SMF type 80 requires some preparation in order to be fully utilized
in a WebSphere environment.
Before you begin
As WebSphere Application Server gains more ways to authenticate
and to set or change the identity on a thread, the need arises to
audit those changes. With it comes the need to audit
the accompanying authorization requests made through EJBRoles checking, so
that the audit records include the original authenticated identity.
This auditing is managed not by WebSphere
Application Server itself but by its External Security Manager (RACF
or equivalent), where the SMF records are cut.
About this task
In order to take advantage of auditing in WebSphere Application
Server, you need to set up SMF and RACF and have both running.
Procedure
- Set up SMF for audit support. For information on setting up and
starting SMF, see z/OS MVS System Management Facilities (SMF), SA22-7630.
- Enable auditing for the EJB roles by setting the RACF AUDIT attribute.
This sets up RACF for auditing in WebSphere Application Server.
You can turn on auditing for the ADMIN and PAYROLL roles in the EJBROLE
class with the following command:
RALTER EJBROLE (ADMIN,PAYROLL) AUDIT(ALL)
- Alternatively, you could modify the RACFROLE job to
put the AUDIT information there.
- For more information and additional parameters for
the AUDIT attribute, see the z/OS Security Server
RACF Auditor's Guide.
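
The following REXX exec is an added example, not part of the original procedure or of IBM's supplied jobs. It applies the AUDIT setting shown above to the page's sample roles and then lists each profile so you can confirm the setting. It assumes TSO/E with RACF, sufficient authority to issue the commands, and that the EJBROLE class is RACLISTed, which is why it refreshes the class.

```rexx
/* REXX - added example, not from the original page.                 */
/* Assumes TSO/E with RACF and authority to alter EJBROLE profiles.  */
/* ADMIN and PAYROLL are the sample roles used in the procedure.     */
roles = 'ADMIN PAYROLL'

/* Turn on auditing of all access attempts for the role profiles */
address tso "RALTER EJBROLE ("translate(roles, ',', ' ')") AUDIT(ALL)"
if rc <> 0 then do
  say 'RALTER failed, rc='rc
  exit rc
end

/* Assumption: EJBROLE is RACLISTed, so the in-storage profiles    */
/* must be refreshed before the new AUDIT setting is used.         */
address tso "SETROPTS RACLIST(EJBROLE) REFRESH"
if rc <> 0 then say 'SETROPTS REFRESH returned rc='rc

/* List each profile and show only its AUDITING section */
do i = 1 to words(roles)
  role = word(roles, i)
  x = outtrap('line.')
  address tso "RLIST EJBROLE" role "ALL"
  listrc = rc
  x = outtrap('off')
  if listrc <> 0 then do
    say role': RLIST failed, rc='listrc
    iterate
  end
  found = 0
  do j = 1 to line.0
    /* RLIST prints the heading, a rule line, then the value */
    if strip(line.j) = 'AUDITING' then do
      found = 1
      v = j + 2
      if v <= line.0 then say role': AUDITING =' strip(line.v)
      else say role': AUDITING heading found but no value line'
      leave
    end
  end
  if found = 0 then say role': no AUDITING section in RLIST output'
end
exit 0
```

A role that reports anything other than the expected setting will not produce the SMF type 80 records this procedure is meant to enable.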