JibinJacob

How to authenticate userID and Password with RACF?

2017-02-22T11:34:01Z

Hi,

I have done the basic authentication with server.xml (hard-coded the userID and password in server.xml) and it's working.

Now I just want to explore how we can do the authentication with RACF.

Scenario: Accepting a user ID and password from a UI screen. Need to validate this user ID and password with RACF (because we can't hard-code all the userids and passwords in server.xml).

Note: I have asked another question in the same forum related to security through RACF; the reply explains about configuring with different access groups. I understood that part. Trying to configure it.

Thanks,

Jibin

Updated on 2017-02-22T11:45:04Z by JibinJacob
  • bayliss

    Re: How to authenticate userID and Password with RACF?

    ‏2017-02-22T12:53:57Z  

    Hi Jibin,

    Please see the Knowledge Center topic "Configuring security using SAF registries" which explains the steps required to configure a z/OS Connect EE server to use SAF authentication and optionally also authorization. The example is for RACF.

     

    Regards,

    Sue

     

  • JibinJacob

    Re: How to authenticate userID and Password with RACF?

    ‏2017-02-23T10:44:18Z  

    Thanks Sue.

    I have done the authentication with RACF and it's working.

    And for authorization I have done the below coding in server.xml.

        <authorization-roles id="zos.connect.access.roles">
            <security-role name="zosConnectAccess">
                <user name="G719936"/>
                <user name="G659406"/>
            </security-role>
        </authorization-roles>

    Here we are hardcoding the userids for authorised access. It's working. But to avoid the hard-coding part I have tried the below option (defining a RACF group), but it's throwing an error.

        <!-- Authorization interceptor -->
        <zosconnect_authorizationInterceptor id="authInterceptor1" sequence="1"/>

        <!-- Interceptor list to include authorization interceptor -->
        <zosconnect_zosConnectInterceptors id="InterceptorList"
            interceptorRef="authInterceptor1"/>

        <zosconnect_zosConnectManager
            globalAdminGroup="ZCONUSR"
            globalOperationsGroup="ZCONUSR"
            globalInvokeGroup="ZCONUSR"
            globalInterceptorsRef="InterceptorList"/>

    ZCONUSR is my RACF group.

    But I am getting "Error 403: AuthorizationFailed".

    We are using the beta version, and one of the documents says:

    "z/OS Connect EE supplies an authorization interceptor that implements the com.ibm.zosconnect.spi.Interceptor SPI, and supports both SAF and LDAP. This interceptor uses the getGroupsforUser() security API internally to determine which groups the current user is in, and then compares these groups to the groups provided in the API definition, service definition, or global definition."

    Will this SPI be available in the beta version?

    Could you please guide me on what the issue is here?

    Thanks,

    Jibin

    Updated on 2017-02-23T12:10:47Z by JibinJacob
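
An added example, not part of the original thread and not IBM's code: a small Python check over the server.xml fragments posted above. It lists user IDs hard-coded in a security-role, verifies that interceptorRef and globalInterceptorsRef point at defined ids, and notes when one group holds all three global rights. The `<server>` wrapper around the fragments, the `audit` function and the wording of the findings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragments quoted in the thread, wrapped in a <server> root.
SAMPLE = """<server>
  <authorization-roles id="zos.connect.access.roles">
    <security-role name="zosConnectAccess">
      <user name="G719936"/>
      <user name="G659406"/>
    </security-role>
  </authorization-roles>
  <zosconnect_authorizationInterceptor id="authInterceptor1" sequence="1"/>
  <zosconnect_zosConnectInterceptors id="InterceptorList"
      interceptorRef="authInterceptor1"/>
  <zosconnect_zosConnectManager globalAdminGroup="ZCONUSR"
      globalOperationsGroup="ZCONUSR" globalInvokeGroup="ZCONUSR"
      globalInterceptorsRef="InterceptorList"/>
</server>"""

GROUP_ATTRS = ("globalAdminGroup", "globalOperationsGroup", "globalInvokeGroup")

def audit(xml_text):
    """Return a list of findings for the authorization-related elements."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. User IDs listed by hand in a security-role.
    for role in root.iter("security-role"):
        users = [u.get("name") for u in role.findall("user")]
        if users:
            findings.append(f"role {role.get('name')}: hard-coded users {users}")
    # 2. Every interceptor reference must resolve to an element with that id.
    ids = {e.get("id") for e in root.iter() if e.get("id")}
    for elem in root.iter():
        for attr in ("interceptorRef", "globalInterceptorsRef"):
            for ref in (elem.get(attr) or "").replace(",", " ").split():
                if ref not in ids:
                    findings.append(f"{elem.tag}: {attr}={ref!r} is not defined")
    # 3. Per the quoted documentation, the interceptor is what compares the
    #    user's groups with these attributes, so they need an interceptor list.
    mgr = root.find("zosconnect_zosConnectManager")
    if mgr is not None:
        groups = {a: mgr.get(a) for a in GROUP_ATTRS if mgr.get(a)}
        if groups and not mgr.get("globalInterceptorsRef"):
            findings.append("global groups set but no globalInterceptorsRef")
        if len(groups) > 1 and len(set(groups.values())) == 1:
            findings.append(f"one group {next(iter(groups.values()))} holds "
                            "admin, operations and invoke rights")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
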
  • bayliss
    ACCEPTED ANSWER

    Re: How to authenticate userID and Password with RACF?

    ‏2017-02-27T09:20:49Z  

    Hi Jibin,

    This is a confusing area. The configuration elements and steps required differ depending on whether you are using a basic or SAF user registry:

    Regards, Sue

  • JibinJacob

    Re: How to authenticate userID and Password with RACF?

    ‏2017-03-06T14:12:25Z  

    Thanks Sue.

    Done the configuration. It's working.