(zos)z/OS System Authorization Facility authorization
Use this page to configure the System Authorization Facility (SAF) and the SAF Authorization properties.
To enable SAF authorization:
- Click Security > Global security > External authorization providers.
- Select the System Authorization Facility (SAF) from the drop-down list under Authorization provider.
- Click the Configure button.
When you select SAF authorization, WAS uses the authorization policy stored in the z/OS security product for authorization. If a Lightweight Access Directory Protocol (LDAP) registry or Custom registry is configured and SAF authorization is specified, a mapping to a z/OS principal is required at each login for any protected methods to run:
- If the authentication mechanism is LTPA> (LTPA), IBM recommends that you update all of the following configuration entries to include a mapping to a valid z/OS principal (such as WEB_INBOUND, RMI_INBOUND, and DEFAULT).
- If the authentication mechanism is SWAM, you must update the SWAM configuration entry to include a mapping to a valid z/OS principal.
SWAM is deprecated and will be removed in a future release.
The common properties for unauthenticated user, SAF authorization, and SAF EJBROLE message suppression are no longer custom properties.
When you select this option, WAS uses the authorization policy stored in the z/OS security product for authorization.
Unauthenticated user ID
Specifies the MVS™ user ID used to represent unprotected servlet requests when SAF authorization is specified or a local operating system registry is configured. This user ID must be a maximum of 8 characters long.
This property definition is used in the following instances:
- For authorization if an unprotected servlet invokes an entity bean
- For identification of an unprotected servlet for invoking a z/OS connector such as Customer Information Control System (CICS ) or Information Management System (IMS™) that uses a current identity when res-auth=container
- When an application-initiated Synch to OS thread function is attempted
For more information, see the following articles in the information center:
- "Understanding application Synch to OS Thread Allowed"
- "When to use application Synch to OS Thread Allowed"
SAF profile mapper
Name of SAF EJBRole profile to which a Java EE role name is mapped. The name specified implements the com.ibm.websphere.security.SAFRoleMapper interface.
The com.ibm.ws.security.z/OS.authz.SAFRoleMapperImpl implementation class, which is the default SAF role mapper implementation, is initially configured. This initial configuration maps all the characters that are not allowed in a SAF role name, such as the percent (%), ampersand (&), asterisk (*) and blank characters, to a pound (#) character.
For more information, see the Develop a custom SAF EJB role mapper
Enable SAF delegation
The SAF EJBROLE definitions are assigned the MVS user identity that becomes the active identity when you select the RunAs specified role.
Select the Enable SAF delegation option only if you select the Enable SAF Authorization option as the external authorization provider.
Use the APPL profile to restrict access to the application server
Use the APPL profile to restrict access to WebSphere Application Server.
If we have defined an SAF profile prefix, the APPL profile used is the profile prefix. Otherwise, the APPL profile name is CBS390. All of the z/OS identities using WebSphere services should have READ permission to the APPL profile. This includes all WebSphere Application Server identities, WebSphere Application Server unauthenticated identities, WebSphere Application Server administrative identities, user IDs based on role-to-user mappings, and all user identities for system users. If the APPL class is not active on the z/OS system, then this property has no effect, regardless of its value.
Information Value Default: Enabled.
Suppress authorization failed messages from the z/OS security product
Whether ICH408I messages are on or off. The default value for this settings is false (unchecked), which does not suppress messages.
System Management Facility (SMF) records access violations no matter what value is specified for this new property. This property affects the generation of access violation messages for both application-defined roles and for application server run-time-defined roles for the naming and administrative subsystems. EJBROLE profile checks are done for both declarative and programmatic checks:
- Declarative checks are coded as security constraints in Web applications and deployment descriptors are coded as security constraints in EJB files.
- Program logic checks or access checks are performed using the programmatic isCallerinRole(x) method for enterprise beans or isUserInRole(x) method for Web applications.
Avoid trouble:
- If we do not want administrative role messages suppressed when the SMF audit record strategy is set to Default, set the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress.Admin property to false. The value specified for this property overrides any other setting that governs message suppression for administrative roles.
- When a third-party authorization such as Tivoli Access Manager or SAF for z/OS is used, the information in the console panel might not represent the data in the provider. Also, any changes to the panel might not be reflected in the provider automatically. Follow the provider's instructions to propagate any changes made to the provider.
gotcha
For more information on SAF authorization, see "Controlling access to console users when using a Local OS registry" in the information center. For more information on administrative roles, see "Administrative roles" in the information center.
Information Value Default: Disabled, which does not suppress messages.
SMF audit record strategy
Determines when an audit record is written to the System Management Facility (SMF). On each authorization call, RACF or an equivalent SAF-based product, can write an audit record to SMF with the result of the authorization check.
WebSphere Application Server for z/OS uses the SAF RACROUTE AUTH and RACROUTE FASTAUTH operations and passes the LOG option specified in the security configuration. The options are DEFAULT, ASIS, NOFAIL, and NONE.
The following options are available from the drop-down list:
- DEFAULT
When multiple role constraints are specified, such as a user must be in one of a set of roles, all of the roles except for the last role is checked with the NOFAIL option. If the authorization is granted in one of the roles before the last role, WebSphere Application Server writes an authorization success record. If the authorization is not successful in these roles, the last role is checked with the ASIS log option. If the user is authorized to the last role, a success record might be written. If the user is not authorized, a failure record might be written.
- ASIS
- The audit events are recorded in the manner specified in the profile that protects the resource or in the manner specified by the SETROPTS options.
- NOFAIL
- Specifies that failures are not recorded. Authorization failure messages are not issued, but successful authorization audit records might be written.
- NONE
- Specifies that neither successes or failures are recorded.
Only one authorization failed record is written for a failed Java EE authorization check even if several SAF authorization calls are made. For more information on the LOG options for SAF RACROUTE calls, see the RACF or equivalent SAF-based product documentation. We can also see the topic Audit Support for additional information about the SMF auditability of WAS's calls to RACROUTE macros and SAF APIs during resource authorization processing.
SAF profile prefix
Specifies a prefix which will be added to all the SAF EJBROLE profiles used for the Java EE roles. This prefix is also used as the APPL profile name and is inserted into the profile name used for CBIND checks. There is no default value for the SAF profile prefix field. If a prefix is not explicitly specified, then no prefix is added to the SAF EJBROLE profiles, the default value of CBS390 will be used as the APPL profile name, and nothing is inserted into the profile name for CBIND checks.
Use APPL profile to restrict access to WebSphere Application Server
If we have defined an SAF profile prefix, the APPL profile used is the profile prefix. Otherwise, the APPL profile name is CBS390. All of the z/OS identities using WebSphere services should have READ permission to the APPL profile. This includes all WebSphere Application Server identities, WebSphere Application Server unauthenticated identities, WebSphere Application Server administrative identities, user IDs based on role-to-user mappings, and all user identities for system users. Note that if the APPL class is not active on the z/OS system, then this property has no effect, regardless of its value.
The SAF profile prefix corresponds to the property, com.ibm.security.SAF.profilePrefix.name, in the security.xml file.
Related tasks
Authorizing access to resources Develop a custom SAF EJB role mapper
Audit support