[z/OS]

Security domains and the customization dialog

You can configure a security domain by using a customization dialog.

A security domain provides cell-level granularity of security permissions, which:
Configure a security domain by using the customization dialog to customize your settings. This provides:

Security information is stored in a new SavedVariables file because security domain information can span multiple cells (including test and production). You should be able to use the existing variables you have defined previously. (Make sure you save the values and record the location where they are saved.)

The RACF profiles that are created and checked differently because of this are:

Note: To issue RACF commands, you must have a TSO user ID with the appropriate authority.

Tip: When setting up a base application server, save the general customization variables and security domain variables to different files.

Use CBIND profiles to restrict access to servers if no other specific profile is set. If there is no security domain identifier, enter the following RACF commands:
/*  CBIND profiles in case no server definition is set         */
"RDEFINE CBIND CB.BIND.* UACC(NONE)"  
"RDEFINE CBIND CB.* UACC(NONE)"
If there is a security domain identifier defined as TESTSYS, enter:
/*  CBIND CB.BIND.domain_name.                                  */
"RDEFINE CBIND CB.BIND.TESTSYS.* UACC(NONE)"  
"RDEFINE CBIND CB.TESTSYS.* UACC(NONE)"

Use an APPL profile to protect WebSphere Application Server for z/OS. Sample profiles can grant APPL access to everyone if you use the universal access authority, UACC(NONE), and grant access to the configuration group, unauthenticated user IDs, and all valid WebSphere Application Server for z/OS user IDs.

For example, if there is no security domain, enter the following RACF commands:
RDEFINE APPL CB390 UACC(NONE)
PERMIT CB390 CLASS(APPL) ID(TSCLGP) ACCESS(READ)
And if there is a security domain identifier defined as TESTSYS, for example, enter:
RDEFINE APPL TESTSYS UACC(NONE)
PERMIT TESTSYS CLASS(APPL) ID(TSCLGP) ACCESS(READ)

EJBROLE profiles are defined for role-based authorization checks if there is no security domain identifier and the configuration group is defined as TSTCFG. Note that these are default values set at bootstrap, which is the minimum set of users requiring access to naming and administrative roles for a Local OS registry when System Authorization Facility (SAF) authorization is selected.

The following roles must be defined for both operating system and application security. Enter the following RACF commands:
RDEFINE EJBROLE administrator UACC(NONE)
RDEFINE EJBROLE monitor       UACC(NONE)
RDEFINE EJBROLE configurator UACC(NONE)
RDEFINE EJBROLE  operator     UACC(NONE)
RDEFINE EJBROLE  deployer     UACC(NONE)
RDEFINE EJBROLE  adminsecuritymanager     UACC(NONE)

PERMIT administrator  CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT monitor        CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT configurator   CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT operator       CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT deployer       CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT adminsecuritymanager       CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)

/* Setting up EJBRoles Profiles for Naming roles             */
RDEFINE EJBROLE CosNamingRead   UACC(NONE)
PERMIT CosNamingRead  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE CosNamingWrite  UACC(NONE)
RDEFINE EJBROLE CosNamingCreate UACC(NONE)
RDEFINE EJBROLE CosNamingDelete UACC(NONE)
If there is a security domain identifier defined as TESTSYS and the configuration group is defined as TSTCFG, enter the following RACF commands:
RDEFINE EJBROLE TESTSYS.administrator UACC(NONE)
RDEFINE EJBROLE TESTSYS.monitor       UACC(NONE)
RDEFINE EJBROLE TESTSYS.configurator  UACC(NONE)
RDEFINE EJBROLE TESTSYS.operator      UACC(NONE)
RDEFINE EJBROLE TESTSYS.deployer      UACC(NONE)
RDEFINE EJBROLE TESTSYS.adminsecuritymanager     UACC(NONE)

PERMIT TESTSYS.administrator  CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.monitor        CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.configurator   CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.operator       CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.deployer       CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.adminsecuritymanager        CLASS(EJBROLE)  ID(TSTCFG) ACCESS(READ)

/* Setting up EJBRoles Profiles for Naming roles         */
RDEFINE EJBROLE TESTSYS.CosNamingRead   UACC(NONE)
PERMIT TESTSYS.CosNamingRead  CLASS(EJBROLE)  ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.CosNamingWrite  UACC(NONE)
RDEFINE EJBROLE TESTSYS.CosNamingCreate UACC(NONE)
RDEFINE EJBROLE TESTSYS.CosNamingDelete UACC(NONE)

Security server definition

A security domain definition in z/OS provides WebSphere Application Server for z/OS with a set of cell-wide z/OS Security Server (RACF) security definitions.

Assign distinct MVS user IDs to servers in isolatable security domains

The user IDs assigned to the control and servant tasks are defined by the SAF STARTED profile. A specific STARTED profile can be created for all controller procedures with a given procedure name. For example, enter the following RACF commands:
RDEFINE STARTED TST5ACR.* STDATA(USER(TSSYMCR1) GROUP(TSTCFG) TRACE(YES))
Tip: Your controller procedure should be given a unique procedure name for each security domain.
Servant regions use different procedure names. To avoid having to customize the security for each new server created, use a generic profile with a generic server prefix (BBO*) to assign the user ID of all servers whose procedure names begin with BBO, and a specific profile for other server names, by entering the following RACF commands:
RDEFINE STARTED BBO*.* STDATA(USER(TSSYMSR1) GROUP(TSTCFG) TRACE(YES))
RDEFINE STARTED TSTS001S.* STDATA(USER(TSSYMSR1) GROUP(TSTCFG) TRACE(YES))
Note: You cannot modify the server and generic server prefix name BBO using the customization dialog. If you require isolation and do not want to require security customization when you add new servers, note that there is an implicit relationship between the server name and the MVS user ID of the servant task. If you do not need to use security customization when adding new servers, and you do not require a unique user ID for an authorization request to a particular server, create an alternate STARTED profile with a unique generic server prefix name by entering the following RACF commands:
RDEFINE STARTED TST*.* STDATA(USER(TSSYMSR1) GROUP(TSTCFG) TRACE(YES))
Each servant procedure in the TEST security domain must be defined with TST as the server prefix name used for all servers in this domain. For more control over the authorization of requests on different servers, create a specific STARTED profile for each server by entering the following RACF commands:
RDEFINE STARTED TSTS001S.* STDATA(USER(TSSYMSR1) GROUP(TSTCFG) TRACE(YES))
RDEFINE STARTED TSTS002S.* STDATA(USER(TSSYMSR2) GROUP(TSTCFG) TRACE(YES))

Restrict SERVER access to security domains. In addition, the server class profiles are used to indicate which servant identities can access the appropriate Workload Manager (WLM) queues that WebSphere Application Server for z/OS uses. To clearly isolate the security domain sets, note the relationship between server names and servant region MVS user IDs.

The SERVER profile checked is either in the form CB.servername.clustername.cellname or CB.servername.clustername, depending upon whether or not WLM Dynamic Application Environment support is enabled. For example, if your server name is TSTC001, the definitions are set by entering the following RACF commands:
RDEFINE SERVER CB.* UACC(NONE)
RDEFINE SERVER CB.*.BBO* UACC(NONE)
RDEFINE SERVER CB.*.BBO*.* UACC(NONE)
RDEFINE SERVER CB.*.TSTC001 UACC(NONE)
RDEFINE SERVER CB.*.TSTC001.* UACC(NONE)
Permissions to access this server name are given by entering the following RACF commands:
PERMIT CB.*.TSTC001 CLASS(SERVER) ID(TSSYMSR1) ACC(READ)
PERMIT CB.*.TSTC001.* CLASS(SERVER) ID(TSSYMSR1) ACC(READ)
You can create additional SERVER definitions to accommodate a new server transition prefix, or create specific profiles per servant (similarly to how you can use the STARTED profile). Use a server transition prefix of TST to restrict the access of the TSSYMSR user ID to queues from TST servers. For example, to set this up enter the following RACF commands:
RDEFINE SERVER CB.*.TST* UACC(NONE)
RDEFINE SERVER CB.*.TST*.* UACC(NONE)
PERMIT CB.*.TST* CLASS(SERVER) ID(TSSYMSR1) ACC(READ)
PERMIT CB.*.TST*.* CLASS(SERVER) ID(TSSYMSR1) ACC(READ)

CBIND profile definitions for servers

If there is no security domain identifier, information is defined during bootstrap. Enter the following RACF commands:
RDEFINE CBIND CB.BIND.BBO* UACC(NONE)
RDEFINE CBIND CB.BIND.TSTC001 UACC(NONE)
PERMIT CB.BIND.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
PERMIT CB.BIND.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.BBO* UACC(NONE)
RDEFINE CBIND CB.TSTC001 UACC(NONE)
If there is a security domain identifier defined as TESTSYS, enter:
RDEFINE CBIND CB.BIND.TESTSYS.BBO* UACC(NONE)
RDEFINE CBIND CB.BIND.TESTSYS.TSTC001 UACC(NONE)
PERMIT CB.BIND.TESTSYS.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
PERMIT CB.BIND.TESTSYS.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.TESTSYS.BBO* UACC(NONE)
RDEFINE CBIND CB.TESTSYS.TSTC001 UACC(NONE)
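
An added example (not IBM's code): a small Python lint for a RACF command script before it is submitted. It checks three things the commands on this page depend on: each RDEFINE carries a single well-formed UACC(NONE), each PERMIT names a profile the script has already defined, and, when a security domain identifier is given, EJBROLE, CBIND and APPL profiles carry it in the positions shown above. The function names, finding codes and sample script are constructed for illustration.

```python
import re

RDEF = re.compile(r'^RDEFINE\s+(\S+)\s+(\S+)\s*(.*)$', re.I)
PERM = re.compile(r'^PERMIT\s+(\S+)\s+CLASS\((\w+)\)', re.I)
UACC = re.compile(r'^UACC\(\s*(\w+)\s*\)$', re.I)

def domain_ok(cls, profile, domain):
    """Naming pattern the page shows for profiles in a security domain."""
    prefixes = {"EJBROLE": (domain + ".",),
                "CBIND": (f"CB.BIND.{domain}.", f"CB.{domain}.")}
    if cls == "APPL":
        return profile == domain
    return profile.startswith(prefixes.get(cls, ("",)))  # other classes: no rule

def lint_racf(script, domain=None):
    """Return (line_no, code, profile) findings for a RACF command script."""
    defined, findings = set(), []
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip().strip('"').strip()   # REXX-style quoting is tolerated
        if not line or line.startswith("/*"):
            continue
        m = RDEF.match(line)
        if m:
            cls, profile, rest = m.group(1).upper(), m.group(2), m.group(3).strip()
            defined.add((cls, profile))
            if cls != "STARTED":                 # STARTED uses STDATA, not UACC
                u = UACC.match(rest)
                if not u:
                    findings.append((n, "UACC_MALFORMED", profile))
                elif u.group(1).upper() != "NONE":
                    findings.append((n, "UACC_NOT_NONE", profile))
            if domain and not domain_ok(cls, profile, domain):
                findings.append((n, "NO_DOMAIN_QUALIFIER", profile))
            continue
        m = PERM.match(line)
        if m and (m.group(2).upper(), m.group(1)) not in defined:
            findings.append((n, "PERMIT_NO_RDEFINE", m.group(1)))  # PERMIT would fail
    return findings

# Constructed sample with deliberate mistakes (not taken from a real system)
SAMPLE = """\
RDEFINE SERVER CB.*.TST* UACC(NONE)(READ)
RDEFINE SERVER CB.*.TST.* UACC(NONE)
PERMIT CB.*.TST* CLASS(SERVER) ID(TSSYMSR1) ACC(READ)
PERMIT CB.*.TST*.* CLASS(SERVER) ID(TSSYMSR1) ACC(READ)
"RDEFINE CBIND CB.BIND.TESTSYS.* UACC(NONE)"
RDEFINE EJBROLE administrator UACC(NONE)
RDEFINE APPL TESTSYS UACC(READ)
"""
```

Calling `lint_racf(SAMPLE, domain="TESTSYS")` reports the malformed UACC operand, the PERMIT whose profile name does not match any RDEFINE, the EJBROLE profile missing the domain qualifier, and the APPL profile defined with a universal access other than NONE.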
Refer to Planning a security domain for more information on security domains.

Related concepts
WebSphere Application Server security for z/OS
Related reference
Security customization dialog settings

Last updated: Aug 31, 2013 1:23:07 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=csecsafsecdom
File name: csec_safsecdom.html