This topic applies only on the z/OS operating system.

z/OS System Authorization Facility authorization

Use this page to configure the System Authorization Facility (SAF) and the SAF Authorization properties.

To view this administrative console page, complete the following steps:
  1. Click Security > Global Security.
  2. Under User registries, click Custom, LDAP, or Local OS.
  3. Under Additional properties, click z/OS SAF properties.

The common properties for unauthenticated user, SAF authorization, and SAF EJBROLE message suppression are no longer custom properties.

Configuration tab

Unauthenticated user ID

Specifies the MVS user ID that is used to represent unprotected servlet requests when SAF authorization is specified or a local operating system registry is configured. This user ID must be a maximum of 8 characters long.

This property definition is used in the following instances:
  • For authorization if an unprotected servlet invokes an entity bean
  • For identification of an unprotected servlet for invoking a z/OS connector such as Customer Information Control System (CICS) or Information Management System (IMS) that uses a current identity when res-auth=container
  • When an application-initiated Synch to OS thread function is attempted
For more information, see the following articles in the information center:
  • "Understanding application Synch to OS Thread Allowed"
  • "When to use application Synch to OS Thread Allowed"

Authorization

Specifies that SAF EJBROLE profiles are used for user-to-role authorization for both Java 2 Platform, Enterprise Edition applications and the role-based authorization requests (naming and administration) that are associated with the application server runtime.

If a Lightweight Directory Access Protocol (LDAP) registry or Custom registry is configured and SAF authorization is specified, a mapping to a z/OS principal is required at each login for any protected methods to run:
  • If the authentication mechanism is Lightweight Third Party Authentication (LTPA), it is recommended that you update all of the following configuration entries to include a mapping to a valid z/OS principal (such as WEB_INBOUND, RMI_INBOUND, and DEFAULT).
  • If the authentication mechanism is Simple WebSphere Authentication Mechanism (SWAM), you must update the SWAM configuration entry to include a mapping to a valid z/OS principal.

SMF audit record strategy

Determines when an audit record is written to the System Management Facility (SMF). On each authorization call, RACF or an equivalent SAF-based product can write an audit record to SMF that contains the result of the authorization check.

WebSphere Application Server for z/OS uses the SAF RACROUTE AUTH and RACROUTE FASTAUTH operations and passes the LOG option that is specified in the security configuration. The options are DEFAULT, ASIS, NOFAIL, and NONE.

To set this property, in the administrative console, complete the following steps:
  1. Click Security > Global Security.
  2. Under Additional properties, click Custom properties.
  3. Click New.
  4. In the Name field, enter com.ibm.security.SAF.Authz.Log.Option.
  5. In the Value field, enter one of the following values:
    DEFAULT
    When multiple role constraints are specified, such as when a user must be in one of a set of roles, all of the roles except for the last role are checked with the NOFAIL option. The last role is checked with the ASIS option. In this manner, if authorization is granted to any one of the roles, WebSphere Application Server writes an authorization success record. If authorization is not successful for the roles that are checked with NOFAIL, a failure record is not written for them.
    ASIS
    Specifies that audit events are recorded in the manner that is specified in the profile that protects the resource, or in the manner that is specified by the SETROPTS options.
    NOFAIL
    Specifies that failures are not recorded. Authorization failure messages are not issued, but successful authorization audit records might be written.
    NONE
    Specifies that neither successes nor failures are recorded.

Only one authorization failed record is written for a failed J2EE authorization check, even if several SAF authorization calls are made. For more information on the LOG options for SAF RACROUTE AUTH and RACROUTE FASTAUTH, see the RACF or equivalent SAF-based product documentation.

Important: If a set of roles is permitted, for example, in the role list for the naming-authz.xml file, and an access violation occurs, an ICH408I access violation message indicates that a failure has occurred for one of the roles. The role that is associated with the failure might not be the minimal role that is needed for this access request. Instead, the reported violation and the corresponding ICH408I message indicate the final role in the list. SMF logs a single access violation for the indicated role. To see all of the roles that are verified, set the com.ibm.security.SAF.Authz.Log.Option custom property to the ASIS value.
You can use the com.ibm.security.SAF.Authz.Log.Option custom property with the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress custom property to control the ICH408I failure messages. To set the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress custom property, complete the following steps:
  1. Click Security > Global security.
  2. Under User registries, click Local OS.
  3. Under Additional properties, click Custom properties.
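The DEFAULT strategy and the Important note above are easier to reason about with a small model. The following Python is an added example written for this page; it is not WebSphere, RACF or SAF code. It replays the sequence of RACROUTE calls that WebSphere Application Server would make for a role list under each LOG option and collects the SMF records and ICH408I messages that would result. It assumes, as a constructed simplification, that every EJBROLE profile is set to audit all accesses, so an ASIS call records both successes and failures; role and user names are constructed sample data.

```python
# Added example (not WebSphere or RACF code): a model of the SMF audit
# behaviour described for com.ibm.security.SAF.Authz.Log.Option.
# Role names, user names and profile audit settings are constructed.
from dataclasses import dataclass, field

# LOG option values the page allows for the custom property.
LOG_OPTIONS = ("DEFAULT", "ASIS", "NOFAIL", "NONE")


@dataclass
class SafCall:
    """One simulated RACROUTE AUTH/FASTAUTH against an EJBROLE profile."""
    role: str
    log_option: str   # option actually passed on this call: ASIS, NOFAIL or NONE
    granted: bool


@dataclass
class AuditTrail:
    calls: list = field(default_factory=list)
    smf_records: list = field(default_factory=list)   # (event, role) pairs
    ich408i: list = field(default_factory=list)       # roles named in failure messages


def saf_check(user_roles, role, log_option, trail):
    """Simulate one SAF authorization call and its audit side effects.

    Assumption (constructed): the profile's own setting is AUDIT(ALL), so an
    ASIS call records successes and failures. A real profile or SETROPTS
    setting may record less than that.
    """
    granted = role in user_roles
    trail.calls.append(SafCall(role, log_option, granted))
    if log_option == "NONE":
        return granted            # neither successes nor failures recorded
    if granted:
        # NOFAIL suppresses failures only; success records may still be written.
        trail.smf_records.append(("SUCCESS", role))
    elif log_option == "ASIS":
        # Only ASIS records a failure and issues an ICH408I message.
        trail.smf_records.append(("FAILURE", role))
        trail.ich408i.append(role)
    return granted


def authorize(user_roles, required_roles, strategy):
    """Authorize if the user holds any one of required_roles.

    Returns (granted, trail). Under DEFAULT every role except the last is
    checked with NOFAIL and the last with ASIS, as the page describes; the
    other strategies pass their option unchanged on every call.
    """
    if strategy not in LOG_OPTIONS:
        raise ValueError(f"unknown LOG option {strategy!r}")
    trail = AuditTrail()
    last = len(required_roles) - 1
    for i, role in enumerate(required_roles):
        if strategy == "DEFAULT":
            option = "ASIS" if i == last else "NOFAIL"
        else:
            option = strategy
        if saf_check(user_roles, role, option, trail):
            return True, trail    # first granted role ends the check
    return False, trail


if __name__ == "__main__":
    # Constructed role list: the user only needs one of these three roles.
    roles = ["admin", "operator", "reader"]
    for strategy in LOG_OPTIONS:
        granted, trail = authorize({"guest"}, roles, strategy)
        print(f"{strategy:8s} granted={granted} "
              f"smf={trail.smf_records} ich408i={trail.ich408i}")
```

Running the block for a user who holds none of the three roles shows the point of the Important note: under DEFAULT the single failure record and ICH408I message name "reader", the final role in the list, which is not necessarily the minimal role the request needed; switching the property to ASIS produces a failure record for every role that was verified.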

Related concepts
System Authorization Facility user registries
Related tasks
Authorizing access to resources
Developing a custom SAF EJB role mapper
Related reference
Audit support
Reference topic


Last updated: Aug 29, 2010 9:31:45 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=usecsafpropszos
File name: usec_safpropszos.html