[Version 5.0.2 and later] Configuring local operating system user registries

Before you begin

When a Local OS Registry is chosen for z/OS, the started task identity is chosen as the server identity. Thus, a user ID and password are not required to configure the server.

Note: Each started task (for example, controller, servant, node agent, and so on) might have a different identity.

For all servers in a given cell to have the authority needed by the administrative subsystem, they must be part of a common configuration group. This customization is generally provided by the configuration dialogs when WebSphere Application Server for z/OS is initially customized.

Why and when to perform this task

Perform the following steps when setting up security for the first time.

Steps for this task

  1. Click Security > Global security > Local OS > SAF Authorization, and then click the Authorization box.

    For more information on SAF authorization, see Controlling access to console users using System Authorization Facility. For more information on administrative roles, see Admin roles.

    If your changes are not validated, the server might not restart.

  2. Under Additional Properties, click Custom Properties.
    Under Custom Properties, you can set the following properties:
    com.ibm.security.SAF.unauthenticated
    This property indicates the MVS user ID that is used to represent unprotected servlet requests and is used for the following functions:
    • Authorization if an unprotected servlet invokes an entity bean.
    • Identification of an unprotected servlet for invoking a z/OS connector (Customer Information Control System (CICS), Information Management System (IMS)) that uses a current identity when res-auth=container.
    com.ibm.security.SAF.authorization
    This property can be set to true or false. When this property is set to true, SAF EJBROLE profiles are used for user-to-role authorization for both J2EE applications and the role-based authorization requests (naming and administration) associated with the WebSphere Application Server run time.
    com.ibm.security.SAF.delegation
    This property specifies that SAF EJBROLE definitions are used to assign which MVS user ID becomes the active identity when you select the RunAs specified role.
    com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress [Version 5.0.2 and later]
    This property is located in the Administrative Console under Global Security > User Registry > LocalOS > Custom Properties > com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress and allows you to turn ICH408I messages on or off. The default value for this property is false, which does not suppress messages. You can set this value to true to suppress the ICH408I messages.

    [Version 5.0.2 and later] SMF records access violations no matter what value is specified for this new property. This property affects access violation message generation for both application-defined roles and for WebSphere runtime-defined roles for the naming and administrative subsystems. EJBROLE profile checks are done for both declarative (deployment descriptor) and programmatic checks:

    • Declarative checks are coded as SecurityConstraints in Web application deployment descriptors and in EJB deployment descriptors. This property is not used to control messages in this case. Instead, a set of roles is permitted, and if an access violation occurs, an ICH408I access violation message indicates a failure for one of the roles. SMF then logs a single access violation (for that role).
    • Program logic checks (or access checks) are performed using the programmatic isCallerInRole(x) for EJB or isUserInRole(x) for Web applications. The com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property controls the messages generated by this call.
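As an added example that is not part of the IBM page, the following Python review checks a set of the Local OS custom property values described above for malformed or audit-weakening settings. The property names are the page's; the MVS user ID syntax rule and the sample values are the author's assumptions.

```python
"""Review WebSphere for z/OS Local OS (SAF) custom properties before saving them."""
import re

# Property names come from the page; everything else here is an assumption.
SAF_PROPS = {
    "com.ibm.security.SAF.unauthenticated",
    "com.ibm.security.SAF.authorization",
    "com.ibm.security.SAF.delegation",
    "com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress",
}
BOOL_PROPS = {
    "com.ibm.security.SAF.authorization",
    "com.ibm.security.SAF.delegation",
    "com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress",
}
# Assumed RACF user ID syntax: 1-8 characters from A-Z, 0-9, #, $, @, not starting with a digit.
MVS_USERID = re.compile(r"^[A-Z#$@][A-Z0-9#$@]{0,7}$")


def as_bool(value):
    """Map a property string to True/False; None if it is neither 'true' nor 'false'."""
    return {"true": True, "false": False}.get(value.strip().lower())


def review_saf_properties(props):
    """Return a list of finding strings for a dict of property name -> value."""
    findings = []
    for name in props:
        if name not in SAF_PROPS:  # names are case-sensitive, so a typo silently does nothing
            findings.append("unknown property %r (check spelling and case)" % name)
    for name in sorted(BOOL_PROPS):
        if name in props and as_bool(props[name]) is None:
            findings.append("%s must be 'true' or 'false', got %r" % (name, props[name]))
    unauth = props.get("com.ibm.security.SAF.unauthenticated")
    if unauth is not None and not MVS_USERID.match(unauth.upper()):
        findings.append("SAF.unauthenticated %r is not a valid MVS user ID" % unauth)
    if as_bool(props.get("com.ibm.security.SAF.authorization", "false")) is False:
        findings.append("SAF.authorization is false: EJBROLE profiles are not used for role checks")
    # Suppressing ICH408I hides failed programmatic isCallerInRole/isUserInRole checks
    # from the console log; SMF still records them, so SMF review must cover that gap.
    if as_bool(props.get("com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress", "false")):
        findings.append("ICH408I suppressed: programmatic EJBROLE failures appear only in SMF")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for line in review_saf_properties({"com.ibm.security.SAF.authorization": "yes",
                                       "com.ibm.security.SAF.unauthenticated": "1bad_id!"}):
        print(line)
```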

Results

The Local OS user registry has been configured.

What to do next

  1. If you are enabling security, complete the remaining steps. As the final step, ensure that you validate the user and password by clicking OK or Apply in the Global Security panel. Save, stop, and start all the product servers.
  2. For any changes in this panel to be effective, you need to save, stop and start all the product servers (deployment managers, nodes and Application Servers).
  3. If the server comes up without any problems, the setup is correct.

Related concepts
Local operating system user registries
Lightweight Directory Access Protocol
Related tasks
Configuring global security
Controlling access to console users using System Authorization Facility
Related reference
Custom user registries
Local operating system user registry settings



Searchable topic ID:   tseclocalos
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tsec_localos.html
