Using the syncToOSThread function

You can use the syncToOSThread function of Liberty in a CICS Liberty JVM server. SyncToOSThread enables a Java subject, authenticated by Liberty, to be synchronized with the operating system (OS) thread identity. Without syncToOSThread, the operating system thread identity defaults to the CICS region user ID, which is the identity used to authorize access to resources outside of CICS control, such as zFS files. With syncToOSThread in effect, the user's subject is used to access these operating system resources.

About this task

Enabling syncToOSThread requires the Liberty appSecurity-1.0 and zosSecurity-1.0 features. These features are included with the cicsts:security-1.0 feature. You must also define the syncToOSThread configuration element in the Liberty server.xml and add a special <env-entry/> to the application's deployment descriptor (web.xml). In addition, the SAF registry must be used for authentication, the angel process must be up and running, and the server must be connected to the angel process. For more information about the angel process, see Process types on z/OS.

Procedure

  1. Configure the syncToOSThread configuration element in the Liberty server.xml and add the required <env-entry/> to each web application's deployment descriptor by following steps 1 and 2 in Enabling syncToOSThread for applications.
  2. Grant the Liberty server permission to perform syncToOSThread operations by configuring SAF with either of the following profiles:
    • Grant the CICS region user ID CONTROL access to the BBG.SYNC.<profilePrefix> profile in the FACILITY class, where <profilePrefix> is specified on the <safCredentials /> element. This allows the Liberty server to synchronize any Java subject with the OS thread identity:
      PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(CONTROL) CLASS(FACILITY)
    • Grant the CICS region user ID READ access to the BBG.SYNC.<profilePrefix> profile in the FACILITY class. Additionally, grant the CICS region user ID READ access to one or more BBG.SYNC.<AuthUserid> profiles in the SURROGAT class, one for each authenticated user ID to be synchronized with the OS identity:
      PERMIT BBG.SYNC.<profilePrefix> ID(<serverUserId>) ACCESS(READ) CLASS(FACILITY)
      PERMIT BBG.SYNC.<AuthUserid> ID(<serverUserId>) ACCESS(READ) CLASS(SURROGAT)
    Restriction: A servlet configured as the welcome page in web.xml does not support the syncToOSThread function.
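The two SAF profile forms in step 2 differ in scope: CONTROL on the FACILITY profile lets the server synchronize any authenticated subject, whereas READ on the FACILITY profile plus per-user SURROGAT profiles limits synchronization to the listed user IDs. The following Python script is an added example, not part of this documentation and not an IBM tool: it parses PERMIT commands of the form shown above and reports which form is in effect for a given server user ID, listing the user IDs that can be synchronized and flagging a broad grant. The PERMIT lines, the profile prefix BBGZDFLT and the region user ID CICSUSR are constructed sample values; treating a SURROGAT profile whose user part contains "*" as a generic grant is a simplification of RACF generic-profile matching.

```python
"""Audit the SAF PERMIT commands that grant a Liberty server syncToOSThread.

Added example (not IBM documentation code).  Sample PERMIT text below is
constructed; BBGZDFLT and CICSUSR are sample values.
"""
import re
from dataclasses import dataclass

# RACF access levels, lowest to highest authority.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
SYNC_PREFIX = "BBG.SYNC."


@dataclass(frozen=True)
class Permit:
    profile: str
    userid: str
    access: str
    cls: str


def _operand(text, name, default=None):
    """Return the value of a RACF keyword operand such as ID(...) from a command."""
    m = re.search(rf"(?<![A-Z0-9]){name}\(([^)]*)\)", text, re.IGNORECASE)
    return m.group(1).strip().upper() if m else default


def parse_permits(text):
    """Parse PERMIT commands, one per line; blank lines and /* comments are skipped."""
    permits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("/*"):
            continue
        tokens = stripped.split(None, 2)
        if len(tokens) < 3 or tokens[0].upper() != "PERMIT":
            raise ValueError(f"not a PERMIT command: {line!r}")
        profile, rest = tokens[1].upper(), tokens[2]
        ids = _operand(rest, "ID", "")
        # RACF defaults: ACCESS defaults to READ and CLASS defaults to DATASET.
        access = _operand(rest, "ACCESS", "READ")
        cls = _operand(rest, "CLASS", "DATASET")
        if access not in ACCESS_RANK:
            raise ValueError(f"unknown access level {access!r} in {line!r}")
        for userid in ids.split():  # ID(...) may list several user IDs
            permits.append(Permit(profile, userid, access, cls))
    return permits


def audit_sync_to_os_thread(text, profile_prefix, server_userid):
    """Classify how server_userid is permitted to perform syncToOSThread."""
    facility_profile = SYNC_PREFIX + profile_prefix.upper()
    server = server_userid.upper()
    facility_access = "NONE"
    surrogate_users = set()
    for p in parse_permits(text):
        if p.userid != server:
            continue  # grants to other IDs do not affect this server
        if p.cls == "FACILITY" and p.profile == facility_profile:
            if ACCESS_RANK[p.access] > ACCESS_RANK[facility_access]:
                facility_access = p.access
        elif p.cls == "SURROGAT" and p.profile.startswith(SYNC_PREFIX):
            if ACCESS_RANK[p.access] >= ACCESS_RANK["READ"]:
                surrogate_users.add(p.profile[len(SYNC_PREFIX):])

    findings = []
    if ACCESS_RANK[facility_access] >= ACCESS_RANK["CONTROL"]:
        mode = "any-user"
        findings.append(f"{server} holds {facility_access} on {facility_profile}: "
                        "any authenticated Java subject can be synchronized")
        if surrogate_users:
            findings.append("SURROGAT BBG.SYNC.* permits are redundant while CONTROL is held")
    elif ACCESS_RANK[facility_access] >= ACCESS_RANK["READ"]:
        mode = "per-user"
        wildcards = sorted(u for u in surrogate_users if "*" in u)
        if wildcards:  # simplification: any '*' in the user part is treated as generic
            findings.append(f"generic SURROGAT profile(s) {wildcards} widen the grant to many users")
        if not surrogate_users:
            findings.append("READ on FACILITY but no SURROGAT permits: no user can be synchronized")
    else:
        mode = "disabled"
        findings.append(f"{server} lacks READ on {facility_profile}: syncToOSThread cannot be used")
    return {"mode": mode, "facility_access": facility_access,
            "users": sorted(surrogate_users), "findings": findings}


# Constructed sample: the least-privilege form for region user ID CICSUSR.
SAMPLE_PERMITS = """\
/* constructed sample input */
PERMIT BBG.SYNC.BBGZDFLT ID(CICSUSR) ACCESS(READ) CLASS(FACILITY)
PERMIT BBG.SYNC.WEBUSR1 ID(CICSUSR) ACCESS(READ) CLASS(SURROGAT)
PERMIT BBG.SYNC.WEBUSR2 ID(CICSUSR) ACCESS(READ) CLASS(SURROGAT)
PERMIT BBG.SYNC.OTHER ID(OTHERSRV) ACCESS(READ) CLASS(SURROGAT)
"""

if __name__ == "__main__":
    for finding_line in audit_sync_to_os_thread(SAMPLE_PERMITS, "BBGZDFLT", "CICSUSR")["findings"]:
        print(finding_line)
    print(audit_sync_to_os_thread(SAMPLE_PERMITS, "BBGZDFLT", "CICSUSR"))
```

Run against the output of a SAF administrator's PERMIT script (or RLIST output converted to the same shape), the "any-user" result is the one to review: it is the broader of the two forms in step 2 and, once granted, the per-user SURROGAT profiles no longer restrict anything.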