object.

To create the trusted context object on the remote Db2 z/OS database, use the following example command.


CREATE TRUSTED CONTEXT CTX_LUW_ZOS
BASED UPON CONNECTION USING SYSTEM AUTHID ZPROXY
ATTRIBUTES (
ADDRESS '10.10.10.10'
)
NO DEFAULT ROLE
ENABLE
WITH USE FOR PUBLIC WITHOUT AUTHENTICATION;

In this definition, CTX_LUW_ZOS is an arbitrary name for the trusted context object. The object contains the proxy user ID and the IP address of the server from which the trusted connection must originate. In this example, the server the Db2 LUW database on AWS. You can use the domain name instead of the IP address. The clause WITH USE FOR PUBLIC WITHOUT AUTHENTICATION indicates that switching the user ID on a trusted connection is allowed for every user ID. A password doesn't need to be provided.

DBA

Related resources

Additional information

Db2 trusted contexts

A trusted context is a Db2 database object that defines a trust relationship between a federated server and a remote database server. To define a trusted relationship, the trusted context specifies trust attributes. There are three types of trust attributes:

The system authorization ID that makes the initial database connection request
The IP address or domain name from which the connection is made
The encryption setting for data communications between the database server and the database client

A trusted connection is established when all attributes of a connection request match the attributes specified in any trusted context object defined on the server. There are two types of trusted connections: implicit and explicit. After an implicit trusted connection is established, a user inherits a role that isn't available to them outside the scope of that trusted connection definition. After an explicit trusted connection is established, users can be switched on the same physical connection, with or without authentication. In addition, Db2 users can be granted roles that specify privileges that are for use only within the trusted connection. This pattern uses an explicit trusted connection.

Trusted context in this pattern

After the pattern is complete, PERSON1 on Db2 LUW accesses remote data from Db2 z/OS by using a federated trusted context. The connection for PERSON1 is established through a proxy user if the connection originates from the IP address or domain name that is specified in the trusted context definition. After the connection is established, PERSON1's corresponding Db2 z/OS user ID is switched without re-authentication, and the user can access the data or objects based on the Db2 privileges set up for that user.

Benefits of federated trusted contexts

This approach maintains the principle of least privilege by eliminating the use of a common user ID or application ID that would need a superset of all the privileges required by all users.
The real identity of the user who performs the transaction on both the federated and remote database is always known and can be audited.
Performance improves because the physical connection is being reused across the users without the need for the federated server to re-authenticate.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Schedule jobs for Amazon RDS and Aurora PostgreSQL

Send notifications for RDS for SQL Server using an on-premises SMTP server