Authenticating with SAF on IBM HTTP Server (z/OS systems)
You can authenticate to the IBM® HTTP Server on z/OS® by using HTTP basic authentication or client certificates with the System Authorization Facility (SAF) security product. Use SAF authentication for verification of user IDs and passwords or certificates.
Before you begin
The mod_authz_core and mod_auth_basic modules provide basic authentication and authorization support, which is needed in mod_authnz_saf configurations. In addition, the mod_ibm_ssl module supports SSL client certificates. If you use SAF authentication, ensure that the first three LoadModule directives from the following example are activated. If you use SSL client certificates, also ensure that the mod_ibm_ssl.so LoadModule directive is activated.

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authnz_saf_module modules/mod_authnz_saf.so
# mod_authz_core will typically already load by default
LoadModule authz_core_module modules/mod_authz_core.so
# Uncomment mod_ibm_ssl if any type of SSL support is required,
# such as client certificate authentication
#LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
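
The prerequisite above can be checked before a restart. The following Python sketch is an added example, not part of the IBM documentation: it reports which of the required LoadModule directives are missing or still commented out. The function names and the sample configuration text are constructed for illustration, and the check reads a single configuration text without following Include directives.

```python
import re

# Modules the page says must be loaded for SAF authentication.
REQUIRED_FOR_SAF = {"auth_basic_module", "authnz_saf_module", "authz_core_module"}
# Additionally required when SSL client certificates are used.
SSL_MODULE = "ibm_ssl_module"

# Directive names are case-insensitive; a leading '#' prevents a match.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)


def active_modules(conf_text):
    """Return the module names loaded by uncommented LoadModule lines."""
    mods = set()
    for line in conf_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if m:
            mods.add(m.group(1))
    return mods


def check_saf_prereqs(conf_text, uses_client_certs=False):
    """Return a sorted list of modules that are needed but not activated."""
    needed = set(REQUIRED_FOR_SAF)
    if uses_client_certs:
        needed.add(SSL_MODULE)
    return sorted(needed - active_modules(conf_text))


# Constructed sample: the page's example with mod_ibm_ssl left commented out.
SAMPLE_CONF = """\
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authnz_saf_module modules/mod_authnz_saf.so
# mod_authz_core will typically already load by default
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
"""

if __name__ == "__main__":
    print("basic auth, missing:", check_saf_prereqs(SAMPLE_CONF))
    print("client certs, missing:",
          check_saf_prereqs(SAMPLE_CONF, uses_client_certs=True))
```

An empty list means every required module is activated in the text that was checked. A module reported as missing may still be loaded from an included file.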
About this task
SAF authentication is provided by the mod_authnz_saf module. The mod_authnz_saf module allows the use of HTTP basic authentication or client certificates to restrict access by looking up users, groups, and SSL client certificates in SAF. Use the SAFRunAs directive of this module to switch the thread from the server ID to another ID before responding to the request. For more information, see SAF directives in the product documentation. Also, see Migrating and installing IBM HTTP Server on z/OS systems for information about migrating your SAF directives.