(ZOS) Audit support
This topic gives an overview of how to use audit support.
Auditing is performed using SMF records issued by RACF or an equivalent External Security Manager. This means that SMF audit records are cut as part of the WAS use of SAF interfaces and RACROUTE macros.
WAS for z/OS makes use of the following RACROUTE macros:
- RACROUTE REQUEST AUTH (and FASTAUTH) - to check if a user is authorized to a class
- RACROUTE REQUEST=EXTRACT - to extract a RACO from an ACEE
- RACROUTE REQUEST TOKENXTR - to extract the UTOKEN (for CICS)
- RACROUTE REQUEST LIST - to check if the FASTAUTH routines can use the in-storage copies of the general-resource profiles for authorization checking
- RACROUTE REQUEST STAT - to determine if certain classes are active
and of the following SAF APIs:
- initACEE (IRRSIA00) - to manage ACEEs
- R_usermap (IRRSIM00) - map a Kerberos principal name to a RACF user ID
For more information on the SMF auditability of the RACROUTE and SAF API calls that WAS uses, refer to the RACROUTE Macro Reference documentation and the Security Server RACF Callable Services documentation, respectively, in the z/OS Information Center that is appropriate for our version of z/OS.
| Authentication mechanism | Service name | Authenticated identity |
|---|---|---|
| Custom Registry | WebSphere Custom Registry | Custom registry principal name |
| Kerberos | Kerberos for WAS | Kerberos principal, in the "DCE" format used for extracting the corresponding MVS™ userid using IRRSIM00 (/.../realm/principal) |
| RunAs Rolename | WebSphere Role Name | Role name |
| RunAs Server | WebSphere Server Credential | MVS userid |
| Trust Interceptor | WebSphere Authorized Login | MVS userid |
| RunAs Userid/Password | WebSphere Userid/Password | MVS Userid |
MVS System Management Facilities (SMF)
z/OS Security Server RACF Auditor's Guide