The preferred security scheme is SAF/RACF-based authentication and
authorization. Most z/OS systems already use SAF/RACF security, and only
a few additional steps are necessary to make use of it for web service
authorization.
- Download the latest version of "Tomcat SAF Security 5.5" from:
www.dovetail.com/downloads/jzos/index.html
- Extract saf_realm.jar from the zip-file and upload it as binary
to:
$CATALINA_HOME/server/lib
- Extract saf-roles.xml from the zip-file and upload it as binary
to:
$CATALINA_HOME/conf
- Set the Program Control bit on for the following files and libraries.
The SAF realm authenticates users through z/OS UNIX security services,
which require every module loaded into the Tomcat address space to be
program controlled; an unmarked module makes the authentication calls fail:
extattr +p $JAVA_HOME/bin/java
extattr +p $JAVA_HOME/bin/lib*.so
extattr +p $JAVA_HOME/bin/classic/libjvm.so
extattr +p $JAVA_HOME/bin/j9vm/libjvm.so
To make the xml-files editable under z/OS for the next two steps, tag
each file as ASCII before editing it and back to EBCDIC when done, using
these commands (replace file_name with the actual name of the xml-file):
chtag -tc ISO8859-1 file_name
chtag -tc IBM-1047 file_name
- Follow the steps described in www.dovetail.com/docs/jzos/saf.html
(in particular steps 4 to 6) to modify the server configuration file
$CATALINA_HOME/conf/server.xml. When done, server.xml should look
like this:
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
  <Listener className="com.dovetail.zos.tomcat.SafLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
  <GlobalNamingResources>
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
    <Resource name="UserDatabase"
              auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="z/OS Role database"
              factory="com.dovetail.zos.tomcat.SafRoleDatabaseFactory"
              pathname="conf/saf-roles.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector port="8009"
               enableLookups="false"
               redirectPort="8443"
               protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="com.dovetail.zos.tomcat.SafRealm"
             resourceName="UserDatabase" />
      <Host name="localhost"
            appBase="webapps"
            unpackWARs="true"
            autoDeploy="false"
            xmlValidation="false"
            xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>
- Modify $CATALINA_HOME/conf/saf-roles.xml according to step 11 and add
the desired mappings. Each <role> entry maps a Tomcat role name to a SAF
resource (class and entity) and a minimum access level: an authenticated
user holds the role only if he or she has at least that SAF/RACF
authority, and needs the role in order to use the Tomcat web service.
The content of saf-roles.xml can finally look like this:
<?xml version='1.0' encoding='utf-8'?>
<saf-roles>
  <role rolename="admin" safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
  <role rolename="manager" safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
  <role rolename="master" safclass="FACILITY" safentity="STGADMIN.EDG.MASTER" saflevel="CONTROL"/>
</saf-roles>
In this example, all users that have CONTROL (or higher) authority for
STGADMIN.EDG.MASTER are authorized to use the DFSMSrmm web service, and
users with READ authority to BPX.SERVER can access the "Tomcat Manager"
and "Tomcat Administration" pages. Note that READ access to BPX.SERVER
is a privilege normally granted to server user IDs, so every such ID
qualifies for the admin and manager roles here; for production use,
choose profiles that are dedicated to that purpose.
Restart Tomcat to activate the changes.
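The following is an added example and not code from this page or from the Dovetail SAF realm. It reads the saf-roles.xml shown above (embedded as a string so it runs anywhere), evaluates which Tomcat roles a user would hold against a constructed RACF access list, and prints the RACF commands that would grant a missing role. Assumptions: the standard RACF access hierarchy NONE < READ < UPDATE < CONTROL < ALTER, that the realm treats saflevel as a minimum (a SAF check for CONTROL succeeds for a user holding ALTER), that no UACC or group access applies, and that FACILITY is RACLISTed. The user IDs TOMCAT, WEBADM, RMMADM and RMMOPER are constructed.

```python
import xml.etree.ElementTree as ET

# RACF access levels in ascending order. A SAF check for a given level
# succeeds when the user's access is at least that level (assumption:
# standard RACF hierarchy, no UACC or group-level access modelled).
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed copy of the saf-roles.xml example from the page.
SAF_ROLES_XML = """<?xml version='1.0' encoding='utf-8'?>
<saf-roles>
  <role rolename="admin" safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
  <role rolename="manager" safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
  <role rolename="master" safclass="FACILITY" safentity="STGADMIN.EDG.MASTER" saflevel="CONTROL"/>
</saf-roles>
"""

# Constructed RACF access list: (class, profile) -> {userid: access}.
# On a real system this is what "RLIST FACILITY <profile> AUTHUSER" reports.
ACCESS_LIST = {
    ("FACILITY", "BPX.SERVER"): {"TOMCAT": "READ", "WEBADM": "READ"},
    ("FACILITY", "STGADMIN.EDG.MASTER"): {"RMMADM": "ALTER", "RMMOPER": "UPDATE"},
}


def parse_saf_roles(xml_text):
    """Return a list of (rolename, safclass, safentity, saflevel) tuples.

    Raises ValueError for an entry with a missing attribute or a saflevel
    that is not a RACF access level, since such a role can never be granted.
    """
    roles = []
    for elem in ET.fromstring(xml_text.encode("utf-8")).findall("role"):
        name = elem.get("rolename")
        safclass = (elem.get("safclass") or "").upper()
        entity = (elem.get("safentity") or "").upper()
        level = (elem.get("saflevel") or "").upper()
        if not (name and safclass and entity):
            raise ValueError(f"role {name!r}: rolename, safclass and safentity are required")
        if level not in ACCESS_ORDER:
            raise ValueError(f"role {name!r}: unknown saflevel {level!r}")
        roles.append((name, safclass, entity, level))
    return roles


def has_access(access_list, safclass, entity, userid, required):
    """True if userid's access to the profile is at least `required`.
    A user absent from the access list is treated as NONE."""
    granted = access_list.get((safclass, entity), {}).get(userid, "NONE")
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(required)


def roles_for_user(roles, access_list, userid):
    """Sorted Tomcat role names the user would be given by the mapping."""
    return sorted(name for name, safclass, entity, level in roles
                  if has_access(access_list, safclass, entity, userid, level))


def permit_commands(roles, access_list, userid, wanted_role):
    """RACF commands that would give userid `wanted_role`; [] if already held.
    The SETROPTS REFRESH is needed because FACILITY is assumed to be RACLISTed."""
    cmds = []
    for name, safclass, entity, level in roles:
        if name != wanted_role or has_access(access_list, safclass, entity, userid, level):
            continue
        cmds.append(f"PERMIT {entity} CLASS({safclass}) ID({userid}) ACCESS({level})")
        cmds.append(f"SETROPTS RACLIST({safclass}) REFRESH")
    return cmds


if __name__ == "__main__":
    roles = parse_saf_roles(SAF_ROLES_XML)
    for user in ("TOMCAT", "WEBADM", "RMMADM", "RMMOPER"):
        print(f"{user:8} -> {roles_for_user(roles, ACCESS_LIST, user)}")
    for cmd in permit_commands(roles, ACCESS_LIST, "RMMOPER", "master"):
        print(cmd)
```

Running it shows two things the mapping alone does not: RMMOPER, who has only UPDATE, is denied the master role until the PERMIT with ACCESS(CONTROL) is issued, while RMMADM with ALTER already holds it; and TOMCAT, holding BPX.SERVER READ only because it is a server ID, receives admin and manager, which is the reason to prefer dedicated profiles for those roles.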