z/OS Profile Management Tool security settings
The z/OS Profile Management Tool allows us to specify System Authorization Facility (SAF) profile prefixes (previously referred to as z/OS security domains) for the WAS for z/OS configuration.
- Set up a base Application Server using the WebSphere z/OS Profile Management Tool or the zpmt command before using the Application Server to set up a WAS Network Deployment node, which is managed by the deployment manager process (dmgr). It is critical that you LOAD saved environment variables from the base Application Server into the deployment manager node that federates the base node. Do this before performing security customization on the deployment manager node.
- If the APPL class is active and we have defined a profile for WebSphere Application Server, make sure that all z/OS identities using WebSphere Application Server services have READ permission to the WAS APPL profile. This includes all WebSphere Application Server identities, WebSphere Application Server unauthenticated identities, WebSphere Application Server administrative identities, user IDs based on role-to-user mappings, and all user identities for system users. If we have not specified a SAF profile prefix, the APPL profile used is CBS390 or the name used as the SAF profile prefix. If we have specified a SAF profile prefix, the APPL profile used. When adding an administrator to the console using local operating system security, if the APPL class is activated, the administrator's user ID must be authorized to the CBS390 (or the name specified as the SAF profile prefix) APPL class for RACF as well. If the administrator's user ID is not authorized to CBS390 APPL, message BBOS0108E is issued, indicating that the credential-handling function (RunAsGetSpecCred) failed in routine because the user is not authorized.
- Once a profile is created, you can control whether the APPL class profile is checked from the console: navigate to the SAF authorization options panel and set the check box labeled Use APPL profile to restrict access to the server.
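The READ permission requirement for the APPL profile described above, as an added REXX example (not one of the generated customization jobs): it defines the profile, permits each identity, and lists the resulting access list so a missing ID can be spotted before BBOS0108E appears. CBS390 is the default profile name from this page; the group and user names, the choice of UACC(NONE), and the assumption that the APPL class is RACLISTed are this example's own.

```rexx
/* REXX - added example, not an IBM-generated customization job.      */
/* Assumptions (replace with your installation's values):             */
/*   profile : CBS390 when no SAF profile prefix is specified,        */
/*             otherwise the name used as the SAF profile prefix      */
/*   ids     : hypothetical groups/user IDs that use WebSphere        */
/*             Application Server services (server, unauthenticated,  */
/*             and administrative identities, mapped users)           */
profile = 'CBS390'
ids     = 'WSCFG1 WSGUEST WSADMIN'      /* placeholder names */

address TSO
problems = 0

/* Define the APPL profile. UACC(NONE) is this example's choice, so   */
/* that READ is granted only through the explicit PERMITs below.      */
"RDEFINE APPL" profile "UACC(NONE)"
if rc <> 0 then do
  say 'RDEFINE APPL' profile 'returned rc='rc '(check the RACF message)'
  problems = problems + 1
end

/* Grant READ to every identity that uses WebSphere services.         */
do i = 1 to words(ids)
  id = word(ids, i)
  "PERMIT" profile "CLASS(APPL) ID("id") ACCESS(READ)"
  if rc <> 0 then do
    say 'PERMIT for' id 'returned rc='rc
    problems = problems + 1
  end
end

/* Assumes the APPL class is RACLISTed; the in-storage profiles must  */
/* be refreshed before the new permissions take effect.               */
"SETROPTS RACLIST(APPL) REFRESH"
if rc <> 0 then do
  say 'SETROPTS RACLIST(APPL) REFRESH returned rc='rc
  problems = problems + 1
end

/* Display the access list so each required ID can be checked.        */
"RLIST APPL" profile "AUTHUSER"

if problems > 0 then
  say problems 'command(s) reported a nonzero return code.'
else
  say 'APPL profile' profile 'defined and READ permitted to:' ids
exit problems
```

An administrator added to the console under local operating system security needs the same PERMIT, so add that user ID to the list before the first login.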