[z/OS]

Connection Manager RunAs Identity Enabled and system security

WebSphere® Application Server includes connector configurations that use operating system thread security. When Connection Manager Sync to OS Thread support is enabled, the Java™ EE identity (for example, the RunAs identity) can be used to obtain the EIS connection for connector configurations that use operating system thread security.

Operating system thread security: Under certain configurations of Java EE Connector Architecture (JCA), Java Message Service (JMS), or Java database connectivity (JDBC) connectors on WebSphere Application Server for z/OS®, the OS thread identity is the identity used to create the enterprise information systems (EIS) connection. Refer to the topic, Connection thread identity, for more information on which configurations support OS thread security.

The Connection Manager Sync to OS Thread support is enabled by selecting the Enable the connection manager RunAs thread identity option, which is available by clicking Security > Global security > z/OS security options. If the Enable WebSphere Application Server and z/OS thread identity synchronization option is not enabled on the same administrative console panel, the connection to a resource manager under a connector configuration that uses operating system thread security is obtained using the server identity (which serves as a default in this case). Refer to the topic, z/OS security options, for more information.

The WebSphere Connection Manager performs the operating system thread security-related functions. Before obtaining the EIS connection, the Connection Manager synchronizes the OS thread identity with the Java thread identity (the Java thread identity corresponds to the Java EE identity). Refer to the topic, Java thread identity and an operating system thread identity, for more information. After the Connection Manager performs the synchronization, the OS thread identity is temporarily replaced with the Java thread identity, and the Java thread identity is the identity used to obtain the EIS connection. This means that Connection Manager Sync to OS Thread support provides a way to obtain an EIS connection using the Java thread identity (for example, the RunAs identity). After obtaining the connection, the Connection Manager restores the previous OS thread identity.

Note:
  • The application Sync to OS Thread Allowed setting is not pertinent to determining which identity is used to create a connection under a connector configuration that supports operating system thread security. The topic, Using thread identity support, explains which identity is used to create a connection under each configuration; that choice is not changed by the application Sync to OS Thread Allowed setting. In particular, for connector configurations that use operating system thread security but in which Connection Manager Sync to OS Thread is disabled, the server identity is used to create the connection regardless of the application Sync to OS Thread Allowed setting or the current RunAs identity.
  • Connection Manager Sync to OS Thread support is only pertinent to obtaining EIS connections managed by WebSphere Connection Management. For example, Connection Manager Sync to OS Thread support might be pertinent to Java database connectivity (JDBC) connections obtained from application requests on DataSource objects that are configured in the WebSphere Application Server administrative console and then looked up in Java Naming and Directory Interface (JNDI). (Whether it is pertinent depends on whether the specific DataSource instance under the specific JDBC provider uses OS thread security.) However, Connection Manager Sync to OS Thread support is not pertinent to JDBC connections obtained using the unmanaged DriverManager.getConnection(...) API. Access to such unmanaged resources, for which authorization is performed against the OS thread identity, might instead be affected by the application Sync to OS Thread Allowed support.
  • Connection Manager Sync to OS Thread support applies (or does not apply) in the same way to connection requests made by user-written code (such as JMS or JDBC calls from a stateless session bean), connection requests made by certain components of WebSphere Application Server (such as the Message Driven Beans (MDB) Listener), and connection requests made by tooling-generated code (such as container-managed persistence (CMP) beans). Who issues the request does not change which identity is used.
  • Some (but not all) connector configurations that use the Java EE identity also use OS thread security. Connector configurations such as the Customer Information Control System (CICS®) CTG Connector in local mode allow the Java EE identity to be used through a different Connection Manager mechanism to create the EIS connection. That configuration does not use operating system thread security.
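The distinction in the notes above between managed connections (obtained from a WebSphere-configured DataSource looked up in JNDI, where Connection Manager Sync to OS Thread applies) and unmanaged connections (obtained through DriverManager.getConnection, where it does not) is easiest to verify by asking the EIS which identity it actually saw. The following is an added example, not code from the page or from the product, that does this for DB2 for z/OS by reading the USER special register on both kinds of connection. It assumes a DataSource bound under the resource reference java:comp/env/jdbc/sample and that the JDBC URL passed for the unmanaged case is a local (type 2) DB2 URL; both names are assumptions, not values from the page. Run the managed check once with Enable the connection manager RunAs thread identity disabled and once with it enabled, under an application RunAs identity that differs from the server identity, and compare the returned IDs.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/**
 * Reports the DB2 primary authorization ID seen by
 *  (a) a managed connection from a WebSphere-configured DataSource, and
 *  (b) an unmanaged DriverManager connection.
 * Only (a) is subject to Connection Manager Sync to OS Thread.
 *
 * Assumed values (not from the page): the resource reference name
 * "java:comp/env/jdbc/sample" and a DB2 for z/OS back end.
 */
public class ConnectionIdentityCheck {

    // Assumed resource reference; declare it in the module's deployment descriptor.
    private static final String MANAGED_JNDI_NAME = "java:comp/env/jdbc/sample";

    // On DB2 for z/OS the USER special register holds the primary authorization ID
    // of the identity that established the connection.
    private static final String WHO_AM_I = "SELECT USER FROM SYSIBM.SYSDUMMY1";

    /** Identity the EIS saw for a connection obtained through WebSphere Connection Management. */
    public static String managedConnectionIdentity() throws NamingException, SQLException {
        InitialContext ctx = new InitialContext();
        DataSource ds = (DataSource) ctx.lookup(MANAGED_JNDI_NAME);
        // No-argument getConnection(): the Connection Manager decides which identity
        // creates the connection. With Connection Manager Sync to OS Thread enabled on
        // an OS-thread-security configuration this is the RunAs (Java EE) identity;
        // with it disabled it is the server identity.
        try (Connection conn = ds.getConnection()) {
            return authorizationId(conn);
        }
    }

    /** Identity the EIS saw for an unmanaged connection; Connection Manager settings do not apply. */
    public static String unmanagedConnectionIdentity(String jdbcUrl) throws SQLException {
        // DriverManager bypasses WebSphere Connection Management. For a local DB2
        // connection the ID DB2 sees is whatever the OS thread identity is at this
        // point, which the application Sync to OS Thread Allowed setting may affect.
        try (Connection conn = DriverManager.getConnection(jdbcUrl)) {
            return authorizationId(conn);
        }
    }

    /** One-line summary suitable for a servlet or test bean to log. */
    public static String report(String unmanagedJdbcUrl) throws NamingException, SQLException {
        return "managed=" + managedConnectionIdentity()
             + " unmanaged=" + unmanagedConnectionIdentity(unmanagedJdbcUrl);
    }

    private static String authorizationId(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(WHO_AM_I)) {
            return rs.next() ? rs.getString(1).trim() : null;
        }
    }
}
```

Call report(...) from a component that runs under the RunAs identity you are testing, for example a stateless session bean with a RunAs role configured. If the managed ID still equals the server identity after the option is enabled, check that the DataSource in question is actually under a JDBC provider configuration that uses OS thread security, since the option has no effect on the others.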

Refer to the topic, Connection thread identity, for details concerning connector configurations that use operating system thread security. You can also refer to the topic, Using thread identity support.

Refer to the topic, Java Platform, Enterprise Edition identity and an operating system thread identity, for more information about the identities.