Adding support for Authentication Service API

Debug Profile Service API is a REST API that runs on z/OS to manage debug profiles between CICS and non-CICS environments.

The Authentication Service API is a REST API that runs on z/OS to authenticate mainframe user credentials. It consists of a suite of authentication services, each equipped with the necessary logic to interface with various authentication providers on z/OS. These services can be enabled or disabled individually or operated simultaneously to support multiple authentication methods concurrently.

Authentication
The following authentication methods are supported:
  • Authenticating with JSON Web Tokens (JWT)

    JWT authentication is important because it supports one-time-use Multi-Factor Authentication (MFA) credentials, eliminating the need to supply the password multiple times.

  • Authenticating with Basic Authentication
    Table 1. Authentication methods
    Authentication method  | JSON Web Token (JWT) authentication | Basic Authentication
    -----------------------+-------------------------------------+------------------------------
    Authorization header   | Bearer <token>                      | Basic <base64_encoded_string>
    MFA support            | Yes                                 | No
    Authentication service | SAF JWT Service                     | SAF Basic Service
    The Authentication Service API provides POST and GET methods to handle the following:
    • A login endpoint to authenticate mainframe user credentials in the form of username and password, and return a System Authorization Facility (SAF) JWT authentication token.
    • A query endpoint to validate and retrieve information about the associated token or Base64-encoded string:
      • SAF JWT authentication tokens
      • SAF Basic Authentication Base64-encoded strings
    • A logout endpoint that invalidates the SAF JWT tokens generated by the Authentication Service API login endpoint.
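
The two Authorization header forms in Table 1, as an added example that is not IBM's code: it builds a Basic value, decodes it again (Base64 is an encoding, not encryption, so the header is only as private as the transport), and maps each scheme to the service and MFA support the table lists. The function names and the three-part compact JWT shape checked for Bearer values are assumptions; signature and expiry checks remain the server's job.

```python
import base64
import binascii

# Scheme -> (authentication service, MFA support), as listed in Table 1.
SERVICES = {
    "bearer": ("SAF JWT Service", True),
    "basic": ("SAF Basic Service", False),
}


def basic_header(user, password):
    """Build a Basic header value: base64("user:password")."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify(header):
    """Return (service, mfa_supported, detail); ValueError if malformed."""
    scheme, sep, value = header.strip().partition(" ")
    key = scheme.lower()  # the scheme name is case-insensitive
    value = value.strip()
    if not sep or not value or key not in SERVICES:
        raise ValueError("unsupported or empty Authorization header")
    service, mfa = SERVICES[key]
    if key == "basic":
        # No key is needed to recover the credentials from the header.
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("Basic value is not valid Base64 text") from exc
        user, colon, _password = decoded.partition(":")  # password may hold ':'
        if not colon or not user:
            raise ValueError("Basic value is not user:password")
        return service, mfa, user
    # Bearer: structural check only. Assumption: the token is a compact JWT
    # (header.payload.signature); it is not verified here.
    parts = value.split(".")
    if len(parts) != 3 or not parts[0] or not parts[1]:
        raise ValueError("Bearer value is not a three-part JWT")
    return service, mfa, "jwt"
```
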
Note:
  • System Authorization Facility (SAF) is a z/OS interface that drives Resource Access Control Facility (RACF). These two terms might be used interchangeably.
  • Support for SAF JWT requires z/OS 2.4 or later.
  • Debug Profile Service API and IMS Transaction Isolation Service API use the same authentication services within Authentication Service API to perform authentication functions.
  • The installation provides a sample Debug Profile Service configuration file called eqaprof.env, which defines all configurable parameters used by the Authentication Service API.
  • Users who use the DTCN API component to manage z/OS CICS profiles must define AUTHENTICATE(NO) in the CICS TCPIPSERVICE resource because Debug Profile Service manages user authentication.