To enable syncToOSThread on the Liberty
profile, you use the appSecurity-1.0 and zosSecurity-1.0 features
with additional configuration.
Before you begin
Enabling syncToOSThread support requires
the appSecurity-1.0 and zosSecurity-1.0 features.
You must also define the syncToOSThread configuration
element. In addition, you must use the SAF registry for authentication,
and authorized SAF services must be available.
Because syncToOSThread support
requires authorized SAF services, the angel process must be up and
running and the server must be connected to it. For more information
about the angel process, see Liberty profile: Process types on z/OS.
Procedure
- Configure the application to use syncToOSThread by
adding the following env-entry to the application's
deployment descriptor:
    <env-entry>
        <env-entry-name>com.ibm.websphere.security.SyncToOSThread</env-entry-name>
        <env-entry-type>java.lang.Boolean</env-entry-type>
        <env-entry-value>true</env-entry-value>
    </env-entry>
- Configure the server to enable syncToOSThread for
applications by adding the appSecurity-1.0 and zosSecurity-1.0 features,
and defining the syncToOSThread configuration
element with attribute appEnabled="true". Additionally,
ensure that the SAF registry is used for authentication:
    <featureManager>
        <feature>appSecurity-1.0</feature>
        <feature>zosSecurity-1.0</feature>
    </featureManager>
    <safRegistry id="saf" />
    <syncToOSThread appEnabled="true" />
- Grant the server permission to perform syncToOSThread operations
by configuring your SAF product with either of the following profiles:
    - Grant the user ID of the server CONTROL access to the BBG.SYNC.<profilePrefix>
    profile in the FACILITY class. This allows the server to sync any
    RunAs identity with the OS identity:
        PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(CONTROL) CLASS(FACILITY)
    - Grant the user ID of the server READ access to the BBG.SYNC.<profilePrefix> profile
    in the FACILITY class. Additionally, grant the user ID of the server
    READ access to one or more BBG.SYNC.<runAsUserId> profiles
    in the SURROGAT class, one for each RunAs identity to be synchronized
    with the OS identity:
        PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(READ) CLASS(FACILITY)
        PERMIT BBG.SYNC.<runAsUserId> ID(<serverUserId>) ACCESS(READ) CLASS(SURROGAT)
Note: The <profilePrefix> is "BBGZDFLT" by default and
can be configured by using the <safCredentials profilePrefix="xx"> element
in your configuration file.
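The following Python sketch is an added example, not IBM's code: it checks a single server.xml for the settings this procedure requires and builds the PERMIT commands for the READ plus SURROGAT option, which limits synchronization to named RunAs identities. It assumes a server.xml without includes or variables; the function names and the user IDs LIBSRV, BATCH1 and BATCH2 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_PREFIX = "BBGZDFLT"  # default profilePrefix stated on this page
REQUIRED_FEATURES = {"appSecurity-1.0", "zosSecurity-1.0"}

# Constructed sample server.xml, mirroring the configuration shown above.
SAMPLE_SERVER_XML = """
<server>
  <featureManager>
    <feature>appSecurity-1.0</feature>
    <feature>zosSecurity-1.0</feature>
  </featureManager>
  <safRegistry id="saf" />
  <syncToOSThread appEnabled="true" />
</server>
"""

def check_server_xml(xml_text):
    """Return (problems, profile_prefix) for one include-free server.xml."""
    root = ET.fromstring(xml_text)
    problems = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for missing in sorted(REQUIRED_FEATURES - features):
        problems.append(f"missing feature {missing}")
    if root.find("safRegistry") is None:
        problems.append("no <safRegistry> element: SAF registry is required")
    sync = root.find("syncToOSThread")
    if sync is None or sync.get("appEnabled", "").lower() != "true":
        problems.append('<syncToOSThread appEnabled="true" /> not set')
    # profilePrefix decides the FACILITY profile name the server must be permitted to.
    creds = root.find("safCredentials")
    prefix = DEFAULT_PREFIX if creds is None else creds.get("profilePrefix", DEFAULT_PREFIX)
    return problems, prefix

def scoped_permits(prefix, server_user, run_as_users):
    """PERMIT commands for the READ + SURROGAT option, one per RunAs identity."""
    cmds = [f"PERMIT BBG.SYNC.{prefix} ID({server_user}) ACCESS(READ) CLASS(FACILITY)"]
    cmds += [f"PERMIT BBG.SYNC.{user} ID({server_user}) ACCESS(READ) CLASS(SURROGAT)"
             for user in run_as_users]
    return cmds

if __name__ == "__main__":
    problems, prefix = check_server_xml(SAMPLE_SERVER_XML)
    print("problems:", problems or "none")
    # LIBSRV, BATCH1 and BATCH2 are constructed user IDs for illustration.
    for cmd in scoped_permits(prefix, "LIBSRV", ["BATCH1", "BATCH2"]):
        print(cmd)
```

Comparing the generated commands with the access the server user ID actually holds shows whether it has CONTROL where READ plus per-identity SURROGAT profiles would be enough.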
For more information
about syncToOSThread, see Java thread identity and an operating system
thread identity