WebSphere Extended Deployment, Version 6.0.x
Operating Systems: AIX, HP-UX, Linux, Solaris, Windows, z/OS


Running jobs under user's credentials

This article explains how to allow jobs to run under a user's credentials when WebSphere security is enabled.

About this task

[Version 6.0.2 and later] WebSphere Extended Deployment V6.0.2 introduced a feature that, by default, allows jobs to run under a user's credentials when WebSphere security is enabled. When the job is dispatched to the endpoint, the LREE switches the credential on the job step thread from the server's credential to the user's credential. To change the default behavior, apply IFIX PK35827, create a dynamic cluster custom property called RunUnderUserCredential, and set its value to true. After IFIX PK35827 is applied, the default behavior changes: jobs do NOT run under the user's credential unless the custom property is created and set to true.

When Java 2 Security is enabled, your Compute Grid applications must grant the following two permissions in the application's WebSphere Application Server policy file (was.policy):
  1. permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials"
  2. permission com.ibm.websphere.security.WebSphereRuntimePermission "ContextManager.getServerCredential"
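
The following check is an added example, not part of the original IBM article or of any IBM tooling. It parses the text of a policy file and reports which of the two permissions above lack an explicit grant, which codeBase scopes carry them, and which scopes grant java.security.AllPermission. It assumes standard Java policy grant syntax; the function name audit_policy and both sample policies are constructed for illustration.

```python
import re

PERM_CLASS = "com.ibm.websphere.security.WebSphereRuntimePermission"
REQUIRED = {"SecOwnCredentials", "ContextManager.getServerCredential"}
GRANT_RE = re.compile(r'grant\s*(?:codeBase\s*"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?[^;]*;')

def audit_policy(text):
    """Return (missing, by_scope, broad): targets with no explicit grant,
    codeBase -> granted targets, and scopes that grant AllPermission."""
    # Drop /* */ blocks and whole-line // comments (codeBase URLs may contain //).
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'(?m)^\s*//.*$', '', text)
    by_scope, broad = {}, []
    for codebase, body in GRANT_RE.findall(text):
        scope = codebase or "<no codeBase>"
        for cls, target in PERM_RE.findall(body):
            if cls == "java.security.AllPermission":
                broad.append(scope)  # implies every permission; report separately
            elif cls == PERM_CLASS and target in REQUIRED:
                by_scope.setdefault(scope, set()).add(target)
    granted = set().union(*by_scope.values())
    return REQUIRED - granted, by_scope, broad

# Constructed sample policy text (not from the page). ${application} and ${jars}
# are WebSphere's was.policy symbols for the whole application and its JAR files.
SAMPLE_OK = '''
// Compute Grid application policy
grant codeBase "file:${application}" {
  permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials";
  permission com.ibm.websphere.security.WebSphereRuntimePermission "ContextManager.getServerCredential";
};
'''
SAMPLE_BAD = '''
grant codeBase "file:${application}" {
  permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials";
  /* permission com.ibm.websphere.security.WebSphereRuntimePermission "ContextManager.getServerCredential"; */
};
grant codeBase "file:${jars}" {
  permission java.security.AllPermission;
};
'''

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        missing, by_scope, broad = audit_policy(text)
        print(name, "missing:", sorted(missing), "AllPermission in:", broad)
```

A scope listed under AllPermission already implies both credential permissions, so it is worth reviewing whether that grant can be narrowed to the two entries listed above.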

The following steps describe how to create the custom property that enables or disables running jobs under the user's credential. Perform them after logging in to the administrative console:

Procedure

  1. Click Servers > Dynamic cluster
  2. Select the dynamic cluster where the LREE is installed.
  3. Click Additional Properties > Custom Properties
  4. Click New
  5. Type RunUnderUserCredential in the Name field.
  6. Type true or false in the Value field to enable or disable running jobs under the user's credential.
  7. Click OK, then Save to configuration.
  8. [For z/OS operating system] Navigate to the security administration pane and click z/OS security options.
  9. [For z/OS operating system] Enable application server and z/OS thread identity synchronization. This option specifies that application servers can process the syncToOSThread option for application components that specify it. Local JCA connectors may honor the MVS identity for authentication and authorization when an application requests a connection.
  10. [For z/OS operating system] Enable the connection manager RunAs thread identity. This option sets the MVS identity associated with the Java 2 Platform Enterprise Edition (J2EE) identity on the execution thread.
  11. [For z/OS operating system] Click OK.
  12. [For z/OS operating system] Save the configuration and restart the server.

What to do next

Stop and start the server where the LREE is installed.


Last updated: Nov 30, 2007 4:00:35 PM EST
http://publib.boulder.ibm.com/infocenter/wxdinfo/v6r0/index.jsp?topic=/com.ibm.websphere.xd.doc/info/scheduler/tbgcred.html