Auditing is performed using SMF records issued by RACF or an equivalent External Security Manager. This means that SMF audit records are cut as part of the WebSphere Application Server use of SAF interfaces such as IRRSIA00 (to manage ACEEs) and the RACROUTE macro.

The table below lists the various security authentication mechanisms and the corresponding data that is written to each part of the ACEE X500NAME field (this data is also in the RACO and SMF records). The information under "Service name" is the constant string that is included in the "Issuer's Distinguished Name" field of X500NAME. The information under "Authenticated identity" is the principal that is recorded in the "Subject's Distinguished Name" field.
Table 1. Security authentication mechanisms and the corresponding data that is written to each part of the ACEE X500NAME field

Authentication mechanism | Service name | Authenticated identity
--- | --- | ---
Custom Registry | WebSphere Custom Registry | Custom registry principal name
Kerberos | Kerberos for WebSphere Application Server | Kerberos principal, in the "DCE" format used for extracting the corresponding MVS userid using IRRSIM00 (/.../realm/principal)
RunAs Rolename | WebSphere Role Name | Role name
RunAs Server | WebSphere Server Credential | MVS userid
Trust Interceptor | WebSphere Authorized Login | MVS userid
RunAs Userid/Password | WebSphere Userid/Password | MVS userid
In addition to tracking by MVS userid, events need to be traced to an originating userid. This is especially true for originating userids that are not MVS-based, such as EJB Roles, Kerberos principals, and Custom Registry principals.
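The following Python helper is an added example, not code from the IBM documentation or from WebSphere Application Server itself. It applies the mapping in Table 1 to the two X500NAME fields of an audit record: the issuer string identifies the authentication mechanism, and for mechanisms whose subject is not an MVS userid (Custom Registry, Kerberos, RunAs Rolename) it surfaces the originating identity that an auditor must correlate separately. For Kerberos it also splits the "/.../realm/principal" DCE form into realm and principal. The example assumes that an upstream SMF/RACO parser has already extracted the issuer and subject strings and the MVS userid into plain Python values; the sample records below are constructed for illustration, and the SMF record layout itself is not parsed here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Issuer's Distinguished Name (the constant "service name" string) mapped to
# (authentication mechanism, subject-is-MVS-userid), as given in Table 1.
SERVICE_NAME_TO_MECHANISM = {
    "WebSphere Custom Registry": ("Custom Registry", False),
    "Kerberos for WebSphere Application Server": ("Kerberos", False),
    "WebSphere Role Name": ("RunAs Rolename", False),
    "WebSphere Server Credential": ("RunAs Server", True),
    "WebSphere Authorized Login": ("Trust Interceptor", True),
    "WebSphere Userid/Password": ("RunAs Userid/Password", True),
}

# DCE-style Kerberos principal: /.../realm/principal (the principal part may
# itself contain slashes, e.g. service/host, so it is matched greedily).
DCE_PRINCIPAL_RE = re.compile(r"^/\.\.\./(?P<realm>[^/]+)/(?P<principal>.+)$")


@dataclass
class X500NameAudit:
    mechanism: str
    subject: str
    subject_is_mvs_userid: bool
    kerberos_realm: Optional[str] = None
    kerberos_principal: Optional[str] = None


def parse_dce_name(name: str):
    """Split a /.../realm/principal string into (realm, principal)."""
    m = DCE_PRINCIPAL_RE.match(name)
    if m is None:
        raise ValueError(f"not a DCE-format Kerberos principal: {name!r}")
    return m.group("realm"), m.group("principal")


def classify_x500name(issuer_dn: str, subject_dn: str) -> X500NameAudit:
    """Interpret the X500NAME issuer/subject pair using Table 1.

    An issuer string not in the table is reported as "unknown" rather than
    raising, so a single unexpected record does not abort a batch review.
    """
    mechanism, is_mvs = SERVICE_NAME_TO_MECHANISM.get(issuer_dn, ("unknown", False))
    audit = X500NameAudit(mechanism=mechanism, subject=subject_dn,
                          subject_is_mvs_userid=is_mvs)
    if mechanism == "Kerberos":
        audit.kerberos_realm, audit.kerberos_principal = parse_dce_name(subject_dn)
    return audit


def originating_identities(records):
    """Return (mvs_userid, mechanism, originating identity) for every record
    whose authenticated identity is not itself an MVS userid, i.e. the events
    that cannot be traced back by MVS userid alone."""
    out = []
    for rec in records:
        audit = classify_x500name(rec["issuer"], rec["subject"])
        if not audit.subject_is_mvs_userid:
            out.append((rec["mvs_userid"], audit.mechanism, audit.subject))
    return out


# Constructed sample records (hypothetical userids and names, not real data):
# each is what an SMF/RACO parser would hand over for one audit event.
SAMPLE_RECORDS = [
    {"mvs_userid": "WASSRV1", "issuer": "WebSphere Server Credential", "subject": "WASSRV1"},
    {"mvs_userid": "ASUSER1", "issuer": "Kerberos for WebSphere Application Server",
     "subject": "/.../EXAMPLE.COM/alice"},
    {"mvs_userid": "ROLEUSR", "issuer": "WebSphere Role Name", "subject": "Manager"},
    {"mvs_userid": "CRUSER1", "issuer": "WebSphere Custom Registry", "subject": "bob@custom"},
    {"mvs_userid": "USER2", "issuer": "WebSphere Userid/Password", "subject": "USER2"},
]

if __name__ == "__main__":
    for mvs_userid, mechanism, origin in originating_identities(SAMPLE_RECORDS):
        print(f"{mvs_userid:<8} {mechanism:<16} originating identity: {origin}")
```

The helper deliberately keeps the MVS userid alongside the originating identity in its output: the MVS userid is what RACF recorded the access under, while the subject field is the only place the EJB role, Kerberos principal, or custom-registry name survives, so both are needed to join the SMF event to the application-level login.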