Securing your applications

To secure your applications, identify and resolve any security vulnerabilities, and work with your security administrator to grant users access to your applications. When the required security controls are established on your system, a user can begin using z/OSMF to perform system management tasks.

Verifying the security of applications

Before importing applications into z/OSMF, ensure that the vendor or developer who supplied the application adhered to security best practices for web applications. Installing software that is not secure can expose your system or company to security issues.

Controlling access to applications

After importing your plug-in into z/OSMF, work with your security administrator to authorize users to use your applications. z/OSMF security is based on the following concepts:
user authentication
When a user attempts to log in to z/OSMF through a web browser, the user’s credentials are verified by the z/OS host system through the SAF interface or a security management product (for example, RACF). This processing ensures that the user ID is known to the z/OS system, and the password is valid.
user authorization
Access to your application is controlled through SAF resource profile <safPrefix>.<taskSAFResourceName>, where <safPrefix> is configured in z/OSMF and is by default IZUDFLT and <taskSAFResourceName> is the SAF resource name you specified for the task in the plug-in property file. The SAF resource profile is defined in the ZMFAPLA class.
If your installation is using RACF and you want to assign administrators CONTROL access and users READ access to your application, you can create a profile like the following:
RDEFINE ZMFAPLA +
(IZUDFLT.ZOSMF.IBM_COMMANDS.COMMANDS.Commands) UACC(NONE)
PERMIT +
IZUDFLT.ZOSMF.IBM_COMMANDS.COMMANDS.Commands +
CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(CONTROL)
PERMIT +
IZUDFLT.ZOSMF.IBM_COMMANDS.COMMANDS.Commands +
CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)

z/OSMF automatically manages the authorization of non-authenticated guests (users who are not logged in) and authenticated guests (users who are logged in but are not defined to a z/OSMF SAF security group). By default, a non-authenticated guest user can access the z/OSMF Welcome task and the default links. An authenticated guest can access everything a non-authenticated guest can, and can also view the online help.

To authorize authenticated guest users to your task, set the task-authenticated-guest-eligible property to true in the plug-in property file. Extending task authorization to users who are not logged in to z/OSMF is not supported.

Actions for security update

Changes to your security setup require applicable refreshes of the security product and a restart of the z/OSMF server for them to take effect.
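The define, permit, refresh and verify steps described above, as an added REXX example that is not part of the z/OSMF documentation or IBM's code: it assumes the default safPrefix IZUDFLT, a hypothetical taskSAFResourceName ZOSMF.MYVENDOR.MYPLUGIN.MyTask, and the IZUADMIN and IZUUSER groups shown earlier.

```rexx
/* REXX - added example, not from the z/OSMF documentation or IBM.            */
/* Defines, permits, refreshes and verifies a ZMFAPLA profile for a plug-in  */
/* task. Assumed: default safPrefix IZUDFLT, a made-up taskSAFResourceName   */
/* ZOSMF.MYVENDOR.MYPLUGIN.MyTask, and the groups IZUADMIN and IZUUSER.      */
ADDRESS TSO
profile = 'IZUDFLT.ZOSMF.MYVENDOR.MYPLUGIN.MyTask'

/* 1. No universal access: nobody can use the task until explicitly permitted */
"RDEFINE ZMFAPLA ("profile") UACC(NONE)"
IF rc > 4 THEN DO; SAY 'RDEFINE failed, rc='rc; EXIT rc; END   /* 4 = warning */

/* 2. Least privilege: CONTROL only for administrators, READ for users        */
"PERMIT "profile" CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(CONTROL)"
IF rc > 4 THEN DO; SAY 'PERMIT IZUADMIN failed, rc='rc; EXIT rc; END
"PERMIT "profile" CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)"
IF rc > 4 THEN DO; SAY 'PERMIT IZUUSER failed, rc='rc; EXIT rc; END

/* 3. ZMFAPLA is RACLISTed, so the PERMITs take effect only after a refresh  */
"SETROPTS RACLIST(ZMFAPLA) REFRESH"
IF rc > 4 THEN DO; SAY 'SETROPTS REFRESH failed, rc='rc; EXIT rc; END

/* 4. Verify: the listing should show UACC NONE and exactly the two groups   */
"RLIST ZMFAPLA "profile" AUTHUSER"
EXIT rc
```

Run it under a user ID with the appropriate RACF authority, and restart the z/OSMF server afterwards as the text requires.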