© 2017 IBM Corporation

Securing APIs throughout the enterprise
z API Roadshow
Eric Phan, z Systems IT, [email protected]
Agenda
• 09:30 Registration & Coffee
• 10:00 Welcome & Trends in the API Economy: the Business Opportunity
• 10:30 Creating APIs from mainframe applications with z/OS Connect
• 11:30 BREAK
• 12:15 Creating and managing APIs with API Connect
• 13:15 LUNCH
• 14:00 Securing APIs from End-to-End
• 15:00 Architecture Options for API Enabling z Systems
• 15:45 IBM Engagement Offerings & Closing Comments
• 16:00 CLOSE
Considerations for securing REST APIs
§ Know who is invoking the API (Authentication)
§ Control access to APIs (Authorization): end user, application, server
§ Know who invoked the APIs (Audit)
§ Ensure that the data has not been altered in transit (Data Integrity, Non-Repudiation)
§ Ensure confidentiality of data in transit (Data Confidentiality)
§ Protect against malicious replay of a previous request (Non-replay)
§ Limit the number of requests (Traffic control and Rate limiting)
Session Agenda
• Introduction
• z/OS Connect Security
• API Connect Security
• DataPower Security
• End-to-end security scenario
• Summary
Strategic REST API solutions (Create, Run, Manage, Secure)

Integration solution: z/OS Connect EE V2.0
Description: Extends the support available with z/OS Connect V1. Includes tooling for API creation and deployment.
Recommendation: Use to enable a unified REST interface for CICS, IMS and DB2. Avoids multiple data transformations (use REST/JSON as the message format from the client to the mainframe). Use to enable discovery of APIs.

Integration solution: IBM API Connect
Description: Comprehensive API lifecycle to Create, Run, Manage and Enforce APIs and Microservices. DataPower and Node.js deployment options.
Recommendation: Use to create APIs and microservices that consume z Systems APIs. Manage and secure z Systems APIs created by z/OS Connect.

Integration solution: IBM DataPower Gateway
Description: SOA and mobile security gateway.
Recommendation: Use for securing access to the mainframe, and as the runtime for the API Gateway.
Consider security in depth
(Diagram: Web, Mobile and other channels send JSON/REST to DataPower, which forwards JSON/REST to API Connect, which forwards JSON/HTTP to z/OS Connect on z/OS, which calls CICS. Each tier authorizes the user and audits the request.)
• DataPower (Protect): Confidentiality, Integrity, Authenticate (user), Authorize (application), Authorize (user), Audit
• API Connect (Limit): Authorize (user), Audit
• z/OS Connect on z/OS: Authorize (user), Audit
• CICS: Authorize (user), Audit
z/OS Connect EE security overview
(Diagram: a trusted server talks over an encrypted link to Liberty z/OS running z/OS Connect EE V2.0, which applies API-layer security (authentication, role access, group access) with SAF security in support of the server runtime; identity is propagated over WOLA into the CICS region and program, where service-layer security, authorization and audit apply.)
l SAF in support of runtime
l Encryption (aka "SSL" or "TLS")
l Authentication (basic, client certificates, 3rd party authentication)
l Role-based authorization
l Optional group-based authorization
l Identity propagation into backend
z/OS Connect security is configured in server.xml (z/OS Connect EE V2.0)

  <keyStore id="defaultKeyStore" password="Liberty"/>                  (3) Secure link? Encryption
  <webAppSecurity allowFailOverToBasicAuth="true" />
  <basicRegistry id="basic1" realm="zosConnect">                       (1) Who are you? Authentication
    <user name="Fred" password="fredpwd" />
  </basicRegistry>
  <authorization-roles id="zos.connect.access.roles">                  (2) Are you allowed? Authorization
    <security-role name="zosConnectAccess">
      <user name="Fred"/>
    </security-role>
  </authorization-roles>

This can be turned off by setting the requireAuth and requireSecure attributes to "false" in server.xml.
"Hardening" security in SAF

SAF keyrings for TLS: Liberty z/OS can be instructed to go to SAF for its key and trust store. Add the appSecurity-2.0 feature and some other XML updates to indicate SAF is the registry. Remove the <keyStore> element and define the SAF keyring.

Authentication/Authorization: Remove the <basicRegistry> and <authorization-roles> from server.xml. Add the zosSecurity-1.0 feature. Replace them with <safRegistry> and <safAuthorization>, along with other XML to define the SAF registry and EJBROLE definitions.

Client certificates and SAF: Change the basic auth setting to "false" (or remove it). Change two elements in the SAF SSL definition to enable client certificate authorization against SAF certificates. The client certificate then relates to a SAF user ID, and that becomes the security principal.

"Basic" security settings from earlier, for reference (key store; client certs; authentication/authorization):

  <keyStore id="defaultKeyStore" password="Liberty"/>
  <webAppSecurity allowFailOverToBasicAuth="true" />
  <basicRegistry id="basic1" realm="zosConnect">
    <user name="Fred" password="fredpwd" />
  </basicRegistry>
  <authorization-roles id="zos.connect.access.roles">
    <security-role name="zosConnectAccess">
      <user name="Fred"/>
    </security-role>
  </authorization-roles>
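As an added example (not from this deck and not IBM's code), a small Python check that reads a Liberty server.xml and flags the "basic" settings the two slides above say to replace. Both fragments are constructed: the first wraps the slide's own elements and adds a zosconnect_zosConnectManager element with requireAuth/requireSecure switched off; the second is my reading of the hardened state. The feature names, the manager element and the safkeyring:// key store location are taken from Liberty / z/OS Connect EE configuration as I know it, not from the slides, so treat them as assumptions to verify against your own product documentation.

```python
import xml.etree.ElementTree as ET

# Constructed: the slide's "basic" settings plus the manager element with security switched off
BASIC_SERVER_XML = """<server>
  <featureManager><feature>zosconnect:zosConnect-2.0</feature></featureManager>
  <keyStore id="defaultKeyStore" password="Liberty"/>
  <webAppSecurity allowFailOverToBasicAuth="true"/>
  <basicRegistry id="basic1" realm="zosConnect">
    <user name="Fred" password="fredpwd"/>
  </basicRegistry>
  <authorization-roles id="zos.connect.access.roles">
    <security-role name="zosConnectAccess"><user name="Fred"/></security-role>
  </authorization-roles>
  <zosconnect_zosConnectManager requireAuth="false" requireSecure="false"/>
</server>"""

# Constructed: my reading of the hardened state (SAF registry, SAF authorization, SAF keyring).
# Assumption: Liberty expresses a SAF keyring as a keyStore whose location starts with safkeyring://
HARDENED_SERVER_XML = """<server>
  <featureManager>
    <feature>zosconnect:zosConnect-2.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>zosSecurity-1.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" location="safkeyring:///ZCONKEYRING" type="JCERACFKS" password="password"/>
  <webAppSecurity allowFailOverToBasicAuth="false"/>
  <safRegistry id="saf"/>
  <safAuthorization id="saf"/>
  <zosconnect_zosConnectManager requireAuth="true" requireSecure="true"/>
</server>"""


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means none of the weak settings were seen."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for needed in ("appSecurity-2.0", "zosSecurity-1.0"):
        if needed not in features:
            findings.append(f"feature {needed} not enabled (needed for SAF registry/authorization)")
    if root.find("basicRegistry") is not None:
        findings.append("basicRegistry present: user IDs and passwords live in server.xml instead of SAF")
    if root.find("authorization-roles") is not None and root.find("safAuthorization") is None:
        findings.append("authorization-roles in server.xml: roles not controlled by SAF (EJBROLE)")
    for ks in root.iter("keyStore"):
        if not (ks.get("location") or "").startswith("safkeyring://"):
            findings.append(f"keyStore {ks.get('id')}: file-based store with its password in server.xml; use a SAF keyring")
    for wa in root.iter("webAppSecurity"):
        if wa.get("allowFailOverToBasicAuth", "false").lower() == "true":
            findings.append("allowFailOverToBasicAuth=true: a failed client-certificate check falls back to ID/password")
    for mgr in root.iter("zosconnect_zosConnectManager"):
        if mgr.get("requireAuth", "true").lower() == "false":
            findings.append("requireAuth=false: unauthenticated API calls are accepted")
        if mgr.get("requireSecure", "true").lower() == "false":
            findings.append("requireSecure=false: API calls are accepted over plain HTTP")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("basic", BASIC_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_server_xml(xml_text) or ["no findings"])
```

Run it against a real server.xml by reading the file into a string; the check is deliberately conservative and only reports the settings named on the slides.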
SAF in support of the server runtime
(Diagram: Liberty z/OS running z/OS Connect EE V2.0 alongside the Liberty Angel; SAF STARTED, SERVER and CBIND profiles govern the server; WOLA connects it to the CICS region and program.)

SAF SERVER profiles: These allow or deny an ID access to authorized services. They are needed to use WOLA and to access SAF (among other things). The z/OS Connect instance needs access to the Liberty Angel process and to specific server processes (e.g. SAF, WLM, WOLA).

SAF STARTED profiles: These assign an ID to the started task for Liberty. The profile is based on the JCL procname, with a JOBNAME qualifier possible as well.

SAF CBIND profiles: These allow or deny the ability to WOLA-register into the Liberty server. The profile is based on the "three part name" in the Liberty server.xml.

For more details, consult the "Getting Started" guide: WP102604 Techdoc.
Liberty security
Liberty security provides protection for web resources (z/OS Connect is a servlet):
1. An HTTP(S) client requests a web resource in the WebContainer
2. WebContainer delegates the security check to the WebSecurity Collaborator
3. WebSecurity Collaborator prompts the user to enter credentials and uses the Authentication service to authenticate the user
4. Authentication service authenticates, creates, and returns the subject
5. WebSecurity Collaborator uses the Authorization service to perform a user authorization check
6. Authorization service returns the authorization result to the WebSecurity Collaborator
7. WebSecurity Collaborator returns the result of the security check, i.e. whether the user is authorized
8. WebContainer serves or rejects the requested resource
Encryption ("SSL", or more accurately, "TLS")
This protects the conversation between the client and the server. It is more a function of Liberty itself than of z/OS Connect EE V2.0.

TLS handshake between a REST client and Liberty z/OS (diagram):
  Client: I wish to establish a connection to you
  Server: Here is my server cert signed by a CA
  Client: I trust you based on the CA, please agree to TLS
  Server: Acknowledgement and TLS establishment

Where the server's key and trust material lives:
• Java-based key/trust files: easy to set up, but less control by security administrators
• SAF keyrings: under the control of security administrators

Important to understand where the TLS sessions start and end:
• REST clients to trusted server: the client TLS sessions may come and go frequently. If that is the responsibility of a mid-tier trusted server, then the overhead of setup/teardown is there, not on the z/OS system.
• Trusted server to Liberty z/OS (SAF): this session can be much longer-lived and thus has less setup/teardown overhead. You can manage SAF-based certificates more easily here because the potential clients are limited and known.
HTTPS
SSL
• V1.0 (1994)
• V2.0 (1995)
• V3.0 (1996), POODLE attack 2014
TLS
• V1.0 (1999)
• V1.1 (2006)
• V1.2 (2008)
• V1.3 (draft)
Encryption
1. Symmetric: one shared key. "The secret" encrypted with AES256 and the key becomes "#@4R;t9l<P"; the same key decrypts it.
2. Asymmetric: a key pair. "The secret" encrypted with RSA and key 1 (the RSA public key) becomes "E4”!KLs(l$"; only key 2 (the RSA private key) decrypts it.
Uses of the key pair:
• Handshake
• Signature
• Etc…
Authentication
Several different ways this can be accomplished:

Basic Authentication (REST client sends ID/PW to Liberty z/OS, server answers "Okay!")
• Server prompts for ID/PW
• Client supplies ID/PW
• Server checks the registry: Basic (server.xml), LDAP, SAF

Client Certificate (TLS client cert; the client could be a trusted server)
• Server prompts for a certificate
• Client supplies the certificate
• Server validates the cert and maps it to an identity (identity mapping, e.g. cert = 'FRED')
• Registry options: LDAP, SAF

Third Party Authentication (REST client sends ID/PW to the 3rd party, gets "Auth Okay" and a token (LTPA, other); the token flows via the trusted server to Liberty z/OS)
• Client authenticates to the 3rd party server
• Client receives a trusted 3rd party token
• Token flows to Liberty z/OS and is mapped to an identity
• Registry options: LDAP, SAF
Overview of z/OS Connect interceptors
The interceptor framework provides a way to call code to do pre-invoke work and then again to do post-invoke work (diagram: Request passes through Interceptor A and Interceptor B before reaching the backend program, and the interceptors run again on the Response).
In server.xml you can:
• Define 'global interceptors', which apply to all configured APIs and services
• Define interceptors specific to a given configured API or service
z/OS Connect comes with an authorization interceptor (which user can access which API or service) and an audit interceptor (for SMF recording).
It is also possible to write your own interceptor and have it called as part of request/response processing.
Authorization interceptor
The "authorization interceptor" is a supplied piece of interceptor code that will check to see if the user has the authority to perform the action requested (diagram: "Fred" asks "Allowed to enter?"; Yes, he is let in; No, "Go away"). What the interceptor provides is controlled by a defined "role":
• Administrator: full authority
• Operator: Start, Stop, Deploy ….
• Invoke: invoke service only
• Reader: discover and read
Audit (SMF) interceptor
The audit interceptor writes SMF 123.1 records. Below is an example of some of the information captured:
Server Identification Section:
• System Name • Sysplex Name • Job Name • Job Prefix • Address Space Stoken
User Data Section:
• Arrival Time • Completion Time • Target URI • Input JSON Length • Response JSON Length • Method Name • API or Service Name • Userid • Mapped user name
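An added example, written for this page rather than taken from z/OS Connect, of the interceptor chain described on the last three slides: global interceptors run pre-invoke in order, the backend runs, and post-invoke runs in reverse order. The authorization interceptor rejects a request whose user's role does not cover the requested action, and the audit interceptor collects the User Data Section fields listed above. The role-to-action table, the request fields and the user/role assignments are constructed for the example; a real audit interceptor writes SMF rather than a Python list.

```python
import time

# Constructed from the slide's role descriptions ("Operator: Start, Stop, Deploy ...")
ROLE_ACTIONS = {
    "Administrator": {"invoke", "start", "stop", "deploy", "discover", "read", "configure"},
    "Operator": {"start", "stop", "deploy"},
    "Invoke": {"invoke"},
    "Reader": {"discover", "read"},
}


class Rejected(Exception):
    """Raised by a pre-invoke interceptor to stop the request before the backend is called."""


class AuthorizationInterceptor:
    def __init__(self, role_of_user):
        self.role_of_user = role_of_user          # userid -> role name

    def pre_invoke(self, req):
        role = self.role_of_user.get(req["userid"])
        if role is None or req["action"] not in ROLE_ACTIONS[role]:
            raise Rejected(f"{req['userid']} (role {role}) may not {req['action']} {req['service']}")

    def post_invoke(self, req, resp):
        pass


class AuditInterceptor:
    """Collects the User Data Section fields of the audit record into a list."""

    def __init__(self, records):
        self.records = records

    def pre_invoke(self, req):
        pass

    def post_invoke(self, req, resp):
        self.records.append({
            "arrivalTime": req["arrivalTime"], "completionTime": req["completionTime"],
            "targetURI": req["uri"], "methodName": req["method"], "serviceName": req["service"],
            "inputLength": len(req.get("body", "")), "responseLength": len(resp.get("body", "")),
            "userid": req["userid"], "mappedUserid": req.get("mappedUserid"), "status": resp["status"],
        })


def dispatch(req, backend, global_interceptors, per_service=None, clock=time.monotonic):
    """Global interceptors first, then those configured for the service; post-invoke in reverse order.
    Put the audit interceptor first so its post-invoke also sees requests rejected later in the chain."""
    chain = list(global_interceptors) + list((per_service or {}).get(req["service"], []))
    req["arrivalTime"] = clock()
    ran = []
    try:
        for ic in chain:
            ic.pre_invoke(req)
            ran.append(ic)
        resp = backend(req)
    except Rejected as why:
        resp = {"status": 403, "body": str(why)}   # the backend never ran
    req["completionTime"] = clock()
    for ic in reversed(ran):
        ic.post_invoke(req, resp)
    return resp


def demo():
    """Three calls against placeOrder: an authorized invoke, a Reader trying to invoke, an Invoke-only user deploying."""
    records = []
    interceptors = [AuditInterceptor(records),
                    AuthorizationInterceptor({"JeanLeclerc": "Invoke", "AliceNevers": "Reader"})]

    def backend(req):
        return {"status": 200, "body": '{"orderId": 42}'}

    def call(userid, action, mapped):
        req = {"service": "placeOrder", "method": "PUT", "uri": "/placeOrder", "action": action,
               "userid": userid, "mappedUserid": mapped, "body": '{"item": 10, "qty": 2}'}
        return dispatch(req, backend, interceptors)["status"]

    statuses = (call("JeanLeclerc", "invoke", "EMPLOY1"),
                call("AliceNevers", "invoke", "EMPLOY2"),
                call("JeanLeclerc", "deploy", "EMPLOY1"))
    return statuses, records


if __name__ == "__main__":
    for record in demo()[1]:
        print(record)
```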
Audit placeOrder requests (formatted SMF record):
Record#:144; Type:120; Size:2212; Date:Mon Feb 16 15:56:09 GMT+01:00 2015; SystemID:ZT01; SubsystemID:WAS; Flag:94; Subtype:11 (LibertyRequestActivity);
#SubtypeVersion:1; Index of this record:0; Total number of records:1; record continuation token *0000000000000000-------- -------- *
#Triplets:2; Triplet#:1; offsetDec:72; offsetHex:48; lengthDec:80; lengthHex:50; coun Triplet#:2; offsetDec:152; offsetHex:98; lengthDec:2060; lengthHex:80c;
Triplet#:1; Type:LibertyServerInfoSection; ServerInfoVersion:1; SystemName(CVTSNAME):ZT01; Sysplex Name:ZT00PLEX; JobID:STC06791; JobName:MOPZCO1; Stoken *00000514000003b6-------- -------- *
Triplet#:2; Type:UserDataSection; Version:1; DataType:102; DataLength:251; dataversion:1; arrivalTime *ce84612141b6586a-------- -------- * completionTime *ce84612144cc7969-------- -------- * targetURI:/placeOrder; inputLength:207; servicename:placeOrder; methodname:PUT; responseLength:244; userid:JeanLeclerc; mapped userid:EMPLOY1;
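An added example (mine, not part of the deck) of turning the formatted record above into the "who did what" summary a reviewer wants: it parses the semicolon-separated "name:value" fields, pulls out the binary fields that are printed as "name *hex-------- -------- *", and computes the elapsed time from the two timestamps. The sample text is the slide's record with the field spacing restored; treating the timestamps as z/OS STCK values (bit 51 = 1 microsecond) is an assumption about the format of these Liberty records.

```python
import re

# The slide's SMF request-activity record as printed, with field spacing restored
SMF_DUMP = """Record#:144; Type:120; Size:2212; Date:Mon Feb 16 15:56:09 GMT+01:00 2015; SystemID:ZT01; SubsystemID:WAS; Flag:94; Subtype:11 (LibertyRequestActivity);
#SubtypeVersion:1; Index of this record:0; Total number of records:1; record continuation token *0000000000000000-------- -------- *
#Triplets:2; Triplet#:1; offsetDec:72; offsetHex:48; lengthDec:80; lengthHex:50; Triplet#:2; offsetDec:152; offsetHex:98; lengthDec:2060; lengthHex:80c;
Triplet#:1; Type:LibertyServerInfoSection; ServerInfoVersion:1; SystemName(CVTSNAME):ZT01; Sysplex Name:ZT00PLEX; JobID:STC06791; JobName:MOPZCO1; Stoken *00000514000003b6-------- -------- *
Triplet#:2; Type:UserDataSection; Version:1; DataType:102; DataLength:251; dataversion:1; arrivalTime *ce84612141b6586a-------- -------- * completionTime *ce84612144cc7969-------- -------- * targetURI:/placeOrder; inputLength:207; servicename:placeOrder; methodname:PUT; responseLength:244; userid:JeanLeclerc; mapped userid:EMPLOY1;"""

# Binary fields are printed as "name *hex-------- -------- *" with no ':' and no ';' after them
BINARY_RE = re.compile(r"([A-Za-z][\w ]*?)\s*\*([0-9a-f]{16})-+ -+ \*")


def _key(name):
    return re.sub(r"\s+", "", name).lower()       # "mapped userid" -> "mappeduserid"


def parse_smf_dump(text):
    """Flatten the printed record into a dict; later duplicates (e.g. 'Type') overwrite earlier ones."""
    fields = {}

    def grab(match):
        fields[_key(match.group(1))] = match.group(2)
        return ";"                                 # restore a separator so the next field splits cleanly

    flat = BINARY_RE.sub(grab, " ".join(text.splitlines()))
    for chunk in flat.split(";"):
        key, sep, value = chunk.partition(":")     # first ':' only: the Date value contains colons
        if sep:
            fields[_key(key)] = value.strip()
    return fields


def stck_delta_microseconds(start_hex, end_hex):
    # Assumption: z/OS STCK format, where bit 51 of the 64-bit value is one microsecond
    return (int(end_hex, 16) - int(start_hex, 16)) >> 12


def audit_summary(fields):
    """Who called what, under which mapped identity, on which server, and how long it took."""
    return {
        "system": fields.get("systemname(cvtsname)"),
        "server_job": fields.get("jobname"),
        "who": fields.get("userid"),
        "mapped_to": fields.get("mappeduserid"),
        "request": f"{fields.get('methodname')} {fields.get('targeturi')}",
        "service": fields.get("servicename"),
        "elapsed_us": stck_delta_microseconds(fields["arrivaltime"], fields["completiontime"]),
    }


if __name__ == "__main__":
    print(audit_summary(parse_smf_dump(SMF_DUMP)))
```

Feed several records through audit_summary and the distributed ID / RACF ID pairs are exactly what the demo scenario later in the deck relies on for answering "who invoked the API".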
Identity propagation to backend
(Diagram: Liberty z/OS running z/OS Connect EE V2.0 reaches the CICS region and program over WOLA, and the IMS region and program over TCP through IMS Connect; the identity travels with the request.)

  <zosLocalAdapters useCicsTaskUserId="true" wolaGroup="GROUP" wolaName2="NAME1" wolaName3="NAME2" />

This is what tells z/OS Connect EE V2.0 to assert the identity over a WOLA connection to CICS.
The CICS link server task supports the assertion of identity from Liberty z/OS over WOLA.
The IMS adapter for z/OS Connect EE V2.0 supports the assertion of identity over TCP to IMS Connect and into the IMS region.
API Connect security overview
(Diagram: the invoking API reaches the API Gateway through a TLS profile; the gateway applies API security, throttling and user custom policies in the assembly flow, then calls the API endpoint (a REST API, LoopBack application or trusted server) through a second TLS profile. API endpoints add their own security policy: authentication/authorization and pre-processing.)
l Encryption (aka "SSL" or "TLS"): a TLS Profile sets the TLS configuration (keystore, truststore, protocol)
l The API Gateway enforces API security with API Key, Basic Auth or OAuth
l API security can be applied to an entire API or to specific API operations
l Throttling is applied according to subscription plans
API Connect - TLS
TLS/SSL is configured using TLS profiles, which define:
• Identity certificates
• Trusted certificates
• Authorized protocols
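An added example (not from the deck or from API Connect) that ties the protocol history on the HTTPS slide to the three parts of a TLS profile listed here: a review function that flags a profile authorizing SSL or pre-1.2 TLS, or lacking identity or trusted certificates, and a helper that turns the profile into a Python ssl context whose floor never drops below TLS 1.2. The profile dictionaries and their certificate file names are constructed; the protocol names follow Python's ssl.TLSVersion spelling.

```python
import ssl

# Versions from the HTTPS slide that a profile should no longer authorize, with the reason
DEPRECATED = {
    "SSLv2": "SSL 2.0 (1995) is broken",
    "SSLv3": "SSL 3.0 (1996) is vulnerable to POODLE (2014)",
    "TLSv1": "TLS 1.0 (1999) is deprecated",
    "TLSv1_1": "TLS 1.1 (2006) is deprecated",
}


def evaluate_tls_profile(profile):
    """Findings for a profile given as {identity_certificates, trusted_certificates, authorized_protocols}."""
    findings = []
    for proto in profile.get("authorized_protocols", []):
        if proto in DEPRECATED:
            findings.append(f"{proto} authorized: {DEPRECATED[proto]}")
    if not profile.get("identity_certificates"):
        findings.append("no identity certificate: the gateway has nothing to present to its peer")
    if not profile.get("trusted_certificates"):
        findings.append("no trusted certificates: peer certificates cannot be validated")
    return findings


def context_from_profile(profile):
    """Client-side ssl context for the profile; the floor is the lowest authorized version, but never below TLS 1.2."""
    ctx = ssl.create_default_context()      # verifies the peer against the trust store and checks the hostname
    offered = [getattr(ssl.TLSVersion, p) for p in profile.get("authorized_protocols", [])
               if hasattr(ssl.TLSVersion, p)]    # SSLv2 has no TLSVersion member and is silently dropped
    floor = min(offered, default=ssl.TLSVersion.TLSv1_2)
    ctx.minimum_version = max(floor, ssl.TLSVersion.TLSv1_2)
    return ctx


# Constructed profiles: one as it might have been left over from an older deployment, one as it should be
WEAK_PROFILE = {"identity_certificates": ["gateway.pem"], "trusted_certificates": [],
                "authorized_protocols": ["SSLv3", "TLSv1", "TLSv1_2"]}
GOOD_PROFILE = {"identity_certificates": ["gateway.pem"], "trusted_certificates": ["corp-ca.pem"],
                "authorized_protocols": ["TLSv1_2", "TLSv1_3"]}

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("good", GOOD_PROFILE)):
        print(name, evaluate_tls_profile(profile) or ["no findings"],
              context_from_profile(profile).minimum_version.name)
```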
API Connect - API Security
APIs are protected using Security definitions. 3 types of Security definitions are supported:
• API key
• Basic Auth
• OAuth
API Connect - API Security granularity
API-level Security definitions: once defined, the Security definitions can be enabled for the whole API or per operation. Multiple options can be configured, to allow multiple ways to authenticate/authorize.
Operation-level Security definitions: for instance, a specific Security policy can be applied to the GET operation for /items.
API Connect - API key
An API key and API secret are generated for each new registered Application on the Developer Portal.
API Connect - Basic Auth
The Basic Authorization header is verified against an Authentication server or an LDAP registry.
HTTP call to the Authentication Server with Basic Auth:
• Code 200: Authenticated + Authorized
• Code 401: Not Authenticated
• Code 403: Not Authorized
Alternatively, authentication/authorization against an LDAP registry.
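An added example, not from the deck, of what the Authentication Server behind that HTTP call has to do: parse the Basic header, verify the password against a salted hash with a constant-time comparison, and answer 200, 401 or 403 exactly as listed above. The registry (two users, one of them authenticated but not authorized) is constructed; the HTTP plumbing around the handler is left out so that the decision logic can be run on its own.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 60_000


def make_entry(password, authorized, salt=None):
    """Registry entry: salted PBKDF2 hash of the password plus the authorization decision."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "authorized": authorized}


# Constructed registry: JeanLeclerc may use the API, guest is a valid login without the entitlement
REGISTRY = {
    "JeanLeclerc": make_entry("correct horse", authorized=True),
    "guest": make_entry("guest", authorized=False),
}


def parse_basic_header(value):
    """'Basic base64(user:password)' -> (user, password), or None if the header is not usable."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate_basic(headers, registry=REGISTRY):
    """Return the status code API Connect expects from the authentication URL."""
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is None:
        return 401
    user, password = creds
    entry = registry.get(user)
    # Always run the hash so an unknown user costs the same as a wrong password
    salt = entry["salt"] if entry else b"\0" * 16
    check = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    if entry is None or not hmac.compare_digest(check, entry["hash"]):
        return 401
    return 200 if entry["authorized"] else 403


def basic_header(user, password):
    """Build the header a client would send (used by the demo and the checks)."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")}


if __name__ == "__main__":
    for user, pw in (("JeanLeclerc", "correct horse"), ("guest", "guest"), ("JeanLeclerc", "wrong")):
        print(user, authenticate_basic(basic_header(user, pw)))
```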
API Connect - OAuth
API Connect supports different OAuth flows. An OAuth Provider API is configured, which provides the URL of the OAuth provider API's token or authorization path. The Security definition states the required scopes.
API Connect - Plans
API Connect manages Products; each Product can have multiple APIs and multiple Subscription Plans. A Subscription Plan defines:
• whether a subscription needs to be approved
• the rate limit for API calls
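An added example of those two Plan properties enforced at the gateway, written for this page and not taken from API Connect: a subscription is keyed by the application's client ID (its API key), a Plan that requires approval stays pending until approved, and calls are counted in a sliding window against the Plan's limit. The Plans and clients are constructed; timestamps are passed in so the window logic can be exercised without waiting.

```python
from collections import deque

# Constructed Plans: (calls, window in seconds) and whether a subscription must be approved first
PLANS = {
    "trial": {"approval_required": False, "rate_limit": (5, 60)},      # self-service, 5 calls per minute
    "gold": {"approval_required": True, "rate_limit": (1000, 60)},     # approved subscriptions only
}


class SubscriptionGate:
    """Admission control: subscription state first, then the Plan's rate limit."""

    def __init__(self, plans=PLANS):
        self.plans = plans
        self.subscriptions = {}     # client_id -> {"plan": ..., "approved": bool}
        self.calls = {}             # client_id -> timestamps of admitted calls still inside the window

    def subscribe(self, client_id, plan):
        auto = not self.plans[plan]["approval_required"]
        self.subscriptions[client_id] = {"plan": plan, "approved": auto}
        return "active" if auto else "pending approval"

    def approve(self, client_id):
        self.subscriptions[client_id]["approved"] = True

    def admit(self, client_id, now):
        """(status, reason) for one call at time 'now' (seconds)."""
        sub = self.subscriptions.get(client_id)
        if sub is None:
            return 403, "no subscription for this client ID"
        if not sub["approved"]:
            return 403, "subscription pending approval"
        limit, window = self.plans[sub["plan"]]["rate_limit"]
        recent = self.calls.setdefault(client_id, deque())
        while recent and now - recent[0] >= window:     # drop calls that have left the sliding window
            recent.popleft()
        if len(recent) >= limit:
            retry_in = window - (now - recent[0])
            return 429, f"rate limit {limit}/{window}s exceeded, retry in {retry_in:.0f}s"
        recent.append(now)
        return 200, "admitted"


if __name__ == "__main__":
    gate = SubscriptionGate()
    print(gate.subscribe("app-1", "trial"))
    for t in range(7):
        print(t, gate.admit("app-1", now=t))
    print(gate.admit("app-1", now=60))
```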
DataPower Security Features
(Diagram: mobile clients reach the DataPower Gateway Appliance, e.g. with REST (JSON/XML) over HTTPS; behind it sit MobileFirst Server and WAS ND, CICS, IMS, DB2, and other servers, web apps and services, reached e.g. with REST or SOAP over HTTP(S) or messaging.)
• Security, control, integration and optimization of mobile workload
• Enforcement point for centralized security policies
• Authentication, Authorization, LTPA, SAML, OAuth 2.0, Audit
• Threat protection for XML and JSON
• Message validation and filtering
• Centralized management and monitoring point
• Traffic control /  Rate limiting
• Integration with MobileFirst Server
• Available as a physical or virtual appliance
DataPower AAA
The Authentication, Authorization and Audit policy processes a message from input to output in stages, using an external access control server or the onboard identity management store:
• Extract Identity: HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML assertion, IP address, LTPA token, custom
• Authenticate: LDAP, System/z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom
• Map Identity
• Extract Resource: URL, SOAP operation, HTTP operation, custom
• Map Resource
• Authorize: OAuth 2.0, LDAP, Active Directory, System/z NSS, Tivoli Access Manager, SAML, XACML, custom
• Audit & Post-Process: add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SAML, generate LTPA, map Tivoli Federated Identity
DataPower JSON protection
Jumbo JSON payload threat protection settings:
• Label-value pairs
• Label string length (characters)
• Value string length (characters)
• Number length (characters)
• Maximum nesting depth (levels)
• Maximum document size (bytes)
(Diagram: a sample document annotated with a label string, a value string, a number, a nesting depth of 3 and the document size.)
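An added example, written for this page rather than taken from DataPower, of enforcing those six limits on a JSON body before an application parses it. Size and nesting depth are checked with a linear scan of the raw text, so an oversized or deeply nested document is refused without ever being handed to the recursive parser; label, value and number lengths and the pair count are measured through the standard library's parsing hooks, which see each number's literal text. The limit values and the sample bodies are constructed.

```python
import json

# Constructed limits in the spirit of the slide's settings
DEFAULT_LIMITS = {
    "max_label_value_pairs": 100,   # label-value pairs in the whole document
    "max_label_length": 64,         # characters per label
    "max_value_length": 256,        # characters per string value
    "max_number_length": 20,        # characters per number literal
    "max_nesting_depth": 3,         # levels of {} and []
    "max_document_size": 4096,      # bytes
}


def max_nesting_depth(text):
    """Deepest {}/[] nesting, found by a scan that ignores brackets inside string literals."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def check_json_threats(raw, limits=DEFAULT_LIMITS):
    """List of limit violations for a JSON body (bytes); an empty list means it may be parsed."""
    if len(raw) > limits["max_document_size"]:
        return [f"document size {len(raw)} > {limits['max_document_size']} bytes"]   # refuse before decoding
    text = raw.decode("utf-8")
    depth = max_nesting_depth(text)
    if depth > limits["max_nesting_depth"]:
        return [f"nesting depth {depth} > {limits['max_nesting_depth']}"]           # never recurse into it
    violations = []
    pairs = 0

    def measured(convert):                       # the hooks receive the raw text of each number
        def hook(literal):
            if len(literal) > limits["max_number_length"]:
                violations.append(f"number of {len(literal)} characters > {limits['max_number_length']}")
            return convert(literal)
        return hook

    def on_pairs(items):                         # called once per object with its (label, value) pairs
        nonlocal pairs
        pairs += len(items)
        for label, value in items:
            if len(label) > limits["max_label_length"]:
                violations.append(f"label of {len(label)} characters > {limits['max_label_length']}")
            if isinstance(value, str) and len(value) > limits["max_value_length"]:
                violations.append(f"value of {len(value)} characters > {limits['max_value_length']}")
        return dict(items)

    try:
        json.loads(text, object_pairs_hook=on_pairs, parse_int=measured(int), parse_float=measured(float))
    except ValueError as err:
        violations.append(f"malformed JSON: {err}")
    if pairs > limits["max_label_value_pairs"]:
        violations.append(f"{pairs} label-value pairs > {limits['max_label_value_pairs']}")
    return violations


if __name__ == "__main__":
    for body in (b'{"order": {"item": {"id": 1, "qty": 2}}}', b'{"n": 1234567890123456789012345}'):
        print(body, check_json_threats(body) or ["ok"])
```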
DataPower traffic control and rate limiting
Office supplies Bluemix application
Email and address validation features are added using Bluemix services. These features do not currently exist in the CICS application.
Demo architecture: security requirements
(Diagram: Jean Leclerc uses the Node.js application, which calls the Gateway, which calls z/OS Connect EE V2.0, which drives the CICS Catalog Manager; the numbered checks below are placed along that path.)
1. User logs in
2. Authenticate user
3. Check the Bluemix application is authorized to use the API
4. Map the distributed ID to a RACF user ID
5. Check the user is authorized to use the API
6. Audit the request
7. Check the user is authorized to run the transaction
Example demo scenario
(Diagram: Jean Leclerc sends user ID/pwd over HTTPS/JSON to the Bluemix application; DataPower, backed by LDAP, passes the identity in a token over HTTPS/JSON through API Connect to z/OS Connect on z/OS, backed by RACF; CICS receives the COMMAREA plus the mapped identity.)
1. User logs into the Bluemix application using a "distributed" user ID ("JeanLeclerc") and password
2. DataPower authenticates the user in LDAP and forwards the distributed ID in an LTPA token to API Connect
3. API Connect checks the Bluemix application client ID and forwards the request to z/OS Connect
4. z/OS Connect validates the LTPA token and maps the distributed ID to RACF user ID EMPLOY1:
   RACMAP ID(EMPLOY1) MAP USERDIDFILTER(NAME('UID=JeanLeclerc,OU=employees,O=mop,C=fr')) REGISTRY(NAME('*'))
5. z/OS Connect uses the RACF user ID for authorization checking, i.e. is the user authorized to call the API
6. z/OS Connect audits the request, i.e. who invoked the API (the audit record includes the distributed and RACF IDs)
7. z/OS Connect passes the RACF user ID to CICS for transaction authorization
User identities and mappings
LDAP directory (example DN: UID=JeanLeclerc,OU=employees,O=mop,C=fr) and the RACF ID each entry maps to:
O=mop,C=fr
  OU=employees
    UID=JeanLeclerc -> EMPLOY1
    UID=AliceNevers -> EMPLOY2
  OU=customers -> CUSTOM
    UID=MarieDupond
    UID=PierreDuclos
  OU=partner1 -> PARTNE1
    UID=ArthurLeroy
    UID=JulieLaforest
  OU=partner2 -> PARTNE2
    UID=RoryWilliams
    UID=RoseMoubinou
Service authorization
(Diagram: the services inquireCatalog, inquireSingle and placeOrder are authorized through the RACF groups GMINVOKE and SMINVOKE; the RACF user IDs EMPLOY2 (AliceNevers), EMPLOY1 (JeanLeclerc) and EMPLOY3 (PierreTabard) are connected to those groups.)
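An added example, mine rather than RACF's, covering the two slides above: distributed identities are mapped to RACF user IDs with filters in the style of the RACMAP command shown in the demo scenario (a filter that names a whole OU matches every DN ending in it, and the most specific filter wins, which is my understanding of how RACF distributed identity filters behave), and the mapped ID is then checked against the RACF group that may invoke each service. The per-OU filters for customers and partners, the group membership and the service-to-group assignment are constructed for the example; the deck only shows that such groups exist.

```python
# Constructed filter table, following the slide's command:
#   RACMAP ID(EMPLOY1) MAP USERDIDFILTER(NAME('UID=JeanLeclerc,OU=employees,O=mop,C=fr')) REGISTRY(NAME('*'))
# Assumption: customers and partners share one RACF ID per OU, so their filters name only the OU.
FILTERS = [
    ("UID=JeanLeclerc,OU=employees,O=mop,C=fr", "EMPLOY1"),
    ("UID=AliceNevers,OU=employees,O=mop,C=fr", "EMPLOY2"),
    ("OU=customers,O=mop,C=fr", "CUSTOM"),
    ("OU=partner1,O=mop,C=fr", "PARTNE1"),
    ("OU=partner2,O=mop,C=fr", "PARTNE2"),
]

# Constructed: the RACF group that may invoke each service, and who is connected to each group
SERVICE_GROUPS = {"inquireCatalog": "GMINVOKE", "inquireSingle": "GMINVOKE", "placeOrder": "SMINVOKE"}
GROUP_MEMBERS = {
    "GMINVOKE": {"EMPLOY1", "EMPLOY2", "EMPLOY3", "CUSTOM"},
    "SMINVOKE": {"EMPLOY1", "EMPLOY3"},
}


def parse_dn(dn):
    """'UID=x,OU=y,...' -> [(TYPE, value), ...]; attribute types compare case-insensitively, values exactly."""
    rdns = []
    for part in dn.split(","):
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def map_distributed_identity(dn, filters=FILTERS):
    """RACF ID of the most specific filter matching the tail of the subject DN, or None."""
    subject = parse_dn(dn)
    best_len, best_id = 0, None
    for filter_dn, racf_id in filters:
        f = parse_dn(filter_dn)
        if best_len < len(f) <= len(subject) and subject[-len(f):] == f:
            best_len, best_id = len(f), racf_id
    return best_id


def authorize_service(dn, service):
    """(RACF user ID, allowed) for one distributed identity invoking one z/OS Connect service."""
    racf_id = map_distributed_identity(dn)
    if racf_id is None:
        return None, False                   # unmapped identities get no RACF ID and therefore no access
    group = SERVICE_GROUPS.get(service)
    return racf_id, racf_id in GROUP_MEMBERS.get(group, set())


if __name__ == "__main__":
    for dn in ("UID=JeanLeclerc,OU=employees,O=mop,C=fr", "UID=MarieDupond,OU=customers,O=mop,C=fr"):
        for service in SERVICE_GROUPS:
            print(dn, service, authorize_service(dn, service))
```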
Audit placeOrder requests: the SMF record for this request is the one shown earlier in the audit interceptor section (targetURI /placeOrder, userid JeanLeclerc, mapped userid EMPLOY1).
Flowing a RACF ID to CICS
(Diagram: JeanLeclerc's request reaches the z/OS Connect Liberty server; safCredentials mapDistributedIdentities="true" produces the flowed RACF ID EMPLOY1, and zosLocalAdapters useCicsTaskUserId="true" asserts it over WOLA into the CICS region, whose own RACF ID is CICSMOBP. Inside CICS the BBO$ link server task, the BBOATRUE task-related user exit and the MZ** invocation task run the WOLA service DFH0XCMN with a COMMAREA or container.)
Set transaction ID
(Diagram: the z/OS Connect Liberty server calls over WOLA into CICS, where the BBO$ link server task, the BBOATRUE task-related user exit and the MZ** invocation task run the WOLA service DFH0XCMN with a COMMAREA or container.)
The transaction name is set in the Liberty server.xml:

  <localAdaptersConnectService id="inquireCatalog" registerName="CICSMOB1" serviceName="DFH0XCMN" linkTaskTranID="MZIC" connectionFactoryRef="wolaCF"/>

§ Enables CICS transaction authorization
§ Also makes it easier to capture CPU for mobile transactions, e.g. capture CPU for transactions starting MZ*
• inquireCatalog transid=MZIC
• inquireSingle transid=MZIS
• placeOrder transid=MZPO
Flow RACF ID to CICS
Summary
(Diagram: in the simple case REST clients connect directly to Liberty z/OS running z/OS Connect EE V2.0, which uses a registry (basic or SAF) and calls CICS. In the more realistic case REST clients sit behind firewalls and a proxy and authenticate to a trusted server (LDAP or other), which passes a token or certificate to Liberty z/OS, where SAF is used before CICS is called.)
z/OS Connect may be the main security control point. Or something more complex is more realistic. But the principles of authentication, authorization, audit, encryption… still apply.