zosConnect-2.0 Configuration elements

Use the following elements in your configuration file to configure IBM® z/OS® Connect zosConnect-2.0.

zosConnect-2.0 Applies to zosConnect-2.0.

Configuring zosConnect-2.0 elements

This topic contains only those elements that are unique to z/OS Connect. For more information about Liberty configuration elements not listed here, see A launch icon to indicate a link opens a new tab or window. Server configuration in the WebSphere Application Server Liberty documentation.

Each server must have a server configuration file with the name server.xml in its server configuration directory ${server.config.dir}. You can keep all your configurations in a single server.xml file, or use include elements to consolidate configurations from separate files to create the structure that suits your needs. For more information, see A launch icon to indicate a link opens a new tab or window. Using include elements in configuration files in the WebSphere Application Server Liberty documentation.

Care is needed to avoid defining multiple instances of the singleton elements, or elements with the same ID value, by understanding the rules that are used to merge these elements. For more information about the rules that are used to merge the multiple instances of the elements, see A launch icon to indicate a link opens a new tab or window. Configuration element merging rules in the IBM WebSphere Application Server for z/OS Liberty documentation.

Each configuration element has one or more attributes that are detailed in the following tables with other useful details such as

Data type - each attribute has a data type which will be one of the following:
- string - if the attribute is of type string and is a reference to another element, then that attribute value must match the id attribute value of the element it is referencing. The id attribute is only required on an element if another element references that element. For example, for the zosconnect_authorizationServer configuration element to reference a zosconnect_authData element, the zosconnect_authData element must specify an id attribute value and the zosconnect_authorizationServer element basicAuthRef attribute must specify the same value.
- boolean - true or false
- integer - where applicable, the minimum and maximum integer values are included in the attributes description.
- a period of time with millisecond precision or a period of time with second precision - the default unit of time is either seconds or milliseconds. To set a value for these attributes specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.
Default value - specifies the default value for the attribute where applicable.
Supported values - if there are specific supported values, details of the supported values are provided.

zosconnect_apiRequesters

Defines the directory where API requester archives are stored and how the server is notified about changes in this directory. It also defines other configuration parameters that apply to all API requesters.

Attribute name	Description
idAssertion	Data type string Default value OFF Description Optional. Controls whether identity assertion is enabled in z/OS Connect for API requesters, and whether a surrogate check is supported if identity assertion is enabled. This value can be overridden for individual API requesters by specifying the `idAssertion` attribute on the appropriate `zosconnect_apiRequesters > apiRequester` subelement. Supported values are: OFF Identity assertion is not available in z/OS Connect for API requesters. z/OS applications cannot invoke an API requester with an asserted identity that is provided in the application context. ASSERT_SURROGATE Identity assertion is enabled in z/OS Connect for API requesters. z/OS applications can invoke an API requester with an asserted identity that is provided in the application context. With the ASSERT_SURROGATE value specified, z/OS Connect checks whether the identity used for authenticating the z/OS subsystem access to the z/OS Connect Server is a surrogate of the asserted identity and whether the asserted identity has the authority to invoke the API requester. ASSERT_ONLY Identity assertion is enabled in z/OS Connect for API requesters. z/OS applications can invoke an API requester with an asserted identity that is provided in the application context. With the ASSERT_ONLY value specified, z/OS Connect directly checks whether the asserted identity has the authority to invoke the API requester. Depending on the values set for the `idAssertion` and `requireAuth` attributes, z/OS Connect performs different actions on the asserted identity and the identity that is used for authenticating the z/OS subsystem access to the z/OS Connect Server. For more information, see Identity assertion for API requesters.
location	Data type string Default value ${server.config.dir}/resources/zosconnect/apiRequesters Description Optional. Path to a directory location where the API requester archive is stored. The value of location cannot be changed while the server is running; the value is set when the server is started.
pollingRate	Data type A period of time with millisecond precision. Default value 5s Description Optional. Controls how often the server polls the apiRequesters directory. The default time unit is milliseconds.
requireAuth	Data type boolean Default value Not applicable Description Optional. Available from 3.0.29.0. Requires that users specify security credentials to be authenticated and that the authenticated user is authorized under the `zosConnectAccess` role in order to access all API requesters. If the `requireAuth` attribute is not set, the global setting from the `requireAuth` attribute on the `zosconnect_zosConnectManager` element is used instead, unless the `requireAuth` attribute is overridden on the specific API requester.
requireSecure	Data type boolean Default value Not applicable Description Optional. Available from 3.0.45.0. Requests for API requesters are sent over HTTPS. If `requireSecure` is not set, the global setting from the `requireSecure` attribute on the `zosconnect_zosConnectManager` element is used instead. You can override this value for individual API requesters by specifying the `requireSecure` attribute on the appropriate `zosconnect_apiRequesters > apiRequester` subelement.
updateTrigger	Data type string Default value disabled Description Optional. Controls when the server is notified about changes in the apiRequesters directory. Supported values are: disabled Polling for updates is disabled. Updates can be triggered by using the MODIFY refresh command, and the RESTful administration interface can be used to deploy API requester archive files. polled The server checks periodically for changes to the directory contents. mbean The server checks for changes when the `notifyFileChanges` method is invoked on the `FileNotificationMBean`. If you specify this value, you must also configure your server to use the Java™ Management Extensions (JMX) connector. For more information, see Using an MBean to trigger updates. The value of this attribute is ignored when the MODIFY command is used to refresh the z/OS Connect Server artifacts.

Sub elements

zosconnect_apiRequesters > apiRequester

Description:

Defines other configuration options for the API requester archive.

Attribute name	Description
adminGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to use administrative functions on this API requester. The value of this attribute can be set to a group name or a comma-separated list of group names that are defined in the user registry. If `globalAdminGroup` is also under element `zosconnect_zosConnectManager`, the value that is defined under `adminGroup` is used. This group takes precedence over the global group except when controlling authorization to the RESTful administration actions to deploy an API, deploy a service, list all APIs, or list all services. See Note 1 and Note 2.
connectionRef	Data type string Default value Not applicable Description Optional. Reference to a `zosconnect_endpointConnection` element. If set, the connection is made by using the attributes of the `zosconnect_endpointConnection` element; if not set, or the associated `zosconnect_endpointConnection` element does not exist, the value of the `connectionRef` attribute in the build toolkit properties file is used, and if the value of the `connectionRef` attribute in the build toolkit properties file does not exist either, an error occurs.
idAssertion	Data type string Default value Not applicable Description Optional. Available from 3.0.45.0. Controls whether identity assertion is enabled in z/OS Connect for this API requester, and, if identity assertion is enabled, whether a surrogate check is supported. If the `idAssertion` attribute is not set, the setting for all API requesters from the `idAssertion` attribute on the `zosconnect_apiRequesters` element is used instead. Supported values are: OFF Identity assertion is not available in z/OS Connect for API requesters. z/OS applications cannot invoke an API requester with an asserted identity that is provided in the application context. ASSERT_SURROGATE Identity assertion is enabled in z/OS Connect for API requesters. z/OS applications can invoke an API requester with an asserted identity that is provided in the application context. With the ASSERT_SURROGATE value specified, z/OS Connect checks whether the identity used for authenticating the z/OS subsystem access to the z/OS Connect Server is a surrogate of the asserted identity and whether the asserted identity has the authority to invoke the API requester. ASSERT_ONLY Identity assertion is enabled in z/OS Connect for API requesters. z/OS applications can invoke an API requester with an asserted identity that is provided in the application context. With the ASSERT_ONLY value specified, z/OS Connect directly checks whether the asserted identity has the authority to invoke the API requester. Depending on the values set in the `idAssertion` and `requireAuth` attributes, z/OS Connect performs different actions on the asserted identity and the identity that is used for authenticating the z/OS subsystem access to the z/OS Connect Server. For more information, see Identity assertion for API requesters.
interceptorsRef	Data type string Default value Not applicable Description Optional. Reference to a `zosconnect_zosConnectInterceptors` element that identifies the set of configured interceptors that are associated with this API requester.
invokeGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to invoke this API requester. The value of this attribute can be set to a group name or a comma-separated list of group names that are defined in the user registry. If `globalInvokeGroup` is also defined under the `zosconnect_zosConnectManager` element, the value that is defined under `invokeGroup` is used. See Note 1 and Note 2.
name	Data type string Default value Not applicable Description Required. The name of the API requester. The API requester is named automatically when the API requester archive file is generated. The name of the API requester indicates the name and version of the API to be called, and is associated with the API requester archive file to be used. For more information, see Configuring IBM z/OS Connect to support API requesters.
oAuthResource	Data type string Default value Not applicable Description Optional. Available from 3.0.51.0. An OAuth 2.0 resource parameter to be included in the access token request to an OAuth 2.0 authorization server. This parameter is applicable only when API request uses a `zosconnect_endpointConnection` definition that has an `authenticationConfigRef` of type `zosconnect_oAuthConfig`. This value overrides any value that is specified by `BAQ-OAUTH-RESOURCE-PTR` in the z/OS application.
operationsGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to perm operations such as starting or stopping this API requester. The value of this attribute can be set to a group name or a comma-separated list of group names that are defined in the user registry. If `globalOperationsGroup` is also defined in the `zosconnect_zosConnectManager` element, the value that is defined under `operationsGroup` is used. This group takes precedence over the global group except when controlling authorization to the RESTful administration actions to deploy an API, deploy a service, list all APIs, or list all services. See Note 1 and Note 2.
readerGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to get information about this API requester, including the Swagger documentation. The value of this attribute can be set to a group name or a comma-separated list of group names that are defined in the user registry. If `globalReaderGroup` is also defined under the `zosconnect_zosConnectManager` element, the value that is defined under `readerGroup` is used. See Note 1 and Note 2.
requireAuth	Data type boolean Default value Not applicable Description Optional. Requires that users specify security credentials to be authenticated and that the authenticated user is authorized under the `zosConnectAccess` role to access the specific API requester. If the `requireAuth` attribute is not set, the setting for all API requesters from the `requireAuth` attribute on the `zosconnect_apiRequesters` element is used instead. If the `requireAuth` attribute on the `zosconnect_apiRequesters` element is not set either, the global setting from the `requireAuth` attribute on the `zosconnect_zosConnectManager` element is used instead.
requireSecure	Data type boolean Default value Not applicable Description Optional. Requires that requests are sent over HTTPS. If the `requireSecure` attribute is not set, the setting for all API requesters from the `requireSecure` attribute on the `zosconnect_apiRequesters` element is used instead. If the `requireSecure` attribute on the `zosconnect_apiRequesters` element is also not set, the global setting from the `requireSecure` attribute on the `zosconnect_zosConnectManager` element is used instead.
runGlobalInterceptors	Data type boolean Default value true Description Optional. Indicates whether to run global interceptors for requests that are associated with this API requester. Global interceptors are listed in `globalInterceptorsRef` in the `zosconnect_zosConnectManager` element. By default, z/OS Connect processes all global and API requester-specific interceptors. If the `runGlobalInterceptors` attribute is set to false, z/OS Connect processes only the set of interceptors that are listed in the `interceptorsRef` attribute.

Note:

If you use an LDAP registry, you must specify each LDAP group's distinguished name (DN) with the commas that are escaped with a backslash. For example, "cn=employees\,ou=groups\,o=intern\,c=fr, cn=managers\,ou=groups\,o=intern\,c=fr". If you specify multiple groups, the commas that separate the groups are not escaped. Specifying LDAP short names is not supported.
For information about the authorization levels that are required to perform particular requests, see API requester authorization.

zosconnect_auditInterceptor

Defines the audit interceptor for z/OS Connect to allow request data to be logged in System Management Facility (SMF) 123 subtype 1 and subtype 2 records on z/OS.

