You can configure a security domain by using a customization dialog.
Security information is stored in a new SavedVariables file because security domain information can span multiple cells (including test and production). You can reuse the variables you defined previously. Make sure you save the values and record the location of the file they are saved in.
/* CBIND profiles in case no server definition is set */
"RDEFINE CBIND CB.BIND.* UACC(NONE)"
"RDEFINE CBIND CB.* UACC(NONE)"
/* CBIND profiles prefixed with the security domain identifier (CB.BIND.domain_name.), here TESTSYS */
"RDEFINE CBIND CB.BIND.TESTSYS.* UACC(NONE)"
"RDEFINE CBIND CB.TESTSYS.* UACC(NONE)"
Use an APPL profile to protect WebSphere Application Server for z/OS. The sample profiles define the APPL profile with universal access authority UACC(NONE), so no user ID has access by default, and then explicitly grant access to the configuration group, the unauthenticated user IDs, and all valid WebSphere Application Server for z/OS user IDs.
RDEFINE APPL CB390 UACC(NONE)
PERMIT CB390 CLASS(APPL) ID(TSCLGP) ACCESS(READ)
RDEFINE APPL TESTSYS UACC(NONE)
PERMIT TESTSYS CLASS(APPL) ID(TSCLGP) ACCESS(READ)
EJBROLE profiles are defined for role-based authorization checks. The first set below assumes no security domain identifier and a configuration group named TSTCFG; the second set shows the same profiles prefixed with the security domain identifier TESTSYS. These are the default values set at bootstrap, which is the minimum set of users requiring access to the naming and administrative roles for a Local OS registry when System Authorization Facility (SAF) authorization is selected.
RDEFINE EJBROLE administrator UACC(NONE)
RDEFINE EJBROLE monitor UACC(NONE)
RDEFINE EJBROLE configurator UACC(NONE)
RDEFINE EJBROLE operator UACC(NONE)
RDEFINE EJBROLE deployer UACC(NONE)
RDEFINE EJBROLE adminsecuritymanager UACC(NONE)
PERMIT administrator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT monitor CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT configurator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT operator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT deployer CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT adminsecuritymanager CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
/* Setting up EJBRoles Profiles for Naming roles */
RDEFINE EJBROLE CosNamingRead UACC(NONE)
PERMIT CosNamingRead CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE CosNamingWrite UACC(NONE)
RDEFINE EJBROLE CosNamingCreate UACC(NONE)
RDEFINE EJBROLE CosNamingDelete UACC(NONE)

/* Same profiles with the security domain identifier TESTSYS as prefix */
RDEFINE EJBROLE TESTSYS.administrator UACC(NONE)
RDEFINE EJBROLE TESTSYS.monitor UACC(NONE)
RDEFINE EJBROLE TESTSYS.configurator UACC(NONE)
RDEFINE EJBROLE TESTSYS.operator UACC(NONE)
RDEFINE EJBROLE TESTSYS.deployer UACC(NONE)
RDEFINE EJBROLE TESTSYS.adminsecuritymanager UACC(NONE)
PERMIT TESTSYS.administrator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.monitor CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.configurator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.operator CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.deployer CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
PERMIT TESTSYS.adminsecuritymanager CLASS(EJBROLE) ID(TSTCFG) ACCESS(READ)
/* Setting up EJBRoles Profiles for Naming roles */
RDEFINE EJBROLE TESTSYS.CosNamingRead UACC(NONE)
PERMIT TESTSYS.CosNamingRead CLASS(EJBROLE) ID(TSGUEST) ACCESS(READ)
RDEFINE EJBROLE TESTSYS.CosNamingWrite UACC(NONE)
RDEFINE EJBROLE TESTSYS.CosNamingCreate UACC(NONE)
RDEFINE EJBROLE TESTSYS.CosNamingDelete UACC(NONE)
Security server definition
A security domain definition in z/OS provides WebSphere Application Server for z/OS with a set of cell-wide z/OS Security Server (RACF) security definitions.
Assign distinct MVS user IDs to the servers in security domains that must be isolated from each other. The STARTED profiles below map each started-task name to its servant or controller user ID and group.
RDEFINE STARTED TST5ACR.* STDATA(USER(TSSYMCR1) GROUP(TSTCFG) TRACE(YES))
RDEFINE STARTED BBO*.* STDATA(USER(TSSYMSR1) GROUP(TSTCFG) TRACE(YES))
RDEFINE STARTED TSTS001S.* STDATA(USER(TSSYMSR1) GROUP(TSTCFG) TRACE(YES))
RDEFINE STARTED TST*.* STDATA(USER(TSSYMSR1) GROUP(TSTCFG) TRACE(YES))
RDEFINE STARTED TSTS001S.* STDATA(USER(TSSYMSR1) GROUP(TSTCFG) TRACE(YES))
RDEFINE STARTED TSTS002S.* STDATA(USER(TSSYMSR2) GROUP(TSTCFG) TRACE(YES))
Restrict SERVER access to security domains. In addition, the SERVER class profiles indicate which servant identities can access the Workload Manager (WLM) queues that WebSphere Application Server for z/OS uses. To isolate the sets of security domains clearly, note the relationship between server names and servant region MVS user IDs: each servant user ID is permitted only to the SERVER profiles of its own servers.
RDEFINE SERVER CB.* UACC(NONE)
RDEFINE SERVER CB.*.BBO* UACC(NONE)
RDEFINE SERVER CB.*.BBO*.* UACC(NONE)
RDEFINE SERVER CB.*.TSTC001 UACC(NONE)
RDEFINE SERVER CB.*.TSTC001.* UACC(NONE)
PERMIT CB.*.TSTC001 CLASS(SERVER) ID(TSSYMSR1) ACC(READ)
PERMIT CB.*.TSTC001.* CLASS(SERVER) ID(TSSYMSR1) ACC(READ)

RDEFINE SERVER CB.*.TST* UACC(NONE)
RDEFINE SERVER CB.*.TST*.* UACC(NONE)
PERMIT CB.*.TST* CLASS(SERVER) ID(TSSYMSR1) ACC(READ)
PERMIT CB.*.TST*.* CLASS(SERVER) ID(TSSYMSR1) ACC(READ)
CBIND profile definitions for servers
RDEFINE CBIND CB.BIND.BBO* UACC(NONE)
RDEFINE CBIND CB.BIND.TSTC001 UACC(NONE)
PERMIT CB.BIND.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
PERMIT CB.BIND.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.BBO* UACC(NONE)
RDEFINE CBIND CB.TSTC001 UACC(NONE)

RDEFINE CBIND CB.BIND.TESTSYS.BBO* UACC(NONE)
RDEFINE CBIND CB.BIND.TESTSYS.TSTC001 UACC(NONE)
PERMIT CB.BIND.TESTSYS.BBO* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
PERMIT CB.BIND.TESTSYS.TSTC001 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.TESTSYS.BBO* UACC(NONE)
RDEFINE CBIND CB.TESTSYS.TSTC001 UACC(NONE)

RDEFINE CBIND CB.BIND.TSTC002 UACC(NONE)
PERMIT CB.BIND.TSTC002 CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.TSTC002 UACC(NONE)

RDEFINE CBIND CB.BIND.TESTSYS.TST* UACC(NONE)
PERMIT CB.BIND.TESTSYS.TST* CLASS(CBIND) ID(TSTCFG) ACCESS(CONTROL)
RDEFINE CBIND CB.TESTSYS.TST* UACC(NONE)
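The EJBROLE and CBIND definitions above follow one naming rule: no prefix when there is no security domain identifier, and a "domain." prefix (TESTSYS. here) when there is one. The following generator reproduces that rule so the profile set for each domain is produced consistently rather than retyped; it is an added example, not IBM's code or a tool from the product, and the role names, group (TSTCFG) and guest ID (TSGUEST) are taken from the page while the script layout is assumed.

```python
"""Generate the RACF EJBROLE and CBIND profile set for one WebSphere for z/OS
security domain (added example; mirrors the naming pattern shown on the page)."""
from typing import List, Optional

# Administrative and naming roles bootstrapped for a Local OS registry with SAF authorization.
ADMIN_ROLES = ["administrator", "monitor", "configurator", "operator",
               "deployer", "adminsecuritymanager"]
NAMING_ROLES = ["CosNamingRead", "CosNamingWrite", "CosNamingCreate", "CosNamingDelete"]


def prefix(domain: Optional[str]) -> str:
    """'TESTSYS' -> 'TESTSYS.'; None -> '' (no security domain identifier)."""
    return f"{domain}." if domain else ""


def ejbrole_commands(domain: Optional[str], config_group: str, guest_id: str) -> List[str]:
    """EJBROLE profiles: define with UACC(NONE), then permit only the configuration
    group on admin roles and only the unauthenticated ID on CosNamingRead."""
    p = prefix(domain)
    cmds = [f"RDEFINE EJBROLE {p}{role} UACC(NONE)" for role in ADMIN_ROLES]
    cmds += [f"PERMIT {p}{role} CLASS(EJBROLE) ID({config_group}) ACCESS(READ)"
             for role in ADMIN_ROLES]
    cmds += [f"RDEFINE EJBROLE {p}{role} UACC(NONE)" for role in NAMING_ROLES]
    # Write/Create/Delete on naming stay closed: nobody is permitted to them here.
    cmds.append(f"PERMIT {p}CosNamingRead CLASS(EJBROLE) ID({guest_id}) ACCESS(READ)")
    return cmds


def cbind_commands(domain: Optional[str], servers: List[str], config_group: str) -> List[str]:
    """CBIND profiles: generic catch-all profiles first, then per-server BIND and
    access profiles; CONTROL on CB.BIND.<server> goes to the configuration group only."""
    p = prefix(domain)
    cmds = [f"RDEFINE CBIND CB.BIND.{p}* UACC(NONE)", f"RDEFINE CBIND CB.{p}* UACC(NONE)"]
    for server in servers:  # server names may be generic, e.g. 'BBO*' or 'TST*'
        cmds.append(f"RDEFINE CBIND CB.BIND.{p}{server} UACC(NONE)")
        cmds.append(f"PERMIT CB.BIND.{p}{server} CLASS(CBIND) ID({config_group}) ACCESS(CONTROL)")
        cmds.append(f"RDEFINE CBIND CB.{p}{server} UACC(NONE)")
    return cmds


if __name__ == "__main__":
    for domain in (None, "TESTSYS"):  # no identifier, then the TESTSYS domain
        print("\n".join(ejbrole_commands(domain, "TSTCFG", "TSGUEST")))
        print("\n".join(cbind_commands(domain, ["BBO*", "TSTC001"], "TSTCFG")))
```

Review the generated list against the ISPF-entered profiles before running it; generic profiles such as CB.*.TST* must still be matched by a more specific profile for any server that needs a different servant ID.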
Refer to Creating a security domain and Planning a security domain for more information on security domains.