The thread identity function allows you to assign a thread identifier
as an owner of a connection when you first obtain the connection. This function
only applies to J2EE Connector Architecture (JCA) resource adapters and Relational
Resource Adapter (RRA) wrappered Java Database Connectivity (JDBC) providers
that support the use of thread identity for connection ownership.
- Define resauth=Container for the application resource.
See the Connection thread identity article for details.
- Ensure the JCA resource adapters or JDBC providers support the
thread identity function.
Review the supported resource adapters
and data source providers, and the level of support: REQUIRED, ALLOWED,
and NOTALLOWED. The article Connection thread identity contains
a table of the JCA resource adapter processes and the JDBC provider processes
that support thread identity and thread security.
If the adapter or provider is not listed, then thread identity support is NOTALLOWED by default.
- Set the Container-managed authentication alias to
NULL if you configure the connector locally.
When the connector
is configured locally, the resource adapter determines the level of thread
identity support as ALLOWED. If thread identity support is
allowed and you specify Container-managed authentication alias as
NULL, the connector uses the current thread identity as the owner for each
connection that is created.
When the resource adapter or JDBC provider
determines that the level of thread identity support is REQUIRED,
any specification for the Container-managed authentication alias
is ignored. Thread identity support in this case always applies.
- Determine connector behavior when Java 2 security is
a factor. See the article Security states with thread identity support for more
information.
If you want the thread identity associated with
a connection to be the thread identity, then you must enable Java 2 security.
In the case of JDBC providers that support the thread identity function and
require the thread to be pushed to the z/OS thread of execution, you must set the server Connection Manager RunAs Identity
Enabled property to true.
Note: With Bean Managed Persistence (BMP) beans, if you obtain a connection
under the ejbLoad() or ejbStore() functions during pre-invoke or post-invoke
method processing, your thread identity support does not become the RunAs
identity, because the container runs under the server identity during this
processing. With BMP beans, instead of using thread identity, specify a
Container-managed alias to associate the user with the connection.
- Set the security.zOS.session.OMVSSRV custom property to true.
When the thread identity support is used, a security credential that
is based on the current thread identity encapsulates the security information
for the user that is associated with the connection. By default, the session
type associated with the user is TSO. If you have WebSphere Application Server
for z/OS users that use the thread identity support, you must define the users
as TSO users. If you prefer not to define the users as TSO users, you can
use the security.zOS.session.OMVSSRV custom property, which changes the session
type for the user identity in the security credential from TSO to OMVSSRV.
However, if you use the user information for authentication at the target
EIS, such as IMS, the user must be an authorized OMVSSRV user.
To specify the custom property, complete the following steps:
  - Click Security > Secure administration, applications, and infrastructure > Custom Properties.
  - Click New.
  - In the Name field, type security.zOS.session.OMVSSRV
    Important: This custom property name is case sensitive.
  - In the Value field, type true
  - Click Apply and Save.
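
The first step above depends on every resource reference being container-authenticated. The following check is an added example, not part of the original article or the product. It assumes that resauth=Container is expressed as the standard Java EE `<res-auth>` element of a `<resource-ref>` in web.xml or ejb-jar.xml; the descriptor content and the function name audit_res_auth are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the original page): three
# resource references with different res-auth settings.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <resource-ref>
    <res-ref-name>jdbc/OrdersDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  <resource-ref>
    <res-ref-name>jdbc/AuditDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Application</res-auth>
  </resource-ref>
  <resource-ref>
    <res-ref-name>eis/ImsConn</res-ref-name>
    <res-type>javax.resource.cci.ConnectionFactory</res-type>
  </resource-ref>
</web-app>
"""


def local(tag):
    """Strip the XML namespace so DTD-era and schema-based descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def audit_res_auth(descriptor_xml):
    """Return (res-ref-name, res-auth or None, ok) for every resource-ref found."""
    findings = []
    for elem in ET.fromstring(descriptor_xml).iter():
        if local(elem.tag) != "resource-ref":
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in elem}
        auth = fields.get("res-auth") or None
        # Only an explicit Container value satisfies the first step of the procedure.
        name = fields.get("res-ref-name", "<unnamed>")
        findings.append((name, auth, auth == "Container"))
    return findings


if __name__ == "__main__":
    for name, auth, ok in audit_res_auth(SAMPLE_WEB_XML):
        status = "ok" if ok else "NOT container-managed"
        print(f"{name}: res-auth={auth or 'unspecified'} -> {status}")
```

A reference with no `<res-auth>` element is reported as unspecified instead of being assigned a default, so it can be reviewed and set explicitly.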