You need to perform several actions to enable any pluggable
login modules to correctly map Java EE
identities to SAF. These actions include configuring the active WebSphere® Application Server user registry
and configuring pluggable mapping modules.
Procedure
- Configure the active WebSphere Application
Server user registry as a Lightweight Directory Access Protocol (LDAP)
registry or a Custom registry, and use System Authorization Facility
(SAF) services such as:
- You must configure a pluggable mapping module followed
by a WebSphere Application Server for z/OS-supplied
module in appropriate system login configurations to use pluggable
login modules. If a registry other than local OS is selected and no
mapping is done or no valid mapping is available for a particular
identity:
- SAF authorization is not supported: If SAF authorization
is selected and a method is protected, the method fails.
- Application Synch to OS thread is not supported: Requests
always run using the user ID of the servant.
- When res-auth=container is specified to native connectors
and no alias is identified, a connection management request runs under
the servant user ID.
- Pluggable login modules can be used when:
- The WebSphere Application Server authentication
mechanism specified is Simple WebSphere Authentication Mechanism
(SWAM) or Lightweight Third-Party Authentication (LTPA). SWAM is deprecated
in WebSphere Application Server Version 8.5 and will be removed
in a future release.
- The Internet Inter-ORB protocol (IIOP) authentication protocol
negotiated uses Common Secure Interoperability Version 2 (CSIV2).
- A web request is issued.
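
The mapping-module step above, sketched as a standard JAAS login module. This is an added example, not IBM's sample module or code from this page. The class name and both shared-state keys are hypothetical, and it assumes a SAF user ID is 1 to 8 characters from A-Z, 0-9, #, $ and @. When no valid mapping exists it publishes nothing, which leads to the behaviour listed above for unmapped identities.

```java
import java.security.Principal;
import java.util.Locale;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Hypothetical mapping module: turns the authenticated LDAP name into a SAF user ID.
public class ExampleSafMappingModule implements LoginModule {
    // Assumed shared-state keys for illustration; these are not WebSphere constants.
    static final String PRINCIPAL_KEY = "example.authenticated.principal";
    static final String SAF_USERID_KEY = "example.mapped.saf.userid";
    private Map<String, Object> state;
    private boolean mapped;

    @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        state = (Map<String, Object>) shared;
    }

    public boolean login() {
        Object p = state.get(PRINCIPAL_KEY);
        String safId = (p instanceof Principal) ? toSafUserId(((Principal) p).getName()) : null;
        // No valid mapping: publish nothing rather than a truncated or guessed ID.
        mapped = safId != null;
        if (mapped) state.put(SAF_USERID_KEY, safId);
        return mapped; // false tells JAAS to ignore this module
    }

    // Returns the leftmost RDN value (or the bare name) if it is a valid SAF user ID, else null.
    static String toSafUserId(String name) {
        if (name == null) return null;
        String id = name;
        try {
            LdapName dn = new LdapName(name);
            if (!dn.isEmpty()) id = String.valueOf(dn.getRdn(dn.size() - 1).getValue());
        } catch (InvalidNameException e) {
            // Not a distinguished name; treat the whole name as the candidate ID.
        }
        id = id.trim().toUpperCase(Locale.ROOT);
        return id.matches("[A-Z0-9#$@]{1,8}") ? id : null;
    }

    public boolean commit() { return mapped; }
    public boolean abort() { return logout(); }
    public boolean logout() { state.remove(SAF_USERID_KEY); mapped = false; return true; }
}
```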