
(zos)

Map a registry principal to a System Authorization Facility user ID using a Java Authentication and Authorization Services login module

We can use a Java Authentication and Authorization Services (JAAS) login module to map a registry principal (the identity authenticated against the configured WebSphere Application Server user registry) to a System Authorization Facility (SAF) user ID. The mapped SAF user ID is what z/OS authorization and auditing see for the request.

If the SAF distributed identity mapping feature is in use, no mapping login module is needed; SAF performs the mapping itself.

The following well-defined attributes, used by WebSphere Application Server mapping, are defined in the com.ibm.wsspi.security.token.AttributeNameConstants class, which is shipped in the sas.jar file:


com.ibm.wsspi.security.token.AttributeNameConstants.ZOS_USERID

Use this attribute to set the MVS user ID that is used when an operation requires a z/OS SAF user ID. If no value is specified, WAS uses the unauthenticated user to establish the SAF user ID, so an omitted or failed mapping silently downgrades the request to the UNAUTHENTICATED identity rather than failing it. The value must be a valid MVS user ID.


com.ibm.wsspi.security.token.AttributeNameConstants.ZOS_AUDIT_STRING

Use this attribute to supply a string that is placed in the X500Name property when the Resource Access Control Facility (RACF) access control environment element (ACEE) is created.

This attribute associates an audit string with a SAF user, which is displayed in a System Management Facility (SMF) record when either of the following actions is performed:

The field holds a maximum of 223 characters; if the specified value is longer, only the first 223 characters are used. If the value is omitted, no audit data is added when the principal is built. Audit data recorded in this field appears in the SMF audit record prefixed with the string "WebSphere Mapped Userid".


com.ibm.wsspi.security.token.AttributeNameConstants.CALLER_PRINCIPAL_CLASS

Use this optional field to indicate which principal class in a JAAS subject is returned when using the getCallerPrincipal and getUserPrincipal APIs.

This principal can be created by either of the following mechanisms:

The default value of this field is com.ibm.websphere.security.auth.WSPrincipal. With the default, the APIs return the principal name as it is known in the configured WebSphere Application Server user registry.

To return the mapped SAF principal instead, specify com.ibm.ws.security.zos.Principal. If a value is specified but the subject contains no principal of that class, the APIs report an unauthenticated user: getUserPrincipal returns null, and getCallerPrincipal() returns a principal whose name indicates that the user is unauthenticated. Applications that make authorization decisions on the returned name should therefore treat that case explicitly rather than assume a principal is always present.
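The following login module is an added example of how such a mapping module can set these attributes; it is not IBM's sample code and is not part of the original page. It assumes that the registry principal name is obtained through a NameCallback from the callback handler, that the module passes its attributes to WebSphere in the java.util.Hashtable stored in the shared state under AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY (the mechanism custom WAS login modules use to hand attributes to the modules that follow them in the login configuration), that CALLER_PRINCIPAL_CLASS is passed in the same table, and that the mapping table is a stand-in for whatever store (LDAP attribute, database, properties file) actually holds the mapping. The RACF user ID syntax check and the 223-character truncation follow the rules stated above.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Pattern;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;

/** Example SAF mapping module (added illustration, not IBM's sample). */
public class SafMappingLoginModule implements LoginModule {

    // RACF user ID syntax: 1 to 8 characters from A-Z, 0-9, @, #, $; first character not numeric.
    private static final Pattern MVS_USERID = Pattern.compile("[A-Z@#$][A-Z0-9@#$]{0,7}");
    private static final int MAX_AUDIT_LEN = 223;   // limit documented for ZOS_AUDIT_STRING

    // Hypothetical mapping table, constructed for this example.
    private static final Map<String, String> MAP = new HashMap<String, String>();
    static {
        MAP.put("uid=alice,ou=people,o=example", "ALICE1");
        MAP.put("uid=bob,ou=people,o=example", "BOB22");
        MAP.put("uid=mallory,ou=people,o=example", "1BADID");  // invalid on purpose: leading digit
    }

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private boolean succeeded;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    /** Returns the SAF user ID for a registry name, or null if unmapped or syntactically invalid. */
    static String mapToSaf(String registryName) {
        if (registryName == null) return null;
        String id = MAP.get(registryName.trim().toLowerCase());
        if (id == null) return null;
        id = id.toUpperCase();
        return MVS_USERID.matcher(id).matches() ? id : null;
    }

    /** Audit string tying the SAF user back to the registry principal, truncated to 223 characters. */
    static String auditString(String registryName) {
        String s = "registry principal=" + registryName;
        return s.length() > MAX_AUDIT_LEN ? s.substring(0, MAX_AUDIT_LEN) : s;
    }

    @SuppressWarnings("unchecked")
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("registry principal: ");  // assumption: name arrives this way
        try {
            handler.handle(new Callback[] { nc });
        } catch (Exception e) {
            throw new LoginException("cannot obtain registry principal: " + e);
        }
        String registryName = nc.getName();
        String mvsUserid = mapToSaf(registryName);
        if (mvsUserid == null) {
            // Fail closed. Returning without ZOS_USERID would let WAS run the request
            // under the UNAUTHENTICATED SAF identity, which is easy to overlook.
            throw new LoginException("no valid SAF mapping for " + registryName);
        }
        // Reuse a table a preceding module may already have placed in the shared state.
        Hashtable<String, Object> attrs =
            (Hashtable<String, Object>) sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        if (attrs == null) attrs = new Hashtable<String, Object>();
        attrs.put(AttributeNameConstants.ZOS_USERID, mvsUserid);
        attrs.put(AttributeNameConstants.ZOS_AUDIT_STRING, auditString(registryName));
        attrs.put(AttributeNameConstants.CALLER_PRINCIPAL_CLASS, "com.ibm.ws.security.zos.Principal");
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, attrs);
        succeeded = true;
        return true;
    }

    public boolean commit() { return succeeded; }
    public boolean abort()  { succeeded = false; return true; }
    public boolean logout() { succeeded = false; return true; }
}
```

With this table, "uid=alice,ou=people,o=example" maps to ALICE1, "uid=mallory,ou=people,o=example" is rejected because 1BADID is not a legal RACF user ID, and an unknown registry name throws a LoginException. The deliberate choice is to fail the login rather than omit ZOS_USERID: a mapping gap then surfaces as an authentication failure that is visible in the logs, instead of a request that quietly runs as the UNAUTHENTICATED SAF identity.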

The following network identities bypass the mapping module entirely:

Server identity

This identity is always the user ID of the server address space, which is assigned by the RACF STARTED class profile for the started task; no mapping module is consulted.

SAF identity corresponding to the UNAUTHENTICATED user

The SAF identity corresponding to the UNAUTHENTICATED user is used when there is no network identity at all. It is configured with the WebSphere z/OS Profile Management Tool or the zpmt command and can be changed later from the administrative console. IBM recommends creating this SAF user ID with the RESTRICTED attribute, so that it cannot gain access to resources through universal access (UACC), ID(*) entries or the global access checking table; it then only reaches resources it is explicitly permitted to.


Related concepts

  • Java thread identity and an operating system thread identity
  • JEE identity and an operating system thread identity
  • Distributed identity mapping using SAF


Related tasks

  • Develop programmatic logins with the Java Authentication and Authorization Service
  • Develop with programmatic security APIs for web applications