websphere on z/os and racf security
TRANSCRIPT
05/01/23 07:38 PM 5864_ER_WHITE.1
WebSphere on z/OSand RACF Security
Michael Erichsen & Adam Mazhar, CSCMarch 2006
05/01/23 07:38 PM 5864_ER_WHITE. 2
Purpose and contents of the Presentation• It is assumed that mainframe and Java people each on their
side have a much deeper knowledge than the writer of this presentation
– The ambition is solely to try to translate the two sides to each other to help better communicate and, consequently, to plan and execute the necessary work
• The presentation begins at the traditional RACF model and the normal Java Sign-on Model
– It then shows how the Java model is implemented in RACF– It finally compares this new model to the traditional CICS
security model
05/01/23 07:38 PM 5864_ER_WHITE. 3
What is RACF?• RACF means Resource Access Control Facility• RACF is really just a data base sitting passively, waiting for
someone to ask questions• RACF stores lists of groups of users, each having a
password and a number of profiles– Groups can contain groups
• RACF also stores lists of resource classes, each having a number of profiles and members
• The programming interface to inquire RACF is called SAF (System Authorization Facility) and consists of a number of macro calls
– The main macro calls are• RACROUTE,REQUEST=VERIFY to verify user IDs• RACROUTE,REQUEST=AUTH to check against access to a
secure profile
05/01/23 07:38 PM 5864_ER_WHITE. 4
Some RACF Class ExamplesDefault RACF Classes Description
CBIND Controls the client’s ability to bind to the server. With WebSphere we need to control access to the server
DATASET Access to data sets
DIGTCERT Contains digital certificates and information related to them
DSNR Controls access to DB2 subsystems (CONNECT)
EJBROLE Member class for J2EE authorization roles. The APPLDATA field in an EJBROLE profile defines the target Java identity when running in RUNAS ROLE mode
FACILITY Can be used for anything you want
GCICSTRN Grouping class for CICS Transactions
GEJBROLE Grouping class for Enterprise Java Beans authorization roles
MDSNDB MDSNPK MDSNPN MDSNBP MDSNCL MDSNTS MDSNSG MDSNTB MDSNSM MDSNSC MDSNUT MDSNUF MDSNSP MDSNJR DSNADM
Default Classes for DB2 External Security. Special classes exist forBuffer pools, collections, databases, packages, plans, storage groups, subsystems, tables, table spaces, etc
TCICSTRN CICS Transactions
SERVAUTH Can be used to protect TCP/IP ports
SERVER Used in WebSphere to control whether a server region can call authorized programs in the control region
05/01/23 07:38 PM 5864_ER_WHITE. 5
Traditional RACF Profiles and Permission Levels• TCICSTRN profiles typically contain all transactions in an
application or part of an application– Can be named whatever is appropriate
• DSNR profiles have names of the form subsystem.environment
– Subsystem is the name of a DB2 subsystem– Environment denotes the environment like SASS for CICS,
DIST for Distributed, BATCH for batch and some other types of workload
• User profiles consists of one or more segments:– A mandatory RACF segment, which holds basic information like
name, password etc.– Optional segments with system-specific data including CICS,
LANGUAGE and many others• Groups of users (or single users) are permitted access to a
profile in a class in levels, each of which include lower levels:
– ALTER, CONTROL, UPDATE. READ, EXECUTE, NONE
05/01/23 07:38 PM 5864_ER_WHITE. 6
Java Security• Authentication
– Basically checks the user's login name and password and allows access to step inside the application realm
• Authorization– Allows access to specific functions of a given application like:
• Screens (for example only a select people might be able to access Create New Person screen)
• Fields (For example only a select people might be able to see all fields on a query result screen or Create screen)
• Buttons (For example on a screen where there is an Update and Delete buttons, only certain people can do Deletes)
• Data (For example cases for a certain region can only be seen by users of that region, in other words restricting the where clauses of the queries based on certain key data elements)
05/01/23 07:38 PM 5864_ER_WHITE. 7
EJBROLES• Roles, as defined by J2EE, are not inherent in the
