[z/OS]

Configuring a secure Lightweight Directory Access Protocol user registry using Resource Access Control Facility based on z/OS

You can secure the application server by configuring Lightweight Directory Access Protocol (LDAP) on z/OS® with an existing Resource Access Control Facility (RACF®) back end. This integrates the native z/OS security settings defined in RACF with the WebSphere® Application Server security environment.

Before you begin

The following requirements exist when implementing these steps:
  • You must have an LDAP server configured with RACF based on z/OS.
  • You must use LDAP on z/OS v1r3 or higher. For v1r3 or v1r4, you must apply APAR 0A03857 - PTF UA06622 before following these steps.
  • The user logs in to WebSphere security with a RACF user ID and is authenticated against LDAP using a password and a Distinguished Name, the Bind DN. The Bind DN combines the RACF user ID with the SDBM suffix from the LDAP server configuration file. If the RACF user is johndoe, and the suffix value in the SDBM section of the LDAP configuration file is cn=myRACF, then the bind DN is: racfid=johndoe, profiletype=user, cn=myRACF.
  • Every RACF group that a user belongs to, including the WebSphere security groups, is stored in the multi-valued racfconnectgroupname attribute of the user's LDAP entry. The attribute is returned when a base or subtree search is performed with the user's DN as the Base DN.
  • The Bind DN must represent a RACF user with Special or Auditor privileges. For more information about the required RACF authority, see the z/OS Security Server RACF Command Language Reference for your z/OS version.
  • You must define the racfconnectgroupname attribute in the LDAP default schema.
    Remember: If you have TDBM defined in the LDAP server configuration file in addition to SDBM, the schema in TDBM is the default schema for the LDAP server. If the TDBM schema does not include the racfconnectgroupname attribute, either remove TDBM from the LDAP server configuration file or add the schema in the schema.user.ldif file and schema.IBM.ldif file to the TDBM schema.

Procedure

  1. Click Security > Global security.
  2. Under User account repository, select Standalone LDAP registry and then click Configure.
  3. Under the Type of LDAP server, click Custom.
  4. Complete the fields for your LDAP environment. For more information, see Configuring Lightweight Directory Access Protocol user registries.
    The users and groups must be in the subtree of the Base DN.
  5. Make sure that Ignore case for authorization is selected.
    RACF user names and group names are not case-sensitive.
  6. Click Apply and then click Save.
  7. Under Additional Properties, click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings.
  8. Change User filter and Group filter to racfid=%v.
  9. Change User ID map and Group ID map to *:racfid.
  10. Change Group member ID map to racfconnectgroupname:racfgroupuserids.
  11. Click Apply and click Save.
  12. Assign the administrative role to a user.
  13. Restart WebSphere Application Server.
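The following Python script is an added example, not IBM code, that models what the settings above mean at the protocol level: how the Bind DN is built from the RACF user ID and the SDBM suffix, how the login name is substituted into the racfid=%v filter (with RFC 4515 escaping so an untrusted login name cannot change the filter structure), and how the *:racfid ID map and racfconnectgroupname:racfgroupuserids member map turn the multi-valued racfconnectgroupname attribute into group names that are compared without regard to case, as step 5 requires. The LDIF entry, user IDs and group names are constructed for the example; only cn=myRACF and johndoe come from the page.

```python
"""Added example (not IBM's code): models how the Advanced LDAP user registry
settings on this page resolve a RACF user through the z/OS LDAP SDBM back end.
The LDIF entry, group names and login names below are constructed."""
import re
from typing import Dict, List, Optional

SDBM_SUFFIX = "cn=myRACF"           # suffix from the SDBM section (value from the page)
USER_FILTER = "racfid=%v"           # step 8
ID_MAP = "*:racfid"                 # step 9: any object class -> racfid attribute
GROUP_MEMBER_ID_MAP = "racfconnectgroupname:racfgroupuserids"  # step 10

# Constructed LDIF-style entry, shaped like what the SDBM back end returns for a
# base search on the user's DN. RACF stores names in upper case.
SAMPLE_ENTRY = """\
dn: racfid=JOHNDOE,profiletype=USER,cn=myRACF
objectclass: racfUser
racfid: JOHNDOE
racfconnectgroupname: racfid=SYS1,profiletype=GROUP,cn=myRACF
racfconnectgroupname: racfid=WASADMIN,profiletype=GROUP,cn=myRACF
"""


def bind_dn(racf_user: str, sdbm_suffix: str = SDBM_SUFFIX) -> str:
    """Bind DN = racfid=<user>,profiletype=user,<SDBM suffix> (see 'Before you begin')."""
    return f"racfid={racf_user},profiletype=user,{sdbm_suffix}"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so that
    characters typed into the login form cannot alter the filter's structure."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(login_name: str, template: str = USER_FILTER) -> str:
    """Substitute the login name for %v in the User filter."""
    return template.replace("%v", escape_filter_value(login_name))


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF parser: attribute names are case-insensitive, values may repeat."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(val.strip())
    return entry


def rdn_value(dn: str, attr: str) -> Optional[str]:
    """Apply an ID map such as '*:racfid': take the value of the <attr> RDN of a DN."""
    m = re.match(rf"{attr}=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None


def resolve_groups(entry: Dict[str, List[str]],
                   group_member_id_map: str = GROUP_MEMBER_ID_MAP,
                   id_map: str = ID_MAP) -> List[str]:
    """Each racfconnectgroupname value is a group DN; reduce it to the group's racfid."""
    member_attr = group_member_id_map.split(":")[0]
    id_attr = id_map.split(":")[1]
    return [g for g in (rdn_value(v, id_attr) for v in entry.get(member_attr.lower(), [])) if g]


def is_member(groups: List[str], wanted: str) -> bool:
    """Step 5, 'Ignore case for authorization': RACF user and group names are not case-sensitive."""
    return wanted.casefold() in {g.casefold() for g in groups}


if __name__ == "__main__":
    print(bind_dn("johndoe"))
    print(user_search_filter("johndoe"))
    entry = parse_ldif_entry(SAMPLE_ENTRY)
    groups = resolve_groups(entry)
    print(groups, is_member(groups, "wasadmin"))
```

The escaping step is the part worth noting: WebSphere performs the %v substitution itself, but the same rule applies to any code of your own that builds filters from a login name, since a filter template like racfid=%v is only as safe as the value placed into it.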

Results

Your environment is now protected by LDAP on z/OS with a RACF back end.