Setting up WebSphere Application Server for z/OS security
WebSphere Application Server for z/OS supports access to resources
by clients and servers in a distributed network. Determine how to control
access to these resources and prevent inadvertent or malicious destruction
of the system or data.
These are the pieces in the distributed network that you must consider:
- You must authorize servers to the base operating system services in z/OS
or OS/390. These services include SAF security, database management, and transaction
management.
- For the server clusters, you must distinguish between controllers and
servants. Controllers run authorized system code, so they are trusted. Servants
run application code and are given access to resources, so carefully consider
the authorization you give servants.
- You must also distinguish between the level of authority that run-time
servers have and the level that your own application servers have. For example,
the node needs the authority to start other clusters, while your own application
clusters do not need this authority.
- You must authorize clients (users) to servers and objects within servers.
The characteristics of each client require special consideration:
  - Is the client on the local system or is it remote? The security of the
  network becomes a consideration for remote clients.
  - Will you allow unidentified (unauthenticated) clients to access the system?
  Some resources on your system might be intended for public access, while others
  you might need to protect. To access protected resources, clients must establish
  their identities and have authorization to use those resources.
- Authentication is the process of establishing the identity of a
client in a particular context. A client can be an end user, a machine, or
an application. The term authentication mechanism in WebSphere Application
Server on z/OS refers more specifically to the facility in which WebSphere
identifies an authenticated identity, using HTTP and JMX facilities. When
configuring a cell, you must select a single authentication mechanism. The
choices for authentication mechanism include:
  - Simple WebSphere Authorization Mechanism (SWAM) - only on Base Application
  Server, not available on the Network Deployment configuration
  - Lightweight Third Party Authentication (LTPA)
  - Integrated Cryptographic Service Facility (ICSF)
- Information about users and groups resides in a user registry. In WebSphere
Application Server, a user registry authenticates a user and retrieves information
about users and groups to perform security-related functions, including authentication
and authorization. Implementation is provided to support multiple operating
system or operating environment-based user registries. When configuring a
cell, you must select a single user registry. The user registry can be local
or remote. The choices for user registry include:
  - SAF-based local registry (default)
  - Lightweight Directory Access Protocol (LDAP) - LDAP can be either a local
  or remote registry
  - Custom user registry - A custom user registry is set up to meet unique
  registry needs. WebSphere provides a simple user registry sample called the
  FileBasedRegistrySample.
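The following is an added example, not the FileBasedRegistrySample or any IBM code: a minimal file-style registry in plain Java that answers the two questions a registry is consulted for, whether a password is valid for a user and which groups the user belongs to. Its two public methods are named after checkPassword and getGroupsForUser on the com.ibm.websphere.security.UserRegistry interface that a real custom registry implements, but the interface has more methods and the shapes used here are an assumption; the record format, user names and passwords are constructed for the example, and it stores salted SHA-256 digests rather than clear-text passwords and compares them in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
/* Record format (constructed for this example): user:salt:sha256hex:group1,group2 */
public class MinimalFileRegistry {
    private final Map<String, String[]> records = new HashMap<>();
    public MinimalFileRegistry(String contents) {
        for (String line : contents.split("\n")) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] f = line.split(":", 4);
            if (f.length != 4) throw new IllegalArgumentException("bad record: " + line);
            records.put(f[0], f);
        }
    }
    // Shaped after UserRegistry.checkPassword (assumed shape): returns the security name or throws.
    public String checkPassword(String user, String password) {
        String[] f = records.get(user);
        // Hash even for unknown users so response time does not reveal whether a name exists.
        byte[] actual = sha256Hex((f == null ? "" : f[1]) + password).getBytes(StandardCharsets.UTF_8);
        byte[] expected = (f == null ? "" : f[2]).getBytes(StandardCharsets.UTF_8);
        if (f == null || !MessageDigest.isEqual(expected, actual)) // constant-time comparison
            throw new SecurityException("authentication failed for " + user);
        return user;
    }
    // Shaped after UserRegistry.getGroupsForUser (assumed shape); group names feed role mapping.
    public List<String> getGroupsForUser(String user) {
        String[] f = records.get(user);
        if (f == null || f[3].isEmpty()) return Collections.emptyList();
        return Arrays.asList(f[3].split(","));
    }
    static String sha256Hex(String s) {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte x : MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)))
                hex.append(String.format("%02x", x));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    // Builds one record; the digest covers salt + password so equal passwords differ on disk.
    static String record(String user, String salt, String password, String groups) {
        return user + ":" + salt + ":" + sha256Hex(salt + password) + ":" + groups;
    }
    public static void main(String[] args) {   // constructed sample registry, built at run time
        MinimalFileRegistry reg = new MinimalFileRegistry(record("alice", "x7Q2", "s3cret", "wasadmins,deployers")
            + "\n" + record("bob", "p9Lm", "pa55", ""));
        System.out.println(reg.checkPassword("alice", "s3cret") + " " + reg.getGroupsForUser("alice"));
        try { reg.checkPassword("alice", "wrong"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Whatever registry you select, the server trusts its answers for every authorization decision that follows, so its storage and its network path (for a remote LDAP registry) need the same protection as the resources it guards.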
If you need to protect resources, it is critical that you identify who
accesses those resources. Thus, any security system requires client (user)
identification, also known as authentication. In a distributed network supported
by WebSphere Application Server for z/OS, clients can access resources from:
- Within the same system as a server
- Within the same sysplex as the server
- Remote z/OS or OS/390 systems
- Heterogeneous systems, such as WebSphere Application Server on distributed
platforms, CICS, or other J2EE-compliant systems.
Additionally, clients can request a service that requires a server to forward
the request to another cluster. In such cases, the system must handle delegation,
that is, making the client identity available for use by intermediate clusters and
target clusters.
Finally, in a distributed network, how do you verify that messages being
passed are confidential and have not been tampered with? How
do you verify that clients are who they claim to be? How do you map network
identities to z/OS or OS/390 identities? These issues are addressed by the
following support in WebSphere Application Server for z/OS:
- The use of SSL and digital certificates
- Kerberos
- Common Secure Interoperability, Version 2 (CSIv2)

Selecting a user registry
Selecting an authentication mechanism
Authorization checking
Setting permission for files created by applications
Setting up RACF protection for DB2
Understanding System Authorization Facility profile names generated by the Customization Dialog

Implementing security considerations
Steps for enabling global security for WebSphere Application Server
Setting up Secure Sockets Layer security for WebSphere Application Server for z/OS

Security customization dialog settings
PropFilePasswordEncoder command reference
Searchable topic ID:
csecsettingup
Last updated: Jun 21, 2007 9:56:50 PM CDT
WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/csec_settingup.html