mainframe security model• In order to implement J2EE roles, a new class, EJBROLE,
was created– The name EJBROLE is not adequate, since it is used for J2EE
roles in both EJB’s and Web applications• When an application deployer uses a role in a component’s
deployment descriptor, the role name must be identical to the name of an EJBROLE profile
• A security administrator defines EJBROLE profiles and permits groups of users to the profiles
• In order to be considered as eligible for a role, a user must be connected to a group that has read access to the EJBROLE profile
– You can define single users directly to resources, but that often makes administration very complicated
05/01/23 07:38 PM 5864_ER_WHITE. 8
GEJBROLE• RACF also supports a grouping class for the EJBROLE
class called GEJBROLE• Used when you have a need to give access to the same
groups for several roles• The GEJBROLE grouping class provides a capability not
natively available in other J2EE servers• Probably practical, but certainly not portable
05/01/23 07:38 PM 5864_ER_WHITE. 9
Downstream Propagation of Userids From WebSphere
AuthorizationisCallerIn Role()getCallerPrincipal()
MethodExecution
DownstreamPropagation
RunAs=Server
Identity="Caller"
Identity=Server-IdentityRunAs=Caller Identity="Caller"RunAs=Role(x) Identity=Role(x) mapped to
RACF identity
RunAs is a J2EE option that allows a bean to temporarily run as the server identity or the identity of a role that the user has
This effectively corresponds to the CICS-DB2 interface definition AUTHID, which can be SIGNID (CICS Name), USERID, TERM (terminal id), TXID (Transaction code), or any string
05/01/23 07:38 PM 5864_ER_WHITE. 10
CICS and RACF Security in the 3270 WorldTerminal CICS RACFCICS Sign-On Program
Logon
Sign-On Screen
Not Signed On
Userid/Password
Authenticated
Authentication Message
Userid/Password
Yes, Authenticated
Transaction Request
DB2
DB2 Request
DB2 Response
Transaction Response
Authorized?
Authorized?
Yes, Authorized
Yes, Authorized
05/01/23 07:38 PM 5864_ER_WHITE. 11
Where is all this Stored?• At sign-on time CICS builds a control block in memory
representing the connection between terminal id and userid• This connection is kept until sign-off or time-out• CICS knows that a user is not signed on, when this
connection does not exist in its control blocks• The resource classes and profiles are stored in a memory
area shared by all systems (CICS’s, WebSphere’s, DB2’s, TSO users etc)
05/01/23 07:38 PM 5864_ER_WHITE. 12
WebSphere and RACF SecurityBrowser WebSphere RACFWAS Sign-On Program
HTTP/HTML Request
Sign-On HTML Page (Using Redirect)
Not Signed On
Userid/Password
Authenticated
Userid/Password
Yes, Authenticated
DB2
DB2 Request
DB2 ResponseHTTP/HTML Response
Authorized?
Authorized?
Yes, Authorized
Yes, Authorized
Remember Request
Process Original Request
05/01/23 07:38 PM 5864_ER_WHITE. 13
Where is all this Stored?• At sign-on time WebSphere creates a cookie containing a
security token, which represents the userid• WebSphere knows that a user is not signed on, when this
cookie and token is not in the header of a request• This has been implemented by the WebSphere developers
as a form based authentication– Necessary features like authentication failures, password
expiration and renewal is implemented as a Servlet Filter• A servlet filter is equivalent to a user exit in CICS
• The resource classes and profiles are stored in a memory area shared by all systems (WebSphere’s, CICS’s, DB2’s, TSO users etc)
05/01/23 07:38 PM 5864_ER_WHITE. 14
EJBROLE Implementation• Defining a role in RACF
– RDEFINE EJBROLE My.Web.Application.Role UACC(NONE) • Giving permission to a group of users
– PERMIT My.Web.Application.Role CLASS(EJBROLE) ID(MYUSERS) ACCESS(READ)
• If the user registry custom property com.ibm.security.SAF.authorization is set to true, then EJBROLE profiles are used to authorize J2EE roles
• If the user ID has at least READ access to the defined EJBROLE profile the user ID is considered to be in Role
• If you want to give access to the same groups for several roles, you can groups EJBROLE classes in a GEJBROLE class
05/01/23 07:38 PM 5864_ER_WHITE. 15
Further Reading
• Available online at www.redbooks.ibm.com/abstracts/sg246846.html