The thread identity function allows you to assign a thread
identifier as an owner of a connection when you first obtain the connection.
This function only applies to Java Platform,
Enterprise Edition (Java EE)
Connector Architecture (JCA) resource adapters and Relational Resource
Adapter (RRA) wrappered Java Database
Connectivity (JDBC) providers that support the use of thread identity
for connection ownership.
About this task
In this article the term thread identity refers to the Java EE Identity (such as the RunAs Identity),
as opposed to the OS thread identity. Refer to the topics Synchronizing
a Java thread identity and an operating system thread identity, and
Understanding Connection Manager RunAs Identity Enabled and operating
system security, for more information.
Perform the following
steps to enable the thread identity function for the connection factories
or JDBC provider data sources created with the supported JCA resource
adapters and JDBC providers:
Procedure
- Define resauth=Container for the application
resource. See the topic Connection thread identity for details.
- Ensure the JCA resource adapters or JDBC providers support
the thread identity function.
Review the supported
resource adapters and data source providers, and the level of support:
REQUIRED, ALLOWED, and NOTALLOWED. See the topic Connection thread
identity for a table of the JCA resource adapter processes and the
JDBC provider processes that support thread identity and thread security.
If
the adapter or provider is not listed, then thread identity support
is NOTALLOWED, by default.
- Set the Container-managed authentication alias to
NULL, if you configure the connector locally.
When the
connector is configured locally, the resource adapter determines the
level of thread identity support as ALLOWED. If
thread identity support is allowed and you specify Container-managed
authentication alias as NULL, the connector uses the current
thread identity as the owner for each connection that is created.
When
the resource adapter or JDBC provider determines that the level of
thread identity support is REQUIRED, any specification
for the Container-managed authentication alias
is ignored. Thread identity support in this case always applies.
- Determine connector behavior when Java 2 security is a factor. See
the article Security states with thread identity support for more
information.
If you want the thread identity associated
with a connection to be the thread identity, then you must enable Java 2 security. In the case
of JDBC providers that support the thread identity function and require
the thread to be pushed to the z/OS® thread
of execution, you must set the server Connection Manager RunAs
Identity Enabled property to true.
Note: With
Bean Managed Persistence (BMP) beans, if you obtain a connection under
the ejbLoad() or ejbStore() functions during pre-invoke
or post-invoke method processing, your thread identity support
does not become the RunAs identity because the container during
this processing is running under server identity. See the topic Delegations
for more information. With BMP beans, instead of using thread identity,
specify a Container-managed alias to associate the user with the
connection.