The thread identity function allows you to assign a thread
identifier as an owner of a connection when you first obtain the connection.
This function only applies to J2EE Connector Architecture (JCA) resource
adapters and Relational Resource Adapter (RRA) wrappered Java Database
Connectivity (JDBC) providers that support the use of thread identity
for connection ownership.
- Define resauth=Container for the application
resource. See the Connection thread identity article for
details.
- Ensure the JCA resource adapters or JDBC providers support
the thread identity function.
Review the supported resource adapters and data source providers, and
the level of support: REQUIRED, ALLOWED, and NOTALLOWED. The article
Connection thread identity contains a table of the JCA resource adapter
processes and the JDBC provider processes that support thread identity
and thread security.
If the adapter or provider is not listed, then thread identity support
is NOTALLOWED, by default.
- Set the Container-managed authentication alias to
NULL, if you configure the connector locally.
When the connector is configured locally, the resource adapter determines
the level of thread identity support as ALLOWED. If thread identity
support is allowed and you specify Container-managed authentication alias
as NULL, the connector uses the current thread identity as the owner for
each connection that is created.
When the resource adapter or JDBC provider determines that the level of
thread identity support is REQUIRED, any specification for the
Container-managed authentication alias is ignored. Thread identity
support in this case always applies.
- Determine connector behavior when global security is a factor. See
the article Security states with thread identity support for more information.
If you want the identity associated with a connection to be the thread
identity, then you must enable global security. In the case of JDBC
providers that support the thread identity function and require the
thread to be pushed to the z/OS thread of execution, you must set the
server Connection Manager RunAs Identity Enabled property to true.
Note: With Bean Managed Persistence (BMP) beans, if you obtain a
connection under the ejbLoad() or ejbStore() functions during pre-invoke
or post-invoke method processing, the thread identity does not become
the RunAs identity because the container runs under the server identity
during this processing. With BMP beans, instead of using thread identity,
specify a Container-managed alias to associate the user with the
connection.
- Set the security.zOS.session.OMVSSRV custom
property to true. When the thread identity support
is used, a security credential that is based on the current thread
identity encapsulates the security information for the user that is
associated with the connection. By default, the session type associated
with the user is TSO. If you have WebSphere Application Server for
z/OS users that use the thread identity support, you must define the
users as TSO users. If you prefer not to define the users as TSO users,
you can use the security.zOS.session.OMVSSRV custom property, which
changes the session type for the user identity in the security credential
from TSO to OMVSSRV. However, if you use the user information for
authentication at the target EIS, such as IMS, the user must be an
authorized OMVSSRV user.
To specify the custom property, complete the following steps:
- Click Security > Global Security > Custom Properties.
- Click New.
- In the Name field, type security.zOS.session.OMVSSRV
Important: This custom property name is case sensitive.
- In the Value field, type true
- Click Apply and Save.
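
The rules in the steps above can be checked before deployment. The following is an added example, not IBM code: the dictionary keys and sample values are constructed for illustration and are not WebSphere property names, and it assumes that a non-NULL alias owns the connection when the support level is ALLOWED.

```python
# Added example: preflight check for the thread identity rules in the steps above.
# Dict keys and sample values are constructed; they are not WebSphere property names.

def check_thread_identity(cfg):
    """Return (connection_owner, findings) for one resource reference."""
    findings = []
    if cfg.get("res_auth") != "Container":
        return None, ["res-auth is not Container: thread identity does not apply"]

    support = cfg.get("support", "NOTALLOWED")  # unlisted adapters default to NOTALLOWED
    alias = cfg.get("alias")                    # None models a NULL alias

    if support == "REQUIRED":
        use_thread = True
        if alias is not None:
            findings.append("alias is ignored: support level is REQUIRED")
    elif support == "ALLOWED":
        use_thread = alias is None              # assumption: a non-NULL alias owns the connection
    else:
        use_thread = False
        findings.append("thread identity is NOTALLOWED for this adapter or provider")

    if not use_thread:
        return ("alias" if alias is not None else None), findings

    if not cfg.get("global_security", False):
        findings.append("enable global security, or the owner is not the thread identity")
    if cfg.get("needs_zos_thread_push") and not cfg.get("runas_identity_enabled"):
        findings.append("set Connection Manager RunAs Identity Enabled to true")
    if cfg.get("bmp_ejbload_ejbstore"):
        findings.append("BMP ejbLoad()/ejbStore() runs under server identity: use an alias")
    if not cfg.get("omvssrv") and not cfg.get("users_are_tso"):
        findings.append("define users as TSO users or set security.zOS.session.OMVSSRV=true")
    return "thread", findings


if __name__ == "__main__":
    # Constructed sample: REQUIRED support with an alias and global security off.
    sample = {"res_auth": "Container", "support": "REQUIRED", "alias": "node/ims1",
              "global_security": False, "omvssrv": False, "users_are_tso": False}
    owner, findings = check_thread_identity(sample)
    print(owner)
    for f in findings:
        print(" -", f)
```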