This topic gives an overview of how to use audit support.
Auditing is performed using SMF records issued by RACF® or an equivalent External Security Manager. This means that SMF audit records are cut as part of the WebSphere Application Server use of SAF interfaces and RACROUTE macros. (Updated in August 2012)
WebSphere Application Server for z/OS makes use of the following RACROUTE macros, as well as the initACEE (IRRSIA00) SAF callable service, which is used to create and manage ACEEs:
- RACROUTE REQUEST=AUTH (and REQUEST=FASTAUTH) - to check whether a user is authorized to a resource in a given class (FASTAUTH checks against in-storage profiles, so the class must be RACLISTed)
- RACROUTE REQUEST=EXTRACT - to extract a RACO (the RACF environment object) from an ACEE
- RACROUTE REQUEST=TOKENXTR - to extract the UTOKEN (for CICS)
- RACROUTE REQUEST=LIST - to check whether a class used with FASTAUTH is RACLISTed
- RACROUTE REQUEST=STAT - to determine whether certain classes are active
The table below lists the
various security authentication mechanisms and the corresponding data
that is written to each part of the ACEE X500NAME field (this data
is also in the RACO and SMF records). The information under "Service
Name" is the constant string that is included in the "Issuer's Distinguished
Name" field of X500NAME. The information under "Authenticated Identity"
is the principal that is recorded in the "Subject's Distinguished
Name" field.
Table 1. Security authentication mechanisms and the corresponding data that is written to each part of the ACEE X500NAME field

| Authentication mechanism | Service name (Issuer's Distinguished Name) | Authenticated identity (Subject's Distinguished Name) |
|---|---|---|
| Custom Registry | WebSphere Custom Registry | Custom registry principal name |
| Kerberos | Kerberos for WebSphere Application Server | Kerberos principal, in the "DCE" format used for extracting the corresponding MVS userid using IRRSIM00 (/.../realm/principal) |
| RunAs Rolename | WebSphere Role Name | Role name |
| RunAs Server | WebSphere Server Credential | MVS userid |
| Trust Interceptor | WebSphere Authorized Login | MVS userid |
| RunAs Userid/Password | WebSphere Userid/Password | MVS userid |
In addition to tracking by MVS userid, events need to be traceable to an originating identity. This matters most for originating identities that are not MVS-based, such as EJB roles, Kerberos principals, and custom registry principals, because several of them can run under the same MVS userid and the MVS userid alone cannot tell them apart.
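The following is an added example, not code from the page or from WebSphere Application Server itself, showing how an audit-analysis script would use Table 1 to trace events back to their originating identity rather than only the MVS userid. It assumes a site has already pulled the Issuer's DN, Subject's DN and ACEE userid out of its SMF records with its own tooling (the `AuditEvent` record, its `mvs_userid` field and the sample events are all constructed here; no SMF record layout is parsed). The Kerberos subject is split using the `/.../realm/principal` DCE form the table names, and for the mechanisms whose subject is itself an MVS userid the script cross-checks it against the ACEE userid so that a mis-parsed record is rejected rather than silently miscounted.

```python
"""Trace WebSphere for z/OS audit events back to their originating identity.

Constructed example: AuditEvent values stand in for the
(Issuer's DN, Subject's DN, MVS userid) triple a site would extract from
the X500NAME section of its SMF audit records with its own SMF tooling.
No real SMF data is read and no record layout is modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Issuer's Distinguished Name constants from Table 1, keyed back to the
# authentication mechanism that writes them.
SERVICE_NAMES: Dict[str, str] = {
    "WebSphere Custom Registry": "Custom Registry",
    "Kerberos for WebSphere Application Server": "Kerberos",
    "WebSphere Role Name": "RunAs Rolename",
    "WebSphere Server Credential": "RunAs Server",
    "WebSphere Authorized Login": "Trust Interceptor",
    "WebSphere Userid/Password": "RunAs Userid/Password",
}

# Mechanisms whose Subject's Distinguished Name is not an MVS userid; these
# carry the non-MVS originating identity that MVS-userid tracking alone loses.
NON_MVS_SUBJECT = {"Custom Registry", "Kerberos", "RunAs Rolename"}


@dataclass(frozen=True)
class AuditEvent:
    issuer_dn: str     # "Issuer's Distinguished Name" part of X500NAME
    subject_dn: str    # "Subject's Distinguished Name" part of X500NAME
    mvs_userid: str    # userid the ACEE ran under (assumed extracted alongside)


@dataclass(frozen=True)
class Origin:
    mechanism: str
    originating_id: str
    realm: Optional[str] = None   # populated for Kerberos only


def parse_dce_principal(subject: str) -> Tuple[str, str]:
    """Split a '/.../realm/principal' subject into (realm, principal).

    This is the DCE form Table 1 says IRRSIM00 consumes when mapping a
    Kerberos principal to an MVS userid. Anything else is rejected.
    """
    prefix = "/.../"
    if not subject.startswith(prefix):
        raise ValueError(f"not a DCE-format principal: {subject!r}")
    realm, sep, principal = subject[len(prefix):].partition("/")
    if not sep or not realm or not principal:
        raise ValueError(f"malformed DCE-format principal: {subject!r}")
    return realm, principal


def classify(event: AuditEvent) -> Origin:
    """Map one audit event to the identity that originated it."""
    mechanism = SERVICE_NAMES.get(event.issuer_dn)
    if mechanism is None:
        raise ValueError(f"unknown issuer DN: {event.issuer_dn!r}")
    if mechanism == "Kerberos":
        realm, principal = parse_dce_principal(event.subject_dn)
        return Origin(mechanism, principal, realm)
    if mechanism in NON_MVS_SUBJECT:
        return Origin(mechanism, event.subject_dn)
    # For the remaining mechanisms the subject is itself an MVS userid and
    # should agree with the userid recorded for the ACEE; a mismatch means
    # the record was mis-parsed, so refuse to count it.
    if event.subject_dn.upper() != event.mvs_userid.upper():
        raise ValueError(
            f"subject {event.subject_dn!r} != ACEE userid {event.mvs_userid!r}")
    return Origin(mechanism, event.mvs_userid.upper())


def group_by_origin(events: List[AuditEvent]) -> Dict[Origin, dict]:
    """Count events per originating identity, noting the MVS userids used."""
    summary: Dict[Origin, dict] = {}
    for ev in events:
        origin = classify(ev)
        entry = summary.setdefault(origin, {"count": 0, "mvs_userids": set()})
        entry["count"] += 1
        entry["mvs_userids"].add(ev.mvs_userid.upper())
    return summary


# Constructed sample: three events ran under MVS userid ALICE, but two came
# from a Kerberos principal and one from an EJB role, which only the
# originating identity distinguishes.
SAMPLE_EVENTS = [
    AuditEvent("Kerberos for WebSphere Application Server",
               "/.../KRB.EXAMPLE.COM/alice", "ALICE"),
    AuditEvent("Kerberos for WebSphere Application Server",
               "/.../KRB.EXAMPLE.COM/alice", "ALICE"),
    AuditEvent("WebSphere Role Name", "Manager", "ALICE"),
    AuditEvent("WebSphere Custom Registry", "bob@example.com", "WASUSR1"),
    AuditEvent("WebSphere Authorized Login", "CAROL", "CAROL"),
    AuditEvent("WebSphere Server Credential", "WASSRV1", "WASSRV1"),
]

if __name__ == "__main__":
    for origin, info in group_by_origin(SAMPLE_EVENTS).items():
        print(f"{origin.mechanism:22} {origin.originating_id:18} "
              f"events={info['count']} mvs={sorted(info['mvs_userids'])}")
```

Run stand-alone, the script prints one line per originating identity; grouping the same six constructed events by `mvs_userid` instead would collapse the Kerberos and role-name activity into a single ALICE bucket, which is the loss of attribution the paragraph above warns about.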