[Version 5.0.2 and later]Connection thread identity

WebSphere Application Server for z/OS allows you to assign a thread identifier as an owner of a connection, when you first obtain the connection. The thread identity function only applies to J2EE Connector Architecture (JCA) resource adapters and Relational Resource Adapter (RRA) wrappered Java Database Connectivity (JDBC) providers that support the use of thread identity for connection ownership.

[Version 5.0.2 and later]In this article the term thread identity refers to the J2EE Identity (such as the RunAs Identity), as opposed to the OS thread identity. Refer to Synchronizing a Java thread identity and an operating system thread identity and Understanding Connection Manager RunAs Identity Enabled and operating system security for more information.

The following table lists the JCA resource adapter, the JDBC provider, and the WebSphere MQ JMS Provider configurations that support thread identity and operating system (OS) thread security . It also provides the level of thread identity support:

Connectors Thread identity support thread security
IMS Connector - local ConnectionFactory configuration ALLOWED Does not use
IMS Connector - remote ConnectionFactory configuration NOTALLOWED Does not use
CTG CICSECIConnector - local ConnectionFactory configuration ALLOWED Does not use
CTG CICSECIConnector - remote ConnectionFactory configuration NOTALLOWED Does not use
IMS JDBC Connector - local ConnectionFactory configuration (By default, IMS JDBC only supports this type of configuration.) REQUIRED Uses
RRA DB2 for z/OS local JDBC provider - data sources configured to the local DB2 ALLOWED Uses
RRA DB2 Universal JDBC Driver Provider using Type 2 connectivity ALLOWED Uses
RRA DB2 Universal JDBC Driver Provider using Type 4 connectivity NOTALLOWED Does not use


WebSphere Application Server for z/OS allows resource adapters and JDBC providers to define the level of thread identity support for the defined connection factories or data sources. The level of support can be:

The thread identity function is only available in those server configurations where JCA connectors or JDBC providers access local z/OS resources through callable (not TCP/IP) interfaces. So, for example, CICS and IMS provide thread identity support only if the target CICS or IMS is configured on the same system as the z/OS WebSphere Application Server.

To use thread identity when getting connections to a connection factory or JDBC data source for your application, you must specify resauth=Container for the connection factory or JDBC data source. Use the the Application Assembly Tool (AAT) or WebSphere Studio Application Developer Integration Edition (WSADIE) to indicate the resauth=Container setting.

When the level of thread identity support provided by the connector configuration is ALLOWED, if you want to use thread identity for the connections, you cannot specify a Container-managed alias when you define the connection factory or JDBC data source. If you specify a Container-managed alias, the user ID defined by the alias is assigned as the owning user ID for the connections obtained by the application.

For resauth=Container ALLOWED and REQUIRED configurations where no container-managed alias is defined on the connection factory, the servant process identity is the connection owner.

When the JDBC provider supports thread identity, the thread identity function is only used when data sources configured for that provider are used by Version 2.0 EJB modules and Version 2.3 servlets.

WebSphere Application Server for z/OS also allows supported resource adapters and JDBC providers to enable OS thread security in conjunction with thread identity support. You can use OS thread security when:

[Version 5.0.2 and later]If:

then the current J2EE thread identity is synchronized with the OS thread identity. The J2EE thread identity becomes the owner of the connections obtained from the connection factory.

[Version 5.0.2 and later]Users of previous versions of WebSphere Application Server for z/OS will note that the instructions for enabling OS Thread Security have changed. Previously, OS Thread Security was enabled using a checkbox named Enable Synch to Thread. Users who wish to enable OS Thread Security must now use the checkbox named Connection Manager RunAs Identity Enabled


Related tasks
Using thread identity support
Related reference
Security states with thread identity support



Searchable topic ID:   conthid
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/cdat_conthid.html

Library | Support | Terms of Use | Feedback