How to configure basic authentication with a SAF user registry

Configure a IBM® z/OS® Connect server to perform basic authentication with a SAF user registry.

This task is applicable when IBM z/OS Connect is used as an API requester.

Before you begin

You should be familiar with the information in API requester authentication and identification.
You must complete the task How to activate and configure the SAF user registry to configure the IBM z/OS Connect server to use z/OS authorized services and a SAF user registry.
You must have write access to the server.xml configuration file.

About this task

You configure the IBM z/OS Connect server to require authentication, by setting the attribute requireAuth="true". This task then configures the server to use basic authentication.

This task does not include information on how to configure the IBM z/OS Connect server to use TLS. If the attribute requireSecure is set to true (the default), you must configure a TLS connection between the client and the IBM z/OS Connect server, for example, by completing the task How to configure TLS with RACF key rings.

Procedure

For more information about configuration elements, see Configuration elements in the Reference section.

Ensure that the server is configured to require authentication for the request.
This configuration can be set at different scopes in the server.xml configuration file:
- To require authentication globally for the server, set requireAuth="true" on the zosconnect_zosConnectManager element. For example,
```
<zosconnect_zosConnectManager requireAuth="true"... />
```
- To require authentication for all API requesters, which takes precedence over the global setting, set requireAuth="true" on the zosconnect_apiRequesters element. For example,
```
<zosconnect_apiRequesters requireAuth=“true”>
    <apiRequester ... />
</zosconnect_apiRequesters>
```
- To require authentication for a specific API requester, which has the highest precedence, set requireAuth="true" on the apiRequester element. For example,
```
<zosconnect_apiRequesters>
    <apiRequester name="Stock_Control" requireAuth="true"/>
 </zosconnect_apiRequesters>
```
Important: When the requireAuth attribute is specified at more than one scope, the value set on the apirequester element takes precedence over the value set on the zosconnect_apiRequesters element, which takes precedence over the value on the zosconnect_zosconnectManager element.
Configure the server to use basic authentication.
IBM z/OS Connect attempts to use a TLS client certificate for authentication, unless an alternative authentication mechanism is configured. Use one of the following methods to configure basic authentication:
- Configure fail-over to basic authentication, by adding the following element to the server.xml configuration file:
```
<webAppSecurity allowFailOverToBasicAuth="true"/>
```
- Configure basic authentication to override the client certificate authentication default, by adding the following element to the server.xml configuration file:
```
<webAppSecurity overrideHttpAuthMethod="BASIC"/>
```
Assign users and groups to the zosConnectAccess role.
Follow the instructions in task How to configure the zosConnectAccess role with a SAF user registry.

Results

User IDs and groups in the SAF user registry can be used to authenticate with the IBM z/OS Connect server. Additionally, the SAF user IDs and groups that are assigned to the zosConnectAccess role now have authorization to access IBM z/OS Connect .