
(zos)

Use distributed identity mapping for SAF

In this release of WAS, we can use z/OS System Authorization Facility (SAF) security to associate a SAF user ID with a distributed identity.

When we use this feature, we can keep the original identity information of a user for audit purposes while having less to configure in WebSphere Application Server.

We can log in to a WAS application with the distributed identity of the user. The filters defined in the z/OS security product then determine the mapping of the distributed identity to a SAF user.

The SAF distributed identity mapping feature is not supported in a mixed-version cell (nodes prior to WebSphere Application Server Version 8.0).

  1. Review the Distributed identity mapping using SAF topic. Decide which scenario applies to the configuration and make any necessary changes.

    Before we configure distributed identity mapping, first remove unnecessary JAAS login modules. Ensure that the com.ibm.ws.security.common.auth.module.MapPlatformSubject JAAS login module is not configured in WebSphere Application Server. Use the console or wsadmin scripting to remove this login module, or use the provided Jython script, removeMapPlatformSubject.py, which searches for and removes this login module from the appropriate login entries. For more information about how to use this script, read the removeMapPlatformSubject script topic.

  2. Configure the RACMAP filters in the z/OS security product to establish the mapping of distributed identities to SAF users. Read the Distributed identity filters configuration in z/OS security topic for more information.
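As an added illustration of step 2 (not part of this topic or of the WebSphere product documentation), the batch job below defines one RACMAP filter in RACF that maps a distributed identity to a SAF user, refreshes the IDIDMAP class so the mapping takes effect, and lists the result. The user ID WASUSR1, the distinguished name, the registry name and the job card are constructed values; the registry name must match the realm name that WebSphere Application Server passes for the user registry, and the IDIDMAP class must be active and RACLISTed before the mapping is used.

```jcl
//* Added example (constructed values): define a RACMAP filter for
//* distributed identity mapping. Runs RACF commands through the TSO
//* batch processor IKJEFT01; a trailing + continues a TSO command.
//RACMAP   JOB (ACCT),'DEFINE IDID MAP',CLASS=A,MSGCLASS=X
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RACMAP ID(WASUSR1) MAP +
   USERDIDFILTER(NAME('CN=Alice,OU=Dev,O=Example')) +
   REGISTRY(NAME('ldap.example.com:389')) +
   WITHLABEL('Alice via WAS LDAP registry')
 SETROPTS RACLIST(IDIDMAP) REFRESH
 RACMAP ID(WASUSR1) LISTMAP
/*
```

After the job runs, the LISTMAP output in SYSTSPRT shows the label, the distributed identity filter and the registry name now associated with WASUSR1; a login through WebSphere Application Server with that distinguished name from that registry is then mapped to WASUSR1, while the original distributed identity remains available for auditing.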
