Hi Sue,
Thanks for the clarification. Please can SMF123S1_USER_NAME_MAPPED have the userid regardless of where it came from?
I am trying to process the SMF records, and instead of printing out the "userid" I currently have to do:
If SMF123S1_USER_NAME_MAPPED is not blank, and SMF123S1_USER_NAME is blank
then use SMF123S1_USER_NAME_MAPPED
else use SMF123S1_USER_NAME.
This makes it difficult if you are using tools like ICETOOL which just prints the records, and has no if then logic.
For the certificate authentication, I can see from the trace that Liberty knows about the DN in the certificate. Would it be possible to extract this, and put it in the SMF123S1_USER_NAME?
I cannot get a mapping from RACF of the certificate to userid, so currently I do not know the identification of the requestor. Many users can map to the same SAF userid. z/OS Connect does not meet the strictest security standards where you have to be able to uniquely identify the requestor.
------------------------------
Colin Paice
------------------------------
Original Message:
Sent: Fri September 25, 2020 03:56 AM
From: Sue BAYLISS
Subject: SMF data has wrong user information
Hi Colin,
When using a TLS certificate and a safRegistry to authenticate to a z/OS Connect EE server the SMF values will be as you are seeing:
- SMF123S1_USER_NAME = the authenticated user name (SAF user ID) associated with the certificate
- SMF123S1_USER_NAME_MAPPED = will be blank
This is because z/OS Connect EE uses WebSphere Liberty function for SAF authentication, which does not consider the fact that a TLS certificate is associated with a SAF user ID as a user mapping.
If instead, you had used a distributed ID (for example an LDAP identity) and a safRegistry to authenticate to a z/OS Connect EE server then the SMF values will be as follows:
- SMF123S1_USER_NAME = the Distributed ID
- SMF123S1_USER_NAME_MAPPED = the authenticated user name (SAF user ID) mapped (e.g. using RACMAP) to the Distributed ID
We will review the product documentation, to try to make it clearer what values these fields will contain.
Regards, Sue
------------------------------
Sue Bayliss
IBM z/OS Connect EE
Original Message:
Sent: Thu September 24, 2020 06:21 AM
From: Colin Paice
Subject: SMF data has wrong user information
I used certificates to connect to z/OS Connect and use services.
The sample program reports
SMF123S1_USER_NAME = ADCDC
SMF123S1_USER_NAME_MAPPED =
which is not what I would expect. I identify using a certificate... which is mapped using RACDCERT Mapping to ADCDC
I would expect
SMF123S1_USER_NAME="CN=ADCDD.O=cpwebuser.C=GB"
SMF123S1_USER_NAME_MAPPED = ADCDC
regards
Colin
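
The field semantics discussed in this thread, as an added example that is not part of the original posts or of IBM's sample program: it resolves the SAF user ID from the two fields and counts, per SAF user ID, how many records carry no identity beyond that ID. The code page, the 64-byte field width, the function names and the sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

CODEPAGE = "cp037"  # assumption: EBCDIC code page of the extracted fields

def field(raw: bytes) -> str:
    """Decode one blank-padded EBCDIC field to a stripped string."""
    return raw.decode(CODEPAGE).strip()

def resolve(user_name: str, mapped: str):
    """Return (saf_userid, requester_id) for one record.

    Distributed ID case: USER_NAME is the distributed ID and
    USER_NAME_MAPPED is the SAF user ID.
    Otherwise (SAF or certificate authentication): USER_NAME is the SAF
    user ID, USER_NAME_MAPPED is blank, and nothing beyond the SAF user ID
    identifies the requester, so requester_id is None.
    """
    if mapped:
        return mapped, (user_name or None)
    return user_name, None

def audit(records):
    """Group (USER_NAME, USER_NAME_MAPPED) byte pairs by SAF user ID."""
    report = defaultdict(lambda: {"requesters": set(), "saf_only": 0})
    for raw_name, raw_mapped in records:
        saf, requester = resolve(field(raw_name), field(raw_mapped))
        if requester is None:
            report[saf]["saf_only"] += 1   # requester not distinguishable
        else:
            report[saf]["requesters"].add(requester)
    return dict(report)

def pad(text: str, width: int = 64) -> bytes:
    """Build a constructed fixed-width field (width is illustrative only)."""
    return text.ljust(width).encode(CODEPAGE)

# Constructed sample records, not taken from a real SMF dump.
SAMPLE = [
    (pad("ADCDC"), pad("")),                     # certificate + safRegistry
    (pad("ADCDC"), pad("")),                     # another certificate, same SAF ID
    (pad("uid=user1,o=example"), pad("ADCDC")),  # distributed ID mapped to ADCDC
    (pad(""), pad("ADCDD")),                     # only the mapped field filled
]

if __name__ == "__main__":
    for saf, info in audit(SAMPLE).items():
        print(saf, sorted(info["requesters"]), info["saf_only"])
```

A non-zero `saf_only` count marks requests where the record alone cannot separate individual requesters sharing that SAF user ID.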