[z/OS]

Enabling trusted applications

From a z/OS® perspective, trusted applications imply that the WebSphere® Application Server started task control (STC) is to be considered a "trusted application" and is allowed to change the System Authorization Facility (SAF) identity on the thread of execution. When a z/OS application (such as WebSphere Application Server) is trusted, the security infrastructure allows the creation of MVS™ credentials without using a password, passticket, or certificate as an authenticator, while still preserving the integrity of the MVS system.

Trusted applications, which you enable through the FACILITY class and the BBO.TRUSTEDAPPS class profile, are (as a general rule) needed when using SAF as the local operating system user registry or when you plan to use SAF authorization. When WebSphere Application Server is configured to use SAF security for a local operating system user registry, SAF authorization, or Sync to Thread Allowed, trusted applications must be enabled so that MVS system integrity remains preserved. Trusted applications meet the MVS integrity rules, so unauthorized callers are NOT allowed to call sensitive WebSphere Application Server code to perform authorized functions. When using SAF, you must define the trusted application within the Resource Access Control Facility (RACF®) or an equivalent product. The SAF authorization resource rules need to define WebSphere Application Server as the trusted application with the authority to change the identity on the thread of execution. In this way, WebSphere Application Server and MVS can work together without jeopardizing each other's integrity.

Using FACILITY class profiles

You enable the trusted applications by ensuring that the WebSphere Application Server has SAF access of READ to the RACF class of FACILITY and profile of BBO.TRUSTEDAPPS.<cell short name>.<cluster short name>.

Once defined, the trusted applications need to be enabled. You use the FACILITY class profile to give the RACF administrator control over the enabling of trusted applications. The following examples illustrate how you use the FACILITY class and the BBO.TRUSTEDAPPS class profile to provide this control.
  • Generic Example (one generic profile covers every cell and cluster, and READ is granted to a RACF group rather than to a single controller region userid):
    RDEF FACILITY BBO.TRUSTEDAPPS.** UACC(NONE)
    PERMIT BBO.TRUSTEDAPPS.** CLASS(FACILITY) ID(MYCBGROUP) ACC(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
  • Specific Example with a specific server identified by a cell short name of SY1, a cluster short name of BBOC001, and a controller region userid of MYSTCCR:
    RDEF FACILITY BBO.TRUSTEDAPPS.SY1.BBOC001 UACC(NONE)
    PERMIT BBO.TRUSTEDAPPS.SY1.BBOC001 CLASS(FACILITY) ID(MYSTCCR) ACC(READ)
    SETROPTS RACLIST(FACILITY) REFRESH