Activating and configuring the SAF registry on z/OS

The System Authorization Facility (SAF) registry holds information that is required to perform security-related functions such as authenticating users and retrieving information about users, groups, or groups associated with users. You activate and configure the SAF registry through the configuration file server.xml. In addition, you can configure your Liberty server to use SAF authorization.

About this task

By adding the appropriate features to the server.xml file, you can accomplish the following tasks:
  • Activate the SAF user registry.
  • Configure the SAF user registry to use authorized services.
  • Enable applications to use the SAF user registry.
  • Configure the SAF user registry.
By default, the SAF registry uses unauthorized UNIX System Services (USS) to perform authentication. For better performance, you can enable the authorized SAF services by configuring the SAFCRED resources. For more information, see Enabling z/OS authorized services on Liberty for z/OS.

For information on how to configure your Liberty server to use SAF authorization, see Configuring authorization for applications in Liberty.

Note:

When you use LDAP and Basic or SAF registries, the user registries are automatically federated. In Liberty, only one realm is supported. If you do not specify a federated repository with a primary realm identified, one of the realm names from one of the defined user registries is used.

When you use multiple registries and are taking actions based on the realm name of the user, define the federatedRepository with a primaryRealm attribute defined.

Procedure

  1. Activate the SAF user registry.
    Add the zosSecurity-1.0 feature to the server.xml file:
    <feature>zosSecurity-1.0</feature>
    Note: By default, the SAF user registry uses unauthorized UNIX System Services (USS) functions such as __passwd to perform authentication.
  2. For better performance, configure the SAF user registry to use authorized services such as initACEE to perform authentication by configuring the SAFCRED resources. For more information, see Enabling z/OS authorized services on Liberty for z/OS.
  3. Enable application security by adding the appSecurity-3.0 feature, together with the servlet-3.0 feature for web applications or the ejbLite-3.1 feature for EJB applications.
    <feature>zosSecurity-1.0</feature>
    <feature>appSecurity-3.0</feature>
    <feature>servlet-3.0</feature>
    <feature>ejbLite-3.1</feature>
  4. Configure the SAF registry by adding a safRegistry element in the server.xml file:
    <safRegistry realm="myrealm" />
    The safRegistry element has the following attributes:
    enableFailover
    Enables failover from authorized SAF services (such as initACEE) to unauthorized USS services (such as __passwd) if the server is not permitted to the WebSphere Application Server Liberty profile (WLP) z/OS system security access domain. Failover keeps authentication working when the SAFCRED permission is missing, but it also hides that misconfiguration; set it to false if you want authentication to fail rather than silently fall back to the unauthorized path.

    realm
    The realm that is associated with the SAF registry. If you do not specify a realm, the default is the sysplex name (ECVTSPLX). If the server is authorized to use the SAFCRED resources, the default realm is instead read from the SAF product by extracting the APPLDATA field of the SAFDFLT profile in the REALM class; if that field is empty, the sysplex name is used.
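The following server.xml pulls the four steps above together into one configuration. It is an added example, not a file from the original page or from the Liberty product documentation. The safCredentials element and its profilePrefix value BBGZDFLT are assumptions taken from the authorized-services setup that this page only links to (Enabling z/OS authorized services on Liberty for z/OS); realm="myrealm" is the page's own example name.

```xml
<server description="Liberty for z/OS server using the SAF registry">

    <!-- Steps 1 and 3: zosSecurity-1.0 activates the SAF registry;
         appSecurity-3.0 plus servlet-3.0 lets web applications use it
         (add ejbLite-3.1 instead of, or as well as, servlet-3.0 for EJBs). -->
    <featureManager>
        <feature>zosSecurity-1.0</feature>
        <feature>appSecurity-3.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Step 2 (assumed element, not shown on this page): tell the server which
         SAFCRED profile prefix to use for authorized services such as initACEE.
         The SAFCRED profile and the PERMIT for the server's user ID must already
         exist in the security product, as described on the linked page. -->
    <safCredentials profilePrefix="BBGZDFLT" />

    <!-- Step 4: the SAF registry. realm="myrealm" overrides the default
         (sysplex name, or APPLDATA of SAFDFLT in the REALM class when authorized).
         enableFailover="false" makes authentication fail if the server lacks the
         SAFCRED permission, instead of silently dropping back to __passwd, so a
         missing PERMIT is noticed rather than masked. -->
    <safRegistry realm="myrealm" enableFailover="false" />

</server>
```

If the server also defines an LDAP or basic registry, the registries are federated and only one realm survives; in that case add a federatedRepository element with a primaryRealm, as the note above describes, rather than relying on whichever registry's realm name Liberty picks.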