API requester authentication and identification

Learn how requests in API requester scenarios are authenticated and identified.

Before you study this topic, you should be familiar with the information in Overview of IBM z/OS Connect security.

Applies to zosConnect-2.0.

Requests can be authenticated:
  • Between the CICS®, IMS, or z/OS application and the IBM® z/OS Connect server.
  • Between the z/OS Connect server and the RESTful API endpoint.

Refer to API requester authentication options for details of the authentication options.

Authentication and identification between the client application and the IBM z/OS Connect server

When implementing authentication and identification, you can consider:
  • User registries. These store information about users and groups that can be used for authentication and authorization. Typically a System Authorization Facility (SAF) registry is used with z/OS Connect, although IBM z/OS Connect also supports Basic user registry and Lightweight Directory Access Protocol (LDAP) user registry. For more information about configuring user registries, see User registries.
  • Caching authentication credentials. An authentication cache is provided to store a subject after successful authentication of a user, to reduce the potential performance impact of creating a subject. For more information, see Configuring the authentication cache in Liberty in the WebSphere Application Server for z/OS Liberty documentation.
  • Identity assertion. If you want to invoke an API requester from a z/OS application by using the ID that is provided in the application context, you can use the identity assertion function. For more information, see Identity assertion for API requesters.

By default, z/OS Connect requires that all requests are authenticated. Successful authentication that uses any of the supported authentication methods results in an authenticated user ID being associated with the request. The authenticated user ID is also checked to ensure that it is authorized to access IBM z/OS Connect.

Authentication is governed by the requireAuth attribute of the zosconnect_zosConnectManager element in the server.xml configuration file. If this attribute is set to true, all requests to an IBM z/OS Connect server are authenticated. You can override this global setting by specifying the requireAuth attribute on the zosconnect_apiRequesters element, which applies to all API requesters, or on the apiRequester element for a particular API requester. The setting for a particular requester takes precedence over the setting for all API requesters, which in turn takes precedence over the global setting.
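The following added example (not part of the IBM documentation or product) resolves the effective requireAuth setting for each API requester from a constructed server.xml fragment, applying the precedence described above; it is useful for reviewing a configuration for requesters that end up unauthenticated. The element and attribute names requireAuth, zosconnect_zosConnectManager, zosconnect_apiRequesters and apiRequester come from this page; the nesting of apiRequester inside zosconnect_apiRequesters and the name attribute are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for illustration only. The global setting
# requires authentication, the apiRequesters group switches it off, and one
# particular requester switches it back on.
SERVER_XML = """<server>
  <zosconnect_zosConnectManager requireAuth="true"/>
  <zosconnect_apiRequesters requireAuth="false">
    <apiRequester name="publicLookup"/>
    <apiRequester name="payments" requireAuth="true"/>
  </zosconnect_apiRequesters>
</server>"""


def _parse_bool(value):
    """Map an XML attribute value to True/False, or None when it is absent."""
    if value is None:
        return None
    return value.strip().lower() == "true"


def effective_require_auth(server_xml):
    """Return {requester name: bool} using the precedence from the text:
    apiRequester > zosconnect_apiRequesters > zosconnect_zosConnectManager.
    When nothing is configured, z/OS Connect requires authentication by default."""
    root = ET.fromstring(server_xml)
    global_setting = True
    manager = root.find("zosconnect_zosConnectManager")
    if manager is not None and _parse_bool(manager.get("requireAuth")) is not None:
        global_setting = _parse_bool(manager.get("requireAuth"))

    result = {}
    for group in root.findall("zosconnect_apiRequesters"):
        group_setting = _parse_bool(group.get("requireAuth"))
        for req in group.findall("apiRequester"):  # nesting is an assumption
            own = _parse_bool(req.get("requireAuth"))
            if own is not None:
                effective = own            # particular requester wins
            elif group_setting is not None:
                effective = group_setting  # then the all-requesters setting
            else:
                effective = global_setting  # then the global manager setting
            result[req.get("name")] = effective
    return result


def unauthenticated_requesters(server_xml):
    """Names of requesters whose requests are not authenticated; review these."""
    return sorted(n for n, v in effective_require_auth(server_xml).items() if not v)
```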

Authentication between the z/OS Connect server and the RESTful API endpoint

Credentials can be supplied by the client application, configured in server.xml, obtained from a third-party authorization server by IBM z/OS Connect, or generated by IBM z/OS Connect.