Use this task when you want to set up security for your optimized local adapters that perform outbound calls.
Run the WebSphere® Application Server for z/OS® servers with global security and activate the Sync-to-OS Thread option if you intend to use the optimized local adapter APIs with those servers. To read about global security, see the topic, Enabling security. To read more about activating the Sync-to-OS Thread option, see the topic, z/OS security options.
Alternatively,
the system administrator can provide a username and password on the
optimized local adapters connection factory, or the application developer
can provide a username and password on the ConnectionSpec object,
which is used to obtain a connection from the optimized local adapters
connection factory. A login is performed using this username and
password combination, and the MVS user
ID associated with the username is used when making optimized local
adapters requests from this connection. If there is no MVS user ID associated with this username, then
an MVS user ID is not used when
making optimized local adapters requests from this connection.
Local access to WebSphere Application Server for z/OS servers is protected by the System Authorization Facility (SAF) CBIND class. This class is defined during profile creation and is used to protect WebSphere Application Server for z/OS servers when Internet Inter-ORB Protocol (IIOP) local client connection requests are made, and optimized local adapters requests. Before running any application that uses the Register API, be sure to grant READ access for the user ID for the job, UNIX System Services (USS) process, or Customer Information Control System (CICS®) region to the CBIND class for the target server. this is set up with the BBOCBRAK job. For more information about the CBIND class, read the topic, Using CBIND to control access to clusters.
For calling from WebSphere Application Server to an application using either the optimized local adapters Host Service and Receive Request APIs, the identity on the thread that the API was called on is used. For environments other than CICS, there is no attempt by the optimized local adapters to assert the WebSphere Application Server application identity. This includes Information Management System (IMS) dependent regions. For these, transactions start under the ID of the user that started the transaction. This includes IMS dependent regions. For these regions, transactions start under the user ID that started the transaction.
For receiving requests in CICS and processing them with the optimized local adapter CICS Link server (BBO$ task), you can indicate when you start the Link server that you want to have Link server assert the propagated WebSphere Application Server thread-level identity to the CICS thread where the target program starts. This is done with a parameter on the optimized local adapters BBOC CICS transaction.
In this information ...Related concepts
Related tasks
Related reference
Related information
| IBM Redbooks, demos, education, and more(Index) |