(ZOS) z/OS security options
Use this page to determine which Global security options to specify for the application server for z/OS .
From the admin console, click...
Security > Global Security > z/OS security options.
We also can view this administrative console page, by completing the following steps:
- Click Servers > Server types > WebSphere application servers > server.
- Under Security, click Server domain.
- Click z/OS security options.
If we are configuring security for the first time, complete the steps in the Global security article prior to making changes. After security is configured, validate any changes to the user registry or authentication mechanism panels. Click Apply to validate the user registry settings. An attempt is made to authenticate the server ID to the configured user registry. Validating the user registry settings after enabling Global security can reduce potential problems when restarting the server for the first time.
Remote identity
The System Authorization Facility (SAF) user ID that is assumed for the Internet Inter-ORB Protocol (IIOP) unauthenticated clients that make requests of this server from another system.
Specifies whether an application remote identity is permitted.
This information applies to v6.0.x and previous servers only that are federated in a v6.1 cell.
Local identity
The SAF user ID that is assumed for the Internet Inter-ORB Protocol (IIOP) unauthenticated clients that make requests of this server from the same system.
Specifies whether an application local identity is permitted.
This information applies to v6.0.x and previous servers only that are federated in a v6.1 cell.
Enable application server and z/OS thread identity synchronization
That application servers can process the SyncToOSThread option for application components that specify it.
Select this option indicates whether an operating system thread identity is enabled for synchronization with the Java EE identity used in the application server runtime when an application is coded to request this function.
Synchronizing the operating system identity to the Java EE identity causes the operating system identity to synchronize with the authenticated caller, or delegated RunAs identity in a servlet or EJB file. This synchronization or association means that the caller or security role identity, rather than the server region identity, is used for z/OS system service requests such as access to files.
For this function to be active, the following conditions must all be true:
- The Sync to OS thread allowed value is true.
- An application includes within its deployment descriptor an env-entry of com.ibm.websphere.security.SyncToOSThread set to true.
- The configured user account repository is the local operating system.
When these conditions are true, the OS thread identity is initially set to the authenticated caller identity of a web or EJB request. The OS thread is modified each time the Java EE identity is modified. The Java EE identity can be modified either by a RunAs specification on the deployment descriptor or a programmatic WSSubject.doAs() request.
If the Sync to OS thread allowed value is false, which is the default setting, the ability to modify the identity on the operating system thread of the deployment descriptor setting in the deployment descriptor of the installed application is disabled. If the server is not configured to accept enable synchronization and the application deployment descriptor, com.ibm.websphere.security.SyncToOSThread, is set to true, a BBOJ0080W warning message indicates that the EJB is requesting the SyncToOSThread option, but the server is not enabled for the SyncToOSThread option.
Important: This option significantly increases the number of SMF 80 records used for security auditing. When security auditing is turned on for SMF 80 records, the amount of DASD used increases significantly.
Enable the connection manager RunAs thread identity
Sets the MVS identity associated with the Java EE identity on the execution thread. Local Java EE Connector architecture (J2CA) connectors may honor the MVS identity for authentication and authorization when an application requests a connection.
When we enable this setting, the method can process a request that modifies the operating system identity to reflect the Java EE identity. This function is required to take advantage of thread identity support. Java EE Connector architecture (J2CA) connectors that access local resources on a z/OS system can use the thread identity support. A set of J2CA connectors that accesses local z/OS resources defaults to the Java EE identity of the application if all of the following conditions are true:
- Resource authorization is set to container-managed (res-auth=container).
- An alias entry is not coded when deploying the application.
- The connection manager Sync to OS thread setting is set to enabled.
For example, if we have a pre-existing DB2 for z/OS security policy that controls which users have access to each table, we want to have that policy enforced when users access WebSphere applications that also access DB2 for z/OS. The Java EE identity (the client identity by default) rather than the operating system identity (server identity) is used to establish connections to DB2 for z/OS when Connection Manager RunAs Identity Enabled is selected. DB2 for z/OS table access for the application is determined using your preexisting DB2 for z/OS security policy.
Any J2CA connector that uses the thread identity support must support thread identity. Customer Information Control System (CICS ), Information Management System (IMS™), and DATABASE 2 (DB2) support thread identity. CICS and IMS support thread identity only if the target CICS or IMS is configured on the same system as the application server for z/OS. DB2 always supports thread identity. If a connector does not support thread identity, the user identity associated with the connection is based on the default user identity supported by the particular connector.
Information Value Data type Boolean Default Disabled Range Enabled or Disabled
Related:
Java thread identity and an operating system thread identity Java Platform, Enterprise Edition identity and an operating system thread identity Application Synch to OS Thread Allowed Connection Manager RunAs Identity Enabled and system security When to use application Synch to OS Thread Allowed Considerations for setting the Sync to OS Thread Allowed option Enable WebSphere Application Server security Administrative console buttons Administrative console scope settings Administrative console preference settings Global security settings