Roles for Enterprise JavaBeans and Web applications, and servlets
Roles are associated with Java 2 Platform, Enterprise Edition (J2EE) applications. Modules within the applications refer to roles using the role reference that points to the application role. Access to Web applications, servlets, or EJB methods is based upon the user or caller. Roles are associated with Web applications, and servlets or enterprise beans at assembly time. The role needed to use a servlet or EJB method is named in the application's deployment descriptors.
Which users and groups have which roles is determined using RACF profiles in the EJBROLE class (if SAF authorization is selected). If a user is in the access list of an EJBROLE profile, the user has that role. If a group is in the access list of an EJBROLE profile, users in that group have that role. If the EJBROLE profile has ACCESS(READ), all users have that role.
The security domain, if specified, becomes a prefix used by WebSphere Application Server for z/OS and RACF when checking EJBROLE profiles. This provides cell-level granularity of roles. You do not need to modify roles in the applications to achieve this.
Test Cell has Security Domain=TEST Production Cell has Security Domain=PROD
For example, an application using role Clerk is deployed on both cells. On the test cell, users need READ access to the EJBROLE profile TEST.Clerk. On the production cell, users need READ access to the EJBROLE profile PROD.Clerk.
There are four profiles defined in the RACF EJBROLE class for administrative authorization. They are administrator, configurator, monitor, and operator. When using RACF for role mapping, you need to define RACF user ID or group READ access for one of these profiles, depending on the administrative authority you give to the user.
Refer to System Authorization Facility for role-based authorization for more information on how SAF can be used for J2EE-based role authorization.
Using the RACF profiles
It is important to understand the security mechanisms used to protect the server resources using the CBIND, SERVER, and STARTED classes in RACF (or your equivalent security product). You must also understand the techniques for managing the security environment.
Basic information about the RACF profiles used by WebSphere Application Server for z/OS can be found in the SAF-based authorization. This section adds some additional details about the CBIND, SERVER, and STARTED class profiles.
User IDs and Group IDs
CR = Controller Region SR = Servant Region CFG = Configuration (group) server = server short name cluster = generic server (short) name (also called cluster transition name)
<CR_userid> <CR_groupid>, <CFG_groupid> <SR_userid> <SR_groupid>, <CFG_groupid> <demn_userid> <demn_groupid>, <CFG_groupid> <admin_userid> <CFG_groupid> <client_userid> <client_groupid> <ctracewtr_userid> <ctracewtr_groupid>
Below are the various profiles used to protect the WebSphere Application Server for z/OS resources, along with the permissions and access levels.
Using CBIND class profiles
CBIND Class profiles - access to generic servers CB.BIND.<cluster> UACC(READ); PERMIT <CR_group> ACC(CONTROL) CBIND Class profiles - access to objects in servers CB.<cluster> UACC(READ) PERMIT <CR_group> ACC(CONTROL)
CBIND Class profiles - access to generic servers CB.BIND.<domainId>.<cluster> UACC(READ) CBIND Class profiles - access to objects in servers CB.<domainId>.<cluster> UACC(READ)
CB.CBIND.<cluster> CB.CBIND.<security domain>.<cluster>
CB.<cluster> CB.<security domain>.<cluster>
Using SERVER class profiles
SERVER class profiles – access to controllers using static Application Environments CB.<server>.<cluster> UACC(NONE) PERMIT <SR_userid> ACC(READ) SERVER class profiles – access to controllers using dynamic Application Environments CB.<server>.<cluster>.<cell> UACC(NONE) PERMIT <SR_userid> ACC(READ)
RDEFINE CB.&<server<cluster> UACC(NONE); PERMIT &<SR_userid> ACCESS(READ)For this example, server = server name, cluster = cluster name or cluster transition name if a cluster has not yet been created, and SR is the MVS user ID for the server region.
CB.& <server>.&<cluster>.<cell> UACC(NONE); PERMIT &<SR_userid> ACC(READ)For this example, server = server name, cluster = cluster name or cluster transition name if a cluster has not yet been created, cell = cell short name, and SR is the MVS user ID for the server region.
SERVER class profiles control whether a servant can call authorized routines in the associated controller.
CB.<server>.<cluster> CB.<security domain>.<server>.<cluster>
CB.<server>.<cluster>.<cell> 22
Using STARTED class profiles
STARTED Class profiles - (MGCRE) - for control regions, daemons, and Node agents <<CR_proc>.<CR_jobname> STDATA(USER(CR_userid) GROUP(CFG_groupid)) <demn_proc>.* STDATA(USER(demn_userid) GROUP(CFG_groupid)) STARTED Class profiles - (ASCRE) - for servant regions and adjuncts <SR_jobname>.<SR_jobname> STDATA(USER(SR_userid) GROUP(CFG_groupid)) STARTED Class profiles for IJP - (MGCRE) <MQ_ssname>.* STDATA(USER(IJP_userid) GROUP(CFG_groupid))
An APPL class profile controls whether an authenticated user can use any applications in the cell. If a security domain is specified, the APPL class profile name will be the security domain name. If security domain is not specified, the APPL class profile name will be CBS390. Refer to System Authorization Facility considerations for the operating system and application levels.
Creating multiple security configurations within a sysplex
You might require distinct sets of profiles within a given RACF database to separate logical WebSphere Application Server for z/OS security domains in your enterprise, (for example, test, and production users).
Use Security Domain Identifier in RACF Definitions: <Y/N> Security Domain Identifier....................: <domainId>
Use the WebSphere Application Server for z/OS administrative console to set these variables under Security > Global Security > Custom Properties, which creates the following properties in the security.xml file in the cell’s directory:
xmi:id="Property_47" name="security.zOS.domainType" value="cellQualified" required="false"/> xmi:id="Property_48" name="security.zOS.domainName" value="<domain_name>" required="false"/>
This creates the following variables in was.env file in the server’s directory: security_zOS_domainName=<domain_name> security_zOS_domainType=1
Class domainType=None domainType=cellQualified CBIND CB.clustername CB.domainId.clustername CB.BIND.clustername CB.BIND.domainId.clustername APPL CBS390 domainId EJBROLE ApplicationRoleName domainId.ApplicationRoleName
Generating new user IDs and Profiles for a new Server
If you want to use unique user IDs for each new application server, you must define these users, groups, and profiles in the RACF database.
Using minimalist profiles
To minimize the number of users, groups, and profiles in the RACF data set, you can use one user ID, one group ID, and very generic profiles so they cover multiple servers in the same cell. This technique can also be used with Integral Java Message Service provider and Network Deployment configurations.