350 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
SampleSAFMappingModule is in search order 3, as shown in Figure 10-10.
You can also click the Module order column to have the login modules
displayed in ascending search order.
Figure 10-10 JAAS login modules on a system login alias (WAS v6.0.2 illustration)
5. Make sure that the EJBROLE class is active and RACLISTed. Optionally,
configure the grouping class GEJBROLE. Define all administrative and
naming roles as explained in 13.1.3, “Administrative security with SAF
authorization” on page 450, and 13.3.2, “Mapping users or groups to
CosNaming roles” on page 468, and permit the appropriate user IDs and
groups to the profiles. If you already have applications deployed, examine the
J2EE roles and define them as well in the EJBROLE class, with the
appropriate access list. Both administrative and application security must be
enabled. Remove all WebSphere bindings from the configuration. If you are
migrating from WebSphere bindings to SAF authorization (SAF bindings), we
recommend that you define all EJBROLE class profiles and permits in
advance.
Now bring down the cell or base server and restart. One difference between
WebSphere and SAF bindings to be aware of is the possibility that more than
one application could specify the same J2EE role name. In the case of SAF
bindings, authorization checks for the roles in those applications would result in a
SAF call to one and the same profile in the EJBROLE class, and therefore would
grant access to all applications with identical role names. In the case of
WebSphere bindings the mapping is at application level. We always recommend
having development discuss role naming with RACF security administrators.
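The role-name collision described above can be checked before roles are defined in the EJBROLE class. The following script is an added example, not from the book: it takes a constructed inventory of applications and the J2EE roles they declare, reports every role name that more than one application would share under SAF bindings, and emits the RDEFINE/PERMIT commands for defining the profiles and permits in advance. The optional profile prefix (assumed format prefix.role) and the group names are assumptions for illustration.

```python
"""Find J2EE role names shared across applications and generate the RACF
commands that define the matching EJBROLE profiles and permits.
Added example; the application/role inventory is constructed."""
from collections import defaultdict

# Constructed inventory: application name -> J2EE role names it declares.
APP_ROLES = {
    "PayrollApp": ["Manager", "Clerk", "Auditor"],
    "InventoryApp": ["Manager", "Picker"],
    "ReportingApp": ["Auditor", "Viewer"],
}


def ejbrole_profile(role, prefix=None):
    """EJBROLE profile name for a role. A SAF profile prefix, if one is in
    use, is assumed to be prepended as prefix.role."""
    return f"{prefix}.{role}" if prefix else role


def shared_roles(app_roles):
    """Map each role name declared by more than one application to the
    sorted list of those applications. Under SAF bindings all of them
    would be authorized through the same EJBROLE profile."""
    owners = defaultdict(set)
    for app, roles in app_roles.items():
        for role in roles:
            owners[role].add(app)
    return {role: sorted(apps) for role, apps in owners.items() if len(apps) > 1}


def racf_commands(app_roles, permits, prefix=None):
    """RDEFINE one EJBROLE profile per distinct role with UACC(NONE), then
    PERMIT the IDs listed in `permits` (role -> user/group IDs) with READ
    access, and refresh the RACLISTed class."""
    cmds = []
    for role in sorted({r for roles in app_roles.values() for r in roles}):
        profile = ejbrole_profile(role, prefix)
        cmds.append(f"RDEFINE EJBROLE {profile} UACC(NONE)")
        for ident in permits.get(role, []):
            cmds.append(f"PERMIT {profile} CLASS(EJBROLE) ID({ident}) ACCESS(READ)")
    cmds.append("SETROPTS RACLIST(EJBROLE) REFRESH")
    return cmds


if __name__ == "__main__":
    for role, apps in shared_roles(APP_ROLES).items():
        print(f"role '{role}' is shared by {', '.join(apps)}: one EJBROLE profile")
    # MGRGRP and AUDGRP are constructed RACF group names.
    for cmd in racf_commands(APP_ROLES, {"Manager": ["MGRGRP"], "Auditor": ["AUDGRP"]}):
        print(cmd)
```

Review the shared roles with the application owners first: a shared name is acceptable only if every application using it is meant to grant the same set of users access.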
10.3.2 WebSphere and z/OS LDAP TDBM back end (DB2)
z/OS LDAP can handle many different types of back ends. One of them is TDBM,
and it uses DB2 z/OS as a data repository.
Chapter 10. User registries 351
z/OS LDAP TDBM configuration
The z/OS LDAP installation is described in Distributed Security and High
Availability with Tivoli Access Manager and WebSphere Application Server for
z/OS, SG24-6760. In this section we focus on the configuration part.
1. To configure z/OS LDAP with a TDBM back end, find the LDAP
configuration, which should be in the SLAPDCNF member of the LDAP
customization data set. In our environment, the z/OS LDAP configuration file
is WTSC58.LDAP1.CNTL(SLAPDCNF). In this LDAP configuration file,
uncomment or set up the following parameters:
database tdbm GLDBTDBM
suffix "ou=itsotdbm,o=itso"
servername DB2B
dbuserid GLDSRV
databasename GLDDB
dsnaoini WTSC58.LDAP1.CNTL(DSNAOINI)
attroverflowsize 255
where the suffix is the top of the LDAP tree that you want for your
organization. We chose ou=itsotdbm,o=itso in our environment. The suffix
does not necessarily need to have an organizational unit (ou=). It may contain
an organization only (o=). The DB2 back-end configuration refers to the DB2
setup made at z/OS LDAP installation time.
Example 10-3 shows an extract of our z/OS LDAP configuration for using a
TDBM back end.
Example 10-3 z/OS LDAP configuration with a TDBM back end
listen ldap://:3389
maxConnections 60
adminDN "cn=LDAP Administrator"
adminPW "secret"
# TDBM-specific CONFIGURATION SETTINGS
database tdbm GLDBTDBM
suffix "ou=itsotdbm,o=itso"
servername DB2B
dbuserid GLDSRV
databasename GLDDB
dsnaoini WTSC58.LDAP1.CNTL(DSNAOINI)
attroverflowsize 255
2. Restart the z/OS LDAP server from SDSF, for instance. If your LDAP server is
configured properly with a TDBM back end, there should be a message
similar to Example 10-4 in the LDAP log at startup.
Example 10-4 z/OS LDAP log with a TDBM back end
Backend type: tdbm, Backend ID: TDBM BACKEND
TDBM BACKEND manages the following suffixes:
Backend suffix: OU=ITSOTDBM,O=ITSO
End of suffixes managed by TDBM BACKEND.
Capability: LDAP_Backend_ID Value: TDBM BACKEND
Capability: LDAP_Backend_BldDateTime Value: 2006-07-25-22.56.16.000000
Capability: LDAP_Backend_APARLevel Value: OA17138
Capability: LDAP_Backend_Release Value: R 6.0
Capability: LDAP_Backend_Version Value: V 1.0
Capability: LDAP_Backend_Dialect Value: DIALECT 1.0
Capability: LDAP_Backend_BerDecoding Value: BINARY
Capability: LDAP_Backend_ExtGroupSearch Value: YES
Capability: LDAP_Backend_krbIdentityMap Value: YES
Capability: supportedControl Value: 2.16.840.1.113730.3.4.2
Capability: supportedControl Value: 1.3.18.0.2.10.2
...
Capability: LDAP_Backend_SupportedCapabilities Value: 1.3.18.0.2.32.3
Capability: LDAP_Backend_SupportedCapabilities Value: 1.3.18.0.2.32.31
...
Capability: LDAP_Backend_EnabledCapabilities Value: 1.3.18.0.2.32.31
End of capability listing for Backend type: tdbm, Backend ID: TDBM BACKEND.
3. Copy the following files to the LDAP working directory /etc/ldap:
/usr/lpp/ldap/etc/schema.user.ldif
/usr/lpp/ldap/etc/schema.IBM.ldif
4. Edit these files and change the line cn=schema,<suffix> to reflect the TDBM
suffix that is defined in the z/OS LDAP configuration file. For example:
dn: cn=schema,ou=itsotdbm,o=itso
Attention: There are no spaces between the comma (,) and o=. Those
schema files contain the objects and attributes used to organize data
following IBM schema and for the SAF native authentication object class.
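Steps 1 through 4 above leave three things that must agree with each other: the TDBM parameters in the server configuration, the suffix the server reports at startup, and the dn: line in the copied schema files. The following script is an added example, not code from the book or from z/OS LDAP: it parses configuration, log and LDIF text constructed after Examples 10-3 and 10-4, checks that every TDBM parameter from step 1 is present, confirms the startup log shows a tdbm back end managing the configured suffix, and checks each schema file's dn: line for the exact cn=schema,<suffix> value with no blank after the commas. The clear-text adminPW warning reflects the configuration file shown in Example 10-3.

```python
"""Consistency checks for a z/OS LDAP TDBM back-end configuration, its
startup log and its schema LDIF files. Added example; all input text is
constructed after the book's examples."""
import re

# Constructed configuration text in the form of Example 10-3.
SAMPLE_CONF = """\
listen ldap://:3389
maxConnections 60
adminDN "cn=LDAP Administrator"
adminPW "secret"
# TDBM-specific CONFIGURATION SETTINGS
database tdbm GLDBTDBM
suffix "ou=itsotdbm,o=itso"
servername DB2B
dbuserid GLDSRV
databasename GLDDB
dsnaoini WTSC58.LDAP1.CNTL(DSNAOINI)
attroverflowsize 255
"""

# Constructed startup log lines in the form of Example 10-4.
SAMPLE_LOG = """\
Backend type: tdbm, Backend ID: TDBM BACKEND
TDBM BACKEND manages the following suffixes:
Backend suffix: OU=ITSOTDBM,O=ITSO
End of suffixes managed by TDBM BACKEND.
"""

# Constructed schema file heads: one edited correctly, one with blanks after the commas.
GOOD_LDIF = "dn: cn=schema,ou=itsotdbm,o=itso\nobjectclass: top\n"
BAD_LDIF = "dn: cn=schema, ou=itsotdbm, o=itso\nobjectclass: top\n"

# Parameters that step 1 requires for a TDBM back end besides the database line.
TDBM_KEYS = ("suffix", "servername", "dbuserid", "databasename", "dsnaoini")


def parse_conf(text):
    """Parse keyword/value lines of the server configuration, skipping
    comments and blanks. Keys are lower-cased, surrounding quotes dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip().strip('"')
    return conf


def check_tdbm(conf):
    """Return the problems found in the TDBM back-end definition."""
    problems = []
    if not conf.get("database", "").lower().startswith("tdbm "):
        problems.append("no 'database tdbm' back end configured")
    for key in TDBM_KEYS:
        if key not in conf:
            problems.append(f"missing TDBM parameter: {key}")
    if "adminpw" in conf:
        problems.append("adminPW is stored in clear text in the configuration file")
    return problems


def log_confirms_tdbm(log_text, suffix):
    """True when the startup log reports a tdbm back end managing `suffix`.
    The server prints the suffix upper-cased, so compare case-insensitively."""
    lines = log_text.splitlines()
    has_backend = any(l.startswith("Backend type: tdbm") for l in lines)
    suffixes = [l.split(":", 1)[1].strip().lower() for l in lines if l.startswith("Backend suffix:")]
    return has_backend and suffix.lower() in suffixes


def schema_dn_problems(ldif_text, suffix):
    """Check the dn: line of a schema file against cn=schema,<suffix>.
    A blank after a comma is reported separately, as the Attention note warns."""
    expected = f"cn=schema,{suffix}".lower()
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            problems = []
            if re.search(r",\s", dn):
                problems.append(f"blank after comma in '{dn}'")
            if re.sub(r"\s*,\s*", ",", dn).lower() != expected:
                problems.append(f"'{dn}' is not cn=schema,{suffix}")
            return problems
    return ["no dn: line found in schema file"]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("config:", check_tdbm(conf) or "ok")
    print("log confirms tdbm:", log_confirms_tdbm(SAMPLE_LOG, conf["suffix"]))
    for name, ldif in (("schema.user.ldif", GOOD_LDIF), ("schema.IBM.ldif", BAD_LDIF)):
        print(name + ":", schema_dn_problems(ldif, conf["suffix"]) or "ok")
```

To run it against a real system, replace the constructed strings with the contents of the SLAPDCNF member, the server's startup log and the two files copied to /etc/ldap; the checks themselves do not change.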