Configuring local operating system user registries

Use these steps to configure local operating system user registries.

Before you begin

For detailed information about using the local operating system user registry, see Local operating system user registries. These steps set up security based on the local operating system user registry on which WebSphere Application Server is installed.

When a local OS user registry is chosen, the started task identity is chosen as the server identity. A user ID and password are not required to configure the server.

Important: Each started task, for example, a controller, servant, or node agent might have a different identity. The z/OS customization dialog sets up these identities. See the z/OS customization dialog for more information.

About this task

When you set up a user registry for WebSphere Application Server, the System Authorization Facility (SAF) works in conjunction with the user registry to authorize applications to run on the server. For more information on the SAF capabilities, see System Authorization Facility user registries. Complete the following steps to configure additional properties that are associated with the local OS user registry and SAF configuration.

Important: The local operating system is not a valid user account repository when you have a mixed cell environment that includes both z/OS platform and non-z/OS platform nodes.

Procedure

  1. Click Security > Global security.
  2. Under user registries, click Local OS.
  3. Optional: Select the Ignore case for authorization option to enable WebSphere Application Server to perform a case insensitive authorization check when you use the default authorization.
  4. Optional: Click z/OS SAF properties under additional properties to specify the MVS user ID that is used to represent unprotected servlet requests.
  5. Optional: Click the Authorization option to use SAF EJBROLE profiles for user to role authorization.
  6. Optional: Return to the configuration panel for the local OS user registry. To return to the configuration panel for the local OS user registry, complete the first two steps for this task.
  7. Under Additional properties, click Custom properties. You can configure the following custom properties for the local OS user registry:
    com.ibm.security.SAF.unauthenticated
    This property indicates the MVS user ID that is used to represent unprotected servlet requests and is used for the following functions:
    • Authorization, if an unprotected servlet invokes an entity bean.
    • Identification of an unprotected servlet for invoking a z/OS connector (Customer Information Control System (CICS), Information Management System (IMS)) that uses a current identity when res-auth=container.
    com.ibm.security.SAF.authorization
    This property can be set to true or false. When this property is set to true, SAF EJBROLE profiles are used for user-to-role authorization for both Java 2 Platform, Enterprise Edition (J2EE) applications and the role-based authorization requests (naming and administration) that are associated with the WebSphere Application Server run time.
    com.ibm.security.SAF.delegation
    This property specifies that SAF EJBROLE definitions are assigned the MVS user ID that becomes the active identity when you select the RunAs specified role.
    com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress
    With this property, you can turn ICH408I messages on or off. The default value for this property is false, which does not suppress messages. You can set this value to true to suppress the ICH408I messages.
    System Management Facility (SMF) records access violations no matter what value is specified for this new property. This property affects access violation message generation for both application-defined roles and for WebSphere Application Server run-time-defined roles for the naming and administrative subsystems. EJBROLE profile checks are done for both declarative and programmatic checks:
    • Declarative checks are coded as security constraints in Web applications, and deployment descriptors are coded as security constraints in Enterprise JavaBeans (EJB) files. This property is not used to control messages in this case. Instead, a set of roles is permitted, and if an access violation occurs, an ICH408I access violation message indicates a failure for one of the roles. SMF then logs a single access violation for that role.
    • Program logic checks or access checks are performed using the programmatic isCallerinRole(x) for enterprise beans or isUserInRole(x) for Web applications. The com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property controls the messages generated by this call.

    For more information on SAF authorization, refer to Controlling access to console users when using a Local OS Registry. For more information on administrative roles, refer to Administrative roles.

  8. Click OK.

    The administrative console does not validate the user ID and password when you click OK. Validation is only done when you click OK or Apply in the Global Security panel. If you are enabling security for the first time, complete the other steps and navigate to the Global Security panel. Make sure that Local OS is selected as the active user registry. If security was already enabled and you had changed either the user or the password information in this panel, make sure to go to the Global Security panel and click OK or Apply to validate your changes. If your changes are not validated, the server might not start.

    Important: Until you authorize other users to perform administrative functions, you can only access the administrative console with the server user ID and password that you specified. For more information, see Authorizing access to administrative roles.
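As an added example (not from this page or from WebSphere's own tooling), the Python checker below parses a constructed custom-properties listing for the four SAF properties described in step 7 and reports the settings an administrator should look at before saving: non-boolean values, a missing or malformed unauthenticated MVS user ID, SAF authorization left off, and ICH408I audit suppression turned on. The user ID format it assumes is the general RACF rule of 1 to 8 characters; the property names are the ones given above.

```python
import re

# RACF user IDs are 1 to 8 characters: letters, digits or the national characters @ # $.
# Assumption for this example: no stricter site-specific naming rule applies.
MVS_USERID = re.compile(r"^[A-Z0-9@#$]{1,8}$")

UNAUTH = "com.ibm.security.SAF.unauthenticated"
AUTHZ = "com.ibm.security.SAF.authorization"
DELEG = "com.ibm.security.SAF.delegation"
SUPPRESS = "com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress"

# Constructed sample of what an administrator might have entered as custom properties.
SAMPLE_PROPERTIES = """\
# Local OS user registry custom properties (constructed example)
com.ibm.security.SAF.unauthenticated = WSGUEST
com.ibm.security.SAF.authorization = yes
com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress = true
"""

def parse_properties(text):
    """Parse 'key = value' lines into a dict, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_saf_properties(props):
    """Return findings, in a fixed order, for the local OS registry SAF custom properties."""
    findings = []
    for key in (AUTHZ, DELEG, SUPPRESS):  # these three accept only true or false
        value = props.get(key)
        if value is not None and value.lower() not in ("true", "false"):
            findings.append(f"{key}: '{value}' is not true or false")
    unauth = props.get(UNAUTH)
    if unauth is None:
        findings.append(f"{UNAUTH}: not set, so unprotected servlet requests have no explicit MVS identity")
    elif not MVS_USERID.match(unauth.upper()):  # MVS user IDs are uppercase
        findings.append(f"{UNAUTH}: '{unauth}' is not a valid 1-8 character MVS user ID")
    if props.get(AUTHZ, "false").lower() != "true":
        findings.append(f"{AUTHZ}: not true, so EJBROLE profiles are not used and default authorization applies")
    if props.get(SUPPRESS, "false").lower() == "true":
        findings.append(f"{SUPPRESS}: true hides ICH408I messages; violations then appear only in SMF records")
    return findings

if __name__ == "__main__":
    for finding in check_saf_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```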

Results

For any changes in this panel to be effective, you need to save, stop, and start all the product servers, including deployment managers, nodes and application servers. If the server comes up without any problems, the setup is correct.

After completing these steps, you have configured WebSphere Application Server to use the local OS user registry to identify authorized users.

What to do next

Complete any remaining steps for enabling security. For more information, see Enabling security for all application servers.


Last updated: Sep 20, 2010 10:03:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=tseclocalos
File name: tsec_localos.html