z/OS DFSMSrmm Implementation and Customization Guide


SAF/RACF-based security

SC23-6874-00

The preferable security scheme is the SAF/RACF-based authentication and authorization. Many z/OS systems use SAF/RACF security and only a few additional steps are necessary to make use of it for web service authorization.

  1. Download the latest version of "Tomcat SAF Security 5.5" from:
    www.dovetail.com/downloads/jzos/index.html
  2. Extract saf_realm.jar from the zip-file and upload it as binary to:
    $CATALINA_HOME/server/lib
  3. Extract saf-roles.xml from the zip-file and upload it as binary to:
    $CATALINA_HOME/conf
  4. Set the Program Control bit on for the following files and libraries:
    extattr +p $JAVA_HOME/bin/java
    extattr +p $JAVA_HOME/bin/lib*.so
    extattr +p $JAVA_HOME/bin/classic/libjvm.so
    extattr +p $JAVA_HOME/bin/j9vm/libjvm.so
    To make the XML files editable under z/OS for the next two steps, tag each file as ASCII before editing it and tag it back to EBCDIC when done, using these commands:
    chtag -tc ISO8859-1 file_name
    chtag -tc IBM-1047 file_name
    Replace file_name with the actual name of the XML file.
  5. Follow the steps described in www.dovetail.com/docs/jzos/saf.html to modify the server configuration file $CATALINA_HOME/conf/server.xml, in particular steps 4 through 6 of that document.
    In the end, server.xml should look like this:
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
      <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
      <Listener className="com.dovetail.zos.tomcat.SafLifecycleListener"/>
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
      <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
      <GlobalNamingResources>
        <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
        <Resource name="UserDatabase"
                  auth="Container"
                  type="org.apache.catalina.UserDatabase"
                  description="z/OS Role database"
                  factory="com.dovetail.zos.tomcat.SafRoleDatabaseFactory"
                  pathname="conf/saf-roles.xml" />
      </GlobalNamingResources>
      <Service name="Catalina">
        <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
        <Connector port="8009"
               enableLookups="false"
               redirectPort="8443"
               protocol="AJP/1.3" />
        <Engine name="Catalina" defaultHost="localhost">
          <Realm className="com.dovetail.zos.tomcat.SafRealm"
                 resourceName="UserDatabase" />
          <Host name="localhost"
             appBase="webapps"
             unpackWARs="true"
             autoDeploy="false"
             xmlValidation="false"
             xmlNamespaceAware="false">
          </Host>
        </Engine>
      </Service>
    </Server>
  6. Modify $CATALINA_HOME/conf/saf-roles.xml according to step 11 of the referenced instructions and add the desired role mappings. To use the Tomcat web service, an authenticated user must hold the SAF/RACF authority named in the corresponding entry.
    The finished saf-roles.xml can look like this:
    <?xml version='1.0' encoding='utf-8'?>
    <saf-roles>
      <role rolename="admin" safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
      <role rolename="manager" safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
      <role rolename="master" safclass="FACILITY" safentity="STGADMIN.EDG.MASTER" saflevel="CONTROL"/>
    </saf-roles>
    In this example, all users that have CONTROL authority for STGADMIN.EDG.MASTER are authorized to use the DFSMSrmm web service. Users with READ authority to BPX.SERVER can access the "Tomcat Manager" and "Tomcat Administration" pages.

Restart Tomcat to activate the changes.
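The following is an added example, not code from this guide, Dovetail or Tomcat. It parses the saf-roles.xml shown above and resolves which Tomcat roles a user would obtain, standing in for the SAF authorization check with a constructed table of each user's highest access level per FACILITY resource (the user IDs and their access are invented sample data); the RACF ordering NONE < READ < UPDATE < CONTROL < ALTER is used so that holding a higher level than the mapped saflevel also satisfies the role.

```python
import xml.etree.ElementTree as ET

# RACF access levels in increasing order of privilege. Holding a higher level
# than a role's saflevel also satisfies that role; NONE never satisfies anything.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed copy of the saf-roles.xml content shown on this page.
SAF_ROLES_XML = """<?xml version='1.0' encoding='utf-8'?>
<saf-roles>
  <role rolename="admin" safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
  <role rolename="manager" safclass="FACILITY" safentity="BPX.SERVER" saflevel="READ"/>
  <role rolename="master" safclass="FACILITY" safentity="STGADMIN.EDG.MASTER" saflevel="CONTROL"/>
</saf-roles>
"""


def parse_saf_roles(xml_text):
    """Return (rolename, safclass, safentity, saflevel) tuples from saf-roles.xml,
    rejecting any entry whose saflevel is not a valid RACF access level."""
    roles = []
    for elem in ET.fromstring(xml_text).findall("role"):
        level = elem.get("saflevel", "").upper()
        if level not in ACCESS_ORDER[1:]:
            raise ValueError(f"role {elem.get('rolename')!r}: bad saflevel {level!r}")
        roles.append((elem.get("rolename"), elem.get("safclass"),
                      elem.get("safentity"), level))
    return roles


def roles_for_user(roles, user_access):
    """user_access is a constructed stand-in for SAF authorization results:
    (safclass, safentity) -> highest access level the user holds. A missing
    key means no access (NONE). Returns the sorted list of granted roles."""
    granted = set()
    for rolename, safclass, safentity, saflevel in roles:
        held = user_access.get((safclass, safentity), "NONE")
        if ACCESS_ORDER.index(held) >= ACCESS_ORDER.index(saflevel):
            granted.add(rolename)
    return sorted(granted)


# Constructed sample users and access levels; not real RACF data.
SAMPLE_ACCESS = {
    "STGADM1": {("FACILITY", "STGADMIN.EDG.MASTER"): "ALTER"},
    "WEBOPER": {("FACILITY", "BPX.SERVER"): "READ",
                ("FACILITY", "STGADMIN.EDG.MASTER"): "READ"},
    "GUEST": {},
}

if __name__ == "__main__":
    roles = parse_saf_roles(SAF_ROLES_XML)
    for user, access in SAMPLE_ACCESS.items():
        print(user, roles_for_user(roles, access))
```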





Copyright IBM Corporation 1990, 2014