Securing and Authenticating Operations REST Server
After you install and configure the System Automation Operations REST Server by following "Step 28: Configure and Run the System Automation Operations REST server" in Planning and Installation, configure the following security and authentication settings.
Security
The System Automation Operations REST Server can be addressed with HTTP(S) requests by any user that wants to use this service. To prevent the execution of altered or forged requests from an unauthorized source, it is recommended that you configure security for this server so that only HTTPS calls are answered.
Authentication
Every call to the Operations REST Server needs to be authenticated. The following two authentication methods are supported:
- Basic Authentication (BASIC_AUTH)
Every call to the server contains a valid user ID and a password, which are the same ones used for TSO login. The Operations REST Server checks the ID and password with the configured SAF system, for example, RACF®.
- JSON Web Token (JWT)
A token is generated and provided by a trusted third party, such as Zowe or IBM z/OS Management Facility (z/OSMF). It has an expiration time and can be used as often as needed before it expires. The Operations REST Server checks the validity of the provided token for each call with the configured third party.
This REST Server is session-less. Every call is authenticated individually and authorization of each authenticated caller is checked with the default System Automation user authorization mechanisms. No special authorization mechanism needs to be configured for this REST server.
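The two authentication methods and the session-less behaviour described above, as an added client-side example that is not IBM's code and not part of the original page. It assumes a placeholder base URL and request path (the real host, port and paths come from your own Step 28 configuration), builds the Basic and Bearer Authorization headers, refuses to send credentials over plain HTTP, and checks a JWT's exp claim locally so a caller refreshes an expired token instead of reusing it; the token it constructs for offline testing carries a placeholder signature and is only there to exercise the expiry check.

```python
"""Client helpers for calling the Operations REST Server over HTTPS with
either Basic authentication (BASIC_AUTH) or a JWT bearer token.
Added example, not IBM code; the base URL and request path are assumptions."""
import base64
import binascii
import json
import time
from typing import Optional
from urllib.parse import urlparse

# Assumed placeholder; use the host/port configured for your REST server.
BASE_URL = "https://sa-ops-rest.example.invalid:8443"


def require_https(url: str) -> str:
    """Refuse to build a request that would carry credentials in clear text."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url


def basic_auth_header(user_id: str, password: str) -> dict:
    """BASIC_AUTH: the TSO user ID and password, base64-encoded per RFC 7617.
    The server verifies these against SAF (for example RACF) on every call."""
    if ":" in user_id:
        raise ValueError("user ID must not contain ':'")
    raw = f"{user_id}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token: str) -> Optional[int]:
    """Return the 'exp' claim (seconds since the epoch) of a compact JWT, or None.
    Only the payload is decoded here; the signature is validated by the server,
    which checks the token with the issuing third party (Zowe or z/OSMF)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("JWT payload is not base64url-encoded JSON") from exc
    exp = payload.get("exp")
    return int(exp) if exp is not None else None


def bearer_auth_header(token: str, now: Optional[float] = None, leeway: int = 30) -> dict:
    """JWT: reuse a token obtained from the trusted third party until it expires.
    A token that is expired, or about to expire within `leeway` seconds, is
    rejected locally so the caller fetches a new one instead of collecting 401s."""
    now = time.time() if now is None else now
    exp = jwt_expiry(token)
    if exp is not None and exp - leeway <= now:
        raise ValueError("JWT expired or about to expire; obtain a new token")
    return {"Authorization": f"Bearer {token}"}


def build_request(path: str, auth_header: dict, base_url: str = BASE_URL) -> dict:
    """Assemble a request description. The server is session-less, so the
    Authorization header must accompany every call, not just the first one."""
    url = require_https(base_url.rstrip("/") + "/" + path.lstrip("/"))
    headers = {"Accept": "application/json", **auth_header}
    return {"method": "GET", "url": url, "headers": headers}


def make_demo_jwt(exp: int, subject: str = "OPER1") -> str:
    """Constructed demo token for offline testing only: the signature segment is
    a placeholder, so a real server would reject it; it exists to exercise the
    local expiry check above."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = enc({"alg": "RS256", "typ": "JWT"})
    payload = enc({"sub": subject, "exp": exp})
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    # Placeholder path; substitute the operation you actually want to call.
    print(build_request("/placeholder/resource", basic_auth_header("OPER1", "secret")))
    demo = make_demo_jwt(int(time.time()) + 3600)
    print(build_request("/placeholder/resource", bearer_auth_header(demo)))
```

Both `basic_auth_header` and `bearer_auth_header` return just the header to attach; whichever HTTP client you use, pass it on every request, because the server authenticates each call independently and keeps no session.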
After the caller is authenticated, the request is executed through a PPI communication with the NetView commands provided by System Automation.
The data returned by the called NetView command is parsed by the System Automation Operations REST Server and sent back as the response body of the HTTPS request, as a JSON data structure.