If you choose the Use the KERB segment of an SAF user profile radio button on the Kerberos panel of the WebSphere® Application Server administrative console, you must have your Local OS users mapped to a specific Kerberos principal.
To view the Kerberos administrative console page that contains the Use the KERB segment of an SAF user profile radio button, click Security > Global security. Under Authentication, click Kerberos configuration.
The first radio button on the Kerberos administrative console panel under Mapping Kerberos principal names to SAF identities, Do not use SAF profiles for mapping Kerberos principals to SAF identities, is selected by default; it uses neither RACMAP profiles nor the KERB segment for mapping.
The last two radio buttons under Mapping Kerberos principal names to SAF identities, Use the KERB segment of an SAF user profile and Use the RACMAP profiles in the SAF product for distributed identity mapping, should not be selected if you already have a JAAS mapping module configured.
There are two ways to map a Kerberos principal to a SAF identity, depending on whether the Kerberos principal is local or foreign. A Kerberos principal is local when it exists in the z/OS KDC of the same z/OS system as the RACF database.
For more information on using the ALTUSER command to configure your KDC, see z/OS V1R7.0 Integrated Security Services Network Authentication Service Administration.
You must not include the Kerberos realm name when specifying the local Kerberos principal name.
Mapping a local Kerberos principal:
ALTUSER USER1 PASSWORD(security) NOEXPIRED KERB(KERBNAME(kerberosUser1))
LISTUSER USER1 KERB NORACF
KERB INFORMATION
----------------
KERBNAME= kerberosUser1
KEY VERSION= 001
KEY ENCRYPTION TYPE= DES NODES3 NODESD
The ALTUSER command must be issued for every RACF user who needs to log in to WebSphere Application Server using Kerberos.
Mapping a foreign Kerberos principal:
You can map each principal in a foreign realm to its own user ID in RACF, or you can map all principals in a foreign realm to the same user ID in RACF. To map a foreign Kerberos principal to a RACF user, define a general resource profile in the KERBLINK class. Each mapping is defined and modified using the RDEFINE and RALTER commands.
For more information on using the KERBLINK class, see the z/OS Security Server RACF Security Administrator's Guide.
RDEFINE KERBLINK /.../FOREIGN.REALM.IBM.COM/foreignKerberosUser2 APPLDATA('USER2')
RLIST KERBLINK /.../FOREIGN.REALM.IBM.COM/foreignKerberosUser2
CLASS      NAME
-----      ----
KERBLINK   /.../FOREIGN.REALM.IBM.COM/foreignKerberosUser2

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    IBMUSER          NONE           ALTER       NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
USER2

AUDITING
--------
FAILURES(READ)

NOTIFY
------
NO USER TO BE NOTIFIED
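The realm-wide form of the KERBLINK mapping mentioned above, where every principal in a foreign realm maps to one RACF user ID, is not shown on this page; the following is an added example rather than text from the original, written as it would appear in a REXX exec (the /* */ lines are comments, not TSO commands), and the user IDs USER3 and USER4 are assumed values:

```text
/* Constructed example: map all principals in FOREIGN.REALM.IBM.COM to USER3 */
/* The profile name is the realm only, with no principal appended.           */
RDEFINE KERBLINK /.../FOREIGN.REALM.IBM.COM APPLDATA('USER3')

/* Verify the mapping; APPLICATION DATA should show USER3 */
RLIST KERBLINK /.../FOREIGN.REALM.IBM.COM

/* Change the target user ID of an existing mapping with RALTER */
RALTER KERBLINK /.../FOREIGN.REALM.IBM.COM APPLDATA('USER4')
```

The principal-specific profile for foreignKerberosUser2 defined above can coexist with the realm profile, so review both with RLIST when auditing which SAF identity a foreign principal receives.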