Resource Access Control Facility Tips for customizing WebSphere Application Server
It is important to understand the security mechanisms used to protect the server resources using the CBIND, SERVER, and STARTED classes in RACF® (or your security product). This paper describes these mechanisms along with some techniques for managing the security environment.
- CBIND: Access to servers, and access to objects in the servers
- SERVER: Access to controller regions by servant regions
- STARTED: Associate user-ids and groups to started procedures (STCs)
Whenever you add another server to your cell, you must also add the RACF profiles and permissions that server requires.
You can define the minimal set of users, groups, and profiles for a testing environment (where security of individual servers is not the main focus or concern).
RACF Profiles (CBIND, SERVER, and STARTED): Basic information about the RACF profiles used by WebSphere can be found in the System Authorization Facility classes and profiles. This section adds some additional details about the CBIND, SERVER, and STARTED class profiles.
Abbreviations used in the profile names below:
CR = Controller Region
SR = Servant Region
CFG = Configuration (group)
server = server short name
cluster = generic server (short) name (also called cluster transition name)

User IDs and the groups they are connected to:
<CR_userid>        <CR_groupid>, <CFG_groupid>
<SR_userid>        <SR_groupid>, <CFG_groupid>
<demn_userid>      <demn_groupid>, <CFG_groupid>
<admin_userid>     <CFG_groupid>
<client_userid>    <client_groupid>
<ctracewtr_userid> <ctracewtr_groupid>
Below are the various profiles used to protect the WebSphere servers and resources, along with the permissions and access levels.
CBIND Class profiles - access to generic servers
CB.BIND.<cluster> UACC(READ); PERMIT <CR_groupid> ACC(CONTROL)
CBIND Class profiles - access to objects in servers
CB.<cluster> UACC(READ); PERMIT <CR_groupid> ACC(CONTROL)
SERVER Class Profiles: There are two formats of the SERVER class profile that protects access to a server's controller region. Define the profile in one format only, chosen by whether Dynamic Application Environment (DAE) support is enabled. DAE support is provided by WLM APAR OW54622, which applies to z/OS V1R2 or later.
- Static Application Environments (without the APAR support): RDEFINE SERVER CB.<server>.<cluster> UACC(NONE); PERMIT CB.<server>.<cluster> CLASS(SERVER) ID(<SR_userid>) ACCESS(READ). Here server = server short name, cluster = cluster name (or the cluster transition name if a cluster has not yet been created), and SR_userid = the MVS user ID of the servant region.
- Dynamic Application Environments (with the WLM DAE APAR support): RDEFINE SERVER CB.<server>.<cluster>.<cell> UACC(NONE); PERMIT CB.<server>.<cluster>.<cell> CLASS(SERVER) ID(<SR_userid>) ACCESS(READ). Here server, cluster, and SR_userid are as above, and cell = cell short name.
STARTED Class profiles - (MGCRE)
<CR_proc>.<CR_jobname> STDATA(USER(CR_userid) GROUP(CFG_groupid))
<demn_proc>.* STDATA(USER(demn_userid) GROUP(CFG_groupid))
STARTED Class profiles - (ASCRE)
<SR_jobname>.<SR_jobname> STDATA(USER(SR_userid) GROUP(CFG_groupid))
STARTED Class profiles for IJP - (MGCRE)
<MQ_ssname>.* STDATA(USER(IJP_userid) GROUP(CFG_groupid))
Generating new user IDs and Profiles for a new Server: If you want to use unique user IDs for each new application server, you must define these users, groups, and profiles in the RACF database.
- If unique user IDs for the new servers are desired, define three new users and connect them to the following groups:
  <New_CR_userid> <CR_groupid>, <CFG_groupid>
  <New_SR_userid> <SR_groupid>, <CFG_groupid>
  <New_client_userid> <client_groupid>
- CBIND class profiles for the new cluster (generic server short name):
  CB.BIND.<New_cluster>
  CB.<New_cluster>
- SERVER class profile for the new server and cluster (define only one of the two, in the static or the DAE format as described above):
  CB.<New_server>.<New_cluster>
  CB.<New_server>.<New_cluster>.<cell>
- STARTED class profiles for the new server's controller and servant regions:
  <CR_proc>.<New_CR_jobname> STDATA(USER(New_CR_userid) GROUP(CFG_groupid))
  <New_SR_jobname>.* STDATA(USER(New_SR_userid) GROUP(CFG_groupid))
/* CBIND Class profiles (UACC) - access to generic servers */
CB.BIND.T5CL* UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)
/* CBIND Class profiles (UACC) - access to objects in servers */
CB.T5CL* UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)
/* SERVER Class profiles - access to controllers (old style) */
CB.*.T5CL* UACC(NONE); PERMIT ID(T5USR) ACC(READ)
/* SERVER Class profiles - access to controllers (new style) */
CB.*.*.T5CELL UACC(NONE); PERMIT ID(T5USR) ACC(READ)
/* STARTED Class profiles - (MGCRE) - for STCs, except servants */
T5ACR.* STDATA(USER(T5USR) GROUP(T5GRP)) /* controller*/
T5DMN.* STDATA(USER(T5USR) GROUP(T5GRP)) /* daemon */
T5CTRW.* STDATA(USER(T5USR) GROUP(T5GRP)) /* CTrace WTR*/
WMQX*.* STDATA(USER(T5USR) GROUP(T5GRP)) /* IJP */
/* STARTED Class profiles - (ASCRE - for servants) */
T5SRV*.* STDATA(USER(T5USR) GROUP(T5GRP)) /* servant */
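The recipe for a new server above, and the shorthand used throughout this page, omit the CLASS() and ID() operands that RACF actually requires on PERMIT, and the SERVER profile has to be built in one of two formats depending on DAE support. The following generator, an added example and not IBM-supplied code, turns the cell, cluster, server and user-ID names into the complete ADDUSER/CONNECT/RDEFINE/PERMIT/SETROPTS stream for one new server with its own controller and servant user IDs. The names it uses (T5CELL, T5CL02, T5SR02, T5CRU2, and so on) are constructed for illustration in the style of the T5 example above, and the assumption that the controller jobname equals the server short name is the default naming, not something this page states.

```python
"""Emit the RACF command stream for a new WebSphere for z/OS server.

Added example for this page, not IBM-supplied code. It turns the CBIND,
SERVER and STARTED recipe into full RDEFINE/PERMIT syntax and picks the
SERVER profile format by whether WLM dynamic application environments
(APAR OW54622) are in use. All names in the demo are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# RACF user IDs, group names and jobnames: 1-8 characters from A-Z 0-9 @ # $,
# not starting with a digit. Names are folded to upper case before checking.
_RACF_NAME = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")


def is_valid_racf_name(name: str) -> bool:
    return bool(_RACF_NAME.match(name.upper()))


@dataclass
class NewServer:
    cell: str         # cell short name
    server: str       # server short name; assumed to also be the controller jobname
    cluster: str      # generic server short name (cluster transition name)
    cr_proc: str      # controller start procedure (the MGCRE procname)
    cr_user: str
    cr_group: str
    sr_jobname: str   # servant jobname (address space created by WLM via ASCRE)
    sr_user: str
    sr_group: str
    cfg_group: str    # configuration group shared by controller and servant
    dae: bool = True  # WLM dynamic application environments in use?

    def names(self) -> List[str]:
        return [self.cell, self.server, self.cluster, self.cr_proc, self.cr_user,
                self.cr_group, self.sr_jobname, self.sr_user, self.sr_group,
                self.cfg_group]


def server_profile(s: NewServer) -> str:
    """SERVER class profile: CB.<server>.<cluster>, with .<cell> appended under DAE."""
    base = f"CB.{s.server}.{s.cluster}"
    return f"{base}.{s.cell}" if s.dae else base


def racf_commands(s: NewServer) -> List[str]:
    bad = [n for n in s.names() if not is_valid_racf_name(n)]
    if bad:
        raise ValueError(f"not valid RACF names: {bad}")
    cmds: List[str] = []
    # 1. Region user IDs: protected (NOPASSWORD) so nobody can log on with them.
    for user, grp in ((s.cr_user, s.cr_group), (s.sr_user, s.sr_group)):
        cmds.append(f"ADDUSER {user} DFLTGRP({grp}) NOPASSWORD")
        cmds.append(f"CONNECT {user} GROUP({s.cfg_group})")
    # 2. CBIND: bind to the generic server, and access objects in it.
    #    Clients get READ through UACC; the controller's group needs CONTROL.
    for prof in (f"CB.BIND.{s.cluster}", f"CB.{s.cluster}"):
        cmds.append(f"RDEFINE CBIND {prof} UACC(READ)")
        cmds.append(f"PERMIT {prof} CLASS(CBIND) ID({s.cr_group}) ACCESS(CONTROL)")
    # 3. SERVER: only the servant's user ID may connect to its controller.
    prof = server_profile(s)
    cmds.append(f"RDEFINE SERVER {prof} UACC(NONE)")
    cmds.append(f"PERMIT {prof} CLASS(SERVER) ID({s.sr_user}) ACCESS(READ)")
    # 4. STARTED: the controller comes up via MGCRE (procname.jobname); WLM
    #    creates servants with ASCRE, which RACF matches as jobname.jobname.
    cmds.append(f"RDEFINE STARTED {s.cr_proc}.{s.server} "
                f"STDATA(USER({s.cr_user}) GROUP({s.cfg_group}) TRACE(YES))")
    cmds.append(f"RDEFINE STARTED {s.sr_jobname}.{s.sr_jobname} "
                f"STDATA(USER({s.sr_user}) GROUP({s.cfg_group}) TRACE(YES))")
    # 5. Nothing above takes effect until the RACLISTed classes are refreshed.
    cmds.append("SETROPTS RACLIST(CBIND SERVER STARTED) REFRESH")
    return cmds


if __name__ == "__main__":
    # Constructed demo names, modelled on the T5 example on this page.
    demo = NewServer(cell="T5CELL", server="T5SR02", cluster="T5CL02",
                     cr_proc="T5ACR", cr_user="T5CRU2", cr_group="T5CRG",
                     sr_jobname="T5SRV02", sr_user="T5SRU2", sr_group="T5SRG",
                     cfg_group="T5CFG")
    print("\n".join(racf_commands(demo)))
```

Run the output through TSO or an IKJEFT01 batch step as a RACF administrator; the final SETROPTS REFRESH is what makes the new CBIND, SERVER and STARTED profiles visible to the running system. Set dae=False on a system without the OW54622 support to get the three-qualifier SERVER profile instead.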