System Authorization Facility (SAF) user registries are used for several purposes in WebSphere Application Server for z/OS.
Using a Local OS or non-Local OS user registry implementation, the WebSphere Application Server for z/OS authentication mechanism can use SAF interfaces. SAF interfaces are defined by MVS to enable applications to use system authorization services or user registries to control access to resources such as data sets and MVS commands. SAF either processes security authorization requests directly or works with RACF, or other security products, to process the requests. Note that a Local OS SAF user registry is not a centralized user registry like Lightweight Directory Access Protocol (LDAP), but it is a centralized registry within a sysplex.
With WebSphere Application Server for z/OS, SAF user registries provide digital certificate to user ID mappings using the Resource Access Control Facility (RACF) RACDCERT command. For more information on the RACDCERT command, refer to z/OS Security Server RACF Command Language Reference (SA22-7687-05), available at http://www.ibm.com/servers/eserver/zseries/zos/bkserv/r5pdf/secserv.html.
The WebSphere Application Server for z/OS localOS User Registry (SAF User Registry) implementation sets the registry realm name from the SAFDFLT profile in the REALM class when the REALM class is active and the SAFDFLT profile is defined. This realm name is specified as the APPLDATA property of the SAFDFLT profile. If the realm name cannot be obtained from the OS security product (such as RACF), the value of protocol_iiop_daemon_listenIPAddress is used instead. This can happen, for example, if the REALM class is not active, or if the SAFDFLT profile is not defined.
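The RACF commands below are an added example, not part of the original documentation. They show how an administrator could check and set the two conditions described above, so that the realm name comes from the security product and not from the fallback value. The realm name EXAMPLE.REALM is a constructed placeholder.

```tso
/* Added example: EXAMPLE.REALM is a constructed placeholder realm name */

/* 1. Check whether REALM is listed among the active classes */
SETROPTS LIST

/* 2. Activate the REALM class if it is not already active */
SETROPTS CLASSACT(REALM)

/* 3. Define the SAFDFLT profile; APPLDATA carries the realm name */
RDEFINE REALM SAFDFLT APPLDATA('EXAMPLE.REALM')

/* 3a. If SAFDFLT already exists, change its APPLDATA instead */
RALTER REALM SAFDFLT APPLDATA('EXAMPLE.REALM')

/* 4. Confirm the profile exists and review its application data */
RLIST REALM SAFDFLT
```

If the RLIST output shows no profile or no application data, the registry falls back to protocol_iiop_daemon_listenIPAddress as described above.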
For a realm name change to take effect, the entire cell, including the Daemon Address Space, must be recycled. There is also a UNIX System Services restriction: if you list user and group information, only those users with an OMVS segment (where the user and group information is stored) are shown. Refer to Summary of controls for more information.
Refer to User registries for general information about selecting user registries.