[z/OS]

z/OS security options

Use this page to determine which secure administration, applications, and infrastructure options to specify for the application server for z/OS.

To view this administrative console page, click Security > Secure administration, applications, and infrastructure > z/OS security options.

You can also view this administrative console page by completing the following steps:
  1. Click Servers > Application servers > server_name.
  2. Under Security, click Server security.
  3. Under Additional properties, click z/OS security options.

If you are configuring security for the first time, complete the steps in the Configuring secure administration, applications, and infrastructure article prior to making changes. After security is configured, validate any changes to the user registry or authentication mechanism panels. Click Apply to validate the user registry settings. An attempt is made to authenticate the server ID to the configured user registry. Validating the user registry settings after enabling secure administration, applications, and infrastructure can reduce potential problems when you restart the server for the first time.

[This information applies to Version 6.0.x and previous servers only that are federated in a Version 6.1 cell.] Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.

Configuration tab

Remote identity

[This information applies to Version 6.0.x and previous servers only that are federated in a Version 6.1 cell.]

Specifies the System Authorization Facility (SAF) user ID that is assumed for the Internet Inter-ORB Protocol (IIOP) unauthenticated clients that make requests of this server from another system.

Specifies whether an application remote identity is permitted.

Local identity

[This information applies to Version 6.0.x and previous servers only that are federated in a Version 6.1 cell.]

Specifies the SAF user ID that is assumed for the Internet Inter-ORB Protocol (IIOP) unauthenticated clients that make requests of this server from the same system.

Specifies whether an application local identity is permitted.

Enable application server and z/OS thread identity synchronization

Indicates if an operating system thread identity is enabled for synchronization with the Java 2 Platform, Enterprise Edition (J2EE) identity that is used in the application server runtime if an application is coded to request this function.

Synchronizing the operating system identity to the J2EE identity causes the operating system identity to synchronize with the authenticated caller, or delegated RunAs identity in a servlet or Enterprise JavaBeans (EJB) file. This synchronization or association means that the caller or security role identity, rather than the server region identity, is used for z/OS system service requests such as access to files.

For this function to be active, the following conditions must all be true:
  • The Sync to OS thread allowed value is true.
  • An application includes within its deployment descriptor an env-entry of com.ibm.websphere.security.SyncToOSThread set to true.
  • The configured user account repository is the local operating system.

When these conditions are true, the OS thread identity is initially set to the authenticated caller identity of a Web or EJB request. The OS thread is modified each time the J2EE identity is modified. The J2EE identity can be modified either by a RunAs specification on the deployment descriptor or a programmatic WSSubject.doAs() request.

If the Sync to OS thread allowed value is false, which is the default setting, the deployment descriptor setting of the installed application cannot modify the identity on the operating system thread. If the server is not enabled for synchronization and the application deployment descriptor env-entry com.ibm.websphere.security.SyncToOSThread is set to true, a BBOJ0080W warning is issued stating that the EJB requests the SyncToOSThread option but the server is not enabled for it.

Any J2EE Connector architecture (J2CA) connector that uses the thread identity support must support thread identity. Customer Information Control System (CICS), Information Management System (IMS), and DB2 support thread identity. CICS and IMS support thread identity only if the target CICS or IMS is configured on the same system as the application server for z/OS. DB2 always supports thread identity. If a connector does not support thread identity, the user identity that is associated with the connection is based on the default user identity that is supported by the particular connector.

Data type: Boolean
Default: Disabled
Range: Enabled or Disabled

Important: This option significantly increases the number of SMF 80 records used for security auditing. If security auditing is turned on for SMF 80 records, then the amount of DASD used also increases significantly.

Enable the connection manager RunAs thread identity

Specifies that the connection manager SyncToOSThread method is supported for applications that specify this option.

When you enable this setting, the method can process a request that modifies the operating system identity to reflect the Java 2 Platform, Enterprise Edition (J2EE) identity. This function is required to take advantage of thread identity support. J2EE Connector architecture (J2CA) connectors that access local resources on a z/OS system can use the thread identity support. A set of J2CA connectors that accesses local z/OS resources defaults to the J2EE identity of the application if all of the following conditions are true:
  • Resource authorization is set to container-managed (res-auth=container).
  • An alias entry is not coded when deploying the application.
  • The connection manager Sync to OS thread setting is set to enabled.

For example, if you have a pre-existing DB2 for z/OS security policy that controls which users have access to each table, you want that policy enforced when users access WebSphere applications that also access DB2 for z/OS. When Connection Manager RunAs Identity Enabled is selected, the J2EE identity (the client identity by default) rather than the operating system identity (server identity) is used to establish connections to DB2 for z/OS. DB2 for z/OS table access for the application is then determined by your pre-existing DB2 for z/OS security policy.

Any J2CA connector that uses the thread identity support must support thread identity. Customer Information Control System (CICS), Information Management System (IMS), and DATABASE 2 (DB2) support thread identity. CICS and IMS support thread identity only if the target CICS or IMS is configured on the same system as the application server for z/OS. DB2 always supports thread identity. If a connector does not support thread identity, the user identity that is associated with the connection is based on the default user identity that is supported by the particular connector.
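The following web.xml excerpt is an added example, not taken from the product documentation, showing how an application satisfies both the thread identity synchronization conditions listed above and the connection manager RunAs conditions: the SyncToOSThread env-entry, a container-managed resource reference with no authentication alias, and an optional run-as role. The resource name jdbc/payrollDS, the servlet and role names, and the use of java.lang.Boolean as the env-entry type are assumptions made for illustration.

```xml
<!-- Added example (not from the product documentation). Names such as
     jdbc/payrollDS and the role PayrollClerk are constructed for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Condition from "Enable application server and z/OS thread identity
       synchronization": the application requests SyncToOSThread. The server
       setting must also be enabled and the user registry must be the local
       operating system; otherwise BBOJ0080W is issued and no switch occurs.
       The env-entry-type of java.lang.Boolean is assumed here. -->
  <env-entry>
    <env-entry-name>com.ibm.websphere.security.SyncToOSThread</env-entry-name>
    <env-entry-type>java.lang.Boolean</env-entry-type>
    <env-entry-value>true</env-entry-value>
  </env-entry>

  <!-- Condition from "Enable the connection manager RunAs thread identity":
       container-managed authorization (res-auth=Container) and no
       authentication alias coded at deployment, so the DB2 for z/OS connection
       is established under the J2EE caller identity rather than the server
       region identity, and the existing DB2 table policy applies. -->
  <resource-ref>
    <res-ref-name>jdbc/payrollDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>

  <!-- Optional RunAs: when present, the J2EE identity (and therefore the
       OS thread identity) is the delegated role rather than the caller. -->
  <servlet>
    <servlet-name>PayrollServlet</servlet-name>
    <servlet-class>com.example.PayrollServlet</servlet-class>
    <run-as>
      <role-name>PayrollClerk</role-name>
    </run-as>
  </servlet>

  <security-role>
    <role-name>PayrollClerk</role-name>
  </security-role>
</web-app>
```

The run-as role must still be mapped to a SAF user at deployment; if it is omitted, the OS thread follows the authenticated caller of each request.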

Data type: Boolean
Default: Disabled
Range: Enabled or Disabled



Last updated: Aug 31, 2013 4:28:44 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-mp&topic=useczosglobalsec
File name: usec_zos_globalsec.html