WebSphere Application Server for z/OS supports access to resources
by clients and servers in a distributed environment. Determine how to control
access to these resources and prevent inadvertent or malicious destruction
of the system or data.
These are the pieces in the distributed network that you must consider:
- You must authorize servers to the base operating system services in z/OS.
These services include System Authorization Facility (SAF) security, database
management, and transaction management.
- For the server clusters, you must distinguish between controllers and
servants. Controllers run authorized system code, so they are trusted. Servants
run application code and are given access to resources, so carefully consider
the authorization you give servants.
- You must also distinguish between the level of authority for run-time
servers and for your own application servers have. For example, the node
needs the authority to start other clusters, while your own application clusters
do not need this authority.
- You must authorize clients (users) to servers and objects within servers.
The characteristics of each client requires special consideration:
- Is the client on the local system or is it remote? The security of the
network becomes a consideration for remote clients.
- Will you allow unidentified (unauthenticated) clients to access the system?
Some resources on your system might be intended for public access, while others
you might need to protect. To access protected resources, clients must establish
their identities and have authorization to use those resources.
- Authentication is the process of establishing the identity of a
client in a particular context. A client can be an end user, a machine, or
an application. The term authentication mechanism in WebSphere Application
Server on z/OS refers more specifically to the facility in which WebSphere
identifies an authenticated identity, using HTTP and Java Management Extensions
(JMX) facilities. When configuring a cell, you must select a single authentication
mechanism. The choices for authentication mechanism include:
- Simple WebSphere Authorization Mechanism (SWAM) - only on Base Application
Server, not available on the Network Deployment configuration
- Lightweight Third Party Authentication (LTPA)
- Integrated Cryptographic Service Facility (ICSF)
- Information about users and groups reside in a user registry. In WebSphere
Application Server, a user registry authenticates a user and retrieves information
about users and groups to perform security-related functions, including authentication
and authorization. Implementation is provided to support multiple operating
system or operating environment-based user registries. When configuring a
cell, you must select a single user registry. The user registry can be local
or remote. The choices for user registry include:
- SAF-based local registry (default)
- Lightweight Directory Access Protocol (LDAP) - LDAP
can be either a local or remote registry
- Custom user registry - A custom user registry is
set up to meet unique registry needs. WebSphere Application Server provides
a simple user registry sample called the FileBasedRegistrySample.
If you need to protect resources, it is critical that you identify who
accesses those resources. Thus, any security system requires client (user)
identification, also known as authentication. In a distributed network supported
by WebSphere Application Server for z/OS, clients can access resources from:
- Within the same system as a server
- Within the same sysplex as the server
- Remote z/OS systems
- Heterogeneous systems, such as WebSphere Application Server on distributed
platforms, Customer Information Control System (CICS), or other Java 2 Platform,
Enterprise Edition-compliant systems.
Additionally, clients can request a service that requires a server to forward
the request to another cluster. In such cases, the system must handle delegation,
the availability of the client identity for use by intermediate clusters and
target clusters.
Finally, in a distributed network, how do you verify that messages being
passed are confidential and have not been tampered? How do you verify that
clients are who they claim to be? How do you map network identities to z/OS
identities? These issues are addressed by the following support in WebSphere
Application Server for z/OS:
- The use of Secure Sockets Layer (SSL) and digital certificates
- Kerberos
- Common Secure Interoperability, Version 2 (CSIv2)