At line 1 changed one line |
!!! Running JSPWiki on the Mainframe |
!!! Running JSPWiki on the Mainframe (z/OS) |
At line 10 changed one line |
* z/OS (formerly called OS/390 and MVS |
* z/OS (formerly called OS/390 and MVS) |
At line 35 added one line |
* reuse your existing system management goodies like WLM and SMF |
At line 97 changed 11 lines |
if [ $ACTION != stop ] |
then |
echo "using JMX port $JMXPORT" |
export JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=/var/tomcat$ID/conf/jaas.config \ |
-Ddb2.jcc.propertiesFile=/var/tomcat$ID/conf/db2.jcc.properties \ |
-Dcom.sun.management.jmxremote.port=$JMXPORT \ |
-Dcom.sun.management.jmxremote.ssl=false \ |
-Dcom.sun.management.jmxremote.authenticate=true \ |
-Dcom.sun.management.jmxremote.password.file=/var/tomcat$ID/conf/jmxremote.password \ |
-Dcom.sun.management.jmxremote.access.file=/var/tomcat$ID/conf/jmxremote.access" |
fi |
export CATALINA_OPTS="$CATALINA_OPTS -Djava.security.auth.login.config=/var/tomcat$ID/conf/jaas.config \ |
-Ddb2.jcc.propertiesFile=/var/tomcat$ID/conf/db2.jcc.properties \ |
-Dcom.sun.management.jmxremote.port=$JMXPORT \ |
-Dcom.sun.management.jmxremote.ssl=false \ |
-Dcom.sun.management.jmxremote.authenticate=true \ |
-Dcom.sun.management.jmxremote.password.file=/var/tomcat$ID/conf/jmxremote.password \ |
-Dcom.sun.management.jmxremote.access.file=/var/tomcat$ID/conf/jmxremote.access" |
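Review bot: both the old JAVA_OPTS block and the new CATALINA_OPTS block set `-Dcom.sun.management.jmxremote.ssl=false` together with `-Dcom.sun.management.jmxremote.authenticate=true`, so the credentials from `/var/tomcat$ID/conf/jmxremote.password` travel in clear text over the RMI connection on `$JMXPORT`; either set `ssl=true` with a keystore or state that the port must be reachable only from the management hosts. The password file also has to be readable by the Tomcat userid alone (mode 600), otherwise the JVM refuses to start with "Password file read access must be restricted". Moving the options from JAVA_OPTS into CATALINA_OPTS is the right fix for the `stop` case, because catalina.sh passes CATALINA_OPTS only to the start command, so the old `if [ $ACTION != stop ]` guard is no longer needed and its removal should be mentioned in the text.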
At line 124 changed one line |
\\So here are some options to use your SAF security system (RACF, ACF2, TopSecret). |
\\So here are some options to use your SAF security system (RACF, ACF2, ~TopSecret). |
At line 140 changed one line |
<Realm className="nl.rabobank.hdw.tomcat.realm.RACFRealm"/> |
<!--Realm className="org.apache.catalina.realm.UserDatabaseRealm" |
resourceName="UserDatabase"/--> |
|
<Realm className="nl.rabobank.hdw.tomcat.realm.RACFRealm"/> |
At line 144 added one line |
So ,you should replace the ~UserDatabaseRealm with the RACFRealm. |
At line 156 changed one line |
The JAAS login module is just what it says. It's an implementation of the ''javax.security.auth.spi.LoginModule''. |
The JAAS login module is just what it says. It's an implementation of the ''javax.security.auth.spi.~LoginModule''. |
At line 159 changed one line |
* drop the attached [racfloginmodule|racfloginmodule.jar] in tomcat's lib directory |
* drop the attached [racfloginmodule| racfloginmodule.jar] in tomcat's lib directory |
At line 168 added 4 lines |
|
As an alternative you can also use IBM's JAAS loginmodule ''com.ibm.security.auth.module.OS390LoginModule''. |
\\You can find more on this in a ~RedBook SG24-7610: [Java Security on z/OS - The Complete View|http://www.redbooks.ibm.com/redbooks/pdfs/sg247610.pdf]. |
\\This module however does not pass back messages on failed logins. |
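Review bot: the last line presents the fact that OS390LoginModule does not pass back messages on failed logins as a drawback; the text should add that for the login form this is acceptable, and arguably preferable, since a generic failure message does not tell the caller whether the userid exists or only the password was wrong. The detailed reason belongs in the server log, not in the response to the user.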
At line 199 changed one line |
\\The easiest way to check this is use your favorite Editor (UltraEdit or something else) and convert them to Unix format. |
\\The easiest way to check this is use your favorite Editor (~UltraEdit or something else) and convert them to Unix format. |
At line 215 added 52 lines |
|
! MVS Program Control |
|
To validate a userid/password you have to call an MVS authorized function (RACINIT). |
\\For this to succeed, the environment must be "program controlled", see the chapter on the __BPX.DAEMON FACILITY__ in the __UNIX System Services Planning__ guide : |
{{{ |
If the BPX.DAEMON resource in the FACILITY class is defined, your system has z/OS UNIX security. |
Your system can exercise more control over your superusers. |
}}} |
\\If you have chosen for this security level, the following must be set up in advance : |
* all loadlibraries from which modules get loaded in the address space must be RACF PADS protected |
* all dll's loaded from the file system must have their program control bit on (use shellcmd ''extattr +p blabla.so'') |
* all filesystems that have dll's that are loaded must be mounted with the setuid attibute (''mount -s setuid ...''), this the default BTW |
* the userid that runs the wiki must have a READ permit on the FACILITY class BPX.DAEMON |
|
If you fail one of these requirements, check the MVS SYSLOG for the following possible symptoms : |
|
{{{ |
ICH420I PROGRAM CELHV003 FROM LIBRARY CEE.SCEERUN2 CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED. |
}}} |
{{{ |
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING. |
}}} |
{{{ |
BPXP015I HFS PROGRAM /A0/usr/lpp/java/J6.0_64/lib/s390x/libwrappers.so |
IS NOT MARKED PROGRAM CONTROLLED. |
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) |
PROCESSING. |
}}} |
|
You can check with the following : |
* use ''ls -E'' , the "p" (program control) must be present in the mode bits |
{{{ |
metskem@xat1:/usr/lpp/java/J6.0_64>ls -E ./bin/j9vm/libjvm.so |
-rwxr-xr-x aps- 1 $$BPXRT OMVS 225280 Nov 8 06:21 ./bin/j9vm/libjvm.so |
}}} |
* use df -v to check the mount attributes (the second display shows the __no SUID__): |
{{{ |
metskem@xat1:/usr/lpp/java/J6.0_64>df -v . |
Mounted on Filesystem Avail/Total Files Status |
/A0/usr/lpp/java/J6.0_64 (SYS8.OMVS.JAVA16.A0) 11216/868320 4294962897 Available |
HFS, Read Only, Device:14437, ACLS=Y |
File System Owner : XAT1 Automove=Y Client=N |
Filetag : T=off codeset=0 |
|
metskem@xat1:/usr/lpp/java/J6.0_64>df -v /var/tomcat00/ |
Mounted on Filesystem Avail/Total Files Status |
/XAT1/var/tomcat00 (SYSTEM.XAT1.HFS.VAR.TOMCAT00) 736312/1792800 4294966301 Available |
HFS, Read/Write, Device:14533, ACLS=Y, No SUID |
File System Owner : XAT1 Automove=U Client=N |
Filetag : T=off codeset=0 |
}}} |
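Review bot: the fourth requirement, READ on BPX.DAEMON for the userid that runs the wiki, grants more than password validation: a process with that permit can assume other users' identities without their passwords (setuid and related services), so the section should state that this must be a dedicated userid with no other privileges and that the permit is reviewed like a superuser definition. Two details the checklist would benefit from: the `+p` attribute set with `extattr +p` is cleared when the file is modified or replaced, so a Java or Tomcat upgrade silently brings the `BPXP015I ... IS NOT MARKED PROGRAM CONTROLLED` symptom back and the `ls -E` check should be repeated after every update; and in the `ls -E` listing the `p` in the `aps-` field is the program control bit, which could be pointed out in the bullet above it.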