The z/OS® Profile
Management Tool allows you to specify System Authorization Facility (SAF)
profile prefixes (previously referred to as z/OS security domains) for your WebSphere® Application Server for z/OS configuration.
Note:
- You must set up a base Application Server using the WebSphere z/OS Profile
Management Tool or the zpmt command before using the Application Server
to set up a WebSphere Application Server, Network Deployment node, which is managed by the deployment manager
process (dmgr). It is critical that you LOAD saved environment variables
from the base Application Server into the deployment manager node that federates
the base node. Do this before performing security customization on the deployment
manager node.
- If the APPL class is active and you have defined a profile for WebSphere Application Server, make sure that all z/OS identities using WebSphere Application Server services
have READ permission to the WebSphere Application Server APPL profile. This
includes all WebSphere Application Server identities, WebSphere Application Server unauthenticated identities, WebSphere Application Server administrative identities, user IDs based on role-to-user mappings,
and all user identities for system users. If you have not specified a SAF
profile prefix, the APPL profile used is CBS390 or the name used as the SAF
profile prefix. If you have specified a SAF profile prefix, the APPL profile
used. When adding an administrator to the administrative console using local
operating system security, if the APPL class is activated, the administrator's
user ID must be authorized to the CBS390 (or the name specified as the SAF
profile prefix) APPL class for RACF® as well. If the administrator's user
ID is not authorized to CBS390 APPL, message BBOS0108E is issued, indicating
that the credential-handling function (RunAsGetSpecCred) failed in routine
because the user is not authorized.
- Once a profile is created, it is possible to control checking the APPL
class profile from the administrative console by navigating to the SAF authorization
options panel and by configuring the check box labeled "Use APPL profile to
restrict access to the server".