[Version 5.0.2 and later] Installing and configuring a custom System Authorization Facility mapping module for WebSphere Application Server

To use a pluggable login module to map a Java 2 Platform, Enterprise Edition (J2EE) identity to a Resource Access Control Facility (RACF) user, a pluggable mapping module followed by a WebSphere Application Server for z/OS-supplied module must be configured in the appropriate Java Authentication and Authorization Service (JAAS) system login configurations. This enables an installation to configure the active WebSphere Application Server user registry as either Lightweight Directory Access Protocol (LDAP) or a Custom registry and still use System Authorization Facility (SAF) authorization.

Before proceeding, make sure you know how to write a mapping module to get a SAF identity. For more information, refer to Writing a custom System Authorization Facility mapping module for WebSphere Application Server. If you use anything other than the sample, you must build the relevant classes and install them into the <WAS_HOME>/classes directory for each node in the cell, including the deployment manager node in a Network Deployment cell. If Java 2 security is enabled, ensure that the server.policy file is updated to provide appropriate permissions.

The custom SAF mapping module (either com.ibm.websphere.security.SampleSAFMappingModule or a customer-written mapping module) must be added to each of the system login module entries below, and must then be manually moved to the second-to-last position in the module order for those system login modules, as indicated below.

Note: For a base configuration, if you select SWAM as your authentication mechanism, update the SWAM_ZOSMAPPING entry. However, if you plan to use LTPA as your authentication mechanism, set up all four system login module entries. For an ND configuration, you only need to configure the LTPA authentication mechanism configuration entries.

To add a custom SAF mapping module to one of the system login modules listed above, log on to the administrative console application and:

  1. Click Security > JAAS Configuration > System Logins > login_module_name > JAAS Login Modules > New.
  2. Enter the class name of the custom login module in the Module Classname field. (Use com.ibm.websphere.security.SampleSAFMappingModule for the shipped sample module.) Click Apply to add the new module to the login module list.
  3. Click Security > JAAS Configuration > System Logins > login_module_name > JAAS Login Modules > Set Order.
  4. The new mapping module is probably at the end of the list, and must come before com.ibm.ws.security.common.auth.module.MapPlatformSubject. You must click the check box next to the new mapping module, then click Move up. When the mapping modules are in the correct order, click Apply, then Save, and Save (be sure to select Synchronize changes with Nodes if you are working with a Network Deployment cell).

Make these changes for each of the system login modules needed for your WebSphere Application Server for z/OS configuration. The choice of which system login modules are needed is based on your authentication mechanism (SWAM or LTPA).

Note: If the SAF identity mapping module you installed has configurable properties, you can update them by creating custom properties in the system login panel in the administrative console. Use this example to update properties if you used the SampleSAFMappingModule as a prototype and updated the else clause to provide custom mapping logic. In this case you must create the useWSPrincipalName custom property and set it to false for each affected JAAS login configuration that uses the modified SampleSAFMappingModule.

  1. Click Security > JAAS Configuration > System Logins > jaas_configuration_entryName > JAAS Login Modules > com.ibm.websphere.security.SampleSAFMappingModule > Custom Properties > New.
  2. Enter the custom property name useWSPrincipalName and the value false. Then click Apply, Save, and Save.

Repeat this process for each of the system login modules that use the modified SampleSAFMappingModule.
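
The following check is an added example, not IBM-supplied code: it audits a hand-transcribed copy of the Set Order panel for each system login entry against the ordering rule and the useWSPrincipalName setting described above. The input structure, the EXAMPLE_ENTRY alias and the example.FirstLoginModule class are assumptions made for illustration.

```python
# Added example: audit module order for JAAS system login entries.
MAPPER = "com.ibm.websphere.security.SampleSAFMappingModule"
PLATFORM = "com.ibm.ws.security.common.auth.module.MapPlatformSubject"


def audit_entry(modules, mapper=MAPPER, modified_sample=False):
    """modules: ordered list of (class_name, custom_properties) tuples.

    Returns a list of findings; an empty list means the entry is consistent
    with the procedure above.
    """
    names = [name for name, _ in modules]
    if mapper not in names:
        return ["mapping module is not configured"]
    if PLATFORM not in names:
        return ["MapPlatformSubject is not configured"]
    findings = []
    pos = names.index(mapper)
    if pos > names.index(PLATFORM):
        # Typical state right after step 2: the new module sits at the end.
        findings.append("mapping module runs after MapPlatformSubject")
    elif pos != len(names) - 2:
        findings.append("mapping module is not second to last")
    if modified_sample:
        # Only relevant when the sample's else clause carries custom logic.
        value = str(modules[pos][1].get("useWSPrincipalName", ""))
        if value.lower() != "false":
            findings.append("useWSPrincipalName is not set to false")
    return findings


def audit(config, **kwargs):
    """Run audit_entry over every login entry alias in config."""
    return {alias: audit_entry(mods, **kwargs) for alias, mods in config.items()}


# Constructed sample input; EXAMPLE_ENTRY is a placeholder alias.
SAMPLE = {
    "SWAM_ZOSMAPPING": [
        ("example.FirstLoginModule", {}),
        (MAPPER, {"useWSPrincipalName": "false"}),
        (PLATFORM, {}),
    ],
    "EXAMPLE_ENTRY": [
        ("example.FirstLoginModule", {}),
        (PLATFORM, {}),
        (MAPPER, {}),
    ],
}

if __name__ == "__main__":
    for alias, findings in audit(SAMPLE, modified_sample=True).items():
        print(alias, "OK" if not findings else findings)
```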

For more information, refer to:


Related reference
Login configuration for Java Authentication and Authorization Service



Searchable topic ID:   csecinstallsafmapmods
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/csec_installsafmapmods.html
