(ZOS) Enabling pluggable login modules to map Java EE identities to System Authorization Facility (SAF)
Several actions are needed before any pluggable login module can correctly map Java EE identities to SAF: the active WebSphere Application Server user registry must be configured, and the pluggable mapping modules must be configured in the system login configurations.
Tasks
- Configure the active WAS user registry as an LDAP registry or a custom registry, and use System Authorization Facility (SAF) services such as:
  - SAF EJBROLE profiles to control WAS authorization. Refer to Role-based authorization for more information.
  - Running a WAS application with the operating system (OS) identity set to match the Java EE identity. This is known as application Synch to OS Thread. Refer to Application Synch to OS Thread Allowed and When to use application Synch to OS Thread Allowed for more information.
  - Using the Java EE client identity as the identity when issuing a Connection Management request for a local native connector such as CICS, Information Management System (IMS), Database 2 (DB2), or Java Messaging Service (JMS). Refer to Java Platform, Enterprise Edition identity and an operating system thread identity for more information.
  - Auditing using SMF audit records. Refer to the information about using SMF type 80 to prepare for audit support.
- Configure a pluggable mapping module, followed by a WAS for z/OS-supplied module, in the appropriate system login configurations. If a registry other than the local OS registry is selected and either no mapping is done or no valid mapping is available for a particular identity, then:
  - SAF authorization is not supported: if SAF authorization is selected and a method is protected, the method call fails.
  - Application Synch to OS Thread is not supported: requests always run under the user ID of the servant.
  - When res-auth=container is specified for native connectors and no alias is identified, the connection management request runs under the servant user ID.
- Pluggable login modules can be used when:
  - The WAS authentication mechanism is Simple WebSphere Authentication Mechanism (SWAM) or LTPA. SWAM is deprecated in WAS v9.0 and will be removed in a future release.
  - The Internet Inter-ORB Protocol (IIOP) authentication protocol negotiated is CSIv2.
  - A web request is issued.
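The mapping module that the second task describes, shown here as an added example that is not IBM's code and not the WAS for z/OS-supplied module: a hypothetical JAAS LoginModule in Java that takes the Java EE identity (here an LDAP distinguished name, looked up in a constructed sample table) and maps it to a SAF user ID, publishing the result for the module that follows it in the login configuration. The class name, the sample table, and the shared-state key `example.safMappedUserId` are assumptions; the key and principal type that the WAS-supplied module actually consumes are defined by WebSphere and must be taken from its documentation. The module refuses an identity that has no valid mapping, so the situation the list above describes (protected methods failing, requests falling back to the servant user ID) is surfaced as a login failure rather than discovered later at run time.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical mapping login module (example only, not IBM's code).
 * It obtains the Java EE identity from the callback handler, maps it to a
 * SAF user ID, and places that ID in the JAAS shared state so that the
 * WAS for z/OS-supplied module configured after it can pick it up.
 */
public class SafMappingLoginModule implements LoginModule {
    // PLACEHOLDER: the real shared-state key read by the WAS-supplied module is
    // defined by WebSphere; replace this with the documented key.
    static final String MAPPED_SAF_USER_KEY = "example.safMappedUserId";

    // Constructed sample mapping (LDAP DN -> SAF user ID). A real deployment
    // would read this from an LDAP attribute or a maintained mapping file.
    private static final Map<String, String> MAPPINGS = Map.of(
        "uid=alice,ou=people,dc=example,dc=com", "ALICE",
        "uid=bob,ou=people,dc=example,dc=com",   "BOB1");

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private String mappedUser;
    private boolean succeeded;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    @Override
    public boolean login() throws LoginException {
        String javaEeIdentity = javaEeIdentity();
        String candidate = MAPPINGS.get(javaEeIdentity);
        // Fail closed: an identity with no valid SAF mapping is rejected here
        // instead of silently running under the servant user ID later.
        if (candidate == null || !isValidSafUserId(candidate)) {
            throw new LoginException("no valid SAF mapping for " + javaEeIdentity);
        }
        mappedUser = candidate;
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) {
            return false;
        }
        // Hand the mapped ID to the next module and record it on the Subject.
        sharedState.put(MAPPED_SAF_USER_KEY, mappedUser);
        subject.getPrincipals().add(new SafUserPrincipal(mappedUser));
        return true;
    }

    @Override
    public boolean abort() {
        cleanup();
        return true;
    }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof SafUserPrincipal);
        cleanup();
        return true;
    }

    private void cleanup() {
        mappedUser = null;
        succeeded = false;
    }

    // Ask the callback handler for the Java EE identity established upstream.
    private String javaEeIdentity() throws LoginException {
        NameCallback nc = new NameCallback("Java EE identity: ");
        try {
            handler.handle(new Callback[] { nc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain Java EE identity: " + e);
        }
        if (nc.getName() == null || nc.getName().isEmpty()) {
            throw new LoginException("no Java EE identity presented");
        }
        return nc.getName();
    }

    // Syntactic sanity check: SAF user IDs are 1 to 8 uppercase alphanumeric
    // or national (@ # $) characters. Existence in SAF is verified by the
    // WAS-supplied module, not here.
    static boolean isValidSafUserId(String id) {
        return id != null && id.matches("[A-Z0-9@#$]{1,8}");
    }

    // Minimal principal carrying the mapped SAF user ID (example type).
    public static final class SafUserPrincipal implements Principal {
        private final String name;
        SafUserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "SAF:" + name; }
    }
}
```

Ordering is what makes this work: the mapping module must appear in the system login configuration before the WAS-supplied module, and with the `required` control flag, so that a failed mapping fails the whole login rather than letting the request proceed with an unmapped identity.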
Related:
- Role-based authorization
- Application Synch to OS Thread Allowed
- Java Platform, Enterprise Edition identity and an operating system thread identity
- Authorizing access to resources
- Use SMF type 80 - preparing for audit support