shimac-jp

Reputation: 233

How do I set the JDBC driver's securityMechanism property with TLS_CLIENT_CERTIFICATE_SECURITY option on Liberty?

I tried to set the JDBC driver's securityMechanism property with the TLS_CLIENT_CERTIFICATE_SECURITY option on WebSphere Liberty®, referring to the following IBM® Knowledge Center, but got a CWWKG0032W warning message when I started WebSphere Liberty (beta for July 2015).

Can you show me how to set the JDBC driver's securityMechanism property with the TLS_CLIENT_CERTIFICATE_SECURITY option on WebSphere Liberty?

IBM Data Server Driver for JDBC and SQLJ support for certificate authentication

The IBM® Data Server Driver for JDBC and SQLJ provides support for client support for certificate authentication for connections to DB2® for z/OS® Version 10 or later data servers.

console.log when the WebSphere Liberty server started

CWWKG0032W: Unexpected value specified for property
            [securityMechanism], value = [18]. Expected value(s) are:
            [3][4][7][9][11][12][13][15][16].

securityMechanism="18" is TLS_CLIENT_CERTIFICATE_SECURITY; I confirmed the value as follows:

>javac -classpath .;db2jcc4.jar; JDBCCheck.java
>java -classpath .;db2jcc4.jar; JDBCCheck
  TLS_CLIENT_CERTIFICATE_SECURITY: 18

JDBCCheck class:

class JDBCCheck{
  public static void main(String args[]){
    com.ibm.db2.jcc.DB2SimpleDataSource dataSource =
                                   new com.ibm.db2.jcc.DB2SimpleDataSource();
    System.out.println( "TLS_CLIENT_CERTIFICATE_SECURITY: "
                        + dataSource.TLS_CLIENT_CERTIFICATE_SECURITY);
  }
}

server.xml:

<library id="db2-library">
  <fileset dir="lib" id="db2-fileset" includes="db2jcc4.jar db2jcc_license_cu.jar"/>
</library>

<dataSource id="db2" jndiName="jdbc/sampledb">
  <jdbcDriver libraryRef="db2-library"/>
  <properties.db2.jcc databaseName="SAMPLEDB" password="password" portNumber="10443"
              serverName="XX.XX.XX.XX" user="db2inst1" sslConnection="true"
              sslTrustStoreLocation="ssld/defaultTrustStore"
              sslTrustStorePassword="trustpassword" securityMechanism="18"/>
</dataSource>

Update 01:

Upvotes: 5

Views: 8623

Answers (3)

Abhishek Jha

Reputation: 131

Here is the code to set the security mechanism with user ID and encrypted password to make a DB2 connection. Pass the user name, password, and URL string.

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;
import com.ibm.db2.jcc.DB2BaseDataSource;

// user, password and url are supplied by the caller
Properties properties = new Properties();   // Create a Properties object
properties.put("user", user);               // Set user ID for the connection
properties.put("password", password);       // Set password for the connection
// Set security mechanism to user ID and encrypted password
properties.put("securityMechanism",
    Integer.toString(DB2BaseDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY));
properties.put("encryptionAlgorithm", "2"); // 2 = 256-bit AES (1 = 56-bit DES)

Connection connection = DriverManager.getConnection("jdbc:db2://" + url, properties);

Upvotes: 1

M. A. Kishawy

Reputation: 5079

Another way of setting TLS_CLIENT_CERTIFICATE_SECURITY is:

com.ibm.db2.jcc.DB2SimpleDataSource dataSource =
    new com.ibm.db2.jcc.DB2SimpleDataSource();
dataSource.setSecurityMechanism(
    com.ibm.db2.jcc.DB2BaseDataSource.TLS_CLIENT_CERTIFICATE_SECURITY);

Check this IBM® Knowledge Center for more info:

IBM Data Server Driver for JDBC and SQLJ support for certificate authentication

This should work with both WebSphere Full Profile and WebSphere Liberty Profile.

Upvotes: 1

Andy Guibert

Reputation: 42926

Based on this topic in IBM® Knowledge Center: Java EE Full Platform 7.0 section: transaction > dataSource > properties.db2.jcc

Currently WebSphere Liberty only supports the following values for securityMechanism:

  • value="3" name="CLEAR_TEXT_PASSWORD_SECURITY"
  • value="4" name="USER_ONLY_SECURITY"
  • value="7" name="ENCRYPTED_PASSWORD_SECURITY"
  • value="9" name="ENCRYPTED_USER_AND_PASSWORD_SECURITY"
  • value="11" name="KERBEROS_SECURITY"
  • value="12" name="ENCRYPTED_USER_AND_DATA_SECURITY"
  • value="13" name="ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY"
  • value="15" name="PLUGIN_SECURITY"
  • value="16" name="ENCRYPTED_USER_ONLY_SECURITY"

If you would like to have TLS_CLIENT_CERTIFICATE_SECURITY added as a securityMechanism in Liberty, I would recommend opening an RFE so that Liberty development is aware of the demand for supporting this.

Update:
To work around this, you can still specify securityMechanism="18", but just do so in a generic <properties> element as opposed to the DB2-specific <properties.db2.jcc> element (which it looks like you have figured out already).

Upvotes: 2
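
The workaround from the answer above, written out as a server.xml fragment (an added example, not part of the original posts). It reuses the question's own placeholder values and changes only the properties element; keystore settings for the client certificate itself are not covered on this page and are not shown.

```xml
<!-- Added example. All attribute values are the placeholders from the question. -->
<library id="db2-library">
  <fileset dir="lib" id="db2-fileset" includes="db2jcc4.jar db2jcc_license_cu.jar"/>
</library>

<!-- Before: the DB2-specific element checks securityMechanism against
     3, 4, 7, 9, 11, 12, 13, 15 and 16, so the value 18 is reported
     with CWWKG0032W when the server starts. Kept here commented out. -->
<!--
<dataSource id="db2" jndiName="jdbc/sampledb">
  <jdbcDriver libraryRef="db2-library"/>
  <properties.db2.jcc databaseName="SAMPLEDB" password="password" portNumber="10443"
              serverName="XX.XX.XX.XX" user="db2inst1" sslConnection="true"
              sslTrustStoreLocation="ssld/defaultTrustStore"
              sslTrustStorePassword="trustpassword" securityMechanism="18"/>
</dataSource>
-->

<!-- After: the same attributes in the generic properties element, as the
     answer describes, so securityMechanism="18"
     (TLS_CLIENT_CERTIFICATE_SECURITY) can be specified. -->
<dataSource id="db2" jndiName="jdbc/sampledb">
  <jdbcDriver libraryRef="db2-library"/>
  <properties databaseName="SAMPLEDB" password="password" portNumber="10443"
              serverName="XX.XX.XX.XX" user="db2inst1" sslConnection="true"
              sslTrustStoreLocation="ssld/defaultTrustStore"
              sslTrustStorePassword="trustpassword" securityMechanism="18"/>
</dataSource>
```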
