Use this task to add a custom System Authorization Facility (SAF)
mapping module to one of the system login modules by using the administrative
console.
Before you begin
To use a pluggable login module to perform Java 2 Platform, Enterprise Edition (J2EE) identity to Resource Access Control Facility (RACF) user mapping, you must first configure a pluggable mapping module and then configure a WebSphere Application Server for z/OS-supplied module in the appropriate Java Authentication and Authorization Service (JAAS) system login configurations. When SAF authorization or Synch to OS Thread is configured, this approach enables an installation to use either a standalone Lightweight Directory Access Protocol (LDAP) registry or a standalone custom registry as the active WebSphere Application Server registry, because the mapping module supplies the SAF identity that those functions require.
WebSphere Application Server does not support a local operating system registry on any platform under the federated repository functionality. Thus, a SAF-managed RACF registry is not supported under the federated repository functionality.
Before proceeding, make sure you know how to write a mapping module that returns a SAF identity. For more information, refer to Writing a custom System Authorization Facility (SAF) mapping module with non-local operating system. If you use anything other than the shipped sample, you must build the relevant classes and install them into the <WAS_HOME>/classes directory on every node in the cell, including the deployment manager node. A node that lacks the class cannot instantiate the login module, so JAAS logins that use the affected configuration fail on that node; and because everything in <WAS_HOME>/classes runs with the server's authority, restrict write access to that directory to the administrators of the cell. If Java 2 security is enabled, ensure that the server.policy file is updated to grant the mapping module the permissions it needs.
About this task
The custom SAF mapping module (either com.ibm.websphere.security.SampleSAFMappingModule or a customer-written mapping module) must be added to each of the system login module entries that your authentication mechanism uses, and in each entry it must be moved manually to the second-to-last position in the login module order, as described in the procedure.
Note: For a base configuration, if you select SWAM as your authentication mechanism, update the SWAM entry. If you plan to use LTPA as your authentication mechanism, set up all four system login module entries. For a Network Deployment configuration, you need to configure only the LTPA authentication mechanism configuration entries.
Procedure
- Click Security > Secure administration, applications, and infrastructure.
- Under Java Authentication and Authorization Service, click System logins > login_module_name.
- Under Additional properties, click JAAS login modules > New.
- Enter the class name of the custom login module in the Module class name field. (Use com.ibm.websphere.security.SampleSAFMappingModule for the shipped sample module.)
- Click Apply to add the new module to the login module list.
- Click Security > Secure administration, applications, and infrastructure.
- Under Authentication, expand Java Authentication and Authorization Service and click System logins > login_module_name.
- Under Additional properties, click JAAS login modules > Set Order. The new mapping module is appended to the end of the list, which is the wrong position: it must come after com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule and before com.ibm.ws.security.common.auth.module.MapPlatformSubject, so that the mapping module is second-to-last and MapPlatformSubject stays last. That order ensures the SAF identity produced by the mapping module is already in the Subject when MapPlatformSubject runs.
Note: For WebSphere Application Server Version 6.1, the com.ibm.ws.security.common.auth.module.MapPlatformSubject login module does not already exist and must also be added, after the mapping module, so that it is last in the order.
- Select the check box next to the new mapping module and click Move up until it sits directly above MapPlatformSubject. When the mapping modules are in the correct order, click Apply, then Save, and Save again (be sure to select Synchronize changes with Nodes if you are working with a Network Deployment cell, so that every node receives the new order).
What to do next
Make these changes for each of the system login modules needed for your WebSphere Application Server for z/OS configuration. Which system login modules are needed depends on your authentication mechanism (SWAM or LTPA).
Note: If the SAF identity mapping module you installed has configurable properties, you can set them by creating custom properties on the module in the JAAS system logins panel of the administrative console. Use the following steps if you used SampleSAFMappingModule as a prototype and replaced its else clause with your own mapping logic. In this case, you must create the useWSPrincipalName custom property and set it to false for each affected JAAS login configuration that uses the modified SampleSAFMappingModule; otherwise the module keeps its default behavior of using the WebSphere principal name, and the else clause that holds your mapping logic is never taken.
- Click Security > Secure administration, applications, and infrastructure.
- Under Java Authentication and Authorization Service, click System logins > login_module_name.
- Under Additional properties, click JAAS login modules > com.ibm.websphere.security.SampleSAFMappingModule.
- Under Additional properties, click Custom Properties > New.
- Enter the custom property name useWSPrincipalName and the value false.
- Click Apply, Save, and Save.
Repeat this process for each of the system login modules that
use the modified SampleSAFMappingModule.
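The ordering rule from the procedure (mapping module after wsMapDefaultInboundLoginModule, directly before MapPlatformSubject, with MapPlatformSubject created when it is absent) and the useWSPrincipalName custom property from the note above both have to be applied consistently across several login entries, so the following added example audits and plans that change. It is not IBM code and not part of this page: it runs against a constructed fragment laid out like WebSphere's security.xml, and the element and attribute names it uses (systemLoginConfig, entries, loginModules, options, moduleClassName, authenticationStrategy) and the entry aliases in the sample are assumptions about that file. Use it as a check against a copy of a node's configuration; make the real change through the administrative console or wsadmin so that the cell configuration stays consistent and gets synchronized.

```python
"""Audit and plan the JAAS system-login module order for a SAF mapping module.
Added example, not IBM code; the security.xml element names are an assumption."""
import xml.etree.ElementTree as ET

SAF_MAPPING = "com.ibm.websphere.security.SampleSAFMappingModule"
DEFAULT_INBOUND = "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule"
MAP_PLATFORM_SUBJECT = "com.ibm.ws.security.common.auth.module.MapPlatformSubject"
LTPA = "com.ibm.ws.security.server.lm.ltpaLoginModule"
SECURITY_NS = "http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
ET.register_namespace("security", SECURITY_NS)

# Constructed sample, not a real cell's file; entry aliases are illustrative. WEB_INBOUND has
# neither module yet (the Version 6.1 case); DEFAULT shows the state right after the console
# appends the mapping module to the end of the list, which is the wrong position.
SAMPLE_SECURITY_XML = f"""<security:Security xmlns:security="{SECURITY_NS}">
  <systemLoginConfig>
    <entries alias="WEB_INBOUND">
      <loginModules moduleClassName="{LTPA}" authenticationStrategy="REQUIRED"/>
      <loginModules moduleClassName="{DEFAULT_INBOUND}" authenticationStrategy="REQUIRED"/>
    </entries>
    <entries alias="DEFAULT">
      <loginModules moduleClassName="{LTPA}" authenticationStrategy="REQUIRED"/>
      <loginModules moduleClassName="{DEFAULT_INBOUND}" authenticationStrategy="REQUIRED"/>
      <loginModules moduleClassName="{MAP_PLATFORM_SUBJECT}" authenticationStrategy="REQUIRED"/>
      <loginModules moduleClassName="{SAF_MAPPING}" authenticationStrategy="REQUIRED"/>
    </entries>
  </systemLoginConfig>
</security:Security>"""


def module_names(entry):
    """Login module class names of one entry, in execution order."""
    return [lm.get("moduleClassName") for lm in entry.findall("loginModules")]


def check_order(names, mapping=SAF_MAPPING):
    """Return None when the order satisfies the task's rule, else the problem found."""
    for required in (DEFAULT_INBOUND, mapping, MAP_PLATFORM_SUBJECT):
        if required not in names:
            return "missing " + required.rsplit(".", 1)[-1]
    if names.index(mapping) < names.index(DEFAULT_INBOUND):
        return "mapping module must come after wsMapDefaultInboundLoginModule"
    if names[-2:] != [mapping, MAP_PLATFORM_SUBJECT]:
        return "mapping module must be second to last, directly before MapPlatformSubject"
    return None


def add_mapping_module(entry, mapping=SAF_MAPPING, use_ws_principal_name=None):
    """Put the mapping module second to last and MapPlatformSubject last. A misplaced copy is
    moved, not duplicated; MapPlatformSubject is created when absent (Version 6.1)."""
    if check_order(module_names(entry), mapping) is None:
        return False
    platform = None
    for lm in entry.findall("loginModules"):  # findall returns a list, so removal is safe
        if lm.get("moduleClassName") == mapping:
            entry.remove(lm)
        elif lm.get("moduleClassName") == MAP_PLATFORM_SUBJECT:
            entry.remove(lm)
            platform = lm
    if platform is None:
        platform = ET.Element("loginModules", moduleClassName=MAP_PLATFORM_SUBJECT,
                              authenticationStrategy="REQUIRED")
    new = ET.Element("loginModules", moduleClassName=mapping, authenticationStrategy="REQUIRED")
    if use_ws_principal_name is not None:
        # The task's custom property, kept as an option of the mapping module.
        ET.SubElement(new, "options", name="useWSPrincipalName",
                      value="true" if use_ws_principal_name else "false")
    entry.append(new)
    entry.append(platform)
    return True


def audit(xml_text, aliases, mapping=SAF_MAPPING):
    """Map each selected entry alias to its ordering problem (None when correct)."""
    root = ET.fromstring(xml_text)
    return {e.get("alias"): check_order(module_names(e), mapping)
            for e in root.iter("entries") if e.get("alias") in aliases}


def fix_security_xml(xml_text, aliases, mapping=SAF_MAPPING, use_ws_principal_name=None):
    """Return (new XML text, aliases that were changed); a second run changes nothing."""
    root = ET.fromstring(xml_text)
    changed = []
    for entry in root.iter("entries"):
        if entry.get("alias") in aliases and add_mapping_module(entry, mapping, use_ws_principal_name):
            changed.append(entry.get("alias"))
    return ET.tostring(root, encoding="unicode"), changed


def mapping_options(xml_text, alias, mapping=SAF_MAPPING):
    """Custom properties set on the mapping module of one entry (empty if none)."""
    for lm in ET.fromstring(xml_text).iterfind(f"./systemLoginConfig/entries[@alias='{alias}']/loginModules"):
        if lm.get("moduleClassName") == mapping:
            return {o.get("name"): o.get("value") for o in lm.findall("options")}
    return {}


if __name__ == "__main__":
    entries = ["WEB_INBOUND", "DEFAULT"]
    fixed, changed = fix_security_xml(SAMPLE_SECURITY_XML, entries, use_ws_principal_name=False)
    print("before:", audit(SAMPLE_SECURITY_XML, entries), "changed:", changed)
    print("after:", audit(fixed, entries))
```

The audit separates a missing module from a misplaced one, which is the distinction that matters after a console session: the module that was added but left at the end of the list is reported as out of order, not as absent, and an entry that is already correct is left untouched so the script can be rerun on every node after synchronization.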