Attribute name	Description
apiProviderEarlyFailure	Data type boolean Default value false Description Optional. Available from 3.0.58.0. Indicates whether SMF subtype 1 version 2 records are written for early request failures for API provider.
apiProviderMaxDelay	Data type A time period with second precision Default value -1 Description Optional. Available from 3.0.58.0. The maximum time the audit interceptor waits before writing an SMF 123 subtype 1 version 2 record with less than the maximum number of request sections. The default time unit is seconds. The default value of `-1` disables the maximum delay meaning that an SMF record is only written when the maximum number of requests for an SMF record is reached. A value of `0` (or any value less than 1 second) means that an SMF record is written immediately for the request with no delay.
apiProviderRequestHeaders	Data type string Default value Not applicable Description Optional. SMF type 123 subtype 1 version 2 records only. The value of this attribute can be set to a header name or a comma-separated list of header names that might be present on requests.
apiProviderResponseHeaders	Data type string Default value Not applicable Description Optional. (SMF type 123 subtype 1 version 2 records only) The value of this attribute can be set to a header name or a comma-separated list of header names that might be present on responses as a result of response data mapping, see Defining and mapping headers, query parameters, or path parameters.
apiProviderSmfVersion	Data type integer Default value 1 Description Optional. The version of the SMF type 123 subtype 1 records that you want this audit interceptor to capture. Supported values are: 1 Write SMF type 123 subtype 1 version 1 records for API provider. 2 Write SMF type 123 subtype 1 version 2 records for API provider.
apiRequesterEarlyFailure	Data type boolean Default value false Description Optional. Available from 3.0.58.0. Indicates whether SMF subtype 2 version 2 records are written for early request failures for API requester.
apiRequesterMaxDelay	Data type A time period with second precision Default value -1 Description Optional. Available from 3.0.58.0. The maximum time the audit interceptor waits before writing an SMF 123 subtype 2 version 2 record with less than the maximum number of requests sections. The default time unit is seconds. A value of `-1` (the default) disables the maximum delay meaning that an SMF record is only written when the maximum number of requests for an SMF record is reached. A value of `0` (or any value less than 1 second) means that an SMF record is written immediately for the request with no delay.
apiRequesterRequestHeaders	Data type string Default value Not applicable Description Optional. Available from 3.0.45.0. (SMF type 123 subtype 2 version 2 records only) The value of this attribute can be set to a header name or a comma-separated list of header names that might be present on requests.
apiRequesterResponseHeaders	Data type string Default value Not applicable Description Optional. Available from 3.0.45.0. (SMF type 123 subtype 2 version 2 records only) The value of this attribute can be set to a header name or a comma-separated list of header names that might be present on responses.
apiRequesterSmfVersion	Data type integer Default value 1 Description Optional. Available from 3.0.45.0. Supported values are: 1 Write SMF type 123 subtype 1 version 1 records for API requester. 2 Write SMF type 123 subtype 2 version 2 records for API requester.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
sequence	Data type integer Default value 0 Description Optional. The sequence in which this interceptor is processed compared to other configured interceptors that implement the com.ibm.wsspi.zos.connect.Interceptor Service Provider Interface (SPI) for z/OS Connect. Supported values are `0` as a minimum value and `2147483647` as a maximum value.

zosconnect_authData

A reference name that identifies the basic authentication data to be used for a connection.

Attribute name	Description
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
password	Data type string Default value Not applicable Description Optional. The password that is passed from the z/OS Connect Server to establish the connection on every request. The value can be stored in clear text or encoded. Typically, the password is encoded. To do so, use the `securityUtility` shipped with WebSphere Liberty profile. The password can be a password phrase. For more information, see securityUtility command in the WebSphere Application Server Liberty documentation.
user	Data type string Default value Not applicable Description Required. The user ID that is passed from the z/OS Connect Server to establish the connection on every request, if no user ID is supplied on the request.

zosconnect_authorizationInterceptor

Defines an z/OS Connect authorization interceptor.

Attribute name	Description
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
safCacheTimeout	Data type A period of time with second precision. Default value 600 Description Optional: Specifies the amount of time in seconds that SAF credentials are kept in the SAF cache that is used by the ID assertion feature. If the timeout value is set to `0`, the cache is disabled. If set to `-1`, SAF credentials are kept indefinitely. The cache is cleared if the timeout value is changed and the configuration refreshed.
sequence	Data type integer Default value 0 Description Optional. The sequence in which this interceptor is processed compared to other configured interceptors that implement the z/OS Connect `com.ibm.wsspi.zos.connect.Interceptor` Service Provider Interface (SPI). The minimum value is `-1` and the maximum value is `2147483647`.

zosconnect_authorizationServer

Defines the connection to an authorization or authentication server to obtain access tokens fused for authentication of requests to API endpoints. For more information about supported security configuration options for JWT or OAuth 2.0, see How to configure access token authentication or How to configure OAuth 2.0 with basic authentication.

Attribute name	Description
basicAuthRef	Data type string Default value Not applicable Description Optional. Reference to the `zosconnect_authData` element that identifies the basic authentication data to be used for authenticating with an authorization server. The values of the user and password attributes that are set in the associated `zosconnect_authData` element take precedence over user credentials that are specified in the z/OS application. When your z/OS application calls an API secured with OAuth 2.0 The value of the `user` and `password` attributes set in the associated `zosconnect_authData` element are used as client ID and client secret to verify the client identity of the z/OS Connect Server with an authorization server to obtain an access token. When your z/OS application calls an API secured with a JWT The values of the `user` and `password` attributes set in the associated `zosconnect_authData` element are used as username and password to verify the user identity with an authentication server to obtain a JWT.
connectionTimeout	Data type A period of time with millisecond precision Default value 30s Description Optional. The `connectionTimeout` specifies the amount of time that the z/OS Connect Server attempts to establish a connection to the authorization and authentication server before it times out. If the timeout value is set to `0`, the z/OS Connect Server attempts to open a connection indefinitely. The default time unit is milliseconds.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
proxyConfigRef	Data type string Default value Not applicable Description Optional. Reference to the `zosconnect_proxyConfig` element that identifies the proxy through which the request for access token is routed from the z/OS Connect Server to the authorization and authentication server.
receiveTimeout	Data type A period of time with millisecond precision Default value 60s Description Optional. The `receiveTimeout` specifies the amount of time that the z/OS Connect Server waits for a response from the authorization/authentication server before it times out. If the timeout value is set to `0`, the z/OS Connect Server waits for a response indefinitely. The default time unit is milliseconds.
sslCertsRef	Data type string Default value Not applicable Description Optional. Reference to an `ssl` repertoire element. Specify the SSL configuration to be used.
tokenEndpoint	Data type string Default value Not applicable Description Required. Token endpoint URL that is used for routing a request to get an access token or a JWT from an authorization server or an authentication server. This URL must follow the following format: `"https://host:port/path"` or if using AT-TLS: `"http://host:port/path"` For example, `tokenEndpoint="https://authorization.server.com:8001/JWTTokenGenerator/getJwtToken"` Contact the authorization and authentication server administrator for details of the path value required for that server.

`zosconnect_authToken`

Defines the configuration for obtaining access tokens from an authentication server.

Attribute name	Description
authServerRef	Data type string Default value Not applicable Description Required. Reference to the `zosconnect_authorizationServer` element that identifies the about the authentication server that is used to obtain access tokens.
cacheTokensWithJti	Data type boolean Default value false Description Optional. Specifies whether tokens issued by the authorization server that contain a jti claim are cached. Applicable only when the token is of type JWT and JWS.
header	Data type string Default value Authorization Description Optional. Specify the name of the header that contains the token on the request to the API endpoint.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
tokenLifetime	Data type A period of time with millisecond precision Default value 0 Description Optional. Available from 3.0.86.0. Specifies the period of time that tokens that are opaque or of type JWE are cached for. The default time unit is milliseconds. The time that is specified that is rounded down to the nearest second. This token lifetime value is overridden by a value obtained using `tokenLifetimePath` from the authentication server response.
tokenRefreshRate	Data type A period of time with millisecond precision Default value 0 Description Optional: Available from 3.0.70.0. Specifies a period of time after which an attempt is made to obtain a new token even if there is a non-expired cached token. If the attempt to obtain a new token fails, the existing cached token is used. If the time is set to `0`, tokens are cached and refreshed when they have expired. The default time unit is milliseconds.
useBearerScheme	Data type boolean Default value true Description Optional. Indicates whether to include the Bearer scheme in the HTTP header that contains the token on the API request.

Sub elements

zosconnect_authToken > tokenRequest

Description:

Required. Defines how the user credential is passed from the z/OS Connect Server to the authentication server.

Attribute name	Description
credentialLocation	Data type string Default value Not applicable Description Required. Specifies where the user credentials are included in the request to obtain a token from the authentication server. Supported values are: header Include the user credentials in the HTTP header. If this value is set, the `header` attribute of the `tokenRequest` element must be specified. body Include the user credentials in the request body. If this value is set, the `requestBody` attribute must be specified. For both values, the `requestMethod` attribute must be specified.
header	Data type string Default value Authorization Description Optional. Specifies the name of a single header to contain the user credentials. From 3.0.70.0, a comma-separated list of two-header names can be specified to contain the user credentials. The format specification for two-header names is: `<user ID header name>,<password header name>`
requestBody	Data type string Default value Not applicable Description Optional. Specifies the body of the token request that is sent to the authentication server, as a JSON string. Required when `credentialLocation` is set to body. From 3.0.70.0, is optional when `credentialLocation` is set to header. Either explicitly specify values in the request body, as in Example A or allow substitution of username and password values set by the client application, or in the server.xml file, as in Example B. From 3.0.70.0, custom parameter values set by the client application can also be substituted. Example A `"{"credentials":{ "username":"jwtuser", "password":"jwtpassword" } }"` In this example, the user credentials `"jwtuser"` and `"jwtpassword"` are directly included in the specified JSON string. Example B `"{"apiuser":"${userid}", "apipassword":"${password}"}"` In this example, the variables `${userid}` and `${password}` are replaced with the user credentials that you include in the z/OS application or set on the `zosconnect_authData` element that is referenced by the `zosconnect_authorizationServer` element basicAuthRef attribute. Important: Typically, you use the Example B syntax. When the Example B syntax is used with the user credentials set on the `zosconnect_authData` element, the password in the server.xml file can be encoded to ensure confidentiality. The Example A syntax is provided to allow more flexibility in the request payload that is required by the authentication server. As shown in the examples before this, `"` must be used to escape the double quotation mark `"` inside the attribute value because the attribute value is already surrounded by double quotation marks to indicate it is a string value. And the following characters must also be escaped if they are contained in the attribute value because these special characters cannot be directly used in XML: `<` escaped with `<` `>` escaped with `>` `&` escaped with `&`
requestMethod	Data type string Default value Not applicable Description Required. Specify the method of the HTTP request to the authentication server. Supported values are GET, PUT, or POST.

zosconnect_authToken > tokenResponse

Description:

Required. Defines how an access token is passed from the authentication server to the z/OS Connect Server.

Attribute name	Description
header	Data type string Default value Authorization Description Optional. Specify the name of the header that contains the token.
responseFormat	Data type string Default value Not applicable Description Optional. Specify the format of the HTTP response from the authentication server when the token is returned in the response body. Supported values are Text, JSON, or JWT. JWT is supported from 3.0.69.0. Before 3.0.69.0, no Accept header is set on the token request. From 3.0.69.0, an Accept header is set to `"application/json"` for JSON, `"text/plain"` for text and `"application/jwt"` for JWT.
tokenLifetimePath	Data type string Default value Not applicable Description Optional. Available from 3.0.86.0. Applies only to tokens that are opaque or of type JWE. Specify the path to where the token lifetime is located in the JSON response body string when the `responseFormat` attribute is set to JSON. The value of this attribute must be a valid JSONPath expression. For example, if the token response is: `{ "access_token":"2YotnFZFEjr1zCsicMWpAA", "expires_in":3600 }` you must set the `tokenLifetimePath` attribute to `"$.expires_in"`.
tokenLocation	Data type string Default value Not applicable Description Required. Specify where the generated JWT is returned in the response from the authentication server to the z/OS Connect Server. Supported values are: header The token is returned in a header to z/OS Connect. If this value is set, the `header` attribute of the `tokenResponse` element must be specified. body The token is returned in the response body to z/OS Connect. If this value is set, the `responseFormat` and `tokenPath` attributes must be specified.
tokenPath	Data type string Default value Not applicable Description Optional. Specify the path to where the token is located in the JSON response body string when the `responseFormat` attribute is set to JSON. The value of this attribute must be a valid JSONPath expression. For example, if the generated token is included in the following JSON string, you must set the `tokenPath` attribute to `"$.JWTinfo.tokenname"`. `{"JWTinfo":{ "tokenname": "eyJ0eXAiOiJKV1" } }`

zosconnect_authTokenLocal

Defines the locally generated JWT configuration in z/OS Connect.

