For z/OS platforms

Mapping management roles for Liberty on z/OS

You must configure SAF key ring and RACF® authorization to map a z/OS® user to an administrator or reader role for Liberty on z/OS.

About this task

For z/OS users that use SAF key ring and RACF authorization, the SSL definition must point to SAF, and the administrator role is defined in RACF.

For more information about granting server permissions to SAF application domains and resource profiles, see Accessing z/OS security resources using WZSSAD.

Procedure

  • Configure SSL definitions with SAF. Here is a sample configuration:

    <featureManager>
        <feature>zosSecurity-1.0</feature>
        <feature>restConnector-2.0</feature>
    </featureManager>

    <sslDefault sslRef="defaultSSLSettings" />
    <ssl id="defaultSSLSettings" keyStoreRef="CellDefaultKeyStore"
         trustStoreRef="CellDefaultTrustStore" />
    <keyStore id="CellDefaultKeyStore" location="safkeyring:///WASKeyring2048" type="JCERACFKS"
              password="keystorepassword" fileBased="false" readOnly="true" />
    <keyStore id="CellDefaultTrustStore" location="safkeyring:///WASKeyring2048" type="JCERACFKS"
              password="truststorepassword" fileBased="false" readOnly="true" />

  • Configure the administrator role by using RACF authorization.

    To assign a user to the administrator role, you must grant the user access to the SAF profile associated with the role. See Controlling how roles are mapped to SAF Profiles for more details.

    By default, the SAF profile name for the administrator role is BBGZDFLT.com.ibm.ws.management.security.resource.Administrator. That profile must exist in the EJBROLE SAF class, and the admin user must be granted READ access to it.

    Here are the example RACF commands for user mstone1:
    RDEFINE EJBROLE BBGZDFLT.com.ibm.ws.management.security.resource.Administrator UACC(NONE)
    PERMIT BBGZDFLT.com.ibm.ws.management.security.resource.Administrator ID(MSTONE1) ACCESS(READ) CLASS(EJBROLE)
  • Configure the reader role by using RACF authorization.

    To assign a user to the reader role, you must grant the user access to the SAF profile that is associated with the role. For more information, see Controlling how roles are mapped to SAF Profiles.

    By default, the SAF profile name for the reader role is BBGZDFLT.com.ibm.ws.management.security.resource.Reader. That profile must exist in the EJBROLE SAF class, and the user being assigned the reader role must be granted READ access to it.

    The following example shows the RACF commands for the user mstone1:

    RDEFINE EJBROLE BBGZDFLT.com.ibm.ws.management.security.resource.Reader UACC(NONE)
    PERMIT BBGZDFLT.com.ibm.ws.management.security.resource.Reader ID(MSTONE1) ACCESS(READ) CLASS(EJBROLE)
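The two steps above can be checked and scripted together. The following is an added example, not part of the IBM documentation or of Liberty itself: it parses a constructed copy of the server.xml fragment to confirm that the default SSL settings resolve to SAF key rings of type JCERACFKS, and it builds the RDEFINE/PERMIT pair for a management role from the default BBGZDFLT profile prefix. The RACF user ID pattern is a simplified assumption (1 to 8 characters from A-Z, 0-9, @, #, $).

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment, wrapped in a <server> root so it parses.
SERVER_XML = """<server>
  <featureManager>
    <feature>zosSecurity-1.0</feature>
    <feature>restConnector-2.0</feature>
  </featureManager>
  <sslDefault sslRef="defaultSSLSettings" />
  <ssl id="defaultSSLSettings" keyStoreRef="CellDefaultKeyStore"
       trustStoreRef="CellDefaultTrustStore" />
  <keyStore id="CellDefaultKeyStore" location="safkeyring:///WASKeyring2048"
            type="JCERACFKS" password="keystorepassword" fileBased="false" readOnly="true" />
  <keyStore id="CellDefaultTrustStore" location="safkeyring:///WASKeyring2048"
            type="JCERACFKS" password="truststorepassword" fileBased="false" readOnly="true" />
</server>"""

PROFILE_PREFIX = "BBGZDFLT"  # default SAF profile prefix from the page
ROLE_BASE = "com.ibm.ws.management.security.resource"

def saf_keystore_problems(xml_text):
    """Return findings for the default SSL config; an empty list means both stores are SAF key rings."""
    root = ET.fromstring(xml_text)
    default = root.find("sslDefault")
    if default is None:
        return ["no <sslDefault> element"]
    ssl = root.find(f"ssl[@id='{default.get('sslRef')}']")
    if ssl is None:
        return [f"sslRef {default.get('sslRef')!r} does not resolve to an <ssl> element"]
    problems = []
    for attr in ("keyStoreRef", "trustStoreRef"):
        ks_id = ssl.get(attr)
        ks = root.find(f"keyStore[@id='{ks_id}']")
        if ks is None:
            problems.append(f"{attr} {ks_id!r} has no matching <keyStore>")
            continue
        if not ks.get("location", "").startswith("safkeyring:///"):
            problems.append(f"keyStore {ks_id}: location is not a SAF key ring")
        if ks.get("type") != "JCERACFKS":
            problems.append(f"keyStore {ks_id}: type must be JCERACFKS, got {ks.get('type')!r}")
    return problems

def racf_role_commands(role, user, prefix=PROFILE_PREFIX):
    """Build the RDEFINE/PERMIT pair that maps a RACF user to a Liberty management role."""
    if role not in ("Administrator", "Reader"):
        raise ValueError(f"unknown management role {role!r}")
    user = user.upper()  # RACF user IDs are uppercase; simplified validity check (assumption)
    if not re.fullmatch(r"[A-Z@#$][A-Z0-9@#$]{0,7}", user):
        raise ValueError(f"{user!r} is not a valid RACF user ID")
    profile = f"{prefix}.{ROLE_BASE}.{role}"
    return [f"RDEFINE EJBROLE {profile} UACC(NONE)",
            f"PERMIT {profile} ID({user}) ACCESS(READ) CLASS(EJBROLE)"]
```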