| At line 1 changed one line |
| !!! Running JSPWiki on the Mainframe |
| !!! Running JSPWiki on the Mainframe (z/OS) |
| At line 10 changed one line |
| * z/OS (formerly called OS/390 and MVS |
| * z/OS (formerly called OS/390 and MVS) |
| At line 35 added one line |
| * reuse your existing system management goodies like WLM and SMF |
| At line 97 changed 11 lines |
| if [ $ACTION != stop ] |
| then |
| echo "using JMX port $JMXPORT" |
| export JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=/var/tomcat$ID/conf/jaas.config \ |
| -Ddb2.jcc.propertiesFile=/var/tomcat$ID/conf/db2.jcc.properties \ |
| -Dcom.sun.management.jmxremote.port=$JMXPORT \ |
| -Dcom.sun.management.jmxremote.ssl=false \ |
| -Dcom.sun.management.jmxremote.authenticate=true \ |
| -Dcom.sun.management.jmxremote.password.file=/var/tomcat$ID/conf/jmxremote.password \ |
| -Dcom.sun.management.jmxremote.access.file=/var/tomcat$ID/conf/jmxremote.access" |
| fi |
| export CATALINA_OPTS="$CATALINA_OPTS -Djava.security.auth.login.config=/var/tomcat$ID/conf/jaas.config \ |
| -Ddb2.jcc.propertiesFile=/var/tomcat$ID/conf/db2.jcc.properties \ |
| -Dcom.sun.management.jmxremote.port=$JMXPORT \ |
| -Dcom.sun.management.jmxremote.ssl=false \ |
| -Dcom.sun.management.jmxremote.authenticate=true \ |
| -Dcom.sun.management.jmxremote.password.file=/var/tomcat$ID/conf/jmxremote.password \ |
| -Dcom.sun.management.jmxremote.access.file=/var/tomcat$ID/conf/jmxremote.access" |
| At line 124 changed one line |
| \\So here are some options to use your SAF security system (RACF, ACF2, TopSecret). |
| \\So here are some options to use your SAF security system (RACF, ACF2, ~TopSecret). |
| At line 140 changed one line |
| <Realm className="nl.rabobank.hdw.tomcat.realm.RACFRealm"/> |
| <!--Realm className="org.apache.catalina.realm.UserDatabaseRealm" |
| resourceName="UserDatabase"/--> |
|
| <Realm className="nl.rabobank.hdw.tomcat.realm.RACFRealm"/> |
| At line 144 added one line |
| So ,you should replace the ~UserDatabaseRealm with the RACFRealm. |
| At line 156 changed one line |
| The JAAS login module is just what it says. It's an implementation of the ''javax.security.auth.spi.LoginModule''. |
| The JAAS login module is just what it says. It's an implementation of the ''javax.security.auth.spi.~LoginModule''. |
| At line 159 changed one line |
| * drop the attached [racfloginmodule|racfloginmodule.jar] in tomcat's lib directory |
| * drop the attached [racfloginmodule| racfloginmodule.jar] in tomcat's lib directory |
| At line 168 added 4 lines |
|
| As an alternative you can also use IBM's JAAS loginmodule ''com.ibm.security.auth.module.OS390LoginModule''. |
| \\You can find more on this in a ~RedBook SG24-7610: [Java Security on z/OS - The Complete View|http://www.redbooks.ibm.com/redbooks/pdfs/sg247610.pdf]. |
| \\This module however does not pass back messages on failed logins. |
| At line 199 changed one line |
| \\The easiest way to check this is use your favorite Editor (UltraEdit or something else) and convert them to Unix format. |
| \\The easiest way to check this is use your favorite Editor (~UltraEdit or something else) and convert them to Unix format. |
| At line 215 added 52 lines |
|
| ! MVS Program Control |
|
| To validate a userid/password you have to call an MVS authorized function (RACINIT). |
| \\For this to succeed, the environment must be "program controlled", see the chapter on the __BPX.DAEMON FACILITY__ in the __UNIX System Services Planning__ guide : |
| {{{ |
| If the BPX.DAEMON resource in the FACILITY class is defined, your system has z/OS UNIX security. |
| Your system can exercise more control over your superusers. |
| }}} |
| \\If you have chosen for this security level, the following must be set up in advance : |
| * all loadlibraries from which modules get loaded in the address space must be RACF PADS protected |
| * all dll's loaded from the file system must have their program control bit on (use shellcmd ''extattr +p blabla.so'') |
| * all filesystems that have dll's that are loaded must be mounted with the setuid attibute (''mount -s setuid ...''), this the default BTW |
| * the userid that runs the wiki must have a READ permit on the FACILITY class BPX.DAEMON |
|
| If you fail one of these requirements, check the MVS SYSLOG for the following possible symptoms : |
|
| {{{ |
| ICH420I PROGRAM CELHV003 FROM LIBRARY CEE.SCEERUN2 CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED. |
| }}} |
| {{{ |
| BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING. |
| }}} |
| {{{ |
| BPXP015I HFS PROGRAM /A0/usr/lpp/java/J6.0_64/lib/s390x/libwrappers.so |
| IS NOT MARKED PROGRAM CONTROLLED. |
| BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) |
| PROCESSING. |
| }}} |
|
| You can check with the following : |
| * use ''ls -E'' , the "p" (program control) must be present in the mode bits |
| {{{ |
| metskem@xat1:/usr/lpp/java/J6.0_64>ls -E ./bin/j9vm/libjvm.so |
| -rwxr-xr-x aps- 1 $$BPXRT OMVS 225280 Nov 8 06:21 ./bin/j9vm/libjvm.so |
| }}} |
| * use df -v to check the mount attributes (the second display shows the __no SUID__): |
| {{{ |
| metskem@xat1:/usr/lpp/java/J6.0_64>df -v . |
| Mounted on Filesystem Avail/Total Files Status |
| /A0/usr/lpp/java/J6.0_64 (SYS8.OMVS.JAVA16.A0) 11216/868320 4294962897 Available |
| HFS, Read Only, Device:14437, ACLS=Y |
| File System Owner : XAT1 Automove=Y Client=N |
| Filetag : T=off codeset=0 |
|
| metskem@xat1:/usr/lpp/java/J6.0_64>df -v /var/tomcat00/ |
| Mounted on Filesystem Avail/Total Files Status |
| /XAT1/var/tomcat00 (SYSTEM.XAT1.HFS.VAR.TOMCAT00) 736312/1792800 4294966301 Available |
| HFS, Read/Write, Device:14533, ACLS=Y, No SUID |
| File System Owner : XAT1 Automove=U Client=N |
| Filetag : T=off codeset=0 |
| }}} |
