WebSphere® Application
Server for z/OS® supports
access to resources by clients and servers in a distributed environment.
Determine how to control access to these resources and prevent inadvertent
or malicious destruction of the system or data.
These are the pieces in the distributed network that you must consider:
- You must authorize servers to the base operating system services in z/OS.
These services include System Authorization Facility (SAF) security, database
management, and transaction management.
- For the server clusters, you must distinguish between controllers and
servants. Controllers run authorized system code, so they are trusted. Servants
run application code and are given access to resources, so carefully consider
the authorization you give servants.
- You must also distinguish between the level of authority for run-time
servers and for your own application servers have. For example, the node
needs the authority to start other clusters, while your own application clusters
do not need this authority.
- You must authorize clients (users) to servers and objects within servers.
The characteristics of each client requires special consideration:
- Is the client on the local system or is it remote? The security of the
network becomes a consideration for remote clients.
- Will you allow unidentified (unauthenticated) clients to access the system?
Some resources on your system might be intended for public access, while others
you might need to protect. To access protected resources, clients must establish
their identities and have authorization to use those resources.
- Authentication is the process of establishing the identity of a
client in a particular context. A client can be an end user, a machine, or
an application. The term authentication mechanism in WebSphere Application Server on z/OS refers
more specifically to the facility in which WebSphere identifies an authenticated
identity, using HTTP and Java™ Management Extensions (JMX) facilities.
When configuring a cell, you must select an authentication mechanism. The
choices for authentication mechanism include:
- Information about users and groups reside in a user registry. In WebSphere Application
Server, a user registry authenticates a user and retrieves information about
users and groups to perform security-related functions, including authentication
and authorization. Implementation is provided to support multiple operating
system or operating environment-based user registries. When configuring a
cell, you must select a single user registry. The user registry can be local
or remote. The choices for user registry include:
- SAF-based local registry (default when a z/OS security product is chosen
for administrative security during customization)
- Standalone Lightweight Directory Access Protocol (LDAP) registry - LDAP
can be either a local or remote registry
- Standalone custom user registry - A custom user registry is set up to
meet unique registry needs. WebSphere Application Server provides a simple
user registry sample called the FileBasedRegistrySample.
- Federated repositories (default when the WebSphere Application Server is chosen
for administrative security during customization)
If you need to protect resources, it is critical that you identify who
accesses those resources. Thus, any security system requires client (user)
identification, also known as authentication. In a distributed network supported
by WebSphere Application
Server for z/OS,
clients can access resources from:
- Within the same system as a server
- Within the same sysplex as the server
- Remote z/OS systems
- Heterogeneous systems, such as WebSphere Application Server on distributed
platforms, Customer Information Control System (CICS®), or other Java Platform,
Enterprise Edition-compliant systems.
Additionally, clients can request a service that requires a server to forward
the request to another cluster. In such cases, the system must handle delegation,
the availability of the client identity for use by intermediate clusters and
target clusters.
Finally, in a distributed network, how do you verify that messages being
passed are confidential and have not been tampered? How do you verify that
clients are who they claim to be? How do you map network identities to z/OS identities?
These issues are addressed by the following support in WebSphere Application Server for z/OS:
- The use of Secure Sockets Layer (SSL) and digital certificates
- Kerberos
- Common Secure Interoperability, Version 2 (CSIv2)
- Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)