Resource Access Control Facility Tips for customizing WebSphere Application Server
It is important to understand the security mechanisms used to protect the server resources using the CBIND, SERVER, and STARTED classes in RACF® (or your security product). This paper describes these mechanisms along with some techniques for managing the security environment.
CBIND: Access to servers, and access to objects in the servers
SERVER: Access to controller regions by servant regions
STARTED: Associate user IDs and groups with started procedures (STCs)
It also shows how to add the required RACF profiles and permissions for an additional server in your cell, and how to define a minimal set of users, groups, and profiles for a test environment (where the security of individual servers is not the main concern).
RACF Profiles (CBIND, SERVER, and STARTED): Basic information about the RACF profiles used by WebSphere can be found in the System Authorization Facility classes and profiles. This section adds some additional details about the CBIND, SERVER, and STARTED class profiles. The BBOCBRAK job generates RACF commands that can then be run with the BBOWBRAK job.
Key: CR = Controller Region
     SR = Servant Region
     CFG = Configuration (group)
     server = server short name
     cluster = generic server (short) name (also called cluster transition name)

User IDs and the groups they are connected to (user ID, default group, additional group):
<CR_userid>         <CR_groupid>, <CFG_groupid>
<SR_userid>         <SR_groupid>, <CFG_groupid>
<demn_userid>       <demn_groupid>, <CFG_groupid>
<admin_userid>      <CFG_groupid>
<client_userid>     <client_groupid>
<ctracewtr_userid>  <ctracewtr_groupid>
The following profiles protect the WebSphere servers and resources; each is shown with its universal access (UACC) and the permissions granted to specific IDs. The profiles are written in the shorthand used throughout this paper (profile name, UACC, then the PERMIT), not in full RACF command syntax.
CBIND Class profiles - access to generic servers
CB.BIND.<cluster> UACC(READ); PERMIT <CR_group> ACC(CONTROL)
CBIND Class profiles - access to objects in servers
CB.<cluster> UACC(READ); PERMIT <CR_group> ACC(CONTROL)
SERVER Class Profiles: There are currently two formats of the SERVER class profile that protects access to a server's controller region. Define the profile in the one format that matches your configuration; which format applies depends on whether Dynamic Application Environment (DAE) support is enabled. DAE support is provided by WLM APAR OW54622, which applies to z/OS V1R2 or higher. In both formats only the servant region's user ID is permitted, and UACC is NONE so that no other address space can bind to the controller as a servant.
- Static Application Environments (without the APAR support). The following profile controls access to the controller:
CB.<server>.<cluster> UACC(NONE); PERMIT <SR_userid> ACC(READ)
Here server = server short name, cluster = cluster name (or the cluster transition name if a cluster has not yet been created), and SR_userid = the MVS user ID of the servant region.
- Dynamic Application Environments (with the WLM DAE APAR support). The profile gains a cell qualifier:
CB.<server>.<cluster>.<cell> UACC(NONE); PERMIT <SR_userid> ACC(READ)
Here cell = cell short name; server, cluster, and SR_userid are as above.
STARTED class profiles assign user and group IDs to controller regions and other STCs. The profile that applies depends on whether the started task is started through the MGCRE interface (the START command path) or through the address space create (ASCRE) interface that Workload Manager (WLM) uses to start servant regions:
STARTED Class profiles - (MGCRE)
<CR_proc>.<CR_jobname> STDATA(USER(CR_userid) GROUP(CFG_groupid))
<demn_proc>.* STDATA(USER(demn_userid) GROUP(CFG_groupid))
STARTED Class profiles - (ASCRE)
<SR_jobname>.<SR_jobname> STDATA(USER(SR_userid) GROUP(CFG_groupid))
STARTED Class profiles for IJP - (MGCRE)
<MQ_ssname>.* STDATA(USER(IJP_userid) GROUP(CFG_groupid))
Generating new user IDs and profiles for a new server: If you want to use unique user IDs for each new application server, you must define these users, groups, and profiles in the RACF database. Locate the BBOWBRAK member, generated by the WebSphere z/OS Profile Management Tool or the zpmt command, in the .DATA partitioned data set, and change the following entries to the new users, groups, and unique New_server name and New_cluster name:
- If unique user IDs for the new servers are desired, define three new users and connect them to the following groups:
<New_CR_userid> <CR_groupid>, <CFG_groupid>
<New_SR_userid> <SR_groupid>, <CFG_groupid>
<New_client_userid> <client_groupid>
- CBIND class profiles for the new cluster (generic server short name):
CB.BIND.<New_cluster>
CB.<New_cluster>
- SERVER class profiles for the new server and cluster (use the format that matches your DAE setting):
CB.<New_server>.<New_cluster>
CB.<New_server>.<New_cluster>.<cell>
- STARTED class profiles for the new server's controller and servant regions:
<CR_proc>.<New_CR_jobname> STDATA(USER(New_CR_userid) GROUP(CFG_groupid))
<New_SR_jobname>.* STDATA(USER(New_SR_userid) GROUP(CFG_groupid))
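The steps above are a checklist; what actually gets run is a set of RACF commands. The following added example (not code from the paper or from IBM) turns that checklist into full RDEFINE/PERMIT/ADDUSER/CONNECT commands for one new server, so the command set can be reviewed before it is submitted. All names (T5SRV02, T5CL02, T5ACRU2, T5CFG, and so on) are constructed for the example, and the ADDUSER form used here (DFLTGRP plus NAME) is an assumption about how your shop defines server user IDs.

```python
"""Generate the RACF commands for adding a new WebSphere for z/OS server.

Added example, not from the original paper or from IBM. It follows the
profile list in the paper: three new user IDs, two CBIND profiles for the
new cluster, one SERVER profile for the new server (old or DAE format),
and STARTED profiles for the controller (MGCRE) and servant (ASCRE).
All names are constructed; adjust them to your own naming convention.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class NewServer:
    """Names for one new server; the short names are what the profiles use."""
    server: str          # server short name, e.g. T5SRV02
    cluster: str         # generic server short name (cluster transition name)
    cell: str            # cell short name (used only by the DAE-format SERVER profile)
    cr_proc: str         # controller region procedure name
    cr_jobname: str      # controller region jobname
    sr_jobname: str      # servant region jobname (WLM starts servants via ASCRE)
    cr_userid: str       # new controller region user ID
    sr_userid: str       # new servant region user ID
    client_userid: str   # new client user ID
    cr_group: str        # controller group: gets CONTROL on the CBIND profiles
    sr_group: str        # servant group
    client_group: str    # client group
    cfg_group: str       # configuration group (second connect for CR and SR IDs)
    dae: bool = True     # Dynamic Application Environments (WLM APAR OW54622) active?


def racf_commands(s: NewServer) -> list[str]:
    """Return the RACF commands for the new server, in the order to run them."""
    cmds = [
        # 1. unique user IDs, each with its default group, then the CFG group connect
        f"ADDUSER {s.cr_userid} DFLTGRP({s.cr_group}) NAME('WAS CR {s.server}')",
        f"CONNECT {s.cr_userid} GROUP({s.cfg_group})",
        f"ADDUSER {s.sr_userid} DFLTGRP({s.sr_group}) NAME('WAS SR {s.server}')",
        f"CONNECT {s.sr_userid} GROUP({s.cfg_group})",
        f"ADDUSER {s.client_userid} DFLTGRP({s.client_group}) NAME('WAS CLIENT {s.server}')",
        # 2. CBIND: access to the generic server, and to objects in it
        f"RDEFINE CBIND CB.BIND.{s.cluster} UACC(READ)",
        f"PERMIT CB.BIND.{s.cluster} CLASS(CBIND) ID({s.cr_group}) ACCESS(CONTROL)",
        f"RDEFINE CBIND CB.{s.cluster} UACC(READ)",
        f"PERMIT CB.{s.cluster} CLASS(CBIND) ID({s.cr_group}) ACCESS(CONTROL)",
    ]
    # 3. SERVER: UACC(NONE), and only the servant user ID may bind to the controller.
    #    The cell qualifier is present only when DAE support is enabled.
    server_profile = f"CB.{s.server}.{s.cluster}" + (f".{s.cell}" if s.dae else "")
    cmds += [
        f"RDEFINE SERVER {server_profile} UACC(NONE)",
        f"PERMIT {server_profile} CLASS(SERVER) ID({s.sr_userid}) ACCESS(READ)",
        # 4. STARTED: controller is started via MGCRE (proc.jobname),
        #    servant via ASCRE (jobname.*)
        f"RDEFINE STARTED {s.cr_proc}.{s.cr_jobname} "
        f"STDATA(USER({s.cr_userid}) GROUP({s.cfg_group}))",
        f"RDEFINE STARTED {s.sr_jobname}.* "
        f"STDATA(USER({s.sr_userid}) GROUP({s.cfg_group}))",
        # 5. all three classes are RACLISTed: without a refresh nothing takes effect
        "SETROPTS RACLIST(CBIND SERVER STARTED) REFRESH",
    ]
    return cmds


if __name__ == "__main__":
    example = NewServer(server="T5SRV02", cluster="T5CL02", cell="T5CELL",
                        cr_proc="T5ACR", cr_jobname="T5SRV02", sr_jobname="T5SRV02S",
                        cr_userid="T5ACRU2", sr_userid="T5ASRU2", client_userid="T5CLTU2",
                        cr_group="T5ACRG", sr_group="T5ASRG", client_group="T5CLTG",
                        cfg_group="T5CFG")
    print("\n".join(racf_commands(example)))
```

The output is plain TSO command text, so it can be pasted into a BBOWBRAK-style batch job or issued from TSO by a RACF administrator; the final SETROPTS REFRESH is the step most often forgotten when profiles are added by hand.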
Using a minimal set of user IDs and profiles for a test environment: the following example uses a single user ID (T5USR), one group (T5GRP), and a set of servers in the T5CELL cell having server short names starting with T5SRV* and generic server names starting with T5CL*. This technique can also be used with Integral JMS provider (IJP) and WebSphere Application Server Network Deployment (ND) configurations. Because every region runs under the same user ID, the profiles give no isolation between servers; use this layout only where that is acceptable.

/* CBIND Class profiles (UACC) - access to generic servers */
CB.BIND.T5CL* UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)
/* CBIND Class profiles (UACC) - access to objects in servers */
CB.T5CL* UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)
/* SERVER Class profiles - access to controllers (old style) */
CB.*.T5CL* UACC(NONE); PERMIT ID(T5USR) ACC(READ)
/* SERVER Class profiles - access to controllers (new style) */
CB.*.*.T5CELL UACC(NONE); PERMIT ID(T5USR) ACC(READ)
/* STARTED Class profiles - (MGCRE) - for STCs, except servants */
T5ACR.*  STDATA(USER(T5USR) GROUP(T5GRP)) /* controller */
T5DMN.*  STDATA(USER(T5USR) GROUP(T5GRP)) /* daemon */
T5CTRW.* STDATA(USER(T5USR) GROUP(T5GRP)) /* CTrace WTR */
WMQX*.*  STDATA(USER(T5USR) GROUP(T5GRP)) /* IJP */
/* STARTED Class profiles - (ASCRE - for servants) */
T5SRV*.* STDATA(USER(T5USR) GROUP(T5GRP)) /* servant */
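Whether the profiles come from BBOCBRAK or are typed by hand, the settings that matter are small and easy to get wrong: a SERVER profile with any UACC other than NONE, a CBIND UACC above READ, a STARTED profile without STDATA, or a RACLISTed class that is changed and never refreshed. The following added example (not code from the paper or from IBM) is a small reviewer for a BBOWBRAK-style command file that checks those four points. SAMPLE is constructed: it is the T5 test-environment profile set above written out in full RACF command syntax, with one deliberately weak SERVER line and a refresh that omits the SERVER class, so that the checks have something to find.

```python
"""Review generated RACF commands for WebSphere for z/OS before running them.

Added example, not from the original paper or from IBM. It parses the
RDEFINE / PERMIT / SETROPTS commands a BBOWBRAK-style job would issue and
flags settings that weaken the model described in the paper:
  - a SERVER profile whose UACC is not NONE (any user ID could bind as servant),
  - a CBIND profile with UACC above READ,
  - a SERVER PERMIT above READ, or a PERMIT to ID(*) above READ in any class,
  - a STARTED profile without STDATA USER/GROUP,
  - a RACLISTed class that is changed but never refreshed.
SAMPLE is constructed for the example and is not the paper's own text.
"""
import re

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
RACLISTED = {"CBIND", "SERVER", "STARTED"}     # classes WebSphere needs RACLISTed

RDEFINE_RE = re.compile(r"^RDEFINE\s+(\w+)\s+(\S+)(.*)$", re.I)
PERMIT_RE = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ID\((\S+)\)\s+ACC(?:ESS)?\((\w+)\)", re.I)
SETROPTS_RE = re.compile(r"^SETROPTS\s+RACLIST\(([^)]*)\)\s+REFRESH", re.I)


def parse(lines):
    """Return (rdefines, permits, refreshed_classes) from RACF command text."""
    rdefines, permits, refreshed = [], [], set()
    for raw in lines:
        line = raw.split("/*")[0].strip()          # drop /* comments */
        if not line:
            continue
        if m := RDEFINE_RE.match(line):
            cls, profile, rest = m.group(1).upper(), m.group(2), m.group(3).upper()
            uacc = re.search(r"UACC\((\w+)\)", rest)
            # RACF defaults UACC to NONE when the keyword is absent
            rdefines.append((cls, profile, uacc.group(1) if uacc else "NONE", rest))
        elif m := PERMIT_RE.match(line):
            permits.append((m.group(2).upper(), m.group(1), m.group(3).upper(),
                            m.group(4).upper()))
        elif m := SETROPTS_RE.match(line):
            refreshed.update(c.upper() for c in m.group(1).split())
    return rdefines, permits, refreshed


def review(lines):
    """Return a list of findings; an empty list means the command set is clean."""
    findings = []
    rdefines, permits, refreshed = parse(lines)
    touched = set()
    for cls, profile, uacc, rest in rdefines:
        touched.add(cls)
        rank = ACCESS_RANK.get(uacc, 0)
        if cls == "SERVER" and uacc != "NONE":
            findings.append(f"SERVER {profile}: UACC({uacc}) lets any user ID bind "
                            "to the controller as a servant; use UACC(NONE)")
        if cls == "CBIND" and rank > ACCESS_RANK["READ"]:
            findings.append(f"CBIND {profile}: UACC({uacc}) is above READ")
        if cls == "STARTED" and not re.search(r"STDATA\(.*USER\(\w+\).*GROUP\(\w+\)", rest):
            findings.append(f"STARTED {profile}: missing STDATA USER/GROUP")
    for cls, profile, who, acc in permits:
        touched.add(cls)
        rank = ACCESS_RANK.get(acc, 0)
        if cls == "SERVER" and rank > ACCESS_RANK["READ"]:
            findings.append(f"SERVER {profile}: PERMIT {who} ACCESS({acc}) exceeds "
                            "the READ a servant needs")
        elif who == "*" and rank > ACCESS_RANK["READ"]:
            findings.append(f"{cls} {profile}: PERMIT ID(*) ACCESS({acc}) is above READ")
    for cls in sorted((touched & RACLISTED) - refreshed):
        findings.append(f"{cls}: profiles changed but no SETROPTS RACLIST({cls}) REFRESH")
    return findings


# Constructed sample: the T5 test-environment profiles in full RACF syntax,
# plus one weak SERVER line and a refresh that forgets the SERVER class.
SAMPLE = """
/* CBIND Class profiles (UACC) - access to generic servers */
RDEFINE CBIND CB.BIND.T5CL* UACC(READ)
PERMIT CB.BIND.T5CL* CLASS(CBIND) ID(T5GRP) ACCESS(CONTROL)
/* CBIND Class profiles (UACC) - access to objects in servers */
RDEFINE CBIND CB.T5CL* UACC(READ)
PERMIT CB.T5CL* CLASS(CBIND) ID(T5GRP) ACCESS(CONTROL)
/* SERVER Class profiles - access to controllers (old style) */
RDEFINE SERVER CB.*.T5CL* UACC(NONE)
PERMIT CB.*.T5CL* CLASS(SERVER) ID(T5USR) ACCESS(READ)
/* SERVER Class profiles - new style; constructed weak line: UACC(READ) */
RDEFINE SERVER CB.*.*.T5CELL UACC(READ)
PERMIT CB.*.*.T5CELL CLASS(SERVER) ID(T5USR) ACCESS(READ)
/* STARTED Class profiles - (MGCRE) */
RDEFINE STARTED T5ACR.* STDATA(USER(T5USR) GROUP(T5GRP))   /* controller */
RDEFINE STARTED T5DMN.* STDATA(USER(T5USR) GROUP(T5GRP))   /* daemon */
RDEFINE STARTED T5CTRW.* STDATA(USER(T5USR) GROUP(T5GRP))  /* CTrace WTR */
RDEFINE STARTED WMQX*.* STDATA(USER(T5USR) GROUP(T5GRP))   /* IJP */
/* STARTED Class profiles - (ASCRE) */
RDEFINE STARTED T5SRV*.* STDATA(USER(T5USR) GROUP(T5GRP))  /* servant */
SETROPTS RACLIST(CBIND STARTED) REFRESH
"""

if __name__ == "__main__":
    for finding in review(SAMPLE.splitlines()):
        print(finding)
```

Run against SAMPLE it reports the UACC(READ) on CB.*.*.T5CELL and the missing SERVER refresh, and nothing else; with those two lines corrected it reports nothing. The checks are deliberately conservative: they test only the settings the paper itself prescribes (UACC(NONE) on SERVER, UACC(READ) on CBIND, STDATA on STARTED, and RACLIST refresh), not a site's own conventions.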