![[z/OS]](../images/ngzos.gif)
System Authorization Facility classes and profiles
- Using roles for enterprise beans, web applications, and servlets
- Using RACF class profiles
- Using CBIND to control access to servers and to objects in the servers
- Using SERVER to control access to controllers from servant regions
- Using STARTED to associate user IDs and groups with started procedures
- Using APPL to restrict access of authenticated users to applications in the server
- Using FACILITY to establish permission to enable Synch to OS Thread Allowed and allow mapping of distributed identities to SAF identities using the JAAS mapping login modules.
- Using SURROGAT to optionally establish permission to enable Synch to OS Thread Allowed
- Creating multiple security configurations within a cell
- Generating new user IDs and Profiles for a new server
- Using minimalist profiles
Roles for Enterprise JavaBeans, web applications, and servlets
Roles are associated with Java™ Platform, Enterprise Edition (Java EE) applications. Modules within an application refer to roles through role references that point to the application role. Access to a web application, a servlet, or an EJB method is granted based on the user or caller. Roles are bound to web applications, servlets, and enterprise beans at assembly time; the role needed to invoke a servlet or an EJB method is named in the application's deployment descriptors.
Which users and groups hold which roles is determined by RACF profiles in the EJBROLE class (if SAF authorization is selected). If a user is in the access list of an EJBROLE profile, the user has that role. If a group is in the access list of an EJBROLE profile, users in that group have that role. If the EJBROLE profile has UACC(READ), every user has that role.
The SAF profile prefix (previously called the z/OS® security domain), if specified, is prepended by WebSphere® Application Server for z/OS to the role name when it checks EJBROLE profiles in RACF. This gives role granularity at the level of the SAF profile prefix, for example:
- Test cell: security domain (SAF profile prefix) TEST
- Production cell: security domain (SAF profile prefix) PROD
For example, an application using role Clerk is deployed on both cells. On the test cell, users need READ access to the EJBROLE profile TEST.Clerk. On the production cell, users need READ access to the EJBROLE profile PROD.Clerk.
The following profiles are defined in the RACF EJBROLE class for administrative authorization: administrator, configurator, monitor, operator, deployer, adminsecuritymanager, and auditor.
Refer to System Authorization Facility for role-based authorization for more information on how SAF can be used for Java EE role authorization.
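The TEST/PROD split described above, as an added example (these commands are not from the original page). The group names TESTCLRK, PRODCLRK, WASADMIN, and WASOPS are assumptions; the role names Clerk, administrator, and monitor and the prefixes TEST and PROD are the page's own. The exec issues the RACF commands through the TSO host command environment:

```rexx
/* REXX - EJBROLE profiles for the TEST/PROD split described above.    */
/* Added example, not from the original page.  Assumed (not on the     */
/* page): group TESTCLRK holds Clerk in the test cell, PRODCLRK in     */
/* production, WASADMIN gets the administrator role and WASOPS the     */
/* monitor role in production.                                          */
address TSO
"SETROPTS CLASSACT(EJBROLE) RACLIST(EJBROLE)"  /* once per RACF database */

/* Application role Clerk: one profile per SAF profile prefix, so test  */
/* clerks get nothing in production.  UACC(NONE): nobody has the role   */
/* unless permitted (UACC(READ) would hand it to every user).           */
"RDEFINE EJBROLE TEST.Clerk UACC(NONE)"
"PERMIT TEST.Clerk CLASS(EJBROLE) ID(TESTCLRK) ACCESS(READ)"
"RDEFINE EJBROLE PROD.Clerk UACC(NONE)"
"PERMIT PROD.Clerk CLASS(EJBROLE) ID(PRODCLRK) ACCESS(READ)"

/* Administrative roles for the production cell: grant the least role   */
/* that does the job (monitor for read-only operations staff).          */
"RDEFINE EJBROLE PROD.administrator UACC(NONE)"
"PERMIT PROD.administrator CLASS(EJBROLE) ID(WASADMIN) ACCESS(READ)"
"RDEFINE EJBROLE PROD.monitor UACC(NONE)"
"PERMIT PROD.monitor CLASS(EJBROLE) ID(WASOPS) ACCESS(READ)"

/* EJBROLE is RACLISTed: changes are invisible until refreshed.         */
"SETROPTS RACLIST(EJBROLE) REFRESH"

/* Check: show the access list of each profile just defined.            */
"RLIST EJBROLE (TEST.Clerk PROD.Clerk PROD.administrator PROD.monitor) AUTHUSER"
exit rc
```

EJBROLE profile names are case-sensitive and must match the role name in the deployment descriptor exactly; issuing the commands from a REXX exec keeps the mixed case (TEST.Clerk) regardless of terminal settings. The RLIST at the end is the check to run after every change: a role that unexpectedly shows UACC READ or an unintended group is the usual way a test user ends up with production access.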
Using RACF class profiles
It is important to understand the security mechanisms used to protect the server resources using the CBIND, SERVER, and STARTED classes in RACF (or your equivalent security product). You must also understand the techniques for managing the security environment.
- CBIND: controls access to servers and to objects in the servers
- SERVER: controls access to controllers from servant regions
- STARTED: associates user IDs and groups with started procedures
- APPL: restricts access by authenticated users to applications running on the server
- FACILITY: used to:
  - associate user IDs and groups with the Synch to OS Thread Allowed option
  - control which security configurations are allowed to map distributed identities to SAF identities using the JAAS mapping login modules
- SURROGAT: optional; associates user IDs and groups with the Synch to OS Thread Allowed option
Basic information about the RACF profiles used by WebSphere Application Server for z/OS can be found in SAF-based authorization. This section adds details about the CBIND, SERVER, FACILITY, SURROGAT, and STARTED class profiles.
User IDs and group IDs
Abbreviations used in the profile names below:
- CR = controller region
- SR = servant region
- CFG = configuration (group)
- server = server short name
- cluster = generic server (short) name (also called the cluster transition name)

User ID | Connected to groups |
---|---|
<CR_userid> | <CR_groupid>, <CFG_groupid> |
<SR_userid> | <SR_groupid>, <CFG_groupid> |
<demn_userid> | <demn_groupid>, <CFG_groupid> |
<admin_userid> | <CFG_groupid> |
<client_userid> | <client_groupid> |
<ctracewtr_userid> | <ctracewtr_groupid> |
The following are the various profiles used to protect the WebSphere Application Server for z/OS resources, along with the permissions and access levels.
Using CBIND class profiles
CBIND class profiles control which user IDs can bind to (connect to) a generic server and which can access the objects in it. When a SAF profile prefix is configured, it is inserted after CB. or CB.BIND. in the profile name.

Purpose | Profile without a SAF profile prefix | Profile with a SAF profile prefix | Access |
---|---|---|---|
Access to generic servers | CB.BIND.<cluster> | CB.BIND.<profilePrefix>.<cluster> | UACC(READ); PERMIT <CR_group> ACC(CONTROL) |
Access to objects in servers | CB.<cluster> | CB.<profilePrefix>.<cluster> | UACC(READ); PERMIT <CR_group> ACC(CONTROL) |

UACC(READ) means that any RACF-defined user can bind to the server. Tighten a profile to UACC(NONE) with explicit PERMITs only after confirming that every client and every WebSphere region that must connect to that server is on the access list.
Using SERVER class profiles
SERVER class profiles control whether a servant region can call authorized routines in its associated controller. The servant region's user ID needs READ access; with UACC(NONE), any other identity is refused.

Purpose | Profile | Access |
---|---|---|
Access to controllers using static application environments | CB.<server>.<cluster> | UACC(NONE); PERMIT <SR_userid> ACC(READ) |
Access to controllers using dynamic application environments | CB.<server>.<cluster>.<cell> | UACC(NONE); PERMIT <SR_userid> ACC(READ) |

For a static application environment:

```
RDEFINE SERVER CB.<server>.<cluster> UACC(NONE)
PERMIT CB.<server>.<cluster> CLASS(SERVER) ID(<SR_userid>) ACCESS(READ)
```

Here server = server short name, cluster = cluster name (or the cluster transition name if a cluster has not yet been created), and <SR_userid> is the MVS™ user ID of the servant region.

For a dynamic application environment:

```
RDEFINE SERVER CB.<server>.<cluster>.<cell> UACC(NONE)
PERMIT CB.<server>.<cluster>.<cell> CLASS(SERVER) ID(<SR_userid>) ACCESS(READ)
```

Here cell = cell short name; the other names are as above.

With a SAF profile prefix, the prefix follows CB. in the profile name: CB.<server>.<cluster> becomes CB.<SAF profile prefix>.<server>.<cluster>, and the dynamic application environment profile CB.<server>.<cluster>.<cell> is prefixed the same way.
Using STARTED class profiles
A STARTED class profile names the user ID and group under which a started address space runs, so the job name and procedure name in the profile decide which RACF identity the region gets.

STARTED class profiles (MGCRE) for control regions, daemons, and node agents:
- <CR_proc>.<CR_jobname> STDATA(USER(<CR_userid>) GROUP(<CFG_groupid>))
- <demn_proc>.* STDATA(USER(<demn_userid>) GROUP(<CFG_groupid>))

STARTED class profiles (ASCRE) for servant regions and adjuncts:
- <SR_jobname>.<SR_jobname> STDATA(USER(<SR_userid>) GROUP(<CFG_groupid>))

STARTED class profiles for the integral JMS provider (IJP) (MGCRE):
- <MQ_ssname>.* STDATA(USER(<IJP_userid>) GROUP(<CFG_groupid>)) (IJPs do not exist in WebSphere Application Server Version 6.1)

STARTED class profiles are needed for each of the following address spaces:
- Daemon
- Deployment manager (controller and servant)
- Node agent
- Application servers (controller, servant, and adjunct)
- Admin agents (controller and servant)
- Job managers (controller and servant)
Using APPL class profiles
An APPL class profile controls whether an authenticated user can use any application in the cell. If a SAF profile prefix is specified, the APPL class profile name is the SAF profile prefix. If no SAF profile prefix is specified, the APPL class profile name is CBS390. Refer to System Authorization Facility considerations for the operating system and application levels.
The APPL class profile only takes effect when both the APPL class is active in RACF and the option to use the APPL profile is enabled in WebSphere. The WebSphere option can be enabled or disabled from the administrative console by navigating to the SAF authorization options panel and setting the checkbox Use APPL profile to restrict access to the server. For more information on this setting, read about z/OS System Authorization Facility authorization.
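The RACF half of that setup, as an added example (not from the original page). It assumes a cell with SAF profile prefix PROD and a group PRODUSRS of users who may use applications in that cell; both names are assumptions. The console checkbox is the other half and cannot be set from RACF:

```rexx
/* REXX - APPL profile that gates authenticated users into a cell.      */
/* Added example, not from the original page.  Assumed: the cell has    */
/* SAF profile prefix PROD and PRODUSRS is the group of users allowed   */
/* to use applications in it.  With no prefix the name is CBS390.       */
parse arg prefix grp .
if prefix = '' then prefix = 'PROD'
if grp    = '' then grp    = 'PRODUSRS'
address TSO
/* Condition 1 from the text: the APPL class must be active (and        */
/* RACLISTed) in RACF.  Condition 2, "Use APPL profile to restrict      */
/* access to the server", is set in the administrative console.         */
"SETROPTS CLASSACT(APPL) RACLIST(APPL)"
/* UACC(NONE): authenticated users not on the access list are refused,  */
/* which is the point of the profile; UACC(READ) would admit everyone.  */
"RDEFINE APPL" prefix "UACC(NONE)"
"PERMIT" prefix "CLASS(APPL) ID("grp") ACCESS(READ)"
"SETROPTS RACLIST(APPL) REFRESH"
/* Check the resulting access list.                                     */
"RLIST APPL" prefix "AUTHUSER"
exit rc
```

Run it with no arguments for the assumed names, or pass the prefix and group (`CBS390` as the first argument for a cell without a SAF profile prefix). If the profile is defined but the class is inactive or the console option is off, the check is silently skipped, so verify both sides after the change.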
Creating multiple security configurations within a cell
You might require distinct sets of profiles within a given cell to separate logical WebSphere security domains in your enterprise (for example, test users and production users).
You can define a SAF profile prefix during customization using the z/OS Profile Management Tool, the zpmt command, or the SAF authorization options panel in the administrative console.
Setting a SAF profile prefix on the SAF authorization options panel of the WebSphere Application Server for z/OS administrative console creates the following property in the security.xml file:

```xml
<properties xmi:id="Property_47" name="com.ibm.security.SAF.profilePrefix" value="<profile_prefix>" required="false"/>
```
Class | No SAF profile prefix | With a SAF profile prefix |
---|---|---|
CBIND | CB.BIND.<cluster> | CB.BIND.<profilePrefix>.<cluster> |
CBIND | CB.<cluster> | CB.<profilePrefix>.<cluster> |
EJBROLE | ApplicationRoleName | <profilePrefix>.ApplicationRoleName |
APPL | CBS390 | <profilePrefix> |
Generating new user IDs and profiles for a new server
If you want to use unique user IDs for each new application server, you must define the users, groups, and profiles in the RACF database.
- If unique user IDs for the new server are desired, define the following new users and connect each one to the groups listed:
  - <New_CR_userid> <CR_groupid>, <CFG_groupid>
  - <New_SR_userid> <SR_groupid>, <CFG_groupid>
  - <New_ADJUNCT_userid> <ADJUNCT_groupid>, <CFG_groupid>
  - <New_client_userid> <client_groupid>
- CBIND class profiles for the new cluster (generic server short name):
  - CB.BIND.<New_cluster>
  - CB.<New_cluster>
- SERVER class profiles for the new server and cluster:
  - CB.<New_server>.<New_cluster>
  - CB.<New_server>.<New_cluster>.<cell>
- STARTED class profiles for the new server's controller, servant, and adjunct regions:
  - <CR_proc>.<New_CR_jobname> STDATA(USER(<New_CR_userid>) GROUP(<CFG_groupid>))
  - <New_SR_jobname>.* STDATA(USER(<New_SR_userid>) GROUP(<CFG_groupid>))
  - <New_ADJUNCT_jobname>.* STDATA(USER(<New_ADJUNCT_userid>) GROUP(<CFG_groupid>))
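The whole procedure for one new server carried through as a single exec, as an added example (not from the original page; it also serves as the worked form of the CBIND, SERVER, and STARTED sections above). Every concrete name is an assumption: server short name WSSRV02, cluster transition name WSCL02, cell short name SY1, controller procedure BBO7ACR, user IDs WSCR02/WSSR02/WSAJ02 with placeholder UIDs 2301-2303, and groups WSCRGRP/WSSRGRP/WSAJGRP/WSCFGRP, which are assumed to exist with OMVS segments. No SAF profile prefix is configured, so the profile names carry none:

```rexx
/* REXX - RACF definitions for one new WebSphere for z/OS application   */
/* server (users, CBIND, SERVER and STARTED profiles, as listed above). */
/* Added example, not from the original page.  All names below are     */
/* assumptions: server WSSRV02, cluster transition name WSCL02, cell    */
/* SY1, controller proc BBO7ACR, user IDs WSCR02/WSSR02/WSAJ02 with     */
/* placeholder UIDs 2301-2303, groups WSCRGRP/WSSRGRP/WSAJGRP/WSCFGRP.  */
parse arg server cluster cell .
if server = '' then parse value 'WSSRV02 WSCL02 SY1' with server cluster cell
cfggrp = 'WSCFGRP'
crproc = 'BBO7ACR'                 /* controller started-task procedure  */
crjob  = server                    /* controller job name                */
srjob  = server'S'                 /* servant job name                   */
ajjob  = server'A'                 /* adjunct job name                   */
home   = '/tmp'                    /* placeholder OMVS home directory    */
failed = 0
address TSO

/* 1. Unique user IDs: protected (no password), each connected to its   */
/*    region group and to the configuration group.                      */
call racf "ADDUSER WSCR02 NAME('WAS CTL" server"') DFLTGRP(WSCRGRP) NOPASSWORD",
          "OMVS(UID(2301) HOME('"home"') PROGRAM('/bin/sh'))"
call racf "ADDUSER WSSR02 NAME('WAS SRV" server"') DFLTGRP(WSSRGRP) NOPASSWORD",
          "OMVS(UID(2302) HOME('"home"') PROGRAM('/bin/sh'))"
call racf "ADDUSER WSAJ02 NAME('WAS ADJ" server"') DFLTGRP(WSAJGRP) NOPASSWORD",
          "OMVS(UID(2303) HOME('"home"') PROGRAM('/bin/sh'))"
call racf "CONNECT WSCR02 GROUP("cfggrp")"
call racf "CONNECT WSSR02 GROUP("cfggrp")"
call racf "CONNECT WSAJ02 GROUP("cfggrp")"

/* 2. CBIND: who may bind to the generic server and reach its objects.  */
/*    UACC(READ) as on the page; the controller group gets CONTROL.     */
call racf "RDEFINE CBIND CB.BIND."cluster" UACC(READ)"
call racf "PERMIT CB.BIND."cluster" CLASS(CBIND) ID(WSCRGRP) ACCESS(CONTROL)"
call racf "RDEFINE CBIND CB."cluster" UACC(READ)"
call racf "PERMIT CB."cluster" CLASS(CBIND) ID(WSCRGRP) ACCESS(CONTROL)"

/* 3. SERVER: only this server's servant may call into its controller;  */
/*    UACC(NONE) refuses every other identity.                          */
call racf "RDEFINE SERVER CB."server"."cluster" UACC(NONE)"
call racf "PERMIT CB."server"."cluster" CLASS(SERVER) ID(WSSR02) ACCESS(READ)"
call racf "RDEFINE SERVER CB."server"."cluster"."cell" UACC(NONE)"
call racf "PERMIT CB."server"."cluster"."cell" CLASS(SERVER) ID(WSSR02) ACCESS(READ)"

/* 4. STARTED: which identity each address space runs under.  The       */
/*    servant and adjunct profiles are generic (job name.*), so         */
/*    GENERIC must be active for the STARTED class.                     */
call racf "RDEFINE STARTED" crproc"."crjob "STDATA(USER(WSCR02) GROUP("cfggrp") TRACE(YES))"
call racf "RDEFINE STARTED" srjob".* STDATA(USER(WSSR02) GROUP("cfggrp") TRACE(YES))"
call racf "RDEFINE STARTED" ajjob".* STDATA(USER(WSAJ02) GROUP("cfggrp") TRACE(YES))"

/* 5. The classes are RACLISTed: refresh or nothing above takes effect. */
call racf "SETROPTS RACLIST(CBIND SERVER STARTED) REFRESH"

/* 6. Check before the first start: who can reach the controller, and   */
/*    which identity the servant job will get.                          */
call racf "RLIST SERVER CB."server"."cluster" AUTHUSER"
call racf "RLIST STARTED" srjob".* STDATA"
if failed > 0 then say failed 'command(s) failed; review the messages above'
exit (failed > 0)

/* Issue one RACF command in TSO and count failures instead of stopping */
/* at the first one, so a rerun shows everything that is still missing. */
racf:
  parse arg cmd
  address TSO cmd
  if rc <> 0 then do
    failed = failed + 1
    say 'RC='rc':' cmd
  end
  return
```

Invoke it with the server short name, cluster transition name, and cell short name as arguments, or with none for the assumed names. Two points worth checking on the RLIST output: the SERVER profile must show UACC NONE with only the servant ID permitted, which is what stops a job started under some other identity from calling the controller; and the generic STARTED profile `<jobname>.*` assigns the servant identity to any started job with that name, so job-name prefixes must not overlap with other started tasks on the system.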
Using FACILITY and SURROGAT class profiles (Synch to OS Thread Allowed option and the connection manager RunAs thread identity option)
- FACILITY class profile BBO.SYNC.<cell short name>.<cluster short name>
  - If the WebSphere controller has no access to the profile, Synch to OS Thread Allowed is disabled.
  - If the WebSphere controller has READ access to the profile, Synch to OS Thread Allowed can be used, but only for security environments that represent certain users; the SURROGAT class profile must be defined.
  - If the WebSphere controller has CONTROL access to the profile, Synch to OS Thread Allowed can be used to build security environments that represent any user; the SURROGAT class profile is not checked.
- SURROGAT class profile BBO.SYNC.<user ID>
  - If the WebSphere controller has only READ access to the FACILITY class profile BBO.SYNC.<cell short name>.<cluster short name> that enables Synch to OS Thread Allowed, the SURROGAT class profile check verifies that the WebSphere servant is authorized to establish a security environment for the target user.
  - These class profile checks are consistent with other products that perform similar functions.

The profile definitions in general form:

```
RDEF FACILITY BBO.SYNC.<cell short name>.<cluster short name> UACC(NONE)
PE BBO.SYNC.<cell short name>.<cluster short name> CLASS(FACILITY) ID(<CR user ID>) ACC(READ or CONTROL)
RDEF SURROGAT BBO.SYNC.<Run-As user ID> UACC(NONE)
PE BBO.SYNC.<Run-As user ID> CLASS(SURROGAT) ID(<SR user ID>) ACC(READ)
```

For example, with cell short name SY1, cluster short name BBOC001, controller user ID CBSYMCR, servant user ID CBSYMSR, and Run-As user ID J2EEID (READ on the FACILITY profile, so the SURROGAT profile is required and checked):

```
RDEF FACILITY BBO.SYNC.SY1.BBOC001 UACC(NONE)
PE BBO.SYNC.SY1.BBOC001 CLASS(FACILITY) ID(CBSYMCR) ACC(READ)
RDEF SURROGAT BBO.SYNC.J2EEID UACC(NONE)
PE BBO.SYNC.J2EEID CLASS(SURROGAT) ID(CBSYMSR) ACC(READ)
```
Using FACILITY class profiles (enabling trusted applications)

```
RDEF FACILITY BBO.TRUSTEDAPPS.<cell short name>.<cluster short name> UACC(NONE)
PE BBO.TRUSTEDAPPS.<cell short name>.<cluster short name> CLASS(FACILITY) ID(<CR userid>) ACC(READ)
```

The following generic example can be used for all servers in the cell:

```
RDEFINE FACILITY BBO.TRUSTEDAPPS.mycell01.** UACC(NONE)
PERMIT BBO.TRUSTEDAPPS.mycell01.** CLASS(FACILITY) ID(MYCBGROUP) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
```

The following example is for a specific server, that is, a system with a cell short name of SY1, a cluster short name (the server generic short name) of BBOC001, and a controller region user ID of CBSYMCR:

```
RDEF FACILITY BBO.TRUSTEDAPPS.SY1.BBOC001 UACC(NONE)
PE BBO.TRUSTEDAPPS.SY1.BBOC001 CLASS(FACILITY) ID(CBSYMCR) ACC(READ)
```
Using minimalist profiles
To minimize the number of users, groups, and profiles in the RACF database, you can use one user ID, one group ID, and very generic profiles so that they cover multiple servers in the same cell. This technique can also be used with the integral Java Message Service provider and with WebSphere Application Server, Network Deployment configurations.
- Profile definitions to define
- Digital certificates to consider for interprocess Secure Sockets Layer communication
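A minimalist layout of that kind, as an added example (not from the original page). Everything concrete in it is an assumption: a SAF profile prefix PROD is configured, so every CBIND and SERVER profile carries PROD. after CB. or CB.BIND.; all controller, servant, and adjunct procedures of the cell are named WSPROD*; the single user is WSPROD (UID 2310) in group WSPRDGRP (GID 2310):

```rexx
/* REXX - minimalist RACF setup: one user ID, one group and generic     */
/* profiles that cover every server of a cell.  Added example, not      */
/* from the original page.  Assumed (none of it on the page): SAF       */
/* profile prefix PROD is configured, every controller, servant and     */
/* adjunct procedure of the cell is named WSPROD*, user WSPROD with     */
/* UID 2310, group WSPRDGRP with GID 2310.                               */
address TSO
pfx = 'PROD'
"ADDGROUP WSPRDGRP OMVS(GID(2310))"
"ADDUSER WSPROD NAME('WAS ALL REGIONS') DFLTGRP(WSPRDGRP) NOPASSWORD",
        "OMVS(UID(2310) HOME('/tmp') PROGRAM('/bin/sh'))"

/* Generic profiles (the ** and * below) need generics on for the class */
"SETROPTS GENERIC(CBIND SERVER STARTED)"

/* CBIND: one profile pair covers CB.BIND.PROD.<any cluster> and        */
/* CB.PROD.<any cluster>; the page's UACC(READ) and CONTROL for the     */
/* controller group are kept.                                           */
"RDEFINE CBIND CB.BIND."pfx".** UACC(READ)"
"PERMIT CB.BIND."pfx".** CLASS(CBIND) ID(WSPRDGRP) ACCESS(CONTROL)"
"RDEFINE CBIND CB."pfx".** UACC(READ)"
"PERMIT CB."pfx".** CLASS(CBIND) ID(WSPRDGRP) ACCESS(CONTROL)"

/* SERVER: CB.PROD.<server>.<cluster>[.<cell>] for every server.  Since */
/* all servants run as WSPROD, one PERMIT admits all of them.           */
"RDEFINE SERVER CB."pfx".** UACC(NONE)"
"PERMIT CB."pfx".** CLASS(SERVER) ID(WSPROD) ACCESS(READ)"

/* STARTED: every WSPROD* procedure, whatever its job name, runs as     */
/* the single ID.                                                       */
"RDEFINE STARTED WSPROD*.* STDATA(USER(WSPROD) GROUP(WSPRDGRP) TRACE(YES))"

"SETROPTS RACLIST(CBIND SERVER STARTED) REFRESH"
/* Check which profile a given server's request resolves to: the       */
/* listing should show the generic CB.PROD.** with WSPROD permitted.    */
"RLIST SERVER CB."pfx".WSSRV01.WSCL01 AUTHUSER"
exit rc
```

The cost of the small profile count is the separation that the per-server layout buys. With one ID, a servant of any server holds the same SAF identity as every controller and every other servant in the cell, so the SERVER class check no longer isolates servers from each other; and the generic STARTED profile gives that identity to any started task whose procedure name begins with WSPROD, which makes control over who can add members to the procedure library part of the cell's security boundary.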