Roles for Enterprise JavaBeans and web applications, and servlets
Roles are associated with Java Platform, Enterprise Edition (Java EE) applications. Modules within the applications refer to roles using the role reference that points to the application role. Access to web applications, servlets, or EJB methods is based upon the user or caller. Roles are associated with web applications, servlets, or enterprise beans at assembly time. The role needed to use a servlet or EJB method is named in the application's deployment descriptors.
Which users and groups have which roles is determined using RACF profiles in the EJBROLE class (if SAF authorization is selected). If a user is in the access list of an EJBROLE profile, the user has that role. If a group is in the access list of an EJBROLE profile, users in that group have that role. If the EJBROLE profile has ACCESS(READ), all users have that role.
The SAF profile prefix (previously referred to as z/OS® security domain), if specified, becomes a prefix used by WebSphere® Application Server for z/OS and RACF when checking EJBROLE profiles. This provides WebSphere SAF profile prefix-level granularity of roles.
Test cell has Security Domain=TEST
Production cell has Security Domain=PROD
For example, an application using role Clerk is deployed on both cells. On the test cell, users need READ access to the EJBROLE profile TEST.Clerk. On the production cell, users need READ access to the EJBROLE profile PROD.Clerk.
The following profiles are defined in the RACF EJBROLE class for administrative authorization: administrator, configurator, monitor, operator, deployer, adminsecuritymanager, and auditor.
Refer to System Authorization Facility for role-based authorization for more information on how SAF can be used for Java EE-based role authorization.
Using the RACF profiles
It is important to understand the security mechanisms used to protect the server resources using the CBIND, SERVER, and STARTED classes in RACF (or your equivalent security product). You must also understand the techniques for managing the security environment.
Basic information about the RACF profiles used by WebSphere Application Server for z/OS can be found in the SAF-based authorization. This section adds some additional details about the CBIND, SERVER, FACILITY, SURROGAT, and STARTED class profiles.
User IDs and Group IDs
CR = Controller Region
SR = Servant Region
CFG = Configuration (group)
server = server short name
cluster = generic server (short) name (also called cluster transition name)

User ID | Group IDs
---|---
<CR_userid> | <CR_groupid>, <CFG_groupid>
<SR_userid> | <SR_groupid>, <CFG_groupid>
<demn_userid> | <demn_groupid>, <CFG_groupid>
<admin_userid> | <CFG_groupid>
<client_userid> | <client_groupid>
<ctracewtr_userid> | <ctracewtr_groupid>
Below are the various profiles used to protect the WebSphere Application Server for z/OS resources, along with the permissions and access levels.
Using CBIND class profiles
CBIND class profiles - access to generic servers: CB.BIND.<cluster> UACC(READ); PERMIT <CR_group> ACC(CONTROL)
CBIND class profiles - access to objects in servers: CB.<cluster> UACC(READ); PERMIT <CR_group> ACC(CONTROL)
With a SAF profile prefix:
CBIND class profiles - access to generic servers: CB.BIND.<profilePrefix>.<cluster> UACC(READ)
CBIND class profiles - access to objects in servers: CB.<profilePrefix>.<cluster> UACC(READ)

No SAF profile prefix | With a SAF profile prefix
---|---
CB.BIND.<cluster> | CB.BIND.<SAF profile prefix>.<cluster>
CB.<cluster> | CB.<SAF profile prefix>.<cluster>
Using SERVER class profiles
SERVER class profiles - access to controllers using static Application Environments: CB.<server>.<cluster> UACC(NONE); PERMIT <SR_userid> ACC(READ)
SERVER class profiles - access to controllers using dynamic Application Environments: CB.<server>.<cluster>.<cell> UACC(NONE); PERMIT <SR_userid> ACC(READ)

RDEFINE SERVER CB.<server>.<cluster> UACC(NONE)
PERMIT CB.<server>.<cluster> CLASS(SERVER) ID(<SR_userid>) ACCESS(READ)
For this example, server = server name, cluster = cluster name (or the cluster transition name if a cluster has not yet been created), and SR_userid is the MVS user ID for the servant region.

RDEFINE SERVER CB.<server>.<cluster>.<cell> UACC(NONE)
PERMIT CB.<server>.<cluster>.<cell> CLASS(SERVER) ID(<SR_userid>) ACCESS(READ)
For this example, server = server name, cluster = cluster name (or the cluster transition name if a cluster has not yet been created), cell = cell short name, and SR_userid is the MVS user ID for the servant region.
SERVER class profiles control whether a servant can call authorized routines in the associated controller.
No SAF profile prefix | With a SAF profile prefix
---|---
CB.<server>.<cluster> | CB.<SAF profile prefix>.<server>.<cluster>
CB.<server>.<cluster>.<cell> | CB.<SAF profile prefix>.<server>.<cluster>.<cell>
Using STARTED class profiles
STARTED class profiles (MGCRE) - for control regions, daemons, and node agents:
<CR_proc>.<CR_jobname> STDATA(USER(<CR_userid>) GROUP(<CFG_groupid>))
<demn_proc>.* STDATA(USER(<demn_userid>) GROUP(<CFG_groupid>))
STARTED class profiles (ASCRE) - for servant regions and adjuncts:
<SR_jobname>.<SR_jobname> STDATA(USER(<SR_userid>) GROUP(<CFG_groupid>))
STARTED class profiles for IJP (MGCRE):
<MQ_ssname>.* STDATA(USER(<IJP_userid>) GROUP(<CFG_groupid>)) - These IJPs do not exist in WAS 6.1
Using APPL class profiles
An APPL class profile controls whether an authenticated user can use any applications in the cell. If a SAF profile prefix is specified, the APPL class profile name will be the SAF profile prefix name. If SAF profile prefix is not specified, the APPL class profile name will be CBS390. Refer to System Authorization Facility considerations for the operating system and application levels.
The APPL class profile only takes effect when both the APPL class is active in RACF and when the option to use the APPL profile is enabled in WebSphere. The WebSphere option can be enabled or disabled from the administrative console by navigating to the SAF authorization options panel and setting the checkbox "Use APPL profile to restrict access to the server". For more information on this setting, read about z/OS System Authorization Facility authorization.
Creating multiple security configurations within a cell
You might require distinct sets of profiles within a given cell to separate logical WebSphere security domains in your enterprise (for example, test and production users).
You can define a SAF profile prefix during customization using the z/OS Profile Management Tool, the zpmt command, or the SAF Authorization options panel in the administration console.
Use the WebSphere Application Server for z/OS administrative console to set a SAF profile prefix under the SAF authorization options panel, which creates the following property in the security.xml file.
<properties xmi:id="Property_47" name="com.ibm.security.SAF.profilePrefix" value="<profile_prefix>" required="false"/>
Class | No SAF profile prefix | With a SAF profile prefix
---|---|---
CBIND | CB.BIND.<cluster> | CB.BIND.<profilePrefix>.<cluster>
CBIND | CB.<cluster> | CB.<profilePrefix>.<cluster>
EJBROLE | ApplicationRoleName | <profilePrefix>.ApplicationRoleName
APPL | CBS390 | <profilePrefix>
Generating new user IDs and Profiles for a new Server
If you want to use unique user IDs for each new application server, you must define these users, groups, and profiles in the RACF database.
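The profile-naming rules in the table above and the per-server profile definitions on this page, worked as an added example that is not IBM's code: given one server's identifiers and an optional SAF profile prefix, it derives the CBIND, SERVER, EJBROLE and APPL profile names and emits the matching RDEFINE/PERMIT commands. The sample identifiers (SY1, BBOC001, BBOS001, CBSYMCR, CBCRG1, CBSYMSR, TEST) are constructed, and UACC(NONE) for the APPL profile is an assumption, since the page gives no UACC for it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServerIds:
    cell: str                     # cell short name, e.g. SY1
    cluster: str                  # cluster (generic server) short name, e.g. BBOC001
    server: str                   # server short name
    cr_userid: str                # controller region user ID
    cr_groupid: str               # controller region group ID
    sr_userid: str                # servant region user ID
    prefix: Optional[str] = None  # SAF profile prefix; None = no prefix

# Constructed sample values (hypothetical identifiers, not from any real cell).
SAMPLE = ServerIds("SY1", "BBOC001", "BBOS001", "CBSYMCR", "CBCRG1", "CBSYMSR", prefix="TEST")

def _mid(ids: ServerIds) -> List[str]:
    # Prefix qualifier inserted after the CB / CB.BIND stem when a prefix is set.
    return [ids.prefix] if ids.prefix else []

def cbind_profiles(ids: ServerIds) -> List[str]:
    # CB.BIND.<cluster> (generic servers) and CB.<cluster> (objects in servers).
    return [".".join(["CB", "BIND", *_mid(ids), ids.cluster]),
            ".".join(["CB", *_mid(ids), ids.cluster])]

def server_profile(ids: ServerIds) -> str:
    # SERVER class profile for a static application environment.
    return ".".join(["CB", *_mid(ids), ids.server, ids.cluster])

def ejbrole_profile(ids: ServerIds, role: str) -> str:
    return f"{ids.prefix}.{role}" if ids.prefix else role

def appl_profile(ids: ServerIds) -> str:
    return ids.prefix or "CBS390"  # without a prefix the APPL profile is CBS390

def racf_commands(ids: ServerIds, roles: Dict[str, str]) -> List[str]:
    """RDEFINE/PERMIT commands; `roles` maps application role -> RACF group that holds it."""
    bind, obj = cbind_profiles(ids)
    srv = server_profile(ids)
    cmds = [f"RDEFINE CBIND {bind} UACC(READ)",
            f"PERMIT {bind} CLASS(CBIND) ID({ids.cr_groupid}) ACCESS(CONTROL)",
            f"RDEFINE CBIND {obj} UACC(READ)",
            f"PERMIT {obj} CLASS(CBIND) ID({ids.cr_groupid}) ACCESS(CONTROL)",
            f"RDEFINE SERVER {srv} UACC(NONE)",
            f"PERMIT {srv} CLASS(SERVER) ID({ids.sr_userid}) ACCESS(READ)",
            f"RDEFINE APPL {appl_profile(ids)} UACC(NONE)"]  # UACC assumed; PERMIT users separately
    for role, group in roles.items():  # READ on an EJBROLE profile grants the role
        prof = ejbrole_profile(ids, role)
        cmds += [f"RDEFINE EJBROLE {prof} UACC(NONE)",
                 f"PERMIT {prof} CLASS(EJBROLE) ID({group}) ACCESS(READ)"]
    cmds += [f"SETROPTS RACLIST({c}) REFRESH" for c in ("CBIND", "SERVER", "APPL", "EJBROLE")]
    return cmds
```

Running `racf_commands(SAMPLE, {"Clerk": "TESTCLK"})` yields the TEST.Clerk EJBROLE profile from the example earlier on this page; passing `prefix=None` yields the unprefixed names and the CBS390 APPL profile.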
Using FACILITY and SURROGAT class profiles (Synch to OS Thread Allowed option and the connection manager RunAs thread identity option)
RDEF FACILITY BBO.SYNC.<cell short name>.<cluster short name> UACC(NONE)
PE BBO.SYNC.<cell short name>.<cluster short name> CLASS(FACILITY) ID(<CR user ID>) ACC(READ or CONTROL)
RDEF SURROGAT BBO.SYNC.<Run-As user ID> UACC(NONE)
PE BBO.SYNC.<Run-As user ID> CLASS(SURROGAT) ID(<SR user ID>) ACC(READ)

RDEF FACILITY BBO.SYNC.SY1.BBOC001 UACC(NONE)
PE BBO.SYNC.SY1.BBOC001 CLASS(FACILITY) ID(CBSYMCR) ACC(READ)
RDEF SURROGAT BBO.SYNC.J2EEID UACC(NONE)
PE BBO.SYNC.J2EEID CLASS(SURROGAT) ID(CBSYMSR) ACC(READ)
Using FACILITY class profiles (Enabling Trusted Applications)
RDEF FACILITY BBO.TRUSTEDAPPS.<cell short name>.<cluster short name> UACC(NONE)
PE BBO.TRUSTEDAPPS.<cell short name>.<cluster short name> CLASS(FACILITY) ID(<CR userid>) ACC(READ)
The following generic example can be used for all servers:
RDEFINE FACILITY BBO.TRUSTEDAPPS.mycell01.** UACC(NONE)
PERMIT BBO.TRUSTEDAPPS.mycell01.** CLASS(FACILITY) ID(MYCBGROUP) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
The following example is for a specific server, that is, a system with a cell short name of SY1, a cluster short name (the server generic short name) of BBOC001, and a controller region user ID of CBSYMCR:
RDEF FACILITY BBO.TRUSTEDAPPS.SY1.BBOC001 UACC(NONE)
PE BBO.TRUSTEDAPPS.SY1.BBOC001 CLASS(FACILITY) ID(CBSYMCR) ACC(READ)
Using minimalist profiles
To minimize the number of users, groups, and profiles in the RACF data set, you can use one user ID, one group ID, and very generic profiles so they cover multiple servers in the same cell. This technique can also be used with Integral Java Message Service provider and WebSphere Application Server, Network Deployment configurations.