Setting up the System Authorization Facility (SAF) unauthenticated user
If you are using a SAF user registry, you must specify a SAF user ID that
represents the unauthenticated state. The name of the unauthenticated user ID is specified on the
unauthenticatedUser attribute of the
safCredentials element in
server.xml. It is important to define this user ID correctly in your SAF
registry. If you are using a RACF SAF user registry, the unauthenticated user (default WSGUEST)
needs a unique default group (DFLTGRP) with no other user IDs connected to that group, an OMVS
segment but not a TSO segment, and the NOPASSWORD, NOOIDCARD, and
RESTRICTED options. If you are using a SAF user registry other than RACF,
find the user ID options that are provided by that SAF registry that are
equivalent to these RACF options.
About this task
By running the appropriate commands, you can correctly set up an unauthenticated user in your SAF user registry. An unauthenticated user that is set up incorrectly can cause a security exposure, because anything that user ID is permitted to is effectively available to everyone.
Run the ADDGROUP command.
Use WSGUESTG as the group name.
ADDGROUP WSGUESTG SUPGROUP(SYS1) OWNER(SYS1) DATA('WAS Unauthenticated User Group') OMVS(AUTOGID)
Run the ADDUSER command.
Use WSGUEST as the user ID name.
ADDUSER WSGUEST DFLTGRP(WSGUESTG) OWNER(SYS1) OMVS(AUTOUID HOME(/u/WSGUEST) PROGRAM(/bin/sh)) NAME('WAS unauth') NOPASSWORD NOOIDCARD RESTRICTED
NOPASSWORD and NOOIDCARD together make this a protected user ID: it cannot be used to log on with a password, and it cannot be revoked by repeated attempts to guess the password.
RESTRICTED means that this user ID cannot gain access to protected resources unless it is explicitly permitted to that resource, even if that resource has a general access (UACC) setting that would otherwise grant access.
Note: After the unauthenticated user ID (WSGUEST) is defined to the SAF registry, ensure that the user ID is permitted to only the minimum number of SAF resources. If the Liberty server uses the SAF APPL class check to control which users can connect to the Liberty z/OS® System Security Access Domain (WZSSAD), then the unauthenticated user ID must be given READ access to the APPL profile.
Run the PERMIT command.
PERMIT BBGZDFLT CLASS(APPL) ID(WSGUEST) ACCESS(READ)
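The complete RACF sequence, collected here as an added example rather than text from the original page, together with the commands a practitioner would run afterwards to confirm that the user ID was defined correctly. It assumes the default names WSGUESTG, WSGUEST, and BBGZDFLT used in the steps above, and that server.xml names the same user ID and profile prefix (for example `<safCredentials unauthenticatedUser="WSGUEST" profilePrefix="BBGZDFLT"/>`). The SETROPTS REFRESH is an assumption that the APPL class is RACLISTed on your system; when it is, the PERMIT does not take effect until the in-storage profiles are refreshed. The comments use CLIST/REXX syntax and are not part of the RACF commands themselves.

```tso
/* 1. Unique default group: nothing except WSGUEST should ever be connected to it */
ADDGROUP WSGUESTG SUPGROUP(SYS1) OWNER(SYS1) DATA('WAS Unauthenticated User Group') OMVS(AUTOGID)

/* 2. Protected (NOPASSWORD NOOIDCARD) and RESTRICTED user ID with an OMVS segment. */
/*    Deliberately no TSO keyword: the user ID must not get a TSO segment.          */
ADDUSER WSGUEST DFLTGRP(WSGUESTG) OWNER(SYS1) OMVS(AUTOUID HOME(/u/WSGUEST) PROGRAM(/bin/sh)) NAME('WAS unauth') NOPASSWORD NOOIDCARD RESTRICTED

/* 3. The one permit that is normally required: READ on the APPL profile for WZSSAD */
PERMIT BBGZDFLT CLASS(APPL) ID(WSGUEST) ACCESS(READ)
SETROPTS RACLIST(APPL) REFRESH

/* 4. Verify the result.                                                            */
/*    LISTUSER: ATTRIBUTES should include PROTECTED and RESTRICTED, the OMVS segment */
/*    should be present and the TSO segment absent (NO TSO INFORMATION).            */
LISTUSER WSGUEST OMVS TSO

/*    LISTGRP: WSGUEST must be the only user ID connected to the group               */
LISTGRP WSGUESTG

/*    RLIST: WSGUEST should appear in the APPL profile access list with READ, and    */
/*    should not appear on any other profile's access list                          */
RLIST APPL BBGZDFLT AUTHUSER
```

If LISTGRP shows any other user ID connected to WSGUESTG, or LISTUSER shows a TSO segment or a missing PROTECTED or RESTRICTED attribute, correct the definition before starting the server; each of those conditions widens what an unauthenticated request can reach.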
What to do next
A common symptom is an authorization failure in which the unauthenticated user ID (WSGUEST) is denied access to a SAF resource such as an EJBROLE profile. It is nearly always incorrect to permit the unauthenticated user ID to the resource profile to resolve the problem. The failure usually means that the request is running in an unauthenticated state when it must be running in an authenticated state, so the actual problem is probably a failure to authenticate properly. Whenever it appears necessary to permit the unauthenticated user ID to a SAF resource profile, consider carefully whether that is the correct action to take. Permitting the unauthenticated user ID to any SAF resource profile makes that resource available to everyone, including users that are not authenticated. There are almost no instances where that is required; the APPL profile that controls access to the WZSSAD is one exception.