WebSphere Application Server security for z/OS
WebSphere® Application Server for z/OS® supports access to resources by clients and servers in a distributed environment. Determine how to control access to these resources and prevent inadvertent or malicious destruction of the system or data.
These are the pieces in the distributed network that you must consider:
- You must authorize servers to the base operating system services
in z/OS. These services include System Authorization
Facility (SAF) security, database management, and transaction management.
- For the server clusters, you must distinguish between controllers and servants. Controllers run authorized system code, so they are trusted. Servants run application code and are given access to resources, so carefully consider the authorization you give servants.
- You must also distinguish between the level of authority for run-time servers and for your own application servers have. For example, the node needs the authority to start other clusters, while your own application clusters do not need this authority.
- You must authorize clients (users) to servers and objects within
servers. The characteristics of each client requires special consideration:
- Is the client on the local system or is it remote? The security of the network becomes a consideration for remote clients.
- Will you allow unidentified (unauthenticated) clients to access the system? Some resources on your system might be intended for public access, while others you might need to protect. To access protected resources, clients must establish their identities and have authorization to use those resources.
- Authentication is the process of establishing the identity
of a client in a particular context. A client can be an end user,
a machine, or an application. The term authentication mechanism in WebSphere Application Server on z/OS refers
more specifically to the facility in which WebSphere identifies
an authenticated identity, using HTTP and Java™ Management
Extensions (JMX) facilities. When configuring a cell, you must select
an authentication mechanism. The choices for authentication mechanism
include:
- Simple WebSphere Authorization Mechanism (SWAM)
- only on Base Application Server, not available on the Network Deployment
configurationNote: SWAM is deprecated in WebSphere Application Server Version 8.5 and will be removed in a future release.
- Lightweight Third Party Authentication (LTPA)
- Kerberos
- Simple WebSphere Authorization Mechanism (SWAM)
- only on Base Application Server, not available on the Network Deployment
configuration
- Information about users and groups reside in a user registry.
In WebSphere Application Server, a user registry
authenticates a user and retrieves information about users and groups
to perform security-related functions, including authentication and
authorization. Implementation is provided to support multiple operating
system or operating environment-based user registries. When configuring
a cell, you must select a single user registry. The user registry
can be local or remote. The choices for user registry include:
- SAF-based local registry (default when a z/OS security product is chosen for administrative security during customization)
- Standalone Lightweight Directory Access Protocol (LDAP) registry - LDAP can be either a local or remote registry
- Stand-alone custom user registry - A custom user registry is set up to meet unique registry needs. WebSphere Application Server provides a simple user registry sample called the FileBasedRegistrySample.
- Federated repositories (default when the WebSphere Application Server is chosen for administrative security during customization)
If you need to protect resources, it is critical that you identify
who accesses those resources. Thus, any security system requires client
(user) identification, also known as authentication. In a distributed
network supported by WebSphere Application Server
for z/OS, clients can access resources from:
- Within the same system as a server
- Within the same sysplex as the server
- Remote z/OS systems
- Heterogeneous systems, such as WebSphere Application Server on distributed platforms, Customer Information Control System (CICS®), or other Java Platform, Enterprise Edition-compliant systems.
Additionally, clients can request a service that requires a server to forward the request to another cluster. In such cases, the system must handle delegation, the availability of the client identity for use by intermediate clusters and target clusters.
Finally, in a distributed network, how do you verify that messages
being passed are confidential and have not been tampered? How do you
verify that clients are who they claim to be? How do you map network
identities to z/OS identities? These issues are addressed
by the following support in WebSphere Application Server
for z/OS:
- The use of Secure Sockets Layer (SSL) and digital certificates
- Kerberos
- Common Secure Interoperability, Version 2 (CSIv2)
- Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
- Distributed identity mapping feature in SAF