To enable syncToOSThread for J2C connections
on the Liberty profile, you use the appSecurity-1.0 and zosSecurity-1.0 features
with additional configuration.
Before you begin
Enabling syncToOSThread support for
J2C connections requires the appSecurity-1.0 and zosSecurity-1.0 features.
You must also define the syncToOSThread configuration
element. In addition, you must use the SAF registry for authentication,
and authorized SAF services must be available.
Because syncToOSThread support
requires authorized SAF services, the angel process must be up and
running and the server must be connected to it. For more information
about the angel process, see Liberty profile: Process types on z/OS.
Procedure
- Configure the server to enable syncToOSThread for
J2C connections by adding the appSecurity-1.0 and zosSecurity-1.0 features
and defining the syncToOSThread configuration
element with the attribute j2cEnabled="true". Additionally,
ensure that the SAF registry is used for authentication:
<featureManager>
<feature>appSecurity-1.0</feature>
<feature>zosSecurity-1.0</feature>
</featureManager>
<safRegistry id="saf" />
<syncToOSThread j2cEnabled="true" />
Note:
- Using j2cEnabled="true" enables syncToOSThread for
type-2 J2C connections. The Java RunAs identity is synchronized with
the OS identity when a connection is obtained through a resource reference that specifies res-auth=container.
The connection is then associated with that OS identity and carries
the same permissions and privileges as the OS identity.
- Do not specify a JAAS authentication alias for the data source if you want to
use syncToOSThread. If a JAAS alias is defined, the identity it supplies
overrides the OS identity.
- Grant the server permission to perform syncToOSThread operations
by defining one of the following sets of profiles in your SAF product:
- Grant the userid of the server CONTROL access to the BBG.SYNC.<profilePrefix>
profile in the FACILITY class. This allows the server to sync any
RunAs identity with the OS identity:
PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(CONTROL) CLASS(FACILITY)
- Grant the userid of the server READ access to the BBG.SYNC.<profilePrefix> profile
in the FACILITY class. Additionally, grant the userid of the server
READ access to one or more BBG.SYNC.<runAsUserId> profiles
in the SURROGAT class, one for each RunAs identity that is to be synchronized
with the OS identity:
PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(READ) CLASS(FACILITY)
PERMIT BBG.SYNC.<runAsUserId> ID(<serverUserId>) ACCESS(READ) CLASS(SURROGAT)
Note: The <profilePrefix> is "BBGZDFLT" by default and
can be changed with the <safCredentials profilePrefix="xx"> element in
your server configuration file (server.xml). The prefix you configure must match the
FACILITY profile to which the server userid is permitted.
For more information
about syncToOSThread, see Java thread identity and an operating system
thread identity.
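The following server.xml brings the steps above together in one file. It is an added example, not a configuration from the original page or shipped with the Liberty profile: the feature, safRegistry, safCredentials and syncToOSThread elements are the ones the procedure describes, while the jdbc-4.0 feature, the library path, the DB2 for z/OS type-2 driver and the data source names (db2Lib, db2Driver, jdbc/db2local, DSNLOC) are illustrative assumptions. The commented-out second data source shows the configuration the note warns against: a containerAuthDataRef pointing at an authData element is the Liberty form of a JAAS authentication alias, and its fixed user id replaces the OS identity for every connection from that data source.

```xml
<server description="z/OS Liberty server with syncToOSThread for J2C (added example)">

    <featureManager>
        <feature>appSecurity-1.0</feature>
        <feature>zosSecurity-1.0</feature>
        <!-- Assumed: JDBC support is needed for the data source below -->
        <feature>jdbc-4.0</feature>
    </featureManager>

    <!-- Authentication must come from SAF: the RunAs identity that gets
         synchronized with the OS thread has to be a SAF user id. -->
    <safRegistry id="saf" />

    <!-- BBGZDFLT is the default prefix; it is written out here so that the
         link to the BBG.SYNC.BBGZDFLT FACILITY profile is explicit. The
         server userid needs CONTROL (sync any identity) or READ plus
         BBG.SYNC.<runAsUserId> SURROGAT profiles (sync listed identities). -->
    <safCredentials profilePrefix="BBGZDFLT" />

    <!-- Enable syncToOSThread for type-2 J2C connections -->
    <syncToOSThread j2cEnabled="true" />

    <!-- Assumed: location of the DB2 for z/OS JDBC driver jars -->
    <library id="db2Lib">
        <fileset dir="/usr/lpp/db2/jdbc/classes"
                 includes="db2jcc4.jar db2jcc_license_cisuz.jar" />
    </library>
    <jdbcDriver id="db2Driver" libraryRef="db2Lib" />

    <!-- Correct for syncToOSThread: no containerAuthDataRef, so a connection
         obtained with res-auth=container runs under the OS identity that was
         synchronized from the Java RunAs identity. driverType="2" selects the
         type-2 (local attach) driver, which is what syncToOSThread covers. -->
    <dataSource id="db2ds" jndiName="jdbc/db2local" jdbcDriverRef="db2Driver">
        <properties.db2.jcc driverType="2" databaseName="DSNLOC" />
    </dataSource>

    <!-- WRONG for syncToOSThread (kept commented out): the containerAuthDataRef
         supplies a fixed user id, which overrides the OS identity on every
         connection from this data source, so the sync has no effect here. -->
    <!--
    <authData id="db2Alias" user="DB2USER" password="changeme" />
    <dataSource id="db2dsAlias" jndiName="jdbc/db2alias"
                jdbcDriverRef="db2Driver" containerAuthDataRef="db2Alias">
        <properties.db2.jcc driverType="2" databaseName="DSNLOC" />
    </dataSource>
    -->

</server>
```

Two checks are worth making after you deploy this file. First, confirm that the angel process is running and that the server has connected to it, since the configuration above silently does nothing useful without authorized SAF services. Second, confirm that the server userid actually holds the BBG.SYNC.BBGZDFLT FACILITY permission (and the SURROGAT permissions, if you chose the READ variant) with the PERMIT commands shown in the procedure; a missing permission means the RunAs identity is not synchronized and the connection runs under the server's own OS identity instead.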