For z/OS platforms

Activating and configuring the SAF registry on z/OS

The System Authorization Facility (SAF) registry holds information required to perform security-related functions such as authenticating users and retrieving information about users, groups, or groups associated with users. You activate and configure the SAF registry through the configuration file server.xml. In addition, you can configure your Liberty server to use SAF authorization.

About this task

By adding the appropriate features to the server.xml file, you can accomplish the following tasks:
  • Activate the SAF user registry
  • Configure the SAF user registry to use authorized services
  • Enable applications to use the SAF user registry
  • Configure the SAF user registry
By default, the SAF registry uses unauthorized UNIX System Services (USS) to perform authentication. For better performance, you can enable the authorized SAF services by configuring the SAFCRED resources. For more information, see Enabling z/OS authorized services on the Liberty profile for z/OS.

For information on how to configure your Liberty server to use SAF authorization, see Configuring authorization for applications on the Liberty profile.

Procedure

  1. Activate the SAF user registry. Add the zosSecurity-1.0 feature to the server.xml file:
    <feature>zosSecurity-1.0</feature>
    Note: By default, the SAF user registry uses unauthorized USS services such as __passwd to perform authentication.
  2. For better performance, configure the SAF user registry to use authorized services such as initACEE to perform authentication by configuring the SAFCRED resources. For more information, see Enabling z/OS authorized services on the Liberty profile for z/OS.
  3. Enable application security by adding the appSecurity-2.0 feature, along with either the servlet-3.0 feature for web applications or the ejbLite-3.1 feature for EJB applications:
    <feature>zosSecurity-1.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>servlet-3.0</feature>
    <feature>ejbLite-3.1</feature>
    Fix Pack 8550: the ejbLite-3.1 feature applies to Fix Pack 8550 and later.
  4. Configure the SAF registry by adding a safRegistry element in the server.xml file:
    <safRegistry id="saf" realm="myrealm" />
    The safRegistry element has the following attributes:
    id
    The ID that uniquely identifies this registry instance. The ID can be anything you want, but it must be unique with respect to other configured registries such as the basic registry and the LDAP registry. You can use the ID to refer to this registry instance in other elements of the server.xml file.
    realm
    The realm associated with the SAF registry. If you do not specify a realm, the default is the sysplex name (ECVTSPLX). If the server is authorized to use the SAFCRED resources, the default realm is instead read from the SAF product by extracting the APPLDATA field of the SAFDFLT profile in the REALM class. If that field is empty, the sysplex name is used.
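The following complete server.xml ties steps 1, 3 and 4 together in one file. It is an added example, not configuration taken from this IBM topic; the application element and the role and group names (myapp, admin, WASADMIN) are assumptions chosen for illustration, and step 2 (authorized SAFCRED services) is not represented because it is configured in the SAF product, not in server.xml.

```xml
<!-- Added example: a complete server.xml for a Liberty server on z/OS that
     authenticates against the SAF user registry. Not from the IBM page;
     elements marked ASSUMED are illustrative. -->
<server description="Liberty on z/OS using the SAF user registry">

    <featureManager>
        <!-- Step 1: activates the SAF user registry. By default it uses
             unauthorized USS services (__passwd) to authenticate; the
             authorized path (initACEE) needs the SAFCRED resources defined
             in SAF and is not configured in this file. -->
        <feature>zosSecurity-1.0</feature>

        <!-- Step 3: application security plus the web container. Use
             ejbLite-3.1 instead of, or as well as, servlet-3.0 for EJB
             applications. -->
        <feature>appSecurity-2.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Step 4: the registry instance. The id must be unique among all
         configured registries (basic, LDAP, SAF). The realm is optional:
         if omitted, the sysplex name (ECVTSPLX) is used, or, when the
         server is authorized for SAFCRED, the APPLDATA field of the
         SAFDFLT profile in the REALM class. -->
    <safRegistry id="saf" realm="myrealm" />

    <!-- ASSUMED: one way an application consumes the registry using
         Liberty's own role-to-group mapping. SAF authorization, which
         replaces this mapping with SAF profiles, is covered in a separate
         topic and is not enabled here. The group must exist in the SAF
         database; the role name must match the application's web.xml. -->
    <application id="myapp" name="myapp" type="war" location="myapp.war">
        <application-bnd>
            <security-role name="admin">
                <group name="WASADMIN" />
            </security-role>
        </application-bnd>
    </application>

</server>
```

Two checks worth making after saving this file: confirm that only one registry element is configured (a basicRegistry left over from development alongside the safRegistry is a common source of unexpected authentication results), and pick the realm deliberately rather than relying on the sysplex-name default, because the realm becomes part of the authenticated identity the server records.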



Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=twlp_config_zos_saf
File name: twlp_config_zos_saf.html