(ZOS) Use distributed identity mapping for SAF
In this release of WebSphere Application Server, we can use z/OS System Authorization Facility (SAF) security to associate a SAF user ID with a distributed identity.
When we use this feature, we can maintain the original identity information of a user for audit purposes and have less to configure in WAS.
We can log in to a WAS application with the distributed identity of the user. The filters defined in the z/OS security product then determine the mapping of the distributed identity to a SAF user.
The SAF distributed identity mapping feature is not supported in a mixed-version cell (nodes prior to WAS v8.0).
Tasks
- Review the Distributed identity mapping using SAF topic. Decide which scenario applies to the configuration and make any necessary changes.
- Before we configure distributed identity mapping, first remove unnecessary JAAS login modules. Ensure that the com.ibm.ws.security.common.auth.module.MapPlatformSubject JAAS login module is not configured in WAS. Use the administrative console or wsadmin scripting to remove this login module, or use the provided Jython script, removeMapPlatformSubject.py, which searches for and removes this login module from the appropriate login entries. For more information about how to use this script, read the removeMapPlatformSubject script topic.
- Configure the RACMAP filters in the z/OS security product to establish the mapping of distributed identities to SAF users. Read the Distributed identity filters configuration in z/OS security topic for more information.
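The following REXX exec is an added example of the RACMAP filter definitions that the last step refers to; it is not from the WebSphere or z/OS documentation. The SAF user IDs, distinguished names, registry name and labels are hypothetical. The USERDIDFILTER value must match the distributed identity name and the REGISTRY value the realm name that the WAS user registry presents (for a stand-alone LDAP registry the realm is typically host:port), otherwise RACF finds no mapping and the login fails.

```rexx
/* REXX - define and verify SAF distributed identity mappings.          */
/* Added example; not from the WebSphere or RACF documentation.        */
/* Assumed values: SAF users WASUSR1 and WASDEV, an LDAP registry      */
/* whose WAS realm name is ldap.example.com:636 and whose users sit    */
/* under O=Example. Adjust to the realm name and identity format that  */
/* the WAS user registry actually presents.                            */
ADDRESS TSO

/* Mapping filters are IDIDMAP class profiles: the class must be       */
/* active and RACLISTed before any mapping can be resolved.            */
"SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)"

/* Exact match: one distributed identity maps to one SAF user.         */
"RACMAP ID(WASUSR1) MAP",
  "USERDIDFILTER(NAME('CN=Alice Smith,OU=Dev,O=Example'))",
  "REGISTRY(NAME('ldap.example.com:636'))",
  "WITHLABEL('Alice from corporate LDAP')"

/* Partial filter: every identity under OU=Dev shares one SAF user.    */
/* RACF picks the most specific matching filter, so Alice still gets   */
/* WASUSR1. Audit records keep the original DN, but SAF authorization  */
/* is per SAF user, so keep shared mappings least-privileged.          */
"RACMAP ID(WASDEV) MAP",
  "USERDIDFILTER(NAME('OU=Dev,O=Example'))",
  "REGISTRY(NAME('ldap.example.com:636'))",
  "WITHLABEL('Dev subtree from corporate LDAP')"

/* New or changed filters are not used until the class is refreshed.   */
"SETROPTS RACLIST(IDIDMAP) REFRESH"

/* Verify the filters RACF now holds for each SAF user.                */
"RACMAP ID(WASUSR1) LISTMAP"
"RACMAP ID(WASDEV) LISTMAP"

IF RC <> 0 THEN SAY 'RACMAP LISTMAP failed, RC='RC
EXIT RC
```

Run the exec from a TSO user ID with authority to issue SETROPTS and RACMAP. To retire a filter, use RACMAP ID(user) DELMAP LABEL('label') and refresh the IDIDMAP class again; until the refresh, the old filter is still in effect.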
Subtopics
- Distributed identity mapping using SAF
The distributed identity mapping feature using System Authorization Facility (SAF) for z/OS provides some major benefits, and is new in this version of WAS.
- Distributed identity filters configuration in z/OS security
Before we can map distributed identities to System Authorization Facility (SAF) users, first configure distributed identity filters in the z/OS security product for WAS.
- removeMapPlatformSubject script
To use distributed identity mapping for System Authorization Facility (SAF), use the removeMapPlatformSubject Jython script provided to remove the unnecessary JAAS login module, MapPlatformSubject, from the security configuration.