Set up the System Authorization Facility (SAF) unauthenticated user
If we are using a SAF user registry, it is necessary to specify a SAF user ID that represents the unauthenticated state. The name of the unauthenticated user ID is specified on the unauthenticatedUser attribute of the SAFCredentials element in server.xml. It is important to define this user ID correctly in the SAF registry. If we are using a RACF SAF user registry, the unauthenticated user (default WSGUEST) needs: a unique default group (DFLTGRP) with no other user IDs connected to that group; an OMVS segment but no TSO segment; and the options NOPASSWORD, NOOIDCARD, and RESTRICTED. If we have a SAF user registry other than RACF, find the user ID options provided by that SAF registry that are equivalent to these RACF options.
By running the appropriate commands, we can correctly set up an unauthenticated user in the SAF user registry. An unauthenticated user that is incorrectly set up might cause a security exposure.
- Run the ADDGROUP command.
Use WSGUESTG as the group name.
ADDGROUP WSGUESTG SUPGROUP(SYS1) OWNER(SYS1) DATA('WAS Unauthenticated User Group') OMVS(AUTOGID)
- Run the ADDUSER command.
Use WSGUEST as the user ID name.
ADDUSER WSGUEST DFLTGRP(WSGUESTG) OWNER(SYS1) OMVS(AUTOUID HOME(/u/WSGUEST) PROGRAM(/bin/sh)) NAME('WAS unauth') NOPASSWORD NOOIDCARD RESTRICTED
The options NOPASSWORD and NOOIDCARD make this a protected user ID: it cannot be used to log on with a password, so it cannot be revoked by repeated attempts to guess the password.
The option RESTRICTED means that this user ID cannot gain access to a protected resource unless it is explicitly permitted access to that resource, even if that resource has a general access setting of UACC(READ).
- Note: After the unauthenticated user ID (WSGUEST) is defined to the SAF registry, ensure the user ID is permitted to only the minimum number of SAF resources. If the Liberty server is using the SAF APPL resource check to control which users can connect to the Liberty z/OS System Security Access Domain, then the unauthenticated user ID must be given access to the APPL profile. Run the PERMIT command.
PERMIT BBGZDFLT CLASS(APPL) ID(WSGUEST) ACCESS(READ)
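As an added verification step (example code written for this page, not IBM's own tooling), the following Python script parses captured RACF LISTUSER and LISTGRP output and reports which of the requirements above the unauthenticated user ID fails to meet. The sample output is constructed and only approximates the real RACF layout; the exact spacing and field order on a given system may differ, so the regexes are an assumption to be adjusted against real output.

```python
import re

# Constructed sample output approximating RACF LISTUSER / LISTGRP layout (assumption).
LISTUSER_WSGUEST = """\
USER=WSGUEST  NAME=WAS UNAUTH  OWNER=SYS1  CREATED=24.001
 DEFAULT-GROUP=WSGUESTG  PASSDATE=N/A  PASS-INTERVAL=N/A  PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED RESTRICTED
OMVS INFORMATION
----------------
UID= 0000012345
HOME= /u/WSGUEST
PROGRAM= /bin/sh
"""
LISTGRP_WSGUESTG = """\
INFORMATION FOR GROUP WSGUESTG
    SUPERIOR GROUP=SYS1      OWNER=SYS1
    INSTALLATION DATA=WAS UNAUTHENTICATED USER GROUP
    USER(S)=      ACCESS=      ACCESS COUNT=      UNIVERSAL ACCESS=
      WSGUEST       USE          000000            NONE
"""

def group_members(listgrp_out):
    """Collect the user IDs listed in the USER(S)= table at the end of LISTGRP output."""
    members, in_table = [], False
    for line in listgrp_out.splitlines():
        if "USER(S)=" in line:
            in_table = True
        elif in_table and line.strip():
            members.append(line.split()[0])
    return members

def check_unauth_user(listuser_out, listgrp_out, user="WSGUEST", group="WSGUESTG"):
    """Return a list of findings; an empty list means the ID meets the rules above."""
    findings = []
    if not re.search(rf"DEFAULT-GROUP={group}\b", listuser_out):
        findings.append(f"DFLTGRP is not {group}")
    attrs = "".join(re.findall(r"ATTRIBUTES=(.*)", listuser_out)).split()
    if "PROTECTED" not in attrs:  # PROTECTED is how NOPASSWORD + NOOIDCARD is displayed
        findings.append("not PROTECTED (needs NOPASSWORD NOOIDCARD)")
    if "RESTRICTED" not in attrs:
        findings.append("not RESTRICTED")
    if "OMVS INFORMATION" not in listuser_out:
        findings.append("no OMVS segment")
    if "TSO INFORMATION" in listuser_out:
        findings.append("TSO segment present (should not be)")
    extra = [u for u in group_members(listgrp_out) if u != user]
    if extra:  # the default group must be unique to the unauthenticated ID
        findings.append(f"other IDs connected to {group}: {', '.join(extra)}")
    return findings
```

Run it against the output of LISTUSER WSGUEST OMVS TSO and LISTGRP WSGUESTG captured to a file; any non-empty result points at an option that still needs to be corrected with ALTUSER or REMOVE.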