Attribute name	Description
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
header	Data type string Default value Authorization Description Optional. Specify the name of the HTTP header that contains the JWT on the API request. The HTTP header includes the Bearer scheme keyword followed by the JWT.
tokenGeneratorRef	Data type string Default value Not applicable Description Required. Reference to the id attribute value of a `jwtBuilder` element. For more information about the `jwtBuilder` element, see JWT Builder (jwtBuilder) in the WebSphere Application Server Liberty documentation.

Sub elements

zosconnect_authTokenLocal > claims

Data type:

A string or CDATA section.

Description:

Optional. Specify the public and private claims to be included in the JWT. If specified, write the claims as a JSON string. For example,


<zosconnect_authTokenLocal id="myLocalJWTConfig" 
    ...>
    <claims>{"branch":"Eastern",
             "dept":"insurance"}</claims>
</zosconnect_authTokenLocal>

Note:

The claims subelement is intended to specify only public and private claims. If registered claims, such as the aud (Audience) claim, are specified on the claims subelement, then these values overwrite the corresponding values that are configured on the jwtBuilder element that is referenced by the tokenGeneratorRef attribute of the zosconnect_authTokenLocal element. If the "sub" claim is specified on the claims subelement, its value is overwritten by the z/OS Connect Server to be the z/OS application asserted user ID. Registered claims are defined in the IANA JSON Web Token Claims Registry.
If the JSON string value of the claims subelement contains XML markup characters, such as <, >, or &, then include the JSON string inside a CDATA section so that those characters are treated as literals. For example, if one of the preceding private claims was "branch":"East&West" then the claims subelement value must be specified as:
```
<claims><![CDATA[{"branch":"East&West", 
                  "dept":"insurance"}]]></claims> 
```
For more information about the CDATA section, see CDATA.

zosconnect_bidiConfig

The following table contains all elements that are available for configuring bidi support.

Table 1. zosconnect_bidiConfig Attributes
Attribute	Description
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
inArabicShapingOptions	Data type string Default value Not applicable Description Optional. Arabic digit and letter shaping options to apply when transforming the input text. For more information, see Unicode ICU Arabic Shaping documentation.
inDirection	Data type string Default value LTR Description Optional. Direction of the input text. Supported values are: LTR Left to right. RTL Right to left.
inHostDirection	Data type string Default value LTR Description Required. Direction of the host text. Supported values are: LTR Left to right. RTL Right to left.
inHostOrder	Data type string Default value LOGICAL Description Required. The desired order of the transformed input text. Supported values are: LOGICAL Text is in logical order VISUAL Text is in visual order
inOrder	Data type string Default value LOGICAL Description Optional. Order of the input text received by the service. Supported values are: LOGICAL Text is in logical order VISUAL Text is in visual order
inSymmetricSwapping	Data type boolean Default value false Description Optional. Indicates whether to replace characters having directional meaning with the opposite direction when transforming the input text. Characters such as `[ ] { } ( ) < >` all have directional meaning.
outArabicShapingOptions	Data type string Default value Not applicable Description Optional. Arabic digit and letter shaping options to apply when transforming the input text. For more information, see Unicode ICU Arabic Shaping documentation.
outDirection	Data type string Default value LTR Description Optional. The desired direction of the output text. Supported values are: LTR Left to right. RTL Right to left.
outHostDirection	Data type string Default value LTR Description Required. The direction of the host text. Supported values are: LTR Left to right. RTL Right to left.
outHostOrder	Data type string Default value LOGICAL Description Required. Order of the host text. Supported values are: LOGICAL Text is in logical order VISUAL Text is in visual order
outOrder	Data type string Default value LOGICAL Description Optional. The desired order of the output text. Supported values are: LOGICAL Text is in logical order VISUAL Text is in visual order
outSymmetricSwapping	Data type boolean Default value false Description Optional. Indicates whether to replace characters having directional meaning with the opposite direction when transforming the input text. Characters such as `[ ] { } ( ) < >` all have directional meaning.

zosconnect_cicsConnectionGroup

Available from 3.0.59.0. Defines a group of CICS® connections that are used for workload distribution.

Attribute name	Description
cicsConnectionRefs	Data type string Default value Not applicable Description Required. List of references to the `zosconnect_cicsIpicConnection` or `zosconnect_cicsConnectionGroup` elements. A comma-separated list of references to IPIC connection elements or other CICS connection group elements, or a mixture of both. The inclusion of IPIC HA connections (definitions with `sharedPort="true"`) is not supported in CICS connection groups.
connectionRatios	Data type Comma-separated list of integers Default value Equal ratios Description Optional. A list of the relative weights for the connections specified by the `cicsConnectionRefs` attribute. A value must be specified for each connection in the list. Values can be dynamically updated to alter the distribution of requests at run time. Minimum integer value is `0`. A value of zero indicates that no requests are to be sent over the corresponding connection.
id	Data type string Default value Not applicable Description Required. A unique configuration ID. This must match the value that is specified for the `connectionRef` build toolkit property, or API toolkit connection reference property, that is used to generate the .sar files that use this connection group with the CICS service provider.

zosconnect_cicsIpicConnection

Represents a connection to a CICS system.

Note: When an IPIC connection is established with CICS, updates to the authDataRef, transid, transidUsage, preferredSpecificHost and preferredSpecificPort attributes take immediate effect but updates to other attributes that are associated with this element do not take effect until the connection is released and acquired again. To release the connection in CICS, change the status of the corresponding IPCONN in CICS to Released.

Attribute name	Description
authDataRef	Data type string Default value Not applicable Description Optional. Reference to a `zosconnect_authData` element that contains the basic authentication data to be used for the connection if no credentials are supplied on a request. For more information, see zosconnect_authData.
cicsApplid	Data type string Default value Not applicable Description Optional. The APPLID of the target CICS region. If specified, the value of `cicsApplid` is used, together with the value of `cicsNetworkid`, to verify that the connected CICS region is the expected region.
cicsNetworkid	Data type string Default value Not applicable Description Optional. The network ID of the target CICS region. The default value is 9UNKNOWN. If specified, the value of `cicsNetworkid` is used, together with the value of `cicsApplid`, to verify that the connected CICS region is the expected region. The network ID of the target CICS region is either its z/OS Communications Server NETID or for VTAM®=NO systems, the value of its UOWNETQL system initialization parameter, or defaults to `9UNKNOWN`.
connectionRetryInterval	Data type A period of time with millisecond precision. Default value 30s Description Optional. Available from 3.0.59.0. This attribute applies only to IPIC connections that are configured within a CICS connection group element. The time interval at which z/OS Connect attempts to reestablish a failed connection to CICS, as a background task. The default time unit is milliseconds. The maximum value is 3600s.
connectionTimeout	Data type A period of time with millisecond precision. Default value 30s Description Optional. The maximum amount of time that is allowed for the socket to establish a connection to CICS. The default time unit is milliseconds. A value of 0 disables this timeout.
heartbeatInterval	Data type A period of time with millisecond precision. Maximum: 3600s. Default value 30s Description Optional. Sets the time that the connection must be inactive before heartbeats are sent to CICS. The default time unit is milliseconds. A value of 0 disables IPIC heartbeats.
host	Data type string Default value Not applicable Description Required. The IP address, domain name server (DNS) hostname with domain name suffix, or just the DNS hostname, of the host on which the CICS region is running. If using Sysplex Distributor, it is the hostname of the sysplex.
id	Data type string Default value Not applicable Description Required. A unique configuration ID. This must match the value that is specified for the `connectionRef` build toolkit property that is used to generate the .sar files that use this connection with the CICS service provider.
port	Data type integer Default value Not applicable Description Required. The port number on which the target CICS region is listening. This must match the port number of a TCPIPSERVICE definition in the CICS region that is configured with the PROTOCOL parameter set to IPIC. The minimum supported value is `1` and the maximum supported value is `65535`.
preferredSpecificHost	Data type string Default value Not applicable Description Optional. Available from 3.0.56.0 and applicable only when `sharedPort="true"`. The primary IP address, or the DNS name, of the preferred CICS region for this connection. This must match the host name of a CICS region that is configured to listen on the shared port specified by the `port` attribute of this connection. The primary IP address of a CICS region can be found from message BAQR0680I, issued when an IPIC connection is established to that region. From 3.0.57.0, this attribute can be set to a value of "local" to indicate the preferred host is the LPAR on which the z/OS Connect server is running. For more information, see Setting preferredSpecificHost="local".
preferredSpecificPort	Data type integer Default value Not applicable Description Optional. Available from 3.0.56.0 and applicable only when `sharedPort="true"`. The port number of the preferred CICS region for this connection. This must match the port number of a specific TCPIPSERVICE definition of a CICS region that is configured to listen on the shared port specified by the `port` attribute of this connection. The minimum supported value is `1` and the maximum supported value is `65535`.
reconnectInterval	Data type A period of time with millisecond precision. Default value 0 Description Optional. Available from 3.0.56.0 and applicable only when `sharedPort="true"`. The time interval at which z/OS Connect attempts to reconnect to CICS. If either or both of the attributes `preferredSpecificHost` and `preferredSpecificPort` are also specified, reconnection is attempted only if the already established connection is not the configured preference. The default time unit is milliseconds. A value of 0 disables the reconnect interval. The maximum value is `3600s`.
sendSessions	Data type integer Default value 100 Description Optional. Sets the maximum number of simultaneous requests over the connection. The actual number of send sessions that are established depends on the value of `sendSessions` and the value in the RECEIVECOUNT parameter of the IPCONN definition in the CICS region. The minimum supported value is `1` and the maximum supported value is `999`. For more information to understand how the value is determined, see Table 1.
sharedPort	Data type boolean Default value false Description Optional. Indicates whether the port attribute specifies a shared port or a specific port.
sslCertsRef	Data type string Default value Not applicable Description Optional. Reference to an `ssl` repertoire element. Specify the SSL configuration to be used.
transid	Data type string Default value CSMI Description Optional. A CICS transaction name; the transidUsage parameter specifies how the value is used.
transidUsage	Data type string Default value EIB_AND_MIRROR Description Optional. Specifies how the value of the `transid` parameter is used. Supported values are: EIB_ONLY The `transid` parameter specifies the name of the CICS transaction that appears in the CICS exec interface block (EIB); the `EIBTRNID` field contains the value of the `transid` parameter. The called CICS program runs under the default mirror transaction CSMI. EIB_AND_MIRROR The `transid` parameter specifies the name of the CICS transaction under which the called CICS program runs. The transaction must be defined in the CICS region, and the transaction definition must specify the mirror program, DFHMIRS. The value that is specified by the `transid` parameter is available to the called CICS program for querying the transaction ID. The value of the `transid` parameter also appears in the EIBTRNID field of the CICS EIB.
zosConnectApplid	Data type string Default value Not applicable Description Optional. The APPLID of the IBM z/OS Connect Server that is passed to CICS. If specified, this value of `zosConnectApplid` is used, together with the value of `zosConnectNetworkid`, to match a predefined IPCONN definition in CICS or reject the request if no match is found and the CICS system has not been configured to autoinstall IPCONN connections. If you configure CICS to not allow autoinstall of IPCONN connections, only requests that have APPLIDs set on a predefined IPCONN definition are able to connect.
zosConnectNetworkid	Data type string Default value Not applicable Description Optional. The network ID of the IBM z/OS Connect Server that is passed to CICS. The default value is 9UNKNOWN. If specified, this value of `zosConnectNetworkid` is used, together with the value of `zosConnectApplid`, to match a predefined IPCONN definition in CICS or reject the request if no match is found and the CICS system has not been configured to autoinstall IPCONN connections. If a `zosConnectNetworkid` value is not specified and the NETWORKID in the CICS IPCONN definition is left blank, a match might not occur even if the z/OS Connect and CICS APPLIDs match because CICS defaults the blank NETWORKID to the local network ID. This local network ID is specified by the z/OS Communications Server NETID or for VTAM=NO systems, the value of its UOWNETQL system initialization parameter and is only defaulted to 9UNKNOWN if no local network ID is set.

zosconnect_dbServices

Defines the location for your user type converter libraries for IMS Database services. To learn more, see Configuring user type converter support for IMS database services.

