© 2014 IBM Corporation. IBM Advanced Technical Skills
ZCONN1: WebSphere Application Server Liberty Profile z/OS
z/OS Connect Security
IBM Americas Advanced Technical Skills, Gaithersburg, MD
Agenda
● Overview of z/OS Connect Security: security features for designers and architects.
● Securing our Lab Implementation: details for the security administrator.
Big Picture View of Mobile Environment and z/OS
z/OS Connect provides the mobile environment with a secure interface to z/OS applications and data. We anticipate the following to be a common architectural model:
[Diagram: Internet access clients → firewall → proxy servers in the DMZ → firewall → Systems of Engagement on the corporate intranet (e.g. IBM MobileFirst Platform, WebSphere, etc., running on Linux on System z, z/OS or other) → z/OS Connect and Systems of Record (e.g. CICS, IMS, Batch) on z/OS.]
z/OS Connect Security Features
z/OS Connect and the Liberty Profile utilize z/OS to provide mainframe quality security.
[Diagram: remote clients → Liberty Profile / z/OS Connect → CICS, IMS and Batch on z/OS, with SAF.]
Remote clients include Systems of Engagement like IBM MobileFirst Platform, other mid-tier devices, or even other mainframe programs.
z/OS Connect Security Features: Confidentiality
“Protecting the conversation between client and server.”
Secure Sockets Layer (SSL), also known as Transport Layer Security (TLS):
● SAF keyrings and certificates: under security admin control.
● Java-based keyfiles and certificates: quick and easy.
[Diagram: remote clients → Liberty Profile / z/OS Connect → CICS, IMS and Batch on z/OS, with SAF.]
z/OS Connect Security Features: Authentication
“Making the client prove its identity.”
● Basic Authentication: userid/password in the HTTP header.
● Client Certificate Authentication: mapping the client's certificate to a local userid.
● LTPA Token: WebSphere credentials in a cookie.
● Trust Association Interceptor (TAI): for customized authentication solutions.
[Diagram: remote clients → Liberty Profile / z/OS Connect → CICS, IMS and Batch on z/OS, with SAF.]
z/OS Connect Security Features: Registries
“Where the clients are defined.”
● SAF: RACF, CA-ACF2, CA-Top Secret.
● basicRegistry: define users and groups in server.xml.
● LDAP: local or remote.
[Diagram: remote clients → Liberty Profile / z/OS Connect → CICS, IMS and Batch on z/OS, with SAF and LDAP.]
z/OS Connect Security Features: Authorization
“Controlling what the authenticated client can do.”
● EJBROLE: to use z/OS Connect.
● APPL: to use z/OS Connect.
● Authorization Interceptor: using groups for finer grained authority.
[Diagram: remote clients → Liberty Profile / z/OS Connect → CICS, IMS and Batch on z/OS, with SAF.]
z/OS Connect Security Features: Authorization
“Controlling what z/OS Connect and CICS can do.”
● SERVER: for Liberty Profile to use z/OS authorized services, e.g. SAF authorization, WOLA, etc.
● CBIND: for CICS to register with z/OS Connect's WOLA.
[Diagram: remote clients → Liberty Profile / z/OS Connect → CICS, IMS and Batch on z/OS, with SAF.]
z/OS Connect Security Features: Propagation
“What identity is passed to CICS?”
● The CICS Link Server task.
● An identity asserted by the remote client.
● The remote client.
[Diagram: remote clients → Liberty Profile / z/OS Connect → CICS, IMS and Batch on z/OS, with SAF.]
z/OS Connect Security Features: Audit
“What record is there of security events?”
● Liberty log files.
● SMF type 80.
Events recorded: authentication and authorization (EJBROLE, CBIND, APPL, TCICSTRN, SURROGAT).
[Diagram: remote clients → Liberty Profile / z/OS Connect → CICS, IMS and Batch on z/OS, with SAF and SMF.]
A Sample Security Scenario
Security requirements vary based upon the nature of the application. This diagram might serve as a starting point for further discussion.
[Diagram: Internet → Auth/Proxy servers in the DMZ (IBM® Security Access Manager for Web, IBM® Security Access Manager for Mobile) → Systems of Engagement on the corporate intranet (e.g. IBM MobileFirst Platform, WebSphere, etc., on Linux on System z, z/OS or other) → z/OS Connect and Systems of Record (e.g. CICS, IMS, Batch) on z/OS. Every hop is protected with SSL; the legend distinguishes client certificate, ID/PW and LTPA token credentials on the connections.]
Securing our Lab Implementation
The RACF Commands from Unit 2 Lab
● In Unit 2 Lab you defined the Server and Angel userids and a guest userid, and groups to own them.
● USER1.WAS.CNTL(ZCRACF1):
ADDGROUP LIBGRP OMVS(AUTOGID) OWNER(SYS1)
ADDGROUP WSGUESTG OMVS(AUTOGID) OWNER(SYS1)
ADDUSER LIBANGE DFLTGRP(LIBGRP) OMVS(AUTOUID HOME(/u/libange/) -
PROGRAM(/bin/sh)) NAME('LIBERTY ANGEL') NOPASSWORD NOOIDCARD
ADDUSER LIBSERV DFLTGRP(LIBGRP) OMVS(AUTOUID HOME(/u/libserv/) -
PROGRAM(/bin/sh)) NAME('LIBERTY SERVER')
ALTUSER LIBSERV PASSWORD(LIBSERV) NOEXPIRED
ADDUSER FRED DFLTGRP(LIBGRP) OMVS(AUTOUID HOME(/u/fred/) -
PROGRAM(/bin/sh)) NAME('USER FRED')
ADDUSER WSGUEST RESTRICTED DFLTGRP(WSGUESTG) OMVS(AUTOUID -
HOME(/u/wsguest) PROGRAM(/bin/sh)) NAME('UNAUTHENTICATED USER') -
NOPASSWORD NOOIDCARD
Liberty Profile Started Tasks
The Liberty Profile consists of one or more servers and optionally one Angel.
● Angel: the Angel Process runs in an authorized key and provides facilities to Liberty Server Processes to load and access z/OS system services in a way that protects the integrity of the operating system. The Angel provides SAF controlled access to z/OS services.
● Server: the Liberty Server is where z/OS Connect runs. Applications like z/OS Connect may need access to z/OS system services like SAF, WLM, dump, and WOLA. Access is not the default.
The RACF Commands from Unit 2 Lab (continued)
● You also assigned the Server and Angel userids to the started procedures.
RDEFINE STARTED BBGZSRV.* UACC(NONE) -
STDATA(USER(LIBSERV) GROUP(LIBGRP) -
PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEFINE STARTED BBGZANGL.* UACC(NONE) -
STDATA(USER(LIBANGE) GROUP(LIBGRP) -
PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
SETROPTS RACLIST(STARTED) REFRESH
● After you built the server, you made LIBSERV a PROTECTED userid.
ALTUSER LIBSERV NOPASSWORD NOOIDCARD
The RACF Commands from Unit 3 Lab
● In Unit 3 Lab you permitted the Liberty Server to use several z/OS authorized services protected by SERVER class profiles.
● USER1.WAS.CNTL(ZCRACF2):
RDEFINE SERVER BBG.ANGEL UACC(NONE) OWNER(SYS1)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSAFM -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
The RACF Commands from Unit 3 Lab (continued)
● Server class profiles control the use of the Angel, SAF, WLM, RRS, SVC dump, the security prefix and WOLA.
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.SECPFX.BBGZDFLT UACC(NONE)
PERMIT BBG.SECPFX.BBGZDFLT -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.WOLA UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSAFM.WOLA -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
The RACF Commands from Unit 3 Lab (continued)
● An EJBROLE protects z/OS Connect.
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.LOCALCOM UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSAFM.LOCALCOM -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSCFM UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSCFM -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSCFM.WOLA UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSCFM.WOLA -
CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
SETROPTS RACLIST(SERVER) REFRESH
RDEFINE EJBROLE ** OWNER(SYS1) UACC(NONE)
PERMIT ** CLASS(EJBROLE) RESET
SETROPTS RACLIST(EJBROLE) REFRESH
The RACF Commands from Unit 3 Lab (continued)
● A CBIND profile controls which CICS Listener Tasks can register with WOLA. An APPL profile protects z/OS Connect.
RDEFINE CBIND BBG.WOLA.GROUP.NAME2.NAME3 UACC(NONE) OWNER(SYS1)
PERMIT BBG.WOLA.GROUP.NAME2.NAME3 CLASS(CBIND) ACCESS(READ) ID(USER1)
PERMIT BBG.WOLA.GROUP.NAME2.NAME3 CLASS(CBIND) ACCESS(READ) ID(CICSX)
SETROPTS RACLIST(CBIND) REFRESH
RDEFINE APPL BBGZDFLT UACC(NONE) OWNER(SYS1)
PERMIT BBGZDFLT CLASS(APPL) RESET
PERMIT BBGZDFLT CLASS(APPL) ACCESS(READ) ID(WSGUEST)
RALT APPL BBGZDFLT UACC(READ)
SETROPTS RACLIST(APPL) REFRESH
WebSphere Optimized Local Adapter (WOLA) Security
server.xml:
...<zosLocalAdapters wolaGroup="GROUP" wolaName2="NAME2" wolaName3="NAME3" />...
The Liberty Profile defines the WOLA adapter in the server.xml.
The WOLA adapter is protected by a CBIND profile in RACF.
The CBIND profile is based on the WOLA definition: BBG.WOLA.<wolaGroup>.<wolaName2>.<wolaName3>, here BBG.WOLA.GROUP.NAME2.NAME3.
The Link Server task ID of the CICS partners must be permitted to use the adapter.
The Link Server task ID is the userid which starts the Link Server task.
RACF commands:
RDEFINE CBIND BBG.WOLA.GROUP.NAME2.NAME3 UACC(NONE) OWNER(SYS1)
PERMIT BBG.WOLA.GROUP.NAME2.NAME3 CLASS(CBIND) ACCESS(READ) ID(USER1)
PERMIT BBG.WOLA.GROUP.NAME2.NAME3 CLASS(CBIND) ACCESS(READ) ID(CICSX)
SETROPTS RACLIST(CBIND) REFRESH
[Diagram: Liberty Profile / z/OS Connect ↔ WOLA ↔ CICS.]
Hardening z/OS Connect with SAF security.
● A SAF keyring/cert for SSL/TLS.
● SAF as the User Registry.
● Enabling Basic or Client Certificate Authentication.
● An EJBROLE to protect z/OS Connect.
● The Authorization Interceptor.
● Passing an Identity to CICS.
Using a SAF keyring/cert for SSL/TLS
SAF keyrings are under the control of the SAF administrator.
server.xml:
<featureManager>
  ...
  <feature>ssl-1.0</feature>
</featureManager>
...
<keyStore id="defaultKeyStore" password="Liberty"/>
...
<sslDefault sslRef="DefaultSSLSettings" />
<ssl id="DefaultSSLSettings"
     keyStoreRef="CellDefaultKeyStore"
     trustStoreRef="CellDefaultTrustStore"
     clientAuthenticationSupported="false"
     clientAuthentication="false"/>
<keyStore id="CellDefaultKeyStore"
          location="safkeyring:///Keyring.LIBERTY"
          password="password" type="JCERACFKS"
          fileBased="false" readOnly="true" />
<keyStore id="CellDefaultTrustStore"
          location="safkeyring:///Keyring.LIBERTY"
          password="password" type="JCERACFKS"
          fileBased="false" readOnly="true" />
Digital ring information for user LIBSERV (RACDCERT LISTRING output):
  Ring: >Keyring.LIBERTY<
  Certificate Label Name    Cert Owner     USAGE
  ------------------------  -------------  --------
  DefaultCert.LIBERTY       ID(LIBSERV)    PERSONAL
  LibertyCA.LIBERTY         CERTAUTH       CERTAUTH
The Server (LIBSERV) owns the keyring.
[Diagram: Liberty Profile / z/OS Connect → CICS, IMS and Batch on z/OS.]
Using SAF as the User Registry
server.xml:
<featureManager>
  ...
  <feature>zosSecurity-1.0</feature>
</featureManager>
...
<basicRegistry id="basic1" realm="zosConnect">
  <user name="Fred" password="fredpwd" />
</basicRegistry>
<authorization-roles id="zos.connect.access.roles">
  <security-role name="zosConnectAccess"><user name="Fred"/></security-role>
</authorization-roles>
...
<safRegistry id="saf" />
<safAuthorization id="saf" />
<safCredentials unauthenticatedUser="WSGUEST" profilePrefix="BBGZDFLT" />
safRegistry uses the SAF database to authenticate clients.
safAuthorization uses the SAF database for role checking using the EJBROLE class.
unauthenticatedUser="WSGUEST" uses the SAF userid WSGUEST for unauthenticated requests.
profilePrefix="BBGZDFLT" prefixes EJBROLE profile checks with BBGZDFLT.
The profilePrefix value will also be used as the APPL name for the server. The unauthenticatedUser userid must have READ access to the APPL name.
Enabling Basic or Client Certificate Authentication
server.xml:
...
<webAppSecurity allowFailOverToBasicAuth="true" />
...
<sslDefault sslRef="DefaultSSLSettings" />
<ssl id="DefaultSSLSettings"
     keyStoreRef="CellDefaultKeyStore"
     trustStoreRef="CellDefaultTrustStore"
     clientAuthenticationSupported="false"
     clientAuthentication="false"/>
<keyStore id="CellDefaultKeyStore"
          location="safkeyring:///Keyring.LIBERTY"
          password="password" type="JCERACFKS"
          fileBased="false" readOnly="true" />
<keyStore id="CellDefaultTrustStore"
          location="safkeyring:///Keyring.LIBERTY"
          password="password" type="JCERACFKS"
          fileBased="false" readOnly="true" />
clientAuthenticationSupported="true": the server prompts for a client cert in the SSL handshake.
clientAuthentication="true": requires that the client have a client cert, or the SSL handshake will fail and the conversation end.
allowFailOverToBasicAuth="true": the server reverts to the userid/password prompt if clientAuthentication="false" or the client has no certificate.
[Diagram: z/OS Connect to client: “Client cert, please.” A client without a certificate: “Huh?”]
An EJBROLE to protect z/OS Connect
server.xml:
<featureManager>
  ...
  <feature>zosSecurity-1.0</feature>
</featureManager>
...
<authorization-roles id="zos.connect.access.roles">
  <security-role name="zosConnectAccess"><user name="Fred"/></security-role>
</authorization-roles>
...
<safRegistry id="saf" />
<safAuthorization id="saf" />
<safCredentials unauthenticatedUser="WSGUEST" profilePrefix="BBGZDFLT" />
The z/OS Connect application requires that the user have the role zosConnectAccess.
The default profilePrefix is "BBGZDFLT".
The default profile pattern is %profilePrefix%.%resource%.%role%.
This makes the EJBROLE name BBGZDFLT.zos.connect.access.roles.zosConnectAccess.
To change the profile pattern, see the next slide.
RACF commands:
RDEFINE EJBROLE BBGZDFLT.zos.connect.access.roles.zosConnectAccess -
  OWNER(SYS1) UACC(NONE)
PE BBGZDFLT.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) -
  ID(FRED) ACCESS(READ)
Controlling the EJBROLE profile pattern
server.xml:
<featureManager>
  ...
  <feature>zosSecurity-1.0</feature>
</featureManager>
...
<safRegistry id="saf" />
<safAuthorization id="saf" />
<safCredentials unauthenticatedUser="WSGUEST" profilePrefix="BBGZDFLT" />
<safRoleMapper profilePattern="%profilePrefix%.%role%" toUpperCase="false" />
The safRoleMapper statement specifies the EJBROLE profile pattern.
The default profile pattern: %profilePrefix%.%resource%.%role%.
The default EJBROLE profile: BBGZDFLT.zos.connect.access.roles.zosConnectAccess
You can control the profile pattern; with the safRoleMapper above, for example, the profile becomes BBGZDFLT.zosConnectAccess:
RACF commands:
RDEFINE EJBROLE BBGZDFLT.zosConnectAccess OWNER(SYS1) UACC(NONE)
PE BBGZDFLT.zosConnectAccess CLASS(EJBROLE) ID(xxxx) ACCESS(READ)
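To check which profile name a safRoleMapper pattern will produce before defining it in RACF, here is an added Python example (not IBM's code) that expands the pattern variables the slides show (%profilePrefix%, %resource%, %role%). The toUpperCase handling is an assumption that the flag uppercases the whole expanded name.

```python
"""Expand a Liberty safRoleMapper profilePattern into the EJBROLE profile name
that SAF will be asked to check. Added example, not IBM's code."""
import re

DEFAULT_PATTERN = "%profilePrefix%.%resource%.%role%"


def ejbrole_profile(role, resource, profile_prefix="BBGZDFLT",
                    profile_pattern=DEFAULT_PATTERN, to_upper_case=False):
    """role            -- security-role name from server.xml (e.g. zosConnectAccess)
    resource        -- the authorization-roles id (e.g. zos.connect.access.roles)
    profile_prefix  -- safCredentials profilePrefix
    profile_pattern -- safRoleMapper profilePattern
    to_upper_case   -- safRoleMapper toUpperCase (ASSUMPTION: uppercases the name)
    """
    values = {"profilePrefix": profile_prefix, "resource": resource, "role": role}

    def expand(match):
        key = match.group(1)
        if key not in values:
            raise ValueError(f"unknown pattern variable %{key}%")
        return values[key]

    name = re.sub(r"%(\w+)%", expand, profile_pattern)
    return name.upper() if to_upper_case else name


def racf_commands(profile, userid, owner="SYS1"):
    """The RDEFINE/PERMIT/REFRESH sequence the slides use for an EJBROLE profile."""
    return [
        f"RDEFINE EJBROLE {profile} OWNER({owner}) UACC(NONE)",
        f"PERMIT {profile} CLASS(EJBROLE) ID({userid}) ACCESS(READ)",
        "SETROPTS RACLIST(EJBROLE) REFRESH",
    ]


if __name__ == "__main__":
    # Default pattern versus the shortened one from the safRoleMapper above.
    for pattern in (DEFAULT_PATTERN, "%profilePrefix%.%role%"):
        prof = ejbrole_profile("zosConnectAccess", "zos.connect.access.roles",
                               profile_pattern=pattern)
        print("\n".join(racf_commands(prof, "FRED")))
```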
The EJBROLE as front door.
● The zosConnectAccess EJBROLE protects the “front door” to z/OS Connect.
● But more access granularity is needed.
RACF commands:
RDEFINE EJBROLE BBGZDFLT.zos.connect.access.roles.zosConnectAccess -
  OWNER(SYS1) UACC(NONE)
PE BBGZDFLT.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) -
  ID(FRED) ACCESS(READ)
[Diagram: client → “zosConnectAccess?” NO → no authority; YES → authority to LIST, START, STOP, INVOKE and get STATISTICS for all RESTful Services. It is “All” or “Nothing”.]
Authorization Interceptor
● Provides three levels of authority for users of your z/OS Connect services:
  ● Administrator: the authority to query services, perform operational tasks on them, and invoke them.
  ● Operations: the authority to perform tasks on services such as stop, start, etc., but no authority to invoke services.
  ● Invoke: the authority to invoke services, but no other authority.
● Represented by membership in groups named in the server.xml.
● Defined at the z/OS Connect global level or for individual services.
Implementing the Authorization Interceptor
At the global level:
server.xml:
...
<zosConnectManager globalAdminGroup="GADMIN"
                   globalOperationsGroup="GOPERS"
                   globalInvokeGroup="GINVOKE"
                   globalInterceptorsRef="interceptorList_g" />
<authorizationInterceptor id="auth" />
<zosConnectInterceptors id="interceptorList_g" interceptorRef="auth,audit"/>
Users in RACF group GADMIN have Administrator authority at the global level.
Users in RACF group GOPERS have Operations authority at the global level.
Users in RACF group GINVOKE have Invoke authority at the global level.
RACF commands:
ADDGROUP GADMIN OMVS(AUTOGID)
ADDGROUP GOPERS OMVS(AUTOGID)
ADDGROUP GINVOKE OMVS(AUTOGID)
CONNECT USER1 GROUP(GADMIN)
CONNECT FRED GROUP(GINVOKE)
Implementing the Authorization Interceptor
At the service level:
server.xml:
...
<zosConnectService id="CICS"
                   invokeURI="/myCICSBackend"
                   serviceName="CICS-backend"
                   dataXformRef="xformJSON2Byte"
                   serviceRef="wolaCICS"
                   adminGroup="SADMIN"
                   operationsGroup="SOPERS"
                   invokeGroup="SINVOKE" />
Users in RACF group SADMIN have Administrator authority at the local level.
Users in RACF group SOPERS have Operations authority at the local level.
Users in RACF group SINVOKE have Invoke authority at the local level.
RACF commands:
ADDGROUP SADMIN OMVS(AUTOGID)
ADDGROUP SOPERS OMVS(AUTOGID)
ADDGROUP SINVOKE OMVS(AUTOGID)
CONNECT USER1 GROUP(SADMIN)
CONNECT FRED GROUP(SINVOKE)
Service level takes precedence over Global.
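An added Python model (not IBM's code) of how the Authorization Interceptor's group checks described on the last three slides resolve for a given user and service. It assumes the service-level override is per attribute (a service that names only adminGroup still inherits the global operations and invoke groups) and that querying counts as an operational task; the group names mirror the lab's RACF commands.

```python
"""Model of the z/OS Connect Authorization Interceptor: three authority levels
granted by RACF group membership, configured on zosConnectManager (global) and
optionally per zosConnectService. Added example, not IBM's code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Operations each level may perform, per the slides. ASSUMPTION: querying
# (list, statistics) is an operational task, so Operations may do it too.
LEVEL_OPERATIONS = {
    "administrator": {"list", "statistics", "start", "stop", "invoke"},
    "operations":    {"list", "statistics", "start", "stop"},
    "invoke":        {"invoke"},
}


@dataclass
class AuthGroups:
    """adminGroup / operationsGroup / invokeGroup (or their global* forms)."""
    admin: Optional[str] = None
    operations: Optional[str] = None
    invoke: Optional[str] = None


@dataclass
class ZosConnectConfig:
    global_groups: AuthGroups
    service_groups: Dict[str, AuthGroups] = field(default_factory=dict)


def effective_groups(cfg: ZosConnectConfig, service_id: str) -> AuthGroups:
    """Service level takes precedence over global. ASSUMPTION: the override is
    per attribute; an attribute the service leaves unset falls back to global."""
    svc = cfg.service_groups.get(service_id, AuthGroups())
    g = cfg.global_groups
    return AuthGroups(admin=svc.admin or g.admin,
                      operations=svc.operations or g.operations,
                      invoke=svc.invoke or g.invoke)


def authority_levels(cfg, service_id, user_groups: Set[str]) -> Set[str]:
    """Levels the user holds for this service, from the RACF groups connected to the user."""
    eg = effective_groups(cfg, service_id)
    pairs = (("administrator", eg.admin), ("operations", eg.operations), ("invoke", eg.invoke))
    return {level for level, group in pairs if group is not None and group in user_groups}


def is_authorized(cfg, service_id, user_groups: Set[str], operation: str) -> bool:
    """True if any level the user holds for this service permits the operation."""
    return any(operation in LEVEL_OPERATIONS[lvl]
               for lvl in authority_levels(cfg, service_id, user_groups))


# Constructed configuration mirroring the lab's server.xml and RACF commands.
LAB_CONFIG = ZosConnectConfig(
    global_groups=AuthGroups("GADMIN", "GOPERS", "GINVOKE"),
    service_groups={"CICS": AuthGroups("SADMIN", "SOPERS", "SINVOKE")},
)

if __name__ == "__main__":
    # FRED was connected to GINVOKE and SINVOKE in the lab, USER1 to GADMIN and SADMIN.
    print(authority_levels(LAB_CONFIG, "CICS", {"GINVOKE", "SINVOKE"}))
    print(is_authorized(LAB_CONFIG, "CICS", {"GINVOKE"}, "invoke"))  # global group only
```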
Passing the Client's Identity to CICS
server.xml:
...
<zosLocalAdapters useCicsTaskUserId="true"
                  wolaGroup="GROUP" wolaName2="NAME2" wolaName3="NAME3" />
...
CICS SIT parameters:
...SEC=Y XTRAN=YES XUSER=YES...
Starting the Link Server task (BBOC):
BBOC START_TRUE
BBOC START_SRVR RGN=CICSREG DGN=GROUP NDN=NAME2 SVN=NAME3 SVC=* MNC=1 MXC=10 TXN=N SEC=Y REU=N TRC=1
● Passes the SAF identity of the z/OS Connect client to CICS.
● CICS security enabled (SEC=Y).
● Transactions protected (XTRAN=YES).
● Link Server's userid checked for surrogate authority to the passed userid (XUSER=YES).
● CICS uses the passed userid instead of the Link Server task userid.
[Diagram: Liberty Profile / z/OS Connect ↔ WOLA ↔ CICS on z/OS.]
RACF Checklist for Passing an Identity to CICS
● The Link Server ID needs:
  ● READ access to the CBIND profile: BBG.WOLA.GROUP.NAME2.NAME3
  ● READ access to TCICSTRN profiles BBOC and BBO$ (Link server task)
  ● READ access to SURROGAT profile <passedid>.DFHSTART
● The identity being flowed/asserted needs:
  ● READ access to TCICSTRN profile BBO# (Link invocation task)
  ● READ access to EJBROLE profile: BBGZDFLT.zos.connect.access.roles.zosConnectAccess
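An added Python pre-flight check (not IBM's code) for this checklist and for the WOLA CBIND slide earlier: it derives the CBIND and SURROGAT profile names from the adapter definition and the passed userid, and reports which of the required READ permits a permission table lacks. The permission table and the userids CICSX and FRED are constructed sample data; on a real system the answers come from RACF.

```python
"""Pre-flight check of the SAF READ permits the slides' checklist requires for
flowing a z/OS Connect client's identity to CICS over WOLA. Added example, not
IBM's code. Profile names follow the slides: BBG.WOLA.<group>.<name2>.<name3>
for CBIND and <passedid>.DFHSTART for SURROGAT."""


def wola_cbind_profile(wola_group, wola_name2, wola_name3):
    """CBIND profile protecting the WOLA adapter defined in server.xml."""
    return f"BBG.WOLA.{wola_group}.{wola_name2}.{wola_name3}"


def required_permits(link_server_id, passed_id, cbind_profile, ejbrole_profile):
    """(userid, class, profile) triples that must each have READ access."""
    return [
        # The Link Server task userid (the id that issued BBOC START_SRVR):
        (link_server_id, "CBIND",    cbind_profile),
        (link_server_id, "TCICSTRN", "BBOC"),
        (link_server_id, "TCICSTRN", "BBO$"),
        (link_server_id, "SURROGAT", f"{passed_id}.DFHSTART"),
        # The identity being flowed/asserted:
        (passed_id,      "TCICSTRN", "BBO#"),
        (passed_id,      "EJBROLE",  ejbrole_profile),
    ]


def missing_permits(permits_held, link_server_id, passed_id, cbind_profile, ejbrole_profile):
    """permits_held: dict userid -> set of (class, profile) the id has READ on.
    Returns the checklist entries that are not satisfied, in checklist order."""
    return [(uid, cls, prof)
            for uid, cls, prof in required_permits(link_server_id, passed_id,
                                                   cbind_profile, ejbrole_profile)
            if (cls, prof) not in permits_held.get(uid, set())]


def permit_commands(missing):
    """RACF PERMIT commands (profiles assumed already RDEFINEd) to close each gap."""
    return [f"PERMIT {prof} CLASS({cls}) ID({uid}) ACCESS(READ)"
            for uid, cls, prof in missing]


# Constructed sample state: CICSX starts the Link Server, FRED is the client
# identity, and the SURROGAT permit has not been granted yet.
EJBROLE_FRONT_DOOR = "BBGZDFLT.zos.connect.access.roles.zosConnectAccess"
SAMPLE_PERMITS = {
    "CICSX": {("CBIND", "BBG.WOLA.GROUP.NAME2.NAME3"),
              ("TCICSTRN", "BBOC"), ("TCICSTRN", "BBO$")},
    "FRED":  {("TCICSTRN", "BBO#"), ("EJBROLE", EJBROLE_FRONT_DOOR)},
}

if __name__ == "__main__":
    gaps = missing_permits(SAMPLE_PERMITS, "CICSX", "FRED",
                           wola_cbind_profile("GROUP", "NAME2", "NAME3"),
                           EJBROLE_FRONT_DOOR)
    print("\n".join(permit_commands(gaps)) or "all checklist permits present")
```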