Roles for Enterprise JavaBeans and Web applications, and servlets
Roles are associated with Java 2 Platform, Enterprise Edition (J2EE) applications. Modules within the applications refer to roles using the role reference that points to the application role. Access to Web applications, servlets, or EJB methods is based upon the user or caller. Roles are associated with Web applications, servlets, or enterprise beans at assembly time. The role needed to use a servlet or EJB method is named in the application's deployment descriptors.
Which users and groups have which roles is determined using RACF profiles in the EJBROLE class (if SAF authorization is selected). If a user is in the access list of an EJBROLE profile, the user has that role. If a group is in the access list of an EJBROLE profile, users in that group have that role. If the EJBROLE profile has ACCESS(READ), all users have that role.
The security domain, if specified, becomes a prefix used by WebSphere Application Server for z/OS and RACF when checking EJBROLE profiles. This provides cell-level granularity of roles. You do not need to modify roles in the applications to achieve this.
Test cell has Security Domain=TEST
Production cell has Security Domain=PROD
For example, an application using role Clerk is deployed on both cells. On the test cell, users need READ access to the EJBROLE profile TEST.Clerk. On the production cell, users need READ access to the EJBROLE profile PROD.Clerk.
There are six profiles defined in the RACF EJBROLE class for administrative authorization: administrator, configurator, monitor, operator, deployer, and adminsecuritymanager. When using RACF for role mapping, you give a RACF user ID or group READ access to one of these profiles, depending on the administrative authority you want the user to have.
Refer to System Authorization Facility for role-based authorization for more information on how SAF can be used for J2EE-based role authorization.
Using the RACF profiles
It is important to understand the security mechanisms used to protect the server resources using the CBIND, SERVER, and STARTED classes in RACF (or your equivalent security product). You must also understand the techniques for managing the security environment.
Basic information about the RACF profiles used by WebSphere Application Server for z/OS can be found in SAF-based authorization. This section adds some additional details about the CBIND, SERVER, FACILITY, SURROGAT, and STARTED class profiles.
User IDs and Group IDs
CR = Controller Region
SR = Servant Region
CFG = Configuration (group)
server = server short name
cluster = generic server (short) name (also called cluster transition name)

User ID                Group IDs
<CR_userid>            <CR_groupid>, <CFG_groupid>
<SR_userid>            <SR_groupid>, <CFG_groupid>
<demn_userid>          <demn_groupid>, <CFG_groupid>
<admin_userid>         <CFG_groupid>
<client_userid>        <client_groupid>
<ctracewtr_userid>     <ctracewtr_groupid>
Below are the various profiles used to protect the WebSphere Application Server for z/OS resources, along with the permissions and access levels.
Using CBIND class profiles
CBIND class profiles - access to generic servers
  CB.BIND.<cluster>             UACC(READ); PERMIT <CR_group> ACC(CONTROL)
CBIND class profiles - access to objects in servers
  CB.<cluster>                  UACC(READ); PERMIT <CR_group> ACC(CONTROL)

With a security domain:
CBIND class profiles - access to generic servers
  CB.BIND.<domainId>.<cluster>  UACC(READ)
CBIND class profiles - access to objects in servers
  CB.<domainId>.<cluster>       UACC(READ)

Without security domain          With security domain
CB.BIND.<cluster>                CB.BIND.<security domain>.<cluster>
CB.<cluster>                     CB.<security domain>.<cluster>
Using SERVER class profiles
SERVER class profiles - access to controllers using static Application Environments
  CB.<server>.<cluster>         UACC(NONE); PERMIT <SR_userid> ACC(READ)
SERVER class profiles - access to controllers using dynamic Application Environments
  CB.<server>.<cluster>.<cell>  UACC(NONE); PERMIT <SR_userid> ACC(READ)

Static Application Environments:
  RDEFINE SERVER CB.<server>.<cluster> UACC(NONE)
  PERMIT CB.<server>.<cluster> CLASS(SERVER) ID(<SR_userid>) ACCESS(READ)
For this example, server = server name, cluster = cluster name (or cluster transition name if a cluster has not yet been created), and SR_userid is the MVS user ID for the servant region.

Dynamic Application Environments:
  RDEFINE SERVER CB.<server>.<cluster>.<cell> UACC(NONE)
  PERMIT CB.<server>.<cluster>.<cell> CLASS(SERVER) ID(<SR_userid>) ACCESS(READ)
For this example, server = server name, cluster = cluster name (or cluster transition name if a cluster has not yet been created), cell = cell short name, and SR_userid is the MVS user ID for the servant region.
SERVER class profiles control whether a servant can call authorized routines in the associated controller.
Without security domain          With security domain
CB.<server>.<cluster>            CB.<security domain>.<server>.<cluster>
CB.<server>.<cluster>.<cell>
Using STARTED class profiles
STARTED class profiles (MGCRE) - for control regions, daemons, and node agents
  <CR_proc>.<CR_jobname>     STDATA(USER(<CR_userid>) GROUP(<CFG_groupid>))
  <demn_proc>.*              STDATA(USER(<demn_userid>) GROUP(<CFG_groupid>))
STARTED class profiles (ASCRE) - for servant regions and adjuncts
  <SR_jobname>.<SR_jobname>  STDATA(USER(<SR_userid>) GROUP(<CFG_groupid>))
STARTED class profiles for IJP (MGCRE)
  <MQ_ssname>.*              STDATA(USER(<IJP_userid>) GROUP(<CFG_groupid>))
  (These IJPs do not exist in WAS 6.1.)
An APPL class profile controls whether an authenticated user can use any applications in the cell. If a security domain is specified, the APPL class profile name is the security domain name. If no security domain is specified, the APPL class profile name is CBS390. Refer to System Authorization Facility considerations for the operating system and application levels.
Creating multiple security configurations within a sysplex
You might require distinct sets of profiles within a given RACF database to separate logical WebSphere Application Server for z/OS security domains in your enterprise (for example, test and production users).

Use Security Domain Identifier in RACF Definitions: <Y/N>
Security Domain Identifier....................: <domainId>
Use the WebSphere Application Server for z/OS administrative console to set these variables under Security > Secure administration, applications, and infrastructure > Custom Properties, which creates the following properties in the security.xml file in the cell’s directory:
xmi:id="Property_47" name="security.zOS.domainType" value="cellQualified" required="false"/>
xmi:id="Property_48" name="security.zOS.domainName" value="<domain_name>" required="false"/>

This creates the following variables in the was.env file in the server's directory:
security_zOS_domainName=<domain_name>
security_zOS_domainType=1

Class     domainType=None         domainType=cellQualified
CBIND     CB.clustername          CB.domainId.clustername
          CB.BIND.clustername     CB.BIND.domainId.clustername
APPL      CBS390                  domainId
EJBROLE   ApplicationRoleName     domainId.ApplicationRoleName
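The following RACF commands, added here as an example and not taken from the original page or from IBM's documentation, put the table above and the earlier TEST/PROD Clerk example together: a test cell with security.zOS.domainType=cellQualified and security.zOS.domainName=TEST, and a production cell with domain PROD, both sharing one RACF database. All names are constructed for the example: generic server (cluster transition name) BBOC001, controller group CBCRGRP, user groups TESTUSRS, TESTCLRK, PRODCLRK, and administrator group WASADMIN.

```racf
SETROPTS CLASSACT(CBIND APPL EJBROLE) RACLIST(CBIND APPL EJBROLE)

RDEFINE CBIND CB.BIND.TEST.BBOC001 UACC(READ)
PERMIT CB.BIND.TEST.BBOC001 CLASS(CBIND) ID(CBCRGRP) ACCESS(CONTROL)
RDEFINE CBIND CB.TEST.BBOC001 UACC(READ)
PERMIT CB.TEST.BBOC001 CLASS(CBIND) ID(CBCRGRP) ACCESS(CONTROL)

RDEFINE APPL TEST UACC(NONE)
PERMIT TEST CLASS(APPL) ID(TESTUSRS) ACCESS(READ)

RDEFINE EJBROLE TEST.Clerk UACC(NONE)
PERMIT TEST.Clerk CLASS(EJBROLE) ID(TESTCLRK) ACCESS(READ)
RDEFINE EJBROLE PROD.Clerk UACC(NONE)
PERMIT PROD.Clerk CLASS(EJBROLE) ID(PRODCLRK) ACCESS(READ)

RDEFINE EJBROLE TEST.administrator UACC(NONE)
PERMIT TEST.administrator CLASS(EJBROLE) ID(WASADMIN) ACCESS(READ)

SETROPTS RACLIST(CBIND APPL EJBROLE) REFRESH

RLIST EJBROLE TEST.Clerk AUTHUSER
RLIST EJBROLE PROD.Clerk AUTHUSER
```

Because the APPL profile TEST has UACC(NONE), only members of TESTUSRS can reach any application in the test cell at all, and a member of TESTCLRK holds Clerk only there; EJBROLE profile names are case-sensitive, so TEST.Clerk must match the role name exactly as spelled in the deployment descriptor. The two RLIST commands with AUTHUSER display each profile's access list so you can confirm that no unintended user ID or group was permitted.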
Generating new user IDs and Profiles for a new Server
If you want to use unique user IDs for each new application server, you must define these users, groups, and profiles in the RACF database.
Using FACILITY and SURROGAT class profiles (Synch to OS Thread Allowed Option)
BBO.SYNC.<cell short name>.<cluster short name>

RDEF FACILITY BBO.SYNC.<cell short name or security domain prefix>.<cluster short name> UACC(NONE)
PE BBO.SYNC.<cell short name or security domain prefix>.<cluster short name> CLASS(FACILITY) ID(<CR userid>) ACC(READ or CONTROL)
RDEF SURROGAT BBO.SYNC.<application userid> UACC(NONE)
PE BBO.SYNC.<application userid> CLASS(SURROGAT) ID(<SR userid>) ACC(READ)

For example, with a cell short name of SY1, a cluster short name of BBOC001, a controller region user ID of CBSYMCR, a servant region user ID of CBSYMSR, and an application user ID of J2EEID:

RDEF FACILITY BBO.SYNC.SY1.BBOC001 UACC(NONE)
PE BBO.SYNC.SY1.BBOC001 CLASS(FACILITY) ID(CBSYMCR) ACC(READ)
RDEF SURROGAT BBO.SYNC.J2EEID UACC(NONE)
PE BBO.SYNC.J2EEID CLASS(SURROGAT) ID(CBSYMSR) ACC(READ)
Using FACILITY class profiles (Enabling Trusted Applications)
RDEF FACILITY BBO.TRUSTEDAPPS.<cell short name or security domain prefix>.<cluster short name> UACC(NONE)
PE BBO.TRUSTEDAPPS.<cell short name or security domain prefix>.<cluster short name> CLASS(FACILITY) ID(<CR userid>) ACC(READ)

The following generic example can be used for all servers:

RDEFINE FACILITY BBO.TRUSTEDAPPS.mycell01.** UACC(NONE)
PERMIT BBO.TRUSTEDAPPS.mycell01.** CLASS(FACILITY) ID(MYCBGROUP) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

The following example is for a specific server, that is, a system with a cell short name of SY1, a cluster short name (the server generic short name) of BBOC001, and a controller region user ID of CBSYMCR:

RDEF FACILITY BBO.TRUSTEDAPPS.SY1.BBOC001 UACC(NONE)
PE BBO.TRUSTEDAPPS.SY1.BBOC001 CLASS(FACILITY) ID(CBSYMCR) ACC(READ)
Using minimalist profiles
To minimize the number of users, groups, and profiles in the RACF database, you can use one user ID, one group ID, and generic profiles that cover multiple servers in the same cell. This technique can also be used with the Integral Java Message Service provider and with Network Deployment configurations.