(ZOS) SAF profile prefixes and the customization jobs
We can configure a System Authorization Facility (SAF) profile prefix (previously referred to as a z/OS security domain) using the z/OS Profile Management Tool.
A SAF profile prefix allows an installation to add a prefix to the SAF profiles that represent their roles. For example, an installation can define SAF class EJBROLE and a SAF profile of myPrefix.administrator. A SAF profile prefix can be defined for the entire cell, or it can be defined at the WebSphere security domain level to give domain-level granularity of security permissions. SAF profile prefixes:
- Provide WebSphere security domain-level granularity of roles
- Allow different administrators to be assigned for test and production
- Are used as the APPL profile for servers in the WebSphere security domain
We can configure a SAF profile prefix using the z/OS Profile Management Tool to customize our settings, or on the SAF authorization options panel in the administrative console. This provides a new sample set of Resource Access Control Facility (RACF) customization jobs that must only be run once, when the domain is created.
The RACF profiles that are created and checked differently because of this are:
- CBIND
- EJBROLE
- APPL
Use CBIND profiles to restrict access to servers if no other specific profile is set. If there is no SAF profile prefix, enter the following RACF commands:
    /* CBIND profiles in case no server definition is set */
    "RDEFINE CBIND CB.BIND.* UACC(NONE)"
    "RDEFINE CBIND CB.* UACC(NONE)"
If there is a SAF profile prefix defined as TESTSYS, enter:
    /* CBIND CB.BIND.domain_name. */
    "RDEFINE CBIND CB.BIND.TESTSYS.* UACC(NONE)"
    "RDEFINE CBIND CB.TESTSYS.* UACC(NONE)"
Use an APPL profile to protect WAS for z/OS. Sample profiles can grant a certain level of APPL access to everyone if we use the universal access authority, UACC, and grant access to the configuration group, unauthenticated user IDs, and all valid WAS for z/OS user IDs. A UACC(NONE) gives a default access of NONE to everyone. We can control whether the APPL class profile is used for authorization by setting the checkbox labeled "Use APPL profile to restrict access to the server" on the SAF authorization options panel in the administrative console.
For example, if there is no SAF profile prefix, enter the following RACF commands:
    RDEFINE APPL CBS390 UACC(NONE)
    PERMIT CBS390 CLASS(APPL) ID(TSCLGP) ACCESS(READ)
If there is a SAF profile prefix defined as TESTSYS, for example, enter:
    RDEFINE APPL TESTSYS UACC(NONE)
    PERMIT TESTSYS CLASS(APPL) ID(TSCLGP) ACCESS(READ)
The following EJBROLE profiles are defined for role-based authorization checks if there is no SAF profile prefix and the configuration group is defined as TSTCFG. Note that these are the minimum set of users requiring access to naming and administrative roles when System Authorization Facility (SAF) authorization is selected.
The following roles must be defined for both operating system and application security. Enter the following RACF commands:
    RDEFINE EJBROLE administrator UACC(NONE)
    RDEFINE EJBROLE monitor UACC(NONE)
    RDEFINE EJBROLE configurator UACC(NONE)
    RDEFINE EJBROLE operator UACC(NONE)
    RDEFINE EJBROLE deployer UACC(NONE)
    RDEFINE EJBROLE adminsecuritymanager UACC(NONE)
    RDEFINE EJBROLE auditor UACC(NONE)
    PERMIT administrator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
    PERMIT auditor CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
    PERMIT adminsecuritymanager CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
    /* Setting up EJBRoles Profiles for Naming roles */
    RDEFINE EJBROLE CosNamingRead UACC(NONE)
    PERMIT CosNamingRead CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
    RDEFINE EJBROLE CosNamingWrite UACC(NONE)
    PERMIT CosNamingWrite CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
    RDEFINE EJBROLE CosNamingCreate UACC(NONE)
    PERMIT CosNamingCreate CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
    RDEFINE EJBROLE CosNamingDelete UACC(NONE)
    PERMIT CosNamingDelete CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
If there is a SAF profile prefix defined as TESTSYS and the configuration group is defined as TSTCFG, enter the following RACF commands:
    RDEFINE EJBROLE TESTSYS.administrator UACC(NONE)
    RDEFINE EJBROLE TESTSYS.monitor UACC(NONE)
    RDEFINE EJBROLE TESTSYS.configurator UACC(NONE)
    RDEFINE EJBROLE TESTSYS.operator UACC(NONE)
    RDEFINE EJBROLE TESTSYS.deployer UACC(NONE)
    RDEFINE EJBROLE TESTSYS.adminsecuritymanager UACC(NONE)
    RDEFINE EJBROLE TESTSYS.auditor UACC(NONE)
    PERMIT TESTSYS.administrator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
    PERMIT TESTSYS.auditor CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
    PERMIT TESTSYS.adminsecuritymanager CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
    /* Setting up EJBRoles Profiles for Naming roles */
    RDEFINE EJBROLE TESTSYS.CosNamingRead UACC(NONE)
    PERMIT TESTSYS.CosNamingRead CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
    RDEFINE EJBROLE TESTSYS.CosNamingWrite UACC(NONE)
    PERMIT TESTSYS.CosNamingWrite CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
    RDEFINE EJBROLE TESTSYS.CosNamingCreate UACC(NONE)
    PERMIT TESTSYS.CosNamingCreate CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
    RDEFINE EJBROLE TESTSYS.CosNamingDelete UACC(NONE)
    PERMIT TESTSYS.CosNamingDelete CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
CBIND profile definitions for servers
If there is no SAF profile prefix, enter the following RACF commands:
    RDEFINE CBIND CB.BIND.BBO* UACC(NONE)
    RDEFINE CBIND CB.BIND.TSTC001 UACC(NONE)
    PERMIT CB.BIND.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
    PERMIT CB.BIND.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
    RDEFINE CBIND CB.BBO* UACC(NONE)
    RDEFINE CBIND CB.TSTC001 UACC(NONE)
If there is a SAF profile prefix defined as TESTSYS, enter:
    RDEFINE CBIND CB.BIND.TESTSYS.BBO* UACC(NONE)
    RDEFINE CBIND CB.BIND.TESTSYS.TSTC001 UACC(NONE)
    PERMIT CB.BIND.TESTSYS.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
    PERMIT CB.BIND.TESTSYS.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
    RDEFINE CBIND CB.TESTSYS.BBO* UACC(NONE)
    RDEFINE CBIND CB.TESTSYS.TSTC001 UACC(NONE)
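The APPL, EJBROLE and CBIND command sets above all place the SAF profile prefix at a fixed position in the profile name (APPL: the prefix itself; EJBROLE: prefix.role; CBIND: CB.BIND.prefix.server and CB.prefix.server) and define every profile with UACC(NONE). When the customization jobs are edited by hand, the typical mistakes are an unprefixed profile left over from a no-prefix sample, a PERMIT that names a profile no RDEFINE created, or a UACC other than NONE. The following Python audit is an added example, not part of the IBM documentation or the customization jobs; it parses RDEFINE/PERMIT lines in the form shown on this page and reports those three defects. The command list it runs on is constructed for the example and deliberately contains one of each defect.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the kind of RACF command list a customization job emits,
# for SAF profile prefix TESTSYS and configuration group TSTCFG (names taken from
# the page). Three lines are deliberately wrong so the audit has something to
# report: an unprefixed EJBROLE, a PERMIT for a profile never defined, and a
# CBIND profile with UACC(READ).
SAMPLE_COMMANDS = """\
RDEFINE APPL TESTSYS UACC(NONE)
PERMIT TESTSYS CLASS(APPL) ID(TSTCFG) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.administrator UACC(NONE)
RDEFINE EJBROLE TESTSYS.monitor UACC(NONE)
RDEFINE EJBROLE configurator UACC(NONE)
PERMIT TESTSYS.administrator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.operator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
RDEFINE CBIND CB.BIND.TESTSYS.BBO* UACC(NONE)
RDEFINE CBIND CB.TESTSYS.BBO* UACC(READ)
PERMIT CB.BIND.TESTSYS.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
"""

# Only the two command shapes used on this page are recognized.
RDEFINE_RE = re.compile(r"^RDEFINE\s+(\w+)\s+(\S+)\s+UACC\((\w+)\)\s*$")
PERMIT_RE = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)\s*$"
)


def carries_prefix(cls: str, profile: str, prefix: str) -> bool:
    """True if the profile name puts the SAF profile prefix where the samples do."""
    if cls == "APPL":
        return profile == prefix
    if cls == "EJBROLE":
        return profile.startswith(prefix + ".")
    if cls == "CBIND":
        return profile.startswith("CB.BIND." + prefix + ".") or profile.startswith(
            "CB." + prefix + "."
        )
    return True  # classes outside the page's scope are not checked


def audit(commands: str, prefix: Optional[str]) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs; an empty list means the set looks consistent.

    prefix=None audits a no-prefix configuration, where only UACC and
    undefined-profile checks apply.
    """
    defined: Dict[Tuple[str, str], str] = {}  # (class, profile) -> UACC value
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(commands.splitlines(), 1):
        # The page shows some commands wrapped in double quotes (REXX-style); strip them.
        line = raw.strip().strip('"').strip()
        if not line or line.startswith("/*"):
            continue  # blank line or /* comment */
        m = RDEFINE_RE.match(line)
        if m:
            cls, profile, uacc = m.groups()
            defined[(cls, profile)] = uacc
            if uacc != "NONE":
                findings.append((lineno, f"{cls} {profile} has UACC({uacc}); expected NONE"))
            if prefix is not None and not carries_prefix(cls, profile, prefix):
                findings.append((lineno, f"{cls} {profile} lacks SAF profile prefix {prefix}"))
            continue
        m = PERMIT_RE.match(line)
        if m:
            profile, cls, _ident, _access = m.groups()
            if (cls, profile) not in defined:
                findings.append((lineno, f"PERMIT for {cls} {profile} has no preceding RDEFINE"))
            continue
        findings.append((lineno, f"unrecognized command: {line}"))
    return findings


if __name__ == "__main__":
    for lineno, text in audit(SAMPLE_COMMANDS, "TESTSYS"):
        print(f"line {lineno}: {text}")
```

Run against the sample, the audit reports lines 5, 7 and 9. The same function can be pointed at the no-prefix command set with prefix=None, in which case it checks only the UACC values and the RDEFINE/PERMIT pairing.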
- To create a new specific server that has a jobname starting with a prefix other than BBO*, define a specific CBIND profile by entering the following RACF commands:
    RDEFINE CBIND CB.BIND.TSTC002 UACC(NONE)
    PERMIT CB.BIND.TSTC002 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
    RDEFINE CBIND CB.TSTC002 UACC(NONE)
- The samples create server definitions with specific server names (but a generic profile with a server prefix of BBO). If we have created an alternative server prefix and wish to avoid additional CBIND definitions, add generic CBIND profiles that reflect the new name by entering the following RACF commands, where TST is the server jobname prefix:
    RDEFINE CBIND CB.BIND.TESTSYS.TST* UACC(NONE)
    PERMIT CB.BIND.TESTSYS.TST* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
    RDEFINE CBIND CB.TESTSYS.TST* UACC(NONE)
- While the SAF profile prefix separates the RACF classes (CBIND, EJBROLE, APPL), it does not separate the file permissions for configuration files in the Hierarchical File System (HFS). For example, if:
  - The administrator is WSADMIN in group WSCFG
  - The Servant region identity is WASSRV (which must also belong to the WSCFG group)
  - The user TOM has READ access to the TEST.administrator EJBROLE but not to the PROD.administrator EJBROLE,
  then TOM cannot use the administration application to make changes to the PROD cell.
- A rogue application running in the TEST application server can nevertheless modify HFS files in the PROD cell. This is because the TEST server runs with the WASSRV user ID, which belongs to the WSCFG group, and both the TEST and PROD HFS files can be modified by the WSCFG group. For maximum protection, PROD should be created and associated with a different RACF group from TEST. Also, consider enabling application server and z/OS thread identity synchronization. This ensures that z/OS system services, such as writing to the HFS, are performed using the Java EE identity instead of the servant region identity. For more information, read about z/OS security options.
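The two points above describe two different authorization paths: the EJBROLE check, which the SAF profile prefix separates, and the HFS permission check, which it does not. The following Python model is an added example, not IBM code and not a description of how RACF or the z/OS file system implement their checks; it only reproduces the decision logic of the scenario with the page's identities (TOM, WASSRV, WSADMIN, group WSCFG) and shows why moving the PROD configuration under a separate RACF group closes the gap. The HFS paths, the PROD owner PRADMIN and the group PRCFG are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    groups: FrozenSet[str]


# EJBROLE profile -> IDs (users or groups) permitted READ on it.
# Mirrors the page: TOM holds TEST.administrator but not PROD.administrator.
EJBROLE_PERMITS: Dict[str, Set[str]] = {
    "TEST.administrator": {"TOM", "WSCFG"},
    "PROD.administrator": {"WSCFG"},
}

# HFS path -> (owner, owning group, POSIX mode string). Paths are hypothetical.
# Layout 1: both cells share the WSCFG group (the situation the page warns about).
SHARED_GROUP_HFS: Dict[str, Tuple[str, str, str]] = {
    "/WebSphere/TEST/config": ("WSADMIN", "WSCFG", "rwxrwx---"),
    "/WebSphere/PROD/config": ("WSADMIN", "WSCFG", "rwxrwx---"),
}
# Layout 2: PROD associated with a different RACF group (the page's recommendation).
# PRADMIN and PRCFG are constructed names.
SEPARATE_GROUP_HFS: Dict[str, Tuple[str, str, str]] = {
    "/WebSphere/TEST/config": ("WSADMIN", "WSCFG", "rwxrwx---"),
    "/WebSphere/PROD/config": ("PRADMIN", "PRCFG", "rwxrwx---"),
}

TOM = Identity("TOM", frozenset())
# Servant region identity of the TEST server; the page says it must be in WSCFG.
WASSRV_TEST = Identity("WASSRV", frozenset({"WSCFG"}))


def has_ejbrole(ident: Identity, profile: str, permits: Dict[str, Set[str]]) -> bool:
    """Model of an EJBROLE READ check: the user ID or one of its groups is permitted."""
    allowed = permits.get(profile, set())
    return ident.name in allowed or bool(ident.groups & allowed)


def can_write_hfs(ident: Identity, path: str, hfs: Dict[str, Tuple[str, str, str]]) -> bool:
    """Model of a POSIX owner/group/other write check on an HFS path."""
    owner, group, mode = hfs[path]
    if ident.name == owner:
        return mode[1] == "w"
    if group in ident.groups:
        return mode[4] == "w"
    return mode[7] == "w"


def scenario(hfs: Dict[str, Tuple[str, str, str]]) -> Dict[str, bool]:
    """Evaluate the page's three questions against a given HFS layout."""
    return {
        "tom_admin_test": has_ejbrole(TOM, "TEST.administrator", EJBROLE_PERMITS),
        "tom_admin_prod": has_ejbrole(TOM, "PROD.administrator", EJBROLE_PERMITS),
        # Code running in the TEST servant region acts as WASSRV when it touches the HFS.
        "test_servant_writes_prod": can_write_hfs(WASSRV_TEST, "/WebSphere/PROD/config", hfs),
    }


if __name__ == "__main__":
    print("shared group  :", scenario(SHARED_GROUP_HFS))
    print("separate group:", scenario(SEPARATE_GROUP_HFS))
```

With the shared-group layout the EJBROLE prefix keeps TOM out of PROD administration, yet the TEST servant identity can still write the PROD configuration files; with PROD under its own group that write is denied while the EJBROLE results are unchanged. Thread identity synchronization, mentioned above, addresses the same gap from the other side by making the file system see the Java EE identity rather than WASSRV.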
Related:
- WAS security for z/OS
- z/OS Profile Management Tool security settings
- z/OS security options