Attribute name	Description
imsDbUtcPaths	Data type string Default value Not applicable Description Optional. A colon separated list of fully qualified file paths to your .jar files that contain user type converters.

zosconnect_endpointConnection

Allows requests to be routed from z/OS Connect to a request endpoint.

Attribute name	Description
allowChunking	Data type boolean Default value true Description Optional. Available from 3.0.66.0. Allow chunking on messages greater than 4 KB.
authenticationConfigRef	Data type string Default value Not applicable Description Optional. Reference to `zosconnect_authData`, `zosconnect_oAuthConfig`, `zosconnect_authToken` or `zosconnect_authTokenLocal` element. The attribute identifies the authentication data that is used for basic authentication, OAuth 2.0, or JWT when the z/OS Connect establishes a connection to a remote REST endpoint: For basic authentication, it must be associated with the `zosconnect_authData` element. For OAuth 2.0, it must be associated with the `zosconnect_oAuthConfig` element. For using a JWT that is obtained from an authentication server, it must be associated with the `zosconnect_authToken` element. For using a JWT that is locally generated by the z/OS Connect Server, it must be associated with the `zosconnect_authTokenLocal` element. Note: The `authenticationConfigRef` attribute can reference more than one element to support the combined use of basic authentication, OAuth 2.0, or JWT. For more information, see Using API requester to call an API secured with multiple authentication and authorization methods.
basicAuthRef	Data type string Default value Not applicable Description This attribute is now deprecated. Use the `authenticationConfigRef` attribute instead. Optional. Reference to the `zosconnect_authData` element that identifies the basic authentication data to be used for connecting to a request endpoint.

connectionTimeout	Data type A period of time with millisecond precision Default value 30s Description Optional. The connection timeout specifies the amount of time that the z/OS Connect Server attempts to establish a connection to the request endpoint before it times out. If the timeout value is set to 0, the z/OS Connect Server attempts to open a connection indefinitely. The default time unit is milliseconds.
domainBasePath	Data type string Default value Not applicable Description Optional. An additional path that is added between the `{host}:{port}` and `{basePath}` field in an API URL to identify domain-related information.
host	Data type string Default value Not applicable Description Required. The address that is used to route the request to the request endpoint. The value can be the protocol `http://` or `https://` followed by the IP address, the domain name server (DNS) hostname with domain name suffix, or just the DNS hostname. If the protocol is not specified, the default protocol `http://` is used.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
port	Data type string Default value Not applicable Description Optional. Port that is used for routing HTTP or HTTPS requests. If not specified, the default HTTP or HTTPS port is used.
proxyConfigRef	Data type string Default value Not applicable Description Optional. Reference to the `zosconnect_proxyConfig` element that identifies the proxy through which the request is routed from the z/OS Connect Server to the request endpoint.
receiveTimeout	Data type A period of time with millisecond precision Default value 60s Description Optional. Specifies the amount of time that the z/OS Connect Server waits for a response from the request endpoint before it times out. If the timeout value is set to 0, the z/OS Connect Server waits for a response indefinitely. The default time unit is milliseconds.
requestCompression	Data type string Default value identity Description Optional. Specifies the type of request payload compression that is used on an endpoint request. Supported values are: gzip Content is compressed with gzip encoding. identity Content is not compressed. For more information, see Enabling payload compression.
responseCompression	Data type string Default value identity Description Optional. Specifies the type of response payload compression that is accepted from the endpoint. Supported values are: gzip Content is compressed with gzip encoding. identity Content is not compressed. For more information, see Enabling payload compression.
sslCertsRef	Data type string Default value Not applicable Description Optional. Reference to an `ssl` repertoire element. Specify the SSL configuration to be used.

`zosconnect_fileSystemloggerInterceptor`

Defines an z/OS Connect File System logger interceptor.

Attribute name	Description
apiProviderRequestHeaders	Data type string Default value Not applicable Description Optional. Available from 3.0.74. Comma-separated list of request headers to log.
apiProviderResponseHeaders	Data type string Default value Not applicable Description Optional. Available from 3.0.74. Comma-separated list of response headers to log.
bufferedLogging	Data type boolean Default value false Description Optional. Indicates whether entries to the log are buffered before they are written the log file.
bufferSize	Data type integer Default value 8192 Description Optional. Buffer size in bytes to be used when the bufferLogging attribute is set to `true`.
encoding	Data type string Default value UTF-8 Description Optional. Encoding that is used when writing the log file.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
logName	Data type string Default value Not applicable Description Required. Log file name pattern that is used for payload logging.
logOption	Data type string Default value ALL Description Optional. Log option that controls what is logged. Supported values are: RESPONSE Indicates that only response data is logged. REQUEST Indicates that only request data is logged. ALL Indicates that both request and response data are logged.
logPath	Data type string Default value Not applicable Description Optional. File system location where the log file is created. By default, the log files are created in the `${server.config.dir}`/logs/zosConnect directory. For example, if you use the default value of /var/zosconnect for the `WLP_USER_DIR` environment variable, then the file system logger interceptor writes the logs to /var/zosconnect/servers/`serverName`/logs/zosConnect.
maxPayloadSize	Data type integer Default value 524288 Description Optional. Maximum payload size in characters that are allowed to be written to the log file.
requestUrl	Data type boolean Default value false Description Optional. Available from 3.0.74. Control whether request URL and method information is logged.
rollOffLogPolicy	Data type string Default value SIZE Description Optional. Indicates that a log file is rolled off based on size or duration. Supported values are: SIZE Indicates that the log file is roll-off based on the size of the log. DURATION Indicates that the roll-off log policy is based on the elapsed time since the active log file was created.
rollOffLogPolicyDuration	Data type integer Default value 1440 Description Optional. Roll off policy duration in minutes.
rollOffLogPolicySize	Data type integer Default value 52428800 Description Optional. Roll off policy size in bytes.
sequence	Data type integer Default value 0 Description Optional. Sequence in which the interceptor is processed with respect to others. Minimum value is `0` and maximum value is `2147483647`

zosconnect_libertyUserData

Defines the data into the System Management Facility (SMF) records for z/OS Connect that writes correlation information to the SMF 120 subtype 11 record User Data section.

Attribute name	Description
apiProviderEnabled	Data type boolean Default value true Description Optional. Indicates that z/OS Connect is acting as an API provider. When z/OS Connect functions as an API provider, the User Data is added to the WebSphere® Application Server Liberty.
apiRequesterEnabled	Data type boolean Default value true Description Optional. Indicates that z/OS Connect is acting as an API requester. When z/OS Connect functions as an API requester, the User Data is added to the WebSphere Application Server Liberty.

zosconnect_localAdaptersConnectService

Represents a WOLA service. The following table lists the attributes that are applicable to both COMMAREA and channel payloads.

Attribute name	Description
connectionFactoryRef	Data type string Default value Not applicable Description Required. Reference to a `connectionFactory` element that contains the JNDI name of the WOLA resource adapter connection factory to be used.
connectionWaitTimeout	Data type integer Default value Not applicable Description Optional. Number of seconds to wait for an external address space application that matches the registration name to issue a WOLA Receive Request or Host Service API and become active. Supported values are `0` as a minimum value and `2147483647` as a maximum value.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
linkTaskTranID	Data type string Default value Not applicable Description Optional. When using the WOLA CICS Link Server, specifies the name of the WOLA CICS Link Server link invocation task transaction ID.
registerName	Data type string Default value Not applicable Description Required. Name of the WOLA target register. This name must match the name an external address space application is using for the register name on a WOLA Register API call, or the name used for Register Name with a WOLA CICS Link Server.
serviceName	Data type string Default value Not applicable Description Required. Name of the WOLA target service. This service name must match the name an external address space application is using for the service name on a WOLA Receive Request or Host Service API call, or the program name used for SVC with a WOLA CICS Link Server.
useCICSContainer	Data type boolean Default value false Description Optional. When using the WOLA CICS Link Server, defines the mechanism to use for data propagation. When set to `true`, the payload is passed to the target CICS application program using CICS containers. When set to `false` (default), the payload is passed the target CICS application program using a COMMAREA. See the following tables for a description of the additional attributes required for channel payloads.
useGenericError	Data type boolean Default value false Description Optional. When enabled, all error cases from the service return an HTTP status code of 500 Internal Server Error. This option is retained for compatibility with previous versions of z/OS Connect.

There are two different methods of specifying the channel and container attributes. These methods are mutually exclusive:

Method 1

Use a channel name of IBM-WAS-ADAPTER to flow a single payload container. Specify the following attributes:

Attribute name	Description
linkTaskReqContID	Data type string Default value Not applicable Description Optional. When using the WOLA CICS Link Server and the `linkTaskRspContID` and `useCICSContainer` (`true`) attributes are also configured, specifies the name of the request, or input, container. The default CICS channel name is IBM-WAS-ADAPTER. The container name must not include blank characters.
linkTaskReqContType	Data type integer Default value 0 Description Optional. Minimum value is `0`. When using the WOLA CICS Link Server and the `linkTaskReqContID` and `useCICSContainer` (`true`) attributes are also configured, specifies the type of the request container (0=CHAR, 1=BIT). The default CICS channel name is IBM-WAS-ADAPTER.
linkTaskRspContID	Data type string Default value Not applicable Description Optional. When using the WOLA CICS Link Server and the `linkTaskReqContID` and `useCICSContainer` (`true`) attributes are also configured, specifies the name of the response, or output container. The container name must not include blank characters.
linkTaskRspContType	Data type integer Default value 0 Description Optional. Minimum value is `0`. When using the WOLA CICS Link Server and the `linkTaskRspContID` and `useCICSContainer` (`true`) attributes are also configured, specifies the type of response container (0=CHAR, 1=BIT).

Method 2

Use a channel name of your choice to flow a single payload container with the HTTP context containers. Specify the following attributes:

Attribute name	Description
linkTaskChanCtxContEncoding	Data type string Default value cp819 Description Optional. When using the CICS Link Server and when the `linkTaskChanID` and `useCICSContainer` (`true`) attributes are also configured, specifies the encoding of the data in all context containers that are sent to the destination program.
linkTaskChanCtxContHttpHeaders	Data type string Default value Not applicable Description Optional. When using the CICS Link Server and the `linkTaskChanID` and `useCICSContainer` (`true`) attributes are also configured, specifies the HTTP header name or list of comma-separated and case-sensitive HTTP header names that are passed to the destination program using the context container with the name of `ZCONHTTPHeaders`. The information that is contained in this context container is in JSON format: `{httpHeaders:{"header1":"header1Value", ...,"header-n":"headerValue-n"}}`. If the request contains multiple headers with the same name, the value that is used is the one for the first header in the request.
linkTaskChanID	Data type string Default value Not applicable Description Optional. When using the WOLA CICS Link Server and the `useCICSContainer` (`true`) attribute is also configured, specifies the CICS channel name to use for delivering messages and receiving payloads using CICS containers. The channel name must not include blank characters.
linkTaskChanType	Data type integer Default value 0 Description Optional. Minimum value is `0`. When using the WOLA CICS Link Server and the `linkTaskChanID` and `useCICSContainer` (`true`) attributes are also configured, specifies the type of the CICS containers (0=CHAR, 1=BIT) that are to be associated with the configured channel ID. When set to `0`(default), the encoding of the character data in the input/output containers are expected/returned in ASCII (CCSID 819) and the data is converted to or from EBCDIC (cp037) before/after it is sent to/from the destination program. Use the BIT type to avoid data type and encoding expectations.
linkTaskChanReqContID	Data type string Default value ZCONReqData Description Optional. When using the CICS Link Server and when the `linkTaskChanID` and `useCICSContainer` (`true`) attributes are also configured, specifies the name of the request container. The container name must not include blank characters.
linkTaskChanRespContID	Data type string Default value ZCONRespData Description Optional. When using the CICS Link Server and when the `linkTaskChanID` and `useCICSContainer` (`true`) attributes are also configured, specifies the name of the response container. The container name must not include blank characters.

zosconnect_mqService

Defines a one or two-way service for the IBM MQ Service Provider.

