System Authorization Facility user registries
System Authorization Facility (SAF) user registries are used for several purposes in WebSphere® Application Server for z/OS®.
- Authenticate using basic authentication, identity assertion, or client certificates
- Store information about users and groups
- Retrieve information about users and groups to perform security-related administrative functions, including mapping users and groups to security roles
- Control access to resources such as data sets, commands, and ports
Using a local operating system or non-local operating system registry implementation, the WebSphere Application Server for z/OS authentication mechanism can use SAF interfaces. SAF interfaces are defined by MVS™ to enable applications to use system authorization services or user registries to control access to resources such as data sets and MVS commands. SAF either processes security authorization requests directly or works with RACF®, or other security products, to process the requests. Note that a local operating system SAF user registry is not a centralized registry like Lightweight Directory Access Protocol (LDAP), but it is a centralized registry within a sysplex.
With WebSphere Application Server for z/OS, SAF user registries provide digital-certificate-to-user-ID mappings through the Resource Access Control Facility (RACF) RACDCERT command. For more information about the RACDCERT command, see the z/OS Security Server RACF Command Language Reference for your z/OS version in the z/OS Internet Library.
The WebSphere Application Server for z/OS local OS user registry (SAF user registry) implementation takes the registry realm name from the SAFDFLT profile in the REALM class whenever that profile is defined, whether or not the REALM class is active. The realm name is the APPLDATA value of the SAFDFLT profile. If the realm name cannot be obtained from the operating system security product (such as RACF), for example because the SAFDFLT profile or its APPLDATA value is not defined, the value of the protocol_iiop_daemon_listenIPAddress property is used as the realm name instead.
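The following RACF command sequence is an added example (not taken from this page or from the product documentation) of setting the SAF realm name as described above; the realm value WASREALM is a placeholder, and the SETROPTS REFRESH step applies only if the REALM class is RACLISTed on your system. Defining the profile explicitly keeps the realm name stable instead of letting it default to the daemon listen IP address, which changes whenever that address does.

```tso
/* Define the SAFDFLT profile in the REALM class and set the realm  */
/* name in APPLDATA. Use RALTER instead of RDEFINE if the profile    */
/* already exists. The REALM class does not need to be active for   */
/* WebSphere to pick up this value.                                  */
RDEFINE REALM SAFDFLT APPLDATA('WASREALM')

/* Only if the REALM class is RACLISTed: make the new profile visible */
SETROPTS RACLIST(REALM) REFRESH

/* Verify: the APPLDATA line of the output must show WASREALM.       */
/* If the profile is missing or APPLDATA is blank, WebSphere falls    */
/* back to the protocol_iiop_daemon_listenIPAddress value instead.    */
RLIST REALM SAFDFLT
```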
Refer to Selecting a registry or repository for general information about selecting user registries.