Enable z/OS authorized services on Liberty for z/OS

Liberty on z/OS offers the ability for the applications to take advantage of z/OS authorized services for System Authorization Facility (SAF) authorization, Workload Manager (WLM), Resource Recovery services (RRS), and SVCDUMP. If the application requires these services, set up an Liberty angel process and grant access for our Liberty server to use these services. To use the z/OS Authorized Services, we can set up the following types of profiles using a SAF security product such as RACF:

SAF STARTED profile is required if you plan on running the Liberty server or the Liberty angel process as a z/OS Started Task. For more information about the Liberty angel process, see Process types on z/OS.
SAF SERVER profile is required if you plan on having the Liberty server access any of the z/OS Authorized Services for the applications. We can find the description of each service in the following content.

Note: If we are not planning to run the Liberty server as a Started Task and are not planning to use any of the authorized services, RACF need not be set up.

Create STARTED profiles for users WLPUSER0 and WLPUSER1
- Create STARTED profiles for the PROCs for the angel and Liberty server processes. This action enables the angel and Liberty server to run as Started Tasks.
  - To cause the angel to run under the user ID WLPUSER0:
  - To cause a server running under the BBGZSRV procedure name to run under the user ID WLPUSER1:
- Create a SERVER profile for the angel process and permit the WLPUSER1 user ID to the profile.This action grants a Liberty server access to the angel process, which is required for the z/OS authorized services. To create an unnamed angel server profile and enable a server running as WLPUSER1 to connect to it, use the following commands:
  To create a named angel server profile and enable a server running as WLPUSER1 to connect to it, use the following commands:
  The profile name specified for the namedAngelName variable is the name of the new angel. Tip: We can use generic profiles such as BBG.ANGEL.* to grant a user ID access to multiple angels.

Create a SERVER profile for the authorized module BBGZSAFM

Create a SERVER profile for the authorized module BBGZSAFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to use the z/OS Authorized services. To enable a server running as WLPUSER1 to access the authorized module:

Create SERVER profiles for the individual authorized services provided for the z/OS operating system. These profiles enable the server to invoke the individual authorized services and these services are grouped by function:

To enable the SAF authorized user registry services and SAF authorization services (SAFCRED):

RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)      
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(wlpuser1)

To enable the WLM services (ZOSWLM):

RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)      
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)

To enable the RRS transaction services (TXRRS):

RDEF SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)      
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(wlpuser1)

To enable the SVCDUMP services (ZOSDUMP):

RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)      
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) ID(wlpuser1)

To enable optimized local adapter services:

RDEF SERVER BBG.AUTHMOD.BBGZSAFM.LOCALCOM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.LOCALCOM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.WOLA UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.WOLA CLASS(SERVER)ACCESS(READ) ID(wlpuser1)

To enable the IFAUSAGE services (PRODMGR):

RDEF SERVER BBG.AUTHMOD.BBGZSAFM.PRODMGR UACC(NONE)      
PERMIT BBG.AUTHMOD.BBGZSAFM.PRODMGR CLASS(SERVER) ACCESS(READ) ID(wlpuser1)

To enable the AsyncIO services (ZOSAIO):

RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSAIO UACC(NONE) 
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSAIO CLASS(SERVER) ACCESS(READ) ID(wlpuser1)

Note: During server startup, Liberty checks all authorized services for access. Specifying the SAFLOG=Y JCL parameter on the angel PROC causes SAF error messages for all authorized services that a server is not allowed to use.

Create a SERVER profile for the authorized client module BBGZSCFM
- Create a SERVER profile for the authorized client module BBGZSCFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to load the z/OS Authorized client services. To enable a server running as WLPUSER1 to access the authorized client module:
- Create SERVER profiles for the individual authorized client services provided for the z/OS operating system. These profiles enable clients to invoke the individual authorized services provided by the server. These services are grouped by function:
  - To enable optimized local adapter services:

Access z/OS security resources using WZSSAD
The WLP z/OS System Security Access Domain (WZSSAD) refers to the permissions granted to the Liberty server. These permissions control which System Authorization Facility (SAF) application domains and resource profiles the server is permitted to query when authenticating and authorizing users.
Enable Asynchronous TCP/IP sockets I/O for Liberty on z/OS
By default, the Liberty server uses a Java implementation to handle incoming TCPIP requests. To obtain improve performance and scalability in many environments, enable the asynchronous TCP/IP sockets I/O for Liberty (AsyncIO) on z/OS service and take advantage of native z/OS services.
Unauthorized services used by the SAF registry
The System Authorization Facility (SAF) registry uses a number of unauthorized services from the C environment provided by LE (Language Environment).
Set up the System Authorization Facility (SAF) unauthenticated user
If we are using a SAF user registry, it is necessary to specify a SAF user ID that represents the unauthenticated state. The name of the unauthenticated user ID is specified on the unauthenticatedUser attribute of the SAFCredentials element in server.xml. It is important to define this user ID correctly in your SAF registry. If we are using a RACF SAF user registry, the unauthenticated user (default WSGUEST) needs a unique default group (DFLTGRP) with no other user IDs connected to that group, an OMVS segment, but not a TSO segment, and the options NOPASSWORD, NOOIDCARD, and RESTRICTED. If we have another SAF user registry, instead of RACF, then find the user ID options provided by that SAF registry that are equivalent to these RACF options.
Required SAF permission when components use the REST Handler framework
z/OS users of System Authorization Facility (SAF) with Liberty components that are built on the REST Handler framework must grant the allAuthenticatedUsers permission.

Parent topic: Authorize access to resources in Liberty

Related tasks

Configure security for z/OS Connect