[z/OS]

Specifics about server process authorization checking

You can restrict access to specific z/OS resources used by WebSphere Application Server for z/OS.

To control access to WebSphere Application Server for z/OS resources:
  • As a general rule, give greater authority to controllers and less authority to servants.
    Table 1. Level of trust and authority for regions
    Region      Level of trust and access authority
    Controller  • Contains WebSphere Application Server for z/OS system code.
                • Trusted, runs APF-authorized.
                • Contains communication ports and manipulation of system authorization facility (SAF) client identities.
    Servant     • Contains WebSphere Application Server for z/OS system code, application code, and pluggable service providers (such as JDBC drivers).
                • Supports Java 2 Security to protect sensitive data and system services.
                • Untrusted.
  • Regarding the WebSphere Application Server for z/OS run-time clusters, the general rule is to give less authority to the location service daemon and greater authority to the node, as explained in the table below:
    Table 2. Assigning authorities to WebSphere Application Server for z/OS run-time cluster control and servants
    Run-time Cluster         Region   Required Authorities
    Location service daemon  Control  • STARTED class
                                      • Access to Workload Manager (WLM) services
                                      • Access to DNS
                                      • OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other clusters
                                      • IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING in FACILITY (SSL)
    Node                     Control  • STARTED class
    Controller               Control  • SSL
                                      • Kerberos
                                      • READ authority to the SERVER class
                                      • OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other servers
    Servant                  Control  The following classes:
                                      • OTMA
                                      • SERVER
                                      • DSNR
                                      • DATASET
                                      • SURROGAT
                                      • STARTED
                                      • LOGSTRM
  • Remember to protect the Resource Recovery Services (RRS) log streams. By default, UACC is READ.
  • Protect the WebSphere Application Server for z/OS properties XML files, especially if they contain passwords. For more information, see the WebSphere Application Server variables in the administrative console or the documentation.
  • Deployment Manager also needs permission to start and stop servers.
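As an added example (not from the WebSphere Application Server for z/OS documentation), a REXX exec issuing the RACF commands that give a location service daemon only the Table 2 authorities and close the RRS log stream exposure noted above. The started-task member WSDMN, user ID WSDMNU, group WSCFG, RRS log group name WSPLEX and the RRS user ID RRS are constructed placeholders, and the exec assumes generic profiles are enabled for the classes it defines.

```rexx
/* REXX: constructed example, not from the WebSphere documentation.    */
/* Placeholders: WSDMN (daemon started-task member), WSDMNU (its       */
/* user ID), WSCFG (its group), WSPLEX (RRS log group), RRS (RRS ID).  */
address tso

/* STARTED class: run the daemon under its own user ID and group so    */
/* that permissions can be granted to that identity and nothing wider. */
"RDEFINE STARTED WSDMN.* STDATA(USER(WSDMNU) GROUP(WSCFG))"
"SETROPTS RACLIST(STARTED) REFRESH"

/* OPERCMDS: START, STOP, CANCEL, FORCE and MODIFY, scoped to the      */
/* cluster's own started tasks (WS* prefix) with UACC(NONE).           */
/* FORCE requires CONTROL access; the other four require UPDATE.       */
cmds = "START STOP CANCEL FORCE MODIFY"
do i = 1 to words(cmds)
  cmd = word(cmds, i)
  profile = "MVS."cmd".STC.WS*.**"
  if cmd = "FORCE" then acc = "CONTROL"
  else acc = "UPDATE"
  "RDEFINE OPERCMDS" profile "UACC(NONE)"
  "PERMIT" profile "CLASS(OPERCMDS) ID(WSDMNU) ACCESS("acc")"
end

/* FACILITY: certificate and key ring listing for SSL. READ lets the   */
/* ID list only its own certificates; UPDATE or CONTROL would extend   */
/* that to other users' certificates, which the daemon does not need.  */
"RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)"
"RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)"
"PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WSDMNU) ACCESS(READ)"
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WSDMNU) ACCESS(READ)"
"SETROPTS RACLIST(FACILITY OPERCMDS) REFRESH"

/* LOGSTRM: RRS log streams default to UACC READ, so any user could    */
/* read recovery data. Restrict the streams to the RRS identity.       */
"RDEFINE LOGSTRM ATR.WSPLEX.** UACC(NONE)"
"PERMIT ATR.WSPLEX.** CLASS(LOGSTRM) ID(RRS) ACCESS(UPDATE)"
"SETROPTS GENERIC(LOGSTRM) REFRESH"
```

Run the exec from an ID with RACF SPECIAL or class authorization, and check the resulting profiles with RLIST before the daemon is restarted.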


Last updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=rsecclustauth
File name: rsec_clustauth.html