Front cover -- Contents -- Notices -- Trademarks -- Preface -- The team that wrote this redbook -- Become a published author -- Who should read this book -- Notice -- Comments welcome -- Summary of changes -- August 2003, Second Edition -- Part 1 Getting started -- Chapter 1. Security design -- 1.1 Overview of security concerns -- 1.2 Finding the right level of security for your enterprise -- 1.2.1 Logon to z/OS -- 1.2.2 One userid fits all -- 1.2.3 Userid and password in a database -- 1.2.4 Reverse proxy -- 1.2.5 Security model selection -- 1.2.6 Additional security considerations -- Putting the pieces together -- 1.2.7 Basic security setup -- 1.2.8 Basic reverse proxy setup -- 1.2.9 A business-to-business variation -- 1.3 Finding the right balance for your application -- 1.3.1 A little background -- 1.3.2 Container-managed security -- 1.3.3 Application-managed security -- 1.4 Summary -- Chapter 2. The security investigation application -- 2.1 The SWIPE Application -- 2.1.1 SWIPE Application structure -- 2.1.2 SWIPE Application architecture and description -- 2.2 SWIPE's authentication features -- 2.3 Authorization features -- 2.3.1 EJBRoles in the sample -- 2.3.2 Declarative security -- 2.3.3 Programmatic security -- 2.3.4 The RunAs concept -- 2.3.5 The "Sync to OS Thread" concept -- 2.4 The downloadable SWIPE package -- 2.4.1 The Windows subdirectory -- 2.4.2 The z/OS subdirectory -- 2.4.3 The Trust-AI subdirectory -- 2.5 Deploying SWIPE -- 2.6 Running SWIPE -- 2.6.1 SWIPE - input Part A -- 2.6.2 SWIPE - input Part B -- Chapter 3. The sandbox infrastructure -- 3.1 Physical integration into the network infrastructure -- 3.2 Logical and z/OS TCP/IP view -- 3.3 System setup and Service Levels -- 3.3.1 Server infrastructure, Application Server, backends, product levels, PTF levels -- Part 2 J2EE security concepts and implementation.

Chapter 4. Introduction to J2EE and WebSphere Application Server for z/OS and OS/390 runtime conc... -- 4.1 J2EE concepts -- 4.1.1 J2EE components -- 4.1.2 Application programs -- 4.1.3 Runtime environments -- 4.1.4 Development and deployment process -- 4.2 Overview of J2EE implementation in WebSphere Application Server for z/OS and OS/390 -- 4.2.1 WebSphere Application Server for z/OS and OS/390 runtime -- 4.2.2 Sources of requests -- 4.2.3 Developing and deploying J2EE applications for WebSphere Application Server for z/OS and OS... -- Chapter 5. Introduction to J2EE security concepts -- 5.1 Overview of J2EE security -- 5.2 Terminology used for J2EE security -- 5.3 Authentication and authorization in J2EE containers -- 5.3.1 Role-based authorization -- 5.3.2 Web container authentication and authorization -- 5.3.3 EJB container authentication and authorization -- 5.4 Resource authentication -- Chapter 6. WebSphere and J2EE security -- 6.1 WebSphere architecture review -- 6.2 Relationship of WebSphere Application Server for z/OS and OS/390 to System Authorization Faci... -- 6.2.1 EJBROLES -- 6.2.2 GEJBROLE: grouping EJBROLEs -- 6.3 Web container authentication and authorization -- 6.4 EJB container authentication and authorization -- 6.4.1 The RunAs concept -- 6.4.2 The ThreadID concept -- 6.4.3 Enabling ThreadID -- 6.5 Authenticating to J2EE resources -- 6.6 Authorization and serialization in the Administration Application (SMEUI) -- 6.7 System Management Scripting API (SMAPI) -- Part 3 z/OS security foundation -- Chapter 7. Beginner's guide to z/OS security -- 7.1 System Authorization Facility - concept -- 7.2 Resource Access Control Facility (RACF) -- 7.2.1 Identifying and verifying users -- 7.2.2 User and Group base resource protection -- 7.2.3 RACF PassTicket -- 7.2.4 Auditing and reporting -- 7.3 Authorization and program protection.

