Securing Code Coverage Service on z/OS

Support for Multi-factor Authentication

Headless Code Coverage Service can be configured to use Bearer authentication (token-based authentication), which provides greater security than basic authentication and can support installations with multi-factor authentication.

To use Bearer authentication for Headless Code Coverage Service, a SAF JWT provider must first be configured to generate and validate JSON Web Tokens (JWTs). The application ID (APPLID) of the SAF JWT provider must then be specified as a startup parameter so that Headless Code Coverage Service uses Bearer authentication. For how to specify the APPLID on startup, see Starting and stopping the headless code coverage collector.

It is recommended that you set the application ID (APPLID) to the same application ID that is used for Debug Profile Service (DPS). Make sure that SAF JWT authentication is configured for Debug Profile Service before using its application ID for Headless Code Coverage Service. For more information, see Authenticating with SAF JSON Web Tokens (JWT).

Accessing security logs

The Code Coverage Service on z/OS captures successful and unsuccessful login attempts. These logs are located inside the CC output directory at the following path:

{output_dir}/ccaas/CCS_access_{datetime}.log

In addition, on z/OS, RACF logs authentication and authorization attempts. Only users who have access to RACF can read the security logs.

For more information about RACF logging, see Logging and reporting.