(zos)Summary of controls
Each controller, servant, and client must have its own MVS™ user ID. When a request flows from a client to the cluster or from a cluster to a cluster, WebSphere Application Server for z/OS passes the user identity (client or cluster) with the request. Thus, each request is performed on behalf of the user identity and the system checks to see if the user identity has the authority to make such a request. The tables outline System Authorization Facility (SAF) and non-SAF authorizations.
Summary of z/OS security controls independent of administrative security setting
In a WAS for z/OS configuration, there are many different types of processes:
- Deployment managers (dmgrs)
- Node agents
- Location service daemons
- WebSphere Application Servers
Each of these can be viewed as either a WAS for z/OS controller process or pair of processes (a controller and servant).
Each controller and servant must run under a valid MVS user ID that is assigned as part of the started task definition. This MVS user ID must have a valid UNIX System Services user identity (UID) and must be connected to the WebSphere configuration group, a group common to all servers in the cell that has both a valid MVS group and a valid UNIX System Services group identity (GID).
The following table summarizes the controls used to grant authorizations that are needed by these controllers and servants to access operating system resources. By understanding and using these controls, we can control all resource accesses in WebSphere Application Server for z/OS.
Summary of controls and their SAF authorizations (control: what the authorization grants):
- DATASET class: Access to data sets
- DSNR class: Access to Database 2 (DB2)
- FACILITY class (BPX.WLMSERVER): Access to the BPX.WLMSERVER profile so that the servant can perform Workload Manager (WLM) enclave management. Without this access, classification is not performed.
- FACILITY class (IMSXCF.OTMACI): Access to Open Transaction Manager Access (OTMA) for Information Management System (IMS™), and access to the BPX.WLMSERVER profile
- HFS file permissions: Access to Hierarchical File System (HFS) files
- LOGSTRM class: Access to log streams
- OPERCMDS class: Access to the startServer.sh shell script and the integral JMS provider
- SERVER class: Access to the controller by a servant
- STARTED class: Associates a user ID (and optionally a group ID) with a started procedure
- SURROGAT class (*.DFHEXCI): Access to EXCI for Customer Information Control System (CICS) access
The WebSphere z/OS Profile Management Tool or the zpmt command, together with the Resource Access Control Facility (RACF) customization jobs, sets up the initial server settings for the profiles marked with an asterisk.
Examples of authorizations for the other profiles can be found in the generated exec file in HLQ.DATA(BBOWBRAC). The identity selected for authorization to native connector resources (CICS, DB2, IMS) depends on the:
- Type of connector
- Resource authentication (resAuth) setting of the deployed application
- Availability of an alias
- Security setting
Resource managers such as DB2, IMS, and CICS have implemented their own resource controls, which control the ability of clients to access resources. When resource controls are used by DB2, use the DSNR RACF class (if we have RACF support) or issue the relevant DB2 GRANT statements. We can:
- Access OTMA for IMS through the FACILITY Class (IMSXCF.OTMACI)
- Access EXCI for CICS through the SURROGAT class (*.DFHEXCI)
- Control access to data sets through the DATASET class and HFS files through file permission
Note that MVS SAF Authorization to all other MVS subsystem resources accessed by J2EE applications is typically performed using the identity of the servant MVS user ID. Refer to JEE identity and an operating system thread identity for more information.
The BPX.WLMSERVER profile in the FACILITY class authorizes an address space to use the Language Environment (LE) runtime services that interface with workload management (WLM) to perform workload management within a server region. WebSphere Application Server uses these LE runtime services to extract classification information from enclaves and to manage the association of work with an enclave. Because unauthorized interfaces are used to manipulate WLM enclaves for server region work that has not been passed from a controller to a servant, WebSphere Application Server servants must be permitted READ access to this profile. Without this permission, attempts to create, delete, join, or leave a WLM enclave fail with a java.lang.SecurityException.
Summary of z/OS security controls in effect when administrative and application security are enabled
When administrative and application security are enabled, SSL must be available for encryption and message protection. In addition, authentication and authorization of J2EE and administrative clients is enabled.
The FACILITY class authorization needed for SSL services and the definition of SAF keyrings are required when administrative security is enabled.
When a request flows from a client to WebSphere Application Server or from a cluster to a cluster, WebSphere Application Server for z/OS passes the user identity (client or cluster) with the request. Thus each request is performed on behalf of the user identity and the system checks to see if the user identity has the authority to make such a request. The tables outline z/OS specific authorizations using SAF.
The following table summarizes the controls used to grant authorizations to resources. By understanding and using these controls, we can control access to all resources in WebSphere Application Server for z/OS.
Summary of controls and their SAF authorizations (control: what the authorization grants):
- CBIND class: Access to a cluster
- EJBROLE or GEJBROLE class: Access to methods in enterprise beans
- FACILITY class (IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING): SSL key rings, certificates, and mappings
- FACILITY class (IRR.RUSERMAP): Kerberos credentials
- FACILITY class (BBO.SYNC): Enables Synch to OS Thread Allowed
- FACILITY class (BBO.TRUSTEDAPPS): Enables trusted applications
- SURROGAT class (BBO.SYNC): Enables Synch to OS Thread Allowed
- PTKTDATA class: PassTicket enabling in the sysplex
- Set OS Thread Identity to RunAs Identity: J2EE cluster property used to enable the start identity for non-J2EE resources
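The two tables above, plus the BPX.WLMSERVER discussion, list which SAF classes and profiles a cell needs but not what the definitions look like. The REXX exec below is an added example written for this page; it is not the page's own code and not the BBOWBRAC exec that the Profile Management Tool generates. It defines one hypothetical cell end to end: separate controller and servant user IDs (WSCRU1, WSSRU1) in a shared configuration group (WSCFG1), the STARTED, SERVER and BPX.WLMSERVER controls that apply regardless of the security setting, and the CBIND, EJBROLE, key ring, BBO.TRUSTEDAPPS and BBO.SYNC controls that matter once administrative and application security are on. Every user, group, procedure, cell and cluster name is a placeholder, the GID/UID values are arbitrary, and the exact profile shapes and access levels (in particular CONTROL on the FACILITY BBO.SYNC profile) should be checked against the BBOWBRAC generated for your own cell before running it.

```rexx
/* REXX: added example for this page, not WebSphere's generated BBOWBRAC.
   Placeholders (all assumptions, replace before use):
     WSCFG1   configuration group shared by every server in the cell
     WSCRU1   controller started-task user ID
     WSSRU1   servant started-task user ID
     WSADMIN  an administrator / application user ID
     BBOC001  controller procedure, BBOS001 servant procedure
     WSCELL1  cell short name, WSCLU1 cluster short name
   Run from TSO under an ID with SPECIAL (or CLAUTH for these classes). */

/* Distinct identities: each controller and servant gets its own MVS user
   ID with an OMVS segment (UID) and the common configuration group (GID).
   NOPASSWORD makes them protected IDs that cannot log on interactively.  */
call racf "ADDGROUP WSCFG1 OMVS(GID(2500))"
call racf "ADDUSER WSCRU1 DFLTGRP(WSCFG1) NOPASSWORD",
          "OMVS(UID(2501) HOME('/var/WebSphere') PROGRAM('/bin/sh'))"
call racf "ADDUSER WSSRU1 DFLTGRP(WSCFG1) NOPASSWORD",
          "OMVS(UID(2502) HOME('/var/WebSphere') PROGRAM('/bin/sh'))"

/* STARTED class: tie each started procedure to its identity.            */
call racf "RDEFINE STARTED BBOC001.* STDATA(USER(WSCRU1) GROUP(WSCFG1) TRACE(YES))"
call racf "RDEFINE STARTED BBOS001.* STDATA(USER(WSSRU1) GROUP(WSCFG1) TRACE(YES))"

/* BPX.WLMSERVER: the servant needs READ or enclave create/join/leave
   fails with java.lang.SecurityException. UACC(NONE) keeps it from
   being inherited by every other address space on the system.          */
call racf "RDEFINE FACILITY BPX.WLMSERVER UACC(NONE)"
call racf "PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(WSSRU1) ACCESS(READ)"

/* SERVER class: only the servant ID may attach to its own controller.
   Profile shape assumed to match the generated job; verify locally.    */
call racf "RDEFINE SERVER CB.*.WSCLU1.* UACC(NONE)"
call racf "PERMIT CB.*.WSCLU1.* CLASS(SERVER) ID(WSSRU1) ACCESS(READ)"

/* ---- Controls that take effect with administrative/application security */

/* CBIND: CB.BIND.<cluster> gates who may connect to the cluster,
   CB.<cluster> gates who may call it. READ means allowed.              */
call racf "RDEFINE CBIND CB.BIND.WSCLU1 UACC(NONE)"
call racf "RDEFINE CBIND CB.WSCLU1 UACC(NONE)"
call racf "PERMIT CB.BIND.WSCLU1 CLASS(CBIND) ID(WSCFG1) ACCESS(READ)"
call racf "PERMIT CB.WSCLU1 CLASS(CBIND) ID(WSCFG1) ACCESS(READ)"

/* EJBROLE: a J2EE role name becomes a SAF profile; READ grants the role. */
call racf "RDEFINE EJBROLE administrator UACC(NONE)"
call racf "PERMIT administrator CLASS(EJBROLE) ID(WSADMIN) ACCESS(READ)"

/* SSL: key ring owned by the controller ID, plus the FACILITY profiles
   that let that ID list its own ring and certificates.                 */
call racf "RACDCERT ID(WSCRU1) ADDRING(WASKeyring)"
call racf "RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)"
call racf "RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)"
call racf "PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WSCRU1) ACCESS(READ)"
call racf "PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WSCRU1) ACCESS(READ)"

/* Trusted applications: lets the controller switch SAF identity on a
   thread without a password, PassTicket or certificate. Off by default. */
call racf "RDEFINE FACILITY BBO.TRUSTEDAPPS.WSCELL1.WSCLU1 UACC(NONE)"
call racf "PERMIT BBO.TRUSTEDAPPS.WSCELL1.WSCLU1 CLASS(FACILITY) ID(WSCRU1) ACCESS(READ)"

/* Synch to OS Thread Allowed: the FACILITY profile enables it for the
   cluster (CONTROL access assumed here), the SURROGAT profile names
   each user ID the servant is allowed to switch to.                    */
call racf "RDEFINE FACILITY BBO.SYNC.WSCELL1.WSCLU1 UACC(NONE)"
call racf "PERMIT BBO.SYNC.WSCELL1.WSCLU1 CLASS(FACILITY) ID(WSSRU1) ACCESS(CONTROL)"
call racf "RDEFINE SURROGAT BBO.SYNC.WSADMIN UACC(NONE)"
call racf "PERMIT BBO.SYNC.WSADMIN CLASS(SURROGAT) ID(WSSRU1) ACCESS(READ)"

/* Activate the classes and refresh in-storage copies, or nothing above
   is enforced. FACILITY is normally active already; refresh it anyway. */
call racf "SETROPTS CLASSACT(STARTED SERVER CBIND EJBROLE SURROGAT)",
          "RACLIST(STARTED SERVER CBIND EJBROLE FACILITY SURROGAT)"
call racf "SETROPTS RACLIST(STARTED SERVER CBIND EJBROLE FACILITY SURROGAT) REFRESH"

/* Check: AUTHUSER shows the access list. Expect WSSRU1 READ on
   BPX.WLMSERVER, UACC NONE, and no stray IDs on the cluster profiles.  */
call racf "RLIST FACILITY BPX.WLMSERVER AUTHUSER"
call racf "RLIST CBIND CB.WSCLU1 AUTHUSER"
exit 0

/* Issue one RACF command in the TSO environment and report a nonzero
   return code instead of silently continuing past a failed definition. */
racf: procedure
  parse arg cmd
  Address TSO cmd
  if rc <> 0 then say 'RC='rc 'from:' cmd
return
```

The point to carry away is the pattern rather than the particular names: every profile is defined with UACC(NONE) and then the one identity that needs it is permitted READ (or the documented higher level), so a compromised servant, client or unrelated started task gains nothing it was not explicitly granted. The final RLIST is the check to run after the refresh; if BPX.WLMSERVER still shows no access for the servant ID, the enclave failures described above will follow at the next servant start.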
Subtopics
- (zos) Enable trusted applications
From a z/OS perspective, trusted applications imply that the WAS started task control (STC) is considered a "trusted application" and is allowed to change the System Authorization Facility (SAF) identity on the thread of execution. When a z/OS application (such as WebSphere Application Server) is trusted, the security infrastructure allows it to create MVS credentials without using a password, PassTicket, or certificate as an authenticator, while still preserving the integrity of the MVS system.
- (zos) System Authorization Facility classes and profiles
Related concepts
- Authorization checking
- Cluster authorizations
Related tasks
- Controlling access to console users when using a Local OS Registry
- Use CBIND to control access to clusters
- Deploy secured applications
- Secure applications during assembly and deployment
Server process authorization checking