Add the Login Module

  1. Navigate to Security > Global security;
  2. Expand the Java Authentication and Authorization Service entry under the Authentication heading and select System logins;
  3. Select the relevant Alias from the list. The login module should be configured for the DEFAULT, WEB_INBOUND and RMI_INBOUND aliases;
  4. Click the New button to configure a new Login Module;
  5. Set the Module class name field to be curam.util.security.CuramLoginModule;
  6. Check the Use login module proxy option;
  7. Select REQUIRED in the Authentication strategy field;
  8. Click the OK button to confirm the addition of the new login module;
  9. Select the newly added curam.util.security.CuramLoginModule from the list;
  10. Select the Custom properties link under the Additional Properties heading;
  11. Click the New button to add the required properties as listed below.
    Table 1. CuramLoginModule Custom Properties

    exclude_usernames
      Example value: websphere, db2admin
      Description: Required. A list of usernames to be excluded from authentication. The default delimiter is a comma, but it may be overridden by exclude_usernames_delimiter. This list should include the WebSphere Application Server for z/OS administration users and the database user. Any users listed here should be defined in the WebSphere Application Server for z/OS user registry.

    exclude_usernames_delimiter
      Example value: |
      Description: Optional. A delimiter for the list of usernames provided in exclude_usernames. A delimiter other than the default comma is useful when usernames contain embedded commas, as LDAP usernames do.

    login_trace
      Example value: true
      Description: Optional. Set this property to true to debug the authentication process. If set to true, each invocation of the login module adds tracing information to the WebSphere Application Server for z/OS SystemOut.log file.

    module_name
      Example value: DEFAULT, WEB_INBOUND or RMI_INBOUND
      Description: Optional. Set this property to one of DEFAULT, WEB_INBOUND or RMI_INBOUND, depending on the configuration the login module is being defined for. It is used for tracing purposes only, and only when login_trace is set to true.

    check_identity_only
      Example value: true
      Description: Optional. If this property is set to true, the login module does not perform the usual authentication verifications; instead it simply ensures that the user exists in the database table. In this case the configured WebSphere Application Server for z/OS user registry is not bypassed and is queried after the login module. This option is intended for deployments where LDAP support is required or an alternative authentication mechanism is to be used.

    user_registry_enabled
      Example value: true
      Description: Optional. This property overrides the behavior of bypassing the user registry. If it is set to true, the WebSphere Application Server for z/OS user registry is queried during the authentication process; if it is set to false, the WebSphere Application Server for z/OS user registry is not queried.
      Note: If you are specifying identity only and using LDAP, you may need to perform additional configuration steps; see Special Configuration Steps When Using Identity Only and LDAP.

    user_registry_enabled_types
      Example value: EXTERNAL
      Description: Optional. A comma-delimited list of external user types that will be processed against the WebSphere Application Server for z/OS user registry (e.g. LDAP). See WebSphere Application Server User Registry for more information on the processing of the WebSphere Application Server for z/OS user registry.

    user_registry_disabled_types
      Example value: EXTGEN,EXTAUTO
      Description: Optional. A comma-delimited list of external user types that will not be processed against the WebSphere Application Server for z/OS user registry (e.g. LDAP). See WebSphere Application Server User Registry for more information on the processing of the WebSphere Application Server for z/OS user registry.

  12. Click OK to confirm the addition of the new login module;
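As an added example (not IBM's or Cúram's code), the following Python models the custom property set from Table 1: it resolves exclude_usernames with the optional delimiter override, so that LDAP usernames with embedded commas survive intact, and checks a property set for the inconsistencies the table's wording implies. The property names, allowed values and defaults come from the table; the interaction between properties beyond what the table states is assumed.

```python
# Added example, not IBM's code: models the CuramLoginModule property set above.
# Precedence between properties is not documented on the page and is assumed.
REQUIRED = {"exclude_usernames"}
KNOWN = REQUIRED | {
    "exclude_usernames_delimiter", "login_trace", "module_name",
    "check_identity_only", "user_registry_enabled",
    "user_registry_enabled_types", "user_registry_disabled_types",
}
MODULE_NAMES = {"DEFAULT", "WEB_INBOUND", "RMI_INBOUND"}
BOOLEANS = ("login_trace", "check_identity_only", "user_registry_enabled")


def excluded_usernames(props):
    """Split exclude_usernames on the configured delimiter (default comma)."""
    # A non-comma delimiter keeps LDAP DNs such as 'cn=admin,o=example' whole.
    delimiter = props.get("exclude_usernames_delimiter", ",")
    raw = props.get("exclude_usernames", "")
    return [name.strip() for name in raw.split(delimiter) if name.strip()]


def _types(props, key):
    """Comma-delimited user_registry_*_types value as a set of user types."""
    return {t.strip() for t in props.get(key, "").split(",") if t.strip()}


def validate(props):
    """Return the problems found in a property set; an empty list means clean."""
    problems = [f"missing required property {p}" for p in sorted(REQUIRED - set(props))]
    problems += [f"unknown property {p}" for p in sorted(set(props) - KNOWN)]
    for flag in BOOLEANS:
        if flag in props and props[flag].lower() not in ("true", "false"):
            problems.append(f"{flag} must be true or false, got {props[flag]!r}")
    module_name = props.get("module_name")
    if module_name is not None and module_name not in MODULE_NAMES:
        problems.append(f"module_name must be one of {sorted(MODULE_NAMES)}")
    if module_name and props.get("login_trace", "false").lower() != "true":
        problems.append("module_name only has an effect when login_trace is true")
    # DN fragments left by a default-comma split mean the delimiter override was
    # forgotten and the exclusion list does not name the intended users.
    if "exclude_usernames_delimiter" not in props and any(
            "=" in name for name in excluded_usernames(props)):
        problems.append("exclude_usernames looks like LDAP DNs split on ','; "
                        "set exclude_usernames_delimiter")
    both = _types(props, "user_registry_enabled_types") & _types(
        props, "user_registry_disabled_types")
    if both:
        problems.append(f"user types both enabled and disabled: {sorted(both)}")
    return problems
```

Run validate() over the property map before saving the login module; an empty result means the set is internally consistent, while each string returned names one property to revisit.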