You can use a Java Authentication and Authorization Services (JAAS) login module to map a registry principal to the System Authorization Facility (SAF) user ID.
Note: If you are using the SAF distributed identity mapping feature, you do not need to configure a mapping module.
- A pluggable login module can set z/OS® well-defined attributes in the shared map during login.
- The com.ibm.websphere.security.SampleSAFMappingModule sample mapping module is provided by WebSphere® Application Server. This module sets the z/OS attributes that are defined in the shared state. This module must precede the com.ibm.ws.security.common.auth.module.MapPlatformSubject mapping module entry in the list of login modules.
The following well-defined attributes, which are used in WebSphere Application Server mapping, are defined in the com.ibm.wsspi.security.token.AttributeNameConstants class, which is available in the sas.jar file:
Use this attribute to set the value of the MVS user ID when an operation is performed that requires a z/OS SAF user ID. If a value is not specified, WebSphere Application Server uses the unauthenticated user to establish a SAF user ID. This SAF user ID must be a valid MVS user ID.
Use this attribute to indicate that the specified string is placed in the X500Name property when creating a Resource Access Control Facility (RACF®) access control environment element (ACEE). This attribute associates an audit string with a SAF user, which is displayed in a System Management Facility (SMF) record when either of the following actions is performed:
You can enter a maximum of 223 characters in this field. If the specified value is larger than 223 characters, only the first 223 characters are used. If this value is omitted, audit data is not added when building a principal. Any audit data recorded in this field is prefixed within the SMF audit record string "WebSphere Mapped Userid".
Use this optional field to indicate which principal class in a JAAS subject is returned when using the getCallerPrincipal and getUserPrincipal application programming interfaces (APIs).
This principal can be created by either of the following mechanisms:
- WebSphere Application Server runtime
- A JAAS login module
The default value of this field is com.ibm.websphere.security.auth.WSPrincipal. Using this default value returns the WebSphere Application Server principal name in the configured WebSphere Application Server registry.
To return a mapped SAF principal, specify com.ibm.ws.security.zos.Principal.
If a value is specified but no principal matches the specified CALLER_PRINCIPAL_CLASS value, the return value indicates an unauthenticated user. Calling getUserInRole returns a null value, and calling getCallerPrincipal() returns a string that indicates that the user is unauthenticated.
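The following is an added example, not the page's own code and not IBM's SampleSAFMappingModule: a minimal JAAS login module that maps a registry principal to a SAF user ID by placing the well-defined attributes in the shared state during login, and that applies the constraints the text describes (the 223-character audit string limit, the fallback to the unauthenticated identity when no mapping exists, and the CALLER_PRINCIPAL_CLASS setting that returns the mapped SAF principal). It assumes the constant names ZOS_USERID and ZOS_AUDIT_STRING on AttributeNameConstants (only CALLER_PRINCIPAL_CLASS is named on this page), that the attributes are put directly into the shared-state map, that the callback handler answers a standard NameCallback with the registry principal name, and a constructed in-memory mapping table in place of a real registry lookup. The MVS user ID syntax check is this example's own sanity check, not something the page specifies.

```java
package com.example.saf;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;

// Example mapping module (not IBM's SampleSAFMappingModule). Configure it so that
// it precedes com.ibm.ws.security.common.auth.module.MapPlatformSubject in the
// login configuration, as the page requires for a mapping module.
public class ExampleSafMappingModule implements LoginModule {

    // The page: audit strings longer than 223 characters are truncated to 223.
    private static final int MAX_AUDIT_LEN = 223;

    // Assumption (not from the page): an MVS user ID is 1-8 characters from
    // the SAF character set. Used here only as a sanity check on the mapping table.
    private static final Pattern MVS_USERID = Pattern.compile("[A-Z0-9#$@]{1,8}");

    // Constructed mapping table for illustration; a real module would consult
    // the configured registry or SAF itself.
    private static final Map<String, String> REGISTRY_TO_SAF = new HashMap<>();
    static {
        REGISTRY_TO_SAF.put("cn=alice,o=example", "ALICE1");
        REGISTRY_TO_SAF.put("cn=bob,o=example", "BOB1");
    }

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private boolean succeeded;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        // Assumption: the well-defined attributes go directly into the shared map.
        this.sharedState = (Map<String, Object>) sharedState;
    }

    @Override
    public boolean login() throws LoginException {
        String registryName = registryPrincipalName();
        String safUser = REGISTRY_TO_SAF.get(registryName);
        if (safUser == null) {
            // No mapping: leave ZOS_USERID unset. The page states that the server
            // then uses the unauthenticated user to establish the SAF user ID.
            succeeded = true;
            return true;
        }
        if (!MVS_USERID.matcher(safUser).matches()) {
            // Fail closed rather than hand SAF a malformed user ID.
            throw new LoginException("mapped value is not a valid MVS user ID: " + safUser);
        }
        sharedState.put(AttributeNameConstants.ZOS_USERID, safUser);
        // Audit string: recorded in the SMF record; truncated to the 223-character limit.
        sharedState.put(AttributeNameConstants.ZOS_AUDIT_STRING,
                        truncateAudit("registry=" + registryName));
        // Make getCallerPrincipal()/getUserPrincipal() return the mapped SAF principal.
        sharedState.put(AttributeNameConstants.CALLER_PRINCIPAL_CLASS,
                        "com.ibm.ws.security.zos.Principal");
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        return succeeded;
    }

    @Override
    public boolean abort() throws LoginException {
        succeeded = false;
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        succeeded = false;
        return true;
    }

    // Assumption: the callback handler supplies the registry principal via NameCallback.
    private String registryPrincipalName() throws LoginException {
        NameCallback nc = new NameCallback("registry principal: ");
        try {
            handler.handle(new Callback[] { nc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain registry principal: " + e.getMessage());
        }
        String name = nc.getName();
        if (name == null || name.isEmpty()) {
            throw new LoginException("no registry principal supplied");
        }
        return name;
    }

    static String truncateAudit(String s) {
        return s.length() > MAX_AUDIT_LEN ? s.substring(0, MAX_AUDIT_LEN) : s;
    }
}
```

The unmapped branch deliberately sets nothing so that the documented fallback to the unauthenticated SAF identity applies; if you would rather refuse such logins outright, throw a LoginException there instead. Truncating the audit string yourself keeps what lands in SMF predictable instead of relying on the server to cut it at 223 characters.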
Note: Some network identities are not processed using the mapping module provided:
- Server identity: This identity is always mapped to the user ID of the process and is assigned by the STARTED profile.
- SAF identity corresponding to the UNAUTHENTICATED user: The SAF identity corresponding to the UNAUTHENTICATED user means there is no network identity. This value is configured using the WebSphere z/OS Profile Management Tool or the zpmt command and can be modified using the administrative console. It is recommended that you create the SAF identity for unauthenticated users with the RESTRICTED attribute.