WebSphere Application Server for z/OS allows you to assign a thread identifier as an owner of a connection, when you first obtain the connection. The thread identity function only applies to J2EE Connector Architecture (JCA) resource adapters and Relational Resource Adapter (RRA) wrappered Java Database Connectivity (JDBC) providers that support the use of thread identity for connection ownership.
In this article, the term thread identity refers to the J2EE Identity (such as the RunAs Identity), as opposed to the OS thread identity. Refer to Synchronizing a Java thread identity and an operating system thread identity and Understanding Connection Manager RunAs Identity Enabled and operating system security for more information.
The following table lists the JCA resource adapter, the JDBC provider, and the WebSphere MQ JMS Provider configurations that support thread identity and operating system (OS) thread security. It also provides the level of thread identity support:
Connectors | Thread identity support | OS thread security |
---|---|---|
IMS Connector - local ConnectionFactory configuration | ALLOWED | Does not use |
IMS Connector - remote ConnectionFactory configuration | NOTALLOWED | Does not use |
CTG CICSECIConnector - local ConnectionFactory configuration | ALLOWED | Does not use |
CTG CICSECIConnector - remote ConnectionFactory configuration | NOTALLOWED | Does not use |
IMS JDBC Connector - local ConnectionFactory configuration (By default, IMS JDBC only supports this type of configuration.) | REQUIRED | Uses |
RRA DB2 for z/OS local JDBC provider - data sources configured to the local DB2 | ALLOWED | Uses |
RRA DB2 Universal JDBC Driver Provider using Type 2 connectivity | ALLOWED | Uses |
RRA DB2 Universal JDBC Driver Provider using Type 4 connectivity | NOTALLOWED | Does not use |
WebSphere Application Server for z/OS allows resource adapters and JDBC providers to define the level of thread identity support for the defined connection factories or data sources. The level of support can be:
The thread identity function is only available in those server configurations where JCA connectors or JDBC providers access local z/OS resources through callable (not TCP/IP) interfaces. So, for example, CICS and IMS provide thread identity support only if the target CICS or IMS is configured on the same system as the z/OS WebSphere Application Server.
To use thread identity when getting connections to a connection factory or JDBC data source for your application, you must specify resauth=Container for the connection factory or JDBC data source. Use the Application Assembly Tool (AAT) or WebSphere Studio Application Developer Integration Edition (WSADIE) to indicate the resauth=Container setting.
When the level of thread identity support provided by the connector configuration is ALLOWED, if you want to use thread identity for the connections, you cannot specify a Container-managed alias when you define the connection factory or JDBC data source. If you specify a Container-managed alias, the user ID defined by the alias is assigned as the owning user ID for the connections obtained by the application.
For resauth=Container ALLOWED and REQUIRED configurations where no container-managed alias is defined on the connection factory, the servant process identity is the connection owner.
When the JDBC provider supports thread identity, the thread identity function is only used when data sources configured for that provider are used by Version 2.0 EJB modules and Version 2.3 servlets.
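The following check is an added example, not part of the original documentation or of WebSphere itself. It scans a module's deployment descriptor and reports every resource reference that is not set to Container authentication, and so cannot use thread identity as described above. It assumes the resauth=Container setting is stored as the standard J2EE res-auth element of a resource-ref in web.xml (Servlet 2.3) or ejb-jar.xml (EJB 2.0); the sample descriptors and resource names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the original page).
# Servlet 2.3 and EJB 2.0 descriptors are DTD-based, so elements carry no XML namespace.
SAMPLE_WEB_XML = """<web-app>
  <resource-ref>
    <res-ref-name>jdbc/OrdersDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  <resource-ref>
    <res-ref-name>eis/LegacyCF</res-ref-name>
    <res-type>javax.resource.cci.ConnectionFactory</res-type>
    <res-auth>Application</res-auth>
  </resource-ref>
</web-app>"""

SAMPLE_EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>BillingBean</ejb-name>
      <resource-ref>
        <res-ref-name>jdbc/BillingDS</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
      </resource-ref>
    </session>
  </enterprise-beans>
</ejb-jar>"""


def audit_res_auth(descriptor_xml):
    """Return (res-ref-name, res-auth) for every resource-ref that is not Container."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    # iter() walks the whole tree, so refs nested under session/entity beans are found too.
    for ref in root.iter("resource-ref"):
        name = (ref.findtext("res-ref-name") or "<unnamed>").strip()
        auth = (ref.findtext("res-auth") or "").strip()
        if auth != "Container":
            findings.append((name, auth or "<missing>"))
    return findings


if __name__ == "__main__":
    for label, text in (("web.xml", SAMPLE_WEB_XML), ("ejb-jar.xml", SAMPLE_EJB_JAR_XML)):
        for name, auth in audit_res_auth(text):
            print(f"{label}: {name} has res-auth={auth}; thread identity will not apply")
```

The descriptor only covers the application side. Whether a container-managed alias is defined on the connection factory or data source is part of the server configuration and has to be checked there.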
WebSphere Application Server for z/OS also allows supported resource adapters and JDBC providers to enable OS thread security in conjunction with thread identity support. You can use OS thread security when:
You can configure the server to allow Connection Manager RunAs Identity Enabled support by navigating through the following panels in the administrative console:
Security > Global Security
On the Global Security panel, check the box entitled, Connection Manager RunAs Identity Enabled, and then select Apply.
If:
Users of previous versions of WebSphere Application Server for z/OS will note that the instructions for enabling OS Thread Security have changed. Previously, OS Thread Security was enabled using a checkbox named Enable Synch to Thread. Users who wish to enable OS Thread Security must now use the checkbox named Connection Manager RunAs Identity Enabled.