You must configure SAF key ring and RACF®
authorization to map a z/OS® user to an administrator or
reader role for Liberty on z/OS.
About this task
For z/OS users that use SAF key ring and RACF authorization, the SSL definition must point to SAF, and the
administrator role is defined in RACF.
For more information about granting server permissions to SAF application domains and resource profiles, see Accessing z/OS security resources using WZSSAD.
Procedure
- Configure SSL definitions with SAF. Here is a sample configuration:

      <featureManager>
          <feature>zosSecurity-1.0</feature>
          <feature>restConnector-2.0</feature>
      </featureManager>
      <sslDefault sslRef="defaultSSLSettings" />
      <ssl id="defaultSSLSettings" keyStoreRef="CellDefaultKeyStore"
           trustStoreRef="CellDefaultTrustStore" />
      <keyStore id="CellDefaultKeyStore" location="safkeyring:///WASKeyring2048" type="JCERACFKS"
                password="keystorepassword" fileBased="false" readOnly="true" />
      <keyStore id="CellDefaultTrustStore" location="safkeyring:///WASKeyring2048" type="JCERACFKS"
                password="truststorepassword" fileBased="false" readOnly="true" />
- Configure the administrator role by using RACF authorization.

  To assign a user to the administrator role, you must grant the user access to the SAF profile associated with the role. See Controlling how roles are mapped to SAF Profiles for more details.

  By default, the SAF profile name for the administrator role is BBGZDFLT.com.ibm.ws.management.security.resource.Administrator. That profile must exist in the EJBROLE SAF class, and the admin user must be granted READ access to it.

  Here are the example RACF commands for user mstone1:

      RDEFINE EJBROLE BBGZDFLT.com.ibm.ws.management.security.resource.Administrator UACC(NONE)
      PERMIT BBGZDFLT.com.ibm.ws.management.security.resource.Administrator ID(MSTONE1) ACCESS(READ) CLASS(EJBROLE)
- Configure the reader role by using RACF authorization.

  To assign a user to the reader role, you must grant the user access to the SAF profile that is associated with the role. For more information, see Controlling how roles are mapped to SAF Profiles.

  By default, the SAF profile name for the reader role is BBGZDFLT.com.ibm.ws.management.security.resource.Reader. That profile must exist in the EJBROLE SAF class, and the user must be granted READ access to it.

  The following example shows RACF commands for a user mstone1:

      RDEFINE EJBROLE BBGZDFLT.com.ibm.ws.management.security.resource.Reader UACC(NONE)
      PERMIT BBGZDFLT.com.ibm.ws.management.security.resource.Reader ID(MSTONE1) ACCESS(READ) CLASS(EJBROLE)
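The following check, added here as an example and not part of the Liberty product or this documentation, reads a server.xml fragment like the one in step 1 and reports whether the default SSL definition actually resolves to SAF key ring stores (safkeyring:/// location, JCERACFKS type, fileBased="false") and whether zosSecurity-1.0 is enabled. The embedded server.xml is a constructed copy of the sample above, wrapped in a <server> root; the function name check_saf_ssl is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the SAF-backed SSL configuration from step 1, wrapped in a
# <server> root element so that it parses as a single document.
SERVER_XML = """<server>
  <featureManager>
    <feature>zosSecurity-1.0</feature>
    <feature>restConnector-2.0</feature>
  </featureManager>
  <sslDefault sslRef="defaultSSLSettings" />
  <ssl id="defaultSSLSettings" keyStoreRef="CellDefaultKeyStore"
       trustStoreRef="CellDefaultTrustStore" />
  <keyStore id="CellDefaultKeyStore" location="safkeyring:///WASKeyring2048" type="JCERACFKS"
            password="keystorepassword" fileBased="false" readOnly="true" />
  <keyStore id="CellDefaultTrustStore" location="safkeyring:///WASKeyring2048" type="JCERACFKS"
            password="truststorepassword" fileBased="false" readOnly="true" />
</server>"""


def check_saf_ssl(server_xml: str) -> list[str]:
    """Return a list of findings; an empty list means the default SSL definition is SAF-backed."""
    root = ET.fromstring(server_xml)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "zosSecurity-1.0" not in features:
        findings.append("zosSecurity-1.0 feature is not enabled")
    # Follow sslDefault -> ssl -> keyStore references the same way the server resolves them.
    ssl_default = root.find("sslDefault")
    ssl_ref = ssl_default.get("sslRef") if ssl_default is not None else None
    ssl = next((s for s in root.iter("ssl") if s.get("id") == ssl_ref), None)
    if ssl is None:
        findings.append(f"sslDefault sslRef {ssl_ref!r} does not resolve to an <ssl> element")
        return findings
    stores = {k.get("id"): k for k in root.iter("keyStore")}
    for attr in ("keyStoreRef", "trustStoreRef"):
        store_id = ssl.get(attr)
        store = stores.get(store_id)
        if store is None:
            findings.append(f"{attr}={store_id!r} does not resolve to a <keyStore>")
            continue
        if not (store.get("location") or "").startswith("safkeyring:///"):
            findings.append(f"keyStore {store_id}: location is not a safkeyring:/// URL")
        if store.get("type") != "JCERACFKS":
            findings.append(f"keyStore {store_id}: type is not JCERACFKS")
        # The sample sets fileBased="false" explicitly for a SAF key ring; require it to be present.
        if store.get("fileBased") != "false":
            findings.append(f'keyStore {store_id}: fileBased must be "false" for a SAF key ring')
    return findings
```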