Securing your applications
To secure your applications, identify and resolve any security vulnerabilities, and work with your security administrator to grant users access to your applications. When the required security controls are established on your system, a user can begin using z/OSMF to perform system management tasks.
Verifying the security of applications
Before importing applications into z/OSMF, ensure that the vendor or developer who supplied the application adhered to security best practices for Web applications. Installing software that is not secure can expose your system or company to security issues.
Controlling access to applications
- user authentication
- When a user attempts to log in to z/OSMF through a web browser, the user’s credentials are verified by the z/OS host system through the SAF interface or a security management product (for example, RACF). This processing ensures that the user ID is known to the z/OS system, and the password is valid.
- user authorization
- Access to your application is controlled through SAF resource profile <safPrefix>.<taskSAFResourceName>, where <safPrefix> is configured in z/OSMF and is by default IZUDFLT and <taskSAFResourceName> is the SAF resource name you specified for the task in the plug-in property file. The SAF resource profile is defined in the ZMFAPLA class. If your installation is using RACF and you want to assign administrators CONTROL access and users READ access to your application, you can create a profile like the following:
    RDEFINE ZMFAPLA +
      (IZUDFLT.ZOSMF.IBM_COMMANDS.COMMANDS.Commands) UACC(NONE)
    PERMIT +
      IZUDFLT.ZOSMF.IBM_COMMANDS.COMMANDS.Commands +
      CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(CONTROL)
    PERMIT +
      IZUDFLT.ZOSMF.IBM_COMMANDS.COMMANDS.Commands +
      CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
z/OSMF automatically manages the authorization of non-authenticated guests (not logged in) and authenticated guests (logged in, but not defined to a z/OSMF SAF security group). By default, a non-authenticated guest user can access the z/OSMF Welcome task and access the default links. An authenticated guest can access everything a non-authenticated guest can, and also view the online help.
To authorize authenticated guest users to access your task, in the plug-in property file, set the task-authenticated-guest-eligible property to true. Extending task authorization to users who are not logged in to z/OSMF is not supported.
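The following is an added example, not part of the original page or of z/OSMF: a small Python review script that reads RDEFINE and PERMIT commands written in the continuation style shown above, reports any ZMFAPLA profile whose UACC is not NONE, and builds a map of which IDs hold which access level. The profile IZUDFLT.EXAMPLE.TASK and the function names are constructed for illustration.

```python
import re

# Constructed sample: the page's commands plus one deliberately weak profile.
SAMPLE = """\
RDEFINE ZMFAPLA +
  (IZUDFLT.ZOSMF.IBM_COMMANDS.COMMANDS.Commands) UACC(NONE)
PERMIT +
  IZUDFLT.ZOSMF.IBM_COMMANDS.COMMANDS.Commands +
  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(CONTROL)
PERMIT +
  IZUDFLT.ZOSMF.IBM_COMMANDS.COMMANDS.Commands +
  CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
RDEFINE ZMFAPLA (IZUDFLT.EXAMPLE.TASK) UACC(READ)
"""

def join_continuations(text):
    """Merge lines ending in '+' (command continuation) into single commands."""
    commands, current = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("+"):
            current += line[:-1].strip() + " "
        elif line:
            commands.append(current + line)
            current = ""
    return commands

def keyword(cmd, name):
    """Return the upper-cased value of NAME(value) in a command, or None."""
    m = re.search(rf"\b{name}\(([^)]*)\)", cmd, re.I)
    return m.group(1).upper() if m else None

def audit(text, cls="ZMFAPLA"):
    """Return (access_map, findings) for RDEFINE/PERMIT commands in one class."""
    access, findings = {}, []
    for cmd in join_continuations(text):
        words = cmd.split()
        verb = words[0].upper()
        if verb == "RDEFINE" and len(words) > 2 and words[1].upper() == cls:
            profile = words[2].strip("()")
            access.setdefault(profile, {})
            uacc = keyword(cmd, "UACC")
            if uacc != "NONE":
                findings.append(f"{profile}: UACC({uacc}) is not NONE")
        elif verb == "PERMIT" and len(words) > 1 and keyword(cmd, "CLASS") == cls:
            access.setdefault(words[1], {})[keyword(cmd, "ID")] = keyword(cmd, "ACCESS")
    return access, findings
```

Run `audit()` over the command file you plan to submit and compare the returned access map with the intended assignments before the commands reach the security product.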
Actions for security update
For changes to your security setup to take effect, you must perform the applicable refreshes of the security product and restart the z/OSMF server.