(ZOS) Connection thread identity
The application server for z/OS lets you assign a thread identity as the owner of a connection when the connection is first obtained. The thread identity function applies only to Java EE Connector Architecture (JCA) resource adapters and Relational Resource Adapter (RRA) wrappered JDBC providers that support the use of thread identity for connection ownership.
In this article the term thread identity refers to the Java EE identity (such as the RunAs identity), not the OS thread identity. For more information, refer to the topics Synchronizing a Java thread identity and an operating system thread identity, and Understanding Connection Manager RunAs Identity Enabled and operating system security.
The following table lists the JCA resource adapters and JDBC providers that support thread identity and OS thread security, together with the level of thread identity support each provides:

| Connectors | Thread identity support | OS thread security |
|---|---|---|
| IMS™ Connector - local ConnectionFactory configuration | ALLOWED | Not supported |
| IMS Connector - remote ConnectionFactory configuration | NOTALLOWED | Not supported |
| CTG CICSECIConnector - local ConnectionFactory configuration | ALLOWED | Not supported |
| CTG CICSECIConnector - remote ConnectionFactory configuration | NOTALLOWED | Not supported |
| IMS JDBC Connector - local ConnectionFactory configuration (by default, IMS JDBC supports only this type of configuration) | REQUIRED | True |
| RRA DB2 for z/OS local JDBC provider - data sources configured to the local DB2 | ALLOWED | True |
| RRA DB2 Universal JDBC Driver Provider using Type 2 connectivity | ALLOWED | True |
| RRA DB2 Universal JDBC Driver Provider using Type 4 connectivity | NOTALLOWED | Not supported |
| IBM MQ JMS Provider - Connection Factory (TransportType = BINDINGS) | ALLOWED | True |
| IBM MQ JMS Provider - Connection Factory (TransportType = CLIENT) | NOTALLOWED | Not supported |
| WebSphere JMS Provider (such as Integral JMS Provider) - Connection Factory | NOTALLOWED | Not supported |

WAS for z/OS allows resource adapters and JDBC providers to define the level of thread identity support for the connection factories or data sources they define. The level of support can be:
- ALLOWED, which indicates thread identity for connection ownership is allowed for this configuration.
- NOTALLOWED, which indicates thread identity for connection ownership is not allowed for this configuration.
- REQUIRED, which indicates thread identity for connection ownership is required.
The thread identity function is available only in server configurations where JCA connectors or JDBC providers access local z/OS resources through callable (not TCP/IP) interfaces. For example, CICS and IMS provide thread identity support only if the target CICS or IMS is configured on the same system as WAS for z/OS.
To use thread identity when obtaining connections from a connection factory or JDBC data source, the application must specify resauth=Container for that connection factory or data source. Use the Eclipse assembly tool or WebSphere Studio Application Developer Integration Edition (WSADIE) to set resauth=Container.
When the level of thread identity support provided by the connector configuration is ALLOWED, do not specify a Container-managed alias when defining the connection factory or JDBC data source if the connections are to use thread identity. If a Container-managed alias is specified, the user ID defined by the alias is assigned as the owning ID for connections obtained by the application.
When a JDBC provider supports thread identity, the thread identity function is used only when data sources configured for that provider are used by Version 2.0 EJB modules and Version 2.3 servlets.
WAS for z/OS also allows supported resource adapters and JDBC providers to enable OS thread security in conjunction with thread identity support. OS thread security is used when all of the following conditions are met:
- The server configuration supports both thread identity and thread security.
- The Connection Manager RunAs Identity Enabled property is enabled. To enable this option, click Security > Global security > z/OS security options in the administrative console; on the z/OS security options panel, select Enable the connection manager RunAs thread identity, and click Apply.
- The z/OS security product permits synchronization of the Connection Management thread identity through the BBO.SYNC FACILITY class or the BBO.SYNC SURROGATE class.
If these conditions are met, the system creates an access control environment element (ACEE) for the user associated with the thread.
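The rules above (support level, resauth=Container, Container-managed alias, module version, and the three OS thread security conditions) combine into one decision about which identity ends up owning a connection. The following is an added example, not IBM code, that encodes those rules so a configuration can be checked for cases where thread identity is silently not used; the configuration classes, field names and sample values are constructed here, and the REQUIRED level is treated like ALLOWED except that an alias does not override it (the page does not define REQUIRED with a non-Container resauth).

```python
# Added example, not IBM code: encodes this page's rules for which identity
# owns a connection from a WAS for z/OS connection factory or data source,
# and flags settings where thread identity is silently not used (constructed).
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOWED, NOTALLOWED, REQUIRED = "ALLOWED", "NOTALLOWED", "REQUIRED"
THREAD_IDENTITY_MODULES = ("EJB 2.0", "Servlet 2.3")  # restriction for JDBC providers

@dataclass
class ResourceConfig:
    name: str
    support: str                    # provider's thread identity support level
    os_thread_security: bool        # "True" in the table's OS thread security column
    res_auth: str                   # res-auth from the deployment descriptor
    container_alias: Optional[str]  # Container-managed authentication alias, if set
    module: str                     # module type using the resource, e.g. "EJB 2.0"
    is_jdbc: bool                   # RRA-wrappered JDBC provider (module rule applies)

@dataclass
class ServerConfig:
    runas_identity_enabled: bool    # Connection Manager RunAs Identity Enabled
    bbo_sync_permitted: bool        # BBO.SYNC permitted (FACILITY or SURROGATE class)

def resolve_owner(res: ResourceConfig, srv: ServerConfig,
                  runas_identity: str) -> Tuple[str, bool]:
    """Return (owning identity, whether an ACEE is created for it)."""
    fallback = res.container_alias or "resource-managed default"
    if res.support == NOTALLOWED:
        return fallback, False
    if res.res_auth != "Container":        # thread identity needs resauth=Container
        return "application-supplied credentials", False
    if res.support == ALLOWED and res.container_alias:
        return res.container_alias, False  # alias wins over thread identity
    if res.is_jdbc and res.module not in THREAD_IDENTITY_MODULES:
        return fallback, False
    acee = (res.os_thread_security and srv.runas_identity_enabled
            and srv.bbo_sync_permitted)
    return runas_identity, acee

def audit(res: ResourceConfig, srv: ServerConfig) -> List[str]:
    """Findings for settings that look like thread identity but do not use it."""
    findings = []
    if res.support == ALLOWED and res.container_alias and res.res_auth == "Container":
        findings.append(f"{res.name}: Container-managed alias overrides thread identity")
    if res.support != NOTALLOWED and res.res_auth != "Container":
        findings.append(f"{res.name}: res-auth is not Container; thread identity unused")
    if res.os_thread_security and res.support != NOTALLOWED and not srv.runas_identity_enabled:
        findings.append(f"{res.name}: OS thread security needs RunAs Identity Enabled")
    return findings
```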
Users of previous versions of WAS for z/OS will note that the instructions for enabling OS thread security have changed. Previously, OS thread security was enabled with a check box named Enable Synch to Thread. That check box still exists, but it is no longer associated with any Connection Management function. To enable OS thread security, users must now use the check box named Connection Manager RunAs Identity Enabled.
Related:
- Java thread identity and an operating system thread identity
- Connection Manager RunAs Identity Enabled and system security
- Use thread identity support
- Security states with thread identity support