
(ZOS) Resource Access Control Facility Tips for customizing WAS

It is important to understand the security mechanisms that protect the server resources through the CBIND, SERVER, and STARTED classes in RACF (or our security product). This paper describes these mechanisms along with some techniques for managing the security environment.

This paper covers the following topics:

  • Details about the RACF profiles used to protect the WebSphere servers and resources in the CBIND, SERVER, and STARTED classes.
  • How to add the required RACF profiles and permissions for another server in the cell.
  • How to define a minimal set of users, groups, and profiles for a testing environment (where the security of individual servers is not the main focus or concern).

RACF Profiles (CBIND, SERVER, and STARTED): Basic information about the RACF profiles used by WebSphere can be found in the System Authorization Facility classes and profiles. This section adds some additional details about the CBIND, SERVER, and STARTED class profiles.

User IDs and Group IDs: As part of using the WebSphere z/OS Profile Management Tool or the zpmt command, the BBOCBRAK job generates RACF commands that then can be run with the BBOWBRAK job. Key:

CR = Controller Region
SR = Servant Region
CFG = Configuration (group)
server = server short name
cluster = generic server (short) name (also called cluster transition name)

First, six users and six groups are defined as follows. They are shown symbolically to help us understand how they are used in the various permissions later on:

<CR_userid> <CR_groupid>, <CFG_groupid>
<SR_userid> <SR_groupid>, <CFG_groupid>
<demn_userid> <demn_groupid>, <CFG_groupid>
<admin_userid> <CFG_groupid>
<client_userid> <client_groupid>
<ctracewtr_userid> <ctracewtr_groupid>

Below are the various profiles used to protect the WebSphere servers and resources, along with the permissions and access levels.

CBIND Class Profiles: There are two formats and levels of CBIND class profiles for protecting access to application servers and objects in those servers:

CBIND Class profiles - access to generic servers
CB.BIND.<cluster> UACC(READ); PERMIT <CR_group> ACC(CONTROL)

CBIND Class profiles - access to objects in servers
CB.<cluster> UACC(READ); PERMIT <CR_group> ACC(CONTROL)

SERVER Class Profiles: There are currently two formats of the SERVER class profiles for protecting access to the server controller regions. Only one of the two formats must be defined, depending upon whether or not Dynamic Application Environment (DAE) support is enabled. DAE support is provided by the WLM DAE APAR OW54622, which is applicable to z/OS V1R2 or higher.

In the WebSphere z/OS Profile Management Tool or the zpmt command, both formats are predefined, and one of these is actually required at runtime. The required format is determined dynamically by the WAS for z/OS Runtime based on the availability of Dynamic Application Environment (DAE) support.

STARTED Class Profiles: There are two formats of STARTED class profiles, used to assign user and group IDs to controller regions and other started tasks (STCs). The format depends on whether the started task is started with the MGCRE interface or with the address space create (ASCRE) interface that Workload Manager (WLM) uses to start servant regions:

STARTED Class profiles - (MGCRE)
<CR_proc>.<CR_jobname> STDATA(USER(CR_userid) GROUP(CFG_groupid))
<demn_proc>.* STDATA(USER(demn_userid) GROUP(CFG_groupid))

STARTED Class profiles - (ASCRE)
<SR_jobname>.<SR_jobname> STDATA(USER(SR_userid) GROUP(CFG_groupid))

STARTED Class profiles for IJP - (MGCRE)
<MQ_ssname>.* STDATA(USER(IJP_userid) GROUP(CFG_groupid))

Generate new user IDs and Profiles for a new Server: To use unique user IDs for each new application server, we must define these users, groups, and profiles in the RACF database.

One technique is to edit a copy of the BBOWBRAK member, found in the .DATA partitioned data set generated by the WebSphere z/OS Profile Management Tool or the zpmt command, and change the following entries to the new users, groups, and the unique New_server name and New_cluster name profiles:

Minimalist Profiles: To minimize the number of users, groups, and profiles in the RACF data set, we can use one user ID, one group ID, and very generic profiles so they cover multiple servers in the same cell. Here is an example of profiles with one user (T5USR), one group (T5GRP), and a set of servers in the T5CELL having server short names starting with T5SRV* and generic server names starting with T5CL*. This technique can also be used with Integral JMS provider (IJP) and WAS ND (ND) configurations.

/* CBIND Class profiles (UACC) - access to generic servers */
CB.BIND.T5CL* UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)

/* CBIND Class profiles (UACC) - access to objects in servers */
CB.T5CL* UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)

/* SERVER Class profiles - access to controllers (old style) */
CB.*.T5CL* UACC(NONE); PERMIT ID(T5USR) ACC(READ)

/* SERVER Class profiles - acc to controllers (new style) */
CB.*.*.T5CELL UACC(NONE); PERMIT ID(T5USR) ACC(READ)

/* STARTED Class profiles - (MGCRE) - for STCs, except servants */
T5ACR.* STDATA(USER(T5USR) GROUP(T5GRP)) /* controller*/
T5DMN.* STDATA(USER(T5USR) GROUP(T5GRP)) /* daemon */
T5CTRW.* STDATA(USER(T5USR) GROUP(T5GRP)) /* CTrace WTR*/
WMQX*.* STDATA(USER(T5USR) GROUP(T5GRP)) /* IJP */

/* STARTED Class profiles - (ASCRE - for servants) */
T5SRV*.* STDATA(USER(T5USR) GROUP(T5GRP)) /* servant */
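The following is an added example, not part of this page or of the BBOCBRAK/BBOWBRAK jobs: it assembles the RDEFINE/PERMIT commands for one new server from the symbolic names used above (the per-server technique), and checks whether one of the generic minimalist profiles would already cover that server. The ServerIds/racf_commands/covered_by names and the T5* sample values are this example's own; the choice of which user ID gets READ on the SERVER profile is an assumption marked in the code.

```python
# Added example, not from the page or the BBOCBRAK/BBOWBRAK jobs: builds the
# RDEFINE/PERMIT commands for one new server from the page's symbolic names and
# checks whether a generic (minimalist) profile covers it. T5* values are sample data.
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class ServerIds:
    server: str       # server short name
    cluster: str      # generic server name (cluster transition name)
    cell: str         # cell short name
    cr_proc: str      # controller region procedure name
    cr_jobname: str   # controller region job name
    sr_jobname: str   # servant region job name
    cr_userid: str
    cr_groupid: str
    sr_userid: str
    cfg_groupid: str

def racf_commands(ids: ServerIds, dae_enabled: bool) -> list:
    """RACF commands for the CBIND, SERVER and STARTED profiles of one server."""
    cmds = []
    # CBIND: bind to the generic server and access its objects, UACC(READ),
    # with the controller group permitted CONTROL (as on the page).
    for prof in (f"CB.BIND.{ids.cluster}", f"CB.{ids.cluster}"):
        cmds.append(f"RDEFINE CBIND {prof} UACC(READ)")
        cmds.append(f"PERMIT {prof} CLASS(CBIND) ID({ids.cr_groupid}) ACCESS(CONTROL)")
    # SERVER: only one format is defined; the four-part name is the DAE form.
    # Assumption: the servant region user ID is the one permitted READ here.
    prof = f"CB.{ids.server}.{ids.cluster}" + (f".{ids.cell}" if dae_enabled else "")
    cmds.append(f"RDEFINE SERVER {prof} UACC(NONE)")
    cmds.append(f"PERMIT {prof} CLASS(SERVER) ID({ids.sr_userid}) ACCESS(READ)")
    # STARTED: MGCRE form for the controller, ASCRE form for the servant.
    stdata = "STDATA(USER({}) GROUP({}))"
    cmds.append(f"RDEFINE STARTED {ids.cr_proc}.{ids.cr_jobname} "
                + stdata.format(ids.cr_userid, ids.cfg_groupid))
    cmds.append(f"RDEFINE STARTED {ids.sr_jobname}.{ids.sr_jobname} "
                + stdata.format(ids.sr_userid, ids.cfg_groupid))
    cmds.append("SETROPTS RACLIST(CBIND SERVER STARTED) REFRESH")  # activate changes
    return cmds

def covered_by(profile: str, name: str) -> bool:
    """Approximate RACF generic matching ('*' via fnmatch): does a minimalist
    profile such as T5SRV*.* cover a new server's STARTED profile name?"""
    return fnmatchcase(name, profile)

if __name__ == "__main__":
    t5 = ServerIds("T5SRV1", "T5CL1", "T5CELL", "T5ACR", "T5SRV1", "T5SRV1S",
                   "T5ACRU", "T5ACRG", "T5ASRU", "T5CFG")
    print("\n".join(racf_commands(t5, dae_enabled=True)))
```

Run the generated commands with the same review that BBOWBRAK output gets; covered_by only approximates RACF generic matching and is a sanity check, not a substitute for RLIST.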
