Define variables for security domain configuration - definitions
This article lists definitions for the terms you will come across in the
WebSphere Application Server for z/OS Customization Dialog.
Note: Some term definitions (those for terms that you cannot set in the related
panel) are not displayed. To see such a definition, go to the Information Center
article for the panel on which you can change that particular term.
Security Domain Configuration (1 of 3)
In some of the following, specifying "Y" (yes) tells the dialog to define
the profile or enable an option. Specifying "N" (no) tells the dialog to not
define the profile or enable the option.
- Use security domain identifier in RACF definitions
- Specify "Y" if you want to use a security domain identifier in your Resource
Access Control Facility (RACF) definitions, which will cause the Customization
Dialog jobs to use the security domain identifier as the APPL and PASSTKT
profile name, and to use it as a middle level or prefix in all CBIND and
EJBROLE profiles generated by WebSphere Application Server for z/OS. The WebSphere
Application Server for z/OS runtime also uses this information to indicate
the profiles that require checking.
If you specify "Y", ensure that you also specify a standard RACF 8-character
prefix for the security domain name. If you select "N", any security domain
identifier value that you specify is ignored.
- Security domain identifier
- If you are using a security domain identifier, specify its name here.
It is generally a good idea to make the value the same as the short name of
the WebSphere Application Server for z/OS cell that uses it.
Rule: The
security domain identifier name must contain 8 or fewer characters.
Note: This value is also stored as a custom property in the Global Security
definition in the Administrative Console.
- Sysplex name
- The sysplex name for the target z/OS system on which WebSphere Application
Server for z/OS is installed.
Tip: If you are not sure what the
system name (&&SYSNAME) and sysplex name (&&SYSPLEX) are,
display them using the console command D SYMBOLS on the target z/OS system.
WebSphere Application Server Administrator Information:
- User ID
- The user ID you use to perform administrative actions against your server.
- UID
- The numeric user identifier for the WebSphere Application Server for z/OS
administrator user ID.
- Password
- The password for the WebSphere Application Server for z/OS administrator
user ID.
Unauthenticated User Definitions for Base Servers:
- User ID
- If you allow unauthenticated client requests, this is the default user
ID under which those requests run.
- UID
- The numeric user identifier for the unauthenticated user.
- Group
- The group for unauthenticated users.
- GID
- The numeric group identifier for unauthenticated users.
WebSphere Application Server Asynchronous Administration Task:
- User ID
- Specifies the user ID under which the asynchronous administration operations
procedure executes. Ensure that the user ID has permission to all four of
the administrative roles and exists in the same RACF group as all the Application
Servers.
- UID
- The user identifier for the WebSphere asynchronous administration task
user ID.
WebSphere Application Server Configuration Group Information:
- Group
- Specifies an additional group for application server servant regions.
This is used to control access to resources that are external to the Application
Server (for example, DB2).
- GID
- The numeric group identifier for the WebSphere servant group.
- Configure for local OS security registry
- Specify "Y" if you plan to configure WebSphere Application Server for
z/OS security to use the Local OS Security Registry (such as a RACF or other
security product compliant with System Authorization Facility (SAF)) as the
active registry for user authentication and identification. Specify "N" if
you plan to configure WebSphere Application Server for z/OS security to use
an LDAP or custom registry.
Security Domain Configuration (2 of 3)
In some of the following, specifying "Y" (yes) tells the dialog to define
the profile or enable an option. Specifying "N" (no) tells the dialog to not
define the profile or enable the option.
SSL Customization:
- Certificate authority keylabel
- Name of the keylabel that identifies the WebSphere Application Server
for z/OS certificate authority (CA) that is generated when you run the RACF
jobs.
- Generate certificate authority (CA) certificate
- Select "Y" to generate a new CA certificate. Select "N" to use an existing
CA certificate to generate the server certificates.
- Expiration date for CA authority
- The expiration date used for any X509 Certificate Authority certificates,
as well as the expiration date for the personal certificates generated for
WebSphere Application Server for z/OS servers. You must specify this even
if you selected "N" for "Generate Certificate Authority (CA) certificate."
- Default RACF keyring name
- The default name given to the RACF key ring. The key ring names created
for repertoires are all the same within a cell.
- Enable SSL on location service daemon
- Select "Y" if you wish to support secure communications to the location
service daemon using Internet Inter-ORB Protocol (IIOP) over SSL. If you specify
"Y", a RACF key ring is generated for the location service daemon to use.
Additional z/OS Security Customization Options:
- Generate default RACF realm name
- Specify "Y" if you want to generate a default RACF realm name, which is
a sysplex-wide SAF setting used to identify a particular RACF (or compliant)
database. The CSIV2 protocol uses this value to identify the security realm
for Local OS authentication.
Note:
- Only one value is in effect at any one time, so set this up only once
per sysplex.
- The CSIV2 Local OS registry uses the location service daemon IP name as
the security realm name if there is no value in RACF.
- Default RACF realm name
- If you are generating a default RACF realm name, specify its name here.
Rules: In
this and the following sections, ensure you follow these rules:
- User IDs and groups must be unique names (1 to 8 characters).
- UIDs must be unique numbers, between 1 and 2,147,483,647, within the system.
- Do not assign a UID of 0 (superuser) to any of these users.
- GIDs should be unique numbers between 1 and 2,147,483,647.
- Use SAF EJBROLE profiles to enforce J2EE roles
- Select "Y" to indicate the use of SAF EJBROLE profiles, rather than WebSphere
Application Server for z/OS bindings created during application deployment,
for authorization of Java 2 Platform, Enterprise Edition (J2EE) and WebSphere
Application Server for z/OS administrator roles. Specifying a value of "Y":
- Triggers the RACF jobs generated by the customization dialog to generate
sample EJBROLE profiles and restrict access to WebSphere Application Server
for z/OS administration and naming services
- Updates the Local OS registry definition to use EJBROLE profiles to authorize
WebSphere Application Server for z/OS roles (SAF authorization is set to true)
The value specified here has no effect until WebSphere Application Server
for z/OS global security is enabled. When this variable is set to "Y",
the RACF jobs generated by the customization dialog set up EJBROLE profiles
required for WebSphere Application Server for z/OS run time administration
and naming. Additionally, the local OS registry uses SAF authorization by
default when global security is enabled. (Using SAF authorization with LDAP
or custom user registries requires both a change in the user registry SAF
authorization setting, and the installation of JAAS system login pluggable
identity mapping modules to map WebSphere principals to SAF user IDs.)
When
SAF EJBROLE profiles are used, it is the WebSphere Application Server for
z/OS administrator's responsibility to ensure that SAF EJBROLE profiles are
defined, and a system administrator's responsibility to complete user-to-role
mapping.
If you specify a security domain identifier, SAF EJBROLE profiles
must prepend the security domain identifier to the profile name. For example,
if your application role is defined as Teller and your security domain
identifier is defined as CELL1, then WebSphere Application Server
for z/OS checks if the caller has read access to the EJBROLE profile called CELL1.Teller.
If you do not use a security domain identifier, the access check is performed
on the EJBROLE Teller profile.
- Provide mapping for J2EE principals to SAF user IDs
- Select "Y" to indicate that you wish to customize your system to include
a Java Authentication and Authorization Service (JAAS) identity mapping module
that maps network identities (the configured LDAP or Custom user registry)
to SAF user IDs. This updates the Java Authentication and Authorization Service
(JAAS) system login configurations for the WEB_INBOUND, RMI_INBOUND, DEFAULT,
and SWAM_ZOSMAPPING login configuration entries.
Note:
- If you specify "Y", the mapping class you specify must be available to the
WebSphere Application Server for z/OS runtime before you enable global security.
If you use anything other than the IBM-provided sample, you must build the
relevant classes and install them in the classes directory of the Application
Server and the Deployment Manager (on all nodes in the cell).
- If Java 2 security is enabled, make sure that the server.policy file is
updated to provide the appropriate permissions.
- Ensure that the code is trusted; it must be treated with the same care
as an APF-authorized module. The default configuration is accessed from the
z/OS controller.
- MappingClass
- If "Y" is specified above, specify the name of the class that performs identity
mapping to a SAF user ID. The default value is the sample class provided by
IBM, com.ibm.websphere.security.SampleSAFMappingModule.
- Enable PassTickets for z/SAS authentication
- Specify "Y" to enable PassTickets for z/SAS authentication, in which case
KEYMASK is required.
- PassTicket KEYMASK value
- Specify any string of 16 hexadecimal characters as a secret KEYMASK
for PassTickets.
- Enable SAF authentication using LTPA or ICSF login tokens
- Specify "Y" to enable the WebSphere Application Server for z/OS servant
to authenticate users to the SAF registry without providing a password or
SAF-specific authenticator. This is required when:
- WebSphere Application Server for z/OS security is enabled
- Local OS is the active registry
and either:
- ICSF or LTPA is the authentication mechanism OR
- A Trust Association Interceptor is in use.
Setting this value to "Y" permits the WebSphere Application Server for
z/OS servant runtime (an unauthorized application) to log on to z/OS with
a z/OS user ID but no z/OS authenticator. This is required to establish a z/OS
user ID through verification of a WebSphere Application Server for z/OS login
token or through a Trust Association Interceptor.
Note: Easing some traditional z/OS system restrictions places additional
responsibility on the WebSphere Application Server for z/OS administrator to
ensure that installed applications do not contain malicious code. You can use
Java 2 security to minimize this exposure.
- Use APPL Profile to restrict access to WebSphere Application Server
- If the RACF class APPL is active in your installation, or if you wish
to use the APPL class to restrict access to WebSphere Application Server,
specify "Y" to create a profile in the APPL class that represents WebSphere
Application Server for z/OS for this security domain. If the APPL class is not
presently active, the customization jobs activate it.
If you specified a security domain identifier, it is used as the APPL profile
name. Otherwise, a profile name of "CBS390" is used. The dialog gives universal
read access to this profile and also permits the WebSphere unauthenticated group
for the security domain to access it.
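As an added example (not part of the IBM article), the following Python checks a constructed worksheet of the values this section defines against its stated rules (1 to 8 character user IDs and groups, unique UIDs and GIDs between 1 and 2,147,483,647, no UID of 0, a 16-hexadecimal-character PassTicket KEYMASK, a security domain identifier of 8 or fewer characters) and builds the EJBROLE profile name that the server checks when a security domain identifier is in use. The user IDs, UIDs, groups, GIDs and KEYMASK in the worksheet are invented sample values.

```python
import re

MAX_ID = 2_147_483_647  # upper bound for UIDs and GIDs stated in the rules

# Constructed worksheet for a hypothetical cell; all names and numbers are made-up samples.
WORKSHEET = {
    "security_domain_id": "CELL1",
    "users": {  # user ID -> (UID, group, GID)
        "WSADMIN": (2400, "WSCFG1", 2500),
        "WSGUEST": (2402, "WSGUEST", 2502),
        "WSADMSH": (0, "WSCFG1", 2500),  # deliberate violation: UID 0 (superuser)
    },
    "passticket_keymask": "0123456789ABCDEF",
}

def ejbrole_profile(role, security_domain_id=None):
    """EJBROLE profile the server checks for READ access: the security domain
    identifier is prepended with a dot when one is in use, e.g. CELL1.Teller."""
    return f"{security_domain_id}.{role}" if security_domain_id else role

def validate(ws):
    """Return a list of rule violations found in the worksheet values."""
    findings = []
    sdid = ws.get("security_domain_id")
    if sdid is not None and not 1 <= len(sdid) <= 8:
        findings.append(f"security domain identifier {sdid!r} must be 1-8 characters")
    seen_uids, seen_gids = {}, {}
    for user, (uid, group, gid) in ws["users"].items():
        for name in (user, group):
            if not 1 <= len(name) <= 8:
                findings.append(f"name {name!r} must be 1-8 characters")
        if uid == 0:
            findings.append(f"user {user} has UID 0 (superuser), which is not allowed")
        elif not 1 <= uid <= MAX_ID:
            findings.append(f"user {user} UID {uid} is outside 1-{MAX_ID}")
        if seen_uids.setdefault(uid, user) != user:  # same UID, different user ID
            findings.append(f"UID {uid} is shared by {seen_uids[uid]} and {user}")
        if not 1 <= gid <= MAX_ID:
            findings.append(f"group {group} GID {gid} is outside 1-{MAX_ID}")
        if seen_gids.setdefault(gid, group) != group:  # same GID, different group
            findings.append(f"GID {gid} is shared by {seen_gids[gid]} and {group}")
    keymask = ws.get("passticket_keymask", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", keymask):
        findings.append("PassTicket KEYMASK must be exactly 16 hexadecimal characters")
    return findings

if __name__ == "__main__":
    for finding in validate(WORKSHEET):
        print("FINDING:", finding)
```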
Security Domain Configuration (3 of 3)
- WebSphere Application Server user ID home directory
- Specify a new or existing z/OS HFS directory in which home directories
for WebSphere Application Server for z/OS user IDs will be created by the
customization process. This directory does not need to be shared among z/OS
systems in a WebSphere Application Server cell.

Searchable topic ID:
rinsdefvar1def
Last updated: Jun 21, 2007 9:56:50 PM CDT
WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/rins_defvar1def.html