Changes to RACF Authorization Processing
Extensions have been introduced to RACF's processing of authorization requests in
which both the RACF identity of the server and the RACF identity of a client of the
server application are used in a resource access decision.
RACF support for OpenEdition DCE introduces new indicators in the ACEE. These
indicators mark the ACEE as a client ACEE. Client ACEEs are created by OS/390
OpenEdition and RACF on behalf of multithreaded unauthorized application servers
on OS/390.
Client ACEEs can only be created through the OS/390 OpenEdition
pthread_security_np callable service or pthread_security_np() C language
function call.
There are two types of client ACEEs:
Unauthenticated client ACEE
When an unauthenticated client ACEE is used in an access control decision,
two authorization checks occur.
– The first check uses the client ACEE. This is the ACEE that is associated
with the current task. If the request is successful, the second check is
performed.
– The second check uses the ACEE associated with the server. This is the
same ACEE that is associated with the application server's address space.
The automatic checking of both the client's identity and the server's identity is
performed for RACF resources defined to RACF via profiles and for OS/390
OpenEdition resources, such as hierarchical file system files (HFS), whose
access is governed by POSIX permission bits.
Authenticated client ACEE
When an authenticated client ACEE is used in an access control decision, only
this ACEE is used in the access control decision. Audit records contain an
additional relocate section, indicating that this authorization request was
processed using an ACEE which was created on behalf of an unauthorized
application.
An authenticated client ACEE is created when the client of the server
application has supplied its RACF password (or RACF PassTicket) to the
application server. The application server specifies the client's RACF password
(or RACF PassTicket) on the pthread_security_np OS/390 OpenEdition
callable service or on the C language pthread_security_np() function call.
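The two-check flow for unauthenticated client ACEEs and the single check for
authenticated client ACEEs, modeled in C as an added example (it is not IBM code
and not part of the original manual). The struct and function names, the access
levels, the user IDs and the sample profile are all constructed for illustration;
on a real system the checks are made by RACF itself.

```c
/* Added illustration: a simplified model of the decision flow, not RACF code.
   All type and function names here are hypothetical. */
#include <stdio.h>
#include <string.h>

enum acee_kind { SERVER_ACEE, CLIENT_UNAUTHENTICATED, CLIENT_AUTHENTICATED };
enum access { NONE = 0, READ, UPDATE };            /* simplified access levels */

struct permit { const char *user; enum access level; };
struct profile { const char *name; struct permit acl[4]; int n; };
struct decision { int allowed; int checks; int client_relocate; };

/* Single check: does the profile grant `user` at least `want`? */
static int check_one(const struct profile *p, const char *user, enum access want) {
    for (int i = 0; i < p->n; i++)
        if (strcmp(p->acl[i].user, user) == 0)
            return p->acl[i].level >= want;
    return 0;                                      /* not on the list: deny */
}

/* task_user/task_kind: ACEE associated with the current task.
   server_user: ACEE associated with the server's address space. */
struct decision authorize(const struct profile *p, enum acee_kind task_kind,
                          const char *task_user, const char *server_user,
                          enum access want) {
    struct decision d = {0, 1, 0};
    d.allowed = check_one(p, task_user, want);     /* first check: task-level ACEE */
    if (task_kind == CLIENT_AUTHENTICATED)
        d.client_relocate = 1;                     /* audit record gets the extra section */
    else if (task_kind == CLIENT_UNAUTHENTICATED && d.allowed) {
        d.checks = 2;                              /* second check: server ACEE */
        d.allowed = check_one(p, server_user, want);
    }
    return d;
}

/* Constructed sample profile: client ALICE may update, server SRVID may only read. */
static const struct profile SAMPLE = { "PAYROLL.DATA",
    { { "ALICE", UPDATE }, { "SRVID", READ } }, 2 };

int main(void) {
    struct decision d = authorize(&SAMPLE, CLIENT_UNAUTHENTICATED, "ALICE", "SRVID", UPDATE);
    printf("unauthenticated UPDATE: allowed=%d checks=%d\n", d.allowed, d.checks);
    d = authorize(&SAMPLE, CLIENT_AUTHENTICATED, "ALICE", "SRVID", UPDATE);
    printf("authenticated UPDATE:   allowed=%d relocate=%d\n", d.allowed, d.client_relocate);
    return 0;
}
```

In the model, the same UPDATE request by ALICE is denied under an unauthenticated
client ACEE because the server identity holds only READ, and is allowed under an
authenticated client ACEE because only the client identity is checked.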
Restrictions
The security administrator must be aware of the restrictions of the RACF client
ACEE support, in which both the application server's RACF identity and the client's
RACF identity are used in resolving access decisions.
RACROUTE REQUEST=FASTAUTH processing has not been enhanced to
automatically check both the server and client RACF identities.
Ideally, application servers on OS/390 do not have to run APF-authorized, or in
supervisor state or in a system storage protection key. Unauthorized
application servers on OS/390 are therefore unable to use the RACROUTE
REQUEST=LIST instruction to build in-storage profiles for RACF-defined
Chapter 7. Administration Considerations 41