This topic gives an overview of how to use audit support. Auditing is performed using SMF records issued by RACF® or an equivalent External Security Manager. This means that SMF audit records are cut as part of WebSphere Application Server's use of SAF interfaces and RACROUTE macros. [Updated in August 2012]
WebSphere Application Server for z/OS makes use of the following RACROUTE macros, as well as the initACEE (IRRSIA00) SAF API, which is used to manage ACEEs:
- RACROUTE REQUEST=AUTH (and REQUEST=FASTAUTH) - to check if a user is authorized to a class
- RACROUTE REQUEST=EXTRACT - to extract a RACO from an ACEE
- RACROUTE REQUEST=TOKENXTR - to extract the UTOKEN (for CICS)
- RACROUTE REQUEST=LIST - to check if the FASTAUTH routines can use the in-storage copies of the general-resource profiles for authorization checking
- RACROUTE REQUEST=STAT - to determine if certain classes are active
For more information on the SMF auditability
of the RACROUTE and SAF API calls that WebSphere Application Server
uses, refer to the RACROUTE Macro Reference documentation and the
Security Server RACF Callable Services documentation, respectively,
in the z/OS Information Center that is appropriate for your version
of z/OS.
Table 1. Security authentication mechanisms and the corresponding data that is written to each part of the ACEE X500NAME field

The following table lists the various security authentication mechanisms and the corresponding data that is written to each part of the ACEE X500NAME field (this data is also in the RACO and SMF records).

| Authentication mechanism | Service name | Authenticated identity |
|---|---|---|
| Custom Registry | WebSphere® Custom Registry | Custom registry principal name |
| Kerberos | Kerberos for WebSphere Application Server | Kerberos principal, in the "DCE" format used for extracting the corresponding MVS userid using IRRSIM00 (/.../realm/principal) |
| RunAs Rolename | WebSphere Role Name | Role name |
| RunAs Server | WebSphere Server Credential | MVS userid |
| Trust Interceptor | WebSphere Authorized Login | MVS userid |
| RunAs Userid/Password | WebSphere Userid/Password | MVS userid |
In addition to tracking by MVS userid,
events need to be traced to an originating userid. This is especially
true for originating userids that are not MVS-based, such as EJB Roles,
Kerberos principals, and Custom Registry principals.
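As an added illustration (not part of the IBM documentation), the following Python maps the (service name, authenticated identity) pairs that Table 1 says WebSphere writes to the ACEE X500NAME field back to their authentication mechanism, parses the DCE-format Kerberos name, and picks out the identities that are not MVS userids and so need separate tracing. It assumes the X500NAME components have already been extracted from the SMF record; the service-name strings are the Table 1 values and the sample pairs are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
# Service name -> (authentication mechanism, identity is an MVS userid), per Table 1.
SERVICE_MECHANISMS = {
    "WebSphere Custom Registry": ("Custom Registry", False),
    "Kerberos for WebSphere Application Server": ("Kerberos", False),
    "WebSphere Role Name": ("RunAs Rolename", False),
    "WebSphere Server Credential": ("RunAs Server", True),
    "WebSphere Authorized Login": ("Trust Interceptor", True),
    "WebSphere Userid/Password": ("RunAs Userid/Password", True),
}

@dataclass
class OriginatingIdentity:
    mechanism: str
    identity: str
    is_mvs_userid: bool
    kerberos_realm: str | None = None
    kerberos_principal: str | None = None

def parse_dce_principal(name: str) -> tuple[str, str] | None:
    """Split '/.../realm/principal' into (realm, principal); None if not DCE format.
    Only the realm is split off, since a principal may itself contain '/'."""
    if not name.startswith("/.../"):
        return None
    realm, sep, principal = name[len("/.../"):].partition("/")
    return (realm, principal) if sep and realm and principal else None

def classify(service_name: str, identity: str) -> OriginatingIdentity | None:
    """Map one X500NAME (service name, authenticated identity) pair back to Table 1."""
    entry = SERVICE_MECHANISMS.get(service_name)
    if entry is None:
        return None  # not a service name WebSphere writes
    mechanism, is_mvs = entry
    result = OriginatingIdentity(mechanism, identity, is_mvs)
    if mechanism == "Kerberos" and (parsed := parse_dce_principal(identity)):
        result.kerberos_realm, result.kerberos_principal = parsed
    return result

def non_mvs_origins(pairs: list[tuple[str, str]]) -> list[OriginatingIdentity]:
    """Identities that are not MVS userids and so must be traced separately:
    EJB roles, Kerberos principals and custom-registry principals."""
    classified = (classify(s, i) for s, i in pairs)
    return [c for c in classified if c is not None and not c.is_mvs_userid]

# Constructed sample pairs, not taken from a real SMF record.
SAMPLE_PAIRS = [("WebSphere Userid/Password", "USER01"),
    ("Kerberos for WebSphere Application Server", "/.../EXAMPLE.COM/alice"),
    ("WebSphere Role Name", "Administrator"), ("Not a WebSphere service", "x")]
```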