[Version 5.0.2 and later] Using thread identity support

Why and when to perform this task

[Version 5.0.2 and later] In this article, the term thread identity refers to the J2EE identity (such as the RunAs identity), as opposed to the OS thread identity. Refer to "Synchronizing a Java thread identity and an operating system thread identity" and "Understanding Connection Manager RunAs Identity Enabled and operating system security" for more information.

Perform the following steps to enable the thread identity function for the connection factories or JDBC provider data sources created with the supported JCA resource adapters and JDBC providers:

Steps for this task

  1. Define resauth=Container for the application resource reference (the equivalent for CMPs is resourceAuthorization=Container).

  2. Ensure the JCA resource adapters, WebSphere MQ JMS Provider, or JDBC providers support the thread identity function.

    Review the supported resource adapters and datasource providers, and the level of support: REQUIRED, ALLOWED, and NOTALLOWED.

    If the adapter or provider is not listed, then thread identity support is NOTALLOWED, by default.

  3. Set the Container-managed authentication alias to NULL, if you configure the connector locally.

    When the connector is configured locally, the resource adapter determines the level of thread identity support as ALLOWED. If thread identity support is allowed and you specify Container-managed authentication alias as NULL, the connector uses the current thread identity as the owner for each connection that is created.

    When the resource adapter, WebSphere MQ JMS Provider, or JDBC provider determines that the level of thread identity support is REQUIRED, any specification for the Container-managed authentication alias is ignored. Thread identity support in this case always applies.

  4. Determine connector behavior when global security is a factor.

    [5.0 only] [Version 5.0.1] [Version 5.0.2] If you want the thread identity associated with a connection to be the identity, then you must enable global security. In the case of connectors that support the thread identity function and use operating system thread security, you must .

    Note: With Bean-Managed Persistence (BMP) beans, if you obtain a connection under the ejbLoad() or ejbStore() functions during pre-invoke or post-invoke method processing, your thread identity support does not become the RunAs identity because the container during this processing is running under server identity. With BMP beans, instead of using thread identity, specify a Container-managed alias to associate the user with the connection.

  5. (Optional) [Version 5.0.2 and later] Set the security.zOS.session.OMVSSRV custom property to true.

    When the thread identity support is used, a security credential that is based on the current thread identity encapsulates the security information for the user that is associated with the connection. By default, the session type associated with the user is TSO. If you have WebSphere Application Server for z/OS users that use the thread identity support, you must define the users as TSO users. If you prefer not to define the users as TSO users, you can use the security.zOS.session.OMVSSRV custom property, which changes the session type for the user identity in the security credential from TSO to OMVSSRV. However, if you use the user information for authentication at the target EIS, such as IMS, the user must be an authorized OMVSSRV user.

    To specify the custom property, complete the following steps:

    1. Click Security > Global Security > Custom Properties.
    2. Click New.
    3. In the Name field, type security.zOS.session.OMVSSRV

      Note: This custom property name is case sensitive.

    4. In the Value field, type true
    5. Click Apply and Save.
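
The rules in steps 1 through 3 can be checked against a deployment descriptor before deployment. The following sketch is an added example, not IBM code: it reads the res-auth value of each resource reference and reports which identity would own the connections. The descriptor, the reference names, the alias name and the SETTINGS table (support level and Container-managed alias per reference, as an administrator would read them from the configuration) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor, trimmed to the elements the check reads.
SAMPLE = """<ejb-jar><enterprise-beans><session>
<resource-ref><res-ref-name>jdbc/OrdersDS</res-ref-name><res-auth>Container</res-auth></resource-ref>
<resource-ref><res-ref-name>jdbc/AuditDS</res-ref-name><res-auth>Container</res-auth></resource-ref>
<resource-ref><res-ref-name>eis/Legacy</res-ref-name><res-auth>Application</res-auth></resource-ref>
<resource-ref><res-ref-name>jms/Unlisted</res-ref-name><res-auth>Container</res-auth></resource-ref>
</session></enterprise-beans></ejb-jar>"""

# Assumed settings per reference: (support level, Container-managed alias).
# None stands for an alias set to NULL. All names here are constructed.
SETTINGS = {
    "jdbc/OrdersDS": ("ALLOWED", None),
    "jdbc/AuditDS": ("ALLOWED", "auditAlias"),
    "eis/Legacy": ("REQUIRED", None),
}

def local(tag):
    """Drop an XML namespace prefix, if the descriptor uses one."""
    return tag.rsplit("}", 1)[-1]

def resource_refs(xml_text):
    """Map each res-ref-name in the descriptor to its res-auth value."""
    refs = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "resource-ref":
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            refs[fields.get("res-ref-name", "")] = fields.get("res-auth", "")
    return refs

def connection_owner(res_auth, level, alias):
    """Apply steps 1 to 3 of this task to one resource reference."""
    if res_auth != "Container":
        return "step 1 not met"        # resauth=Container is the prerequisite
    if level == "REQUIRED":
        return "thread identity"       # any alias is ignored
    if level == "ALLOWED":
        return "thread identity" if alias is None else "alias"
    return "no thread identity"        # NOTALLOWED

def audit(xml_text, settings):
    """Report the connection owner for every resource reference."""
    report = {}
    for name, res_auth in resource_refs(xml_text).items():
        # Step 2: an adapter or provider that is not listed is NOTALLOWED.
        level, alias = settings.get(name, ("NOTALLOWED", None))
        report[name] = connection_owner(res_auth, level, alias)
    return report

if __name__ == "__main__":
    for name, owner in audit(SAMPLE, SETTINGS).items():
        print(f"{name}: {owner}")
```

The check does not model global security (step 4) or the BMP ejbLoad() and ejbStore() case described in the note above.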

Related concepts
Connection thread identity
Related reference
Security states with thread identity support



Searchable topic ID:   conthidep
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tdat_conthidep.html