(ZOS) Enabling trusted applications
From a z/OS perspective, trusted applications imply that the WebSphere Application Server started task control (STC) is to be considered a "trusted application" and is allowed to change System Authorization Facility (SAF) identity on the thread of execution. When a z/OS application (such as WAS) is trusted, the security infrastructure allows the creation of MVS™ credentials without using a password, passticket, or certificate as an authenticator, while still preserving the integrity of the MVS system.
As a general rule, trusted applications are needed when using SAF as the local operating system user registry or when we plan to use SAF authorization, and they are controlled through the FACILITY class and the BBO.TRUSTEDAPPS class profile. When WAS is configured to use SAF security for a local operating system user registry, SAF authorization, or Sync to Thread Allowed, trusted applications must be enabled so that MVS system integrity remains preserved. Trusted applications meet the MVS integrity rules so that unauthorized callers are NOT allowed to call sensitive WAS code to perform authorized functions. When using SAF, we must define the trusted application within the Resource Access Control Facility (RACF) or an equivalent product. The SAF authorization resource rules need to define WAS as the trusted application with the authority to change the identity on thread execution. In this way, WAS and MVS can work together without jeopardizing each other's integrity.
Use FACILITY class profiles
You enable trusted applications by ensuring that WAS has SAF access of READ to the profile BBO.TRUSTEDAPPS.<cell short name>.<cluster short name> in the RACF FACILITY class.
Once defined, the trusted applications need to be enabled. We use the FACILITY class profile to give the RACF administrator control over the enabling of trusted applications. The following examples illustrate how we use the FACILITY class and the BBO.TRUSTEDAPPS class profile to provide this control.
- Generic Example:
    RDEF FACILITY BBO.TRUSTEDAPPS.** UACC(NONE)
    PERMIT BBO.TRUSTEDAPPS.** CLASS(FACILITY) ID(MYCBGROUP) ACC(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
- Specific Example with a specific server identified by a cell short name of SY1, a cluster short name of BBOC001, and a controller region userid of MYSTCCR:
    RDEF FACILITY BBO.TRUSTEDAPPS.SY1.BBOC001 UACC(NONE)
    PERMIT BBO.TRUSTEDAPPS.SY1.BBOC001 CLASS(FACILITY) ID(MYSTCCR) ACC(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
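One way to verify the result, as an added example that is not part of the original page or of IBM's code: the Python below audits captured output of RLIST FACILITY <profile> AUTHUSER against the setup described above (UACC(NONE), READ only for the intended ID). The sample text is constructed and abridged, its column layout is an assumption about the listing format, and SECADM and WEBADM1 are hypothetical IDs.

```python
# Constructed, abridged sample shaped like RLIST ... AUTHUSER output (layout assumed).
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
FACILITY   BBO.TRUSTEDAPPS.SY1.BBOC001

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SECADM          READ             ALTER    NO

USER      ACCESS
----      ------
MYSTCCR   READ
WEBADM1   UPDATE
"""

def parse_rlist(text):
    """Return (profile, uacc, warning, {id: access}) from captured RLIST text."""
    lines = text.splitlines()
    profile = uacc = warning = None
    acl = {}
    for i, line in enumerate(lines):
        tok = line.split()
        if tok[:2] == ["CLASS", "NAME"] and i + 2 < len(lines):
            profile = lines[i + 2].split()[1]
        elif "UNIVERSAL ACCESS" in line and i + 2 < len(lines):
            row = lines[i + 2].split()      # level, owner, uacc, your access, warning
            uacc, warning = row[2], row[-1]
        elif tok[:2] == ["USER", "ACCESS"]:
            for entry in lines[i + 2:]:     # skip the dashed rule under the header
                parts = entry.split()
                if len(parts) < 2:
                    break
                acl[parts[0]] = parts[1]
    return profile, uacc, warning, acl

def audit(text, expected_ids):
    """List deviations from the page's setup: UACC(NONE), READ only for expected IDs."""
    profile, uacc, warning, acl = parse_rlist(text)
    findings = []
    if uacc != "NONE":
        findings.append(f"{profile}: UACC is {uacc}, expected NONE")
    if warning == "YES":
        findings.append(f"{profile}: WARNING mode is on, access is not enforced")
    for user, access in sorted(acl.items()):
        if user not in expected_ids:
            findings.append(f"{profile}: unexpected ID {user} has {access}")
        elif access != "READ":
            findings.append(f"{profile}: {user} has {access}, expected READ")
    for user in sorted(set(expected_ids) - set(acl)):
        findings.append(f"{profile}: {user} is missing from the access list")
    return findings
```

Calling audit(SAMPLE_RLIST, {"MYSTCCR"}) reports the non-NONE universal access and the extra ID; an empty list means the profile matches the intended setup.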