System Authorization Facility (SAF) user registries are used for several purposes in WebSphere® Application Server for z/OS®.
Using a local operating system or non-local operating system registry implementation, the WebSphere Application Server for z/OS authentication mechanism can use SAF interfaces. SAF interfaces are defined by MVS™ to enable applications to use system authorization services or user registries to control access to resources such as data sets and MVS commands. SAF either processes security authorization requests directly or works with RACF®, or other security products, to process the requests. Note that a local operating system SAF user registry is not a centralized registry in the way that a Lightweight Directory Access Protocol (LDAP) directory is, but it is centralized within a sysplex.
With WebSphere Application Server for z/OS, SAF user registries provide digital certificate to user ID mappings using the Resource Access Control Facility (RACF) RACDCERT command. For more information on the RACDCERT command, refer to z/OS Security Server RACF Command Language Reference (SA22-7687-05), available at http://www.ibm.com/servers/eserver/zseries/zos/bkserv/r5pdf/secserv.html.
The WebSphere Application Server for z/OS localOS User Registry (SAF User Registry) implementation sets the registry realm name from the SAFDFLT profile in the REALM class when the REALM class is active and the SAFDFLT profile is defined. The realm name is specified as the APPLDATA property of the SAFDFLT profile. If the realm name cannot be obtained from the OS security product (such as RACF), the value of protocol_iiop_daemon_listenIPAddress is used instead. This fallback occurs, for example, if the REALM class is not active or if the SAFDFLT profile is not defined.
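The two conditions for the realm lookup described above can be checked and satisfied with standard RACF commands. This is an added example, not taken from the IBM documentation; it assumes RACF is the security product and that the issuer has authority to define REALM profiles and change SETROPTS options, and REALM.EXAMPLE.COM is a constructed placeholder realm name.

```tso
/* Added example, written as CLIST-style lines.                        */
/* REALM.EXAMPLE.COM is a constructed placeholder, not a real realm.   */

/* 1. Is the REALM class active? Look for REALM in the ACTIVE CLASSES  */
/*    section of the output.                                           */
SETROPTS LIST

/* 2. Is the SAFDFLT profile defined, and what APPLDATA (realm name)   */
/*    does it hold? A "not found" response means the registry falls    */
/*    back to protocol_iiop_daemon_listenIPAddress.                    */
RLIST REALM SAFDFLT ALL

/* 3. If the profile is missing, define it with the realm name in      */
/*    APPLDATA.                                                        */
RDEFINE REALM SAFDFLT APPLDATA('REALM.EXAMPLE.COM')

/*    If the profile exists but holds the wrong value, alter it        */
/*    instead of defining it.                                          */
RALTER REALM SAFDFLT APPLDATA('REALM.EXAMPLE.COM')

/* 4. If the REALM class was not active in step 1, activate it.        */
SETROPTS CLASSACT(REALM)

/* 5. Confirm that the profile now carries the intended APPLDATA.      */
RLIST REALM SAFDFLT ALL
```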
Refer to Selecting a registry or repository for general information about selecting user registries.