You can secure the application server by configuring Lightweight
Directory Access Protocol (LDAP) on z/OS® with
an existing Resource Access Control Facility (RACF®)
back end. This integrates the native z/OS security
settings defined in RACF with the WebSphere® Application
Server security environment.
Before you begin
The following requirements exist when implementing these
steps:
- You must have an LDAP server on z/OS configured with a RACF (SDBM)
back end. See the z/OS Internet Library for more information
about this configuration.
- You must use LDAP on z/OS V1R3 or later. For V1R3 or
V1R4, you must apply APAR OA03857 (PTF UA06622) before following these
steps.
- The user logs in to WebSphere security with a RACF user
ID and is authenticated by the LDAP server using a password and a distinguished
name (DN). This DN incorporates the RACF user
ID and the suffix value from the SDBM section of the LDAP server configuration file. If the RACF user
is johndoe and the suffix value in the SDBM section of the
LDAP configuration file is cn=myRACF, the DN is: racfid=johndoe,
profiletype=user, cn=myRACF.
- Each RACF group that a user belongs to, including the WebSphere security
groups, is stored in the multi-valued racfconnectgroupname attribute
of the LDAP entry for that user. The attribute is returned when a base
or subtree search is performed with the user's DN as the base DN.
- The Bind DN configured for the registry must represent a RACF user
with Special or Auditor privileges. For more information
about the required RACF authority, see the z/OS Security
Server RACF Command Language Reference for your z/OS version
in the z/OS Internet Library.
- You must define the racfconnectgroupname attribute in the
LDAP default schema.
Remember: If you have TDBM defined
in the LDAP server configuration file in addition to SDBM, the schema
in TDBM is the default schema for the LDAP server. If the TDBM schema
does not include the racfconnectgroupname attribute, either remove
TDBM from the LDAP server configuration file or add the schema in
the schema.user.ldif file and the schema.IBM.ldif file
to the TDBM schema. For more information about TDBM and SDBM, see
Native authentication with RACF and Tivoli® Access
Manager.
Procedure
- Click Security > Global security.
- Under User account repository, select Standalone LDAP
registry and then click Configure.
- For Type of LDAP server, select Custom.
- Complete the fields for your LDAP environment. For more
information, see Configuring Lightweight Directory Access Protocol user registries. The users and groups must be in the subtree of the Base DN.
- Make sure that Ignore case for authorization is
selected. RACF user names and group names
are not case-sensitive.
- Click Apply and then click Save.
- Under Additional Properties, click Advanced Lightweight
Directory Access Protocol (LDAP) user registry settings.
- Change User filter and Group filter to racfid=%v.
- Change User ID map and Group ID Map to *:racfid.
- Change Group member ID map to racfconnectgroupname:racfgroupuserids.
- Click Apply and click Save.
- Assign the administrative role to a user. See Authorizing access to administrative roles for more information.
- Restart WebSphere Application Server.
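The following Python script is an added example, not WebSphere or IBM code. It models how the filter and ID map settings entered in the procedure above, together with the DN layout and the multi-valued racfconnectgroupname attribute described under "Before you begin", resolve a RACF user and its groups. The directory it searches is a constructed in-memory stand-in for an SDBM back end (no LDAP server is contacted), the SDBM suffix cn=myRACF is taken from the page's own example, and the user and group names (JOHNDOE, SYS1, WASADMIN, BROKEN) are invented for illustration. It also shows the two failure modes a practitioner should expect: a user that does not match the user filter, and an entry that comes back without racfconnectgroupname, which is what happens when the default (TDBM) schema lacks that attribute.

```python
"""Model of WebSphere's user and group resolution against an SDBM back end.

Added example, not WebSphere code. The directory below is constructed
in memory; attribute names and the DN layout follow the text of the page.
"""
from typing import Dict, List, Optional

SDBM_SUFFIX = "cn=myRACF"  # suffix value from the SDBM section of the LDAP config (page example)

# Advanced LDAP user registry settings, exactly as entered in the procedure.
USER_FILTER = "racfid=%v"
GROUP_FILTER = "racfid=%v"
USER_ID_MAP = "*:racfid"
GROUP_ID_MAP = "*:racfid"
GROUP_MEMBER_ID_MAP = "racfconnectgroupname:racfgroupuserids"

# Constructed SDBM-style entries (not captured from a real server).  Keys are
# lower-cased DNs; racfconnectgroupname is multi-valued, as the page states.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "racfid=johndoe,profiletype=user,cn=myracf": {
        "objectclass": ["racfUser"],
        "racfid": ["JOHNDOE"],
        "racfconnectgroupname": [
            "racfid=SYS1,profiletype=group,cn=myRACF",
            "racfid=WASADMIN,profiletype=group,cn=myRACF",
        ],
    },
    "racfid=wasadmin,profiletype=group,cn=myracf": {
        "objectclass": ["racfGroup"],
        "racfid": ["WASADMIN"],
        "racfgroupuserids": ["racfid=JOHNDOE,profiletype=user,cn=myRACF"],
    },
    # Simulates a user entry served from a schema without racfconnectgroupname.
    "racfid=broken,profiletype=user,cn=myracf": {
        "objectclass": ["racfUser"],
        "racfid": ["BROKEN"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must not be able to rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def bind_dn(racf_user: str, suffix: str = SDBM_SUFFIX) -> str:
    """DN a RACF user authenticates with: racfid=<user>,profiletype=user,<SDBM suffix>."""
    return f"racfid={racf_user},profiletype=user,{suffix}"


def render_filter(template: str, value: str) -> str:
    """Substitute %v in a WebSphere filter template with the escaped login value."""
    return template.replace("%v", escape_filter_value(value))


def rdn_value(dn: str, attr: str) -> Optional[str]:
    """Apply an ID map of the form '*:<attr>': return the value of that RDN in the DN."""
    for rdn in dn.split(","):
        key, _, val = rdn.strip().partition("=")
        if key.lower() == attr.lower():
            return val
    return None


def find_user(racf_user: str) -> Optional[Dict[str, List[str]]]:
    """Simulated user search with USER_FILTER; RACF IDs compare case-insensitively."""
    attr, _, wanted = render_filter(USER_FILTER, racf_user).partition("=")
    for entry in DIRECTORY.values():
        if "racfUser" not in entry.get("objectclass", []):
            continue
        if any(v.lower() == wanted.lower() for v in entry.get(attr, [])):
            return entry
    return None


def user_groups(racf_user: str) -> List[str]:
    """Group names for a user, derived from the user's own entry.

    The attribute on the left of GROUP_MEMBER_ID_MAP (racfconnectgroupname)
    holds group DNs; GROUP_ID_MAP (*:racfid) reduces each DN to its group name.
    """
    entry = find_user(racf_user)
    if entry is None:
        raise LookupError(f"no RACF user matches {render_filter(USER_FILTER, racf_user)}")
    member_attr = GROUP_MEMBER_ID_MAP.split(":", 1)[0]
    if member_attr not in entry:
        raise LookupError(f"{member_attr} not returned; check the LDAP default schema")
    group_attr = GROUP_ID_MAP.split(":", 1)[1]
    names = {rdn_value(dn, group_attr) for dn in entry[member_attr]}
    return sorted(n.upper() for n in names if n is not None)


def is_member(racf_user: str, group: str) -> bool:
    """Case-insensitive membership test, matching 'Ignore case for authorization'."""
    return group.upper() in user_groups(racf_user)


if __name__ == "__main__":
    print(bind_dn("johndoe"))
    print(user_groups("johndoe"))
```

Running the script prints the DN from the page's example and the two constructed group names. The same check can be made against a real server before enabling security: bind as the user's DN and perform a base search on that DN requesting racfconnectgroupname; if the attribute is absent from the result, revisit the TDBM schema note above before changing the registry settings.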
Results
Your environment is now protected by LDAP on z/OS with
a RACF back end.