Add the Login Module
- Navigate to ;
- Expand Java Authentication and Authorization Service entry under the Authentication heading and select System logins;
- Select the relevant Alias from the list. The login module should be configured for the DEFAULT, WEB_INBOUND and RMI_INBOUND aliases as follows:
- Click the New button to configure a new Login Module;
- Set the Module class name field to be curam.util.security.CuramLoginModule;
- Check the Use login module proxy option;
- Select REQUIRED in the Authentication strategy field;
- Click the OK button to confirm the addition of the new login module;
- Select the newly added curam.util.security.CuramLoginModule from the list;
- Select the Custom properties link under the Additional Properties heading;
- Click the New button to add the required properties as listed below.

Table 1. CuramLoginModule Custom Properties

| Name | Example Value | Description |
|---|---|---|
| exclude_usernames | websphere, db2admin | Required. A list of usernames to be excluded from authentication. This list should include the WebSphere Application Server for z/OS administration user (as specified in Configure Administration Security) and the database user (as specified in Creating the Data Source Login Alias). The default delimiter is a comma, but may be overridden by exclude_usernames_delimiter. Any users listed here should be defined in the WebSphere Application Server for z/OS user registry. |
| exclude_usernames_delimiter | \| | Optional. A delimiter for the list of usernames provided in exclude_usernames. A delimiter other than the default comma can be useful when usernames have embedded commas, as with LDAP users. |
| login_trace | true | Optional. This property should be set to true to debug the authentication process. If set to true, each invocation of the login module will add tracing information to the WebSphere Application Server for z/OS SystemOut.log file. |
| module_name | DEFAULT, WEB_INBOUND or RMI_INBOUND | Optional. This property should be set to one of DEFAULT, WEB_INBOUND or RMI_INBOUND depending on the configuration the login module is being defined for. It is used only when login_trace is set to true, for tracing purposes. |
| check_identity_only | true | Optional. If this property is set to true, the login module will not perform the usual authentication verifications. Instead it will simply ensure that the user exists on the database table. In this case the configured WebSphere Application Server for z/OS user registry will not be bypassed and will be queried after the login module. This option is intended where LDAP support is required or an alternative authentication mechanism is to be used. |
| user_registry_enabled | true | Optional. This property is used to override the behavior of bypassing the user registry. If this property is set to true, the WebSphere Application Server for z/OS user registry will be queried during the authentication process. If this property is set to false, the WebSphere Application Server for z/OS user registry will not be queried. Note: If you are specifying identity only and using LDAP you may need to perform additional configuration steps; please see Special Configuration Steps When Using Identity Only and LDAP. |
| user_registry_enabled_types | EXTERNAL | Optional. This property is used to specify a comma-delimited list of external user types that will be processed against the WebSphere Application Server for z/OS user registry (e.g. LDAP). See WebSphere Application Server User Registry for more information on the processing of the WebSphere Application Server for z/OS user registry. |
| user_registry_disabled_types | EXTGEN,EXTAUTO | Optional. This property is used to specify a comma-delimited list of external user types that will not be processed against the WebSphere Application Server for z/OS user registry (e.g. LDAP). See WebSphere Application Server User Registry for more information on the processing of the WebSphere Application Server for z/OS user registry. |
- Click OK to confirm the addition of the new login module;
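The following is an added example, not Cúram or WebSphere code: a small pre-flight checker that applies the rules from Table 1 to a set of custom properties before they are entered in the console, so that an exclude list cut at the commas of an LDAP DN, a module_name that is never used because login_trace is off, or a user type listed as both registry-enabled and registry-disabled is caught early. The sample property values are constructed.

```python
from typing import Dict, List

ALIASES = ("DEFAULT", "WEB_INBOUND", "RMI_INBOUND")
BOOLEANS = ("login_trace", "check_identity_only", "user_registry_enabled")


def split_list(value: str, delimiter: str = ",") -> List[str]:
    """Split a delimited property value, trimming whitespace and dropping empties."""
    return [item.strip() for item in value.split(delimiter) if item.strip()]


def check_login_module_props(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a CuramLoginModule custom-property set."""
    findings: List[str] = []
    delim = props.get("exclude_usernames_delimiter", ",")
    if not props.get("exclude_usernames", "").strip():
        findings.append("exclude_usernames is required: list the WAS admin and DB users")
    for name in split_list(props.get("exclude_usernames", ""), delim):
        # An entry such as 'cn=db2admin' is the tell-tale of an LDAP DN that was
        # cut at its own commas; Table 1 says to override the delimiter instead.
        if delim == "," and "=" in name:
            findings.append(f"'{name}' looks like a DN fragment: set exclude_usernames_delimiter")
    for key in BOOLEANS:
        if key in props and props[key].lower() not in ("true", "false"):
            findings.append(f"{key} must be true or false, got '{props[key]}'")
    module = props.get("module_name")
    if module is not None and module not in ALIASES:
        findings.append(f"module_name must be one of {', '.join(ALIASES)}")
    if module is not None and props.get("login_trace", "false").lower() != "true":
        findings.append("module_name has no effect unless login_trace is true")
    enabled = set(split_list(props.get("user_registry_enabled_types", "")))
    disabled = set(split_list(props.get("user_registry_disabled_types", "")))
    for user_type in sorted(enabled & disabled):
        findings.append(f"user type {user_type} is both registry-enabled and registry-disabled")
    return findings


if __name__ == "__main__":
    # Constructed sample: an LDAP DN in exclude_usernames with the default delimiter
    sample = {
        "exclude_usernames": "websphere, cn=db2admin,ou=svc",
        "login_trace": "true",
        "module_name": "WEB_INBOUND",
        "user_registry_enabled_types": "EXTERNAL,EXTGEN",
        "user_registry_disabled_types": "EXTGEN,EXTAUTO",
    }
    for finding in check_login_module_props(sample):
        print(finding)
```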