Calling an API secured with multiple authentication and authorization methods
IBM® z/OS® Connect API requester provides the capability that allows a CICS®, IMS or z/OS application to call a RESTful API that is secured with multiple authentication or authorization methods.
The supported authentication and authorization methods are client certificate authentication, basic authentication, JWT and OAuth 2.0.
- To configure IBM z/OS Connect to support client
certificate authentication to the RESTful API endpoint, you must specify the
sslCertsRef on the
zosconnect_endpointConnectionin the server.xml file. For more information, see API requester TLS client authentication to a RESTful API endpoint.
- To configure IBM z/OS Connect to support basic
authentication to a RESTful API endpoint, calling an API secured with a JWT or calling an API
secured with OAuth 2.0, you must specify the authenticationConfigRef attribute
zosconnect_endpointConnectionelement in the server.xml file. Follow Table 1 to find out how to use the authenticationConfigRef attribute to specify the combination use of basic authentication, JWT and OAuth 2.0.
|Authentication / authorization methods||Elements to be referenced by the authenticationConfigRef attribute|
|Multiple JWTs (either generated by an external authentication server or locally generated or both)||
|OAuth 2.0 and one or more JWTs (either generated by an external authentication server or locally generated or both)||
|Basic authentication and one or more JWTs (either generated by an external authentication server or locally generated or both)||
As IBM z/OS Connect needs to use the same HTTP
Authorization header to pass either user credentials for basic authentication or
the OAuth access token to the request endpoint by default, so the combination of basic
authentication and OAuth 2.0 cannot be supported. And when one or more JWTs are used with basic
authentication or OAuth 2.0, you must specify the header attribute in the
with a name other than
When more than one JWT is used at the same time, you must consider the following two things:
- Ensure different header names are specified for the
- For the JWTs generated by an external authentication server, where user credentials are not provided in the server.xml file, IBM z/OS Connect uses the user credentials that are specified in your z/OS application.