IC SunsetThe developerWorks Connections Platform is now in read-only mode and content is only available for viewing. No new wiki pages, posts, or messages may be added. Please see our FAQ for more information. The developerWorks Connections platform will officially shut down on March 31, 2020 and content will no longer be available. More details available on our FAQ. (Read in Japanese.)
Topic
  • 4 replies
  • Latest Post - ‏2017-02-08T12:09:40Z by bayliss
JibinJacob
JibinJacob
30 Posts

Pinned topic How to authenticate userID and Password with server.xml

‏2017-02-06T07:43:33Z |

Hi,

 

I am trying to  create an API for Login functionality with below details:

      User ID

      Password

      Domain

My requirement is to validate the User id and password entered in the Application screen with server.xml (expecting a basic validation) and validate the domain in the application program (User Id and domain stored in DB2 table).

Could you please explain "How can I get the User ID and password entered in Application screen  (UI screen )to server.xml" to do the below validation

<basicRegistry id="basic1" realm="zosConnect">   

        <user name="Fred" password="fredpwd"/>

</basicRegistry>

 

Thanks,

Jibin

  • bayliss
    bayliss
    37 Posts
    ACCEPTED ANSWER

    Re: How to authenticate userID and Password with server.xml

    ‏2017-02-08T12:09:40Z  

    Hi,

     

    Can anyone please reply back to my question. I have setup below things in server.xml:

    featureManager>

            <feature>zosconnect:zosconnect-2.0</feature>

            <feature>appSecurity-2.0</feature>

            <feature>zosLocalAdapters-1.0</feature>

        </featureManager>

          <webAppSecurityallowFailOverToBasicAuth="true" /> 

        <basicRegistryid="basic1" realm="zOSConnect">

        <username="Jibin" password="Jibin" />

        </basicRegistry>

     

    <zosconnect_zosConnectManagerrequireSecure="false" requireAuth="true"/>

     

    I am getting a popup window while trying the API URL from the Google Chrome browser, and its accepting My user id and password,  but i am not able to test this with any of the REST Test tools like Postman/SOAPUI  etc... 

    Please let me know the issue here.

     

    And  for enabling this  roles id access, do we have to update any cofiguration setup in RCAF?

    <authorization-rolesid="zos.connect.access.roles">

                 <security-rolename="zosConnectAccess">

                <username = "Jibin"/>

              </security-role>

          </authorization-roles> 

    Please let me know  your valid comments.

     

    thanks,

    Jibin

    Hi Jibin

    To cause the z/OS Connect EE server to authenticate a User ID and Password when invoking your API (for example the User ID and Password entered in your Application UI screen), you will need to add the following elements into server.xml:

    <featureManager>    
        <feature>zosconnect:zosconnect-2.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>
    
    <!-- Fail over to basic authentication -->
    <webAppSecurity allowFailOverToBasicAuth="true"/>
    
    <!-- You will need to pre-populate this with ALL your userids and passwords -->
    <basicRegistry id="basic1" realm="zosConnect">   
       <user name="
    user1" password="
    password1"/>
       <user name="
    user2" password="
    password2"/>
    </basicRegistry>
    
    <!-- You will need to add each user to be authorized to access the z/OS Connect EE application  -->
    <authorization-roles id="zos.connect.access.roles">
       <security-role name="zosConnectAccess">           
          <user name="
    user1"/>
          <user name="
    user2"/>  
       </security-role>  
    </authorization-roles>
    
    <!-- If you do not require authentication or SSL for every API add this element to set the global defaults -->
    <zosconnect_zosConnectManager requireAuth="false" requireSecure="false"/>
    
    <zosconnect_zosConnectAPIs>
        <zosConnectAPI name="
    your API name" requireAuth="true" />
    </zosconnect_zosConnectAPIs>
    


    This info from the Knowledge Center topic "Configuring security using a basic user registry".
    Notes:
    - It is recommended that you also enable SSL on the connection between your web application and the z/OS Connect EE server, so that the user ID and password are not sent in clear text on the HTTP connection.
    - I have only included the elements and attributes specific to configure the basic authentication using a basic registry for an API, you will still need your other elements and attributes.
    - You can encode the passwords in the basicRegistry element (so they are not in clear text in server.xml) using the  Liberty server securityUtility command. For example:  securityUtility encode password1. This utility is located in the <installation_path>/wlp/bin directory. For more info see the Liberty Knowledge Center https://www.ibm.com/support/knowledgecenter/en/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/rwlp_command_securityutil.html


