Cell-wide user IDs and groups
The first part of setting up a security domain is to choose the cell-wide user IDs and group names. Each name should contain one to eight alphanumeric characters with an alphabetic first character.
Note: RACF also accepts the national characters (#, $, and @) in these names, but they are best avoided because they can lead to compatibility problems later.
Each user ID also requires a UNIX® System Services UID number, and each group requires a UNIX System Services GID number.
Although you can set up several cells using a single security domain
definition, you should not share user IDs and groups between separate security
domains.
If you have enabled automatic UID/GID selection (see the steps in Preparing the security server (RACF)), you can have RACF choose unused UID or GID values for the SAF users and groups created during customization. In the ISPF Customization Dialog, specify an asterisk for each UID or GID for which RACF is to choose an unused value. In the Profile Management Tool, select the "Allow OS security to assign" check box for each UID or GID for which RACF is to choose an unused value.
Choose names and UID values for the following SAF user IDs, and enter them on the worksheet:
- WebSphere Application Server Administrator
- This user ID is the initial WebSphere Application Server administrator and also owns most of the cell's files in the configuration HFS. It must have the WebSphere Application Server configuration group (below) as its default UNIX System Services group. Certain customization batch jobs must be run under this user ID.
- WebSphere Application Server Asynchronous Administration Task
- This user ID is used to run the asynchronous administration operations procedure. It must be a member of the WebSphere Application Server configuration group.
- WebSphere Application Server Unauthenticated User
- This user ID is associated with unauthenticated client requests and is sometimes referred to as the "guest" user ID. It should be given the RESTRICTED attribute in RACF®, so that it cannot inherit access through UACC, ID(*) access list entries, or the global access checking table, and it must be a member of the WebSphere Application Server unauthenticated user group (below).
- WebSphere Application Server File System Owner
- This user ID owns many of the cell's files in the configuration file system. It must have the WebSphere Application Server configuration group (below) as its default UNIX System Services group.
Note: The WebSphere Application Server File System Owner user ID was introduced in WebSphere Application Server Version 6.1; its default value is WSOWNER. In earlier versions of the product, the configuration file system is owned by the WebSphere Application Server Administrator user ID, whose default value is WSADMIN.
Choose names and GID values for the following SAF groups, and enter them on the worksheet:
- WebSphere Application Server Configuration Group
- This is the default group for the WebSphere Application Server administrator user ID and all server user IDs. It is the group owner of most files in the configuration HFS, so membership in this group should be kept to a minimum.
- WebSphere Application Server Servant Group
- Connect all servant user IDs to this group. You can use it to assign subsystem permissions, such as DB2® authorizations, to all servants in the security domain.
- WebSphere Application Server Local User Group
- Connect all local WebSphere Application Server client user IDs to this group. If unauthenticated user (guest) IDs are required for WebSphere Application Server, they should have this as their default group.
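As an added worked example (not code from the IBM page or from the product's customization jobs), the script below checks a worksheet of the user IDs and groups described above against the naming rules, reports any name shared between two security domains, and emits the RACF ADDGROUP and ADDUSER commands with the OMVS segments, default groups and RESTRICTED attribute the text calls for. Only WSADMIN and WSOWNER are documented defaults; the other names (WSCFG1, WSSR1, WSCLGP, WSADMSH, WSGUEST), the UID and GID numbers, the HOME and PROGRAM paths, and the protected-user-ID setting (NOPASSWORD NOOIDCARD) for IDs nobody logs on with are assumptions made for the example.

```python
"""Check a cell-wide user ID / group worksheet and emit the RACF commands.

Added example, not code from the IBM page or the product: the worksheet
contents, the HOME/PROGRAM paths and every name except the documented
defaults WSADMIN and WSOWNER are assumptions. Review the output before
running it under a RACF-authorized TSO user.
"""
import re

# Naming rule from the page: 1-8 characters, alphabetic first character,
# remaining characters alphanumeric. RACF also accepts the national
# characters # $ @, which the page advises avoiding; they are flagged below.
NAME_RE = re.compile(r"^[A-Z][A-Z0-9#$@]{0,7}$")
NATIONAL = set("#$@")

# '*' is the worksheet's "let RACF choose" marker (asterisk in the ISPF dialog,
# "Allow OS security to assign" in the Profile Management Tool). It becomes
# OMVS(AUTOUID) / OMVS(AUTOGID), which only works once BPX.NEXT.USER is defined.
WORKSHEET = {  # constructed sample; names other than WSADMIN/WSOWNER are assumed
    "groups": [
        {"role": "configuration", "name": "WSCFG1", "gid": 2500},
        {"role": "servant",       "name": "WSSR1",  "gid": 2501},
        {"role": "local_user",    "name": "WSCLGP", "gid": "*"},
    ],
    "users": [
        {"role": "administrator", "name": "WSADMIN", "uid": 2400,
         "dfltgrp": "configuration", "desc": "WAS administrator"},
        {"role": "async_admin",   "name": "WSADMSH", "uid": 2401,
         "dfltgrp": "configuration", "desc": "WAS async admin task"},
        {"role": "guest",         "name": "WSGUEST", "uid": "*",
         "dfltgrp": "local_user", "desc": "WAS unauthenticated user",
         "restricted": True, "protected": True},
        {"role": "fs_owner",      "name": "WSOWNER", "uid": 2402,
         "dfltgrp": "configuration", "desc": "WAS file system owner",
         "protected": True},
    ],
}


def check_name(name):
    """Problems with one SAF user ID or group name; empty list means acceptable."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("%s: must be 1-8 characters, alphabetic first, then "
                        "alphanumeric (RACF stores names in upper case)" % name)
    bad = NATIONAL & set(name)
    if bad:
        problems.append("%s: contains national character(s) %s; avoid them for "
                        "compatibility" % (name, "".join(sorted(bad))))
    return problems


def all_names(ws):
    return [g["name"] for g in ws["groups"]] + [u["name"] for u in ws["users"]]


def shared_ids(ws_a, ws_b):
    """Names used in both security domains' worksheets; the page says keep this empty."""
    return sorted(set(all_names(ws_a)) & set(all_names(ws_b)))


def omvs_id(kind, value):
    """OMVS segment operand for an explicit number or '*' (RACF assigns one)."""
    return "AUTO%s" % kind if value == "*" else "%s(%d)" % (kind, value)


def racf_commands(ws):
    """Validate the worksheet and return ADDGROUP/ADDUSER commands in run order."""
    names = all_names(ws)
    problems = [p for n in names for p in check_name(n)]
    problems += ["%s: used for more than one user ID or group" % n
                 for n in sorted(set(names)) if names.count(n) > 1]
    if problems:
        raise ValueError("\n".join(problems))

    group_of = {g["role"]: g["name"] for g in ws["groups"]}
    cmds = ["ADDGROUP %s OMVS(%s)" % (g["name"], omvs_id("GID", g["gid"]))
            for g in ws["groups"]]          # groups first: users reference them
    for u in ws["users"]:
        dflt = group_of[u["dfltgrp"]]       # DFLTGRP also makes the user a member
        ops = ["NAME('%s')" % u["desc"], "DFLTGRP(%s)" % dflt,
               "OMVS(%s HOME(/var/WebSphere/home/%s) PROGRAM(/bin/sh))"
               % (omvs_id("UID", u["uid"]), dflt)]   # paths are assumptions
        if u.get("restricted"):            # page: guest must not inherit UACC access
            ops.append("RESTRICTED")
        if u.get("protected"):             # assumption: nobody logs on as these IDs
            ops.append("NOPASSWORD NOOIDCARD")
        cmds.append("ADDUSER %s %s" % (u["name"], " ".join(ops)))
    return cmds


if __name__ == "__main__":
    print("\n".join(racf_commands(WORKSHEET)))
```

Paste the output into an IKJEFT01 batch step or a TSO session, continuing any command longer than 72 characters with a trailing hyphen. The "*" entries only work after the BPX.NEXT.USER profile from the security server preparation step exists, because OMVS(AUTOUID) and OMVS(AUTOGID) draw their values from it; run shared_ids against the worksheet of any other security domain before defining the profiles.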