Define variables for security domain configuration - definitions

This article lists definitions for the terms you will come across in the WebSphere Application Server for z/OS Customization Dialog.

Note: Some term definitions--those that you cannot set in the related panel--are not displayed. To see the definition, you must go to the Information Center article for the panel on which you can change that particular term.

Security Domain Configuration (1 of 3)

In some of the following, specifying "Y" (yes) tells the dialog to define the profile or enable an option. Specifying "N" (no) tells the dialog to not define the profile or enable the option.

Use security domain identifier in RACF definitions
Specify "Y" if you want to use a security domain identifier in your Resource Access Control Facility (RACF) definitions, which will cause the Customization Dialog jobs to use the security domain identifier as the APPL and PASSTKT profile name, and to use it as a middle level or prefix in all CBIND and EJBROLE profiles generated by WebSphere Application Server for z/OS. The WebSphere Application Server for z/OS runtime also uses this information to indicate the profiles that require checking.

If you specify "Y", ensure you also specify a standard RACF 8-character type prefix for the security domain name. Selecting "N" will ignore any security domain identifier value specified.

Security domain identifier
If you are using a security domain identifier, specify its name here. It is generally a good idea to make the value the same as the short name of the WebSphere Application Server for z/OS cell that uses it.

Rule: The security domain identifier name must contain 8 or fewer characters.

Note: This value is also stored as a custom property in the Global Security definition in the Administrative Console.

Sysplex name
The sysplex name for the target z/OS system on which WebSphere Application Server for z/OS is installed.

Tip: If you are not sure what the system name (&SYSNAME) and sysplex name (&SYSPLEX) are, display them using the console command D SYMBOLS on the target z/OS system.

WebSphere Application Server Administrator Information:

User ID
The user ID you use to perform administrative actions against your server.
UID
The numeric user identifier for the WebSphere Application Server for z/OS administrator user ID.
Password
The password for the WebSphere Application Server for z/OS administrator user ID.

Unauthenticated User Definitions for Base Servers:

User ID
If you allow unauthenticated client requests, this is the default user ID under which those requests run.
UID
The numeric user identifier for the unauthenticated user.
Group
The group for unauthenticated users.
GID
The numeric group identifier for unauthenticated users.

WebSphere Application Server Asynchronous Administration Task:

User ID
Specifies the user ID under which the administration asynchronous operations procedure executes. Ensure that the user ID has permission to all four of the administrative roles and exists in the same RACF group as all the Application Servers.
UID
The user identifier for the WebSphere asynchronous administration task user ID.

WebSphere Application Server Configuration Group Information:

Group
Specifies an additional group for application server servant regions. This is used to control access to resources that are external to the Application Server (for example, DB2).
GID
The numeric group identifier for the WebSphere servant group.

Configure for local OS security registry
Specify "Y" if you plan to configure WebSphere Application Server for z/OS security to use the Local OS Security Registry (such as RACF or another security product compliant with the System Authorization Facility (SAF)) as the active registry for user authentication and identification. Specify "N" if you plan to configure WebSphere Application Server for z/OS security to use an LDAP or custom registry.

Security Domain Configuration (2 of 3)

In some of the following, specifying "Y" (yes) tells the dialog to define the profile or enable an option. Specifying "N" (no) tells the dialog to not define the profile or enable the option.

SSL Customization:

Certificate authority keylabel
Name of the keylabel that identifies the WebSphere Application Server for z/OS certificate authority (CA) that is generated when you run the RACF jobs.
Generate certificate authority (CA) certificate
Select "Y" to generate a new CA certificate. Select "N" to have an existing CA certificate generate server certificates.
Expiration date for CA authority
The expiration date used for any X509 Certificate Authority certificates, as well as the expiration date for the personal certificates generated for WebSphere Application Server for z/OS servers. You must specify this even if you selected "N" for "Generate Certificate Authority (CA) certificate."
Default RACF keyring name
The default name given to the RACF key ring. The key ring names created for repertoires are all the same within a cell.
Enable SSL on location service daemon
Select "Y" if you wish to support secure communications using Internet Inter-ORB Protocol (IIOP) to the location service daemon using SSL. If you specify "Y", a RACF key ring is generated for the location service daemon to use.

Additional z/OS Security Customization Options:

Generate default RACF realm name
Specify "Y" if you want to generate a default RACF realm name, which is a sysplex-wide SAF setting used to identify a particular RACF (or compliant) database. The CSIV2 protocol uses this value to identify the security realm for Local OS authentication.

Note:

Default RACF realm name
If you are generating a default RACF realm name, specify its name here.

Rules: In this and the following sections, ensure you follow these rules:

Use SAF EJBROLE profiles to enforce J2EE roles

Select "Y" to indicate the use of SAF EJBROLE profiles, rather than WebSphere Application Server for z/OS bindings created during application deployment, for authorization of Java 2 Platform, Enterprise Edition (J2EE) and WebSphere Application Server for z/OS administrator roles. Specifying a value of "Y":

The value specified here has no effect until WebSphere Application Server for z/OS global security is enabled.

When this variable is set to "Y", the RACF jobs generated by the customization dialog set up EJBROLE profiles required for WebSphere Application Server for z/OS run time administration and naming. Additionally, the local OS registry uses SAF authorization by default when global security is enabled. (Using SAF authorization with LDAP or custom user registries requires both a change in the user registry SAF authorization setting, and the installation of JAAS system login pluggable identity mapping modules to map WebSphere principals to SAF user IDs.)

When SAF EJBROLE profiles are used, it is the WebSphere Application Server for z/OS administrator's responsibility to ensure that SAF EJBROLE profiles are defined, and a system administrator's responsibility to complete user-to-role mapping.

If you specify a security domain identifier, SAF EJBROLE profiles must prepend the security domain identifier to the profile name. For example, if your application role is defined as Teller and your security domain identifier is defined as CELL1, then WebSphere Application Server for z/OS checks if the caller has read access to the EJBROLE profile called CELL1.Teller. If you do not use a security domain identifier, the access check is performed on the EJBROLE Teller profile.

Provide mapping for J2EE principals to SAF user IDs
Select "Y" to indicate that you wish to customize your system to include a Java Authentication and Authorization Service (JAAS) identity mapping module that maps network identities (the configured LDAP or Custom user registry) to SAF user IDs. This updates the Java Authentication and Authorization Service (JAAS) system login configurations for the WEB_INBOUND, RMI_INBOUND, DEFAULT, and SWAM_ZOSMAPPING login configuration entries.

Note:

MappingClass
If "Y" is specified above, specify the class name that performs identity mapping to a SAF user ID. The default value is the sample class provided by IBM: com.ibm.websphere.security.SampleSAFMappingModule.
Enable PassTickets for z/SAS authentication
Specify "Y" to enable PassTickets for z/SAS authentication, in which case KEYMASK is required.
PassTicket KEYMASK value

Specify any string of 16 hexadecimal characters as a secret KEYMASK for PassTickets.

Enable SAF authentication using LTPA or ICSF login tokens
Specify "Y" to enable the WebSphere Application Server for z/OS servant to authenticate users to the SAF registry without providing a password or SAF-specific authenticator. This is required when:

and either:

Setting this value to "Y" permits the WebSphere Application Server for z/OS servant runtime (an unauthorized application) to log on to z/OS with a z/OS user ID but no z/OS authenticator. This is required to establish a z/OS user ID through verification of a WebSphere Application Server for z/OS login token or a Trust Association Interceptor.

Note: Easing some traditional z/OS system restrictions places additional responsibility on the WebSphere Application Server for z/OS administrator to ensure that installed applications do not contain malicious code. You can use Java 2 security to minimize this exposure.

Use APPL Profile to restrict access to WebSphere Application Server
If the RACF class APPL is active in your installation, or if you wish to use the APPL class to restrict access to WebSphere Application Server, specify "Y" to create a profile in the APPL class that represents WebSphere Application Server for z/OS for this security domain. If the APPL class is not presently active, the customization jobs will activate it.

If you specified a security domain identifier, it is used as the APPL profile name. Otherwise, the profile name "CBS390" is used. The dialog gives this profile universal read access and also permits the WebSphere unauthenticated group for the security domain to it.
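The profile naming described for EJBROLE (the security domain identifier prepended, as in CELL1.Teller) and for APPL (the identifier, or CBS390 when none is used), together with the 8-character identifier rule and the 16-hexadecimal-character KEYMASK rule from the panels above, as an added illustration that is not IBM's code. The access table and user IDs are constructed for the example; the READ check is a mock of the SAF call, not an interface to RACF.

```python
import re

DOMAIN_ID_MAX_LEN = 8            # dialog rule: 8 or fewer characters
DEFAULT_APPL_PROFILE = "CBS390"  # used when no security domain identifier is set
KEYMASK_RE = re.compile(r"^[0-9A-Fa-f]{16}$")  # 16 hexadecimal characters
# RACF access levels in ascending order; READ is satisfied by READ or higher
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def validate_domain_id(domain_id):
    """Apply the dialog rule for the security domain identifier length."""
    if not domain_id:
        return True  # identifier not in use ("N" on the first panel)
    return len(domain_id) <= DOMAIN_ID_MAX_LEN


def ejbrole_profile(role, domain_id=None):
    """EJBROLE profile checked for a J2EE role: identifier prefixed when set."""
    return f"{domain_id}.{role}" if domain_id else role


def appl_profile(domain_id=None):
    """APPL profile name: the identifier, or CBS390 when none is used."""
    return domain_id if domain_id else DEFAULT_APPL_PROFILE


def validate_keymask(passtickets_enabled, keymask):
    """KEYMASK (16 hex chars) is required only when PassTickets are enabled."""
    if not passtickets_enabled:
        return True
    return keymask is not None and KEYMASK_RE.match(keymask) is not None


def caller_has_role(profiles, user_id, role, domain_id=None):
    """Mock SAF check: does user_id hold at least READ on the EJBROLE profile?"""
    profile = ejbrole_profile(role, domain_id)
    access = profiles.get(profile, {})          # undefined profile -> no access
    level = access.get(user_id, access.get("*", "NONE"))  # "*" stands for UACC
    return ACCESS_ORDER.index(level) >= ACCESS_ORDER.index("READ")


# Constructed sample access lists standing in for RACF EJBROLE definitions.
SAMPLE_PROFILES = {
    "CELL1.Teller": {"TELLER1": "READ", "*": "NONE"},
    "Teller": {"TELLER2": "UPDATE", "*": "NONE"},
}

if __name__ == "__main__":
    print(ejbrole_profile("Teller", "CELL1"))                              # CELL1.Teller
    print(caller_has_role(SAMPLE_PROFILES, "TELLER1", "Teller", "CELL1"))  # True
    print(caller_has_role(SAMPLE_PROFILES, "TELLER1", "Teller"))           # False
```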

Security Domain Configuration (3 of 3)

WebSphere Application Server user ID home directory
Specify a new or existing z/OS HFS directory in which home directories for WebSphere Application Server for z/OS user IDs will be created by the customization process. This directory does not need to be shared among z/OS systems in a WebSphere Application Server cell.

Related concepts
Setting up WebSphere Application Server for z/OS security
Related reference
Define variables for security domain configuration - worksheets



Searchable topic ID:   rinsdefvar1def
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/rins_defvar1def.html
