The security administrator has the option of enforcing the use of bot application server's RACF identityand the RACF identity of the client in resourc access control decisions.
RACF | support | for OS/390 OpenEdition DCE introduces new indicators in the |
ACEE. | These | indicators mark the ACEE clientas a ACEE. Client ACEEs are |
created by OS/390 OpenEdition and RACF on behalf of multithreaded unauth
application servers | on OS/390. | Client ACEEs can only be created through the | |
OS/390 OpenEdition | pthread_security_np | callable service or | |
pthread_security_np() | C | language | function call. |
There are two types of client ACEEs:
ŸUnauthenticated client ACEE
When an | unauthenticated client | ACEE | is | used | in | an | access | control | dec | ||||||
two | authorization | checks | occur. |
|
|
|
|
|
|
|
|
| |||
– | The | first check uses the client | ACEE. This | is | the ACEE | that | is | ass | |||||||
| with the current task. If the request is successful, the secon | ||||||||||||||
| performed. |
|
|
|
|
|
|
|
|
|
|
|
|
| |
– | The | second check | uses | the | ACEE | associated | with | the | server. This | ||||||
| same | ACEE that | is | associated | with | the | application | server's | addres | ||||||
The automatic checking of both the client's identity and the server performed for RACF resources defined to RACF via profiles and for OpenEdition resources, such as hierarchical file system files (HFS), access is governed by POSIX permission bits.
ŸAuthenticated client ACEE
When an authenticated client ACEE | is used in an access control decis |
this ACEE is used in the access | control decision. |
An authenticated client ACEE is created when the client of the serv application has supplied its RACF password (or RACF PassTicket) to the
application | server. | The | application | server | specifies the client's RACF | ||||||
(or | RACF | PassTicket) | on | pthreadthe _security_np | OS/390 | OpenEdition |
| ||||
callable | service or on | the pthreadC languagesecurity_np() |
| function | call. | ||||||
Possession |
| of the | client's RACF | password | (or | RACF PassTicket) indicates | |||||
the | client | trusts | the | server | to | act | on | the client's | behalf. | ||
New Application Services and Security
Through OS/390 OpenEdition MVS, the C run time library, and RACF, two new services are available that enable application servers on OS/390 to:
ŸMap a DCE identity to a RACF user ID, or map a RACF user ID to a identity
ŸInvoke RACF authorization services
The service convert_id_np (BPX1CID) is the OS/390 OpenEdition MVS callable service that converts a DCE principal's UUID pair (cell UUID and pr the RACF user ID that has been cross linked with the UUID pair. Th accepts a RACF user ID and returns the corresponding DCE UUIDs. This OpenEdition service is also supported through the C runtime library via __convert_id_np() function call. The use of these mapping functions is
52 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration