
(ZOS) Use distributed identity mapping for SAF

In this release of WebSphere Application Server, we can use z/OS System Authorization Facility (SAF) security to associate a SAF user ID with a distributed identity.

When we use this feature, we can maintain the original identity information of a user for audit purposes and have less to configure in WAS.

We can log in to a WAS application with the distributed identity of the user. The filters defined in the z/OS security product then determine the mapping of the distributed identity to a SAF user.

The SAF distributed identity mapping feature is not supported in a mixed-version cell (nodes prior to WAS v8.0).


Tasks

  1. Review the Distributed identity mapping using SAF topic. Decide which scenario applies to the configuration and make any necessary changes.

    Before we configure distributed identity mapping, first remove unnecessary JAAS login modules. Ensure that the com.ibm.ws.security.common.auth.module.MapPlatformSubject JAAS login module is not configured in WAS. Use the administrative console or wsadmin scripting to remove this login module, or use the provided Jython script, removeMapPlatformSubject.py, which searches for and removes this login module from the appropriate login entries. For more information about how to use this script, read the removeMapPlatformSubject script topic.

  2. Configure the RACMAP filters in the z/OS security product to establish the mapping of distributed identities to SAF users. Read the Distributed identity filters configuration in z/OS security topic for more information.
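The following script is an added example for the pre-check in step 1; it is not code from IBM or from the removeMapPlatformSubject.py script the page refers to. It parses an exported copy of a cell's security.xml (the file that holds the JAAS system and application login configurations) and reports every login entry alias that still carries the MapPlatformSubject login module. The sample XML embedded below is constructed for the example and modelled on the security.xml layout (entries with loginModules children carrying a moduleClassName attribute), which is an assumption; the function names are the example's own.

```python
"""Audit a WebSphere security.xml for the MapPlatformSubject JAAS login module.

Added example (not IBM code). Assumes security.xml has JAAS login entries as
<entries alias="..."> elements each holding <loginModules moduleClassName="..."/>.
"""
import xml.etree.ElementTree as ET

MAP_PLATFORM_SUBJECT = "com.ibm.ws.security.common.auth.module.MapPlatformSubject"

# Constructed sample security.xml fragment (assumption about the real layout).
# One system login entry still carries MapPlatformSubject; the others are clean.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1">
  <systemLoginConfig xmi:id="JAASConfiguration_1">
    <entries xmi:id="JAASConfigurationEntry_1" alias="system.WEB_INBOUND">
      <loginModules xmi:id="JAASLoginModule_1"
          moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule"
          authenticationStrategy="REQUIRED"/>
      <loginModules xmi:id="JAASLoginModule_2"
          moduleClassName="com.ibm.ws.security.common.auth.module.MapPlatformSubject"
          authenticationStrategy="REQUIRED"/>
    </entries>
    <entries xmi:id="JAASConfigurationEntry_2" alias="system.DEFAULT">
      <loginModules xmi:id="JAASLoginModule_3"
          moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule"
          authenticationStrategy="REQUIRED"/>
    </entries>
  </systemLoginConfig>
  <applicationLoginConfig xmi:id="JAASConfiguration_2">
    <entries xmi:id="JAASConfigurationEntry_3" alias="WSLogin">
      <loginModules xmi:id="JAASLoginModule_4"
          moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy"
          authenticationStrategy="REQUIRED"/>
    </entries>
  </applicationLoginConfig>
</security:Security>
"""


def login_entries(xml_text):
    """Map every JAAS login entry alias to its ordered list of module class names.

    Both systemLoginConfig and applicationLoginConfig are walked, because the
    module must be absent from system and application login entries alike.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for entry in root.iter("entries"):
        alias = entry.get("alias")
        modules = [lm.get("moduleClassName") for lm in entry.findall("loginModules")]
        result[alias] = modules
    return result


def entries_with_module(xml_text, class_name=MAP_PLATFORM_SUBJECT):
    """Return the sorted aliases of login entries that still contain class_name."""
    return sorted(alias for alias, mods in login_entries(xml_text).items()
                  if class_name in mods)


def audit_report(xml_text):
    """Human-readable summary: which entries block distributed identity mapping."""
    offenders = entries_with_module(xml_text)
    if not offenders:
        return "OK: MapPlatformSubject is not configured in any JAAS login entry."
    lines = ["MapPlatformSubject is still configured in %d entry(ies):" % len(offenders)]
    for alias in offenders:
        lines.append("  - %s: %s" % (alias, " -> ".join(login_entries(xml_text)[alias])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(SAMPLE_SECURITY_XML))
```

Run it against a copy of the deployment manager's security.xml before enabling SAF distributed identity mapping; an empty result from entries_with_module is the state step 1 asks for. The script only reports; removing the module should still be done through the administrative console, wsadmin, or the removeMapPlatformSubject.py script so that the change is saved and synchronized by the normal configuration path rather than by editing the XML file in place.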
