If you are using a SAF user registry, you must specify a SAF user ID that represents the
unauthenticated state. The name of the unauthenticated user ID is specified on the
unauthenticatedUser attribute of the SAFCredentials element in
server.xml. It is important to define this user ID correctly in your SAF
registry. If you are using a RACF SAF user registry, the unauthenticated user (default WSGUEST)
needs a unique default group (DFLTGRP) with no other user IDs connected to that group, an OMVS
segment but no TSO segment, and the options NOPASSWORD,
NOOIDCARD, and RESTRICTED. If you are using a SAF user registry other than RACF,
find the user ID options provided by that SAF registry that are
equivalent to these RACF options.
About this task
By running the appropriate commands, you can correctly set up an unauthenticated user in your SAF
user registry. An unauthenticated user that is incorrectly set up might cause a security
exposure.
Procedure
- Run the ADDGROUP command. Use WSGUESTG as the group name.

  ADDGROUP WSGUESTG SUPGROUP(SYS1) OWNER(SYS1)
    DATA('WAS Unauthenticated User Group')
    OMVS(AUTOGID)

- Run the ADDUSER command. Use WSGUEST as the user ID name.

  ADDUSER WSGUEST DFLTGRP(WSGUESTG) OWNER(SYS1)
    OMVS(AUTOUID HOME(/u/WSGUEST) PROGRAM(/bin/sh))
    NAME('WAS unauth')
    NOPASSWORD NOOIDCARD RESTRICTED

  The options NOPASSWORD and NOOIDCARD protect this user ID from
  being revoked by repeated attempts to guess the password.
  The option RESTRICTED means that this user ID cannot gain access to a protected
  resource unless it is explicitly permitted to that resource, even if that resource has a general
  access setting of UACC(READ).
Note: After the unauthenticated user ID (WSGUEST) is defined to the SAF registry, ensure that the
user ID is permitted to only the minimum number of SAF resources. If the Liberty server is using an SAF APPL resource check
to control which users can connect to the Liberty
z/OS® System Security Access Domain, then the unauthenticated
user ID must be given access to the APPL profile. Run the PERMIT command:

  PERMIT BBGZDFLT CLASS(APPL) ID(WSGUEST) ACCESS(READ)
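The requirements above (dedicated default group with no other members, OMVS segment, no TSO segment, NOPASSWORD, NOOIDCARD, RESTRICTED) are easy to get subtly wrong, so a defender typically verifies the definition after running the commands. The following Python checker is an added example, not part of this documentation or of Liberty. It parses constructed sample output in the shape of RACF's LISTUSER (with OMVS and TSO segments) and LISTGRP listings; the field layout, the use of PASSDATE=N/A as the sign of a protected (NOPASSWORD) user, and the "NO TSO INFORMATION" wording are assumptions about typical RACF output, not captured from a real system. NOOIDCARD is not visible in this listing and is not checked.

```python
import re

# Constructed sample output, as LISTUSER WSGUEST OMVS TSO and LISTGRP WSGUESTG
# might print after the ADDGROUP/ADDUSER commands in the procedure.
# Layout assumed from typical RACF listings; not captured from a real system.
LISTUSER_GOOD = """\
USER=WSGUEST  NAME=WAS UNAUTH  OWNER=SYS1      CREATED=24.100
 DEFAULT-GROUP=WSGUESTG PASSDATE=N/A   PASS-INTERVAL=N/A  PHRASEDATE=N/A
 ATTRIBUTES=RESTRICTED
 REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=WSGUESTG  AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=24.100

OMVS INFORMATION
----------------
UID= 0000012345
HOME= /u/WSGUEST
PROGRAM= /bin/sh

NO TSO INFORMATION
"""

LISTGRP_GOOD = """\
INFORMATION FOR GROUP WSGUESTG
    SUPERIOR GROUP=SYS1       OWNER=SYS1
    INSTALLATION DATA=WAS Unauthenticated User Group
    NO SUBGROUPS
    USER(S)=      ACCESS=      ACCESS COUNT=      UNIVERSAL ACCESS=
      WSGUEST       USE         000000              NONE
"""

# Deliberately wrong variant (constructed): password-capable, not RESTRICTED,
# wrong DFLTGRP, no OMVS segment, a TSO segment, and a second group member.
LISTUSER_BAD = """\
USER=WSGUEST  NAME=WAS UNAUTH  OWNER=SYS1      CREATED=24.100
 DEFAULT-GROUP=SYS1     PASSDATE=24.100 PASS-INTERVAL= 90  PHRASEDATE=N/A
 ATTRIBUTES=NONE
  GROUP=SYS1      AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=24.100

NO OMVS INFORMATION

TSO INFORMATION
---------------
ACCTNUM= ACCT#
PROC= IKJACCNT
"""

LISTGRP_BAD = """\
INFORMATION FOR GROUP WSGUESTG
    SUPERIOR GROUP=SYS1       OWNER=SYS1
    USER(S)=      ACCESS=      ACCESS COUNT=      UNIVERSAL ACCESS=
      WSGUEST       USE         000000              NONE
      OPER1         USE         000003              NONE
"""


def parse_listuser(text):
    """Extract the fields the checks need from LISTUSER output."""
    def field(name):
        m = re.search(name + r"=(\S+)", text)
        return m.group(1) if m else None
    attrs = re.search(r"ATTRIBUTES=(.*)", text)
    return {
        "dfltgrp": field("DEFAULT-GROUP"),
        "passdate": field("PASSDATE"),  # N/A is assumed to mean a protected (NOPASSWORD) user
        "attributes": set(attrs.group(1).split()) if attrs else set(),
        # Anchored at line start so "NO OMVS INFORMATION" / "NO TSO INFORMATION" do not match
        "has_omvs": re.search(r"^OMVS INFORMATION", text, re.M) is not None,
        "has_tso": re.search(r"^TSO INFORMATION", text, re.M) is not None,
    }


def group_members(listgrp_text):
    """Return the user IDs listed under USER(S)= in LISTGRP output."""
    members, in_users = [], False
    for line in listgrp_text.splitlines():
        if line.strip().startswith("USER(S)="):
            in_users = True
            continue
        if in_users:
            parts = line.split()
            if not parts:
                break
            members.append(parts[0])
    return members


def check_unauthenticated_user(listuser_text, listgrp_text, user="WSGUEST", group="WSGUESTG"):
    """Return findings; an empty list means the definition meets the requirements."""
    u = parse_listuser(listuser_text)
    members = group_members(listgrp_text)
    findings = []
    if u["dfltgrp"] != group:
        findings.append(f"DFLTGRP is {u['dfltgrp']}, expected the dedicated group {group}")
    if "RESTRICTED" not in u["attributes"]:
        findings.append("RESTRICTED attribute missing: UACC would apply to this user ID")
    if u["passdate"] != "N/A":
        findings.append("PASSDATE is not N/A: user ID appears to have a password (expected NOPASSWORD)")
    if not u["has_omvs"]:
        findings.append("OMVS segment missing")
    if u["has_tso"]:
        findings.append("TSO segment present: the unauthenticated user must not have one")
    if user not in members:
        findings.append(f"{user} is not connected to {group}")
    others = sorted(m for m in members if m != user)
    if others:
        findings.append(f"other user IDs connected to {group}: {', '.join(others)}")
    return findings


if __name__ == "__main__":
    for label, lu, lg in (("good", LISTUSER_GOOD, LISTGRP_GOOD), ("bad", LISTUSER_BAD, LISTGRP_BAD)):
        findings = check_unauthenticated_user(lu, lg)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

On a real system you would capture the two listings (for example from a TSO session or batch job) and pass their text to check_unauthenticated_user; any finding is a reason to correct the definition before the server goes live.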
What to do next
If you receive the RACF authorization failure message
ICH408I because the
unauthenticated user (WSGUEST) does not have access to a RACF resource, such as an
EJBROLE profile, it is nearly always incorrect to permit the unauthenticated user
ID to the resource profile to resolve the problem. It usually means that the request is running in
an unauthenticated state when it must be running in an authenticated state. The actual problem is
probably a failure to authenticate properly. Whenever it appears necessary to permit the
unauthenticated user ID to a SAF resource profile, consider carefully whether that is the correct
action to take. Permitting the unauthenticated user ID to any SAF resource profile makes that
resource available to everyone, including users that are not authenticated. There are almost no
instances where that is required; however, the APPL profile that controls access to the WZSSAD
(the z/OS System Security Access Domain) is one exception.
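The triage rule above (an ICH408I for WSGUEST almost always means a request ran unauthenticated, with the APPL profile as the one expected exception) can be applied mechanically to SYSLOG. The following Python script is an added example, not part of this documentation or of Liberty. It parses constructed ICH408I messages written in the general shape RACF uses (JES prefixes and timestamps omitted; the exact message layout is an assumption) and classifies each one. The APPL profile name BBGZDFLT and the user ID WSGUEST are the defaults from this page; the resource name BBGZDFLT.ADMINROLE and the user ALICE are constructed for the sample.

```python
import re

# Constructed SYSLOG excerpt with three ICH408I messages (layout assumed,
# not captured from a real system).
SAMPLE_LOG = """\
ICH408I USER(WSGUEST ) GROUP(WSGUESTG) NAME(WAS UNAUTH          )
  BBGZDFLT.ADMINROLE CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(WSGUEST ) GROUP(WSGUESTG) NAME(WAS UNAUTH          )
  BBGZDFLT CL(APPL    )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(ALICE   ) GROUP(DEPTA   ) NAME(ALICE EXAMPLE       )
  BBGZDFLT.ADMINROLE CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

USER_RE = re.compile(r"USER\(\s*([^\s)]+)")
RESOURCE_RE = re.compile(r"^\s*(\S+)\s+CL\(\s*([^\s)]+)")
INTENT_RE = re.compile(r"ACCESS INTENT\(\s*([^\s)]+)")


def parse_ich408i(log_text):
    """Group log lines into ICH408I events and extract user, resource, class and intent."""
    events, current = [], None
    for line in log_text.splitlines():
        if "ICH408I" in line:
            current = {"user": None, "resource": None, "class": None, "intent": None}
            events.append(current)
            m = USER_RE.search(line)
            if m:
                current["user"] = m.group(1)
            continue
        if current is None:
            continue  # text before the first ICH408I
        m = RESOURCE_RE.match(line)
        if m:
            current["resource"], current["class"] = m.group(1), m.group(2)
        m = INTENT_RE.search(line)
        if m:
            current["intent"] = m.group(1)
    return events


def triage(event, unauth_user="WSGUEST", appl_profile="BBGZDFLT"):
    """Classify one event: (verdict, explanation) following the guidance on this page."""
    if event["user"] != unauth_user:
        return ("normal_authorization_failure",
                "authenticated user lacks access; review the profile's access list as usual")
    if event["class"] == "APPL" and event["resource"] == appl_profile:
        return ("permit_appl_profile",
                f"expected exception: PERMIT {appl_profile} CLASS(APPL) ID({unauth_user}) ACCESS(READ)")
    return ("investigate_authentication",
            f"request reached {event['class']} {event['resource']} unauthenticated; "
            "do not PERMIT the unauthenticated user, find out why authentication did not occur")


def triage_log(log_text, **kwargs):
    """Return (user, class, resource, verdict) for every ICH408I in the log."""
    return [(e["user"], e["class"], e["resource"], triage(e, **kwargs)[0])
            for e in parse_ich408i(log_text)]


if __name__ == "__main__":
    for event in parse_ich408i(SAMPLE_LOG):
        verdict, why = triage(event)
        print(f"{event['user']:<8} {event['class']:<8} {event['resource']:<20} {verdict}: {why}")
```

Feeding real SYSLOG output through parse_ich408i requires only that each message's ICH408I line and its resource line survive extraction; the verdicts separate the one legitimate PERMIT from the cases where the fix belongs in the authentication path.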