Securing optimized local adapters for inbound support on Liberty for z/OS

Secure your WebSphere® optimized local adapters (WOLA) connections that make inbound calls to the Liberty server.

Before you begin

Run the Liberty servers on z/OS® with server security. For more information, see Security.

Local access to Liberty for z/OS servers is protected by the System Authorization Facility (SAF) CBIND class. When enabled, this class is used to protect Liberty servers when optimized local adapters requests are made. Before you run any application that uses the Register API, grant READ access for the user ID for the job, UNIX System Services process, or Customer Information Control System (CICS®) region to the CBIND class for the target server.
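
The following REXX exec is an added example, not part of the original topic, that shows one way to grant the CBIND READ access described above. It assumes RACF is the SAF provider and that the CBIND profile for optimized local adapters is named BBG.WOLA.<wolaGroup>.<wolaName2>.<wolaName3>, taken from the zosLocalAdapters element of the target server; the group names and user IDs are constructed placeholders.

```rexx
/* REXX - added example: protect a Liberty WOLA server with CBIND   */
/* Assumptions: RACF is the SAF provider; all values below are       */
/* constructed placeholders and must be replaced with site values.   */

wolaGroup = 'LIBGRP'            /* wolaGroup  of the target server   */
wolaName2 = 'LIBSRV'            /* wolaName2  of the target server   */
wolaName3 = 'ONE'               /* wolaName3  of the target server   */

/* User IDs that call the Register API: a batch job user, a UNIX     */
/* System Services process user, and a CICS region user.             */
clients = 'BATCHU1 USSPROC1 CICSRGN1'

profile = 'BBG.WOLA.'wolaGroup'.'wolaName2'.'wolaName3
failed  = 0

/* Define the profile with no default access, so only IDs that are   */
/* explicitly permitted can register with the server.                */
call run 'RDEFINE CBIND' profile 'UACC(NONE)'

/* Grant READ, the access level the Register API needs, to each      */
/* client ID and nothing higher.                                     */
do i = 1 to words(clients)
  call run 'PERMIT' profile 'CLASS(CBIND) ACCESS(READ)',
           'ID('word(clients, i)')'
end

/* Refresh the in-storage profiles; applies when CBIND is RACLISTed. */
call run 'SETROPTS RACLIST(CBIND) REFRESH'

/* List the access list to confirm that only the intended IDs appear.*/
call run 'RLIST CBIND' profile 'AUTHUSER'

if failed > 0 then say failed 'command(s) did not complete; review output.'
exit failed

/* Issue one TSO command and record a nonzero return code. */
run:
  parse arg cmd
  say '>>' cmd
  address TSO cmd
  if rc <> 0 then do
    say '   return code' rc
    failed = failed + 1
  end
  return
```

Review the RLIST output for generic profiles or group entries that grant READ more broadly than the IDs listed in the exec.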

All inbound requests to the Liberty server run under the authority of the current user on the thread. This identity is automatically propagated and asserted in the Enterprise JavaBeans (EJB) container, and the application starts under this identity. Inbound requests that drive into a target enterprise bean arrive in the same manner as method invocations for local EJB requests, and the RunAs security options work in the same way as they do for local EJB requests.

When inbound or outbound transaction work passes between CICS and Liberty for z/OS, you must take some special security considerations into account. For example, you must determine whether work that is inbound to the Liberty server runs with the authority of the specific CICS application or with the overall CICS region authority. Similar concerns apply when the Liberty server sends outbound work to a CICS application; you must determine whether CICS honors the originating application authority or its own current CICS security profile.

Attention: You must make sure that the client applications are authenticated for CICS to process the request.

When you pass requests in to the Liberty server from CICS, you can indicate that you want to use the current CICS application identity by setting a flag for this on the Register API call.

Procedure

