Using a Trust Authentication Interceptor (TAI) to allow selected unauthenticated requests

Where IBM® z/OS® Connect is configured for basic authentication, but selected requests do not present the required credential, a Trust Authentication Interceptor (TAI) can be developed, configured and deployed with an IBM z/OS Connect server to allow selected unauthenticated requests to be processed.

For example, where an API gateway component has already authenticated requests that presented a credential, such as a client certificate, and no associated credential is available for the onward request to IBM z/OS Connect, a TAI can be developed to identify such requests and allow them to be processed under a fixed application or task identity. Requests that do not match the criteria of the TAI must still present the required credential to proceed. The criteria by which a TAI decides to block or allow a request are determined entirely by the design of the TAI implementation.
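As an added illustration (not code from the IBM documentation), the following TAI implements the pattern described above: it claims only requests that carry no Authorization header and that arrived on a TLS connection authenticated with the gateway's own client certificate, and it processes those under a fixed identity; every other request is left to the server's normal basic authentication. The gateway certificate subject, the fixed user ID and the property names are assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class GatewayTrustedTAI implements TrustAssociationInterceptor {
    // Assumed (hypothetical) defaults; overridable through TAI properties.
    private X500Principal gatewayDn = new X500Principal("CN=api-gateway,O=Example");
    private String fixedUser = "ZCGWUSER";

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        if (props != null) {
            gatewayDn = new X500Principal(props.getProperty("gatewayDn", gatewayDn.getName()));
            fixedUser = props.getProperty("fixedUser", fixedUser);
        }
        return 0;
    }

    // Claim a request only when it carries no credential AND the TLS client
    // certificate on the connection belongs to the gateway. A header set by
    // the gateway would not be enough on its own, because any caller able to
    // reach the server could forge it; the connection's certificate cannot be.
    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        if (req.getHeader("Authorization") != null || !req.isSecure()) {
            return false; // a credential is present, or the path is not TLS: normal basic auth applies
        }
        Object chain = req.getAttribute("javax.servlet.request.X509Certificate");
        if (!(chain instanceof X509Certificate[]) || ((X509Certificate[]) chain).length == 0) {
            return false; // no client certificate on the connection
        }
        return gatewayDn.equals(((X509Certificate[]) chain)[0].getSubjectX500Principal());
    }

    // Establish the fixed identity; re-check so the method is safe if called directly.
    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        if (!isTargetInterceptor(req)) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        return TAIResult.create(HttpServletResponse.SC_OK, fixedUser);
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return getClass().getName(); }
    @Override public void cleanup() { }
}
```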

In the event that the TAI allows an unauthenticated request to be processed, it is possible, depending upon overall configuration, that one or more warning messages are written to the log for each unauthenticated request. For example:
CWWKS1100A: Authentication did not succeed for user ID cn=unknown,o=ibm,c=us. An invalid user ID or password was specified.
ACF2 users might see one instance of the ACF01097 message per associated request:
ACF01097 NO USERID SPECIFIED ON SYSTEM ENTRY VALIDATION REQUEST
To avoid these warning messages, use the Liberty configuration element, webAppSecurity, to set the useAuthenticationDataForUnprotectedResource attribute to false. For example:
<webAppSecurity useAuthenticationDataForUnprotectedResource="false"/>

For more information about this element, see Web Container Application Security (webAppSecurity) in the WebSphere® Application Server for z/OS Liberty documentation.

For more information about creating a TAI, see Developing a custom TAI for Liberty in the WebSphere Application Server for z/OS Liberty documentation.