[z/OS]

Connection thread identity

The application server for z/OS® allows you to assign a thread identifier as an owner of a connection, when you first obtain the connection. The thread identity function only applies to Java™ Platform, Enterprise Edition (Java EE) Connector Architecture (JCA) resource adapters and Relational Resource Adapter (RRA) wrappered Java Database Connectivity (JDBC) providers that support the use of thread identity for connection ownership.

In this article the term thread identity refers to the Java EE Identity (such as the RunAs Identity), as opposed to the OS thread identity. Refer to the topic, Synchronizing a Java thread identity and an operating system thread identity, and the topic, Understanding Connection Manager RunAs Identity Enabled and operating system security, for more information.

The following table lists the JCA resource adapter and JDBC provider processes that support thread identity and thread security. It also provides the level of thread identity support:

Table 1. JCA resource adapter and JDBC provider support for thread identity and thread security. Read the next section for definitions of thread identity support.

| Connectors | Thread identity support | OS thread security |
|---|---|---|
| IMS Connector - local ConnectionFactory configuration | ALLOWED | Not supported |
| IMS Connector - remote ConnectionFactory configuration | NOTALLOWED | Not supported |
| CTG CICSECIConnector - local ConnectionFactory configuration | ALLOWED | Not supported |
| CTG CICSECIConnector - remote ConnectionFactory configuration | NOTALLOWED | Not supported |
| IMS JDBC Connector - local ConnectionFactory configuration (By default, IMS JDBC only supports this type of configuration.) | REQUIRED | True |
| RRA DB2® for z/OS local JDBC provider - data sources configured to the local DB2 | ALLOWED | True |
| RRA DB2 Universal JDBC Driver Provider using Type 2 connectivity | ALLOWED | True |
| RRA DB2 Universal JDBC Driver Provider using Type 4 connectivity | NOTALLOWED | Not supported |
| WebSphere® MQ JMS Provider: Connection Factory (TransportType = BINDINGS) | ALLOWED | True |
| WebSphere MQ JMS Provider - Connection Factory (TransportType = CLIENT) | NOTALLOWED | Not supported |
| WebSphere JMS Provider (such as Integral JMS Provider): Connection Factory | NOTALLOWED | Not supported |

WebSphere Application Server for z/OS allows resource adapters and JDBC providers to define the level of thread identity support for the defined connection factories or data sources. The level of support can be:

  • ALLOWED, which indicates thread identity for connection ownership is allowed for this configuration.
  • NOTALLOWED, which indicates thread identity for connection ownership is not allowed for this configuration.
  • REQUIRED, which indicates thread identity for connection ownership is required.

The thread identity function is only available in those server configurations where JCA connectors or JDBC providers access local z/OS resources through callable (not TCP/IP) interfaces. So, for example, CICS® and IMS provide thread identity support only if the target CICS or IMS is configured on the same system as the z/OS WebSphere Application Server.

To use thread identity when getting connections to a connection factory or JDBC data source for your application, you must specify resauth=Container for the connection factory or JDBC data source. Use the Eclipse assembly tool or WebSphere Studio Application Developer Integration Edition (WSADIE) to indicate the resauth=Container setting.

When the level of thread identity support provided by the connector configuration is ALLOWED, if you want to use thread identity for the connections, you cannot specify a Container-managed alias when you define the connection factory or JDBC data source. If you specify a Container-managed alias, the userid defined by the alias is assigned as the owning id for the connections obtained by the application.

When the JDBC provider supports thread identity, the thread identity function is only used when data sources configured for that provider are used by Version 2.0 EJB modules and Version 2.3 servlets.

WebSphere Application Server for z/OS also allows supported resource adapters and JDBC providers to enable OS thread security in conjunction with thread identity support. You can use OS thread security when:

  • The server configuration supports both thread identity and thread security.
  • The Connection Manager RunAs Identity Enabled property is enabled.

    You can configure the server to allow Connection Manager RunAs Identity Enabled support. To enable this option, click Security > Global security > z/OS security options in the administrative console. On the z/OS security options panel, select the Enable the connection manager RunAs thread identity option, and click Apply.

  • The z/OS security product permits synchronization of the Connection management thread identity through the BBO.SYNC FACILITY class or BBO.SYNC SURROGATE class.

If these conditions are met, the system creates an access control environment element (ACEE) for the user associated with the thread.
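The following added example (not IBM code and not part of the original topic) applies the ownership rules and the three OS thread security conditions described above to a small resource inventory, so that an administrator can see which identity ends up owning each connection. The inventory entries, JNDI names, alias userids and function names are constructed for illustration; the support levels are copied from Table 1, and the EJB and servlet version restriction is not modelled.

```python
# Support levels copied from Table 1: (thread identity support, OS thread security)
TABLE1 = {
    "IMS Connector local": ("ALLOWED", False),
    "RRA DB2 for z/OS local JDBC provider": ("ALLOWED", True),
    "RRA DB2 Universal JDBC Driver Type 4": ("NOTALLOWED", False),
    "WebSphere MQ JMS BINDINGS": ("ALLOWED", True),
}

def connection_owner(level, res_auth, alias=None):
    """Which identity owns a connection, following the rules in this topic."""
    if res_auth != "Container" or level == "NOTALLOWED":
        return "not-thread-identity"      # thread identity cannot be used
    if alias and level == "ALLOWED":
        return "alias:" + alias           # the alias userid becomes the owner
    if alias:
        return "unspecified"              # REQUIRED plus alias: not stated in this topic
    return "thread-identity"              # Java EE (RunAs) identity owns the connection

def acee_conditions_met(level, os_security, runas_enabled, sync_permitted):
    """True when the three listed conditions for OS thread security all hold."""
    supports_both = level in ("ALLOWED", "REQUIRED") and os_security
    return supports_both and runas_enabled and sync_permitted

def audit(inventory, runas_enabled, sync_permitted):
    """Return (jndi_name, owner, acee_conditions_met) for each resource.

    The two results are reported independently, as the topic lists them.
    """
    report = []
    for res in inventory:
        level, os_security = TABLE1[res["connector"]]
        owner = connection_owner(level, res["res_auth"], res.get("alias"))
        acee = acee_conditions_met(level, os_security, runas_enabled, sync_permitted)
        report.append((res["jndi"], owner, acee))
    return report

# Constructed inventory: JNDI names and alias userids are hypothetical.
INVENTORY = [
    {"jndi": "jdbc/db2local", "connector": "RRA DB2 for z/OS local JDBC provider", "res_auth": "Container"},
    {"jndi": "jdbc/db2type4", "connector": "RRA DB2 Universal JDBC Driver Type 4", "res_auth": "Container", "alias": "DBUSER1"},
    {"jndi": "eis/imslocal", "connector": "IMS Connector local", "res_auth": "Container", "alias": "IMSBATCH"},
    {"jndi": "jms/mqbind", "connector": "WebSphere MQ JMS BINDINGS", "res_auth": "Application"},
]

if __name__ == "__main__":
    for row in audit(INVENTORY, runas_enabled=True, sync_permitted=True):
        print(row)
```

An entry that reports an alias owner where the caller's identity was expected means that every connection from that factory runs under the shared alias userid, so downstream access checks and audit records see that userid rather than the individual caller.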

Users of previous versions of WebSphere Application Server for z/OS will note that the instructions for enabling OS Thread Security have changed. Previously, OS Thread Security was enabled via a checkbox named Enable Synch to Thread. This checkbox still exists, but it is no longer associated with any Connection Management functionality. Users who wish to enable OS Thread Security must now use the checkbox named Connection Manager RunAs Identity Enabled.