Running jobs under user credentials

This article explains how to allow jobs to run under a user's credentials when WebSphere security is enabled.

About this task

WebSphere Extended Deployment Version 6.0.2 introduced a feature that, by default, allows jobs to run under a user's credentials when WebSphere security is enabled. When the job is dispatched to the endpoint, the LREE switches the credential on the job step thread from the server's credential to the user's credential. If you want to change the default behavior, apply IFIX PK35827, create a dynamic cluster custom property called RunUnderUserCredential, then set its value to true. After IFIX PK35827 is applied, the default behavior changes so that jobs do NOT run under the user's credential unless the custom property is created and set to true.

WebSphere Extended Deployment V6.1 introduces a new variable called RUN_JOBS_UNDER_USER_CREDENTIAL that lets users enable or disable running jobs under the user's credentials. The custom property RunUnderUserCredential is still valid, for dynamic clusters only, in order to support WebSphere Extended Deployment V6.0.2 dynamic cluster migration.

Note: RUN_JOBS_UNDER_USER_CREDENTIAL can be created at any scope level and accepts the values true or false. The default is false, which means that jobs will run under server credentials.

When Java 2 Security is enabled, your Compute Grid applications must grant the following two permissions in the application's was.policy file:
  • permission com.ibm.websphere.security.WebSphereRuntimePermission "SecOwnCredentials"
  • permission com.ibm.websphere.security.WebSphereRuntimePermission "ContextManager.getServerCredential"

After logging in to the administrative console, use the following steps to create the custom property that enables or disables running jobs under the user's credential:

Procedure

  1. Click Environment > WebSphere Variables
  2. Select a configuration scope, then click New. The general properties panel opens.
  3. Type RUN_JOBS_UNDER_USER_CREDENTIAL in the Name field.
  4. Type True or False to enable or disable running jobs under the user's credential.
  5. Click OK, then click Save.
  6. [For z/OS operating system] Save the configuration and restart the server. To run jobs under user's credentials on the z/OS platform, the following additional steps must be followed:
    1. Navigate to the security administration pane and click z/OS security options.
    2. Enable application server and z/OS thread identity synchronization. This option specifies that application servers can process the syncToOSThread option for application components that specify it. Local JCA connectors may honor the MVS identity for authentication and authorization when an application requests a connection.
    3. Enable the connection manager RunAs thread identity. This option sets the MVS identity associated with the Java 2 Platform Enterprise Edition (J2EE) identity on the execution thread.
    4. Click OK.
    5. Save the configuration and restart the server.

What to do next

Stop and start the server where the GEE is installed.
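
The following audit sketch is an added example, not IBM code: it reports which credential jobs will run under and which of the two required permissions a was.policy file fails to grant. It assumes each scope's variables are available as variables.xml text, that a more specific scope overrides a broader one, and that the value is compared case-insensitively; the sample inputs and the XML namespace are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

VAR = "RUN_JOBS_UNDER_USER_CREDENTIAL"
PERM = "com.ibm.websphere.security.WebSphereRuntimePermission"
REQUIRED = {"SecOwnCredentials", "ContextManager.getServerCredential"}
SCOPES = ["cell", "cluster", "node", "server"]  # assumption: later entries override earlier

def variable_value(variables_xml):
    """Value of VAR in one variables.xml document, or None if it is not defined there."""
    for entry in ET.fromstring(variables_xml).iter("entries"):
        if entry.get("symbolicName") == VAR:
            return entry.get("value", "")
    return None

def effective_setting(by_scope):
    """by_scope maps scope name -> variables.xml text. Returns (scope, enabled)."""
    result = ("default", False)  # page: default is false, jobs run under server credentials
    for scope in SCOPES:
        value = variable_value(by_scope[scope]) if scope in by_scope else None
        if value is not None:
            result = (scope, value.strip().lower() == "true")
    return result

def missing_permissions(was_policy):
    """Required permission names that the was.policy text does not grant."""
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", was_policy, flags=re.S)  # ignore comments
    granted = re.findall(r'permission\s+' + re.escape(PERM) + r'\s+"([^"]+)"\s*;', text)
    return REQUIRED - set(granted)

# Constructed sample input, modelled on the variables.xml and was.policy layouts.
NS = 'xmlns:variables="urn:example:variables"'  # placeholder namespace
CELL = f'<variables:VariableMap {NS}><entries symbolicName="{VAR}" value="false"/></variables:VariableMap>'
SERVER = f'<variables:VariableMap {NS}><entries symbolicName="{VAR}" value="True"/></variables:VariableMap>'
POLICY = f'''grant codeBase "file:${{application}}" {{
  permission {PERM} "SecOwnCredentials";
  // permission {PERM} "ContextManager.getServerCredential";
}};'''

if __name__ == "__main__":
    scope, enabled = effective_setting({"cell": CELL, "server": SERVER})
    print(f"jobs run under {'user' if enabled else 'server'} credentials (set at {scope} scope)")
    for name in sorted(missing_permissions(POLICY)):
        print(f'Java 2 Security: was.policy lacks {PERM} "{name}"')
```
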