+

Search Tips   |   Advanced Search

(ZOS) Connection thread identity

The application server for z/OS allows you to assign a thread identifier as an owner of a connection, when we first obtain the connection. The thread identity function only applies to Java EE Connector Architecture (JCA) resource adapters and Relational Resource Adapter (RRA) wrappered JDBC providers that support the use of thread identity for connection ownership.

In this article the term thread identity refers to the Java EE Identity (such as the RunAs Identity), as opposed to the OS thread identity. Refer to the topic, Synchronizing a Java thread identity and an operating system thread identity, and the topic, Understanding Connection Manager RunAs Identity Enabled and operating system security, for more information.

The following table lists the JCA resource adapter and JDBC provider processes that support thread identity and thread security. It also provides the level of thread identity support:

Connectors Thread identity support OS thread security
IMS™ Connector - local ConnectionFactory configuration ALLOWED Not supported
IMS Connector - remote ConnectionFactory configuration NOTALLOWED Not supported
CTG CICSECIConnector - local ConnectionFactory configuration ALLOWED Not supported
CTG CICSECIConnector - remote ConnectionFactory configuration NOTALLOWED Not supported
IMS JDBC Connector - local ConnectionFactory configuration (By default, IMS JDBC only supports this type of configuration.) REQUIRED True
RRA DB2 for z/OS local JDBC provider - data sources configured to the local DB2 ALLOWED True
RRA DB2 Universal JDBC Driver Provider using Type 2 connectivity ALLOWED True
RRA DB2 Universal JDBC Driver Provider using Type 4 connectivity NOTALLOWED Not supported
IBM MQ JMS Provider: Connection Factory (TransportType = BINDINGS) ALLOWED True
IBM MQ JMS Provider - Connection Factory (TransportType = CLIENT) NOTALLOWED Not supported
WebSphere JMS Provider (such as Integral JMS Provider): Connection Factory NOTALLOWED Not supported

WAS for z/OS allows resource adapters and JDBC providers to define the level of thread identity support for the defined connection factories or data sources. The level of support can be:

The thread identity function is only available in those server configurations where JCA connectors or JDBC providers access local z/OS resources through callable (not TCP/IP) interfaces. So, for example, CICS and IMS provide thread identity support only if the target CICS or IMS is configured on the same system as the z/OS WAS.

To use thread identity when getting connections to a connection factory or JDBC data source for the application, we must specify resauth=Container for the connection factory or JDBC data source. Use the Eclipse assembly tool or WebSphere Studio Application Developer Integration Edition (WSADIE) to indicate the resauth=Container setting.

When the level of thread identity support provided by the connector configuration is ALLOWED, to use thread identity for the connections, we cannot specify a Container-managed alias when defining the connection factory or JDBC data source. If we specify a Container-managed alias, the userid defined by the alias is assigned as the owning id for the connections obtained by the application.

When the JDBC provider supports thread identity, the thread identity function is only used when data sources configured for that provider are used by Version 2.0 EJB modules and v2.3 servlets.

WAS for z/OS also allows supported resource adapters and JDBC providers to enable OS thread security in conjunction with thread identity support. Use OS thread security when:

If these conditions are met, the system creates an access control environment element (ACEE) for the user associated with the thread.

Users of previous versions of WAS for z/OS will note that the instructions for enabling OS Thread Security have changed. Previously, OS Thread Security was enabled via a checkbox named Enable Synch to Thread. This checkbox still exists, but it no longer is associated with any Connection Management functionality. Users who wish to enable OS Thread Security must now use the checkbox named Connection Manager RunAs Identity Enabled


Related:

  • Java thread identity and an operating system thread identity
  • Connection Manager RunAs Identity Enabled and system security
  • Use thread identity support
  • Security states with thread identity support