Configuring security for a Liberty JVM server

You can use the CICS® Liberty security feature to authenticate users and authorize access to web applications through Java™ Platform, Enterprise Edition roles, providing integration with CICS transaction and resource security. You can also use CICS resource security to authorize the appropriate users to manage the lifecycle of both the JVMSERVER resource and Java web applications that are deployed in a CICS BUNDLE resource.

Before you begin

Ensure that the CICS region is configured to use SAF security and is defined with SEC=YES as a system initialization parameter. Next, authorize application developers and system administrators to create, view, update, and remove JVMSERVER and BUNDLE resources in order to deploy web applications into a Liberty JVM server. The JVMSERVER resource controls the availability of the JVM server, and the BUNDLE resource is a unit of deployment for the Java applications and controls the availability of the applications. The default behavior of the CICS TS security feature, cicsts:security-1.0, is to use the SAF registry. If you use an LDAP registry, a SAF registry will not be created. For more information, see Configuring security for a Liberty JVM server by using distributed identity mapping. The basic user registry (which is also used by quickStartSecurity) is only suitable for simple security testing. Be aware that if you configure and run with basic user registry and you need to switch to cicsts:security-1.0, you will need to delete the session tokens.

About this task

This task explains how to configure security for a Liberty JVM server and integrate Liberty security with CICS security. For information about how to configure security for Link to Liberty, see Invoking a Java EE application from a CICS program.

The default transaction ID for running web requests is CJSA. However, you can configure CICS to run web requests under a different transaction ID by using a URIMAP of type JVMSERVER. Typically, you might specify a URIMAP to match the generic context root (URI) of a web application to scope the transaction ID to the set of servlets that make up the application. Or you might choose to run each individual servlet under a different transaction with a more precise URI.

The default user ID for running web requests is the CICS default user ID. If a URIMAP is available and contains a static user ID, it is used in preference to the default user ID. If the web request contains a user ID in its security header, it takes precedence over all other mechanisms.

Tasks that emanate from Liberty that are not classified as web requests, runs under the CJSU transaction by default. Although there is no URIMAP style mechanism for these types of tasks, you can override the default transaction ID by using the JVM profile property of com.ibm.cics.jvmserver.unclassified.tranid and the default user ID by using the JVM profile property com.ibm.cics.jvmserver.unclassified.userid.

Note: The defaulted user ID requires CICS resource security permission before the specified transaction can be run.

Procedure

Configure the WebSphere® Liberty profile angel process to provide authentication and authorization services to the Liberty JVM server, see The Liberty server angel process.

Add the cicsts:security-1.0 feature to the featuremanager list in the server.xml,

<featureManager>
   ...
   <feature>cicsts:security-1.0</feature>
</featureManager>
...

Add the System Authorization Facility (SAF) registry to server.xml using the following example:
```
<safRegistry id="saf" enableFailover="false"/>
```
Save the changes to server.xml.
Note: Alternatively if you are autoconfiguring the Liberty JVM server and the SEC system initialization parameter is set to YES in the CICS region, the Liberty JVM server is dynamically configured to support Liberty JVM security when the JVM server is restarted. For more information, see Configuring a Liberty JVM server.
If the SEC system initialization parameter is set to NO, you can still use Liberty security for authentication or SSL support. If CICS security is switched off, and you want to use a Liberty security, you must configure the server.xml file manually:
1. Add the appSecurity-2.0 feature to the featuremanager list.
2. Add a user registry to authenticate users. Liberty security supports SAF and basic user registries. For more information, see Configuring a user registry for the Liberty profile.
3. Add security-role definitions to authorize access to application resources, see Authorizing users to run applications in a Liberty JVM server.

Results

When the cicsts:security-1.0 feature is used, the web container is automatically configured to use the z/OS® Security feature of Liberty. Additionally a SAF Registry is used for authentication, and Java Platform, Enterprise Edition roles in an <application-bnd> element are respected for authorization.

What to do next

Note: You can also delegate authentication to another identity by configuring the RunAs specification for Liberty, see Configuring RunAs authentication in Liberty.

Configure Liberty application security authentication rules; see Authenticating users in a Liberty JVM server.
Define authorization rules for web applications; see Authorizing users to run applications in a Liberty JVM server and JEE application role security.
Modify the Liberty authentication cache.

For more information about using Secure Sockets Layer (SSL), see Configuring SSL (TLS) for a Liberty JVM server using a Java keystore.