Calling an API secured with multiple authentication and authorization methods
IBM® z/OS® Connect API requester provides the capability that allows a CICS®, IMS or z/OS application to call a RESTful API that is secured with multiple authentication or authorization methods.

The supported authentication and authorization methods are client certificate authentication, basic authentication, JWT and OAuth 2.0.
- To configure IBM z/OS Connect to support client certificate authentication to the RESTful API endpoint, you must specify the sslCertsRef attribute on the zosconnect_endpointConnection element in the server.xml file. For more information, see API requester TLS client authentication to a RESTful API endpoint.
- To configure IBM z/OS Connect to support basic authentication to a RESTful API endpoint, to call an API secured with a JWT, or to call an API secured with OAuth 2.0, you must specify the authenticationConfigRef attribute on the zosconnect_endpointConnection element in the server.xml file. Use Table 1 to find out how to use the authenticationConfigRef attribute to specify a combination of basic authentication, JWT and OAuth 2.0.
| Authentication / authorization methods | Elements to be referenced by the authenticationConfigRef attribute |
|---|---|
| Multiple JWTs (either generated by an external authentication server or locally generated or both) | |
| OAuth 2.0 and one or more JWTs (either generated by an external authentication server or locally generated or both) | |
| Basic authentication and one or more JWTs (either generated by an external authentication server or locally generated or both) | |
By default, IBM z/OS Connect uses the same HTTP Authorization header to pass either the user credentials for basic authentication or the OAuth access token to the request endpoint, so the combination of basic authentication and OAuth 2.0 cannot be supported. When one or more JWTs are used with basic authentication or OAuth 2.0, you must specify the header attribute in the zosconnect_authToken and zosconnect_authTokenLocal element(s) with a name other than Authorization.
When more than one JWT is used at the same time, you must consider the following two things:
- Ensure that different header names are specified for the zosconnect_authToken and zosconnect_authTokenLocal elements.
- For the JWTs generated by an external authentication server, where user credentials are not provided in the server.xml file, IBM z/OS Connect uses the user credentials that are specified in your z/OS application.
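The two header rules above (no JWT on the Authorization header next to basic authentication or OAuth 2.0, and distinct header names for every JWT element) are easy to get wrong across several endpoints, so here is an added configuration check that is not IBM's code. It assumes that authenticationConfigRef holds a comma-separated list of element ids, that any referenced element which is not a zosconnect_authToken or zosconnect_authTokenLocal is a basic-authentication or OAuth 2.0 configuration occupying the Authorization header, and that a JWT element without a header attribute defaults to Authorization; the placeholder_basicAuthConfig element in the sample is a constructed stand-in.

```python
# Added example, not IBM's code: checks the header rules described above against a
# server.xml. Assumed (not stated on the page): authenticationConfigRef holds a
# comma-separated list of element ids; a referenced element that is not a
# zosconnect_authToken/zosconnect_authTokenLocal is a basic-auth or OAuth 2.0
# configuration that occupies the HTTP Authorization header; a JWT element with no
# header attribute defaults to Authorization (inferred from the page's wording).
import xml.etree.ElementTree as ET

JWT_TAGS = {"zosconnect_authToken", "zosconnect_authTokenLocal"}

def check_endpoint_headers(server_xml: str) -> dict:
    """Return {endpointConnection id: [problems]}; an empty list means the wiring is OK."""
    root = ET.fromstring(server_xml)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    report = {}
    for ep in root.iter("zosconnect_endpointConnection"):
        problems, jwt_headers, authz_in_use = [], [], False
        refs = (ep.get("authenticationConfigRef") or "").split(",")
        for ref in (r.strip() for r in refs if r.strip()):
            el = by_id.get(ref)
            if el is None:
                problems.append(f"unresolved authenticationConfigRef id '{ref}'")
            elif el.tag in JWT_TAGS:
                # HTTP header names are case-insensitive, so compare in lower case
                jwt_headers.append(el.get("header", "Authorization").lower())
            else:
                authz_in_use = True  # basic auth or OAuth 2.0: Authorization header
        for name in sorted({h for h in jwt_headers if jwt_headers.count(h) > 1}):
            problems.append(f"header '{name}' is used by more than one JWT element")
        if authz_in_use and "authorization" in jwt_headers:
            problems.append("a JWT element uses the Authorization header alongside "
                            "basic authentication or OAuth 2.0")
        report[ep.get("id")] = problems
    return report

# Constructed sample; placeholder_basicAuthConfig stands in for the real element.
SAMPLE_SERVER_XML = """<server>
  <zosconnect_authToken id="extJwt" header="X-External-Jwt"/>
  <zosconnect_authToken id="extJwt2" header="x-external-jwt"/>
  <zosconnect_authTokenLocal id="localJwt" header="X-Local-Jwt"/>
  <zosconnect_authTokenLocal id="localNoHeader"/>
  <placeholder_basicAuthConfig id="basic"/>
  <zosconnect_endpointConnection id="good" authenticationConfigRef="basic, extJwt, localJwt"/>
  <zosconnect_endpointConnection id="bad"
      authenticationConfigRef="basic, localNoHeader, extJwt, extJwt2"/>
</server>"""
```

Running check_endpoint_headers(SAMPLE_SERVER_XML) reports no problems for the "good" endpoint and two for "bad": a duplicated JWT header name and a JWT left on the Authorization header next to basic authentication.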