Running batch jobs under user credentials

You can allow batch jobs to run under credentials of the user when WebSphere® security is enabled.

About this task

The RUN_JOBS_UNDER_USER_CREDENTIAL variable enables or disables running batch jobs under the credentials of the user. When the job is dispatched to the endpoint, the batch container switches the credentials on the job step thread from the credentials of the server to the credentials of the user.

RUN_JOBS_UNDER_USER_CREDENTIAL can be created at any scope level and accepts values true or false. The default is false, which means that batch jobs run under server credentials.

When Java™ 2 Security is enabled, your batch applications must grant the following two permissions in the was.policy file of the application:
  • permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials"
  • permission com.ibm.websphere.security.WebSphereRuntimePermission "ContextManager.getServerCredential"

After you log on to the administrative console, use the following steps to create the custom property that enables or disables running batch jobs under the credentials of a user:

Procedure

  1. Click Environment > WebSphere variables.
  2. Select a configuration scope, then click New. The general properties page opens.
  3. For Name, type RUN_JOBS_UNDER_USER_CREDENTIAL.
  4. For Value, type True or False to enable or disable running jobs under user credentials.
  5. Click OK, then click Save.

    [z/OS] To enable jobs to run under user credentials on z/OS®, also complete step 6.

  6. [z/OS] Save the configuration and restart the server. To run jobs under credentials of the user on the z/OS platform, follow these steps:
    1. Go to the security administration pane and click z/OS security options.
    2. Enable application server and z/OS thread identity synchronization. This option specifies that application servers can process the syncToOSThread option for application components that specify it. Local JCA connectors might honor the MVS™ identity for authentication and authorization when an application requests a connection.
    3. Enable the connection manager RunAs thread identity. This option sets the MVS identity associated with the Java Platform, Enterprise Edition (Java EE) identity on the execution thread.
    4. Click OK.
    5. Save the configuration and restart the server.

What to do next

Stop and start the server where the batch execution environment is installed.
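
Because the variable can be created at any scope, it helps to confirm which definition decides the identity that jobs run under. The following check is an added example, not IBM code. It assumes that each scope's `variables.xml` holds `entries` elements with `symbolicName` and `value` attributes and that a narrower scope overrides a broader one; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

VAR = "RUN_JOBS_UNDER_USER_CREDENTIAL"
# Assumption: a narrower scope overrides a broader one (server > node > cell).
PRECEDENCE = ["server", "node", "cell"]

def read_setting(variables_xml):
    """Return the raw value of VAR in one variables.xml document, or None."""
    root = ET.fromstring(variables_xml)
    for entry in root.iter("entries"):
        if entry.get("symbolicName") == VAR:
            return entry.get("value", "")
    return None

def effective_setting(scopes):
    """scopes: {scope name: variables.xml text} -> (identity, deciding scope, problems)."""
    found, problems = {}, []
    for scope, text in scopes.items():
        raw = read_setting(text)
        if raw is None:
            continue
        norm = raw.strip().lower()
        if norm in ("true", "false"):
            found[scope] = norm == "true"
        else:
            # Reported and skipped; the page only defines true and false.
            problems.append(f"{scope}: unrecognised value {raw!r}")
    for scope in PRECEDENCE:
        if scope in found:
            return ("user" if found[scope] else "server", scope, problems)
    return ("server", "default", problems)  # unset everywhere: default is false

def sample_doc(entries):
    # Constructed sample wrapper, modelled on a variables.xml VariableMap.
    return ('<variables:VariableMap xmlns:variables="http://www.ibm.com/'
            'websphere/appserver/schemas/5.0/variables.xmi">'
            + entries + "</variables:VariableMap>")

SAMPLE = {  # constructed input, one document per scope
    "cell": sample_doc(f'<entries symbolicName="{VAR}" value="false"/>'),
    "node": sample_doc('<entries symbolicName="WAS_INSTALL_ROOT" value="/opt/was"/>'),
    "server": sample_doc(f'<entries symbolicName="{VAR}" value="True"/>'),
}

if __name__ == "__main__":
    print(effective_setting(SAMPLE))
```

A result of `("user", "server", [])` means that jobs on that server run under the submitting user's credentials because of a server-scope definition, even though the cell-scope value is false.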


Last updated: July 9, 2016 11:15
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=tgrid_bgcred
File name: tgrid_bgcred.html