To enable syncToOSThread on Liberty, you use the
appSecurity-1.0 and zosSecurity-1.0 features with
additional configuration.
Before you begin
Enabling syncToOSThread support requires
the appSecurity-1.0 and zosSecurity-1.0 features. You must also define the syncToOSThread configuration element. In addition, you must use the SAF registry
for authentication, and authorized SAF services must be available.
Because syncToOSThread support requires authorized
SAF services, the angel process must be up and running and the server
must be connected to it. For more information about the angel process,
see Process types on z/OS.
Procedure
- Configure the application to use syncToOSThread by adding the following env-entry to the application's
deployment descriptor:
  <env-entry>
    <env-entry-name>com.ibm.websphere.security.SyncToOSThread</env-entry-name>
    <env-entry-type>java.lang.Boolean</env-entry-type>
    <env-entry-value>true</env-entry-value>
  </env-entry>
- Configure the server to enable syncToOSThread for applications by adding the appSecurity-1.0 and zosSecurity-1.0 features, and defining
the syncToOSThread configuration element with
attribute appEnabled="true". Additionally, ensure
that the SAF registry is used for authentication:
  <featureManager>
    <feature>appSecurity-1.0</feature>
    <feature>zosSecurity-1.0</feature>
  </featureManager>
  <safRegistry id="saf" />
  <syncToOSThread appEnabled="true" />
- Grant the server permission to perform syncToOSThread operations by configuring your SAF product with either of the following
profiles:
  - Grant the user ID of the server CONTROL access to the BBG.SYNC.<profilePrefix> profile in the FACILITY class. This allows
  the server to sync any RunAs identity with the OS identity:
    PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(CONTROL) CLASS(FACILITY)
  - Grant the user ID of the server READ access to the BBG.SYNC.<profilePrefix> profile in
  the FACILITY class. Additionally, grant the user ID of the server
  READ access to one or more BBG.SYNC.<runAsUserId> profiles in the SURROGAT class, one for each RunAs identity
  to be synchronized with the OS identity:
    PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(READ) CLASS(FACILITY)
    PERMIT BBG.SYNC.<runAsUserId> ID(<serverUserId>) ACCESS(READ) CLASS(SURROGAT)
Note: The <profilePrefix> is by default "BBGZDFLT" and can be configured by using the <safCredentials
profilePrefix="xx"> element in your configuration file.
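The following check is an added example, not IBM or Liberty tooling: it verifies that a server.xml and a deployment descriptor carry the settings from the procedure above, and builds the PERMIT commands for the narrower READ plus SURROGAT option so that only named RunAs identities can be synchronized. The function names and the sample user IDs LIBSRV and APPUSR1 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED_FEATURES = {"appSecurity-1.0", "zosSecurity-1.0"}
ENV_NAME = "com.ibm.websphere.security.SyncToOSThread"
DEFAULT_PREFIX = "BBGZDFLT"  # default profilePrefix stated in the note above

def _all(root, name):
    # Match on local name so descriptors with an xmlns declaration also work.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(parent, name):
    hits = _all(parent, name)
    return (hits[0].text or "").strip() if hits else ""

def check_server(server_xml):
    """Return (problems, profile_prefix) for the text of a server.xml."""
    root = ET.fromstring(server_xml)
    enabled = {(f.text or "").strip() for f in _all(root, "feature")}
    problems = [f"feature {m} is not enabled" for m in sorted(REQUIRED_FEATURES - enabled)]
    if not _all(root, "safRegistry"):
        problems.append("safRegistry is not configured")
    if not any(s.get("appEnabled") == "true"
               for s in _all(root, "syncToOSThread")):
        problems.append('syncToOSThread appEnabled="true" is missing')
    creds = _all(root, "safCredentials")
    prefix = creds[0].get("profilePrefix", DEFAULT_PREFIX) if creds else DEFAULT_PREFIX
    return problems, prefix

def app_requests_sync(descriptor_xml):
    """True if the deployment descriptor sets the SyncToOSThread env-entry."""
    root = ET.fromstring(descriptor_xml)
    return any(_text(e, "env-entry-name") == ENV_NAME
               and _text(e, "env-entry-value") == "true"
               for e in _all(root, "env-entry"))

def scoped_permits(prefix, server_user, run_as_users):
    """PERMIT commands for the READ + SURROGAT option, one per RunAs ID."""
    cmds = [f"PERMIT BBG.SYNC.{prefix} ID({server_user}) ACCESS(READ) CLASS(FACILITY)"]
    cmds += [f"PERMIT BBG.SYNC.{u} ID({server_user}) ACCESS(READ) CLASS(SURROGAT)"
             for u in run_as_users]
    return cmds

if __name__ == "__main__":
    # Constructed sample: the page's server.xml fragment wrapped in <server>; IDs are made up.
    sample = ('<server><featureManager><feature>appSecurity-1.0</feature>'
              '<feature>zosSecurity-1.0</feature></featureManager>'
              '<safRegistry id="saf"/><syncToOSThread appEnabled="true"/></server>')
    problems, prefix = check_server(sample)
    print(problems or "server.xml OK", *scoped_permits(prefix, "LIBSRV", ["APPUSR1"]), sep="\n")
```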
For more information about syncToOSThread, see Java™ thread
identity and an operating system thread identity