Open in app

Sign in

Write

Sign in

Single-Sign-On to z/OS REST APIs with Zowe

Petr Plavjaník
Zowe
Published in
5 min readFeb 23, 2020

{Core} Once you have multiple different API services on z/OS or you use multi-factor authentication, you would like to log in only once per your authenticated session and then access your APIs within the authenticated session without the need to provide different second factors to each request.

Zowe™ is an open-source project created to host technologies that benefit the IBM Z platform for all members of the Z community, including Independent Software Vendors (ISVs), System Integrators, and z/OS consumers. Zowe, like Mac or Windows, comes with a set of APIs and OS capabilities that applications build on and also includes some applications out of the box. Zowe offers modern interfaces to interact with z/OS and allows you to work with z/OS in a way that is similar to what you experience on cloud platforms today. You can use these interfaces as delivered or through plug-ins and extensions that are created by clients or third-party vendors.

Zowe provides authentication capabilities that make it possible to authentication only once per session and then do multiple REST API requests.

API security is the building block of the Zowe pathway to the better CLI security and authentication experience that has been described by Dan Kelosky.

Zowe CLI: Token Authentication, MFA, and SSO

Using the best of CLI standards

medium.com

Zowe API Gateway allows you to obtain Zowe JWT token and use it in API services.

Zowe-conformant API services accept the same Zowe JWT token that can be passed in the Authorization: Bearer header of HTTP request on in secure HTTP-only cookie with the name apimlAuthenticationToken.

We will see the process in more detail.

Note: We will use the HTTPie command-line HTTP client that allows us to issue REST API requests easily. The output starts with the full request including the JSON body and the output contains all response cookies and formatted JSON response if present. You can use any HTTP client on command-line, programming language, or application like Postman.

Zowe API Gateway unifies different authentication schemes

Obtaining JWT Token

The Zowe API Mediation Layer provides support for token-based authentication. You can use the/api/v1/gateway/auth/login endpoint to obtain a time-limited JWT token.

In the following example, we will use Zowe installation on a system with the hostname sys1.acme.net and Zowe API Gateway on port 40004.

Example of obtaining JWT token:

$ http -v --session=zowe POST https://sys1.acme.net:40004/api/v1/gateway/auth/login username=user01 password=YOUR@PWD Content-Type: application/json
Host: sys1.acme.net:40004
{
    "username": "user01",
    "password": "YOUR@PWD"
}HTTP/1.1 204
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
Pragma: no-cache
Set-Cookie: apimlAuthenticationToken=eyJhbGciOiJSU...nPCxrFl-aegbQ; Path=/; Secure; HttpOnly

The HTTPie has two special parameters:

  • -v causes that the request header and body are printed before the response. You can see that the body was:
Content-Type: application/json
Host: sys1.acme.net:40004
{
    "username": "user01",
    "password": "YOUR@PWD"
}
  • --session=zowe stores the response cookies to a named session so we will be able to use in following requests

The response has been 204 which means success as every 2xx response.

Photo by Mollie Sivaram on Unsplash

Validating JWT Token

The next request validates the current JWT token. The HTTPie uses the token stored in the zowe session. This is not required. It can be useful if you have an older token and you want to be sure that is not expired.

$ http -v --session=zowe GET https://sys1.acme.net:40004/api/v1/gateway/auth/query                                   GET /api/v1/gateway/auth/query HTTP/1.1
Accept: application/json, */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: apimlAuthenticationToken=eyJhbGciOiJSU...nPCxrFl-aegbQ
Host: sys1.acme.net:40004HTTP/1.1 200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 126
Content-Type: application/json;charset=UTF-8
Expires: 0
Pragma: no-cache{
    "creation": "2020-01-13T14:31:19.000+0000",
    "domain": "SAFRealm",
    "expiration": "2020-01-14T14:31:19.000+0000",
    "userId": "user01"
}

The response is 200 so the token is valid. You can that it will be valid for one full day in the expiration field. The expiration time is configurable by Zowe API Mediation Layer properties.

Note: You can also use Authorization header in the request instead of the cookie:

Authorization: Bearer eyJhbGciOiJSU...nPCxrFl-aegbQ

The cookies are better suited for web browsers and the Authorization header is easier to use in programmatic API clients. You can find more details about cookies and authorization header in the following talk:

Common API security pitfalls by Philippe De Ryck (YouTube)

Accessing z/OSMF with Zowe JWT Token

Zowe API Gateway allows you to access many APIs with a valid Zowe JWT token. You do not need to know what is the authentication scheme of the downstream API service, API gateway will do it transparently. Of course, the Zowe JWT token needs to be valid.

