+

Search Tips   |   Advanced Search

Home Operating Systems: z/OS

 

Authenticate with SAF on IHS (z/OS systems)

You can authenticate to the IHS on z/OS using HTTP basic authentication or client certificates with the System Authorization Facility (SAF) security product. Use SAF authentication for verification of user IDs and passwords or certificates.

The mod_authz_default and mod_auth_basic directives provide basic authentication and authorization support which is needed in mod_authnz_saf configurations. In addition, the mod_ibm_ssl directive provides support for SSL client certificates. If we use SAF authentication, ensure that the first three LoadModule directives from the following example are activated. If we use SSL client certificates, ensure that the mod_ibm_ssl.so LoadModule directive is activated as well. 

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authnz_saf_module modules/mod_authnz_saf.so
LoadModule authz_default_module modules/mod_authz_default.so
# Uncomment mod_ibm_ssl if any type of SSL support is required, 
# such as client certificate authentication
#LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
If the mod_authz_default module is not loaded by your Web server, the server returns a response code 500 instead of 401 if the user is not authorized.

SAF authentication is provided by the mod_authnz_saf module. The mod_authnz_saf module allows the use of HTTP basic authentication or client certificates to restrict access by looking up users, groups, and SSL client certificates in SAF. This module also allows you to switch the thread from the server ID to another ID prior to responding to the request by using the SAFRunAS directive. For additional information, see the information center topic about SAF directives. Also, see the topic about migrating and installing IBM HTTP Server on z/OS systems for information about migrating your SAF directives.

  1. Determine the location you want to limit access to. For example: <Location "/admin-bin">.

  2. Add directives in the httpd.conf file to the directory or location to be protected with values specific to your environment.

    To restrict access to files under the /secure to only users who provide a valid SAF user ID and password, consider this example. 

    <Directory  /secure> 	
		AuthName protectedrealm_title	
		AuthType Basic   
		AuthBasicProvider saf   
		Require valid-user   
</Directory>
    You can also restrict access based on user ID or SAF group membership by replacing the Require directive in the previous example... 

    require saf-user USERID
require saf-group GROUPNAME

  3. Optional: Specify Require saf-user or Require saf-group to restrict access to a specific SAF user or group.

 

Subtopics

SAF directives

 

Related concepts

Migrating and installing IHS on z/OS systems