[z/OS]

Resource Access Control Facility Tips for customizing WebSphere Application Server

It is important to understand the security mechanisms used to protect the server resources using the CBIND, SERVER, and STARTED classes in RACF® (or your security product). This paper describes these mechanisms along with some techniques for managing the security environment.

The RACF profiles that protect the WebSphere® servers and resources use the following classes:
  • CBIND: Access to servers, and access to objects in the servers
  • SERVER: Access to controller regions by servant regions
  • STARTED: Associate user-ids and groups to started procedures (STCs)

When you add another server to your cell, you must add the required RACF profiles and permissions for it.

For a testing environment, where isolation between individual servers is not the main concern, you can define a minimal set of users, groups, and profiles that cover all the servers in a cell.

RACF Profiles (CBIND, SERVER, and STARTED): Basic information about the RACF profiles used by WebSphere can be found in the System Authorization Facility classes and profiles. This section adds some additional details about the CBIND, SERVER, and STARTED class profiles.

User IDs and Group IDs: As part of using the WebSphere z/OS® Profile Management Tool or the zpmt command, the BBOCBRAK job generates RACF commands that then can be run with the BBOWBRAK job. Key:
CR = Controller Region
SR = Servant Region
CFG = Configuration (group)
server = server short name
cluster = generic server (short) name (also called cluster transition name)
First, six users and six groups are defined. They are shown here symbolically (the user ID followed by the groups it is connected to) so that you can follow how they are used in the permissions later on:
<CR_userid> <CR_groupid>, <CFG_groupid>
<SR_userid> <SR_groupid>, <CFG_groupid>
<demn_userid> <demn_groupid>, <CFG_groupid>
<admin_userid> <CFG_groupid>
<client_userid> <client_groupid>
<ctracewtr_userid> <ctracewtr_groupid>

The following profiles protect the WebSphere servers and resources; each is shown with the permissions and access levels it requires.

CBIND Class Profiles: There are two formats and levels of CBIND class profiles, one protecting the bind to an application server and one protecting access to the objects in that server:
CBIND Class profiles - access to generic servers (the bind)
CB.BIND.<cluster> UACC(READ); PERMIT <CR_groupid> ACC(CONTROL)

CBIND Class profiles - access to objects in servers
CB.<cluster> UACC(READ); PERMIT <CR_groupid> ACC(CONTROL)

Note that UACC(READ) lets every user ID bind to the server and use its objects. If a server is to accept only known clients, define the profile with UACC(NONE) and PERMIT the client group (for example <client_groupid>) READ access explicitly.

SERVER Class Profiles: There are currently two formats of SERVER class profiles for protecting access to the server controller regions. Only one of the two formats is used at run time, depending on whether Dynamic Application Environment (DAE) support is enabled. DAE support is provided by WLM APAR OW54622, which applies to z/OS V1R2 or higher.

In the WebSphere z/OS Profile Management Tool or the zpmt command, both formats are predefined, and one of these is actually required at runtime. The required format is determined dynamically by the WebSphere Application Server for z/OS Runtime based on the availability of Dynamic Application Environment (DAE) support.
  • Without the WLM DAE APAR (static Application Environments), the servant's access to its controller is checked against this profile:
    RDEFINE SERVER CB.<server>.<cluster> UACC(NONE); PERMIT <SR_userid> ACC(READ)
    where server = server short name, cluster = cluster name (or the cluster transition name if a cluster has not yet been created), and SR_userid = the MVS user ID of the servant region.
  • With the WLM DAE APAR (dynamic Application Environments), the profile is additionally qualified by the cell:
    RDEFINE SERVER CB.<server>.<cluster>.<cell> UACC(NONE); PERMIT <SR_userid> ACC(READ)
    where cell = cell short name and the other names are as above.
STARTED Class Profiles: There are two formats of STARTED class profiles, used to assign user and group IDs to controller regions and other STCs. Which format applies depends on whether the started task is started with the MGCRE interface (the interface behind the START command) or with the address space create (ASCRE) interface that Workload Manager (WLM) uses to start servant regions:
STARTED Class profiles - (MGCRE)
<CR_proc>.<CR_jobname> STDATA(USER(CR_userid) GROUP(CFG_groupid))
<demn_proc>.* STDATA(USER(demn_userid) GROUP(CFG_groupid))

STARTED Class profiles - (ASCRE)
<SR_jobname>.<SR_jobname> STDATA(USER(SR_userid) GROUP(CFG_groupid))

STARTED Class profiles for IJP - (MGCRE)
<MQ_ssname>.* STDATA(USER(IJP_userid) GROUP(CFG_groupid))

Generating new user IDs and Profiles for a new Server: If you want to use unique user IDs for each new application server, you must define these users, groups, and profiles in the RACF database.

One technique is to edit a copy of the BBOWBRAK member in the .DATA partitioned data set generated by the WebSphere z/OS Profile Management Tool or the zpmt command, and change the following entries to the new users, groups, and the unique New_server and New_cluster names:
  • If unique user IDs for the new servers are desired, define three new users and connect them to the following groups:
    <New_CR_userid> <CR_groupid>, <CFG_groupid>
    <New_SR_userid> <SR_groupid>, <CFG_groupid>
    <New_client_userid> <client_groupid>
    
  • CBIND class profiles for the new cluster (generic server short name):
    CB.BIND.<New_cluster>
    CB.<New_cluster>
    
  • SERVER class profiles for the new server and cluster:
    CB.<New_server>.<New_cluster>
    CB.<New_server>.<New_cluster>.<cell>
    
  • STARTED class profiles for the new server's controller and servant's regions:
    <CR_proc>.<New_CR_jobname> STDATA(USER(New_CR_userid) GROUP(CFG_groupid))
    <New_SR_jobname>.* STDATA(USER(New_SR_userid) GROUP(CFG_groupid))
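The steps above, together with the two SERVER profile formats described earlier, carried through as one complete RACF command sequence for a new server. This is an added example, not output of the BBOCBRAK or BBOWBRAK jobs; the server, cluster, cell, procedure, job, user and group names (T5SRV2, T5CL2, T5CELL, T5ACR, T5SRV2S, T5ACRU2, T5ASRU2, T5CLIU2, T5ACRG, T5ASRG, T5CLIG, T5CFG), the OMVS UIDs and the home directory are assumptions chosen to match the naming used on this page:

```tso
/* Added example: RACF commands for a new server (not BBOWBRAK output).    */
/* Assumed names: server T5SRV2 in generic server (cluster) T5CL2, cell    */
/* T5CELL; controller proc T5ACR, controller jobname T5SRV2, servant       */
/* jobname T5SRV2S. Groups T5ACRG, T5ASRG, T5CLIG and T5CFG already exist. */
/* The UIDs and HOME directory are placeholders.                           */

/* 1. Unique user IDs for the new server, connected to the existing groups */
ADDUSER T5ACRU2 DFLTGRP(T5ACRG) OWNER(T5CFG) NOPASSWORD +
        OMVS(UID(2402) HOME(/var/WebSphere/home/T5CFG) PROGRAM(/bin/sh))
CONNECT T5ACRU2 GROUP(T5CFG)
ADDUSER T5ASRU2 DFLTGRP(T5ASRG) OWNER(T5CFG) NOPASSWORD +
        OMVS(UID(2403) HOME(/var/WebSphere/home/T5CFG) PROGRAM(/bin/sh))
CONNECT T5ASRU2 GROUP(T5CFG)
ADDUSER T5CLIU2 DFLTGRP(T5CLIG) OWNER(T5CFG) NOPASSWORD

/* 2. CBIND: bind to the new generic server, and use objects in it.        */
/*    UACC(READ) lets any user bind; the controller group gets CONTROL.    */
RDEFINE CBIND CB.BIND.T5CL2 UACC(READ)
PERMIT  CB.BIND.T5CL2 CLASS(CBIND) ID(T5ACRG) ACCESS(CONTROL)
RDEFINE CBIND CB.T5CL2 UACC(READ)
PERMIT  CB.T5CL2 CLASS(CBIND) ID(T5ACRG) ACCESS(CONTROL)

/* 3. SERVER: servant access to its controller. Both formats are defined;  */
/*    the runtime uses the cell-qualified one when WLM DAE support is      */
/*    available and the static one otherwise.                              */
RDEFINE SERVER CB.T5SRV2.T5CL2 UACC(NONE)
PERMIT  CB.T5SRV2.T5CL2 CLASS(SERVER) ID(T5ASRU2) ACCESS(READ)
RDEFINE SERVER CB.T5SRV2.T5CL2.T5CELL UACC(NONE)
PERMIT  CB.T5SRV2.T5CL2.T5CELL CLASS(SERVER) ID(T5ASRU2) ACCESS(READ)

/* 4. STARTED: controller is started by MGCRE (proc.jobname), the servant  */
/*    by WLM through ASCRE (jobname.*).                                    */
RDEFINE STARTED T5ACR.T5SRV2 STDATA(USER(T5ACRU2) GROUP(T5CFG))
RDEFINE STARTED T5SRV2S.*    STDATA(USER(T5ASRU2) GROUP(T5CFG))

/* 5. All three classes are RACLISTed: nothing above takes effect until    */
/*    the in-storage profiles are refreshed.                               */
SETROPTS RACLIST(CBIND SERVER STARTED) REFRESH

/* 6. Check: the servant user ID should appear with READ in the access     */
/*    list of its SERVER profile, and the servant's STARTED profile should */
/*    carry the new user and group IDs.                                    */
RLIST SERVER  CB.T5SRV2.T5CL2.T5CELL AUTHUSER
RLIST STARTED T5SRV2S.* STDATA
```

The SETROPTS REFRESH in step 5 is the step most often forgotten: because CBIND, SERVER and STARTED are RACLISTed classes, a newly defined profile is invisible to authorization checks until the refresh, and a servant started before it will fail its SERVER check (or, for STARTED, come up under the default started-task identity rather than the new one).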
    
Minimalist Profiles: To minimize the number of users, groups, and profiles in the RACF database, you can use one user ID, one group ID, and very generic profiles that cover multiple servers in the same cell. Here is an example of profiles with one user (T5USR), one group (T5GRP), and a set of servers in the T5CELL cell whose server short names start with T5SRV and whose generic server names start with T5CL. This technique can also be used with Integral JMS provider (IJP) and WebSphere Application Server Network Deployment (ND) configurations. Because every controller, servant, daemon, and IJP address space then runs under the same user ID, there is no RACF separation between the servers in the cell; as noted above, this is appropriate for a test environment, not for one where individual servers must be isolated from each other.
/* CBIND Class profiles (UACC) - access to generic servers */
CB.BIND.T5CL* UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)

/* CBIND Class profiles (UACC) - access to objects in servers */
CB.T5CL* UACC(READ); PERMIT ID(T5GRP) ACC(CONTROL)

/* SERVER Class profiles - access to controllers (old style, static AE) */
CB.*.T5CL* UACC(NONE); PERMIT ID(T5USR) ACC(READ)

/* SERVER Class profiles - access to controllers (new style, DAE) */
CB.*.*.T5CELL UACC(NONE); PERMIT ID(T5USR) ACC(READ)

/* STARTED Class profiles - (MGCRE) - for STCs, except servants */
T5ACR.* STDATA(USER(T5USR) GROUP(T5GRP)) /* controller*/
T5DMN.* STDATA(USER(T5USR) GROUP(T5GRP)) /* daemon */
T5CTRW.* STDATA(USER(T5USR) GROUP(T5GRP)) /* CTrace WTR*/
WMQX*.* STDATA(USER(T5USR) GROUP(T5GRP)) /* IJP */

/* STARTED Class profiles - (ASCRE - for servants) */
T5SRV*.* STDATA(USER(T5USR) GROUP(T5GRP)) /* servant */