z/OS Security Server RACF Security Administrator's Guide


Threads and security

SA23-2289-00

An application that uses the pthread_security_np service can customize the RACF® identity of a thread. The server initiates a thread that processes the client's request. If the server customizes the thread initiated for the client with the client's RACF identity, any resource access decisions to RACF protected resources are made using the client's RACF identity and authorizations.

Depending on the trust you place in an application, you can choose whether both the application server's RACF identity and the client's RACF identity are used in resource access control decisions.

You can choose one of the following:
  • Only the RACF user ID of the client is used in local resource access control decisions made by RACF.
  • Both the RACF user ID of the server and the RACF user ID of the client are used in local resource access control decisions.

The use of the pthread_security_np service is in part protected by the RACF FACILITY class profile BPX.SERVER.
  • If the RACF user ID that is associated with an application server is permitted with UPDATE access to this profile, the application server is allowed to establish a thread-level (task-level) security environment for clients connecting to the server. With UPDATE authority to BPX.SERVER in the RACF FACILITY class, the server can act as a surrogate of the client. This means that the thread associated with a request from the server's client executes with the RACF user ID of that client.

    The RACF identity of the client determines the type of access allowed to system resources (such as data sets) and z/OS UNIX resources (such as file system resources), which are accessed by the client's thread in the server.

  • READ access allows the server to establish a thread-level security environment for the clients it services. However, the user ID of the server and the user ID of the client must be authorized to the resources the server accesses. A thread-level security environment in which both the client's and server's identities are used in the access control decision, but a password was not supplied by the client, is called an unauthenticated client security environment.

    Depending on the design and implementation of the client/server application, a client might need to supply an authenticator to the server.

    For example, the client might be prompted to supply a password or a password substitute, such as a RACF PassTicket, to the server to prove its identity. If a RACF password or PassTicket is specified as an option on the pthread_security_np service, and the password or PassTicket is valid for the client user ID, only the RACF user ID of the client is used in rendering access control decisions. This task-level security environment created by an application server is called an authenticated client security environment. Because the client has trusted the application server sufficiently to supply a RACF password or PassTicket to the server, the server is granted the capability of acting as a surrogate for that client.

    This capability enables you to determine:
    • On behalf of which user IDs the server can act
    • What resources the server can access when acting on behalf of one of its clients

Potentially, for additional security checking, two audit records can be produced to audit:
  • The client accessing the resource
  • The server accessing the resource on behalf of the client

If you choose to implement this additional security checking, you might need to authorize the identity associated with the application server to the resource profiles that protect the resources accessed by the server on behalf of its clients.
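
The following Python model is an added illustration, not IBM code and not a call into RACF. It encodes the cases described above (UPDATE or READ access to BPX.SERVER, with or without a valid password or PassTicket) and reports which user IDs still need authorization to a resource. The user IDs SRVID and ALICE, the resource names and the permit table are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (not real profiles): resource -> user IDs permitted to it.
# SRVID (server), ALICE (client) and the resource names are hypothetical.
PERMITS = {
    "PAYROLL.DATA": {"ALICE"},
    "HR.DATA": {"ALICE", "SRVID"},
}


@dataclass(frozen=True)
class ThreadEnv:
    kind: str           # label for the thread-level security environment
    checked_ids: tuple  # user IDs used in the access control decision


def build_thread_env(server_id, bpx_server_access, client_id,
                     authenticator_valid=False):
    """Model which identities apply once the server customizes a thread."""
    if bpx_server_access == "UPDATE":
        # Server acts as a surrogate: only the client's user ID is used.
        return ThreadEnv("client identity only (UPDATE)", (client_id,))
    if bpx_server_access == "READ":
        if authenticator_valid:
            # Valid password or PassTicket supplied for the client user ID.
            return ThreadEnv("authenticated client", (client_id,))
        # No authenticator: both client and server must be authorized.
        return ThreadEnv("unauthenticated client", (client_id, server_id))
    raise ValueError(f"case not described on this page: {bpx_server_access!r}")


def missing_permits(env, resource, permits=PERMITS):
    """User IDs in the environment that are not authorized to the resource."""
    allowed = permits.get(resource, set())
    return [uid for uid in env.checked_ids if uid not in allowed]


def access_allowed(env, resource, permits=PERMITS):
    """Access is granted only if every checked identity is authorized."""
    return not missing_permits(env, resource, permits)


if __name__ == "__main__":
    for access, auth in (("UPDATE", False), ("READ", True), ("READ", False)):
        env = build_thread_env("SRVID", access, "ALICE", auth)
        for res in PERMITS:
            print(access, env.kind, res, access_allowed(env, res),
                  missing_permits(env, res))
```

In the unauthenticated case the model shows PAYROLL.DATA being refused until SRVID is also permitted to it, which is the extra authorization step the preceding paragraph describes.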

See z/OS UNIX System Services Planning for a complete description of the administrative planning steps and requirements for using the pthread_security_np service.





Copyright IBM Corporation 1990, 2014