Adding support for Authentication Service API
The Authentication Service API is a REST API that runs on z/OS to authenticate mainframe user credentials. It consists of a suite of authentication services, each equipped with the necessary logic to interface with various authentication providers on z/OS. These services can be enabled or disabled individually or operated simultaneously to support multiple authentication methods concurrently.
The following authentication methods are supported:
- JSON Web Token (JWT) authentication. JWT authentication is important because it supports one-time-use Multi-Factor Authentication (MFA) credentials: the password (or MFA code) is supplied once at login, and the returned token is presented on subsequent requests instead.
- Basic Authentication
| Authentication method | JSON Web Token (JWT) authentication | Basic Authentication |
|---|---|---|
| Authorization header | Bearer <token> | Basic <base64_encoded_string> |
| MFA support | Yes | No |
| Authentication service | SAF JWT Service | SAF Basic Service |
The Authentication Service API provides POST and GET methods to handle the following:
- A login endpoint to authenticate mainframe user credentials in the form of username and password, and return a System Authorization Facility (SAF) JWT authentication token.
- A query endpoint to validate and retrieve information about the associated token or base64-encoded string:
  - SAF JWT authentication tokens
  - SAF Basic Authentication base64-encoded strings
- A logout endpoint that invalidates the SAF JWT tokens generated by the Authentication Service API login endpoint.
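The table above gives the two Authorization header forms the API accepts. The following is an added example, not code from IBM or from the Authentication Service API itself: it shows how a client builds each header and how a server-side front end would parse an incoming header and route it to the SAF JWT Service or the SAF Basic Service. The page does not publish endpoint paths, parameter names or the JWT layout, so no HTTP calls are made and the token is treated as opaque; the user-id, password and token strings are constructed sample values.

```python
"""Client-side construction and server-side parsing of the Authorization
header forms used by the Authentication Service API (added example, not
IBM code). No endpoint paths are assumed; only header handling is shown."""
import base64
import binascii
from dataclasses import dataclass
from typing import Optional


@dataclass
class ParsedAuth:
    scheme: str                     # "Basic" or "Bearer"
    service: str                    # authentication service that handles it
    username: Optional[str] = None  # only for Basic
    password: Optional[str] = None  # only for Basic
    token: Optional[str] = None     # only for Bearer


# Scheme -> service, as listed in the page's comparison table.
SERVICE_FOR_SCHEME = {"bearer": "SAF JWT Service", "basic": "SAF Basic Service"}


def basic_header(username: str, password: str) -> str:
    """Build 'Basic <base64(user-id:password)>' for the SAF Basic Service.

    RFC 7617 forbids a colon in the user-id because the first colon is the
    separator; the password itself may contain colons.
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(token: str) -> str:
    """Build 'Bearer <token>' from the SAF JWT returned by the login endpoint."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be a single non-empty token")
    return "Bearer " + token


def parse_authorization(header: Optional[str]) -> ParsedAuth:
    """Classify an incoming Authorization header and pick the service.

    Malformed input raises ValueError instead of being guessed at, so the
    caller can answer 401 without touching either authentication service.
    Scheme names are case-insensitive (RFC 7235).
    """
    if not header or not header.strip():
        raise ValueError("missing Authorization header")
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("Authorization header must be '<scheme> <credentials>'")
    scheme, cred = parts[0], parts[1].strip()
    key = scheme.lower()
    if key not in SERVICE_FOR_SCHEME:
        raise ValueError(f"unsupported authentication scheme {scheme!r}")
    service = SERVICE_FOR_SCHEME[key]
    if key == "bearer":
        # The SAF JWT Service validates the token; the front end does not decode it.
        return ParsedAuth("Bearer", service, token=cred)
    try:
        decoded = base64.b64decode(cred, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("Basic credentials are not valid base64") from exc
    if ":" not in decoded:
        raise ValueError("Basic credentials must be 'user-id:password'")
    user, _, pw = decoded.partition(":")  # split on the first colon only
    return ParsedAuth("Basic", service, username=user, password=pw)


if __name__ == "__main__":
    # Constructed sample values; not real credentials or a real SAF JWT.
    print(parse_authorization(basic_header("IBMUSER", "secret")))
    print(parse_authorization(bearer_header("eyJhbGciOiJSUzI1NiJ9.sample.sig")))
```

A practitioner would front both services with a check like parse_authorization so that a garbled header is rejected before any SAF call is made, and would send the Basic form only over TLS, since the base64 string is reversible and carries the password on every request.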
Notes:
- SAF JWT Authentication offers a more secure method for authenticating users to the server, because the password is sent only once, at login, and later requests carry the token instead; it is optional. You can continue to use SAF Basic Authentication, which has no external dependencies and is available for immediate use. To enable one or both authentication methods, you must configure the eqaprof.env file accordingly.
- System Authorization Facility (SAF) is a z/OS interface that drives Resource Access Control Facility (RACF). These two terms might be used interchangeably.
- Support for SAF JWT requires z/OS version 2.4 or later.
- Debug Profile Service API and IMS Transaction Isolation Service API use the same authentication services within Authentication Service API to perform authentication functions.
- The installation provides a sample Debug Profile Service configuration file called eqaprof.env, which defines all configurable parameters used by the Authentication Service API.
- If you manage z/OS CICS DTCN profiles through the TCPIPSERVICE (DTCN API) path, you must specify AUTHENTICATE(NO) on the TCPIPSERVICE definition and ensure CICS TS version 6.x or later is used to support JWT authentication. For more information, see Defining the CICS TCPIPSERVICE resource.