(zos)Enable trusted applications
From a z/OS perspective, trusted applications imply that the WAS started task control (STC) is to be considered a "trusted application" and is allowed to change System Authorization Facility (SAF) identity on the thread of execution. When a z/OS applications (such as WebSphere Application Server) are trusted, the security infrastructure allows the creation of MVS™ credentials without using a password, passticket, or certificate as an authenticator, while still preserving the integrity of the MVS system.
Through the use of the FACILITY class and BBO.TRUSTEDAPPS class profile, trusted applications (as a general rule) are needed when using SAF as the local operating system user registry or when you plan to use SAF authorization. When WebSphere Application Server is configured to use: SAF security for a local operating system user registry, SAF authorization, or Sync to Thread Allowed, trusted applications must be enabled so that MVS system integrity remains preserved. Trusted applications meet the MVS integrity rules so that unauthorized callers are NOT allowed to call sensitive WebSphere Application Server code to perform authorized functions. When using SAF, define the trusted application within the Resource Access Control Facility (RACF ) or an equivalent product. The SAF authorization resource rules need to define WebSphere Application Server as the trusted application with the authority to change the identity on thread execution. In this way, WebSphere Application Server and MVS can work together without jeopardizing each other's integrity.
Use FACILITY class profiles
You enable the trusted applications by ensuring that the WAS has SAF access of READ to the RACF class of FACILITY and profile of BBO.TRUSTEDAPPS.<cell short name>.<cluster short name>.
Once defined, the trusted applications need to be enabled. Use FACILITY class profile to give the RACF administrator control over the enabling of trusted applications. The following examples illustrates how you use the FACILITY class and the BBO.TRUSTEDAPPS class profile to provide this control.
- Generic Example:
RDEF FACILITY BBO.TRUSTEDAPPS.**UACC(NONE) PERMIT BBO.TRUSTEDAPPS.** CLASS(FACILITY) ID(MYCBGROUP) ACC(READ) SETROPTS RACLIST(FACILITY) REFRESH
- Specific Example with a specific server identified by a cell short name of SY1, a cluster short name of BBOC001, and a controller region userid of MYSTCCR.
RDEF FACILITY BBO.TRUSTEDAPPS.SY1.BBOC0001 UACC NONE PERMIT BBO.TRUSTEDAPPS.SY1.BBOC0001 CLASS(FACILITY) ID(MYSTCCR) ACC(READ) SETROPTS RACLIST(FACILITY) REFRESH
Related tasks
Secure the environment after installation
Summary of controls