Introduction
I’ll cover the instructions to install z/OS Connect, but the instructions are similar for other products. The steps are to create the minimum server configuration and gradually add more function to it.
The steps below guide you through:
- an overview
- planning, to help you decide what you need to create and which options to choose
- initial customisation: creating a server, creating defaults, and creating function-specific configuration files, for example a file for SAF
- starting the server
- enabling logon security and adding SAF definitions
- adding keystores for TLS and client authentication
- adding an API and service application
- protecting the API and service applications
- collecting monitoring data, including SMF
- using the MQ sample
- using WLM to classify a service
With each step there are instructions on how to check the work has been successful.
Protect the service and APIs
z/OS Connect provides interceptors to allow the product function to be extended. These are like exits in other program products.
z/OS Connect provides (at least) 2 interceptors
- For authorisation checks, to see if a userid is allowed to perform an operation.
- Creating SMF records.
You can also write your own interceptors, for example for data validation, or for collecting statistics.
You can configure APIs and services to have a list of interceptors. One service can have authorisation and SMF records, another service can have just authorisation.
You create a list like
<!-- Interceptor list configuration -->
<!-- this refers to the configuration elements following -->
<zosconnect_zosConnectInterceptors id="interceptorList1"
    interceptorRef="auditInterceptor,zosConnectAuthorizationInterceptor" />
<!-- Audit interceptor configuration -->
<zosconnect_auditInterceptor id="auditInterceptor" sequence="1" apiProviderSmfVersion="2" />
<!-- Authorisation checking -->
<zosconnect_authorizationInterceptor id="zosConnectAuthorizationInterceptor" />
To protect the server and control the global roles, you need the following, where you provide lists of group names such as SYS1.
<zosconnect_zosConnectManager globalInterceptorsRef="interceptorList1"
    globalAdminGroup="SYS1,SYSADMIN"
    globalInvokeGroup="SYS1"
    globalOperationsGroup="SYS1"
    globalReaderGroup="SYS1" />
<!-- "interceptorList1" above points to … -->
<zosconnect_zosConnectInterceptors id="interceptorList1" interceptorRef="IR1,..."/>
<!-- zosConnectAuthorizationInterceptor is defined -->
<zosconnect_authorizationInterceptor id="IR1"/>
This shows the global security definitions. The globalInterceptorsRef="interceptorList1" attribute points to the <zosconnect_zosConnectInterceptors ...> element, which in turn points to the <zosconnect_authorizationInterceptor ...> element. The interceptor program zosConnectAuthorizationInterceptor does the actual checking of the userid against the roles.
With this set of definitions, when I tried to query the service using an unauthorised userid, I got
{"errorMessage":"BAQR0435W: The zosConnectAuthorization interceptor encountered an error while processing a request. ", "errorDetails":"BAQR0409W: User ADCDC is not authorized to perform the request."}
I changed the definitions to globalReaderGroup="TEST", refreshed the configuration, and the request worked.
You can make API security more specific
<zosconnect_zosConnectAPIs>
    <zosConnectAPI name="stockmanager"
        adminGroup="SYS1"
        invokeGroup="TEST"
        operationsGroup="TEST"
        readerGroup="SYS1" />
</zosconnect_zosConnectAPIs>
and make the service security more specific.
<zosconnect_services>
    <service name="stockQuery"
        serviceDescription="stockQueryServiceDescriptionColin"
        id="stockQueryService"
        adminGroup="SYS1,TEST2"
        invokeGroup="TES2"
        operationsGroup="SYS1"
        readerGroup="SYS1,TEST2" />
</zosconnect_services>
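The global and API-level group definitions above are only enforced if the authorization interceptor is actually wired into the referenced interceptor list. The following is an added example (not code from the page or from z/OS Connect) that lints a server.xml fragment for that wiring and works out which roles a userid's SAF groups grant; it assumes that an API-level group attribute, when present, overrides the corresponding global one, and that membership of any listed group grants the role. The XML is constructed from the fragments shown above.

```python
# Added example: check that the authorization interceptor is reachable from
# globalInterceptorsRef, and resolve roles from a user's SAF groups.
# Assumption (not from the page): API-level group attributes override global ones.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<server>
  <zosconnect_zosConnectManager globalInterceptorsRef="interceptorList1"
      globalAdminGroup="SYS1,SYSADMIN" globalInvokeGroup="SYS1"
      globalOperationsGroup="SYS1" globalReaderGroup="SYS1"/>
  <zosconnect_zosConnectInterceptors id="interceptorList1"
      interceptorRef="auditInterceptor,zosConnectAuthorizationInterceptor"/>
  <zosconnect_auditInterceptor id="auditInterceptor" sequence="1"/>
  <zosconnect_authorizationInterceptor id="zosConnectAuthorizationInterceptor"/>
  <zosconnect_zosConnectAPIs>
    <zosConnectAPI name="stockmanager" adminGroup="SYS1" invokeGroup="TEST"
        operationsGroup="TEST" readerGroup="SYS1"/>
  </zosconnect_zosConnectAPIs>
</server>"""
ROLES = ("admin", "invoke", "operations", "reader")

def auth_interceptor_wired(root):
    """True if globalInterceptorsRef names a list containing an authorization
    interceptor; without it the group attributes are never enforced."""
    mgr = root.find("zosconnect_zosConnectManager")
    auth_ids = {a.get("id") for a in root.findall("zosconnect_authorizationInterceptor")}
    for lst in root.findall("zosconnect_zosConnectInterceptors"):
        if lst.get("id") != mgr.get("globalInterceptorsRef"):
            continue
        refs = [r.strip() for r in lst.get("interceptorRef", "").split(",")]
        return any(r in auth_ids for r in refs)
    return False

def groups_for(root, role, api=None):
    """Groups granting `role`: the API's own attribute if set, else the global one."""
    if api is not None:
        for a in root.iter("zosConnectAPI"):
            if a.get("name") == api and a.get(role + "Group"):
                return {g.strip() for g in a.get(role + "Group").split(",")}
    mgr = root.find("zosconnect_zosConnectManager")
    glob = mgr.get("global" + role.capitalize() + "Group", "")
    return {g.strip() for g in glob.split(",") if g.strip()}

def effective_roles(root, user_groups, api=None):
    """Roles a userid holds, given the SAF groups it belongs to."""
    return {r for r in ROLES if groups_for(root, r, api) & set(user_groups)}

ROOT = ET.fromstring(SAMPLE_XML)
```

A userid whose groups give an empty role set is the case that produces the BAQR0409W "not authorized" response shown above.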
If you use Swagger to try it and get a response like
response body no content
response code 0
response header { "error": no response from server}
this is what Swagger UI displays when a request fails because of a security issue, such as an untrusted self-signed certificate, an invalid certificate, or a bad username:password.