    Regards, Sue
     

  • bayliss
    bayliss
    37 Posts

    Re: How to authenticate userID and Password with server.xml

    ‏2017-02-06T09:29:25Z  

    Hi Jibin,

    I just want to check I understand your requirement:
    - Are you saying you have a web application which presents a UI requesting a user enter their userid and password, and that you want to use those credentials to perform basic authentication when the web app makes an invoke request to your login API in the z/OS Connect EE server. Also that you want to use a basic registry (rather than SAF or LDAP) in the z/OS Connect EE server to validate the userid and password against.
    - When you say "validate the domain in the application program", is this in your web application before calling z/OS Connect EE or in another application in your System Of Record (SOR) (called by the invoke API request)?
    - Which service provider are you using (e.g. WOLA, REST Client or IMS)?
    - Which SOR are you using (e.g. CICS or IMS)?

     

    Regards, Sue

  • JibinJacob
    JibinJacob
    30 Posts

    Re: How to authenticate userID and Password with server.xml

    ‏2017-02-06T11:54:11Z  
    • bayliss
    • ‏2017-02-06T09:29:25Z

    Hi Jibin,

    I just want to check I understand your requirement:
    - Are you saying you have a web application which presents a UI requesting a user enter their userid and password, and that you want to use those credentials to perform basic authentication when the web app makes an invoke request to your login API in the z/OS Connect EE server. Also that you want to use a basic registry (rather than SAF or LDAP) in the z/OS Connect EE server to validate the userid and password against.
    - When you say "validate the domain in the application program", is this in your web application before calling z/OS Connect EE or in another application in your System Of Record (SOR) (called by the invoke API request)?
    - Which service provider are you using (e.g. WOLA, REST Client or IMS)?
    - Which SOR are you using (e.g. CICS or IMS)?

     

    Regards, Sue

    Hi,

     

     - Are you saying you have a web application which presents a UI requesting a user enter their userid and password, and that you want to use those credentials to perform basic authentication when the web app makes an invoke request to your login API in the z/OS Connect EE server. Also that you want to use a basic registry (rather than SAF or LDAP) in the z/OS Connect EE server to validate the userid and password against. - Yes . need to use those credentials to perform basic authentication  when the web app invokes login API.  Looking for Basic registry  to validate the user id and password. 

     

    - When you say "validate the domain in the application program", is this in your web application before calling z/OS Connect EE or in another application in your System Of Record (SOR) (called by the invoke API request)?  - After the password validation. API has to get  the domain for this user. This information is stored in DB2 tables. So thought of creating a cobol program for creating it. (I have given this functionality to explain whole requirement of logon Functionality)


    - Which service provider are you using (e.g. WOLA, REST Client or IMS)? - Through WOLA connectivity is going to CICS 
    - Which SOR are you using (e.g. CICS or IMS)? - CICS

     

    Please let me know your thoughts about this.

     

    Thanks,

    Jibin

  • JibinJacob
    JibinJacob
    30 Posts

    Re: How to authenticate userID and Password with server.xml

    ‏2017-02-08T10:56:47Z  

    Hi,

     

     - Are you saying you have a web application which presents a UI requesting a user enter their userid and password, and that you want to use those credentials to perform basic authentication when the web app makes an invoke request to your login API in the z/OS Connect EE server. Also that you want to use a basic registry (rather than SAF or LDAP) in the z/OS Connect EE server to validate the userid and password against. - Yes . need to use those credentials to perform basic authentication  when the web app invokes login API.  Looking for Basic registry  to validate the user id and password. 

     

    - When you say "validate the domain in the application program", is this in your web application before calling z/OS Connect EE or in another application in your System Of Record (SOR) (called by the invoke API request)?  - After the password validation. API has to get  the domain for this user. This information is stored in DB2 tables. So thought of creating a cobol program for creating it. (I have given this functionality to explain whole requirement of logon Functionality)


    - Which service provider are you using (e.g. WOLA, REST Client or IMS)? - Through WOLA connectivity is going to CICS 
    - Which SOR are you using (e.g. CICS or IMS)? - CICS

     

    Please let me know your thoughts about this.

