(ZOS) Use thread identity support
The thread identity function allows us to assign a thread identifier as an owner of a connection when we first obtain the connection. This function only applies to Java EE Connector Architecture (JCA) resource adapters and Relational Resource Adapter (RRA) wrappered JDBC providers that support the use of thread identity for connection ownership.
In this article the term thread identity refers to the Java EE Identity (such as the RunAs Identity), as opposed to the OS thread identity. Refer to the topics Synchronizing a Java thread identity and an operating system thread identity, and Understanding Connection Manager RunAs Identity Enabled and operating system security, for more information.
Perform the following steps to enable the thread identity function for the connection factories or JDBC provider data sources created with the supported JCA resource adapters and JDBC providers:
Tasks
- Define resauth=Container for the application resource. See the topic Connection thread identity for details.
- Ensure the JCA resource adapters or JDBC providers support the thread identity function.
Review the supported resource adapters and data source providers, and the level of support: REQUIRED, ALLOWED, and NOTALLOWED. See the topic Connection thread identity for a table of the JCA resource adapter processes and the JDBC provider processes that support thread identity and thread security.
If the adapter or provider is not listed, thread identity support is NOTALLOWED by default.
- Set the Container-managed authentication alias to NULL, if we configure the connector locally.
When the connector is configured locally, the resource adapter determines the level of thread identity support as ALLOWED. If thread identity support is allowed and we specify Container-managed authentication alias as NULL, the connector uses the current thread identity as the owner for each connection created.
When the resource adapter or JDBC provider determines that the level of thread identity support is REQUIRED, any specification for the Container-managed authentication alias is ignored. Thread identity support in this case always applies.
- Determine connector behavior when Java 2 security is a factor. See the article Security states with thread identity support for more information.
If we want the identity associated with a connection to be the thread identity, then enable Java 2 security. In the case of JDBC providers that support the thread identity function and require the thread to be pushed to the z/OS thread of execution, set the server Connection Manager RunAs Identity Enabled property to true.
Note: With Bean Managed Persistence (BMP) beans, if you obtain a connection under the ejbLoad() or ejbStore() functions during pre-invoke or post-invoke method processing, the identity used by thread identity support is not the RunAs identity, because the container runs under the server identity during this processing. See the topic Delegations for more information. With BMP beans, instead of using thread identity, specify a Container-managed alias to associate the user with the connection.
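The first task above, shown as a deployment descriptor fragment. This is an added example, not taken from the product documentation; the resource names jdbc/SampleDS and jdbc/LegacyDS are constructed, and the fragment assumes the references are declared in web.xml or ejb-jar.xml.

```xml
<!-- Added example. jdbc/SampleDS and jdbc/LegacyDS are constructed names. -->

<!-- Container-managed sign-on: the prerequisite for thread identity support.
     The application calls getConnection() with no user ID or password.
     Per the tasks above, the connection owner is then the Container-managed
     authentication alias or, when that alias is NULL and the adapter's
     support level is ALLOWED, the current thread identity. -->
<resource-ref>
  <description>Data source eligible for thread identity ownership</description>
  <res-ref-name>jdbc/SampleDS</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
  <res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>

<!-- Component-managed sign-on, shown for contrast: the application supplies
     credentials itself, so this reference does not meet the
     resauth=Container requirement of the first task. -->
<resource-ref>
  <description>Data source using credentials passed by the application</description>
  <res-ref-name>jdbc/LegacyDS</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Application</res-auth>
  <res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
```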
Subtopics
- Security states with thread identity support
Different Java Platform, Enterprise Edition Connector Architecture (JCA) resource adapters and JDBC drivers provide different support for authenticating threads that transact with application server resources.
Related:
- Connection thread identity
- Delegations
- Java thread identity and an operating system thread identity
- Connection Manager RunAs Identity Enabled and system security