An application that uses the pthread_security_np service can customize the RACF® identity of a thread. The server initiates a thread that processes the client's request. If the server customizes the thread initiated for the client with the client's RACF identity, any access decisions for RACF-protected resources are made using the client's RACF identity and authorizations.
Depending on the trust you place in an application, you can choose whether only the client's RACF identity, or both the application server's RACF identity and the client's RACF identity, are used in resource access control decisions. You can choose one of the following:
- Only the RACF user ID of
the client is used in local resource access control decisions made
by RACF.
- Both the RACF user ID of
the server and the RACF user
ID of the client are used in local resource access control decisions.
The use of the
pthread_security_np service is
in part protected by the RACF FACILITY
class profile BPX.SERVER.
- If the RACF user ID that
is associated with an application server is permitted with UPDATE
access to this profile, the application server is allowed to establish
a thread-level (task-level) security environment for clients connecting
to the server. With UPDATE authority to BPX.SERVER in the RACF FACILITY class, the server
can act as a surrogate of the client. This means
that the identity of the thread associated with the request from the
server's client executes with the RACF user
ID of the server's client.
The RACF identity
of the client determines the type of access allowed to system resources
(such as data sets) and z/OS UNIX resources
(such as file system resources), which are accessed by the client's
thread in the server.
- READ access allows the server to establish a thread-level security environment for the clients it services. However, both the user ID of the server and the user ID of the client must be authorized to the resources the server accesses. A thread-level security environment in which both the client's and the server's identities are used in the access control decision, but no password was supplied by the client, is called an unauthenticated client security environment.
Depending on the design and implementation of the client/server application, a client might need to supply an authenticator to the server. For example, the client might be prompted to supply a password or a password substitute, such as a RACF PassTicket, to the server to prove its identity. If a RACF password or PassTicket is specified as an option on the pthread_security_np service, and the password or PassTicket is valid for the client user ID, only the RACF user ID of the client is used in rendering access control decisions. This task-level security environment created by an application server is called an authenticated client security environment. Because the client has trusted the application server sufficiently to supply a RACF password or PassTicket to the server, the server is granted the capability of acting as a surrogate for that client.
This capability enables you to determine:
- On behalf of which user IDs the server can act
- What resources the server can access when acting on behalf of
one of its clients
Potentially, for additional security checking, two audit records
can be produced to audit:
- The client accessing the resource
- The server accessing the resource on behalf of the client
If you choose to implement this additional security checking, you
might need to authorize the identity associated with the application
server to the resource profiles that protect the resources accessed
by the server on behalf of its clients.
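The following is an added model (not IBM code and not a RACF interface) of the rules above: which user IDs RACF checks for a client thread depends on the server's access to BPX.SERVER and on whether a valid authenticator was supplied. The profile contents, user IDs and password are constructed sample data, and treating an invalid authenticator as a failed environment creation is an assumption of the model.

```python
from dataclasses import dataclass

# Ordered RACF access levels used on the profiles in this model.
ACCESS_ORDER = {"NONE": 0, "READ": 1, "UPDATE": 2}

@dataclass
class RacfModel:
    """Constructed stand-in for RACF profile data; not a real RACF interface."""
    bpx_server: dict    # server user ID -> access to FACILITY profile BPX.SERVER
    resources: dict     # resource name -> {user ID -> access level}
    passwords: dict     # client user ID -> valid password (constructed sample data)

    def permits(self, profile: dict, user: str, needed: str) -> bool:
        return ACCESS_ORDER[profile.get(user, "NONE")] >= ACCESS_ORDER[needed]

def create_thread_env(racf, server, client, password=None):
    """Model of the server calling pthread_security_np to create a client
    security environment. Returns the environment type and the user IDs RACF
    will check for that thread, or None when no environment may be created."""
    level = racf.bpx_server.get(server, "NONE")
    if level == "NONE":
        return None                      # server not permitted to BPX.SERVER
    if password is not None:
        if racf.passwords.get(client) != password:
            return None                  # assumption: invalid authenticator fails the call
        return {"kind": "authenticated", "ids": (client,)}   # client ID only
    if level == "UPDATE":
        return {"kind": "surrogate", "ids": (client,)}       # client ID only
    # READ on BPX.SERVER and no password: both IDs must be authorized
    return {"kind": "unauthenticated", "ids": (client, server)}

def check_access(racf, env, resource, needed):
    """Access decision for the client thread: every ID in env must be
    authorized to the resource profile at the needed level."""
    profile = racf.resources.get(resource, {})
    checked = {uid: racf.permits(profile, uid, needed) for uid in env["ids"]}
    return all(checked.values()), checked   # checked mirrors the two audit records

# Constructed sample profiles: one server with UPDATE, one with READ.
RACF = RacfModel(
    bpx_server={"SRVUPD": "UPDATE", "SRVREAD": "READ"},
    resources={"PROD.DATA": {"ALICE": "READ"}},
    passwords={"ALICE": "s3cret"},
)
```

With SRVREAD and no password, access to PROD.DATA is denied until SRVREAD is also permitted to the resource, which is the authorization step the paragraph above describes.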
See z/OS UNIX System Services Planning for a complete description of the administrative planning steps and requirements for using the pthread_security_np service.