To control access to WebSphere® Application Server for z/OS resources:
- As a general rule, give greater authority to controllers and less authority to servants.

Table 1. Level of trust and authority for regions. This table indicates the level of trust and authority for regions.

| Region | Level of trust and access authority |
|---|---|
| Controller | Contains WebSphere Application Server for z/OS system code; trusted, runs APF-authorized; contains communication ports and manipulates System Authorization Facility (SAF) client identities |
| Servant | Contains WebSphere Application Server for z/OS system code, application code, and pluggable service providers (such as JDBC drivers); supports Java™ 2 Security to protect sensitive data and system services; untrusted |
- Regarding the WebSphere Application Server for z/OS run-time clusters, the general rule is to give less authority to the location service daemon and greater authority to the node, as explained in the table below:

Table 2. Assigning authorities to WebSphere Application Server for z/OS run-time cluster control and servants. This table lists the required authorities for z/OS run-time cluster control and servants.

| Run-time cluster | Region | Required authorities |
|---|---|---|
| Location service daemon | Control | STARTED class; access to Workload Manager (WLM) services; access to DNS; OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other clusters; IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING in the FACILITY class (SSL) |
| Node | Control | STARTED class |
| Controller | Control | SSL; Kerberos; READ authority to the SERVER class; OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other servers |
| Servant | Control | The following classes: OTMA, SERVER, DSNR, DATASET, SURROGATE, STARTED, LOGSTREAM |
- Remember to protect the Resource Recovery Services (RRS) log streams. By default, UACC is READ.
- Protect the WebSphere Application Server for z/OS properties XML files, especially if they contain passwords. For more information, see the WebSphere Application Server variables in the administrative console or the documentation.
- Deployment Manager also needs permission to start and stop servers.
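The RACF commands below are an added illustration, not part of the IBM documentation or product samples. They implement three of the rows above: the location service daemon's STARTED class entry (run as not trusted), its READ-only FACILITY access for SSL, and the RRS log stream protection (replacing the default UACC of READ). Every name in angle brackets is a placeholder for this installation's own value, and the UPDATE access level for the servant's log stream access is an assumption to verify against the RRS documentation for your release.

```racf
/* Added example, not from the IBM page. Placeholders in <...> are     */
/* installation-specific; substitute your own procedure, user ID,     */
/* group and log stream names.                                         */

/* Location service daemon: STARTED class entry. TRUSTED(NO) keeps the */
/* daemon at the lower authority the table above calls for.            */
RDEFINE STARTED <DAEMON-PROC>.* STDATA(USER(<DAEMON-ID>) GROUP(<WAS-GROUP>) TRUSTED(NO))

/* Location service daemon: SSL keyring access in FACILITY, READ only. */
PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(<DAEMON-ID>) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(<DAEMON-ID>) ACCESS(READ)

/* RRS log streams: default UACC is READ; set UACC(NONE) and permit   */
/* only the servant region. ACCESS(UPDATE) is an assumption; confirm   */
/* the required level in the RRS documentation.                        */
RDEFINE LOGSTREAM <RRS-LOGSTREAM-PREFIX>.** UACC(NONE)
PERMIT  <RRS-LOGSTREAM-PREFIX>.** CLASS(LOGSTREAM) ID(<SERVANT-ID>) ACCESS(UPDATE)

/* Activate the changes for RACLISTed classes and generic profiles.    */
SETROPTS RACLIST(FACILITY STARTED) REFRESH
SETROPTS GENERIC(LOGSTREAM) REFRESH

/* Check: list who holds access to the log stream profile. The output */
/* should show UACC NONE and only <SERVANT-ID> in the access list.     */
RLIST LOGSTREAM <RRS-LOGSTREAM-PREFIX>.** AUTHUSER
```

Run the RLIST check after the refresh; an unexpected ID in the access list, or a UACC other than NONE, means the default READ access on the log streams has not actually been removed.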