     

    Thanks,

    Jibin

    Hi,

     

    Can anyone please reply back to my question. I have setup below things in server.xml:

    featureManager>

            <feature>zosconnect:zosconnect-2.0</feature>

            <feature>appSecurity-2.0</feature>

            <feature>zosLocalAdapters-1.0</feature>

        </featureManager>

          <webAppSecurityallowFailOverToBasicAuth="true" /> 

        <basicRegistryid="basic1" realm="zOSConnect">

        <username="Jibin" password="Jibin" />

        </basicRegistry>

     

    <zosconnect_zosConnectManagerrequireSecure="false" requireAuth="true"/>

     

    I am getting a popup window while trying the API URL from the Google Chrome browser, and its accepting My user id and password,  but i am not able to test this with any of the REST Test tools like Postman/SOAPUI  etc... 

    Please let me know the issue here.

     

    And  for enabling this  roles id access, do we have to update any cofiguration setup in RCAF?

    <authorization-rolesid="zos.connect.access.roles">

                 <security-rolename="zosConnectAccess">

                <username = "Jibin"/>

              </security-role>

          </authorization-roles> 

    Please let me know  your valid comments.

     

    thanks,

    Jibin

    Updated on 2017-02-08T10:59:24Z at 2017-02-08T10:59:24Z by JibinJacob
  • bayliss
    bayliss
    37 Posts

    Re: How to authenticate userID and Password with server.xml

    ‏2017-02-08T12:09:40Z  

    Hi,

     

    Can anyone please reply back to my question. I have setup below things in server.xml:

    featureManager>

            <feature>zosconnect:zosconnect-2.0</feature>

            <feature>appSecurity-2.0</feature>

            <feature>zosLocalAdapters-1.0</feature>

        </featureManager>

          <webAppSecurityallowFailOverToBasicAuth="true" /> 

        <basicRegistryid="basic1" realm="zOSConnect">

        <username="Jibin" password="Jibin" />

        </basicRegistry>

     

    <zosconnect_zosConnectManagerrequireSecure="false" requireAuth="true"/>

     

    I am getting a popup window while trying the API URL from the Google Chrome browser, and its accepting My user id and password,  but i am not able to test this with any of the REST Test tools like Postman/SOAPUI  etc... 

    Please let me know the issue here.

     

    And  for enabling this  roles id access, do we have to update any cofiguration setup in RCAF?

    <authorization-rolesid="zos.connect.access.roles">

                 <security-rolename="zosConnectAccess">

                <username = "Jibin"/>

              </security-role>

          </authorization-roles> 

    Please let me know  your valid comments.

     

    thanks,

    Jibin

    Hi Jibin

    To cause the z/OS Connect EE server to authenticate a User ID and Password when invoking your API (for example the User ID and Password entered in your Application UI screen), you will need to add the following elements into server.xml:

    <featureManager>    
        <feature>zosconnect:zosconnect-2.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>
    
    <!-- Fail over to basic authentication -->
    <webAppSecurity allowFailOverToBasicAuth="true"/>
    
    <!-- You will need to pre-populate this with ALL your userids and passwords -->
    <basicRegistry id="basic1" realm="zosConnect">   
       <user name="
    user1" password="
    password1"/>
       <user name="
    user2" password="
    password2"/>
    </basicRegistry>
    
    <!-- You will need to add each user to be authorized to access the z/OS Connect EE application  -->
    <authorization-roles id="zos.connect.access.roles">
       <security-role name="zosConnectAccess">           
          <user name="
    user1"/>
          <user name="
    user2"/>  
       </security-role>  
    </authorization-roles>
    
    <!-- If you do not require authentication or SSL for every API add this element to set the global defaults -->
    <zosconnect_zosConnectManager requireAuth="false" requireSecure="false"/>
    
    <zosconnect_zosConnectAPIs>
        <zosConnectAPI name="
    your API name" requireAuth="true" />
    </zosconnect_zosConnectAPIs>
    


    This info from the Knowledge Center topic "Configuring security using a basic user registry".
    Notes:
    - It is recommended that you also enable SSL on the connection between your web application and the z/OS Connect EE server, so that the user ID and password are not sent in clear text on the HTTP connection.
    - I have only included the elements and attributes specific to configure the basic authentication using a basic registry for an API, you will still need your other elements and attributes.
    - You can encode the passwords in the basicRegistry element (so they are not in clear text in server.xml) using the  Liberty server securityUtility command. For example:  securityUtility encode password1. This utility is located in the <installation_path>/wlp/bin directory. For more info see the Liberty Knowledge Center https://www.ibm.com/support/knowledgecenter/en/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/rwlp_command_securityutil.html


    Regards, Sue