The System Authorization Facility (SAF) registry holds
information required to perform security-related functions such as
authenticating users and retrieving information about users, groups,
or groups associated with users. You activate and configure the SAF
registry through the configuration file server.xml.
In addition, you can configure your Liberty server to use SAF authorization.
About this task
By adding the appropriate features to the
server.xml file,
you can accomplish the following tasks:
- Activate the SAF user registry
- Configure the SAF user registry to use authorized
services
- Enable applications to use the SAF user registry
- Configure the SAF user registry
By default, the SAF registry uses unauthorized UNIX System Services (USS) to perform authentication.
For better performance, you can enable the authorized SAF services
by configuring the SAFCRED resources. For more information, see
Enabling z/OS authorized services on the Liberty profile for z/OS.
For information
about how to configure your Liberty server to use SAF authorization,
see Configuring authorization for applications on the Liberty profile.
Procedure
- Activate the SAF user registry. Add the zosSecurity-1.0 feature
to the server.xml file:
<feature>zosSecurity-1.0</feature>
Note: By
default, the SAF user registry uses unauthorized USS services such
as __passwd to perform authentication.
- For better performance, configure the SAF user registry
to use authorized services such as initACEE to perform authentication
by configuring the SAFCRED resources. For more information, see Enabling z/OS authorized services on the Liberty profile for z/OS.
- Enable application security by adding the feature appSecurity-2.0,
along with either the servlet-3.0 feature for web
applications, or the ejbLite-3.1 feature for EJB applications.
<feature>zosSecurity-1.0</feature>
<feature>appSecurity-2.0</feature>
<feature>servlet-3.0</feature>
<feature>ejbLite-3.1</feature>
- Configure the SAF registry by adding a safRegistry element
in the server.xml file:
<safRegistry id="saf" realm="myrealm" />
The safRegistry element
has the following attributes:
- id
The ID that uniquely identifies this registry instance. The ID
can be anything you want, but it must be unique with respect to other
configured registries such as the basic registry and the LDAP registry.
You can use the ID to refer to this registry instance in other elements
of the server.xml file.
- realm
The realm associated with the SAF registry. If you do not specify
a realm, the default is the sysplex name (ECVTSPLX). If the
server is authorized to use the SAFCRED resources, the default
realm is instead read from the SAF product by extracting the APPLDATA field
of the SAFDFLT profile in the REALM class. If that field is empty,
the sysplex name is used.
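The following server.xml assembles the steps of this procedure into one complete file, as an added example that is not taken from the product documentation. It assumes the standard Liberty server.xml layout (a server root element with a featureManager element wrapping the feature entries), which the fragments above omit, and it chooses servlet-3.0 for a web application; the description text and the id and realm values are constructed for illustration.

```xml
<server description="Liberty for z/OS with SAF user registry (constructed example)">

    <!-- Step 1: zosSecurity-1.0 activates the SAF user registry.
         Step 3: appSecurity-2.0 enables application security; servlet-3.0 is
         used here for a web application (substitute ejbLite-3.1 for EJB
         applications). Step 2 (authorized SAF services through SAFCRED) is
         configured in the security product, not in this file. -->
    <featureManager>
        <feature>zosSecurity-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Step 4: the id must be unique among all configured registries
         (basic, LDAP, SAF). realm is optional; when omitted, the default is the
         sysplex name, or the APPLDATA value of the SAFDFLT profile in the REALM
         class when the server is authorized for the SAFCRED resources. -->
    <safRegistry id="saf" realm="myrealm" />

</server>
```

Only one user registry should be active in a server configuration; if a basicRegistry or ldapRegistry element is also present, the registries must have distinct id values, and the realm attribute can be left out to take the SAF-derived default described above.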