Use this page to determine which secure administration, applications, and infrastructure options to specify for the application server for z/OS.
If you are configuring security for the first time, complete the steps in the Configuring secure administration, applications, and infrastructure article prior to making changes. After security is configured, validate any changes to the user registry or authentication mechanism panels. Click Apply to validate the user registry settings. An attempt is made to authenticate the server ID to the configured user registry. Validating the user registry settings after enabling secure administration, applications, and infrastructure can reduce potential problems when you restart the server for the first time.
Specifies the System Authorization Facility (SAF) user ID that is assumed for the Internet Inter-ORB Protocol (IIOP) unauthenticated clients that make requests of this server from another system.
Specifies whether an application remote identity is permitted.
Specifies the SAF user ID that is assumed for the Internet Inter-ORB Protocol (IIOP) unauthenticated clients that make requests of this server from the same system.
Specifies whether an application local identity is permitted.
Indicates if an operating system thread identity is enabled for synchronization with the Java 2 Platform, Enterprise Edition (J2EE) identity that is used in the application server runtime if an application is coded to request this function.
Synchronizing the operating system identity to the J2EE identity causes the operating system identity to synchronize with the authenticated caller, or delegated RunAs identity in a servlet or Enterprise JavaBeans (EJB) file. This synchronization or association means that the caller or security role identity, rather than the server region identity, is used for z/OS system service requests such as access to files.
If the Sync to OS thread allowed value is false, which is the default setting, the ability of the deployment descriptor setting of the installed application to modify the identity on the operating system thread is disabled. If the server is not configured to allow synchronization, and the application deployment descriptor setting, com.ibm.websphere.security.SyncToOSThread, is set to true, a BBOJ0080W warning is issued stating that the EJB requests the SyncToOSThread option, but the server is not enabled for the SyncToOSThread option.
Any J2EE Connector architecture (J2CA) connector that uses the thread identity support must support thread identity. Customer Information Control System (CICS), Information Management System (IMS), and DB2 support thread identity. CICS and IMS support thread identity only if the target CICS or IMS is configured on the same system as the application server for z/OS. DB2 always supports thread identity. If a connector does not support thread identity, the user identity that is associated with the connection is based on the default user identity that is supported by the particular connector.
Data type | Boolean |
Default | Disabled |
Range | Enabled or Disabled |
Important: This option significantly increases the number of SMF 80 records used for security auditing. If security auditing is turned on for SMF 80 records, then the amount of DASD used also increases significantly.
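The following added example (not IBM's code) scans a deployment descriptor for components that request com.ibm.websphere.security.SyncToOSThread and reports the outcome described above for each value of the server setting. It assumes the request is expressed as a standard J2EE env-entry; the sample descriptor, bean names, and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SYNC_ENTRY = "com.ibm.websphere.security.SyncToOSThread"

# Constructed sample descriptor: only PayrollBean requests synchronization.
SAMPLE_EJB_JAR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>PayrollBean</ejb-name>
      <env-entry>
        <env-entry-name>com.ibm.websphere.security.SyncToOSThread</env-entry-name>
        <env-entry-type>java.lang.Boolean</env-entry-type>
        <env-entry-value>true</env-entry-value>
      </env-entry>
    </session>
    <session><ejb-name>CatalogBean</ejb-name></session>
  </enterprise-beans>
</ejb-jar>"""

def local(tag):
    """Drop any XML namespace so DTD-era and schema-era descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or an empty string."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def components_requesting_sync(descriptor_xml):
    """Names of components whose env-entry asks for SyncToOSThread=true."""
    found = []
    for comp in ET.fromstring(descriptor_xml).iter():
        for entry in (c for c in comp if local(c.tag) == "env-entry"):
            if (child_text(entry, "env-entry-name") == SYNC_ENTRY
                    and child_text(entry, "env-entry-value").lower() == "true"):
                found.append(child_text(comp, "ejb-name") or local(comp.tag))
    return found

def audit(descriptor_xml, server_sync_allowed):
    """Map each requesting component to the outcome the page describes."""
    outcome = "runs with caller or RunAs identity" if server_sync_allowed else "BBOJ0080W warning"
    return {name: outcome for name in components_requesting_sync(descriptor_xml)}

if __name__ == "__main__":
    for allowed in (False, True):
        print(allowed, audit(SAMPLE_EJB_JAR, allowed))
```

Running the audit before enabling the option shows which components will start making z/OS system service requests under the caller or RunAs identity, and therefore which ones contribute to the increase in SMF 80 records.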