WebSphere Extended Deployment, Version 6.0.x
             Operating Systems: AIX, HP-UX, Linux, Solaris, Windows, z/OS


Running jobs under user credentials

This article explains how to allow jobs to run under a user's credentials when WebSphere security is enabled.

About this task

[Version 6.0.2 and later] WebSphere Extended Deployment Version 6.0.2 introduced a feature that, by default, allows jobs to run under a user's credentials when WebSphere security is enabled. When the job is dispatched to the endpoint, the LREE switches the credential on the job step thread from the server's credential to the user's credential. If you want to change the default behavior, apply IFIX PK35827, create a dynamic cluster custom property called RunUnderUserCredential, then set its value to true. After IFIX PK35827 is applied, the default behavior changes: jobs do not run under the user's credential unless the custom property is created and set to true.

When Java 2 Security is enabled, your business grid applications must grant the following two permissions in the application's WebSphere Application Server.policy file:
  • permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials"
  • permission com.ibm.websphere.security.WebSphereRuntimePermission "ContextManager.getServerCredential"
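A pre-deployment check for the two permissions listed above, added here as an example (it is not IBM's code): it parses a Java policy file and reports which of the required permissions the application has not been granted. The `was.policy` file name, the `file:${application}` codeBase, and the sample policy text are assumptions made for illustration.

```python
import re

# The two permissions this page requires (class name, target name).
WRP = "com.ibm.websphere.security.WebSphereRuntimePermission"
REQUIRED = {(WRP, "SecOwnCredentials"), (WRP, "ContextManager.getServerCredential")}

# Quoted strings are matched as units so "${application}" does not end a block.
GRANT_RE = re.compile(r'grant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;')
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?')

def strip_comments(text):
    """Drop /* ... */ blocks and whole-line // comments."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'^[ \t]*//.*$', '', text, flags=re.M)

def parse_grants(text):
    """Map each codeBase ("*" when none is given) to its (class, target) pairs."""
    grants = {}
    for header, body in GRANT_RE.findall(strip_comments(text)):
        m = CODEBASE_RE.search(header)
        perms = grants.setdefault(m.group(1) if m else "*", set())
        perms.update(PERM_RE.findall(body))
    return grants

def missing_permissions(text, codebase="file:${application}"):
    """Return the required permissions not granted to `codebase` or to all code."""
    grants = parse_grants(text)
    granted = grants.get(codebase, set()) | grants.get("*", set())
    return sorted(REQUIRED - granted)

# Constructed sample: the second permission is commented out, so it is not granted.
SAMPLE_POLICY = '''
// was.policy for a business grid application (constructed sample)
grant codeBase "file:${application}" {
  permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials";
  /* permission com.ibm.websphere.security.WebSphereRuntimePermission
       "ContextManager.getServerCredential"; */
};
'''

if __name__ == "__main__":
    for cls, target in missing_permissions(SAMPLE_POLICY):
        print('missing: permission %s "%s";' % (cls, target))
```

The check matches the codeBase string exactly, so a grant made under a different codeBase is reported as missing for the application.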

After logging in to the administrative console, use the following steps to create the custom property that enables or disables running jobs under the user's credential:

Procedure

  1. Click Servers > Dynamic cluster
  2. Select the dynamic cluster where the LREE is installed.
  3. Click Additional Properties > Custom Properties
  4. Click New
  5. Type RunUnderUserCredential in the name field.
  6. Type true or false in the Value field to enable or disable jobs to run under the user's credential.
  7. Click OK, then Save to configuration.
  8. [For z/OS operating system] Save the configuration and restart the server. To run jobs under the user's credentials on the z/OS platform, follow these steps:
    1. Navigate to the security administration pane and click z/OS security options.
    2. Enable application server and z/OS thread identity synchronization. This option specifies that application servers can process the syncToOSThread option for application components that specify it. Local JCA connectors may honor the MVS identity for authentication and authorization when an application requests a connection.
    3. Enable the connection manager RunAs thread identity. This option sets the MVS identity associated with the Java 2 Platform Enterprise Edition (J2EE) identity on the execution thread.
    4. Click OK.
    5. Save the configuration and restart the server.

What to do next

Stop and start the server where the LREE is installed.



Related concepts
The command line interface
Roles and privileges for securing the long-running scheduler
Related tasks
Securing the long-running scheduler

Last updated: Oct 16, 2009 11:08:29 AM EDT
http://publib.boulder.ibm.com/infocenter/wxdinfo/v6r0/index.jsp?topic=/com.ibm.websphere.xd.doc/info/scheduler/tbgcred.html