[z/OS]

Using distributed identity mapping for SAF

In this release of WebSphere® Application Server, you can use z/OS® System Authorization Facility (SAF) security to associate a SAF user ID with a distributed identity.

About this task

When you use this feature, you can maintain the original identity information of a user for audit purposes and have less to configure in WebSphere Application Server.

You can log in to a WebSphere Application Server application with the distributed identity of the user. The filters defined in the z/OS security product then determine the mapping of the distributed identity to a SAF user.

Note: The SAF distributed identity mapping feature is not supported in a mixed-version cell (nodes prior to WebSphere Application Server Version 8.0).

Procedure

  1. Review the Distributed identity mapping using SAF topic.
    Decide which scenario applies to your configuration and make any necessary changes.
    Note: Before you configure distributed identity mapping, you must first remove unnecessary Java™ Authentication and Authorization Service (JAAS) login modules. Ensure that you do not have the com.ibm.ws.security.common.auth.module.MapPlatformSubject login JAAS module configured in WebSphere Application Server. Use the administrative console or wsadmin scripting to remove this login module, or you can use the provided Jython script, removeMapPlatformSubject.py, which searches for and removes this login module from the appropriate login entries. For more information about how to use this script, read the removeMapPlatformSubject script topic.
  2. Configure the RACMAP filters in the z/OS security product to establish the mapping of distributed identities to SAF users.
    Read the Distributed identity filters configuration in z/OS security topic for more information.
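The following REXX exec is an added example, not part of the IBM documentation, showing what the RACMAP step above looks like when one distributed identity is mapped one-to-one to a SAF user and the result is verified. The user ID WASUSR1, the distinguished name, the registry name and the label are all constructed assumptions; the registry name must match what your WebSphere configuration actually presents.

```rexx
/* REXX - added example, not from the IBM page.                       */
/* Maps one constructed distributed identity to the assumed SAF user  */
/* ID WASUSR1. User ID, DN, registry name and label are assumptions.  */
ADDRESS TSO

/* Make sure the IDIDMAP class is active and RACLISTed (skip if it    */
/* already is on this system).                                        */
"SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)"

/* One-to-one filter: the full DN of the distributed user plus the    */
/* registry it was authenticated against. Keeping the filter this     */
/* specific means only this identity resolves to WASUSR1, so the      */
/* original identity stays distinguishable in the audit records.      */
dn  = "CN=Jane Doe,OU=Users,O=Example"
reg = "ldaps://ldap.example.com:636"
"RACMAP ID(WASUSR1) MAP",
   "USERDIDFILTER(NAME('"dn"'))",
   "REGISTRY(NAME('"reg"'))",
   "WITHLABEL('Jane Doe via corporate LDAP')"
IF rc <> 0 THEN DO
   SAY "RACMAP MAP failed, rc="rc
   EXIT rc
END

/* Refresh the in-storage IDIDMAP profiles so the new filter is used. */
"SETROPTS RACLIST(IDIDMAP) REFRESH"

/* Verify which filters are now associated with the SAF user.         */
"RACMAP ID(WASUSR1) LISTMAP"
```

A filter that omits most of the DN maps many distributed identities to the same SAF user, which defeats the audit purpose described above unless that many-to-one mapping is intended; the LISTMAP output is the place to check what each SAF user actually accepts.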