This topic applies only on the z/OS operating system.

System Authorization Facility user registries

System Authorization Facility (SAF) user registries are used for several purposes in WebSphere Application Server for z/OS.

SAF-based user registries are used to:

Refer to Selecting a user registry for more information.

With either a Local OS or a non-Local OS user registry implementation, the WebSphere Application Server for z/OS authentication mechanism can use SAF interfaces. SAF interfaces are defined by MVS so that applications can use the system authorization services or user registries to control access to resources such as data sets and MVS commands. SAF either processes a security authorization request itself or passes it to RACF or another security product for processing. Note that a Local OS SAF user registry is not a centralized user registry in the sense that Lightweight Directory Access Protocol (LDAP) is, but it is a centralized registry within a sysplex.

Note: When a non-Local OS user registry is used, WebSphere Application Server for z/OS uses the non-Local OS registry for authentication but still uses the SAF interface to control access to system resources.

With WebSphere Application Server for z/OS, SAF user registries provide digital-certificate-to-user-ID mappings that are created with the Resource Access Control Facility (RACF) RACDCERT command. For more information on the RACDCERT command, refer to z/OS Security Server RACF Command Language Reference (SA22-7687-05), available at http://www.ibm.com/servers/eserver/zseries/zos/bkserv/r5pdf/secserv.html.
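The following batch job is an added example, not code from this topic or from IBM, showing the two RACDCERT forms that create a certificate-to-user-ID mapping: storing one specific certificate under a user ID, and a certificate name filter that maps every matching certificate to that user ID. The job name, the user ID WASUSER, the data set WASADM.CLIENT.CERT, the certificate labels and the distinguished names are assumptions chosen for illustration; substitute your own values.

```jcl
//RACDMAP  JOB (ACCT),'CERT TO USERID',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*-------------------------------------------------------------------
//* Added example, not from the WebSphere topic: map a client
//* certificate to a SAF user ID with RACDCERT.
//* Assumed identifiers: user ID WASUSER, certificate data set
//* WASADM.CLIENT.CERT, a CA certificate already added to RACF as
//* CERTAUTH with issuer DN CN=CorpCA.O=Example Corp.C=US, and
//* client subject DNs ending in OU=AppTeam.O=Example Corp.C=US.
//*-------------------------------------------------------------------
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. One-to-one mapping: the certificate itself is stored under  */
  /*    WASUSER, so only this exact certificate (issuer + serial)   */
  /*    authenticates as WASUSER.                                   */
  RACDCERT ID(WASUSER) ADD('WASADM.CLIENT.CERT') -
           WITHLABEL('WASUSER client cert') TRUST
  /* 2. Filter mapping: any certificate whose subject DN ends with  */
  /*    SDNFILTER and whose issuer DN matches IDNFILTER maps to     */
  /*    WASUSER. Keep both filters specific: a broad subject filter */
  /*    hands this user ID to everyone the CA issues a cert to.     */
  RACDCERT ID(WASUSER) MAP -
           SDNFILTER('OU=AppTeam.O=Example Corp.C=US') -
           IDNFILTER('CN=CorpCA.O=Example Corp.C=US') -
           WITHLABEL('AppTeam to WASUSER') TRUST
  /* Filters are consulted only while DIGTNMAP is active and in    */
  /* storage; refresh after every MAP or DELMAP. Refresh DIGTCERT  */
  /* as well if that class is RACLISTed on your system.            */
  SETROPTS CLASSACT(DIGTNMAP) RACLIST(DIGTNMAP)
  SETROPTS RACLIST(DIGTNMAP) REFRESH
  /* 3. Verify what RACF will actually use.                        */
  RACDCERT ID(WASUSER) LIST
  RACDCERT ID(WASUSER) LISTMAP
/*
```

The filter form is the one that deserves review: every certificate the named CA issues with a subject under OU=AppTeam becomes WASUSER, so the subject filter should be as narrow as the certificates you actually issue allow, and the RACDCERT LISTMAP output should be re-checked whenever the CA or its issuing policy changes.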

The WebSphere Application Server for z/OS Local OS user registry (SAF user registry) implementation sets the registry realm name from the SAFDFLT profile in the REALM class when the REALM class is active and the SAFDFLT profile is defined. The realm name is the APPLDATA value of the SAFDFLT profile. If the realm name cannot be obtained from the OS security product (such as RACF), for example because the REALM class is not active or the SAFDFLT profile is not defined, the value of protocol_iiop_daemon_listenIPAddress is used instead.

For a realm name change to take effect, the entire cell, including the Daemon Address Space, must be recycled.

A UNIX System Services restriction also applies: when you list user and group information, only those users that have an OMVS segment (where the UNIX System Services user and group information is stored) are shown. Refer to Summary of controls for more information.
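The following batch job is an added example, not code from this topic or from IBM, that defines the SAFDFLT profile whose APPLDATA becomes the realm name, verifies it, and then gives a user an OMVS segment so that it appears when user and group information is listed. The realm name WASZREALM, the user ID WASUSER, the group WASGRP, the UID and GID 4100 and the home directory /u/wasuser are assumptions chosen for illustration.

```jcl
//SAFREALM JOB (ACCT),'SAF REALM + OMVS',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*-------------------------------------------------------------------
//* Added example, not from the WebSphere topic: publish the realm
//* name WebSphere reads from SAFDFLT, then give a user an OMVS
//* segment so that it shows up when user information is listed.
//* Assumed identifiers: realm name WASZREALM, user ID WASUSER,
//* group WASGRP, UID/GID 4100, home directory /u/wasuser.
//*-------------------------------------------------------------------
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Realm name = APPLDATA of profile SAFDFLT in class REALM. If   */
  /* the profile is missing or the class is inactive, WebSphere    */
  /* falls back to protocol_iiop_daemon_listenIPAddress, i.e. the  */
  /* realm name then follows the daemon's IP address.              */
  RDEFINE REALM SAFDFLT APPLDATA('WASZREALM')
  /* Use RALTER instead of RDEFINE when SAFDFLT already exists:    */
  /*   RALTER REALM SAFDFLT APPLDATA('WASZREALM')                  */
  SETROPTS CLASSACT(REALM) RACLIST(REALM)
  SETROPTS RACLIST(REALM) REFRESH
  /* Verify: the APPLDATA line of this listing is the realm name.  */
  RLIST REALM SAFDFLT
  /* UNIX System Services restriction: a user or group without an  */
  /* OMVS segment is not shown when user and group information is  */
  /* listed. Check first, then add the segment if it is absent.    */
  LISTGRP WASGRP OMVS NORACF
  LISTUSER WASUSER OMVS NORACF
  ALTGROUP WASGRP OMVS(GID(4100))
  ALTUSER WASUSER OMVS(UID(4100) HOME('/u/wasuser') PROGRAM('/bin/sh'))
  LISTUSER WASUSER OMVS NORACF
/*
```

Running the job changes nothing that the running servers see: the new realm name is picked up only after the entire cell, including the Daemon Address Space, has been recycled. The second LISTUSER shows the OMVS segment that the first one reported as missing, which is the difference between a user that is and is not returned when user information is listed.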

Note: The default and only implementation for a Local OS user registry is SAF.

Refer to User registries for general information about selecting user registries.

Subtopics
z/OS System Authorization Facility authorization
Related concepts
System Authorization Facility considerations for the operating system and application levels
Authorization technology
Related tasks
Selecting a user registry


Last updated: Aug 29, 2010 8:25:23 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=csecsafuserreg
File name: csec_safuserreg.html