Security for z/OS Connect

z/OS® Connect is a WebSphere® Liberty application, and has the same configuration and considerations as other WebSphere Liberty applications. In addition, z/OS Connect for CICS® 1.0 and z/OS Connect Enterprise Edition have some extra security requirements.

z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition have a RESTful management interface to allow dynamic service discovery. This interface is hosted at the same host name and port number as the individual JSON Services. The use of Transport Layer Security (TLS) to protect this interface, and the individual JSON Services, is encouraged.

By default, all client connections to z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition must use the HTTPS protocol. The default behavior is to require a client-certified TLS connection to CICS. If this default is retained, client certificates must be associated with a SAF user ID. The application runs by using this certificate-derived identity.

Both z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition can be configured to support the HTTP basic authentication protocol. This protocol allows a client to connect by using TLS in combination with a SAF user ID and password. To enable support for HTTP basic authentication, add the following element to the Liberty server configuration file (server.xml): <webAppSecurity allowFailOverToBasicAuth="true"/>

Users of z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition must be members of the zos.connect.access.roles.zosConnectAccess EJBROLE. For more information, see Authorization using SAF role mapping.
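The following server.xml fragment is an added illustration of how the preceding points (HTTPS only, client-certificate TLS mapped to a SAF user ID, optional fail-over to basic authentication, and SAF role mapping for the zosConnectAccess EJBROLE) fit together in one Liberty configuration. It is not taken from the product documentation: the feature names, keyring name, port numbers and the BBGZDFLT profile prefix are assumptions chosen for the example, and only the webAppSecurity element comes from the text above.

```xml
<server description="z/OS Connect security example (constructed, not from the product documentation)">

    <!-- Assumed feature set: z/OS Connect 1.0, TLS, application security and SAF integration. -->
    <featureManager>
        <feature>zosConnect-1.0</feature>
        <feature>ssl-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>zosSecurity-1.0</feature>
    </featureManager>

    <!-- Listen on HTTPS only: httpPort="-1" disables the plain HTTP listener, so the
         management interface and the JSON services share the single TLS-protected port. -->
    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="-1"
                  httpsPort="9443" />

    <!-- Server certificate and trusted CA certificates come from a SAF keyring (assumed name).
         The password value is ignored for safkeyring locations but the attribute is required. -->
    <keyStore id="defaultKeyStore"
              location="safkeyring:///LibertyKeyring"
              type="JCERACFKS"
              password="password"
              fileBased="false"
              readOnly="true" />

    <!-- Default posture described on this page: the client must present a certificate.
         With clientAuthentication="true" a client that has no certificate fails at the TLS
         handshake, so basic-authentication fail-over never gets a chance to run. -->
    <!--
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultKeyStore"
         clientAuthentication="true"
         sslProtocol="TLSv1.2" />
    -->

    <!-- Variant used together with allowFailOverToBasicAuth: a certificate is requested and
         used when present, but clients without one still complete the handshake and are then
         asked for a SAF user ID and password. -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultKeyStore"
         clientAuthenticationSupported="true"
         sslProtocol="TLSv1.2" />

    <!-- Element taken from the text above: fall back to HTTP basic authentication when no
         client certificate was supplied. Remove this element to keep the certificate-only default. -->
    <webAppSecurity allowFailOverToBasicAuth="true" />

    <!-- SAF supplies the user registry (certificate-to-user-ID mapping, password checks)
         and the authorization decisions for EJBROLE membership. -->
    <safRegistry id="saf" />
    <safAuthorization id="saf" />

    <!-- profilePrefix is the first qualifier of the EJBROLE profiles Liberty checks.
         BBGZDFLT is assumed here. With this prefix, access to z/OS Connect is granted by
         READ access to the SAF EJBROLE profile
             BBGZDFLT.zos.connect.access.roles.zosConnectAccess
         which is defined and permitted in the security manager, not in server.xml. -->
    <safCredentials profilePrefix="BBGZDFLT" />

</server>
```

The check worth doing after deploying a configuration like this is a negative test in both directions: a client with no certificate and no credentials must be refused, and a client whose certificate maps to a SAF user ID that lacks READ access to the zosConnectAccess EJBROLE profile must receive an authorization failure rather than a response from the service.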

See Configuring authorization for applications in Liberty for Liberty information, Configuring security for z/OS Connect for z/OS Connect information, and Configuring security for z/OS Connect EE in the z/OS Connect Enterprise Edition V3.0 product documentation for z/OS Connect EE information.

For further information, see Authorization using SAF role mapping, and Configuring security for a Liberty JVM server.