The distributed identity mapping feature using System Authorization Facility (SAF) for z/OS® provides some major benefits, and is new in this version of WebSphere® Application Server.
Your z/OS security product must be at the appropriate version that supports the distributed identity mapping. The correct SAF version is 7760 or later. For Resource Access Control Facility (RACF®), you must be at z/OS version 1.11 or later.
The advantages of using distributed identity mapping are that the SMF audit records will contain both the distributed user and the SAF user, and that the mapping is controlled by the z/OS Security administrator.
When mapping a non-Local OS registry user, the distributed user name is the value returned by the WebSphere Application Server WSCredential.getUniqueSecurityName() API. The realm name is determined by the WebSphere Application Server WSCredential.getRealmName() API.
To enable distributed identity mapping for this scenario, no further changes are needed in the security configuration.
The advantage of using distributed identity mapping is that the SMF records will contain both the Kerberos user and the mapped SAF user.
When mapping a Kerberos user, the distributed user name is the Kerberos principal name. The realm name is the Kerberos realm name of the Kerberos Key Distribution Center (KDC). For more information on creating distributed identity filters in the z/OS security product, read the Distributed identity filters configuration in z/OS security topic.
To enable distributed identity mapping for this scenario, you must select the radio button for "Use the RACMAP profiles in the SAF product for distributed identity mapping" on the Kerberos authentication settings page of the administrative console. To make this change with wsadmin scripting, set the security custom property com.ibm.websphere.security.krb.useRACMAPMappingToSAF=true.
In previous releases, the first attribute of the asserted DN name was mapped to a SAF user. The advantages of using distributed identity mapping for an asserted DN are the added flexibility for mapping users, that the mapping is controlled by the z/OS security administrator, and that the SMF audit records will contain both the asserted DN name and the mapped SAF user ID. In previous releases, an asserted certificate was mapped to a SAF user by using the RACDCERT MAP function in SAF. The advantage of using distributed identity mapping for an asserted certificate is that the SMF audit records will contain both the certificate DN name and the mapped SAF user ID. Additionally, the SAF database saves space by not having to store the digital certificates.
When mapping an asserted certificate or DN name in SAF, the distributed user is the DN name and the realm name is the current SAF realm.
To enable distributed identity mapping for this scenario, you must select the check box for "Map certificate and DN using SAF distributed identity mapping" on the Common Secure Interoperability Version 2 inbound communications settings panel of the administrative console. To make this change with wsadmin scripting, set the security custom property com.ibm.websphere.security.certdn.useRACMAPMappingToSAF=true.
In previous releases, a certificate was mapped to a SAF user by using the RACDCERT MAP function in SAF. The advantage of using the distributed identity mapping is that the SMF audit records will contain both the certificate DN name and the mapped SAF user ID.
When mapping a certificate received in the CSIv2 transport layer, the distributed user is the DN name and the realm name is the current SAF realm. Additionally, the SAF database saves space by not having to store the digital certificates.
To enable distributed identity mapping for this scenario, you must select the check box for "Map certificate using SAF distributed identity mapping" on the Common Secure Interoperability Version 2 inbound communications settings panel of the administrative console. To make this change with wsadmin scripting, set the security custom property com.ibm.websphere.security.certificate.useRACMAPMappingToSAF=true.
Scenario | SAF version | User registry | SAF authorization=true or SyncToThread=true or runAs=true? | JAAS mapping module configured? | Kerberos or SPNEGO enabled? |
---|---|---|---|---|---|
Scenario 1 | 7760 or later (z/OS 1.11 or later for RACF) | non-Local OS | yes | no | n/a |
Scenario 2 | 7760 or later (z/OS 1.11 or later for RACF) | Local OS | yes | no | yes |
Scenario 3 | 7760 or later (z/OS 1.11 or later for RACF) | Local OS | yes | no | n/a |
Scenario 4 | 7760 or later (z/OS 1.11 or later for RACF) | Local OS | yes | no | n/a |
When you configure distributed identity mapping, you must complete the following actions:
When configuring the SAF distributed identity mapping feature at the security domain level, note the realm name for that domain. You can choose to provide a realm name or to use the system-generated realm name. Regardless of which option you choose, this is the realm name that you must use when defining the mappings in the SAF registry.
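The following is an added illustration, not code from the WebSphere Application Server product or its documentation. It models how each scenario above turns a credential into the (distributed user, realm) pair that SAF looks up in its RACMAP filters, and why the realm recorded in the filter must match exactly. The credential shapes, the filter records and the exact-match rule are assumptions made for the example; real RACMAP filters can be broader than an exact name.

```python
# Added example: model of WebSphere -> SAF distributed identity mapping.
# Assumption: filters match on exact distributed user name and realm.

def distributed_identity(cred, saf_realm):
    """Return (distributed user, realm) as each scenario on the page defines it."""
    kind = cred["kind"]
    if kind == "non-local-os":
        # WSCredential.getUniqueSecurityName() and WSCredential.getRealmName()
        return cred["unique_name"], cred["realm"]
    if kind == "kerberos":
        # Kerberos principal name and the realm of the KDC
        return cred["principal"], cred["kdc_realm"]
    if kind in ("asserted-dn", "certificate"):
        # DN name, and the realm is the current SAF realm
        return cred["dn"], saf_realm
    raise ValueError("unknown credential kind: %s" % kind)


def map_to_saf_user(cred, filters, saf_realm):
    """Look the pair up in the RACMAP-style filters; None when nothing matches.
    A filter whose registry (realm) differs from what WebSphere presents
    never matches, even if the user name is identical."""
    user, realm = distributed_identity(cred, saf_realm)
    for f in filters:
        if f["user_filter"] == user and f["registry"] == realm:
            return f["saf_user"]
    return None


def audit_record(cred, filters, saf_realm):
    """Mimic what the SMF record carries: both identities, not just one."""
    user, realm = distributed_identity(cred, saf_realm)
    return {"distributed_user": user, "registry": realm,
            "saf_user": map_to_saf_user(cred, filters, saf_realm)}


# Constructed filters; the registry value plays the role of RACMAP REGISTRY(NAME(...)).
FILTERS = [
    {"saf_user": "WASKRB1", "user_filter": "alice@EXAMPLE.COM", "registry": "EXAMPLE.COM"},
    {"saf_user": "WASCRT1", "user_filter": "CN=svc,O=Example", "registry": "SAFREALM"},
    {"saf_user": "WASLDP1", "user_filter": "uid=bob,o=ldap", "registry": "ldap.example:389"},
]

if __name__ == "__main__":
    krb = {"kind": "kerberos", "principal": "alice@EXAMPLE.COM", "kdc_realm": "EXAMPLE.COM"}
    print(audit_record(krb, FILTERS, "SAFREALM"))
    # Same principal, wrong realm in the filter: no SAF user is found.
    print(audit_record(dict(krb, kdc_realm="OTHER.COM"), FILTERS, "SAFREALM"))
```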