Understanding Connection Manager RunAs Identity Enabled and operating system security
Operating system thread security: Under certain configurations
of J2EE Connector Architecture (JCA), Java Message Service (JMS), or Java
database connectivity (JDBC) connectors on WebSphere Application Server for
z/OS, the OS thread identity is the identity used to create the enterprise
information systems (EIS) connection. Refer to Connection thread identity for more information on which configurations
support OS thread security.
In this topic, such connector configurations are said to "use OS thread
security". By enabling Connection Manager Synch to OS Thread
support, the J2EE identity (the RunAs identity, for example) can be used to
obtain the EIS connection for connector configurations that use OS thread
security. The Connection Manager Synch to OS Thread support is enabled by
selecting the Connection Manager RunAs Identity Enabled checkbox. If the Connection
Manager RunAs Identity Enabled setting is not enabled, the connection to a
resource manager under a connector configuration that uses OS thread security
is obtained using the server identity if the thread identity is REQUIRED (which
serves as a default in this case). If the thread identity is not REQUIRED,
the container-managed or application-managed alias can be used to establish
the identity. See WebSphere Application Server for z/OS global security options for more information.
The WebSphere Connection Manager performs the operating system thread security-related
functions. The Connection Manager synchronizes the Java thread identity with
the OS thread identity (this Java thread identity corresponds to the J2EE
identity) before obtaining the EIS connection.
Refer to Synchronizing a Java thread identity and an operating system thread identity for
more information.
After the Connection Manager performs the synchronization, the OS thread
identity is temporarily replaced with the Java thread identity, and the Java
thread identity is the identity used to obtain the EIS connection. This means
that Connection Manager Synch to OS Thread support provides a way to obtain
an EIS connection using the Java thread identity (the RunAs identity, for
example). After obtaining the connection the Connection Manager restores the
previous OS thread identity.
Note:
- The application Synch to OS Thread Allowed setting is not relevant to
determining which identity is used to create a connection under a connector
configuration that supports OS thread security. Using thread identity support explains
which identity is used to create the connection; that choice is not changed
by the application Synch to OS Thread Allowed support. In particular,
for connector configurations that use OS thread security (but in which Connection
Manager RunAs Identity Enabled is disabled), the servant process identity
is used to create the connection regardless of the application Synch to OS
Thread Allowed setting or the current RunAs identity.
- Connection Manager Synch to OS Thread support is only relevant to obtaining
EIS Connections managed by WebSphere Connection Management. For example, Connection
Manager Synch to OS Thread support might be relevant to Java database connectivity
(JDBC) Connections obtained from application requests on DataSource objects
configured through WAS Admin and then looked up in Java Naming and Directory Interface
(JNDI). (Whether it applies depends on whether the specific DataSource instance
under a specific JDBC provider uses OS thread security.) However, Connection
Manager Synch to OS Thread support is not pertinent to JDBC Connections
obtained using the unmanaged DriverManager.getConnection(...) API.
Access to such unmanaged resources, for which authorization is performed
against the OS thread identity, might however be affected by the application Synch
to OS Thread Allowed support.
- Connection Manager Synch to OS Thread support is used (or not used) for
connection requests made by user-written code (such as JMS or JDBC calls from
a stateless session bean), connection requests made by certain components
of the WebSphere Application Server (such as the Message Driven Beans (MDB)
Listener), or connection requests made by tooling-generated code (such as
container-managed persistence (CMP) beans).
- Some (but not all) connector configurations that use the J2EE identity
also use OS thread security. Connector configurations such as the Customer
Information Control System (CICS) CTG connector in local mode use the J2EE
identity through a different Connection Manager mechanism to create
the EIS connection. That configuration does not use operating system thread
security.
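The identity-selection rules above (Connection Manager RunAs Identity Enabled on or off, thread identity REQUIRED or not, container- or application-managed alias) and the synchronize-then-restore sequence performed by the Connection Manager are easy to misread, so here is a small Python model of them. It is an added example written for this page, not IBM code; the class, field and function names, the servant identity "SERVANT1" and the sample users are constructed for illustration. The model also marks unmanaged DriverManager.getConnection(...) requests and configurations without OS thread security as out of scope, as the notes above state.

```python
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of the identity-selection rules this topic describes.
# All names below are assumptions for the example, not WebSphere APIs or
# configuration keys.

SERVER_IDENTITY = "SERVANT1"   # constructed servant (server) identity


@dataclass(frozen=True)
class ConnectorConfig:
    """One connector or DataSource configuration (constructed)."""
    uses_os_thread_security: bool     # per the Connection thread identity topic
    thread_identity_required: bool    # thread identity setting is REQUIRED
    alias: Optional[str] = None       # container- or application-managed alias user
    managed: bool = True              # False models DriverManager.getConnection(...)


@dataclass
class ThreadState:
    """Identities carried by one servant thread (constructed)."""
    os_identity: str = SERVER_IDENTITY     # OS thread identity, servant by default
    java_identity: str = SERVER_IDENTITY   # J2EE identity, e.g. the RunAs identity


@dataclass(frozen=True)
class Decision:
    identity: Optional[str]   # identity that will create the EIS connection
    mechanism: str            # which rule from the topic selected it


def resolve_connection_identity(cfg: ConnectorConfig, thread: ThreadState,
                                runas_identity_enabled: bool) -> Decision:
    """Apply the topic's rules to one connection request."""
    if not cfg.managed:
        # Unmanaged connections bypass the Connection Manager entirely.
        return Decision(None, "unmanaged: not pertinent")
    if not cfg.uses_os_thread_security:
        # A different Connection Manager mechanism applies; the setting is
        # not relevant to these configurations.
        return Decision(None, "no OS thread security: setting not relevant")
    if runas_identity_enabled:
        # The Java thread (RunAs) identity is synchronized to the OS thread
        # and used to obtain the connection.
        return Decision(thread.java_identity, "synch to OS thread")
    if cfg.thread_identity_required:
        # Not enabled and thread identity REQUIRED: the server identity is used,
        # regardless of the current RunAs identity.
        return Decision(SERVER_IDENTITY, "server identity")
    # Not enabled and not REQUIRED: the alias establishes the identity.
    return Decision(cfg.alias, "alias")


@contextmanager
def synch_to_os_thread(thread: ThreadState):
    """Temporarily replace the OS thread identity with the Java thread identity.

    The previous OS identity is restored afterwards. Restoring in a finally
    block, so that a failed connect cannot leave the RunAs identity on the
    thread, is this example's choice (an assumption, not a product statement).
    """
    previous = thread.os_identity
    thread.os_identity = thread.java_identity
    try:
        yield thread.os_identity
    finally:
        thread.os_identity = previous


def obtain_connection(cfg: ConnectorConfig, thread: ThreadState,
                      runas_identity_enabled: bool,
                      connect: Callable[[str], object]):
    """Obtain an EIS connection as the topic describes.

    `connect` is a constructed stand-in for the EIS connect call; it receives
    the identity under which the connection is created.
    """
    decision = resolve_connection_identity(cfg, thread, runas_identity_enabled)
    if decision.mechanism == "synch to OS thread":
        with synch_to_os_thread(thread) as ident:
            return connect(ident), decision
    if decision.identity is None:
        raise ValueError(f"Connection Manager not involved: {decision.mechanism}")
    return connect(decision.identity), decision


if __name__ == "__main__":
    cfg = ConnectorConfig(uses_os_thread_security=True, thread_identity_required=True)
    t = ThreadState(java_identity="ALICE")   # constructed RunAs identity
    for enabled in (True, False):
        conn, d = obtain_connection(cfg, t, enabled, lambda ident: f"conn:{ident}")
        print(f"RunAs Identity Enabled={enabled}: {conn} via {d.mechanism}; "
              f"OS thread identity afterwards={t.os_identity}")
```

Running the script shows the connection created as ALICE when the setting is enabled and as SERVANT1 when it is disabled, with the OS thread identity back at SERVANT1 in both cases; the `finally` restore is the part worth checking in any real sync-to-thread design, since an identity left on the thread after a failed connect would be carried into unrelated work.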
Refer to Connection thread identity for details of the connector configurations
that use operating system thread security. You can also refer to Using thread identity support.
Refer to Understanding Java 2 Platform, Enterprise Edition identities and operating system thread identities for
more information about the identities discussed above.
Searchable topic ID:
csecunderstandconnectmgrsync
Last updated: Jun 21, 2007 9:56:50 PM CDT
WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/csec_understandconnectmgrsync.html