Securing optimized local adapters for inbound support on Liberty for z/OS
Secure your WebSphere® optimized local adapters (WOLA) connections that make inbound calls to the Liberty server.
Before you begin
Run the Liberty servers on z/OS® with server security. For more information, see Security.
Local access to Liberty for z/OS servers is protected by the System Authorization Facility (SAF) CBIND class. When enabled, this class is used to protect Liberty servers when optimized local adapters requests are made. Before you run any application that uses the Register API, grant READ access for the user ID for the job, UNIX System Services process, or Customer Information Control System (CICS®) region to the CBIND class for the target server.
All inbound requests to the Liberty server run under the authority of the current user on thread. This identity is automatically propagated and asserted in the Enterprise JavaBeans (EJB) container, and the application starts under this identity. Inbound requests that drive into a target enterprise bean arrive in the same manner as method invocations do for local EJB requests, and the security options for RunAs work in the same way as local EJB requests.
For passing requests in to Liberty server from CICS, you can indicate that you want to use the current CICS application identity by setting a flag for this with the Register API call.