
List of attachments

|| Kind || Attachment Name || Size || Version || Date Modified || Author || Change note
| jar | racfloginmodule.jar | 20.4 kB | 1 | 18-Feb-2009 07:44 | Harry Metske | properly handle return/reason codes
| jar | racfrealm.jar | 15.6 kB | 1 | 17-Feb-2009 07:38 | Harry Metske | a new version that uses JUL instead of commons-logging

This page (revision-10) was last changed on 06-May-2013 21:54 by Harry Metske  

This page was created on 11-Feb-2009 08:55 by Harry Metske


Difference between version and

At line 1 changed one line
!!! Running JSPWiki on the Mainframe
!!! Running JSPWiki on the Mainframe (z/OS)
At line 10 changed one line
* z/OS (formerly called OS/390 and MVS
* z/OS (formerly called OS/390 and MVS)
At line 35 added one line
* reuse your existing system management goodies like WLM and SMF
At line 97 changed 11 lines
if [ $ACTION != stop ]
then
echo "using JMX port $JMXPORT"
export JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=/var/tomcat$ID/conf/jaas.config \
-Ddb2.jcc.propertiesFile=/var/tomcat$ID/conf/db2.jcc.properties \
-Dcom.sun.management.jmxremote.port=$JMXPORT \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.password.file=/var/tomcat$ID/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=/var/tomcat$ID/conf/jmxremote.access"
fi
export CATALINA_OPTS="$CATALINA_OPTS -Djava.security.auth.login.config=/var/tomcat$ID/conf/jaas.config \
-Ddb2.jcc.propertiesFile=/var/tomcat$ID/conf/db2.jcc.properties \
-Dcom.sun.management.jmxremote.port=$JMXPORT \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.password.file=/var/tomcat$ID/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=/var/tomcat$ID/conf/jmxremote.access"
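Review bot: dropping the `if [ $ACTION != stop ]` guard together with the move from JAVA_OPTS to CATALINA_OPTS is consistent, since catalina.sh reads CATALINA_OPTS only on the start path, so the stop invocation no longer tries to claim the JMX port and the guard has nothing left to do. Two points the new block should still state: with `-Dcom.sun.management.jmxremote.ssl=false` the whole JMX/RMI session, including the password that `jmxremote.authenticate=true` demands, crosses the network in clear, so the port should be reachable only from the management hosts or SSL should be enabled; and the JVM refuses to start unless /var/tomcat$ID/conf/jmxremote.password is readable only by the user running Tomcat, so the instructions should say to chmod 600 it before the first start.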
At line 124 changed one line
\\So here are some options to use your SAF security system (RACF, ACF2, TopSecret).
\\So here are some options to use your SAF security system (RACF, ACF2, ~TopSecret).
At line 130 changed one line
Just drop this jar file in tomcat's lib directory and configure the following (example) in your server.xml:
* drop this jar file in tomcat's lib directory
* configure the following (example) in your server.xml:
At line 139 changed one line
<Realm className="nl.rabobank.hdw.tomcat.realm.RACFRealm"/>
<!--Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/-->
<Realm className="nl.rabobank.hdw.tomcat.realm.RACFRealm"/>
At line 144 added 2 lines
So ,you should replace the ~UserDatabaseRealm with the RACFRealm.
* create an EJBROLE class profile with the name <userid>.<roleName> and permit users/groups.\\So if your tomcat runs with userid TOMCAT75, you need profile TOMCAT75.manager for the manager application.
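Review bot: the new bullet says to "permit users/groups" to the <userid>.<roleName> EJBROLE profile but not at which access level, and the example TOMCAT75.manager mixes cases without saying whether that matters. State the access level the RACFRealm actually checks for, so administrators grant the minimum, and say explicitly that EJBROLE profile names are case-sensitive (TOMCAT75.manager and TOMCAT75.MANAGER are different profiles), since a case mismatch here fails silently as "not in role".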
At line 146 changed one line
If you want to use this for JSPWiki, simply enable Container Managed Authentication in the web.xml (see the web.xml for instructions)
If you want to use this for JSPWiki, simply enable Container Managed Authentication in the web.xml (see the web.xml for instructions), and create profiles for the roleNames that are mentioned in JSPWiki's web.xml (Admin / Authenticated)
At line 154 changed one line
The JAAS login module is just what it says. It's an implementation of the ''javax.security.auth.spi.LoginModule''.
The JAAS login module is just what it says. It's an implementation of the ''javax.security.auth.spi.~LoginModule''.
At line 157 changed one line
* drop the attached [racfloginmodule|racfloginmodule.jar] in tomcat's lib directory
* drop the attached [racfloginmodule| racfloginmodule.jar] in tomcat's lib directory
At line 168 added 4 lines
As an alternative you can also use IBM's JAAS loginmodule ''com.ibm.security.auth.module.OS390LoginModule''.
\\You can find more on this in a ~RedBook SG24-7610: [Java Security on z/OS - The Complete View|http://www.redbooks.ibm.com/redbooks/pdfs/sg247610.pdf].
\\This module however does not pass back messages on failed logins.
At line 197 changed one line
\\The easiest way to check this is use your favorite Editor (UltraEdit or something else) and convert them to Unix format.
\\The easiest way to check this is use your favorite Editor (~UltraEdit or something else) and convert them to Unix format.
At line 215 added 52 lines
! MVS Program Control
To validate a userid/password you have to call an MVS authorized function (RACINIT).
\\For this to succeed, the environment must be "program controlled", see the chapter on the __BPX.DAEMON FACILITY__ in the __UNIX System Services Planning__ guide :
{{{
If the BPX.DAEMON resource in the FACILITY class is defined, your system has z/OS UNIX security.
Your system can exercise more control over your superusers.
}}}
\\If you have chosen for this security level, the following must be set up in advance :
* all loadlibraries from which modules get loaded in the address space must be RACF PADS protected
* all dll's loaded from the file system must have their program control bit on (use shellcmd ''extattr +p blabla.so'')
* all filesystems that have dll's that are loaded must be mounted with the setuid attibute (''mount -s setuid ...''), this the default BTW
* the userid that runs the wiki must have a READ permit on the FACILITY class BPX.DAEMON
If you fail one of these requirements, check the MVS SYSLOG for the following possible symptoms :
{{{
ICH420I PROGRAM CELHV003 FROM LIBRARY CEE.SCEERUN2 CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
}}}
{{{
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
}}}
{{{
BPXP015I HFS PROGRAM /A0/usr/lpp/java/J6.0_64/lib/s390x/libwrappers.so
IS NOT MARKED PROGRAM CONTROLLED.
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON)
PROCESSING.
}}}
You can check with the following :
* use ''ls -E'' , the "p" (program control) must be present in the mode bits
{{{
metskem@xat1:/usr/lpp/java/J6.0_64>ls -E ./bin/j9vm/libjvm.so
-rwxr-xr-x aps- 1 $$BPXRT OMVS 225280 Nov 8 06:21 ./bin/j9vm/libjvm.so
}}}
* use df -v to check the mount attributes (the second display shows the __no SUID__):
{{{
metskem@xat1:/usr/lpp/java/J6.0_64>df -v .
Mounted on Filesystem Avail/Total Files Status
/A0/usr/lpp/java/J6.0_64 (SYS8.OMVS.JAVA16.A0) 11216/868320 4294962897 Available
HFS, Read Only, Device:14437, ACLS=Y
File System Owner : XAT1 Automove=Y Client=N
Filetag : T=off codeset=0
metskem@xat1:/usr/lpp/java/J6.0_64>df -v /var/tomcat00/
Mounted on Filesystem Avail/Total Files Status
/XAT1/var/tomcat00 (SYSTEM.XAT1.HFS.VAR.TOMCAT00) 736312/1792800 4294966301 Available
HFS, Read/Write, Device:14533, ACLS=Y, No SUID
File System Owner : XAT1 Automove=U Client=N
Filetag : T=off codeset=0
}}}
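Review bot: the first requirement bullet says the load libraries must be "RACF PADS protected", but what BPX.DAEMON requires is that they be program-controlled, i.e. defined in the PROGRAM class; PADS (program access to data sets) is a different control, and the ICH420I message quoted further down is the program-control one, so the bullet should say PROGRAM class. Smaller points in the same block: the "p" that `ls -E` shows is in the extended-attribute field (the `aps-` column in the sample), not in the mode bits, and the mount bullet has typos ("attibute", "this the default BTW"). Finally, READ on BPX.DAEMON is the permission that lets a controlled address space change to another identity, so the bullet should add that the wiki's userid must be a dedicated one used for nothing else; the No SUID shown for /var/tomcat00 in the second df output is fine for a filesystem that holds only configuration, but not for one from which any .so is loaded.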
Version history

|| Version || Date Modified || Size || Author || Change note
| 10 | 06-May-2013 21:54 | 11.905 kB | Harry Metske | restored previous version
| 9 | 11-Jul-2012 16:26 | 11.905 kB | 217.111.83.124 |
| 8 | 27-Oct-2009 22:45 | 11.905 kB | Harry Metske | few corrections / enhancements
| 7 | 15-Apr-2009 19:00 | 11.826 kB | Harry Metske | use CATALINA_OPTS instead of JAVA_OPTS (is used only with startup)
| 6 | 28-Feb-2009 17:16 | 11.896 kB | Harry Metske | com.ibm.security.auth.module.OS390LoginModule
| 5 | 18-Feb-2009 08:12 | 11.561 kB | Harry Metske | typo
| 4 | 18-Feb-2009 08:12 | 11.56 kB | Harry Metske | additional instructions for program control
| 3 | 13-Feb-2009 11:33 | 8.916 kB | Harry Metske |
| 2 | 11-Feb-2009 09:08 | 8.727 kB | Harry Metske | added ejbrole instructions
| 1 | 11-Feb-2009 08:55 | 8.424 kB | Harry Metske |