IBM GC28-1920-01 Server User Manual


 
The security administrator has the option of enforcing the use of both the
application server's RACF identity and the RACF identity of the client in
resource access control decisions.

RACF support for OS/390 OpenEdition DCE introduces new indicators in the
ACEE. These indicators mark the ACEE as a client ACEE. Client ACEEs are
created by OS/390 OpenEdition and RACF on behalf of multithreaded unauthorized
application servers on OS/390. Client ACEEs can only be created through the
OS/390 OpenEdition pthread_security_np callable service or
pthread_security_np() C language function call.

There are two types of client ACEEs:

Unauthenticated client ACEE

   When an unauthenticated client ACEE is used in an access control decision,
   two authorization checks occur.

   The first check uses the client ACEE. This is the ACEE that is associated
   with the current task. If the request is successful, the second check is
   performed.

   The second check uses the ACEE associated with the server. This is the
   same ACEE that is associated with the application server's address space.

   The automatic checking of both the client's identity and the server's
   identity is performed for RACF resources defined to RACF via profiles and
   for OS/390 OpenEdition resources, such as hierarchical file system files
   (HFS), whose access is governed by POSIX permission bits.

Authenticated client ACEE

   When an authenticated client ACEE is used in an access control decision,
   only this ACEE is used in the access control decision.

   An authenticated client ACEE is created when the client of the server
   application has supplied its RACF password (or RACF PassTicket) to the
   application server. The application server specifies the client's RACF
   password (or RACF PassTicket) on the pthread_security_np OS/390
   OpenEdition callable service or on the C language pthread_security_np()
   function call. Possession of the client's RACF password (or RACF
   PassTicket) indicates that the client trusts the server to act on the
   client's behalf.
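
The decision rule for the two client ACEE types can be modeled in a few lines
of C. This is an added example, not IBM code and not a call into RACF or
OS/390 OpenEdition; the user IDs (SRVAPP, ALICE), the resource names and the
access list are constructed for illustration.

```c
/* Added model of the two-check rule; not RACF or OS/390 OpenEdition code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum client_acee { UNAUTHENTICATED, AUTHENTICATED };

/* Constructed access list: user IDs permitted to each resource. */
static const struct { const char *resource, *user_id; } PERMITS[] = {
    { "PAYROLL.DATA", "SRVAPP" },   /* server only */
    { "ORDERS.DATA",  "SRVAPP" },   /* server and client */
    { "ORDERS.DATA",  "ALICE"  },
    { "ALICE.NOTES",  "ALICE"  },   /* client only */
};

static bool permitted(const char *user_id, const char *resource)
{
    for (size_t i = 0; i < sizeof PERMITS / sizeof PERMITS[0]; i++)
        if (strcmp(PERMITS[i].resource, resource) == 0 &&
            strcmp(PERMITS[i].user_id, user_id) == 0)
            return true;
    return false;
}

/* client: identity in the task's client ACEE; server: address-space identity. */
bool access_allowed(enum client_acee kind, const char *client,
                    const char *server, const char *resource)
{
    if (!permitted(client, resource))
        return false;                          /* first check fails */
    if (kind == UNAUTHENTICATED)
        return permitted(server, resource);    /* second check: server ACEE */
    return true;               /* authenticated: only the client ACEE is used */
}

int main(void)
{
    static const char *res[] = { "PAYROLL.DATA", "ORDERS.DATA", "ALICE.NOTES" };
    for (size_t i = 0; i < 3; i++)
        printf("%-13s unauthenticated=%d authenticated=%d\n", res[i],
               access_allowed(UNAUTHENTICATED, "ALICE", "SRVAPP", res[i]),
               access_allowed(AUTHENTICATED, "ALICE", "SRVAPP", res[i]));
    return 0;
}
```

In the model, an unauthenticated client gets only what both identities are
permitted to (ORDERS.DATA), so the server's broader access to PAYROLL.DATA is
never lent to the client. An authenticated client is checked alone, so it also
reaches ALICE.NOTES, which the server itself is not permitted to.
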
New Application Services and Security
Through OS/390 OpenEdition MVS, the C run time library, and RACF, two new
services are available that enable application servers on OS/390 to:

   - Map a DCE identity to a RACF user ID, or map a RACF user ID to a DCE
     identity
   - Invoke RACF authorization services

The service convert_id_np (BPX1CID) is the OS/390 OpenEdition MVS callable
service that converts a DCE principal's UUID pair (cell UUID and principal UUID) to
the RACF user ID that has been cross linked with the UUID pair. This service also
accepts a RACF user ID and returns the corresponding DCE UUIDs. This OS/390
OpenEdition service is also supported through the C runtime library via the
__convert_id_np() function call. The use of these mapping functions is
RACF-protected.
52 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration