Security of ML for IBM z/OS
ML for IBM z/OS® leverages the security strengths of both IBM® proprietary technologies, such as z/OS Security Server RACF® and System Authentication Facility (SAF), and industry open standards, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTPS, to secure network connections and authenticate users.
MLz security
MLz authenticates users with SAF.
MLz also uses JWT (JSON Web Token) for user authentication. JWT is an open standard for securely and efficiently transmitting information as a JSON object between a client and a server. The token is digitally signed, self-contained, and highly scalable. As the following figure shows, a JWT is returned when a user is successfully authenticated through the MLz user interface (UI).
Finally, MLz uses the SSL/TLS protocols to secure network communications between the component systems that run under the same network domain. All MLz services on these systems are configured to use the same SSL certificate.
- 1 A user accesses the MLz UI from a browser.
- 2 After checking and determining that the user is not signed in yet, the UI redirects the user to the Sign-in page for authentication.
- 3 The user signs in with a valid username and password.
- 4 The UI sends the user's sign-in request to the user management service.
- 5-6 The user management service validates the user's credentials with SAF.
- 7-8 The user management service issues a JWT token and returns the token to the browser through the UI.
- 9 With a valid token, the user logs in successfully.
- 10 The UI passes the user's request to the rest of ML for IBM z/OS services.
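The sign-in flow above, as an added sketch that is not IBM's or MLz's code: credentials are checked, a signed token is issued, and a receiving service verifies signature and expiry before acting on a request. The HS256 algorithm, the `exp`/`iat`/`sub` claims, the 900-second lifetime, the key, the `SAF_USERS` stand-in for the SAF check and all function names are assumptions; the page does not state which algorithm or claims MLz uses.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # constructed value, not an MLz setting
SAF_USERS = {"mlzuser": "s3cret"}  # hypothetical stand-in for the SAF check (steps 5-6)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def sign_in(user, password, now=None, ttl=900):
    """Steps 3-8: validate credentials, then issue a signed token."""
    expected = SAF_USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": user, "iat": now, "exp": now + ttl}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{sign(signing_input)}"

def verify(token, now=None):
    """Steps 9-10: a service checks the token before acting on the request."""
    try:
        header_b64, claims_b64, sig = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm server-side; the token must not choose it (rejects alg=none).
        if header.get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sig.encode(), sign(f"{header_b64}.{claims_b64}").encode()):
            return None
        claims = json.loads(b64url_decode(claims_b64))
        exp = claims.get("exp")
    except (ValueError, AttributeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(exp, int) or now >= exp:
        return None  # expired or missing expiry
    return claims
```

Because the token is self-contained, any service holding the verification key can check it without calling back to the user management service, which also means a token stays valid until `exp` unless a separate revocation mechanism exists.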