Running batch jobs under user credentials
Batch jobs can run under the credentials of the user when WebSphere security is enabled.
The RUN_JOBS_UNDER_USER_CREDENTIAL variable controls whether batch jobs run under the credentials of the user. When the job is dispatched to the endpoint, the batch container switches the credentials of the server, which are in the job step thread, to the credentials of the user.
RUN_JOBS_UNDER_USER_CREDENTIAL can be created at any scope level and accepts the values true or false. The default is false, which means that batch jobs run under server credentials.
When Java 2 Security is enabled, the batch applications must grant the following two permissions in the was.policy file of the application:
- permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials"
- permission com.ibm.websphere.security.WebSphereRuntimePermission "ContextManager.getServerCredential"
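A check for the two grants listed above, as an added example (not IBM's code): this Python script scans the text of a was.policy file for both WebSphereRuntimePermission entries and flags java.security.AllPermission, which would cover them but is broader than this feature needs. The sample policy, its `file:${application}` codeBase and the function names are constructed for illustration.

```python
import re

# Permission class and the two target names the page requires.
PERM_CLASS = "com.ibm.websphere.security.WebSphereRuntimePermission"
REQUIRED = {"SecOwnCredentials", "ContextManager.getServerCredential"}

# Constructed sample was.policy (Java policy-file syntax).
SAMPLE_POLICY = '''
grant codeBase "file:${application}" {
  permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials";
  permission com.ibm.websphere.security.WebSphereRuntimePermission "ContextManager.getServerCredential";
};
'''

# One 'permission <class> ["target"] ... ;' entry.
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?[^;]*;')


def strip_comments(text):
    """Drop /* */ blocks and whole-line // comments (keeps file:// URLs intact)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)^[ \t]*//.*$", "", text)


def audit_policy(text):
    """Return required permissions lacking an explicit grant, plus an AllPermission flag."""
    granted, broad = set(), False
    for cls, target in PERM_RE.findall(strip_comments(text)):
        if cls == "java.security.AllPermission":
            broad = True  # implies every permission; wider than the page asks for
        elif cls == PERM_CLASS:
            granted.add(target)
    return {"missing": sorted(REQUIRED - granted), "all_permission": broad}


if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

A permission line that has been commented out is reported as missing, which catches a grant disabled during troubleshooting and never restored.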
After logging on to the console, complete the following steps to create the custom property that enables or disables running batch jobs under the credentials of a user:
1. Click Environment > WebSphere variables.
2. Select a configuration scope, then click New. The general properties page opens.
3. For Name, type RUN_JOBS_UNDER_USER_CREDENTIAL.
4. For Value, type True or False to enable or disable running jobs under user credentials.
5. Click OK, then click Save.
To enable jobs to run under user credentials on z/OS, also complete step 6.
6. (zos) Save the configuration and restart the server. To run jobs under credentials of the user on the z/OS platform, follow these steps:
   - Go to the security administration pane and click z/OS security options.
   - Enable application server and z/OS thread identity synchronization. This option specifies that application servers can process the syncToOSThread option for application components that specify it. Local JCA connectors might honor the MVS™ identity for authentication and authorization when an application requests a connection.
   - Enable the connection manager RunAs thread identity. This option sets the MVS identity associated with the Java EE identity on the execution thread.
   - Click OK.
   - Save the configuration and restart the server.
What to do next
Stop and start the server where the batch execution environment is installed.
Related concepts
- Command-line interface for batch jobs
- Roles and privileges for securing the job scheduler
- (zos) Application Synch to OS Thread Allowed
- (zos) Java thread identity and an operating system thread identity
Related tasks
- Secure the job scheduler using roles