You can authenticate to the IBM® HTTP Server on z/OS® by using HTTP basic authentication or client certificates with the System Authorization Facility (SAF) security product. Use SAF authentication for verification of user IDs and passwords or certificates.
Before you begin
The mod_authz_core and mod_auth_basic modules provide the basic authentication and authorization support that mod_authnz_saf configurations need. In addition, the mod_ibm_ssl module supports SSL client certificates. If you use SAF authentication, ensure that the first three LoadModule directives from the following example are activated. If you use SSL client certificates, also ensure that the mod_ibm_ssl.so LoadModule directive is activated.
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authnz_saf_module modules/mod_authnz_saf.so
# mod_authz_core will typically already load by default
LoadModule authz_core_module modules/mod_authz_core.so
# Uncomment mod_ibm_ssl if any type of SSL support is required,
# such as client certificate authentication
#LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
About this task
SAF authentication is provided by the mod_authnz_saf module. The mod_authnz_saf module allows the use of HTTP basic authentication or client certificates to restrict access by looking up users, groups, and SSL client certificates in SAF. Use this module to switch the thread from the server ID to another ID before responding to the request by using the SAFRunAS directive. For more information, see SAF directives in the product documentation. Also, see Migrating and installing IBM HTTP Server on z/OS systems for information about migrating your SAF directives.
Procedure
- If you are using SAFRunAs, permit the IBM HTTP Server user ID to the BPX.SERVER FACILITY class profile in RACF®, and provide the target user ID with an OMVS segment.
- If the APPL class is active in the security product (SAF), users who authenticate via this module must be permitted to the OMVSAPPL application ID.
- Determine the directory location that you want to limit access to. For example: <Location "/admin-bin">.
- Add directives in the httpd.conf file to the directory or location to be protected, with values specific to your environment. If you want to restrict access to files under the /secure directory to only users who provide a valid SAF user ID and password, consider this example.
<Directory /secure>
AuthName protectedrealm_title
AuthType Basic
AuthBasicProvider saf
Require valid-user
</Directory>
You can also restrict access based on user ID or SAF group membership by replacing the Require directive in the previous example, as follows:
require saf-user USERID
require saf-group GROUPNAME
Avoid trouble: The SAF group must have a group identification number (GID) defined in the OMVS segment to restrict access based on SAF group membership. Use the following Time Sharing Option (TSO) command to determine whether an OMVS GID is defined for a SAF group.
LISTGRP NOGIDGRP OMVS NORACF
- Optional: Specify Require saf-user or Require saf-group to restrict access to a specific SAF user or group.
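As an added check that is not part of IBM's documentation, the following Python script scans an httpd.conf for the prerequisites described above: the three required LoadModule lines must be active (plus mod_ibm_ssl when client certificates are used), and every Directory or Location container that sets AuthBasicProvider saf must also carry a Require directive, because without one the SAF lookup is never triggered and the container stays unprotected. The sample httpd.conf embedded at the end is constructed for the demonstration.

```python
import re

# Modules the page says must be loaded for SAF authentication; mod_ibm_ssl is
# needed in addition when SSL client certificates are used.
REQUIRED_MODULES = ("auth_basic_module", "authnz_saf_module", "authz_core_module")
SSL_MODULE = "ibm_ssl_module"
OPEN_TAG = re.compile(r"^\s*<(Directory|Location)\s+.+>\s*$", re.I)
CLOSE_TAG = re.compile(r"^\s*</(Directory|Location)\s*>\s*$", re.I)

def active_modules(conf):
    """Module names from LoadModule lines that are not commented out."""
    hits = (re.match(r"\s*LoadModule\s+(\S+)\s+\S+", ln) for ln in conf.splitlines())
    return {m.group(1) for m in hits if m}

def saf_containers(conf):
    """(header, directives) for every Directory/Location block that uses AuthBasicProvider saf."""
    blocks, header, body = [], None, None
    for ln in conf.splitlines():
        if OPEN_TAG.match(ln):
            header, body = ln.strip(), []
        elif CLOSE_TAG.match(ln) and body is not None:
            if any(re.match(r"AuthBasicProvider\s+saf\b", d, re.I) for d in body):
                blocks.append((header, body))
            body = None
        elif body is not None and ln.strip() and not ln.lstrip().startswith("#"):
            body.append(ln.strip())  # keep non-comment directives inside the container
    return blocks

def check_conf(conf, client_certs=False):
    """Return findings as strings; an empty list means the prerequisites are met."""
    findings, loaded = [], active_modules(conf)
    for mod in REQUIRED_MODULES:
        if mod not in loaded:
            findings.append(f"LoadModule {mod} is missing or commented out")
    if client_certs and SSL_MODULE not in loaded:
        findings.append(f"LoadModule {SSL_MODULE} is needed for client certificates")
    for header, body in saf_containers(conf):
        if not any(d.lower().startswith("require ") for d in body):
            findings.append(f"{header}: AuthBasicProvider saf without a Require line, so nothing is restricted")
    return findings

# Constructed sample: mod_ibm_ssl is still commented out and /secure lacks Require.
SAMPLE_CONF = """LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authnz_saf_module modules/mod_authnz_saf.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<Directory /secure>
AuthType Basic
AuthBasicProvider saf
</Directory>
"""
```

Run check_conf(SAMPLE_CONF, client_certs=True) to list both findings; fixing the sample by uncommenting the mod_ibm_ssl line and adding Require valid-user inside the container yields an empty list.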