To enable syncToOSThread for J2C connections on Liberty, you use the
appSecurity-1.0 and zosSecurity-1.0 features with
additional configuration.
Before you begin
Enabling syncToOSThread support for J2C connections requires the
appSecurity-1.0 and zosSecurity-1.0 features. You must
also define the syncToOSThread configuration element. In addition, you must use
the SAF registry for authentication, and authorized SAF services must be available.
Because syncToOSThread support requires authorized SAF services, the angel
process must be up and running and the server must be connected to it. For more information about
the angel process, see Process types on z/OS.
Procedure
- Configure the server to enable syncToOSThread for J2C connections by
adding the appSecurity-1.0 and zosSecurity-1.0 features
and defining the syncToOSThread configuration element with the attribute
j2cEnabled="true". Additionally, ensure that the SAF registry is used for
authentication:
    <featureManager>
        <feature>appSecurity-1.0</feature>
        <feature>zosSecurity-1.0</feature>
    </featureManager>
    <safRegistry id="saf" />
    <syncToOSThread j2cEnabled="true" />
Note:
- For connections that use a resource that specifies res-auth=container, setting
j2cEnabled=true enables syncToOSThread for type-2 J2C
connections. Enabling syncToOSThread synchronizes the Java™ RunAs identity with the OS identity when the
connection is established. The connection is thereby associated with the OS identity and is assigned the same
permissions and privileges as the OS identity.
- Do not specify a JAAS alias for the data source if you want to use
syncToOSThread. A JAAS alias, if defined, overrides the OS identity.
- Grant the server permission to perform syncToOSThread operations by
configuring your SAF product with either of the following profile setups:
  - Grant the userid of the server CONTROL access to the
BBG.SYNC.<profilePrefix> profile in the FACILITY class. This allows the server
to sync any RunAs identity with the OS
identity:
        PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(CONTROL) CLASS(FACILITY)
  - Grant the userid of the server READ access to the
BBG.SYNC.<profilePrefix> profile in the FACILITY class.
Additionally, grant the userid of the server READ access to one or more
BBG.SYNC.<runAsUserId> profiles in the SURROGAT class, one
for each RunAs identity to be synchronized with the OS
identity:
        PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(READ) CLASS(FACILITY)
        PERMIT BBG.SYNC.<runAsUserId> ID(<serverUserId>) ACCESS(READ) CLASS(SURROGAT)
Note: The <profilePrefix> is "BBGZDFLT" by default and can be configured
by using the <safCredentials profilePrefix="xx"> element in your configuration
file.
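The following server.xml brings the configuration step and the profilePrefix note together in one place. It is an added example, not configuration from the original page or from IBM: the jdbc-4.1 feature, the prefix value MYPREFIX, the library path, the jar names, the JNDI name and the database name are assumptions chosen for illustration. With this configuration the FACILITY profile the server must be permitted to is BBG.SYNC.MYPREFIX rather than BBG.SYNC.BBGZDFLT, and the data source deliberately carries no container-managed authentication alias so that the OS identity is the one used.

```xml
<server description="syncToOSThread for type-2 J2C connections (added example)">
    <featureManager>
        <feature>appSecurity-1.0</feature>
        <feature>zosSecurity-1.0</feature>
        <!-- Assumption: a JDBC feature is needed for the data source below -->
        <feature>jdbc-4.1</feature>
    </featureManager>

    <!-- SAF must be the user registry; syncToOSThread requires it -->
    <safRegistry id="saf" />

    <!-- Hypothetical prefix: the FACILITY profile becomes BBG.SYNC.MYPREFIX.
         Omit this element to keep the default prefix BBGZDFLT. -->
    <safCredentials profilePrefix="MYPREFIX" />

    <!-- Synchronize the RunAs identity with the OS identity for J2C connections -->
    <syncToOSThread j2cEnabled="true" />

    <!-- Type-2 DB2 JCC driver; directory, jar names and database are placeholders -->
    <library id="db2Lib">
        <fileset dir="/path/to/db2/jcc" includes="db2jcc4.jar db2jcc_license_cisuz.jar" />
    </library>
    <dataSource id="db2ds" jndiName="jdbc/db2">
        <jdbcDriver libraryRef="db2Lib" />
        <!-- No containerAuthDataRef here: a container-managed alias would
             override the OS identity that syncToOSThread establishes -->
        <properties.db2.jcc driverType="2" databaseName="SAMPLE" />
    </dataSource>
</server>
```

The application that uses jdbc/db2 must still declare res-auth=Container in its resource reference; with res-auth=Application the connection is authenticated by the credentials the application supplies, and syncToOSThread does not apply to it.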
For more information about syncToOSThread, see information about Java thread
identity and operating system thread identity in the WebSphere Application Server for z/OS
documentation.