Note: This element is for users who have already created services from the IBM MQ service provider that is shipped with IBM MQ. Users who want to create new services should use service archive files. For more information, see Migrating a service to the IBM MQ service provider in z/OS Connect.

Attribute name	Description
connectionFactory	Data type string Default value Not applicable Description Required. Specifies the JNDI name of an IBM MQ messaging provider connection factory. The IBM MQ service provider uses the connection factory to connect to IBM MQ. For more information, see JMS Connection Factory (jmsConnectionFactory) in the WebSphere Application Server Liberty documentation.
destination	Data type string Default value Not applicable Description Required. Specifies the JNDI name of an IBM MQ messaging provider destination. For a one-way service, the target for HTTP POST, HTTP GET, and HTTP DELETE requests. Queue destinations are supported for all three request types whereas topic destinations are supported only with HTTP POST requests. For a two-way service, `destination` must be a queue destination that represents the request queue that is used by the back-end service. Two-way services support only HTTP POST requests. For more information, see JMS Queue (jmsQueue) and JMS Topic (jmsTopic) in the WebSphere Application Server Liberty documentation.
expiry	Data type integer Default value -1 Description Optional. Specifies the length of time, in thousandths of a second, that messages that are sent that are by the MQ service provider are valid. Messages become eligible to be discarded if they have not been removed from the destination queue before this period of time elapses. A negative value means that messages never expire. REST clients can override `expiry` by specifying an `ibm-mq-md-expiry` HTTP header with a valid 64-bit integer.
id	Data type string Default value Not applicable Description Required. A unique configuration ID. It is used by the `zosConnectService` element to refer to a target service provider instance.
mqmdFormat	Data type string Default value Not applicable Description Optional. Used to set the value of the MQMD format field in messages that are sent by the IBM MQ service provider. Only used when the IBM MQ service provider is configured to use IBM z/OS Connect data transformations, otherwise it is ignored. If you do not specify this attribute, and data transformations are used, messages are sent with the MQMD format field set to `"MQSTR"`. The length of this attribute must be less than, or equal to, 8 characters.
password	Data type string Default value Not applicable Description Optional. The password that the IBM MQ service provider presents to IBM MQ for authentication and authorization purposes. The value can be stored in clear text or encoded. Typically, the password is encoded. To do so, use the `securityUtility` shipped with WebSphere Liberty profile. For more information, see securityUtility command in the WebSphere Application Server Liberty documentation. For more information, see Liberty: securityUtility command. If you do not specify this attribute, the value in the `password` attribute that is specified in the Connection Factory referred to by the `connectionFactory` attribute is used. If a `password` attribute is specified both on the referenced connection factory and on this `zosconnect_mqService` element, the value in the `zosconnect_mqService` element is used. If you specify this attribute, you must also specify the `userName` attribute.
persistence	Data type boolean Default value false Description Optional. Specifies the persistence of messages that are sent by a service and is equivalent to setting the MQMD `Persistence` field. The value must be one of the following: false Means that messages are non-persistent. true Means that messages are persistent. You can override `persistence` by setting one of these values in the `ibm-mq-md-persistence` HTTP header.
receiveTextCCSID	Data type integer Default value 37 Description Optional. The CCSID that is used to transform the data in a `javax.jms.TextMessage` message. For example, an HTTP GET or HTTP DELETE with a one-way service, or when retrieving a response message for a two-way service. The text in the message is converted into the CCSID specified by `receiveTextCCSID`.
replyDestination	Data type string Default value Not applicable Description Optional. Specifies the JNDI name of an IBM MQ messaging provider queue where the back-end service sends reply messages. If `replyDestination` is not specified, the service is a one-way service. If `replyDestination` is specified, the service is a two-way service.
replySelection	Data type string Default value `msgIDToCorrelID` Description Optional. Describes the mechanism that is used to match reply messages with request messages. `replySelection` is used only with two-way services. If `replySelection` is used with a one-way service, it is ignored. Supported values are: msgIDToCorrelID Reply messages are assumed to be generated with the correlation ID set to the value of the message ID from the request message. The service generates a suitable message selector based on this information. correlIDToCorrelID Reply messages are assumed to be generated with the correlation ID set to the value of the correlation ID from the request message. The service generates a suitable message selector based on this information. If the request message does not have a correlation ID specified, the service generates a random correlation ID for the request message. none No mechanism is used to correlate reply messages with request messages. The service gets the first available message on the reply queue.
selector	Data type string Default value Not applicable Description Optional. Used on HTTP GET and HTTP DELETE requests to select which message is returned. Must be set to a valid JMS message selector as described by the JMS specification. If `ibm-mq-md-msgID` or `ibm-mq-md-correlID` headers are specified, `selector` is ignored. `selector` is only used with one-way services and is optional. If `selector` is specified on a two-way service it is ignored. Some characters in the attribute value must be escaped in order to be embedded in server.xml because these special characters cannot be directly used in XML. For example, `"` escaped with `"` `'` escaped with `'` `<` escaped with `<` `>` escaped with `>`
useCallerPrincipal	Data type boolean Default value false Description Optional. When set to true, the name of the authenticated principal of a request to z/OS Connect, is passed on to IBM MQ for authentication and authorization purposes. The name of the principal, but not the password, is used when connecting to IBM MQ. Any values that are specified in the `password` and `userName` attributes are ignored.
userName	Data type string Default value Not applicable Description Optional. The user name that the IBM MQ service provider presents to IBM MQ for authentication and authorization purposes. If you do not specify this attribute, the value of the `userName` attribute that is specified in the connection factory referred to by the `connectionFactory` attribute is used. If a `userName` attribute is specified on both the referenced connection factory and this `zosconnect_mqService` element, the value in the `zosconnect_mqService` element is used. If you specify this attribute, you must also specify the `password` attribute.
waitInterval	Data type integer Default value Not applicable Description This attribute is optional for one-way services, required for two-way services. For HTTP DELETE requests to one-way services, `waitInterval` specifies the number of milliseconds that the service waits for a matching message on the queue specified by the `destination` attribute. For HTTP POST requests to two-way services, `waitInterval` specifies the number of milliseconds that the service waits for a matching message on the queue that is specified by the `replydestination` attribute. `waitInterval` is not supported with HTTP GET requests. If `waitInterval` is zero, the service does not wait. A `waitInterval` of zero is not supported with two-way services. If `waitInterval` is negative, the service waits for ever until a message is available. REST clients can override this value by specifying an `ibm-mq-gmo-waitInterval` HTTP header with a valid 64-bit integer. Note: Specifying a large, or negative `waitInterval`, is likely to result in transaction timeouts and asynchronous service request timeouts. If these events occur, you can increase the timeout, reduce the wait interval, or do both.

zosconnect_oAuthConfig

Defines the OAuth 2.0 configuration in z/OS Connect. For more information about supported security configuration options when using OAuth 2.0, see Calling an OAuth 2.0 authorization server (zosConnect-2.0).

Attribute name	Description
authServerRef	Data type string Default value Not applicable Description Required. Reference to the `zosconnect_authorizationServer` element that identifies the information of an authorization server that is used for authentication and authorization.
clientSecretInBody	Data type boolean Default value false Description Optional. Available from 3.0.49.0. Not applicable when using JWT authentication or there is no client secret. Indicates whether to send the client credentials to the authorization server in the Authorization header or in the request body. If only a client ID is specified, it is always sent to the authorization server in the request body.
grantType	Data type string Default value Not applicable Description Required. Specifies the OAuth 2.0 grant type. Supported values are: password The Resource Owner Password Credential grant type is used. client_credentials The Client Credentials grant type is used.
header	Data type string Default value Authorization Description Optional. Available from 3.0.66.0. The name of the header that contains the OAuth 2.0 access token on the API request.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
jwtAuthenticationSetClientId	Data type boolean Default value false Description Optional. Available from 3.0.51.0. Applicable only when using JWT authentication. Indicates whether to include the client ID, specified by the `tokenSubject attribute` of the referenced `zosconnect_oAuthTokenConfig element`, in the request body sent to the authorization server.
jwtAuthenticationTokenRef	Data type string Default value Not applicable Description Optional. Reference to the `zosconnect_oAuthTokenConfig element` that identifies the data to be used for generating a JWT to be used for authentication with the authorization server. If both JWT authentication and basic authentication are configured for the authorization server, JWT authentication is used. Available from 3.0.51.0.
tokenPath	Data type string Default value `$.access_token` Description Optional. Optional. Available from 3.0.97.0.Specify the path to where the required token is located in the JSON response body string. The value of this attribute must be a valid JSONPath expression. For example, to retrieve the token from the `id_token` field in the following JSON string, set the `tokenPath` attribute to `"$.id_token"`. `{ "access_token": {access-token}, "token_type": "Bearer", "expires_in": 3600, "id_token": {identity-token} }`
tokenRetryCheckLevel	Data type string Default value 3 Description Optional. Specifies the checks to make before retrying a failed request to the API endpoint with a new OAuth 2.0 access token. Supported values are: 1 Retry the request if HTTP status code 401 is returned. 2 Not implemented. 3 Default value - Retry the request if HTTP status code 401 and a WWW_Authenticate header containing invalid_token are returned
useBearerScheme	Data type boolean Default value true Description Optional. Available from 3.0.66.0. Indicates whether to include the Bearer scheme in the HTTP header that contains the OAuth 2.0 access token on the API request.

`zosconnect_oAuthTokenConfig`

Available from 3.0.51.0. Defines the configuration that is used to generate a JWT for authentication when obtaining an OAuth 2.0 access token.

Attribute name	Description
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
tokenGeneratorRef	Data type string Default value Not applicable Description Required. Reference to the id attribute value of a `jwtBuilder`. For more information about the `jwtBuilder` element, see JWT Builder (jwtBuilder) in the WebSphere Application Server Liberty documentation.
tokenSubject	Data type string Default value Not applicable Description Required. The client ID to be used as the subject claim `"sub"` in the generated JWT token.

Sub elements

zosconnect_oAuthTokenConfig > claims

Data type:

A string or CDATA section

Description:

Optional. Specify the public and private claims to be included in the JWT. If specified, write the claims as a JSON string. For example,


<zosconnect_oAuthTokenConfig id="myOAuthJWTConfig" 
    ...>
    <claims>{"branch":"Eastern",
             "dept":"insurance"}</claims>
</zosconnect_oAuthTokenConfig>

Note:

The claims subelement is intended to specify only public and private claims. If registered claims, such as the aud (Audience) claim, are specified on the claims subelement, then these values overwrite the corresponding values that are configured on the jwtBuilder element by the tokenGeneratorRef attribute of the zosconnect_oAuthTokenConfig element. If the "sub" claim is specified on the claims subelement, its value is overwritten by the value of the value of the tokenSubject attribute. Registered claims are defined in the IANA JSON Web Token Claims Registry.
If the JSON string value of the claims subelement contains XML markup characters, such as <, > and &, then include the JSON string inside a CDATA section so that those characters are treated as literals. For example, if one of the private claims above was "branch":"East&West" then the claims subelement value must be specified as:
```
<claims><![CDATA[{"branch":"East&West", 
                  "dept":"insurance"}]]></claims> 
```
For more information about the CDATA section, see CDATA .

`zosconnect_policy`

Defines the z/OS Connect policy rules to be applied to API requests.

Attribute name	Description
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
location	Data type string Default value ${server.config.dir}/resources/zosconnect/rules Description Optional. The directory where the rule set file is located.
pollingRate	Data type A period of time with millisecond precision Default value 1m Description Optional. For dynamic configuration, controls how often the server polls the directory that contains the ruleset files. The default time unit is milliseconds.
updateTrigger	Data type string Default value disabled Description Optional. Controls when the runtime is notified about changes in the ruleset directory. Supported values are: disabled Polling for updates is disabled. Updates can be triggered using the MODIFY refresh command. polled The server will periodically check for changes to the ruleset directory contents. The value of this attribute is ignored when the MODIFY command is used to refresh the z/OS Connect Server artifacts.

