Feature Focus Week: Distributed identity mapping and propagation for z/OS
z/OS 1.11 introduced a new function in SAF called distributed identity mapping, also referred to as distributed identity propagation. This function allows you to map distributed identities to SAF identities using filters defined in your SAF database. More importantly, you can keep track of distributed users as they access other z/OS subsystems. When audit records are generated in SMF for a distributed user who has been mapped using this function, the records contain information about both the distributed user who originally logged in to the system and the SAF user ID that user was mapped to.
The beta3 refresh for WebSphere on z/OS v8 includes exploitation for this function so that you can log in to your application server for z/OS with a distributed identity and seamlessly be mapped to a SAF identity, never losing track of the original identity.
How to use it:
There are several scenarios where you can take advantage of this new feature. They all involve mapping distributed identities to SAF identities, and having the capability to audit both users.
Usage Scenario #1: LDAP user repository with SAF authorization
You've configured your application server to use an LDAP server as the user repository and SAF for authorizing your users. Before, you had to configure a JAAS login module to map an LDAP user to a SAF user. Now that your SAF database can understand distributed identities, you just need to define the mapping filters in your SAF database. You don't need to configure anything else on your application server.
Usage Scenario #2: Asserting a DN name to SAF
You've configured your application server to use your Local Operating System as the user repository. Another server is asserting a DN name (e.g. CN=testLDAPUser1,O=ibm,C=us) over CSIv2 to your server. Before, the first attribute of the DN name (testLDAPUser1) would get mapped to the SAF user, and if this wasn't a valid SAF user, you'd have to configure additional CSIv2 mapping login configurations! Now that your SAF database can understand distributed identities, you just need to define the mapping filters in your SAF database. On your application server, just check the box for "Map certificate and DN using SAF distributed identity mapping" in the administrative console panel "Common Secure Interoperability Version 2 inbound communications settings".
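Both scenarios depend on the same step: defining the mapping filter in the SAF database. Here is an added example of doing that with RACF's RACMAP command (this is not from the original post; the SAF user ID SAFUSR1, the registry name and the label are assumed values, while the DN is the one used in Scenario #2):

```tso
/* Activate the IDIDMAP class that holds distributed identity filters (once per system) */
SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)

/* Map the asserted DN from the assumed LDAP registry to the assumed SAF user SAFUSR1 */
RACMAP ID(SAFUSR1) MAP                                      +
   USERDIDFILTER(NAME('CN=testLDAPUser1,O=ibm,C=us'))        +
   REGISTRY(NAME('ldap://ldap.example.com:389'))             +
   WITHLABEL('Scenario 2 LDAP user')

/* Changes to IDIDMAP profiles take effect only after a RACLIST refresh */
SETROPTS RACLIST(IDIDMAP) REFRESH

/* Verify the mapping before testing the CSIv2 login; SMF records for this
   user will now carry both the DN and SAFUSR1 */
RACMAP ID(SAFUSR1) LISTMAP
```

If LISTMAP shows no filter after the refresh, check that the issuing user has UPDATE access to the IRR.IDIDMAP.QUERY and IRR.IDIDMAP.ADD resources in the FACILITY class; that access is assumed here.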
See the demo:
Join us for our Feature Focus Week Reflections teleconference scheduled for Thursday, April 21st, 2011. To receive invitations to our CEP sessions, simply email cep<at>us<dot>ibm<dot>com requesting to join. By return, you will receive a confirmation with a few questions about you and your interests. After that, you will start to receive regular invitations to our live demos.
Here are links to useful articles in the Info Center:
WebSphere Security Development