How to configure basic authentication with a basic user registry

Configure a z/OS® Connect server to perform basic authentication with a basic user registry.

Applies to zosConnect-2.0.

This task is applicable when z/OS Connect is used as an API provider.

Before you begin

About this task

You configure the z/OS Connect server to require authentication by setting the attribute requireAuth="true". This task then configures the server to use basic authentication.

This task does not include information on how to configure the IBM z/OS Connect server to use TLS. If the attribute requireSecure is set to true (the default), you must configure a TLS connection between the client and the z/OS Connect server, for example, by completing the task How to configure TLS with RACF key rings.

Procedure

For more information about configuration elements, see zosConnect-2.0 Configuration elements in the Reference section.

  1. Ensure that the server is configured to require authentication for the request.
    This configuration can be set at different scopes:
    • To require authentication globally for the server, set requireAuth="true" on the zosconnect_zosConnectManager element in the server.xml configuration file. For example,
      <zosconnect_zosConnectManager requireAuth="true" ... />
    • To require authentication for a specific API, which takes precedence over the global server setting, set requireAuth="true" on the zosConnectAPI element in the server.xml configuration file. For example,
      <zosconnect_zosConnectAPIs>
          <zosConnectAPI name="Api1" requireAuth="true"/>
      </zosconnect_zosConnectAPIs>
    • To require authentication for a specific service, which takes precedence over the global server setting, set requireAuth="true" on the service element in the server.xml configuration file. For example,
      <zosconnect_services>
          <service name="Service1" requireAuth="true"/>
      </zosconnect_services>
  2. Configure the server to use basic authentication.
    IBM z/OS Connect attempts to use a TLS client certificate for authentication, unless an alternative authentication mechanism is configured. Use one of the following methods to configure basic authentication:
    • Configure fail-over to basic authentication, by adding the following element to the server.xml configuration file:
      <webAppSecurity allowFailOverToBasicAuth="true"/>
    • Configure basic authentication to override the client certificate authentication default, by adding the following element to the server.xml configuration file:
      <webAppSecurity overrideHttpAuthMethod="BASIC"/>
  3. Assign users and groups to the zosConnectAccess role.

Results

The pre-defined set of users and groups that are defined in the basic user registry can be used to authenticate with the IBM z/OS Connect server. Additionally, the basic user registry users and groups that are assigned to the zosConnectAccess role now have authorization to access z/OS Connect.
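
To review a server.xml against steps 1 and 2, the following added example (not IBM's code or part of the original page) resolves the effective requireAuth value for each API and service, applying the precedence rule from step 1, and reports whether either basic authentication option from step 2 is set. The sample server.xml is constructed for illustration, and the function and variable names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the page): the global setting is
# relaxed, Api1 overrides it, Api2 and Service1 inherit it.
SAMPLE_SERVER_XML = """
<server>
    <zosconnect_zosConnectManager requireAuth="false"/>
    <zosconnect_zosConnectAPIs>
        <zosConnectAPI name="Api1" requireAuth="true"/>
        <zosConnectAPI name="Api2"/>
    </zosconnect_zosConnectAPIs>
    <zosconnect_services>
        <service name="Service1"/>
    </zosconnect_services>
    <webAppSecurity allowFailOverToBasicAuth="true"/>
</server>
"""

def _flag(element, attr):
    """Return True/False for an explicit attribute value, None if unset."""
    if element is None or element.get(attr) is None:
        return None
    return element.get(attr).strip().lower() == "true"

def audit(server_xml):
    """Hypothetical helper: summarise the authentication settings in server.xml."""
    root = ET.fromstring(server_xml)
    global_auth = _flag(root.find("zosconnect_zosConnectManager"), "requireAuth")
    effective = {}
    scoped = [("api", "zosconnect_zosConnectAPIs/zosConnectAPI"),
              ("service", "zosconnect_services/service")]
    for kind, path in scoped:
        for el in root.findall(path):
            own = _flag(el, "requireAuth")
            # An API or service setting takes precedence over the global one.
            effective[f"{kind}:{el.get('name')}"] = own if own is not None else global_auth
    basic = False
    for was in root.findall("webAppSecurity"):
        if _flag(was, "allowFailOverToBasicAuth"):
            basic = True
        if (was.get("overrideHttpAuthMethod") or "").upper() == "BASIC":
            basic = True
    # None means no explicit value at either scope; the server default applies.
    not_enforced = sorted(k for k, v in effective.items() if v is not True)
    return {"global": global_auth, "effective": effective,
            "basic_auth": basic, "not_explicitly_enforced": not_enforced}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SERVER_XML).items():
        print(key, "=", value)
```

The check reads a single file as written; it does not resolve included configuration files or variable substitutions.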