Use this task to add a custom System Authorization Facility
(SAF) mapping module to one of the system login modules by using the
administrative console.
Before you begin
To
use a pluggable login module to perform Java™ Platform,
Enterprise Edition (Java EE)
identity to Resource Access Control Facility (RACF®)
user mapping, you must configure a pluggable mapping module, followed
by configuring the WebSphere® Application Server
for z/OS-supplied module, com.ibm.ws.security.common.auth.module.MapPlatformSubject,
in the appropriate Java Authentication and Authorization
Service (JAAS) system login configurations. When SAF Authorization or Synch
to OS Thread is configured, this approach enables an installation
to configure the active WebSphere Application Server
registry as either a standalone Lightweight Directory Access Protocol
(LDAP) registry or a standalone custom registry.
In earlier releases, WebSphere Application Server did not support
a local operating system registry on any platform under the federated
repository functionality, so a SAF-managed RACF registry could not be
used with federated repositories. This restriction no longer applies:
a SAF-managed RACF registry is now supported under the federated repository
functionality. To configure the SAF mapping module to use federated
repositories with a SAF user registry adapter for SAF authorization,
see Configuring a custom System Authorization Facility mapping module
for federated repositories.
Before
proceeding, make sure you know how to write a mapping module to get
a SAF identity. For more information, refer to Writing a custom System Authorization Facility (SAF) mapping module with non-local operating system. If you use
anything other than the shipped sample, you must build the relevant classes
and install them into the <WAS_HOME>/classes directory
on every node in the cell, including the deployment manager node.
If Java 2 security is enabled, also update the server.policy file so that
the mapping module's classes are granted the permissions they need; a
module that lacks them fails during the JAAS login rather than at deployment.
About this task
The custom SAF mapping module (either com.ibm.websphere.security.SampleSAFMappingModule
or a customer-written mapping module) must be added to each of the
required system login module entries, and then moved manually to the
second-to-last position in that entry's login module order, immediately
before com.ibm.ws.security.common.auth.module.MapPlatformSubject.
The admin console appends a new module to the end of the list, so the
reordering step is not optional.
Note: For a base (stand-alone) configuration, if you select SWAM as your
authentication mechanism, update the SWAM entry. If you plan to
use LTPA as your authentication mechanism, set up all four system
login module entries. For a WebSphere Application Server, Network Deployment configuration, you
only need to configure the LTPA authentication mechanism configuration
entries.
Procedure
- Configure the supplied com.ibm.ws.security.common.auth.module.MapPlatformSubject
login module:
- Click Security > Global security.
- Under Java Authentication
and Authorization Service, click System logins > login_module_name.
- Under Additional properties, click JAAS login modules
> New.
- Enter the class name: com.ibm.ws.security.common.auth.module.MapPlatformSubject.
- Click Apply to add the new module to the login
module list.
- Configure the custom mapping module:
- Click Security > Global security.
- Under Java Authentication
and Authorization Service, click System logins > login_module_name.
- Under Additional properties, click JAAS login modules >
New.
- Enter the class name of the custom login module in the Module
class name field. (Use com.ibm.websphere.security.SampleSAFMappingModule
for the shipped sample module.)
- Click Apply to add the new module to the login
module list.
- Click Security > Global security.
- Under Authentication, expand Java Authentication
and Authorization Service and click System logins > login_module_name.
- Under Additional properties, click JAAS login modules >
Set Order. The newly added mapping module normally appears at the end of the
list. It must come after com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule,
which establishes the WebSphere principal the mapping module reads, and
before com.ibm.ws.security.common.auth.module.MapPlatformSubject, which
consumes the SAF identity the mapping module produces. If the order is
wrong, the SAF identity is not mapped and authorization decisions are made
against the wrong (or no) user ID.
Note: For WebSphere Application Server Version 6.1,
the com.ibm.ws.security.common.auth.module.MapPlatformSubject login
module must also be added, because it is not present by default.
- Select the box next to the new mapping module and then
click Move up. When the mapping modules are in the correct
order, click Apply, then Save, and Save (be sure
to select Synchronize changes with Nodes if you are working
with a WebSphere Application Server, Network Deployment cell).
What to do next
Make these changes for each of the system login modules
needed for your WebSphere Application Server for z/OS® configuration.
The choice of which system login modules are needed is based on your
authentication mechanism (SWAM or LTPA).
Note: If the SAF identity
mapping module you installed has configurable properties, you can
set them by creating custom properties on the module in the JAAS system logins
panel of the administrative console; they are passed to the module as its
JAAS options. Use the following example if you used
SampleSAFMappingModule as a prototype and changed its else clause to provide
custom mapping logic. In this case, you must create the useWSPrincipalName
custom property and set it to false for each JAAS login configuration that
uses the modified SampleSAFMappingModule; otherwise the module keeps using
the WebSphere principal name as the SAF user ID instead of your mapping logic.
- Click Security > Global security.
- Under Java Authentication and Authorization
Service, click System logins > login_module_name.
- Under Additional properties, click JAAS login modules > com.ibm.websphere.security.SampleSAFMappingModule.
- Under Additional properties, click Custom Properties > New.
- Enter the custom property name useWSPrincipalName and
the value false.
- Click Apply, Save, and Save.
Repeat this process for each of the system login modules
that use the modified SampleSAFMappingModule.
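The ordering rule from the Procedure (mapping module after wsMapDefaultInboundLoginModule, immediately before MapPlatformSubject, which is last) and the useWSPrincipalName custom property from the note above are easy to get wrong across several system login entries and many nodes. The following script is an added example, not part of the IBM documentation or of WebSphere: it parses the <systemLoginConfig> section of a cell's security.xml and reports every entry that violates either rule. The element and attribute names (entries/alias, loginModules/moduleClassName, options/name/value) are an assumption about the security.xml layout; compare them with your own cell's file before trusting the check. The embedded XML is a constructed sample with one correctly ordered entry and one where the new module was left at the end of the list.

```python
"""Verify JAAS system login module order for the SAF mapping module.

Added example (not IBM code). Assumption: security.xml stores each system
login entry as <entries alias="..."> containing ordered <loginModules
moduleClassName="..."> elements, with custom properties as <options>.
"""
import xml.etree.ElementTree as ET

DEFAULT_INBOUND = "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule"
MAP_PLATFORM_SUBJECT = "com.ibm.ws.security.common.auth.module.MapPlatformSubject"
SAMPLE_MAPPING_MODULE = "com.ibm.websphere.security.SampleSAFMappingModule"

# Constructed sample: WEB_INBOUND is ordered as the task requires;
# RMI_INBOUND shows the default state after clicking New (module appended last).
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <systemLoginConfig>
    <entries alias="WEB_INBOUND">
      <loginModules moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules moduleClassName="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules moduleClassName="com.ibm.websphere.security.SampleSAFMappingModule" authenticationStrategy="REQUIRED">
        <options name="useWSPrincipalName" value="false"/>
      </loginModules>
      <loginModules moduleClassName="com.ibm.ws.security.common.auth.module.MapPlatformSubject" authenticationStrategy="REQUIRED"/>
    </entries>
    <entries alias="RMI_INBOUND">
      <!-- misordered: Set Order / Move up was never done -->
      <loginModules moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules moduleClassName="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule" authenticationStrategy="REQUIRED"/>
      <loginModules moduleClassName="com.ibm.ws.security.common.auth.module.MapPlatformSubject" authenticationStrategy="REQUIRED"/>
      <loginModules moduleClassName="com.ibm.websphere.security.SampleSAFMappingModule" authenticationStrategy="REQUIRED"/>
    </entries>
  </systemLoginConfig>
</security:Security>
"""


def login_entries(xml_text):
    """Return {alias: [(moduleClassName, {option: value}), ...]} in configured order."""
    root = ET.fromstring(xml_text)
    entries = {}
    for entry in root.iter("entries"):
        modules = []
        for lm in entry.findall("loginModules"):
            opts = {o.get("name"): o.get("value") for o in lm.findall("options")}
            modules.append((lm.get("moduleClassName"), opts))
        entries[entry.get("alias")] = modules
    return entries


def check_entry(modules, mapping_module=SAMPLE_MAPPING_MODULE, require_custom_logic=False):
    """Return a list of problems for one entry; an empty list means it matches the task."""
    names = [name for name, _ in modules]
    problems = [f"missing {m}" for m in (DEFAULT_INBOUND, mapping_module, MAP_PLATFORM_SUBJECT)
                if m not in names]
    if problems:
        return problems
    i_default = names.index(DEFAULT_INBOUND)
    i_map = names.index(mapping_module)
    i_platform = names.index(MAP_PLATFORM_SUBJECT)
    if i_map <= i_default:
        problems.append("mapping module must come after wsMapDefaultInboundLoginModule")
    if i_map != i_platform - 1:
        problems.append("mapping module must be second-to-last, immediately before MapPlatformSubject")
    if i_platform != len(names) - 1:
        problems.append("MapPlatformSubject must be the last module in the entry")
    if require_custom_logic:
        # Only needed when the sample's else clause was replaced with custom logic.
        options = dict(modules).get(mapping_module, {})
        if options.get("useWSPrincipalName") != "false":
            problems.append("custom property useWSPrincipalName=false is not set on the mapping module")
    return problems


def check_all(xml_text, mapping_module=SAMPLE_MAPPING_MODULE, require_custom_logic=False):
    """Return {alias: [problems]} for every system login entry in the file."""
    return {alias: check_entry(modules, mapping_module, require_custom_logic)
            for alias, modules in login_entries(xml_text).items()}


if __name__ == "__main__":
    for alias, problems in check_all(SAMPLE_SECURITY_XML, require_custom_logic=True).items():
        print(f"{alias}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the exported security.xml of each node after Save and Synchronize changes with Nodes, so the check covers the copy each server actually reads, not only the deployment manager's master configuration. Pass require_custom_logic=True only when the mapping module is a modified SampleSAFMappingModule that expects useWSPrincipalName=false.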