Credential management by UMS JWT tokens
Credential management involves securing user credentials through multiple stages in IBM® Unified Management Server for z/OS®.
The following figure illustrates the credential management process for IBM Unified Management Server for z/OS when the UMS login user authentication type (authType) of STANDARD_JWT is selected.

The following steps list the credential management process for IBM Unified Management Server for z/OS.
- The user logs in to Zowe by providing credentials.
- The request is passed to the Zowe System Services (ZSS) server plug-in.
- The ZSS plug-in passes the request to the ZSS server.
- The ZSS server communicates with System Authorization Facility (SAF) for credential validation. The SAF could be RACF, ACF2, or Top Secret.
- Once the user is authenticated by SAF, a session cookie is generated.
- The Zowe App Server authentication plug-in for IBM Unified Management Server for z/OS sends a login request to the UMS server along with user credentials.
- The user credentials are verified again in the UMS server through SAF. The user credentials are then stored in the UMS server and a UMS token is generated.
- The response to the login request is sent back to the browser along with a session cookie, completing the login request process.
- The session cookie is used for granting access to the Unified Experience Zowe App.
- Any login user action along with the session cookie is passed to the authentication plug-in using HTTPS.
- The authentication plug-in uses the session cookie to procure the UMS token from the session store. The user request and the UMS token are then passed to the UMS server for validation.
- The UMS server first validates the UMS token, and then proceeds to carry out the user request, including any request meant for subsystems, subsystem tool services, or z/OSMF.
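The last four steps can be modelled in a few lines. This is an added sketch, not IBM or Zowe code: the browser holds only the session cookie, the plug-in looks up the UMS token in a session store, and the server validates the token before acting. The HS256 signing, the in-memory store, and every function and variable name are assumptions; SAF verification and credential storage are not modelled.

```python
import base64, hashlib, hmac, json, secrets, time

UMS_KEY = secrets.token_bytes(32)  # assumption: signing key known only to the modelled UMS server
SESSION_STORE = {}                 # plug-in side: session cookie -> UMS token (never sent to the browser)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(UMS_KEY, signing_input.encode(), hashlib.sha256).digest())

def ums_issue_token(user, ttl=300, now=None):
    """UMS server: issue a token once the user is verified (SAF check not modelled)."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": int(now) + ttl}).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"

def ums_validate_token(token, now=None):
    """UMS server: return the subject if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        # Always verify with HMAC-SHA256; the header's "alg" value is never trusted.
        if not hmac.compare_digest(sig.encode(), _sign(f"{header}.{payload}").encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (ValueError, AttributeError):
        return None
    return claims["sub"] if claims.get("exp", 0) > now else None

def plugin_login(user):
    """Authentication plug-in: keep the UMS token server-side, hand the browser a cookie."""
    cookie = secrets.token_urlsafe(32)
    SESSION_STORE[cookie] = ums_issue_token(user)
    return cookie

def plugin_forward(cookie, action):
    """Authentication plug-in: map cookie to token, then pass request and token to UMS."""
    token = SESSION_STORE.get(cookie)
    if token is None:
        return (401, "no session")
    user = ums_validate_token(token)  # the token is validated before the request is carried out
    if user is None:
        return (401, "invalid or expired UMS token")
    return (200, f"{action} executed as {user}")
```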