How to configure basic authentication with a SAF user registry

Configure an IBM® z/OS® Connect server to perform basic authentication with a SAF user registry.

This task is applicable when IBM z/OS Connect is used as an API provider.

Before you begin

About this task

You configure the IBM z/OS Connect server to require authentication by setting the attribute requireAuth="true". This task then configures the server to use basic authentication.

This task does not include information on how to configure the IBM z/OS Connect server to use TLS. If the attribute requireSecure is set to true (the default), you must configure a TLS connection between the client and the IBM z/OS Connect server, for example, by completing the task How to configure TLS with RACF key rings.

Procedure

For more information about configuration elements, see Configuration elements in the Reference section.

  1. Ensure that the server is configured to require authentication for the request.
    This configuration can be set at different scopes:
    • To require authentication globally for the server, set requireAuth="true" on the zosconnect_zosConnectManager element in the server.xml configuration file. For example,
      <zosconnect_zosConnectManager requireAuth="true" ... />
    • To require authentication for a specific API, which takes precedence over the global server setting, set requireAuth="true" on the zosConnectAPI element in the server.xml configuration file. For example,
      <zosconnect_zosConnectAPIs>
          <zosConnectAPI name="Api1" requireAuth="true"/>
      </zosconnect_zosConnectAPIs>
    • To require authentication for a specific service, which takes precedence over the global server setting, set requireAuth="true" on the service element in the server.xml configuration file. For example,
      <zosconnect_services>
          <service name="Service1" requireAuth="true"/>
      </zosconnect_services>
  2. Configure the server to use basic authentication.
    IBM z/OS Connect attempts to use a TLS client certificate for authentication, unless an alternative authentication mechanism is configured. Use one of the following methods to configure basic authentication:
    • Configure fail-over to basic authentication, by adding the following element to the server.xml configuration file:
      <webAppSecurity allowFailOverToBasicAuth="true"/>
    • Configure basic authentication to override the client certificate authentication default, by adding the following element to the server.xml configuration file:
      <webAppSecurity overrideHttpAuthMethod="BASIC"/>
  3. Assign users and groups to the zosConnectAccess role.

Results

User IDs and groups in the SAF user registry can be used to authenticate with the IBM z/OS Connect server. Additionally, the SAF user IDs and groups that are assigned to the zosConnectAccess role now have authorization to access IBM z/OS Connect.
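
To check the result of steps 1 and 2 across a whole configuration, the following added example (not IBM code) parses a server.xml, applies the rule that an API-level or service-level requireAuth takes precedence over the global setting, and reports which basic authentication method is configured. The names audit, SCOPES and SAMPLE are hypothetical and the sample XML is constructed. The script assumes a single file with literal attribute values, so it does not resolve included files or variables.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml for illustration; not taken from a real server.
SAMPLE = """<server>
  <zosconnect_zosConnectManager requireAuth="true"/>
  <zosconnect_zosConnectAPIs>
    <zosConnectAPI name="Api1" requireAuth="true"/>
    <zosConnectAPI name="Api2" requireAuth="false" requireSecure="false"/>
    <zosConnectAPI name="Api3"/>
  </zosconnect_zosConnectAPIs>
  <zosconnect_services>
    <service name="Service1"/>
  </zosconnect_services>
  <webAppSecurity overrideHttpAuthMethod="BASIC"/>
</server>"""

SCOPES = (("api", "zosconnect_zosConnectAPIs/zosConnectAPI"),
          ("service", "zosconnect_services/service"))

def audit(xml_text):
    """Hypothetical helper: report requireAuth per API/service and basic-auth mode."""
    root = ET.fromstring(xml_text)
    mgr = root.find("zosconnect_zosConnectManager")
    # None means requireAuth is not set explicitly at the global scope.
    global_auth = mgr.get("requireAuth") if mgr is not None else None
    effective = {}
    for kind, path in SCOPES:
        for el in root.findall(path):
            # An API- or service-level value takes precedence over the global one.
            effective[(kind, el.get("name"))] = el.get("requireAuth", global_auth)
    sec = root.findall("webAppSecurity")
    if any(e.get("overrideHttpAuthMethod") == "BASIC" for e in sec):
        basic = "override"
    elif any(e.get("allowFailOverToBasicAuth") == "true" for e in sec):
        basic = "failover"
    else:
        basic = None
    findings = [f"{kind} {name}: requireAuth is {val!r}, expected 'true'"
                for (kind, name), val in effective.items() if val != "true"]
    if basic:
        # Basic authentication sends the user ID and password base64-encoded,
        # not encrypted, so a scope that turns TLS off exposes them.
        findings += [f"{el.tag} {el.get('name', '')}: requireSecure is 'false' with basic auth"
                     for el in root.iter() if el.get("requireSecure") == "false"]
    return {"effective": effective, "basic": basic, "findings": findings}

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("basic auth mode:", report["basic"])
    for line in report["findings"]:
        print("FINDING:", line)
```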