Sub elements

zosconnect_policy > ruleset

Attribute name	Description
file	Data type string Default value Not applicable Description Required. The file name of the rule set. Note: Do not include the path.

`zosconnect_proxyConfig`

Allows requests to be routed from z/OS Connect to an endpoint via a proxy.

Attribute name	Description
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
host	Data type string Default value Not applicable Description Required. The IP address, domain name server (DNS) host name with domain name suffix, or just the DNS host name of the proxy server, used to route the request.
password	Data type string Default value Not applicable Description Optional. Available from version 3.0.81.0. The password that is passed from z/OS Connect to the proxy server for proxy authentication. The value can be stored in clear text or encoded. Typically, the password is encoded. To do so, use the `securityUtility` shipped with WebSphere Liberty profile. For more information, see securityUtility command in the WebSphere Application Server Liberty documentation.
port	Data type integer Default value Not applicable Description Required. Port that is used by the proxy server for routing HTTP or HTTPS requests.
type	Data type string Default value Not applicable Description Required. The proxy type. Supported values are: HTTP Uses the HTTP internet protocol. If this element is referenced from a `zosconnect_authorizationServer` element that is referenced from a `zosconnect_authToken` element, the value must be HTTP. SOCKS Uses the SOCKS internet protocol.
user	Data type string Default value Not applicable Description Optional. Available from version 3.0.81.0. The user ID passed from z/OS Connect to the proxy server for proxy authentication.

zosconnect_services

Defines the directory where service archive files are stored and how the server is notified about changes in this directory. This element must be defined for service archive files to be processed at server start up, even if all the attributes use their default values.

Note: This element is only for specific services that are defined by service archive files (.sar files)

Attribute name	Description
location	Data type string Default value ${server.config.dir}/resources/zosconnect/services Description Optional. Path to a directory location where service archive (.sar) files are stored. This location is referred to as the services directory. The value of location cannot be changed while the server is running; the value is set when the server is started.
pollingRate	Data type A period of time with millisecond precision Default value 5s Description Optional. Controls how often the server polls the services directory. The default time unit is milliseconds.
updateTrigger	Data type string Default value disabled Description Optional. Controls when the server is notified about changes in the services directory. Supported values are: disabled Polling for updates is disabled. Updates can be triggered using the MODIFY refresh command, and service archive files can be deployed using the RESTful administration interface. polled The server periodically checks for changes to the directory contents. mbean The server checks for changes when the `notifyFileChanges` method is invoked on the `FileNotificationMBean`. If you specify this value, you must also configure your server to use the Java Management Extensions (JMX) connector. For more information, see Using an MBean to trigger updates. The value of this attribute is ignored when the MODIFY command is used to refresh the z/OS Connect Server artifacts.

Sub elements

zosconnect_services > service

Description:

Required. Defines additional configuration for the service.

Attribute name	Description
adminGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to use administrative functions on this service. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If `globalAdminGroup` is also defined under element `zosconnect_zosConnectManager`, the value that is defined under `adminGroup` is used. This group takes precedence over the global group except when controlling authorization to the RESTful administration actions to deploy an API, deploy a service, list all APIs, or list all services. See Note 1 and Note 2.
interceptorsRef	Data type string Default value Not applicable Description Optional. Reference to a `zosconnect_zosConnectInterceptors` element that identifies the set of configured interceptors that are associated with this service. Note: If the service is called by an API, only the interceptors that are configured for that API are processed. Interceptors that are defined for the service are ignored.
invokeGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to invoke this service. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If `globalInvokeGroup` is also defined under element `zosconnect_zosConnectManager`, the value that is defined under `invokeGroup` is used. See Note 1 and Note 2.
name	Data type string Default value Not applicable Description Required. The name of the service.
property	Data type A list of `property` elements. Default value Not applicable Description Optional. The `property` elements define the override properties for the service archive file.
operationsGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to perform operations such as starting or stopping this service. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If `globalOperationsGroup` is also defined under element `zosconnect_zosConnectManager`, the value that is defined under `operationsGroup` is used. This group takes precedence over the global group except when controlling authorization to the RESTful administration actions to deploy an API, deploy a service, list all APIs, or list all services. See Note 1 and Note 2.
readerGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to get information about this service, including the Swagger documentation. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If `globalReaderGroup` is also defined under element `zosconnect_zosConnectManager`, the value that is defined under `readerGroup` is used. See Note 1 and Note 2.
requireSecure	Data type boolean Default value Not applicable Description Optional. Require that requests are sent over HTTPS. If the `requireSecure` attribute is not set, the global setting from the `requireSecure` attribute on the `zosconnect_zosConnectManager` element that is referenced is used instead.
requireAuth	Data type boolean Default value Not applicable Description Optional. Require that users specify security credentials to be authenticated and that the authenticated user is authorized under the `zosConnectAccess` role, in order to access the service. If the `requireAuth` attribute is not set, the global setting from the `requireAuth` attribute on the `zosconnect_zosConnectManager` element is used instead.
runGlobalInterceptors	Data type boolean Default value true Description Optional. Indicates whether global interceptors should run for requests that are associated with this service. Global interceptors are listed in `globalInterceptorsRef` in the `zosconnect_zosConnectManager` element. By default, z/OS Connect processes all global and service endpoint-specific interceptors. If the `runGlobalInterceptors` is set to false, z/OS Connect processes only the set of interceptors that are listed in the `interceptorsRef` attribute.

Note:

If using an LDAP registry, you must specify each LDAP group's distinguished name (DN) with the commas that are escaped with a backslash. for example "cn=employees\,ou=groups\,o=intern\,c=fr, cn=managers\,ou=groups\,o=intern\,c=fr". If specifying multiple groups, the commas separating the groups are not escaped. Specifying LDAP short names is not supported.
For information about the authorization levels that are required to perform particular requests, see API provider authorization

zosconnect_services > service > property

Description:

Optional. Properties for the service provider. These values take precedence over equivalent values specified in the service archive file.

Attribute name	Description
name	Data type string Default value Not applicable Description Required. The name of the property. See the following tables for the properties supported for the different service providers. CICS service provider Db2 service project REST client service provider WOLA service provider IMS service provider IBM MQ service provider
value	Data type string Default value Not applicable Description Required. The value of the property

The values that can be specified for the name attribute are specific to the service provider being used by the service. The following attribute name values are supported:

CICS service provider

Attribute name	Description
connectionRef	Reference to a `zosconnect_cicsIpicConnection` element. Available from version 3.0.81.0. Overrides the CICS IPIC connection reference specified in the service archive file.
transid	Overrides the transaction ID specified in the service archive file.
transidUsage	Overrides the transaction ID usage value specified in the service archive file.

Db2 service project

Attribute name	Description
collectionId	Overrides the value of Collection ID that was entered in the project editor.
connectionRef	Reference to a `zosconnect_zosConnectServiceRestClientConnection` element. Overrides the value of Connection Reference that was entered in the project editor.

REST client service provider

Does not support optional properties.
WOLA service provider

tranId

IMS service provider

Attribute name	Description
enforceMinArrayOccurrence	Default value true Description Enforces the minimum number of array occurrences in the input data structure as defined in the copybook. By default, minimum number of array occurrences is enforced.
escapeOutputControlCharacters	Default value false Description Escapes non-printable control characters, such as tokens or control blocks, in JSON property values as `\uNNNN` for necessary internal processing, instead of removing them. By default, control characters are omitted, not escaped.
imsConnectionRef	Default value Not applicable Description Name of the connection profile to use at service invocation. For more information about IMS connection profiles, see IMS connection profiles. This value overrides the connection profile that is specified in the API toolkit during service archive file generation.
imsDatastoreOverride	Default value Not applicable Description Overrides the IMS datastore name that specifies the IMS subsystem against which to invoke the service.
imsInteractionRef	Default value Not applicable Description Name of the interaction profile to use at service invocation. For more information about IMS interaction profiles, see IMS interaction profiles. This value overrides the interaction profile that is specified in the API toolkit during service creation.
imsTranCodeOverride	Default value Not applicable Description Overrides the transaction code that the service invokes at run time.
initializeInputFields	Default value false Description Initializes fields in the input data structure according to their type if a default is not specified for the field and either the field is omitted from the input interface or the field is included but the respective JSON tag is not received at run time. By default, fields are not initialized.
omitOutputFieldsByValue	Default value false Description Omits the JSON name-value pair for a non-numeric field from the JSON output message when the data for the field is composed of the same byte value that is repeated throughout, such as all 0x00 or all 0xFF.
omitOutputFieldsByValueByte	Default value `0x00` Description Specifies the hexadecimal value that all bytes in a non-numeric field must contain to be omitted.
omitOutputEmptyTags	Default value false Description Omits JSON tags that contain an empty string (`"tag":""`) from JSON output messages after white space and control characters are processed. By default, empty tags are not omitted.
trimOutputLeadingWhitespace	Default value false Description Trims the leading white space from JSON property values in the output messages. By default, leading white space is not trimmed.
trimOutputTrailingWhitespace	Default value true Description Trims trailing white space from JSON property values in output messages. By default, trailing white space is trimmed.

IBM MQ service provider

Property name	Description
connectionFactory	Default value Not applicable Description Defines a JNDI name that is used to locate a connection factory that connects to a z/OS queue manager on the same LPAR as the z/OS Connect Server or on a different LPAR. For more information, see JMS connection factory in the WebSphere Application Server for z/OS Liberty documentation.
destination	Default value Not applicable Description Defines a JNDI name that is used to locate an IBM MQ queue or topic. For one-way services for sending messages, the queue or topic that messages are put to. For one-way services for receiving messages, this value is the name of the queue where messages are destructively got. For two-way services, this value is the name of the queue where request messages are put. For more information, see the following topics in the WebSphere Application Server for z/OS Liberty documentation: JMS Queue (jmsQueue) if the destination is a queue or JMS Topic (jmsTopic) if the destination is a topic.
expiry	Default value -1 Description Specifies the expiry time in milliseconds of messages that are sent by the IBM MQ service provider. If set, the value is an integer that describes how long the message is available before it expires. By default, messages do not expire. `expiry` is equivalent to setting the MQMD Expiry field. Negative values mean that messages never expire. REST clients can override `expiry` by specifying an `ibm-mq-md-expiry` HTTP header with a valid 64-bit integer.
mqmdFormat	Default value Not applicable Description Completes the format field of the MQMD header in messages that are sent by the IBM MQ service provider. Only supported when the `language` property is specified. If not specified, then messages are sent with a blank format.
password	Default value Not applicable Description The password that the IBM MQ service provider presents to IBM MQ for authentication and authorization purposes. The value can be stored in clear text or encoded. Typically, the password is encoded. To do so, use the `securityUtility` shipped with WebSphere Liberty profile. For more information, see securityUtility command in the WebSphere Application Server Liberty documentation. If this property is specified, the `userName` property must also be specified. If this property is not specified, the `password` property in the connection factory that is referred to by the `connectionFactory` property is used. If a `password` property is specified in both the referenced connection factory and this `service property` subelement, the `service property` value is used.
persistence	Default value false Description Describes the persistence of messages that are sent to the queue referenced by the destination property. If set to true, messages are sent as persistent.
replyDestination	Default value Not applicable Description Defines a JNDI name that is used to locate a queue that contains response messages for two-way services. If specified, the service is a two-way service. This property is configured in the same way as the destination property. Can be set only if `replyDestination` is already set in the service archive file.
replySelection	Default value msgIDToCorrelID Description Defines how a two-way service locates reply messages on the queue that is referenced by the `replyDestination` property. If `replySelection` is used with a one-way service, it is ignored. Supported values are: msgIDToCorrelID Reply messages are assumed to be generated with the correlation ID set to the value of the message ID from the request message. The service generates a suitable message selector based on this information. none No mechanism is used to correlate reply messages with request messages. The service gets the first available message on the reply queue. correlIDToCorrelID Reply messages are assumed to be generated with the correlation ID set to the value of the correlation ID from the request message. The service generates a suitable message selector based on this information. If the request message has no correlation ID specified, the service generates a random correlation ID for the request message. For more information, see ibm-mq-md-correlID.
selector	Default value Not applicable Description Defines a valid JMS message selector that is used to locate messages from the queue that is referenced by the destination attribute. Only valid with one-way services for receiving messages. For more information, see Message selectors in JMS in the IBM MQ documentation. Some characters in the attribute value must be escaped in order to be embedded in server.xml because these special characters cannot be directly used in XML. For example, `"` escaped with `"` `'` escaped with `'` `<` escaped with `<` `>` escaped with `>`
useCallerPrincipal	Default value Not applicable Description When a request is made to z/OS Connect, the caller authenticates with the z/OS Connect Server. The name of the authenticated principal can be passed onto IBM MQ for authentication and authorization purposes by setting the value of `useCallerPrincipal` to true. The name of the principal, but no password, is used to connect to IBM MQ. Any values that are specified in the `password` and `userName` attributes are ignored.
userName	Default value Not applicable Description The user name that the IBM MQ service provider presents to IBM MQ for authentication and authorization purposes. If this property is not specified, the `userName` property in the connection factory that is referred to by the `connectionFactory` property is used. If a `userName` property is specified both in the referenced connection factory and this `service property` subelement, the `service property` value is used. If this property is specified, the `password` property must also be specified.
waitInterval	Default value Not applicable Description Specifies a time, in milliseconds that the IBM MQ service provider waits for messages to arrive on a queue. This property is only valid for two-way services, or one-way services for receiving messages. If `replyDestination` is set, then `waitInterval` must be a positive number. If `messagingAction=mqget`, then `waitInterval` can be negative, which means that the IBM MQ service provider waits forever until a message is available. If `waitInterval` is 0, the IBM MQ service provider does not wait.

