(ZOS) Server process authorization checking
We can specify specific access restrictions to z/OS resources.
To control access to WebSphere Application Server for z/OS resources:
- As a general rule, give greater authority to controllers and less authority to servants.
Region Level of trust and access authority Controller
- Contains WAS for z/OS system code.
- Trusted, runs APF-authorized
- Contains communication ports and manipulation of System Authorization Facility (SAF) client identities
Servant
- Contains WAS for z/OS system code, application code, and pluggable service providers (such as jdbc drivers)
- Supports Java 2 Security to protect sensitive data and system services
- Untrusted
- Regarding the WAS for z/OS run-time clusters, the general rule is to give less authority to the location service daemon, and greater authority to the node, as explained in the following table:
Run-time Cluster Region Required Authorities Location service daemon Control
- STARTED class
- Access to Workload Manager (WLM) services
- Access to DNS
- OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other clusters
- IRR.DIGTCERT.LIST and IRR.DIGCERT.LISTRING in FACILITY (SSL)
Node Control STARTED class Controller Control
- SSL
- Kerberos
- READ authority to the SERVER class,
- OPERCMDS access to START, STOP, CANCEL, FORCE and MODIFY other servers
Servant Control The following classes:
- OTMA
- SERVER
- DSNR,
- DATASET
- SURROGATE
- STARTED
- LOGSTREEAM
- Remember to protect the Resource Recovery Services (RRS) log streams. By default, UACC is READ.
- Protect the WAS for z/OS properties XML files, especially if they contain passwords. For more information, see the WebSphere Application Server variables in the administrative console or the documentation.
- Deployment Manager also needs permission to start and stop servers.
Related:
Cluster authorizations Use CBIND to control access to clusters