7.4 z/OS UNIX security -- 7.5 Accessor Environment Element (ACEE) and RACF objects -- 7.6 Storage keys -- 7.7 Secure Sockets Layer and Transport Layer security -- Chapter 8. z/OS security - advanced topics -- 8.1 Cryptographic support -- 8.1.1 Securing and maintaining cryptography -- 8.2 TCP/IP -- 8.2.1 TCP/IP stacks -- 8.2.2 Protecting TCP/IP -- 8.3 Firewalls -- 8.4 Intrusion Detection Services (IDS) -- Chapter 9. Integration of WebSphere into z/OS security mechanisms -- 9.1 WebSphere infrastructure security and integrity -- 9.2 Securing the WebSphere runtime environment -- 9.3 Administration Application -- Chapter 10. Securing WebSphere using RACF -- 10.1 Introduction -- 10.2 Classes and profiles -- 10.3 Enabling WebSphere Application Server V4.0.1 for z/OS and OS/390 runtime in RACF -- 10.3.1 Activating EJBROLE for J2EE security constraints -- 10.3.2 Activating the CBIND class for client access to servers -- 10.3.3 Activating the SERVER class for server access to the daemon -- 10.3.4 Activating the SERVAUTH class to control z/OS Communication Server resources -- 10.3.5 Activating the PTKTDATA class to enable PassTickets support -- 10.3.6 BPX profiles in the Facility class -- Chapter 11. Securing WebSphere using eTrust CA-ACF2 -- 11.1 Introduction to eTrust CA ACF2 -- 11.2 Classes and profiles -- 11.3 Enablement of WebSphere in eTrust CA ACF2 -- 11.3.1 WebSphere Application Server for z/OS and OS/390 -- 11.3.2 Authorization checking -- 11.3.3 Level of Trust and Access Authority for regions -- 11.3.4 User identification, authentication and network security -- 11.3.5 Resource managers -- 11.3.6 Protection and Protect directives -- 11.3.7 Prerequisites -- 11.3.8 Installation steps -- 11.3.9 ACFCSEC -- 11.3.10 Problem determination and debugging -- 11.3.11 Bibliography.

Chapter 12. Securing WebSphere using eTrust CA-Top Secret Security for z/OS and OS/390 -- 12.1 Introduction to eTrust CA-Top Secret -- 12.2 Classes and special records -- 12.3 Enablement of WebSphere in eTrust CA-Top Secret -- 12.3.1 Server authorization checking -- 12.3.2 User identification, authentication and network security -- 12.3.3 WASADM -- 12.3.4 Problem determination and debugging -- 12.3.5 Bibliography -- Part 4 Authentication and authorization -- Chapter 13. Introduction to authentication and authorization -- 13.1 Introduction to authentication -- 13.1.1 Authentication methods -- 13.2 Introduction to authorization -- 13.2.1 Resource authorization at the operating system level -- 13.2.2 Resource authorization at the application level -- Chapter 14. Authentication - details -- 14.1 Introduction to authentication -- 14.1.1 Authentication methods -- 14.2 Authentication in the Web container -- 14.2.1 Unauthenticated -- 14.2.2 HTTP Digest authentication -- 14.2.3 HTTP Basic authentication -- 14.2.4 HTTPS basic authentication -- 14.2.5 Certificate-based authentication -- 14.2.6 Form-based authentication -- 14.2.7 Form-based authentication pragmatics -- 14.2.8 Form-based authentication revision -- 14.3 Authentication in the EJB container -- 14.3.1 Basic authentication -- 14.3.2 Certificate-based authentication -- 14.3.3 Kerberos authentication -- 14.3.4 Asserted identity -- 14.3.5 Unauthenticated -- 14.4 EJB container authentication in a single-system environment -- 14.5 EJB container authentication in a sysplex -- 14.6 Authentication between z/OS systems outside a sysplex -- 14.7 Authentication with EJB applications on non-z/OS platforms -- Chapter 15. Authentication flow -- 15.1 Introduction to authentication flow -- 15.2 The initial decision process -- 15.3 Authentication processing -- 15.4 Basic authentication.

15.5 Form-based authentication -- 15.6 Client certificate-based authentication -- 15.7 Setting the userid -- 15.8 Unauthenticated processing -- 15.9 HTTP Server processing flow -- Chapter 16. Authorization - details -- 16.1 Introduction to authorization -- 16.1.1 Resource authorization at the operating system level -- 16.1.2 Resource authorization at the application level -- 16.2 Resource authorization in J2EE applications -- 16.2.1 Security identities -- 16.2.2 Security roles -- 16.2.3 Web container authorization -- 16.2.4 EJB container authorization -- 16.3 Operating system level resource authorization -- 16.3.1 Synchronizing operating system and container identities -- Part 5 Cross-platform security infrastructures -- Chapter 17. Cross-platform security -- 17.1 Trust Association Interceptor (TAI) -- 17.1.1 Overview -- 17.1.2 What the Trust Association Interceptor is -- 17.1.3 TAI decision flow -- 17.1.4 Coding a Trust Association Interceptor -- 17.1.5 Enabling TAI -- 17.1.6 Configuring the Trust Association Interceptor -- 17.1.7 Multiple Trust Association Interceptors -- 17.2 Tivoli Access Manager integration into WebSphere on z/OS -- 17.2.1 Overview -- 17.2.2 The products -- 17.2.3 Tivoli Access Manager integration into z/OS security -- 17.2.4 More integration scenarios -- Part 6 Security for the Enterprise Integration Tier -- Chapter 18. Security for Enterprise Integration Systems -- 18.1 Overview: backend access in J2EE -- 18.1.1 The difference between JCA and JDBC -- 18.2 Using JCA connectors -- 18.2.1 Accessing an EIS via a JCA connector -- 18.2.2 Comparing CCF and JCA -- 18.3 Using JDBC -- 18.3.1 Accessing a database via JDBC -- 18.4 Important attributes in the deployment descriptor -- 18.4.1 Transactions -- 18.4.2 RunAs -- 18.4.3 ThreadID -- 18.4.4 Resource Reference attribute: Authentication.

18.4.5 Resource reference attribute: Connection Management.