zosconnect_zosConnectAPIs

Defines the directory where API archive files are stored and how the server is notified about changes in this directory. It also defines additional configuration that applies to all APIs

Attribute name	Description
location	Data type string Default value ${server.config.dir}/resources/zosconnect/apis Description Optional. Path to a directory location where API archive files are stored. The value of location cannot be changed while the server is running; the value is set when the server is started.
policyRef	Data type string Reference to a zosconnect_policy element. Default value Not applicable Description Optional. A reference name that identifies the zosconnect_policy element that is active for these APIs.
pollingRate	Data type A period of time with millisecond precision. Default value 5s Description Optional. Controls how often the server polls the apis directory. The default time unit is milliseconds.
updateTrigger	Data type string Default value disabled Description Optional. Controls when the server is notified about changes in the apis directory. Supported values are: disabled Polling for updates is disabled. Updates can be triggered using the MODIFY refresh command, and API archive files can be deployed by using the RESTful administration interface. polled The server periodically checks for changes to the directory contents. mbean The server checks for changes when the `notifyFileChanges` method is invoked on the `FileNotificationMBean`. If you specify this value, you must also configure your server to use the Java Management Extensions (JMX) connector. For more information, see Using an MBean to trigger updates. The value of this attribute is ignored when the MODIFY command is used to refresh the z/OS Connect Server artifacts.

Sub elements

zosconnect_zosConnectAPIs > zosConnectAPI

Description:

Optional. Defines additional configuration for the API.

Attribute name	Description
adminGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to use administrative functions on this API. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If `globalAdminGroup` is also defined under element `zosconnect_zosConnectManager`, the value that is defined under `adminGroup` is used. This group takes precedence over the global group except when controlling authorization to the RESTful administration actions to deploy an API, deploy a service, list all APIs, or list all services. See Note 1 and Note 2.
interceptorsRef	Data type string Default value Not applicable Description Optional. Reference to a `zosconnect_zosConnectInterceptors` element that identifies the set of configured interceptors that are associated with this API. Note: If an API operation is invoked, only the interceptors that are configured for the API are processed. The service-specific interceptor that is configured on the related service is never called.
invokeGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to invoke this API. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If `globalInvokeGroup` is also defined under element `zosconnect_zosConnectManager`, the value that is defined under `invokeGroup` is used. See Note 1 and Note 2.
name	Data type string Default value Not applicable Description Required. A name of the API.
operationsGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to perform operations such as starting or stopping this API. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If `globalOperationsGroup` is also defined under element `zosconnect_zosConnectManager`, the value that is defined under `operationsGroup` is used. This group takes precedence over the global group except when controlling authorization to the RESTful administration actions to deploy an API, deploy a service, list all APIs, or list all services. See Note 1 and Note 2.
policyRef	Data type string Default value Not applicable Description Optional. A reference name that identifies the zosconnect_policy element that is active for this API.
readerGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to get information about this API, including the Swagger documentation. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If `globalReaderGroup` is also defined under element `zosconnect_zosConnectManager`, the value that is defined under `readerGroup` is used. See Note 1 and Note 2.
requireAuth	Data type boolean Default value Not applicable Description Optional. Require that users specify security credentials to be authenticated and that the authenticated user is authorized under the `zosConnectAccess` role, in order to access the API. If the `requireAuth` attribute is not set, the global setting from the `requireAuth` attribute on the `zosconnect_zosConnectManager` element is used instead.
requireSecure	Data type boolean Default value Not applicable Description Optional. Require that requests are sent over HTTPS. If the `requireSecure` attribute is not set, the global setting from the `requireSecure` attribute on the `zosconnect_zosConnectManager` element is used instead.
runGlobalInterceptors	Data type boolean Default value true Description Optional. Indicates whether global interceptors should run for requests that are associated with this API. Global interceptors are listed in `globalInterceptorsRef` in the `zosconnect_zosConnectManager` element. By default, z/OS Connect processes all global and endpoint-specific interceptors. If the `runGlobalInterceptors` is set to false, z/OS Connect processes only the set of interceptors that are listed in the `interceptorsRef` attribute.

Note:

If you use an LDAP registry, you must specify each LDAP groups distinguished name (DN) with the commas that are escaped that are with a backslash. for example "cn=employees\,ou=groups\,o=intern\,c=fr, cn=managers\,ou=groups\,o=intern\,c=fr". If specifying multiple groups, the commas separating the groups are not escaped. Specifying LDAP short names is not supported.
For information about the authorization levels that are required to perform particular requests, see API provider authorization.

`zosconnect_zosConnectDataXform`

Defines an z/OS Connect data transformer.

Attribute name	Description
bindFileLoc	Data type string Default value Not applicable Description Required. File system path where the bind files are located.
bindFileSuffix	Data type string Default value empty string Description Optional. Suffix name that is associated with the bind files.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
pollingRate	Data type A period of time with millisecond precision Default value 2s Description Optional. The rate at which the server checks for updates to data transformation-related files such as bind or schema files. The default time unit is milliseconds.
requestSchemaLoc	Data type string Default value Not applicable Description Optional. File system path where the request schema files are located.
requestSchemaSuffix	Data type string Default value Not applicable Description Optional. Suffix name that is associated with the request schema files.
responseSchemaLoc	Data type string Default value Not applicable Description Optional. File system path where the response schema files are located.
responseSchemaSuffix	Data type string Default value Not applicable Description Optional. Suffix name that is associated with the response schema files.
updateTrigger	Data type string Default value polled Description Optional. Controls when the server is notified about changes to data transformation files such as bind and schema files. Supported values are: disabled Polling for updates is disabled. Updates can be triggered using the MODIFY refresh command. polled The server scans for changes at the polling interval and reloads any files that have detectable changes. mbean The server reloads data transformation files when prompted by an MBean called by an external program such as an integrated development environment or a management application. If you specify this value, you must also configure your server to use the Java Management Extensions (JMX) connector. For more information, see Using an MBean to trigger updates. The value of this attribute is ignored when the MODIFY command is used to refresh the z/OS Connect Server artifacts.

zosconnect_zosConnectInterceptors

Bundles 1 to N interceptors.

Attribute name	Description
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
interceptorRef	Data type comma-separated string. Default value Not applicable Description Optional. References to top-level interceptor elements. The identifier of one or more interceptors.

zosconnect_zosConnectManager

Defines global configuration settings for z/OS Connect.

Attribute name	Description
asyncRequestTimeout	Data type A period of time with millisecond precision Default value 30s Description Optional. Timeout value that is associated with every HTTP request (services and APIs) when processing asynchronous work. This does not apply to API requester calls. It specifies the time in milliseconds in which requests must complete. This timeout value overrides the web container's `asyncTimeoutDefault` attribute value. If neither `asyncRequestTimeout` nor `asyncTimeoutDefault` are configured, the timeout that is used is the `asyncTimeoutDefault` attribute default value. If `asyncRequestTimeout` is not configured, but the `asyncTimeoutDefault` attribute is, the value that is defined in `asyncTimeoutDefault` is used. A timeout might occur at any time during processing of the request IBM z/OS Connect. The request might still be active after the timeout is detected and a response is sent to the client. The default time unit is milliseconds. An `asyncRequestTimeout` value of zero means do not time out. From 3.0.8, requests that timeout receive a 503 HTTP response code instead of a 500 HTTP response code.
globalAdminGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to use administrative functions on all APIs, services, service endpoints and API requesters. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. See Note 1 and Note 2.
globalDataXformRef	Data type string Default value Not applicable Description Optional. Reference to the `zosconnect_zosConnectDataXform` element that identifies the data transformation handler that is associated with all service endpoints.
globalInterceptorsRef	Data type string Default value Not applicable Description Optional. Reference to a `zosconnect_zosConnectInterceptors` element that identifies the set of configured interceptors that is associated with all APIs and services. If services do not require global interceptors association, the `runGlobalInterceptors` attribute of the `zosconnect_zosConnectService` element can be set to false. If APIs do not require global interceptors association, the `runGlobalInterceptors` attribute of the `zosConnectAPI` element can be set to false. See Note 1, Note 3, and Note 4.
globalInvokeGroup	Data type string Default value Not applicable Description Optional. Reference to a `zosconnect_zosConnectInterceptors` element. Identifies the users that are able to invoke all APIs, services, service endpoints and API requesters. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. See Note 1 and Note 2.
globalOperationsGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to perform operations such as starting, stopping, or obtaining the status of all APIs, services, service endpoints, and API requesters. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. See Note 1 and Note 2.
globalReaderGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to get lists of, or information about, all APIs, services, service endpoints, and API requesters, including Swagger documentation. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. See Note 1 and Note 2.
operationMode	Data type string Default value ASYNC Description Optional. Specifies the mode in which z/OS Connect requests are processed. Supported values are: SYNC Synchronous mode of operation. Requests use the same thread. ASYNC Asynchronous mode of operation. Multiple threads are used to manage requests. Use SYNC when running z/OS Connect embedded in CICS and ASYNC when running standalone.
preserveJsonObjectPayloadOrder	Data type boolean Default value false Description Optional. When enabled, the order of entries in a JSON object payload is preserved.
preserveJsonPayloadCharFormat	Data type boolean Default value false Description Optional. Indicates whether the characters in the JSON payload should flow unchanged through z/OS Connect during request handling such as API invocation, service invocation and schema retrievals. When set to false, UTF-8 encoded characters might be converted to their respective escaped Unicode representation. For this attribute to take effect, the attribute definition `setUTF8ResponseEncoding` must be set to true.
requireAuth	Data type boolean Default value true Description Optional. Require that users specify security credentials to be authenticated and that the authenticated user is authorized under the `zosConnectAccess` role, in order to access APIs, services and API requesters, unless overridden on the specific resource definitions.
requireSecure	Data type boolean Default value true Description Optional. Require that requests are sent over HTTPS. The `requireSecure` attribute can be overridden on the specific resource definitions.
setUTF8ResponseEncoding	Data type boolean Default value false Description Optional. Indicates whether the character encoding in the HTTP response is set to UTF-8. The default encoding is ISO-8859-1. Set this attribute to true if your service or API contains double-byte character set (DBCS) characters. For compatibility with previous versions of z/OS Connect, this option defaults to false. Set this value to true to conform to the standard JSON encoding of UTF-8.
useJsonErrorResponses	Data type boolean Default value true Description Optional. When enabled, all error responses from the server are in JSON format. This option is retained for compatibility with previous versions of z/OS Connect.

