JAAS frequently asked questions

General Debugging

You can enable trace output for the JAAS component. To enable diagnostic tracing for JAAS, include the java.security.debug option when you start the Java™ VM, as shown in the following example (which also redirects the output to a file):
java -Djava.security.debug=all MyTest >MyTest_trace.log 2>&1

Can I use the z/OS JAAS LoginModule with protected user IDs?

The z/OS® JAASLoginModule API can create a LoginContext object for protected user IDs if the following items are both true:
  1. When you use the JAASLoginModule class that is provided by IBM® Semeru Runtime Certified Edition for z/OS, the LoginContext object is created with only the name (userid) parameter (no callback handler).
  2. One of the following statements is true about the user ID that runs the application:
    • The user ID is a superuser.
    • The user ID is defined to RACF® as a SURROGAT of the protected user ID under which authentication is run, and the user ID is granted READ permission to the BPX.SERVER profile in the FACILITY class.

Is it possible to purchase the JAAS LoginModule for RACF separately and run it on another operating system?

No, the JAAS LoginModule (JAASLoginModule class) for RACF cannot be purchased separately. JAAS modules are only available in the JAAS component of IBM Semeru Runtime Certified Edition for z/OS. You cannot run the JAASLoginModule for RACF on any other operating system because the support is compiled specifically for z/OS. Also, JAAS, as provided in IBM Semeru Runtime Certified Edition for z/OS, contains no support for remote authentication by using the JAASLoginModule on z/OS.

What differences exist between z/OS JAAS and the version of JAAS that is supplied by Oracle?

The major differences are in how native security influences the default behavior on z/OS. For more information, see Differences between IBM and Sun versions of JAAS.

Is a JAAS application on z/OS required to run as an authorized program?

Nothing that is implemented in z/OS JAAS requires running the calling applications as authorized programs. However, because JAAS uses controlled services to run authentication and authorization, all program modules that are part of an application that uses JAAS on z/OS must be marked as program-controlled. To learn more about protecting programs on z/OS, see Protecting programs in the documentation for your version of z/OS. To learn more about the effects of uncontrolled programs and how to define modules to program control, see Handling dirty address spaces in the documentation for your version of z/OS. For information about defining programs as program controlled, see Defining programs in UNIX files to program control and Steps for defining programs from load libraries to program control in the documentation for your version of z/OS.

Why does ThreadSubject.doAs(...) not run successfully under JZOS?

z/OS JAAS requires that the doAs(...) method runs on the Initial Program Thread (IPT), as it does during normal Java runtime. However, when you run a Java program with JAAS using JZOS, the Java program does not run on this thread. To bypass this restriction, run the doAs(...) code in a Java thread. For example:
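// Run the doAs(...) call on a separate Java thread.
new Thread(new Runnable()
{
    public void run()
    {
        // subject and SAFAction are defined elsewhere in the application.
        Object obj = OS390ThreadSubject.doAs(subject, new SAFAction());
        System.out.println("\n>>>>>FINISHED calling SAFACTION: OBJ:" + obj + "\r");
    }
}).start();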
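The snippet above starts the thread and moves on, so the caller never sees the value that doAs(...) returns or any exception it throws. The following added example (not IBM's code) keeps the same workaround but waits for the worker thread and hands its result or failure back to the caller. The class name, the runInNewThread helper and the thread name are assumptions, and the standard javax.security.auth.Subject.doAs stands in for the z/OS-specific call so that the block compiles on any Java runtime.

```java
import java.security.PrivilegedAction;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.FutureTask;
import javax.security.auth.Subject;

public class DoAsWorkerThread {

    // Hypothetical helper: runs the work on a new Java thread and blocks
    // until it finishes, so the result and any failure reach the caller.
    static <T> T runInNewThread(Callable<T> work)
            throws InterruptedException, ExecutionException {
        FutureTask<T> task = new FutureTask<>(work);
        Thread worker = new Thread(task, "jaas-doas-worker");
        worker.start();
        // get() rethrows anything the worker threw, wrapped in ExecutionException.
        return task.get();
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder: a real Subject comes from LoginContext.getSubject().
        Subject subject = new Subject();
        PrivilegedAction<String> action =
                () -> "action ran on " + Thread.currentThread().getName();

        // Assumption: on z/OS, replace the stand-in call below with the page's
        // OS390ThreadSubject.doAs(subject, new SAFAction()).
        String result = runInNewThread(() -> Subject.doAs(subject, action));
        System.out.println(result);

        // A failing action is reported to the caller instead of being lost
        // in the worker thread.
        PrivilegedAction<String> failing = () -> {
            throw new SecurityException("constructed failure for the example");
        };
        try {
            runInNewThread(() -> Subject.doAs(subject, failing));
        } catch (ExecutionException e) {
            System.out.println("doAs failed: " + e.getCause());
        }
    }
}
```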