[z/OS]

Audit support

This topic gives an overview of how to use audit support.

[Updated in August 2012] Auditing is performed using SMF records written by RACF® or an equivalent External Security Manager (ESM). The SMF audit records are cut by the ESM as a by-product of the SAF interfaces and RACROUTE macros that WebSphere Application Server invokes, so whether a given call produces a record is governed by the ESM's audit settings (for RACF, the AUDIT options on the relevant profiles and the SETROPTS AUDIT and LOGOPTIONS settings).

WebSphere Application Server for z/OS uses the following RACROUTE macros, together with the initACEE (IRRSIA00) SAF callable service, which it uses to create and manage ACEEs:
  • RACROUTE REQUEST=AUTH (and REQUEST=FASTAUTH) - to check whether a user is authorized to a resource in a given class
  • RACROUTE REQUEST=EXTRACT - to extract a RACO (RACF environment object) from an ACEE
  • RACROUTE REQUEST=TOKENXTR - to extract the UTOKEN (for CICS)
  • RACROUTE REQUEST=LIST - to build the in-storage copies of the general-resource profiles so that the FASTAUTH routines can use them for authorization checking
  • RACROUTE REQUEST=STAT - to determine whether particular classes are active

For details of which of these RACROUTE and SAF callable-service invocations can produce SMF audit records, see the RACROUTE Macro Reference and the Security Server RACF Callable Services documentation, respectively, in the z/OS Information Center for your version of z/OS.

Table 1. Security authentication mechanisms and the corresponding data that is written to each part of the ACEE X500NAME field (this data also appears in the RACO and in the SMF records).

Authentication mechanism   Service name                                 Authenticated identity
Custom Registry            WebSphere® Custom Registry                   Custom registry principal name
Kerberos                   Kerberos for WebSphere Application Server    Kerberos principal, in the "DCE" format (/.../realm/principal) that IRRSIM00 (R_usermap) accepts when looking up the corresponding MVS userid
RunAs Rolename             WebSphere Role Name                          Role name
RunAs Server               WebSphere Server Credential                  MVS userid
Trust Interceptor          WebSphere Authorized Login                   MVS userid
RunAs Userid/Password      WebSphere Userid/Password                    MVS userid

In addition to tracking by MVS userid, audit events need to be traceable to the identity that originated the request, which is what the X500NAME data above provides. This matters most when the originating identity is not an MVS userid at all, such as an EJB role name, a Kerberos principal, or a custom registry principal, because in those cases the MVS userid in the record alone does not identify the originator.
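The tracing requirement above, as an added example (this is not IBM's code and not part of the original page): Python that maps the X500NAME service-name and identity pairs from Table 1 back to an originating identity, converts Kerberos principals to and from the /.../realm/principal form that IRRSIM00 accepts, and reports which MVS userids front more than one originator. The three-field event layout and the sample events are assumptions constructed for this example; the SMF type 80 post-processing that would produce such events is not shown.

```python
"""Trace WebSphere for z/OS audit events back to their originating identity.

Added example for this page; it is not IBM code. It assumes each event has
already been reduced, by whatever SMF post-processing you use, to three
strings: the MVS userid the ESM recorded, plus the two parts of the ACEE
X500NAME field from Table 1 (the service name and the authenticated
identity). SAMPLE_EVENTS below are constructed for illustration.
"""
from collections import defaultdict

# Service name -> authentication mechanism, exactly as listed in Table 1.
SERVICE_TO_MECHANISM = {
    "WebSphere Custom Registry": "Custom Registry",
    "Kerberos for WebSphere Application Server": "Kerberos",
    "WebSphere Role Name": "RunAs Rolename",
    "WebSphere Server Credential": "RunAs Server",
    "WebSphere Authorized Login": "Trust Interceptor",
    "WebSphere Userid/Password": "RunAs Userid/Password",
}

# Mechanisms whose authenticated identity is already an MVS userid.
MVS_BASED = {"RunAs Server", "Trust Interceptor", "RunAs Userid/Password"}

DCE_PREFIX = "/.../"


def kerberos_to_dce(principal):
    """'alice@EXAMPLE.COM' -> '/.../EXAMPLE.COM/alice', the form the page says
    is stored in the X500NAME and handed to IRRSIM00 (R_usermap)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm or "/" in realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return f"{DCE_PREFIX}{realm}/{name}"


def dce_to_kerberos(dce_name):
    """Inverse of kerberos_to_dce. Only the first '/' after the realm is a
    separator, so 'host/app1' style principals keep their own slash."""
    if not dce_name.startswith(DCE_PREFIX):
        raise ValueError(f"not in /.../realm/principal form: {dce_name!r}")
    realm, sep, name = dce_name[len(DCE_PREFIX):].partition("/")
    if not sep or not realm or not name:
        raise ValueError(f"not in /.../realm/principal form: {dce_name!r}")
    return f"{name}@{realm}"


def originating_identity(service_name, authenticated_identity):
    """Map one X500NAME (service name, identity) pair to (mechanism, originator).

    Kerberos identities are normalised back to principal@REALM so the same
    user is keyed the same way regardless of which form a consumer expects.
    """
    mechanism = SERVICE_TO_MECHANISM.get(service_name)
    if mechanism is None:
        raise ValueError(f"unknown X500NAME service name: {service_name!r}")
    if mechanism == "Kerberos":
        return mechanism, dce_to_kerberos(authenticated_identity)
    return mechanism, authenticated_identity


def originators_by_mvs_user(events):
    """For each MVS userid, the sorted list of distinct originators seen behind it.

    A userid with more than one entry is one the MVS userid alone cannot
    attribute; the X500NAME data is what separates the callers.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev["mvs_user"]].add(originating_identity(ev["service"], ev["identity"]))
    return {user: sorted(origins) for user, origins in seen.items()}


def non_mvs_events(events):
    """Events whose originator is not an MVS userid (role name, Kerberos or
    custom registry principal): the ones that need the X500NAME to be traced."""
    return [ev for ev in events
            if originating_identity(ev["service"], ev["identity"])[0] not in MVS_BASED]


# Constructed sample events (not real SMF data): two custom registry users
# share the MVS userid WSGUEST, so only the X500NAME tells them apart.
SAMPLE_EVENTS = [
    {"time": "09:00:01", "mvs_user": "WSSRV1", "service": "WebSphere Server Credential", "identity": "WSSRV1"},
    {"time": "09:00:02", "mvs_user": "ALICE", "service": "Kerberos for WebSphere Application Server", "identity": "/.../EXAMPLE.COM/alice"},
    {"time": "09:00:03", "mvs_user": "WSGUEST", "service": "WebSphere Custom Registry", "identity": "bob"},
    {"time": "09:00:04", "mvs_user": "WSGUEST", "service": "WebSphere Custom Registry", "identity": "carol"},
    {"time": "09:00:05", "mvs_user": "WSROLE1", "service": "WebSphere Role Name", "identity": "Administrator"},
    {"time": "09:00:06", "mvs_user": "DAVE", "service": "WebSphere Authorized Login", "identity": "DAVE"},
]

if __name__ == "__main__":
    for user, origins in sorted(originators_by_mvs_user(SAMPLE_EVENTS).items()):
        print(user, "<-", ", ".join(f"{m}:{i}" for m, i in origins))
    print(len(non_mvs_events(SAMPLE_EVENTS)), "events need the X500NAME to trace the originator")
```

Run against the sample, WSGUEST resolves to two different custom registry principals, which is exactly the case the paragraph above is concerned with: a report keyed only on the MVS userid would merge bob's and carol's activity. An unknown service name raises rather than being silently dropped, so a record whose X500NAME was not populated as Table 1 describes is surfaced instead of lost.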



Related tasks
Collecting job-related information with the System Management Facility (SMF)
Related information
MVS System Management Facilities (SMF)
z/OS Security Server RACF Auditor's Guide
Reference topic


Last updated: Feb 5, 2014 9:49:51 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=rtrb_SMFusingaudit
File name: rtrb_SMFusingaudit.html