PQ74697: USERS WITH WEBSPHERE MQ JMS CONNECTION FACTORY RESOURCES CREATED IN BINDINGS MODE WILL NOT RUN WITH 'RUNAS' IDENTITY
APAR status
Closed as program error.

Error description
Options are currently limited when performing authentication and authorization from within WebSphere onto a WebSphere MQ JMS (i.e., external MQ) provider resource. It is not presently possible to use the current RunAs identity (also referred to as "Thread Identity") as the authentication ID for authorization to a WebSphere MQ JMS provider connection factory resource defined with a Transport Type of "Bindings".

Until the full support for the Thread Identity authentication option is added to WebSphere for z/OS V5, (via this apar) the server ID will be used in place of the RunAs identity.

Local fix
Users with WebSphere MQ JMS connection factory resources created in bindings mode (i.e. Transport Type set to "Bindings") should grant their WebSphere server ID authorization to the appropriate MQ resources.

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: RunAs identity can not be used to       *
*                      perform authentication and              *
*                      authorization to an external WebSphere  *
*                      MQ JMS resource. The userid which the   *
*                      application server runs under is used   *
*                      instead of the RunAs id. Possible       *
*                      MQJMS2013 error code returned from      *
*                      WebSphere MQ if server id has not been  *
*                      granted authority to the MQ resource.   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere V5.0 for z/OS provides a variety of options for selecting the userid to use to perform authentication and authorization to an EIS resource such as WebSphere MQ. This problem applies in the following scenario:

* Application declares a resource reference to a JMS Connection Factory and chooses Resource Authentication of "Container" (and not "Application").
* The resource used to resolve this resource reference:
  * Is a WebSphere MQ JMS resource (not WebSphere JMS)
  * Is defined with Transport Type = "BINDINGS"
  * Does NOT have either a Container-managed or Component-managed authentication alias defined.

In such a scenario, the "Thread Identity" authentication option should take precedence which is another way of saying that the RunAs identity will be used to perform authentication and authorization to the WebSphere MQ resource. Currently, though, the Thread Identity support is not functional and so the userid of the server will be used in place of the RunAs id. This problem could surface as a MQJMS2013 error code returned from WebSphere MQ if the server id has not been granted authority to the WebSphere MQ resource.

Problem conclusion
Thread Identity support is now fully functional. This APAR, which enables Thread Identity support for WebSphere MQ JMS resources has a prerequisite of PQ74701 (delivered in the same PTF as this APAR), which enables Thread Identity support on WebSphere V5.0 for z/OS for connecting to EIS Resources. APAR PQ74697 is associated with SERVICE LEVEL W500103 of WebSphere Application Server V5.0 for z/OS.

Temporary fix

Comments
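
The scenario described in the problem summary, written as a small audit check. This is an added illustration, not part of the APAR or of IBM's code: it reports which resource references fall in this APAR's scope, which ID they present to WebSphere MQ before and after the fix, and whether an MQJMS2013 failure is possible. The inventory field names, user IDs and queue name are constructed assumptions.

```python
# Added example. Field names are hypothetical; all sample values are constructed.

def in_scope(ref):
    """True when a resource reference matches the scenario listed in the APAR."""
    return (ref["res_auth"] == "Container"
            and ref["provider"] == "WebSphere MQ JMS"
            and ref["transport"].upper() == "BINDINGS"
            and not ref.get("container_alias")
            and not ref.get("component_alias"))

def connecting_id(ref, server_id, runas_id, apar_applied):
    """ID presented to WebSphere MQ, or None when the scenario does not apply."""
    if not in_scope(ref):
        return None
    # Without the fix, Thread Identity is not functional: the server ID is used.
    return runas_id if apar_applied else server_id

def audit(refs, server_id, runas_id, mq_grants, apar_applied):
    """List in-scope references with the connecting ID and its MQ authority."""
    findings = []
    for ref in refs:
        uid = connecting_id(ref, server_id, runas_id, apar_applied)
        if uid is None:
            continue
        authorized = uid in mq_grants.get(ref["mq_resource"], set())
        findings.append({"ref": ref["name"], "connects_as": uid,
                         "possible_mqjms2013": not authorized})
    return findings

# Constructed inventory: only the first entry matches every condition.
REFS = [
    {"name": "jms/OrdersCF", "res_auth": "Container",
     "provider": "WebSphere MQ JMS", "transport": "BINDINGS",
     "mq_resource": "ORDERS.QUEUE"},
    {"name": "jms/AuditCF", "res_auth": "Container",
     "provider": "WebSphere MQ JMS", "transport": "BINDINGS",
     "container_alias": "auditAlias", "mq_resource": "ORDERS.QUEUE"},
    {"name": "jms/RemoteCF", "res_auth": "Container",
     "provider": "WebSphere MQ JMS", "transport": "CLIENT",
     "mq_resource": "ORDERS.QUEUE"},
]
# Constructed MQ authorizations: only the RunAs ID has been granted access.
GRANTS = {"ORDERS.QUEUE": {"APPUSER1"}}

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, audit(REFS, "WASSRV", "APPUSER1", GRANTS, fixed))
```

With the constructed grants, the unfixed server connects as the server ID and is flagged, which is the case the local fix addresses by authorizing the server ID.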
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Document Information
Current web document: swg1PQ74697.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ74697
IBM Group: Software Group
Modified date: Aug 8, 2003
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.