Pinned topic passticket authentication with JAAS OS390LoginModule
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
We have a Java app which runs under a JBOSS server in the z/OS environment. One of the functions is the ability to generate JCL and save it to a partitioned dataset that belongs to the user. Normally the Java application is running in the context of the user that is running JBOSS, which may not have permission to write the JCL to the partitioned dataset. We are thus implementing the doAsPrivileged() method to switch user context before we save the JCL. In order to do this, we need to authenticate this user to the external security manager, and since this user has already been authenticated internally, we are generating a passticket to perform the JAAS authentication. The problem is that the PTKTDATA profile name that is used by JAAS to verify the passticket changes. The first time we perform the authentication, it uses MVSxxxx, where 'xxxx' is the SMF system id. On subsequent verifications, JAAS appears to be using profile OMVSAPPL. I would like to be able to configure this profile name, or at least see the consistent use of one profile name or another. Is there any way this can be configured?
Updated on 2012-07-06T11:46:23Z at 2012-07-06T11:46:23Z by IEFBR14
IEFBR14 270000WMSP2 Posts
Re: passticket authentication with JAAS OS390LoginModule2012-07-06T11:46:23ZThis is the accepted answer. This is the accepted answer.Yes, the prefix can be altered with exit ICHRIX01. Details are described in RACF Administrators Guide. Choice of PTKTDATA profile name is up to application. In your example, for sure the __passwd() service is called. That one issues RACROUTE REQUEST=VERIFY with OMVSAPPL as PTKTDATA profile. ICHRIX01 can intercept and alter to your wish.
However, implementing an exit is often considered undesirable. You might want to think of a different approach like SURROGAT or BPX.SERVER.