The z/OS® Profile Management Tool allows you to specify
System Authorization Facility (SAF) profile prefixes (previously referred
to as z/OS security domains) for your WebSphere® Application Server for z/OS configuration.
Note:
- You must set up a base Application Server using the WebSphere z/OS Profile
Management Tool or the zpmt command before using the Application
Server to set up a WebSphere Application Server, Network Deployment node,
which is managed by the deployment manager process (dmgr). It is critical
that you LOAD saved environment variables from the base Application
Server into the deployment manager node that federates the base node.
Do this before performing security customization on the deployment
manager node.
- If the APPL class is active and you have defined a profile for WebSphere Application Server, make sure that
all z/OS identities using WebSphere Application Server services have
READ permission to the WebSphere Application Server APPL
profile. This includes all WebSphere Application Server identities, WebSphere Application Server unauthenticated
identities, WebSphere Application Server administrative
identities, user IDs based on role-to-user mappings, and all user
identities for system users. If you have not specified a SAF profile
prefix, the APPL profile used is CBS390 or the name used as the SAF
profile prefix. If you have specified a SAF profile prefix, the APPL
profile used. When adding an administrator to the administrative console
using local operating system security, if the APPL class is activated,
the administrator's user ID must be authorized to the CBS390 (or the
name specified as the SAF profile prefix) APPL class for RACF® as
well. If the administrator's user ID is not authorized to CBS390 APPL,
message BBOS0108E is issued, indicating that the credential-handling
function (RunAsGetSpecCred) failed in routine because the user is
not authorized.
- After a profile is created, you can control whether the APPL class
profile is checked from the administrative console: navigate
to the SAF authorization options panel and set the check
box labeled "Use APPL profile to restrict access to the server".
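
The READ permission described in the second note can be granted and then verified from TSO with standard RACF commands. The REXX exec below is an added example, not part of the original page or of the jobs the Profile Management Tool generates; the user IDs in `ids` and the empty `prefix` are placeholders to replace with your own values.

```rexx
/* REXX - grant READ on the WebSphere APPL profile and list the result */
/* Added example. The IDs below are placeholders, not IBM defaults.    */

prefix = ''                      /* your SAF profile prefix, if any    */
ids    = 'SRVID UNAUTHID ADMINID MAPPEDID'   /* placeholder IDs/groups */

/* Per the note above: CBS390 when no prefix is specified, otherwise   */
/* the name used as the SAF profile prefix.                            */
If prefix = '' Then
  profile = 'CBS390'
Else
  profile = prefix

failed = 0
Address TSO

Do i = 1 To Words(ids)
  id = Word(ids, i)
  /* ID() accepts a user ID or a group name */
  "PERMIT" profile "CLASS(APPL) ID("id") ACCESS(READ)"
  If rc <> 0 Then Do
    Say 'PERMIT failed for' id 'on' profile '- rc='rc
    failed = failed + 1
  End
End

/* In-storage profiles must be refreshed when APPL is RACLISTed,       */
/* otherwise the new access list is not used for checks.               */
"SETROPTS RACLIST(APPL) REFRESH"
If rc <> 0 Then
  Say 'SETROPTS REFRESH rc='rc '(expected if APPL is not RACLISTed)'

/* Show the access list so missing identities can be spotted before    */
/* BBOS0108E is reported at administrator logon.                       */
"RLIST APPL" profile "AUTHUSER"

Exit failed
```

The exec ends with the number of failed PERMIT commands as its return code, so a nonzero value means at least one identity still lacks READ access.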