Securing optimized local adapters for inbound support on Liberty for z/OS

Secure your WebSphere® optimized local adapters (WOLA) connections that make inbound calls to the Liberty server.

Before you begin

Run the Liberty servers on z/OS® with server security. For more information, see Security.

Local access to Liberty for z/OS servers is protected by the System Authorization Facility (SAF) CBIND class. When the class is active, its profiles control which local clients can make optimized local adapters requests to a server. Before you run any application that uses the Register API, grant READ access on the CBIND profile of the target server to the user ID of the batch job, UNIX System Services process, or Customer Information Control System (CICS®) region that makes the call.

All inbound requests to the Liberty server run under the authority of the user ID on the current thread. This identity is automatically propagated and asserted in the Enterprise JavaBeans (EJB) container, and the application runs under this identity. Inbound requests that drive into a target enterprise bean arrive in the same manner as method invocations for local EJB requests, and the RunAs security options work in the same way as for local EJB requests.

When transaction work passes between CICS and Liberty for z/OS in either direction, you must take some special security considerations into account. For inbound work, you must decide whether requests to the Liberty server run with the authority of the specific CICS application or with the authority of the CICS region as a whole. The same question arises when the Liberty server sends outbound work to a CICS application: you must decide whether CICS honors the authority of the originating application or applies its own current security profile.
Attention: You must make sure that the client applications are authenticated for CICS to process the request.

To pass requests in to the Liberty server from CICS under the current CICS application identity, set the corresponding flag in the registration flags of the Register API call.

Procedure

  • Create SERVER profiles for z/OS.
    1. Create SERVER profiles for the optimized local adapter authorized service.
      Use the following Time Sharing Option (TSO) commands:
      RDEF SERVER BBG.AUTHMOD.BBGZSAFM.LOCALCOM UACC(NONE)
      PERMIT BBG.AUTHMOD.BBGZSAFM.LOCALCOM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
      RDEF SERVER BBG.AUTHMOD.BBGZSAFM.WOLA UACC(NONE)
      PERMIT BBG.AUTHMOD.BBGZSAFM.WOLA CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
    2. Create a SERVER profile for the authorized client module BBGZSCFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to load the z/OS Authorized client services.
      To enable a server that is running as WLPUSER1 to access the authorized client module:
      RDEF SERVER BBG.AUTHMOD.BBGZSCFM UACC(NONE)
      PERMIT BBG.AUTHMOD.BBGZSCFM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
    3. Create SERVER profiles for optimized local adapter authorized client service.
      Use the following TSO commands:
      RDEF SERVER BBG.AUTHMOD.BBGZSCFM.WOLA UACC(NONE)
      PERMIT BBG.AUTHMOD.BBGZSCFM.WOLA CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
  • If the CBIND class is active in System Authorization Facility (SAF), grant access to the clients that will use optimized local adapters.
    1. Define a profile for the Liberty server in the CBIND class.
      The profile name is BBG.WOLA.<WOLA1>.<WOLA2>.<WOLA3>, where WOLA1, WOLA2, and WOLA3 are the three parts of the optimized adapter group name that are specified in the <zosLocalAdapters> element in the server.xml file. You can define a profile by using the SAF RDEFINE TSO command.
      For example, the following command creates a profile in the CBIND class for a WOLA group named LIB1.LIB2.LIB3:
      RDEF CBIND BBG.WOLA.LIB1.LIB2.LIB3 UACC(NONE)
    2. Permit READ access to the profile.
      For example, the following command permits READ access for the user ID username on the BBG.WOLA.LIB1.LIB2.LIB3 profile:
      PERMIT BBG.WOLA.LIB1.LIB2.LIB3 CLASS(CBIND) ACCESS(READ) ID(username)
      You can use asterisks to define a generic profile that covers multiple servers. The following example permits READ access for the user ID username to all profiles that start with BBG.WOLA in the CBIND class. Use generic profiles with care: a single PERMIT then grants the user ID access to every WOLA-enabled server on the system, so prefer a discrete profile per server unless one shared access list is what you intend. In RACF, generic profiles are honored only when generic profile checking is active for the class (SETROPTS GENERIC(CBIND)).
      RDEF CBIND BBG.WOLA.* UACC(NONE)
      PERMIT BBG.WOLA.* CLASS(CBIND) ACCESS(READ) ID(username)
    For more information about SAF commands and syntax, see the documentation for your version of z/OS. In RACF, if the CBIND or SERVER class is RACLISTed, new or changed profiles take effect only after a refresh, for example SETROPTS RACLIST(CBIND) REFRESH.
  • Configure the security settings.
    The security identity propagation type is specified in the registration flags when the optimized local adapters connection is registered by the Register API call. You can select either the CICS region security profile or the CICS application security profile.
    Attention: For security propagation to function, you must enable security at the CICS application level by setting the SEC=Y CICS startup option.
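The following script ties the SERVER and CBIND steps above together. It is an added example for this page, not IBM's code: it reads the <zosLocalAdapters> element of a server.xml (the attribute names wolaGroup, wolaName2 and wolaName3 come from the Liberty configuration reference, not from this page), derives the CBIND profile name BBG.WOLA.<WOLA1>.<WOLA2>.<WOLA3>, and emits the RDEF and PERMIT commands shown in the procedure for the started-task user ID and for each client user ID. The rule that each part of the group name must be 1 to 8 uppercase SAF characters is an assumed validation, added so that a group name that cannot form a SAF profile is rejected before anything is typed into TSO. The server.xml fragment and the user IDs are constructed sample data.

```python
"""Derive the SAF profiles and commands for a WOLA-enabled Liberty server.

Added example for this documentation page; not IBM's code. Attribute names
wolaGroup, wolaName2 and wolaName3 are from the Liberty <zosLocalAdapters>
configuration reference; the 1-8 uppercase character rule per part is an
assumed validation.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment; not taken from a real system.
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>zosLocalAdapters-1.0</feature>
  </featureManager>
  <zosLocalAdapters wolaGroup="LIB1" wolaName2="LIB2" wolaName3="LIB3"/>
</server>
"""

WOLA_ATTRS = ("wolaGroup", "wolaName2", "wolaName3")
# Assumed constraint: each part is 1-8 characters from the SAF name character set.
_NAME_PART = re.compile(r"^[A-Z0-9@#$]{1,8}$")
# SERVER-class profiles from the procedure on this page, all defined with UACC(NONE).
SERVER_PROFILES = (
    "BBG.AUTHMOD.BBGZSAFM.LOCALCOM",
    "BBG.AUTHMOD.BBGZSAFM.WOLA",
    "BBG.AUTHMOD.BBGZSCFM",
    "BBG.AUTHMOD.BBGZSCFM.WOLA",
)


def wola_group_name(server_xml: str) -> str:
    """Return WOLA1.WOLA2.WOLA3 from server.xml, or raise if it cannot be a SAF name."""
    root = ET.fromstring(server_xml)
    element = root.find("zosLocalAdapters")
    if element is None:
        raise ValueError("server.xml has no <zosLocalAdapters> element")
    parts = []
    for attr in WOLA_ATTRS:
        value = element.get(attr, "")
        if not _NAME_PART.match(value):
            raise ValueError(f"{attr}={value!r}: expected 1-8 uppercase SAF characters")
        parts.append(value)
    return ".".join(parts)


def cbind_profile(group_name: str) -> str:
    """CBIND profile that protects the server with this WOLA group name."""
    return f"BBG.WOLA.{group_name}"


def cbind_commands(group_name: str, client_ids) -> list:
    """RDEF a discrete CBIND profile and PERMIT READ to each client user ID.

    client_ids are the job, USS process or CICS region user IDs that will call
    the Register API. A discrete profile is used instead of BBG.WOLA.* so that
    each server keeps its own access list (least privilege).
    """
    profile = cbind_profile(group_name)
    commands = [f"RDEF CBIND {profile} UACC(NONE)"]
    for user_id in client_ids:
        commands.append(f"PERMIT {profile} CLASS(CBIND) ACCESS(READ) ID({user_id})")
    return commands


def server_commands(started_task_id: str) -> list:
    """RDEF the four SERVER profiles and PERMIT READ to the server's started-task user ID."""
    commands = []
    for profile in SERVER_PROFILES:
        commands.append(f"RDEF SERVER {profile} UACC(NONE)")
        commands.append(f"PERMIT {profile} CLASS(SERVER) ACCESS(READ) ID({started_task_id})")
    return commands


def is_generic_profile(profile: str) -> bool:
    """True if the profile contains RACF generic characters and so covers more than one server."""
    return any(c in profile for c in "*%")


if __name__ == "__main__":
    group = wola_group_name(SAMPLE_SERVER_XML)  # LIB1.LIB2.LIB3
    # CICSRGN1 and BATCHJB1 are constructed sample client user IDs.
    for line in server_commands("WLPUSER1") + cbind_commands(group, ["CICSRGN1", "BATCHJB1"]):
        print(line)
```

The generated commands still need the RACLIST refresh and, for a generic profile, active generic checking described in the procedure; is_generic_profile is there so a review step can flag any profile that would grant access to more than one server.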