Enabling pluggable login modules to map Java EE identities to System Authorization Facility (SAF)
You need to perform several actions to enable any pluggable login modules to correctly map Java™ EE identities to SAF. These actions include configuring the active WebSphere® Application Server user registry and configuring pluggable mapping modules.
Procedure
- Configure the active WebSphere Application Server user registry as a Lightweight Directory Access Protocol (LDAP) registry or a Custom registry, and use System Authorization Facility (SAF) services such as:
  - System Authorization Facility (SAF) EJBROLE profiles to control WebSphere Application Server authorization. Refer to Role-based authorization for more information.
  - Enabling an application to run a WebSphere Application Server application and set the operating system (OS) identity to match the Java EE identity. This is known as application Sync to OS Thread. Refer to Application Synch to OS Thread Allowed and When to use application Synch to OS Thread Allowed for more information.
  - Using the Java EE client identity as the identity when issuing a Connection Management request for a local native connector such as CICS®, Information Management System (IMS™), Database 2 (DB2®), or Java Message Service (JMS). Refer to Java Platform, Enterprise Edition identity and an operating system thread identity for more information.
  - Auditing using SMF audit. Refer to the information about using SMF type 80 to prepare for audit support.
- You must configure a pluggable mapping module followed by a WebSphere Application Server for z/OS-supplied module in the appropriate system login configurations to use pluggable login modules. If a registry other than local OS is selected and no mapping is done, or no valid mapping is available for a particular identity:
  - SAF authorization is not supported: if SAF authorization is selected and a method is protected, the method fails.
  - Application Synch to OS thread is not supported: requests always run using the user ID of the servant.
  - When res-auth=container is specified to native connectors and no alias is identified, a connection management request runs under the servant user ID.
- Pluggable login modules can be used when:
  - The WebSphere Application Server authentication mechanism specified is Simple WebSphere Authentication Mechanism (SWAM) or Lightweight Third-Party Authentication (LTPA). SWAM is deprecated in WebSphere Application Server Version 9.0 and will be removed in a future release.
  - The Internet Inter-ORB protocol (IIOP) authentication protocol negotiated uses Common Secure Interoperability Version 2 (CSIV2).
  - A web request is issued.
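The following is an added illustration, not code from this page or shipped with WebSphere Application Server: a minimal JAAS mapping login module of the kind the second step describes. It is placed before the z/OS-supplied module in a system login configuration, reads the Java EE identity that earlier modules leave in the JAAS shared state, looks it up in a mapping table, and publishes the resulting SAF user ID for the module that follows. When no valid mapping exists it fails the login outright, so the request cannot silently fall through to the servant user ID (the failure mode the step lists). The two shared-state key names, the class name, and the in-memory mapping table are assumptions and constructed samples; a real module would use the attribute names documented for the installed WebSphere release and a real lookup source.

```java
// Added example (not from the IBM page or WebSphere itself): a JAAS mapping
// login module that maps a Java EE identity to a SAF user ID for the
// WebSphere Application Server for z/OS-supplied module that runs after it.
//
// ASSUMPTIONS: the two shared-state keys below are placeholders, not the real
// WebSphere attribute names; the mapping table is a constructed sample.
package example.saf;

import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SafMappingLoginModule implements LoginModule {

    /** Placeholder key under which earlier modules publish the Java EE principal name (assumption). */
    static final String KEY_JAVAEE_PRINCIPAL = "example.javaee.principalName";
    /** Placeholder key under which this module publishes the mapped SAF user ID (assumption). */
    static final String KEY_SAF_USERID = "example.saf.userId";

    /** RACF user IDs are 1 to 8 characters from A-Z, 0-9, @, # and $; reject anything else. */
    private static final Pattern SAF_USERID = Pattern.compile("[A-Z0-9@#$]{1,8}");

    /** Constructed sample mapping table: LDAP or custom-registry identity -> SAF user ID. */
    private static final Map<String, String> MAPPINGS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("uid=alice,ou=people,o=example", "ALICE1");
        m.put("uid=bob,ou=people,o=example", "BOB1");
        MAPPINGS = Collections.unmodifiableMap(m);
    }

    private Map<String, Object> sharedState;
    private String mappedUserId;
    private boolean succeeded;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        // The Subject is not modified here; only the shared state is used to pass the mapping on.
        this.sharedState = (Map<String, Object>) sharedState;
    }

    @Override
    public boolean login() throws LoginException {
        Object principal = sharedState.get(KEY_JAVAEE_PRINCIPAL);
        if (principal == null) {
            throw new LoginException("no Java EE identity in shared state; mapping module is misordered");
        }
        String safId = mapToSaf(principal.toString());
        if (safId == null) {
            // No valid mapping: fail loudly. Otherwise the request would run under the
            // servant user ID and SAF EJBROLE checks on protected methods would fail.
            throw new LoginException("no SAF mapping for Java EE identity " + principal);
        }
        mappedUserId = safId;
        // JAAS runs every module's login() before any commit(), so the value must be
        // shared here for the z/OS-supplied module that follows to see it.
        sharedState.put(KEY_SAF_USERID, mappedUserId);
        succeeded = true;
        return true;
    }

    /** Pure mapping step, kept separate so it can be unit-tested without a JAAS context. */
    static String mapToSaf(String javaEeIdentity) {
        String candidate = MAPPINGS.get(javaEeIdentity.toLowerCase(Locale.ROOT));
        if (candidate == null || !SAF_USERID.matcher(candidate).matches()) {
            return null;
        }
        return candidate;
    }

    @Override
    public boolean commit() throws LoginException {
        return succeeded;
    }

    @Override
    public boolean abort() throws LoginException {
        sharedState.remove(KEY_SAF_USERID);
        mappedUserId = null;
        succeeded = false;
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        sharedState.remove(KEY_SAF_USERID);
        mappedUserId = null;
        succeeded = false;
        return true;
    }
}
```

In the system login configuration the module is listed with the `required` control flag ahead of the z/OS-supplied module, so that a failed mapping fails the whole login; listing it as `optional` or `sufficient` would reintroduce the fall-through to the servant user ID that the step warns about.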
File name: tsec_pluglogmodsracf.html