Note:

If you use an LDAP registry, you must specify each LDAP group's distinguished name (DN) with the commas that are escaped with a backslash. for example "cn=employees\,ou=groups\,o=intern\,c=fr, cn=managers\,ou=groups\,o=intern\,c=fr". If specifying multiple groups, the commas separating the groups are not escaped. Specifying LDAP short names is not supported.
For information about the authorization levels that are required to perform particular requests, see API provider authorization and API requester authorization.
If a service is called by an API, only the interceptors that are configured for the API are processed. Interceptors that are defined for the service are ignored.
The set of configured interceptors that are referenced by globalInterceptorsRef is run for every HTTP request (services and APIs).

zosconnect_zosConnectService

Defines the configuration settings for a service endpoint.

Note: This element is for services that are not defined by service archive files.

Attribute name	Description
adminGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to use administrative functions on this service endpoint. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If it is configured along with its global counterpart, globalAdminGroup defined under element `zosconnect_zosConnectManager`, the value that is defined under adminGroup is used. See Note 1.
dataXformRef	Data type string Default value Not applicable Description Optional. Reference to a `zosconnect_zosConnectDataXform` element that identifies the data transformation handler that is associated with a service endpoint. If configured along with its global data transformation handler counterpart (`globalDataXformRef` defined under element `zosconnect_zosConnectManager`), the data transformer that is defined for the service endpoint is used.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
interceptorsRef	Data type string Default value Not applicable Description Optional. Reference to a `zosconnect_zosConnectInterceptors` element that identifies the set of configured interceptors that is associated with a service endpoint. If it is configured along with its global interceptors counterpart (`globalInterceptorsRef` defined under the `zosconnect_zosConnectManager` element), z/OS Connect processes both sets of interceptors. If the `runGlobalInterceprs` attribute for the service endpoint is set false, z/OS Connect will only process the set of interceptors that are configured for the service endpoint.
invokeGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to invoke this service endpoint. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If it is configured along with its global counterpart, `globalInvokeGroup` defined under element `zosconnect_zosConnectManager`, the value that is defined under `invokeGroup` is used. See Note 1.
invokeURI	Data type string Default value Not applicable Description Optional. URI or list of comma-separated URIs to associate with a service endpoint. InvokeURIs can end with a wildcard character in the form /a/b/* or x/y* to generically match a service endpoint invocation. Specifying multiple wildcard characters (i.e. /a/b/*) or wildcard characters in the middle of the requestURI (i.e. /a//c) is not supported. If service endpoints with configured invokeURIs using the wildcard character are associated with overlapping invokeURIs, the service endpoint that is associated with the most specific invokeURI is matched. For instance, if a service endpoint request is issued with the following: https://host:port/a/b/c going to a server with the following configuration: `service1` `->` `invokeURI="/a/b/c/"` and `service2` `->` `invokeURI="/a/b/"`, z/OS Connect will match the request to service1. Configured invokeURI entries must start with the / character. The use of an invokeURI is equivalent to a service request where the action=invoke query parameter is specified.
operationsGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to perform operations such as starting, stopping, or obtaining the status of this service endpoint. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If it is configured along with its global counterpart, `globalOperationsGroup` defined under element `zosconnect_zosConnectManager`, the value that is defined under `operationsGroup` is used. See Note 1.
readerGroup	Data type string Default value Not applicable Description Optional. Identifies the users that are able to get information about this service endpoint, including the Swagger documentation. The value of this attribute can be set to a group name or a comma-separated list of group names, that are defined in the user registry. If `globalReaderGroup` is also defined under element `zosconnect_zosConnectManager`, the value that is defined under `readerGroup` is used. See Note 1.
requireAuth	Data type boolean Default value Not applicable Description Optional. Require that users specify security credentials to be authenticated and that the authenticated user is authorized under the `zosConnectAccess` role, in order to access the service. If the `requireAuth` attribute is not set, the global setting from the `requireAuth` attribute on the `zosconnect_zosConnectManager` element is used instead.
requireSecure	Data type boolean Default value Not applicable Description Optional. Require that requests are sent over HTTPS. If the `requireSecure` attribute is not set, the global setting from the `requireSecure` attribute on the `zosconnect_zosConnectManager` element is used instead.
runGlobalInterceptors	Data type boolean Default value true Description Optional. Indicates whether global interceptors run for requests that are associated with a service endpoint. By default z/OS Connect processes all global and service endpoint-specific interceptors.
serviceAsyncRequestTimeout	Data type A period of time with millisecond precision Default value 30s Description Optional. Timeout value that is associated with a service endpoint when processing asynchronous work. It specifies the time in milliseconds in which requests must complete. This timeout value overrides the web container's `asyncTimeoutDefault` attribute value. If neither `asyncRequestTimeout` nor `asyncTimeoutDefault` are configured, the timeout that is used is the `asyncTimeoutDefault` attribute default value. If `asyncRequestTimeout` is not configured, but the `asyncTimeoutDefault` attribute is, the asyncTimeoutDefault's configured value is used. If configured along with its global counterpart: `asyncRequestTimeout` defined under element `zosconnect_zosConnectManager`, the value that is defined under `serviceAsyncRequestTimeout` is used. A timeout might occur at any time during processing of the request by z/OS Connect. The request might still be active after the timeout is detected and a response is sent to the client. The default time unit is milliseconds. From 3.0.8, requests that timeout receive a 503 HTTP response code instead of a 500 HTTP response code. This timeout applies only to direct requests to this service endpoint and not if this service endpoint is invoked via an API.
serviceDescription	Data type string Default value Not applicable Description Optional. Description that is associated with a service endpoint.
serviceGroupingName	Data type string Default value Not applicable Description Optional. Name that can be used to group or associate a set of service endpoints together.
serviceName	Data type string Default value Not applicable Description Required. Name that is associated with a service endpoint. This name identifies a service endpoint to a client.
serviceRef	Data type string Default value Not applicable Description Required. Reference to a user defined service element that identifies the service endpoint that is registered with z/OS Connect.

Note 1: If using an LDAP registry, you must specify each LDAP group's distinguished name (DN) with the commas that are escaped with a backslash. for example "cn=employees\,ou=groups\,o=intern\,c=fr, cn=managers\,ou=groups\,o=intern\,c=fr". If specifying multiple groups, the commas separating the groups are not escaped. Specifying LDAP short names is not supported.

zosconnect_zosConnectServiceRestClient

Allows requests to be routed from z/OS Connect to a remote REST endpoint.

Attribute name	Description
basicAuthRef	Data type string Default value Not applicable Description Optional. Reference to the `zosconnect_zosConnectServiceRestClientBasicAuth` element that identifies the basic authentication data to be used for connecting to a remote REST endpoint.
connectionRef	Data type string Default value Not applicable Description Optional. Reference to the `zosconnect_zosConnectServiceRestClientConnection` element. If set, the connection is made using the attributes of the `zosconnect_zosConnectServiceRestClientConnection` element. If not set, or the `zosconnect_zosConnectServiceRestClientConnection` element does not exist, the values from the `zosconnect_zosConnectServiceRestClient` element are used.
connectionTimeout	Data type A period of time with millisecond precision Default value 30s Description Optional. The connection timeout specifies the amount of time that the client attempts to establish a connection to the remote endpoint before it times out. If the timeout value is set to 0, the client attempts to open a connection indefinitely. The default time unit is milliseconds.
host	Data type string Default value Not applicable Description Required. IP address, domain name server (DNS) host name with domain name suffix, or just the DNS host name, used to route the request.
httpMethod	Data type string Default value Not applicable Description Optional. Name of the HTTP method to be used when routing HTTP requests. If no method is specified, the method that is used is the one in the original request. Supported values are: `GET`, `PUT`, `POST`, `OPTIONS`, and `DELETE`.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
port	Data type string Default value Not applicable Description Required. Port that is used for routing HTTP or HTTPS requests.
receiveTimeout	Data type A period of time with millisecond precision Default value 60s Description Optional. The receive timeout specifies the amount of time that the client waits for a response from the remote endpoint before it times out. If the timeout value is set to 0, the client will wait for a response indefinitely. The default time unit is milliseconds.
sslCertsRef	Data type string Default value Not applicable Description Optional. Reference to an `ssl` repertoire element. Specify the SSL configuration to be used.
uri	Data type string Default value Not applicable Description Optional. URI that identifies the resource to contact when routing HTTP requests. If no URI is specified everything after the port number from the original request is used.

Sub elements

zosconnect_zosConnectServiceRestClient > basicAuth

Description:

Optional. A reference name that identifies the basic authentication data to be used for connecting to a remote REST endpoint.

Attribute name Description

password

Attribute name	Description
password	Data type string Reversably encoded password. Default value Not applicable Description Optional. The password of the user under which the request will be routed. The value can be stored in clear text or encoded. Typically, the password is encoded. To do so, use the `securityUtility` shipped with WebSphere Liberty profile. For more information, see securityUtility command in the WebSphere Application Server Liberty documentation.
userName	Data type string Default value Not applicable Description Optional. The name of the user under which the request will be routed.

Data type: string; Reversably encoded password.
Default value: Not applicable
Description: Optional. The password of the user under which the request will be routed. The value can be stored in clear text or encoded. Typically, the password is encoded. To do so, use the securityUtility shipped with WebSphere Liberty profile. For more information, see securityUtility command in the WebSphere Application Server Liberty documentation.

userName

Data type: string
Default value: Not applicable
Description: Optional. The name of the user under which the request will be routed.

zosconnect_zosConnectServiceRestClientConnection

Allows requests to be routed from z/OS Connect to a remote REST endpoint.

Attribute name	Description
allowChunking	Data type boolean Default value true Description Optional. Allow chunking on messages greater than 4KB.
basicAuthRef	Data type string Default value Not applicable Description Optional. Reference to the `zosconnect_zosConnectServiceRestClientBasicAuth` element that identifies the basic authentication data to be used for connecting to a remote REST endpoint.
connectionTimeout	Data type A period of time with millisecond precision Default value 30s Description Optional. The connection timeout specifies the amount of time that the client attempts to establish a connection to the remote endpoint before it times out. If the timeout value is set to `0`, the client attempts to open a connection indefinitely. The default time unit is milliseconds.
host	Data type string Default value Not applicable Description Required. IP address, domain name server (DNS) host name with domain name suffix, or just the DNS host name, used to route the request.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
port	Data type string Default value Not applicable Description Required. Port that is used for routing HTTP or HTTPS requests.
receiveTimeout	Data type A period of time with millisecond precision Default value 60s Description Optional. The receive timeout specifies the amount of time that the client waits for a response from the remote endpoint before it times out. If the timeout value is set to `0`, the client will wait for a response indefinitely. The default time unit is milliseconds.
sslCertsRef	Data type string Default value Not applicable Description Optional. Reference to an `ssl` repertoire element. Specify the SSL configuration to be used.

Sub elements

zosconnect_zosConnectServiceRestClientConnection > basicAuth

Description:

Optional. A reference name that identifies the basic authentication data to be used for connecting to a remote REST endpoint.

Attribute name	Description
applName	Data type string Default value Not applicable Description The name of the application that requests and uses the PassTickets.
password	Data type string Reversably encoded password Default value Not applicable Description The password of the user under which the request will be routed. The value can be stored in clear text or encoded. Typically, the password is encoded. To do so, use the `securityUtility` shipped with WebSphere Liberty profile. For more information, see securityUtility command in the WebSphere Application Server Liberty documentation.
userName	Data type string Default value Not applicable Description The name of the user under which the request will be routed.

zosconnect_zosConnectServiceRestClientBasicAuth

Basic authentication data for connecting to a remote REST endpoint.

Attribute name	Description
applName	Data type string Default value Not applicable Description Optional. The name of the application that requests and uses the PassTickets.
id	Data type string Default value Not applicable Description Required. A unique configuration ID.
password	Data type string Default value Not applicable Description Optional. The password of the user under which the request will be routed. The value can be stored in clear text or encoded. Typically, the password is encoded. To do so, use the `securityUtility` shipped with WebSphere Liberty profile. For more information, see securityUtility command in the WebSphere Application Server Liberty documentation.
userName	Data type string Default value Not applicable Description Optional. The name of the user under which the request will be routed.