1 reply, latest post 2017-01-25T09:29:53Z by bayliss

JibinJacob
30 Posts

Pinned topic How the API Security is achieved through RACF

2017-01-24T13:50:39Z

Hi,

Could you please explain how I can achieve security through RACF if I am creating an API with z/OS Connect?

Suppose there are 10 users. Each user has been given access to some specific functionalities (this is in RACF). Authentication is also done by RACF (by user ID and password, which are stored in RACF).

How can I access RACF to authenticate my user ID and password, which are the input fields for the Login API? Are there any IBM-supplied utility programs for accessing RACF from application programs?

I have gone through the links below; sorry, I am getting confused.

https://developer.ibm.com/mainframe/docs/securing-apis/securing-apis-with-zos-connect-ee/

http://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.wlp.zseries.doc/ae/twlp_zconnect_security.html


Please explain the process.

Thanks,

Jibin


Updated on 2017-01-24T13:51:33Z at 2017-01-24T13:51:33Z by JibinJacob
  • bayliss
    37 Posts
    ACCEPTED ANSWER

    Re: How the API Security is achieved through RACF

    2017-01-25T09:29:53Z

    Hi Jibin,

    There are several pieces to enabling authentication and authorization of users using RACF in z/OS Connect EE:

    1. Enabling RACF users to be authenticated (basic authentication) with RACF when they connect to a z/OS Connect EE server and be authorized to use the z/OS Connect EE functionality.
    2. Enabling authenticated RACF users/groups to then be authorized in an admin, operations, invoke or reader role for one or more APIs.

    To enable this, the systems administrator must perform some prerequisite actions, which include defining RACF access and ensuring that the Angel process is running. It also requires some elements to be added to the server.xml configuration file. See "Configuring security using SAF registries" https://www.ibm.com/support/knowledgecenter/SS4SVW_beta/com.ibm.zosconnect.doc/securing/config_security_saf.html for more details of the RACF requirements and an example configuration.


    The key points regarding configuring whether an authenticated RACF user is authorized to perform a specific action on a specific API are:

    1. Indicate that authentication is required when performing actions against a resource (e.g. an API or service):
      • To do this, set the requireAuth="true" attribute.
        • Either specify this globally, to set defaults for all APIs and services, on the zosconnect_zosConnectManager element.
        • Alternatively, specify this on the zosConnectAPI element nested in the zosconnect_zosConnectAPIs element. If specified on a zosConnectAPI element, that takes precedence for that API over the global default.
    2. Define which RACF groups are in the Admin, Operations, Invoke or Reader role (access is defined using RACF groups; any RACF user within that RACF group will be authorized in that role):
      • Either define these globally, to set defaults for all APIs and services, on the zosconnect_zosConnectManager element, using the attributes globalAdminGroup, globalOperationsGroup, globalInvokeGroup and globalReaderGroup.
      • Alternatively, define these for specific APIs on the zosConnectAPI elements, using the attributes adminGroup, operationsGroup, invokeGroup and readerGroup. If specified on a zosConnectAPI element, that takes precedence for that API over the global default.
    3. For authorization to take effect, you need to enable the authorization interceptor:
      • Define the <zosconnect_authorizationInterceptor id="authInterceptor1" sequence="1"/> element.
      • Reference its id in the interceptorRef attribute of a zosconnect_zosConnectInterceptors element.
      • Then reference the id of the zosconnect_zosConnectInterceptors element in:
        • Either, to set it globally, the globalInterceptorsRef attribute of the zosconnect_zosConnectManager element.
        • Alternatively, for specific APIs, the interceptorsRef attribute of the zosConnectAPI element.


    Regards, Sue

    Updated on 2017-01-26T09:26:04Z at 2017-01-26T09:26:04Z by bayliss
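Putting the three steps of the accepted answer together, the following server.xml fragment is an added example; it is not from the original post or from IBM's documentation. The RACF group names (ZCONADM, ZCONOPS, ZCONINV, ZCONRDR, ACCTINV), the API name "accounts", the SAF keyring name ZCONKEYRING, the profile prefix BBGZDFLT and the realm name are assumptions. The groups must already exist in RACF with the relevant users connected to them, and the server's started-task user must have the SAF and Angel access described in the "Configuring security using SAF registries" page linked above.

```xml
<server description="z/OS Connect EE server authenticating and authorizing against RACF (example)">

    <featureManager>
        <feature>zosconnect:zosconnect-2.0</feature>
        <!-- appSecurity + zosSecurity are what let Liberty use RACF (via SAF)
             as the user registry; transportSecurity gives the TLS endpoint. -->
        <feature>appSecurity-2.0</feature>
        <feature>zosSecurity-1.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>

    <!-- Step 0 (prereq from the answer): RACF is the registry. HTTP basic-auth
         credentials are checked against RACF user IDs and passwords; there is
         no separate "login API". Realm and profile prefix are assumed values. -->
    <safRegistry id="saf" realm="ZOSCONN"/>
    <safCredentials profilePrefix="BBGZDFLT" unauthenticatedUser="WSGUEST"/>

    <!-- Step 3: define the authorization interceptor and wrap it in an
         interceptor list whose id the manager / APIs can reference. -->
    <zosconnect_authorizationInterceptor id="authInterceptor1" sequence="1"/>
    <zosconnect_zosConnectInterceptors id="interceptorList1"
                                       interceptorRef="authInterceptor1"/>

    <!-- Steps 1 and 2 (global defaults): every API/service requires an
         authenticated user, and each role maps to one RACF group.
         RACF group names: at most 8 characters, upper case. (assumed names) -->
    <zosconnect_zosConnectManager requireAuth="true"
                                  globalInterceptorsRef="interceptorList1"
                                  globalAdminGroup="ZCONADM"
                                  globalOperationsGroup="ZCONOPS"
                                  globalInvokeGroup="ZCONINV"
                                  globalReaderGroup="ZCONRDR"/>

    <!-- Per-API override (takes precedence over the global defaults for this
         API only): callers of "accounts" must be in ACCTINV rather than ZCONINV.
         Admin/operations/reader roles still come from the global attributes. -->
    <zosconnect_zosConnectAPIs>
        <zosConnectAPI name="accounts"
                       requireAuth="true"
                       invokeGroup="ACCTINV"
                       interceptorsRef="interceptorList1"/>
    </zosconnect_zosConnectAPIs>

    <!-- Basic auth sends the password on every request, so disable the
         cleartext port and serve only over TLS. Keyring name is assumed. -->
    <keyStore id="defaultKeyStore"
              location="safkeyring:///ZCONKEYRING"
              type="JCERACFKS"
              password="password"
              fileBased="false"
              readOnly="true"/>
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="-1" httpsPort="9443"/>

</server>
```

With this configuration a client does not call a login API; it sends its RACF user ID and password as HTTP basic authentication on each request, for example `curl -u ZUSER1 https://host:9443/zosConnect/apis/accounts` (host name assumed). The SAF registry validates the credentials against RACF, and the authorization interceptor then checks that the authenticated user is a member of the group for the role the operation needs: invoking an API needs the invoke group, while deploying or removing APIs is reserved for the admin group. A quick check of the per-API override is that a user connected to ACCTINV but not ZCONINV can call "accounts" but is rejected on any other API.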