CA File Master Plus Zowe CLI Plugin: Enhanced to support Single Sign-on

Sudeep Chaurasia, published in Zowe, Dec 14, 2020

CA File Master Plus API now supports multi-factor authentication and single sign-on together with the Open Mainframe Project’s Zowe. Using the File Master Plus plug-in for the Zowe Command Line Interface (CLI) and the Zowe API Mediation Layer, users can now log in once and then access mainframe files and manipulate their data.

This brings the File Master Plus Zowe CLI plug-in into the growing number of Zowe CLI plug-ins that take advantage of single sign-on.

Introduction

Based on the single sign-on architecture described in the blog post Single-Sign-On to z/OS REST APIs with Zowe by Petr Plavjaník, File Master Plus (FMP) has enhanced its Command Line Interface (CLI) plug-in to use PassTickets for SSO authentication. That post describes how the Zowe API Mediation Layer’s token facility is used together with PassTickets to support single sign-on (SSO).

What is Zowe CLI interface to File Master Plus?

The File Master Plus Plug-in for Zowe CLI is a file management and data manipulation tool. With the FMP Zowe CLI, creating and manipulating virtual storage access method (VSAM), sequential and partitioned data sets is faster. The plug-in also supports symbolic access to data through record layouts, and data manipulation such as selecting records in data sets.

With the FMP Zowe CLI, application developers can script DevOps processes that include VSAM file functions, which enables continuous testing. The file functions the CLI can invoke include copying, renaming and deleting files, and populating files with data.

How does File Master Plus single sign-on work?

First, log in to the API Mediation Layer to obtain a JWT token. Each subsequent request sends this token to the API ML instead of a password. Once the API ML has validated the token, it generates a PassTicket. The File Master Plus server then validates this PassTicket, processes the request and returns a response.

What is a PassTicket?

A PassTicket is a temporary substitute for the mainframe password: an 8-character value that is valid for about 10 minutes. It lets z/OS components and products authenticate a user ID without storing or caching z/OS passwords or sending them across the network.

Configuring a PassTicket

To use PassTickets, a security configuration must be performed in the external security manager (IBM Resource Access Control Facility (RACF), CA Top Secret, or CA ACF2) to allow user ID authentication by PassTicket.

There are two access levels that an application ID (APPLID) needs in order to use PassTickets, and both must be granted by the security administrator:

  1. Update Access — Gives the application permission to generate the PassTicket
  2. Read Access — Gives the application permission to validate the PassTicket

To achieve single sign-on through the API Mediation Layer, the application must be granted both: Update access, so that PassTickets can be generated for it, and Read access, so that they can be validated.
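As an added illustration that is not Zowe, File Master Plus or RACF code, the following Python models the exchange described above together with the Update/Read split: the simulated API ML issues a JWT at login, verifies it on every request and mints a PassTicket, while the File Master Plus side only validates. The HS256 signing key, the user id USER01 and its password, the requester names APIML and FMPSRV, the random 8-character ticket value (the real PassTicket algorithm is not reproduced), single use of a ticket and the controllable clock are all assumptions of the model, not facts from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import string

APIML_JWT_KEY = b"constructed-demo-signing-key"   # assumed HS256 key of the simulated API ML
PASSTICKET_TTL = 600                              # ~10 minutes, the lifetime the page gives
PASSTICKET_ALPHABET = string.ascii_uppercase + string.digits


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityManager:
    """Stand-in for RACF / Top Secret / ACF2: Update access generates, Read access validates."""

    def __init__(self, access, now):
        self.access, self.now = access, now   # access: requester -> set of granted levels
        self._issued = {}                      # (user, applid, ticket) -> expiry timestamp

    def generate(self, requester, user, applid):
        if "update" not in self.access.get(requester, set()):
            raise PermissionError(f"{requester} lacks Update access for {applid}")
        ticket = "".join(secrets.choice(PASSTICKET_ALPHABET) for _ in range(8))  # assumed value
        self._issued[(user, applid, ticket)] = self.now() + PASSTICKET_TTL
        return ticket

    def validate(self, requester, user, applid, ticket):
        if "read" not in self.access.get(requester, set()):
            raise PermissionError(f"{requester} lacks Read access for {applid}")
        expiry = self._issued.pop((user, applid, ticket), None)   # pop: a ticket is used once
        return expiry is not None and self.now() < expiry


class ApiMediationLayer:
    """Issues a JWT at login, checks it per request, then swaps it for a PassTicket."""

    def __init__(self, users, saf, now):
        self.users, self.saf, self.now = users, saf, now   # users: constructed id -> password

    def login(self, user, password):
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("login failed")
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64url(json.dumps({"sub": user, "exp": int(self.now()) + 3600}).encode())
        sig = hmac.new(APIML_JWT_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        return f"{header}.{claims}.{_b64url(sig)}"

    def subject(self, token):
        """User id if the JWT signature and expiry check out, otherwise None."""
        try:
            header, claims, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(APIML_JWT_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        body = json.loads(_b64url_decode(claims))
        return body["sub"] if body["exp"] > self.now() else None

    def forward(self, token, applid, backend):
        user = self.subject(token)    # only the token travels with the request, never a password
        if user is None:
            raise PermissionError("invalid or expired token")
        return backend(user, self.saf.generate("APIML", user, applid))


def fmp_handle(saf, user, ticket):
    """Backend side of the exchange: process a request only after its PassTicket validates."""
    if not saf.validate("FMPSRV", user, "FMPSRV", ticket):
        raise PermissionError("PassTicket rejected")
    return f"{user}: PassTicket accepted, request processed"


def demo():
    """One login, three requests on the same JWT, then the failure modes."""
    clock = [1_000.0]                  # controllable clock so expiry can be exercised
    saf = SecurityManager({"APIML": {"update"}, "FMPSRV": {"read"}}, lambda: clock[0])
    apiml = ApiMediationLayer({"USER01": "constructed-pw"}, saf, saf.now)
    token = apiml.login("USER01", "constructed-pw")
    backend = lambda user, ticket: fmp_handle(saf, user, ticket)
    out = {"session": [apiml.forward(token, "FMPSRV", backend) for _ in range(3)]}
    out["subject"] = apiml.subject(token)
    ticket = saf.generate("APIML", "USER01", "FMPSRV")
    clock[0] += PASSTICKET_TTL + 1
    out["expired"] = saf.validate("FMPSRV", "USER01", "FMPSRV", ticket)
    try:
        saf.generate("FMPSRV", "USER01", "FMPSRV")   # Read access alone must not mint
        out["read_only_generates"] = True
    except PermissionError:
        out["read_only_generates"] = False
    out["tampered_token"] = apiml.subject(token[:-3] + "xyz")
    return out
```

Calling `demo()` runs the whole session and returns the results as a dictionary: three requests succeed on one login, a ticket older than the TTL is refused, the requester holding only Read access cannot mint a ticket, and a token whose signature has been altered is no longer mapped to a user.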

Flow:

Step 1: Login to API ML to obtain token

Step 2: Set up the File Master Plus profile by selecting a base path from the FMP servers registered in the API ML.

Profile setup is then complete, and you are ready to send “zowe fmp” requests.

Benefits of Single Sign-on

Now a user, or your automation, can log in once per session and access every SSO-enabled API within that authenticated session without supplying a password with each request.

Useful links

If you enjoyed this blog, check out more Zowe blogs here. Or ask a question and join the conversation on the Open Mainframe Project Slack channels #Zowe-dev, #Zowe-user or #Zowe-onboarding. If this is your first time using the OMP Slack, register here.

You can learn more about PassTicket here.

CA File Master Plus Plug-in for Zowe CLI

https://techdocs.broadcom.com/us/en/ca-mainframe-software/devops/ca-filemaster-plus/12-0/ca-file-master-plus-plug-in-for-zowe-cli.html
