Installing and configuring a custom System Authorization Facility mapping module for WebSphere Application Server
Use this task to add a custom System Authorization Facility (SAF) mapping module to one of the system login modules by using the administrative console.
Before you begin
To use a pluggable login module to perform Java™ Platform, Enterprise Edition (Java EE) identity to Resource Access Control Facility (RACF®) user mapping, you must configure a pluggable mapping module, followed by configuring the WebSphere® Application Server for z/OS-supplied module, com.ibm.ws.security.common.auth.module.MapPlatformSubject, in the appropriate Java Authentication and Authorization Service (JAAS) system login configurations. When SAF Authorization or Synch to OS Thread is configured, this approach enables an installation to configure the active WebSphere Application Server registry as either a standalone Lightweight Directory Access Protocol (LDAP) registry or a standalone custom registry.
WebSphere Application Server does not support a local operating system registry on any platform under the federated repository functionality. Thus, a SAF-managed RACF registry is not supported under the federated repository functionality.
Before proceeding, make sure you know how to write a mapping module to get a SAF identity. For more information, refer to Writing a custom System Authorization Facility (SAF) mapping module with non-local operating system. If you use anything other than the sample, you must build the relevant classes and install them into the <WAS_HOME>/classes directory for each node in the cell, including the deployment manager node in a cell. If Java 2 security is enabled, ensure that the server.policy file is updated to provide appropriate permissions.
About this task
- For Simple WebSphere Authentication Mechanism (SWAM), add the entry to the SWAM login module. Note: SWAM is deprecated in WebSphere Application Server Version 8.5 and will be removed in a future release.
- For Lightweight Third Party Authentication (LTPA), add the entry to the WEB_INBOUND, RMI_INBOUND, and DEFAULT login modules.
LTPA is the default authentication mechanism for WebSphere Application Server Version 8.5.
Procedure
Make these changes for each of the system login modules needed for your WebSphere Application Server for z/OS® configuration. The choice of which system login modules are needed is based on your authentication mechanism (SWAM or LTPA).
- Click Security > Global security.
- Under Java Authentication and Authorization Service, click System logins > login_module_name.
- Under Additional properties, click JAAS login modules > com.ibm.websphere.security.SampleSAFMappingModule.
- Under Additional properties, click Custom Properties > New.
- Enter the custom property name useWSPrincipalName and the value false.
- Click Apply, Save, and Save.
What to do next
Repeat this process for each of the system login modules that use the modified SampleSAFMappingModule.
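As an added check that is not part of the IBM documentation, the following Python script audits a security.xml export for the configuration the procedure above produces: for each required system login entry it verifies that SampleSAFMappingModule is present with useWSPrincipalName set to false and that MapPlatformSubject follows it, as the task description requires. The element and attribute names (systemLoginConfig, entries/alias, loginModules/moduleClassName, options/name/value) are assumptions about the security.xml layout, and the embedded sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the systemLoginConfig section of security.xml
# (simplified; element and attribute names are an assumption, not IBM's schema).
SAMPLE_SECURITY_XML = """<systemLoginConfig>
  <entries alias="WEB_INBOUND">
    <loginModules moduleClassName="com.ibm.websphere.security.SampleSAFMappingModule">
      <options name="useWSPrincipalName" value="false"/>
    </loginModules>
    <loginModules moduleClassName="com.ibm.ws.security.common.auth.module.MapPlatformSubject"/>
  </entries>
  <entries alias="RMI_INBOUND">
    <loginModules moduleClassName="com.ibm.ws.security.common.auth.module.MapPlatformSubject"/>
    <loginModules moduleClassName="com.ibm.websphere.security.SampleSAFMappingModule">
      <options name="useWSPrincipalName" value="true"/>
    </loginModules>
  </entries>
  <entries alias="DEFAULT">
    <loginModules moduleClassName="com.ibm.ws.security.common.auth.module.MapPlatformSubject"/>
  </entries>
</systemLoginConfig>"""

MAPPING_MODULE = "com.ibm.websphere.security.SampleSAFMappingModule"
PLATFORM_MODULE = "com.ibm.ws.security.common.auth.module.MapPlatformSubject"
LTPA_ENTRIES = ("WEB_INBOUND", "RMI_INBOUND", "DEFAULT")  # for SWAM use ("SWAM",)

def audit_saf_mapping(security_xml, aliases=LTPA_ENTRIES):
    """Return {alias: [problems]}; an empty list means the entry matches the procedure."""
    root = ET.fromstring(security_xml)
    entries = {e.get("alias"): e for cfg in root.iter("systemLoginConfig")
               for e in cfg.findall("entries")}
    report = {}
    for alias in aliases:
        entry = entries.get(alias)
        if entry is None:
            report[alias] = ["system login entry missing"]
            continue
        modules = entry.findall("loginModules")
        classes = [m.get("moduleClassName") for m in modules]
        problems = []
        if MAPPING_MODULE not in classes:
            problems.append("SampleSAFMappingModule not configured")
        else:
            idx = classes.index(MAPPING_MODULE)
            opts = {o.get("name"): o.get("value") for o in modules[idx].findall("options")}
            if opts.get("useWSPrincipalName") != "false":
                problems.append("useWSPrincipalName is %r, expected 'false'" % opts.get("useWSPrincipalName"))
            if PLATFORM_MODULE not in classes[idx + 1:]:  # mapping module must come first
                problems.append("MapPlatformSubject must follow the mapping module")
        report[alias] = problems
    return report
```

Run it against the security.xml of each node, including the deployment manager, after saving the console changes; any non-empty list points at an entry that still needs the procedure applied.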