Setting up Kerberos as the authentication mechanism for WebSphere Application Server
You must perform the steps to set up Kerberos as the authentication mechanism for WebSphere® Application Server.
About this task
You must first ensure that the KDC is configured. For more information, see your Kerberos Administrator and User's guide.
To configure a KDC on z/OS®, you must activate the APPL class in RACF®. This action enables the APPL class profile that is defined for WebSphere and might restrict the ability of authenticated users to access applications that run on WebSphere. If your security configuration is using an SAF profile prefix, the profile name is the SAF profile prefix. Otherwise, the profile name is CBS390. To control whether the APPL profile is checked for WebSphere authorization, you can configure the checkbox that is labeled "Use APPL profile to restrict access to the server" on the SAF authorization panel in the administrative console. This setting can be configured at a WebSphere security domain level.
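
The RACF side of this step, as an added REXX example that is not taken from the product documentation: it grants READ on the APPL profile before the class is activated, so that users who already reach WebSphere applications keep their access. The group name WASUSERS is hypothetical, and CBS390 is the default profile name given above; substitute your SAF profile prefix if one is configured.

```rexx
/* REXX - added example; run from TSO by a user with RACF SPECIAL */
profile = "CBS390"    /* default name from the text; use the SAF   */
                      /* profile prefix instead if one is set      */
group   = "WASUSERS"  /* hypothetical group of permitted users     */

/* 1. Define the profile with no default access. RACF reports an   */
/*    error here if the profile already exists; that is harmless.  */
call run "RDEFINE APPL" profile "UACC(NONE)"

/* 2. Grant READ to the intended users BEFORE the class is active, */
/*    so that activation does not lock them out.                   */
call run "PERMIT" profile "CLASS(APPL) ID("group") ACCESS(READ)"

/* 3. Review the resulting access list.                            */
call run "RLIST APPL" profile "AUTHUSER"

/* 4. Activate the APPL class.                                     */
call run "SETROPTS CLASSACT(APPL)"

/* 5. Confirm that APPL now appears among the active classes.      */
call run "SETROPTS LIST"
exit 0

/* Issue one TSO command and flag a nonzero return code.           */
run: procedure
  parse arg cmd
  say "==>" cmd
  address tso cmd
  if rc <> 0 then say "    return code" rc "- review the messages above"
  return
```

If the APPL class is RACLISTed on your system, follow the PERMIT with `SETROPTS RACLIST(APPL) REFRESH` so that the change takes effect.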

You must perform the following steps to set up Kerberos as the authentication mechanism for WebSphere Application Server.