WebSphere Application Server Version 6.1 Feature Pack for Web Services
             Operating Systems: z/OS

This topic applies only on the z/OS operating system.

Specifics about server process authorization checking

You can define specific access restrictions to z/OS resources.

To control access to WebSphere Application Server for z/OS resources:
  • As a general rule, give greater authority to controllers and less authority to servants.
    Table 1. Level of trust and authority for regions

    Region: Controller
    Level of trust and access authority:
    • Contains WebSphere Application Server for z/OS system code
    • Trusted, runs APF-authorized
    • Contains communication ports and manipulation of system authorization facility (SAF) client identities

    Region: Servant
    Level of trust and access authority:
    • Contains WebSphere Application Server for z/OS system code, application code, and pluggable service providers (such as JDBC drivers)
    • Supports Java 2 Security to protect sensitive data and system services
    • Untrusted
  • Regarding the WebSphere Application Server for z/OS run-time clusters, the general rule is to give less authority to the location service daemon, and greater authority to the node, as explained in the table below:
    Table 2. Assigning authorities to WebSphere Application Server for z/OS run-time cluster control and servants

    Run-time cluster: Location service daemon
    Region: Control
    Required authorities:
    • STARTED class
    • Access to Workload Manager (WLM) services
    • Access to DNS
    • OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other clusters
    • IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING in FACILITY (SSL)

    Run-time cluster: Node
    Region: Control
    Required authorities:
    • STARTED class

    Run-time cluster: Controller
    Region: Control
    Required authorities:
    • SSL
    • Kerberos
    • READ authority to the SERVER class
    • OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other servers

    Run-time cluster: Servant
    Region: Control
    Required authorities (the following classes):
    • OTMA
    • SERVER
    • DSNR
    • DATASET
    • SURROGAT
    • STARTED
    • LOGSTRM
  • Remember to protect the Resource Recovery Services (RRS) log streams. By default, UACC is READ.
  • Protect the WebSphere Application Server for z/OS properties XML files, especially if they contain passwords. For more information, see the WebSphere Application Server variables in the administrative console or the documentation.
  • Deployment Manager also needs permission to start and stop servers.
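
The following Python example is added here for illustration and is not IBM code. It checks an access inventory against rules stated above: OPERCMDS access belongs only to the daemon and controller regions in Table 2, the controller's SERVER access is READ, and a LOGSTRM profile should not be left at UACC READ. The user IDs, profile names, and CSV layout are constructed assumptions, not a RACF report format.

```python
import csv
import io

# SAF access levels, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
# Table 2 lists OPERCMDS only for these regions (assumption: treated as a baseline).
OPERCMDS_REGIONS = {"daemon", "controller"}

# Constructed sample data: hypothetical user IDs and profile names.
ROLES = {"WSDMNCR": "daemon", "WSCRU1": "controller", "WSSRU1": "servant"}
PROFILES_CSV = """class,profile,uacc
LOGSTRM,SAMPLE.RRS.LOGSTREAM,READ
OPERCMDS,SAMPLE.START.PROFILE,NONE
SERVER,SAMPLE.SERVER.PROFILE,NONE
"""
PERMITS_CSV = """class,profile,id,access
OPERCMDS,SAMPLE.START.PROFILE,WSCRU1,UPDATE
OPERCMDS,SAMPLE.START.PROFILE,WSSRU1,UPDATE
SERVER,SAMPLE.SERVER.PROFILE,WSCRU1,CONTROL
SERVER,SAMPLE.SERVER.PROFILE,WSSRU1,READ
LOGSTRM,SAMPLE.RRS.LOGSTREAM,WSSRU1,UPDATE
SERVER,SAMPLE.SERVER.PROFILE,TESTUSR,READ
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def above(level, limit):
    return LEVELS.index(level) > LEVELS.index(limit)

def audit(profiles_csv, permits_csv, roles):
    """Return (rule, profile, detail) tuples that need review."""
    findings = []
    for p in rows(profiles_csv):
        # The page warns that log streams default to UACC READ.
        if p["class"] == "LOGSTRM" and above(p["uacc"], "EXECUTE"):
            findings.append(("LOGSTRM_UACC", p["profile"], p["uacc"]))
    for a in rows(permits_csv):
        role = roles.get(a["id"])
        if role is None:
            # ID not mapped to any region: cannot be judged against Table 2.
            findings.append(("UNKNOWN_ID", a["profile"], a["id"]))
        elif (a["class"] == "OPERCMDS" and role not in OPERCMDS_REGIONS
              and a["access"] != "NONE"):
            findings.append(("OPERCMDS_NOT_IN_TABLE2", a["profile"], a["id"]))
        elif a["class"] == "SERVER" and role == "controller" and above(a["access"], "READ"):
            findings.append(("SERVER_ABOVE_READ", a["profile"], a["id"]))
    return findings
```

A finding is a prompt for review against the site's own security policy, since Table 2 lists required authorities rather than an exhaustive allow list.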



Related concepts
Cluster authorizations
Related tasks
Using CBIND to control access to clusters

Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/rsec_clustauth.html