Introduction
I’ll cover the instructions to install z/OS Connect, but the instructions are similar for other products. The steps are to create the minimum server configuration and gradually add more function to it.
The steps below guide you through:
- an overview
- planning, to help you decide what you need to create and which options you have to choose
- initial customisation and creating a server, creating defaults and creating function-specific configuration files, for example a file for SAF
- starting the server
- enabling logon security and adding SAF definitions
- adding keystores for TLS and client authentication
- adding an API and service application
- protecting the API and service applications
- collecting monitoring data, including SMF
- using the MQ sample
- using WLM to classify a service
With each step there are instructions on how to check the work has been successful.
Protect the service and APIs
z/OS Connect provides interceptors to allow the product function to be extended. These are like exits in other program products.
z/OS Connect provides (at least) 2 interceptors:
- For authorisation checks, to see if a userid is allowed to perform an operation.
- Creating SMF records.
You can also write your own interceptors, for example for data validation, or for collecting statistics.
You can configure APIs and services to have a list of interceptors. One service can have authorisation and SMF records, another service can have just authorisation.
You create a list like this:
<!-- Interceptor list configuration -->
<!-- this refers to the configuration elements following -->
<zosconnect_zosConnectInterceptors id="interceptorList1"
    interceptorRef="auditInterceptor,zosConnectAuthorizationInterceptor" />
<!-- Audit interceptor configuration -->
<zosconnect_auditInterceptor id="auditInterceptor"
    sequence="1"
    apiProviderSmfVersion="2" />
<!-- Authorisation checking -->
<zosconnect_authorizationInterceptor id="zosConnectAuthorizationInterceptor" />
To protect the server and control the global roles, you need to use the following, where you provide lists of group names such as SYS1.
<zosconnect_zosConnectManager
globalInterceptorsRef="interceptorList1"
globalAdminGroup="SYS1,SYSADMIN"
globalInvokeGroup="SYS1"
globalOperationsGroup="SYS1"
globalReaderGroup="SYS1"
/>
<!-- "interceptorList1" above points to … -->
<zosconnect_zosConnectInterceptors
id="interceptorList1"
interceptorRef="IR1,..."/>
<!-- zosConnectAuthorizationInterceptor is defined -->
<zosconnect_authorizationInterceptor
id="IR1"/>
This shows the global security definitions. The globalInterceptorsRef="interceptorList1" points to the <zosconnect_zosConnectInterceptors ...> element, which in turn points to the <zosconnect_authorizationInterceptor ...> element. There is a program, or interceptor, zosConnectAuthorizationInterceptor, which does the actual checking of userid and roles.
With this set of definitions, when I tried to query the service using an unauthorised userid, I got
{"errorMessage":"BAQR0435W: The zosConnectAuthorization interceptor
encountered an error while processing a request. ",
"errorDetails":"BAQR0409W: User ADCDC is not authorized to
perform the request."}
I changed the definitions to globalReaderGroup="TEST", refreshed the configuration, and the request worked.
You can make API security more specific:
<zosconnect_zosConnectAPIs>
<zosConnectAPI name="stockmanager"
adminGroup="SYS1"
invokeGroup="TEST"
operationsGroup="TEST"
readerGroup="SYS1"
/>
</zosconnect_zosConnectAPIs>
and make the service security more specific:
<zosconnect_services>
<service name="stockQuery"
serviceDescription="stockQueryServiceDescriptionColin"
id="stockQueryService"
adminGroup="SYS1,TEST2"
invokeGroup="TES2"
operationsGroup="SYS1"
readerGroup="SYS1,TEST2"
/>
</zosconnect_services>
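The two things the configuration above has to get right are that the reference chain from globalInterceptorsRef actually reaches a zosconnect_authorizationInterceptor element (otherwise no userid/role check runs at all) and that each role at global, API and service scope names the groups you intended. The following Python script is an added example, not code from the original post or from z/OS Connect: it parses server.xml fragments built from the page's own snippets (the sample XML strings and the misconfigured variant are constructed for illustration), resolves the id references, reports dangling ids, and lists the group names per role and scope.

```python
"""Static check of the z/OS Connect interceptor and role configuration.
Added example: not part of the original post or the product. The two
server.xml samples below are constructed from the page's snippets."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the page: audit (SMF) and authorization
# interceptors chained through a global list, plus per-API groups.
GOOD_XML = """<server>
  <zosconnect_zosConnectManager globalInterceptorsRef="interceptorList1"
      globalAdminGroup="SYS1,SYSADMIN" globalInvokeGroup="SYS1"
      globalOperationsGroup="SYS1" globalReaderGroup="SYS1"/>
  <zosconnect_zosConnectInterceptors id="interceptorList1"
      interceptorRef="auditInterceptor,zosConnectAuthorizationInterceptor"/>
  <zosconnect_auditInterceptor id="auditInterceptor" sequence="1"
      apiProviderSmfVersion="2"/>
  <zosconnect_authorizationInterceptor id="zosConnectAuthorizationInterceptor"/>
  <zosconnect_zosConnectAPIs>
    <zosConnectAPI name="stockmanager" adminGroup="SYS1" invokeGroup="TEST"
        operationsGroup="TEST" readerGroup="SYS1"/>
  </zosconnect_zosConnectAPIs>
</server>"""

# Constructed misconfiguration: the list names an id that is never defined,
# and the authorization interceptor is not in the chain, so no role check runs.
BAD_XML = """<server>
  <zosconnect_zosConnectManager globalInterceptorsRef="interceptorList1"
      globalInvokeGroup="SYS1"/>
  <zosconnect_zosConnectInterceptors id="interceptorList1"
      interceptorRef="auditInterceptor,authzInterceptor"/>
  <zosconnect_auditInterceptor id="auditInterceptor" sequence="1"/>
  <zosconnect_authorizationInterceptor id="zosConnectAuthorizationInterceptor"/>
</server>"""

AUTHZ_TAG = "zosconnect_authorizationInterceptor"
ROLES = ("Admin", "Invoke", "Operations", "Reader")


def _by_id(root):
    """Map every id attribute to its element."""
    return {el.get("id"): el for el in root.iter() if el.get("id")}


def _groups(value):
    """Split a comma-separated group list such as "SYS1,SYSADMIN" into a set."""
    return set(g.strip() for g in value.split(",") if g.strip()) if value else set()


def check_interceptors(xml_text):
    """Follow globalInterceptorsRef -> interceptor list -> interceptor elements.

    Returns the resolved chain in order, any ids that do not resolve, and
    whether the authorization interceptor is reachable (i.e. role checks run)."""
    root = ET.fromstring(xml_text)
    ids = _by_id(root)
    mgr = root.find("zosconnect_zosConnectManager")
    result = {"chain": [], "dangling": [], "authorization_enforced": False}
    if mgr is None or not mgr.get("globalInterceptorsRef"):
        return result
    for list_id in mgr.get("globalInterceptorsRef").split(","):
        lst = ids.get(list_id.strip())
        if lst is None or lst.tag != "zosconnect_zosConnectInterceptors":
            result["dangling"].append(list_id.strip())
            continue
        for ref in lst.get("interceptorRef", "").split(","):
            ref = ref.strip()
            el = ids.get(ref)
            if el is None:
                result["dangling"].append(ref)
                continue
            result["chain"].append((ref, el.tag))
            if el.tag == AUTHZ_TAG:
                result["authorization_enforced"] = True
    return result


def role_groups(xml_text):
    """Collect the group lists per role at global, API and service scope."""
    root = ET.fromstring(xml_text)
    scopes = {}
    mgr = root.find("zosconnect_zosConnectManager")
    if mgr is not None:
        scopes["global"] = {r: _groups(mgr.get("global%sGroup" % r)) for r in ROLES}
    for api in root.iter("zosConnectAPI"):
        scopes["api:" + api.get("name")] = {
            r: _groups(api.get(r.lower() + "Group")) for r in ROLES}
    for svc in root.iter("service"):
        scopes["service:" + svc.get("name")] = {
            r: _groups(svc.get(r.lower() + "Group")) for r in ROLES}
    return scopes


if __name__ == "__main__":
    for label, text in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(label, check_interceptors(text))
    print(role_groups(GOOD_XML))
```

Run the script against your own server.xml by reading the file into check_interceptors and role_groups; a result with authorization_enforced False, or any entry under dangling, means requests would reach the API or service without the userid and role check the page describes.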
If you use Swagger to try it and get JSON data like
response body no content
response code 0
response header { "error": no response from server}
this is what Swagger UI displays when a request fails because of a security issue, such as an untrusted self-signed certificate, an invalid certificate, or a bad username:password.