This topic applies only on the z/OS operating system.

Updating system login configurations to perform a System Authorization Facility identity user mapping

Use this task to modify configurations to perform System Authorization Facility (SAF) identity mapping.

Before you begin

About this task

A mapping module must be placed in the Java™ Authentication and Authorization Service (JAAS) configuration to provide the mapping from a non-local operating system registry to a SAF user ID. The com.ibm.ws.security.common.auth.module.MapPlatformSubject login module follows this mapping module in the configuration. You can do this using either the Simple WebSphere® Authentication Mechanism (SWAM) or the Lightweight Third Party Authentication (LTPA) authentication mechanism.

Refer to Selecting an authentication mechanism for more information. Refer to Java Authentication and Authorization Service for more information.
Note: SWAM is deprecated in WebSphere Application Server Version 7.0 and will be removed in a future release.

Application login configurations do not require changes to modify configurations to perform SAF identity mapping. The WebSphere application login configuration entry WSLogin, calls a system login module that is configured as the default, which performs the mapping if SAF authorization is required.

To modify configurations to perform System Authorization Facility (SAF) identity mapping and if WebSphere Application Server is configured, you must take the following steps.

Procedure

Results

What to do next

When LTPA is configured, if you are mapping the WebSphere Application Server registry to a SAF user ID, the following system login configuration entries must be configured to provide the user mapping:

WEB_INBOUND
The WEB_INBOUND login configuration handles logins for Web application requests, including servlets and JavaServer pages (JSP). This login configuration interacts with the output object that is generated from a trust association interceptor (TAI) if configured. The Subject that is passed into the WEB_INBOUND login configuration can contain objects that are generated by the TAI.

WebSphere Application Server administrative console requests and a subset of administrative functions, including file transfer, authenticate using this login configuration entry.

RMI_INBOUND
The RMI_INBOUND login configuration handles logins for inbound RMI requests. Typically, these logins are requests for authenticated access to Enterprise JavaBeans™ (EJB) files, and can be performed as Java Management Extensions (JMX) requests when using the RMI connector.
DEFAULT
The DEFAULT login configuration handles the logins for inbound requests made by most other protocols and internal authentications, such as communication between a z/OS® controller and servant processes after an initial authentication request is performed.
When SWAM is configured and you are mapping the WebSphere Application Server user registry to a SAF identity, configure the following system login configuration entry to provide the user mapping:
Note: SWAM is deprecated in WebSphere Application Server Version 7.0 and will be removed in a future release.
SWAM
This entry is used for all authentication when SWAM is selected.



In this information ...


IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic    

Terms of Use | Feedback

Last updated: Oct 21, 2010 10:04:34 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=tsec_syslogconfsaf
File name: tsec_syslogconfsaf.html