If you choose the Use built-in mapping module to map Kerberos principals to SAF identities option on the Kerberos panel of the WebSphere® Application Server administrative console, you must have your Local OS users mapped to a specific Kerberos principal.
There are two ways to map a Kerberos principal to a SAF identity, depending on whether the Kerberos principal is local or foreign. A Kerberos principal is local when it exists in the z/OS KDC of the same z/OS system as the RACF database.
For more information on using the ALTUSER command to configure your KDC, see z/OS V1R7.0 Integrated Security Services Network Authentication Service Administration.
You must not include the Kerberos realm name when specifying the local Kerberos principal name.
Mapping a local Kerberos principal:
ALTUSER USER1 PASSWORD(security) NOEXPIRED KERB(KERBNAME(kerberosUser1))
LISTUSER USER1 KERB NORACF
KERB INFORMATION
----------------
KERBNAME= kerberosUser1
KEY VERSION= 001
KEY ENCRYPTION TYPE= DES NODES3 NODESD
The ALTUSER command should be issued for every RACF user who needs to log in to WebSphere Application Server using Kerberos.
Mapping a foreign Kerberos principal:
You can map each principal in a foreign realm to its own user ID in RACF, or you can map all principals in a foreign realm to the same user ID in RACF. To map a foreign Kerberos principal to a RACF user, define a general resource profile in the KERBLINK class. Each mapping is defined and modified using the RDEFINE and RALTER commands.
For more information on using the KERBLINK class, see the z/OS Security Server RACF Security Administrator's Guide.
RDEFINE KERBLINK /.../FOREIGN.REALM.IBM.COM/foreignKerberosUser2 APPLDATA('USER2')
RLIST KERBLINK /.../FOREIGN.REALM.IBM.COM/foreignKerberosUser2
CLASS      NAME
-----      ----
KERBLINK   /.../FOREIGN.REALM.IBM.COM/foreignKerberosUser2

LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    IBMUSER         NONE           ALTER       NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
USER2

AUDITING
--------
FAILURES(READ)

NOTIFY
------
NO USER TO BE NOTIFIED
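When many users must be mapped, it helps to generate the ALTUSER and RDEFINE KERBLINK commands from one list and review the resulting command deck before running it on z/OS. The following POSIX shell script is an added example, not part of the IBM documentation; it assumes the input format described in its comments (a bare name for a local principal, REALM/name for a foreign one) and rejects a local principal written with a realm suffix, which the note above forbids.

```shell
#!/bin/sh
# Generates the RACF commands that map Kerberos principals to SAF user IDs.
# Input is one "principal userid" pair per line (a constructed list is used below):
#   local principal  : bare name, no realm -> ALTUSER userid KERB(KERBNAME(name))
#   foreign principal: REALM/name          -> RDEFINE KERBLINK /.../REALM/name APPLDATA('userid')
# Setting the user's password, which RACF needs before it can generate the
# Kerberos key, is intentionally left to the administrator and not emitted here.

# Print the RACF command for one mapping; return 1 (and say why) on bad input.
kerb_map_cmd() {
    principal=$1
    userid=$2
    # RACF user IDs are 1 to 8 characters.
    if [ -z "$userid" ] || [ "${#userid}" -gt 8 ]; then
        echo "error: '$userid' is not a valid RACF user ID (1-8 characters)" >&2
        return 1
    fi
    case "$principal" in
        *@*)
            # A local principal must not carry the realm name; a foreign one is
            # written REALM/name so the realm becomes part of the KERBLINK profile.
            echo "error: realm suffix not allowed in '$principal'; write foreign principals as REALM/name" >&2
            return 1 ;;
        */*)
            realm=${principal%%/*}
            name=${principal#*/}
            printf "RDEFINE KERBLINK /.../%s/%s APPLDATA('%s')\n" "$realm" "$name" "$userid" ;;
        *)
            printf 'ALTUSER %s KERB(KERBNAME(%s))\n' "$userid" "$principal" ;;
    esac
}

# Turn a whole mapping list on stdin into a command deck; stop at the first bad line.
kerb_map_file() {
    while read -r principal userid; do
        [ -z "$principal" ] && continue
        kerb_map_cmd "$principal" "$userid" || return 1
    done
}

# Constructed sample list: one local user and one user from a foreign realm.
printf '%s\n' 'kerberosUser1 USER1' \
    'FOREIGN.REALM.IBM.COM/foreignKerberosUser2 USER2' | kerb_map_file

# A principal written with "@REALM" is rejected rather than silently mapped.
kerb_map_cmd 'kerberosUser1@LOCAL.REALM' USER1 || echo 'malformed mapping rejected'
```

The generated deck can be pasted into TSO or submitted through a batch job, after checking that every user ID already exists in RACF.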