We will access a z/OSMF REST API endpoint via the API Gateway. The z/OSMF is available via the zosmf service ID.

http -v --session=zowe GET https://sys1.acme.net:40004/api/v1/zosmf/info "X-CSRF-ZOSMF-HEADER;"GET /api/v1/zosmf/info HTTP/1.1
Accept: application/json, */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: apimlAuthenticationToken=eyJhbGciOiJSU...nPCxrFl-aegbQ
Host: sys1.acme.net:40004
X-CSRF-ZOSMF-HEADER:HTTP/1.1 200
Cache-Control: no-store
Content-Language: en-US
Content-Type: application/json
Pragma: no-cache
Transfer-Encoding: chunked{
    "api_version": "1",
    "plugins": [
       ...
    ],
    "zos_version": "04.27.00",
    "zosmf_full_version": "27.0",
    "zosmf_hostname": "sys2.acme.net",
    "zosmf_port": "443",
    "zosmf_saf_realm": "SAFRealm",
    "zosmf_version": "27"
}

You can access any z/OSMF REST API endpoint with the same JWT token.

Accessing Services that Support PassTickets with Zowe JWT Token

The Zowe API Gateway supports z/OSMF, services that support Zowe JWT token, and any service that accepts PassTickets in the standard HTTP Basic authorization header.

A lot of z/OS API services support PassTickets. In this example, we will use the CA Endevor SCM REST API.

For each service that supports PassTickets, you need to do a setup in the security product on z/OS. This is documented in the documentation for your particular API service. For example, this is for CA Endevor SCM: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-endevor-software-change-manager/18-0/securing/multi-factor-authentication-mfa.html

The last step is to allow the Zowe server user ID to generate PassTickets for the ENDEVOR APPLID. The following example is for CA Top Secret as the security product:

TSS PERMIT(<zowesrv>) PTKTDATA(IRRPTAUTH.ENDEVOR.) ACCESS(READ,UPDATE)
TSS REFRESH

You can limit it to certain users by specifying IRRPTAUTH.ENDEVOR.USERID .

You need to tell Zowe API Gateway that Endevor accepts PassTickets by providing additional metadata for any file in the Zowe api-defs directory on z/OS:

additionalServiceMetadata:
- serviceId: endevor 
  mode: UPDATE 
  authentication:
    scheme: httpBasicPassTicket  
    applid: ENDEVOR

For more details about the configuration of PassTicket and commands for other security products, see Zowe Docs.

Now we can access the Endevor REST API via the API Gateway:

http --session=zowe GET https://sys1.acme.net:40004/api/v1/endevor/ENV/HTTP/1.1 200
API-Version: 1.1
Cache-Control: private
Content-Encoding: gzip
Content-Length: 330
Content-Type: application/json
{
    "agedTimeout": 0,
    "characterSet": "ISO8859-1",
    "codepage": "cp1047",
    "comments": "Welcome to ENDEVOR ACME Environment",
    "contentType": "Text",
    "description": "Endevor Web Services",
    "hostName": "A01SENF",
    "jobName": "TSO1MFNE",
    "lang": "EN",
    "message": "ENDEVOR Web Service for ACME",
    "name": "ENV",
    "password": null,
    "poolIncrSize": 1,
    "poolInitSize": 2,
    "poolMaxSize": 5,
    "poolReapTime": 0,
    "programName": "BC1PAPI0",
    "status": "Available",
    "timeZone": "GMT-6.0",
    "traced": "ALL",
    "unusedTimeout": 0,
    "userId": "ENDEVOR"
}

Summary

We have obtained one JWT token from the Zowe API Gateway and used that token to access both z/OSMF and CA Endevor. This allows you to develop and use other API services or automation scripts that work with multiple APIs that require the authentication to be done only once.

You can learn more about Zowe here.

See more blogs at medium.com/zowe.

Download at https://www.zowe.org/.

API
Mainframe
Jwt
Zowecore
Zowe Apiml

--

--

Petr Plavjaník
Zowe

Written by Petr Plavjaník

249 Followers
Writer for

Petr’s main areas of expertise are mainframes and automation, and using modern development tools and languages such as Java, Python, and Node.js on z/OS.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams