Use this task to add a custom System Authorization Facility (SAF) mapping module to one
of the system login modules by using the administrative console.
Before you begin
To use a pluggable login module to perform Java™ Platform,
Enterprise Edition (Java EE) identity to Resource Access
Control Facility (RACF®) user mapping, you must configure a
pluggable mapping module, followed by configuring the WebSphere® Application Server for z/OS-supplied module,
com.ibm.ws.security.common.auth.module.MapPlatformSubject, in the appropriate Java Authentication and Authorization Service (JAAS) system login
configurations. When SAF Authorization or Synch to OS Thread is configured, this
approach enables an installation to configure the active WebSphere Application Server registry as either a standalone Lightweight
Directory Access Protocol (LDAP) registry or a standalone custom registry.
In earlier releases, WebSphere Application Server did not support a local operating system
registry under the federated repository functionality on any platform, so a SAF-managed RACF
registry could not be used with federated repositories. A SAF-managed RACF registry is now
supported under the federated repository functionality. To configure the SAF mapping module to
use federated repositories with a SAF user registry adapter for SAF authorization, see Configuring
a custom System Authorization Facility mapping module for federated repositories.
Before proceeding, make sure you know how to write a mapping module to get a SAF identity. If you use anything other than the sample, you
must build the relevant classes and install them into the <WAS_HOME>/classes
directory for each node in the cell, including the deployment manager node in a cell. If Java 2 security is enabled, ensure that the server.policy
file is updated to provide appropriate permissions.
Note: If you are using the SAF distributed identity mapping feature, you do not need to configure a
mapping module.
About this task
The custom SAF mapping module (either com.ibm.websphere.security.SampleSAFMappingModule or
a customer-written mapping module) must be added to each of the required system login module
entries and then moved manually to the second-to-last position in the login module order,
immediately before com.ibm.ws.security.common.auth.module.MapPlatformSubject, as described in the procedure:
Note: For base configuration, if you select SWAM as your authentication mechanism, update the
SWAM entry. However, if you plan to use LTPA as your authentication mechanism, set up all
four system login module entries. For a WebSphere Application Server Network Deployment
configuration, you only need to configure the LTPA authentication mechanism configuration
entries.
Procedure
- Configure the custom mapping module:
- Click Security > Global security.
- Under Java Authentication and Authorization
Service, click System logins >
login_module_name.
- Under Additional properties, click JAAS login modules > New.
- Enter the class name of the custom login module in the Module class name field
(use com.ibm.websphere.security.SampleSAFMappingModule for the shipped sample
module).
- Click Apply to add the new module to the login module list.
- Configure the supplied com.ibm.ws.security.common.auth.module.MapPlatformSubject login
module:
- Click Security > Global security.
- Under Java Authentication and Authorization
Service, click System logins >
login_module_name
- Under Additional properties, click JAAS login modules > New.
- Enter the class name com.ibm.ws.security.common.auth.module.MapPlatformSubject in the Module class name field.
- Click Apply to add the new module to the login module list.
- Click Security > Global security.
- Under Authentication, expand Java Authentication
and Authorization Service and click System logins >
login_module_name.
- Under Additional properties, click JAAS login modules > Set Order. The new mapping module
must come after com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule and immediately
before com.ibm.ws.security.common.auth.module.MapPlatformSubject, which must remain the last module.
- If the order is wrong, select the box next to the new mapping module and click Move up or
Move down until it is in that position. When the modules are in the correct order, click Apply,
then Save (in a WebSphere Application Server Network Deployment cell, select Synchronize changes
with Nodes before saving).
What to do next
Make these changes for each of the system login modules needed for your WebSphere Application Server for z/OS®
configuration. The choice of which system login modules are needed is based on your authentication
mechanism (SWAM or LTPA).
Note: If the SAF identity mapping module you installed has configurable properties, you can update
them by creating custom properties in the JAAS system logins panel in the administrative console.
Use the following example if you used SampleSAFMappingModule as a prototype and
changed its else clause to provide custom mapping logic. In this case, you must create the
useWSPrincipalName custom property and set it to false for each JAAS login
configuration that uses the modified SampleSAFMappingModule.
- Click Security > Global security.
- Under Java Authentication and Authorization Service, click
System logins >
login_module_name.
- Under Additional properties, click JAAS login modules >
com.ibm.websphere.security.SampleSAFMappingModule.
- Under Additional properties, click Custom Properties > New.
- Enter the custom property name useWSPrincipalName and the value false.
- Click Apply, then Save.
Repeat this process for each of the system login modules that use the modified
SampleSAFMappingModule.
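As an added illustration (not the shipped SampleSAFMappingModule or any other IBM code), the following JAAS login module shows the shape of a custom SAF mapping module as this page describes it: the useWSPrincipalName option selects between using the WebSphere principal name directly as the SAF user ID and an installation-specific "else clause" mapping, and the result is validated as a SAF user ID before being handed to the next module, failing closed when no mapping exists. The class name, the shared-state key SAF_USERID_KEY, the DN-to-user-ID table, and the assumption that the caller's registry name is the first Principal in the Subject are all assumptions made for this example; the real hand-off key and principal type that MapPlatformSubject expects must be taken from the sample module's source.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical custom SAF mapping module (example code, not IBM's sample).
 * Runs after wsMapDefaultInboundLoginModule and before MapPlatformSubject.
 */
public class CustomSafMappingModule implements LoginModule {

    // Custom property name configured on the JAAS login module in the console.
    static final String USE_WS_PRINCIPAL_NAME = "useWSPrincipalName";

    // ASSUMPTION: placeholder shared-state key. The key that MapPlatformSubject
    // actually reads must be copied from the shipped SampleSAFMappingModule.
    static final String SAF_USERID_KEY = "example.saf.mappedUserid";

    // A RACF user ID is 1-8 characters from A-Z, 0-9, #, $ and @.
    private static final Pattern SAF_USERID = Pattern.compile("[A-Z0-9#$@]{1,8}");

    // Constructed sample table (registry name -> SAF user ID) standing in for
    // whatever source a real installation would consult.
    private static final Map<String, String> NAME_TO_SAF;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("uid=alice,ou=people,o=example", "ALICE01");
        m.put("uid=bob,ou=people,o=example", "BOB02");
        NAME_TO_SAF = Collections.unmodifiableMap(m);
    }

    private Subject subject;
    private Map<String, Object> sharedState;
    private boolean useWSPrincipalName = true; // default matches the page's description
    private String mappedUserid;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = (Map<String, Object>) sharedState;
        Object v = options.get(USE_WS_PRINCIPAL_NAME);
        // Only an explicit "false" custom property switches to the else-clause mapping.
        this.useWSPrincipalName = v == null || !"false".equalsIgnoreCase(v.toString().trim());
    }

    @Override
    public boolean login() throws LoginException {
        // ASSUMPTION: the earlier modules have placed the authenticated caller's
        // registry name as the first Principal in the Subject.
        Principal p = subject.getPrincipals().stream().findFirst().orElse(null);
        if (p == null) {
            throw new LoginException("no authenticated principal in Subject");
        }
        mappedUserid = mapToSafUserid(p.getName(), useWSPrincipalName);
        if (mappedUserid == null) {
            // Fail closed: never pass an unmapped or malformed identity downstream.
            throw new LoginException("no SAF user ID mapping for " + p.getName());
        }
        return true;
    }

    /** Pure mapping function, separated from JAAS plumbing so it can be unit-tested. */
    static String mapToSafUserid(String registryName, boolean useWSPrincipalName) {
        String candidate;
        if (useWSPrincipalName) {
            // Registry name is already expected to be a SAF user ID.
            candidate = registryName;
        } else {
            // The "else clause": installation-specific mapping, here a table lookup.
            candidate = NAME_TO_SAF.get(registryName.toLowerCase(Locale.ROOT));
        }
        if (candidate == null) {
            return null;
        }
        candidate = candidate.toUpperCase(Locale.ROOT);
        // Reject anything that cannot be a SAF user ID, so a crafted registry name
        // cannot smuggle an over-long or malformed ID to MapPlatformSubject.
        return SAF_USERID.matcher(candidate).matches() ? candidate : null;
    }

    @Override
    public boolean commit() {
        if (mappedUserid == null) {
            return false;
        }
        sharedState.put(SAF_USERID_KEY, mappedUserid);
        return true;
    }

    @Override
    public boolean abort() {
        mappedUserid = null;
        return true;
    }

    @Override
    public boolean logout() {
        sharedState.remove(SAF_USERID_KEY);
        mappedUserid = null;
        return true;
    }
}
```

With this structure, setting the useWSPrincipalName custom property to false in each affected system login configuration, as the steps above describe, is what activates the else-clause mapping; leaving the property absent keeps the pass-through behaviour.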