Each controller, servant, and client must have its own MVS user ID. When a request flows from a client to the cluster or from a cluster to a cluster, WebSphere Application Server for z/OS passes the user identity (client or cluster) with the request. Thus, each request is performed on behalf of the user identity and the system checks to see if the user identity has the authority to make such a request. The tables in this article outline System Authorization Facility (SAF) and non-SAF authorizations.
Summary of z/OS security controls independent of global security setting
In a WebSphere Application Server for z/OS configuration, there are many different types of processes:
Each controller and servant must run under a valid MVS user ID assigned as part of the definition of a started task. This MVS user ID must have a valid UNIX System Services user identifier (UID) and must be connected to the WebSphere configuration group that is common to all servers in the cell, a group with a valid MVS and UNIX System Services group identifier (GID).
The following table summarizes the controls used to grant the authorizations that these controllers and servants need to access operating system resources. By understanding and using these controls, you can control all resource accesses in WebSphere Application Server for z/OS.
| Control | Authorization |
|---|---|
| DATASET class | Access to data sets |
| DSNR class | Access to Database 2 (DB2) |
| FACILITY class (IMSXCF.OTMACI) | Access to Open Transaction Manager Access (OTMA) for Information Management System (IMS) |
| HFS file permissions | Access to Hierarchical File System (HFS) files |
| LOGSTRM class | Access to log streams |
| OPERCMDS class | Access to the startServer.sh shell script and the Integral JMS Provider |
| SERVER class | Access to a controller by a servant |
| STARTED class | Associates a user ID (and optionally a group ID) with a started procedure |
| SURROGAT class (*.DFHEXCI) | Access to EXCI for Customer Information Control System (CICS) access |
The customization dialogs and the Resource Access Control Facility (RACF) customization jobs set these up for the initial server settings for the profiles marked with an asterisk (*).
Note: Examples of authorizations for the other profiles can be found in the generated exec file in HLQ.DATA(BBOWBRAC). The selection of an identity to be used for authorization to native connector resources (CICS, DB2, IMS) depends on the:
Resource managers such as DB2, IMS, and CICS have implemented their own resource controls, which control the ability of clients to access resources. When resource controls are used by DB2, use the DSNR RACF class (if you have RACF support) or issue the relevant DB2 GRANT statements. You can:
Summary of z/OS security controls in effect when global security is enabled
When global security is enabled, SSL must be available for encryption and message protection. In addition, authentication and authorization of J2EE and administrative clients is enabled.
The FACILITY class authorization needed for SSL services and the definition of SAF keyrings are required when global security is enabled. The remainder of the z/OS security controls described here are valid only when LocalOS is chosen as the registry. For a description of non-z/OS-specific WebSphere Application Server controls, refer to Assembling secured applications, Deploying secured applications, and Managing security.
When a request flows from a client to WebSphere Application Server or from a cluster to a cluster, WebSphere Application Server for z/OS passes the user identity (client or cluster) with the request. Thus, each request is performed on behalf of the user identity, and the system checks whether the user identity has the authority to make such a request. The tables in this article outline z/OS-specific authorizations using SAF.
The following table summarizes the controls used to grant authorizations to resources. By understanding and using these controls, you can control access to all resources in WebSphere Application Server for z/OS.
| Control | Authorization |
|---|---|
| CBIND class | Access to a cluster |
| EJBROLE or GEJBROLE class | Access to methods in enterprise beans |
| FACILITY class (IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING) | SSL key rings, certificates, and mappings |
| FACILITY class (IRR.RUSERMAP) | Kerberos credentials |
| PTKTDATA class | PassTicket enabling in the sysplex |
| Set OS Thread Identity to RunAs Identity | J2EE cluster property used to enable the execution identity for non-J2EE resources |
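The two tables list which SAF classes gate which accesses, but not what the RACF definitions look like in practice. The REXX exec below is an added illustration (not the page's own text and not the generated BBOWBRAC job) that ties a started task to its own MVS user ID, restricts controller access to the servant, and locks down cluster binding once global security is on. Every user ID, group, procedure, cell and cluster name in it is an assumption, and the SERVER and CBIND profile layouts are illustrative; the BBOWBRAC exec generated for your configuration shows the exact profile names.

```rexx
/* REXX - illustrative SAF setup for one WebSphere for z/OS server.  */
/* Constructed example. Assumed names: cell WSCELL, cluster WSCLU1,  */
/* controller user ID WSCR1, servant user ID WSSR1, configuration   */
/* group WSCFG1, started procedures WSCR1P / WSSR1P, client group    */
/* WSCLNTS. Assumes the FACILITY profiles already exist.             */
ADDRESS TSO

/* STARTED class: give each started procedure its own MVS user ID    */
/* and the configuration group common to all servers in the cell.    */
"RDEFINE STARTED WSCR1P.* STDATA(USER(WSCR1) GROUP(WSCFG1) TRACE(YES))"
"RDEFINE STARTED WSSR1P.* STDATA(USER(WSSR1) GROUP(WSCFG1) TRACE(YES))"

/* SERVER class: only the servant identity may attach to the         */
/* controller. UACC(NONE) first, then an explicit READ permit.       */
"RDEFINE SERVER CB.*.WSCLU1.WSCELL UACC(NONE)"
"PERMIT CB.*.WSCLU1.WSCELL CLASS(SERVER) ID(WSSR1) ACCESS(READ)"

/* CBIND class (global security enabled): control who may bind to    */
/* and call the cluster. Deny by default, grant to a client group.   */
"RDEFINE CBIND CB.BIND.WSCLU1 UACC(NONE)"
"RDEFINE CBIND CB.WSCLU1      UACC(NONE)"
"PERMIT CB.BIND.WSCLU1 CLASS(CBIND) ID(WSCLNTS) ACCESS(READ)"
"PERMIT CB.WSCLU1      CLASS(CBIND) ID(WSCLNTS) ACCESS(READ)"

/* FACILITY class: the controller needs READ on these profiles to    */
/* use its SAF keyring for SSL.                                      */
"PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(WSCR1) ACCESS(READ)"
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WSCR1) ACCESS(READ)"

/* Refresh the in-storage (RACLISTed) copies so the changes apply.   */
"SETROPTS RACLIST(STARTED SERVER CBIND FACILITY) REFRESH"

/* Verify the result instead of assuming the commands succeeded.     */
"RLIST STARTED WSCR1P.* STDATA"
"RLIST CBIND CB.BIND.WSCLU1 AUTHUSER"
EXIT 0
```

Run the RLIST output through a review before the server is started: the access list should show only the identities named above, and a UACC other than NONE on the CBIND or SERVER profiles means the deny-by-default intent was lost.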