
Enable Zowe to generate and evaluate PassTickets for APIML Services Zowe HA

NayerNajafi edited this page Feb 11, 2021 · 6 revisions

To enable the Zowe server to accept requests over TCP/IP connections that authenticate with SAF-protected user IDs and SAF PassTickets in place of passwords, you must define the PassTicket security profiles (PTKTDATA class) in the SAF database and grant the Zowe server permission to them. This security configuration allows the Zowe API Gateway to generate PassTickets for an API service. Follow the link below to set up the SAF security profiles:

https://docs.zowe.org/stable/extend/extend-apiml/api-mediation-passtickets.html#enabling-passticket-creation-for-api-services-that-accept-passtickets

Note:

  1. The value of the z/OSMF APPLID (the APIML_SECURITY_ZOSMF_APPLID parameter in instance.env) must be the same as the SAF APPLID (SAF prefix) used by all z/OSMF servers in the Sysplex. A PassTicket is bound to the APPLID it was generated for, so a mismatch means a ticket accepted by one server is rejected by the other after failover. The default z/OSMF APPLID is IZUDFLT.
  2. To generate the ticket, the Zowe client certificate and private key (the key converted to ISO-8859-1) must be downloaded to your local workstation and used in step 2 below.
  3. A RACF PassTicket is only valid for about ten minutes after it is generated, and by default it cannot be replayed within that window, so complete the failover in step 3 and the check in step 5 within ten minutes of step 2 and present each ticket only once. The curl commands below use -k (skip TLS certificate verification) for a test environment; in production point curl at the Zowe and z/OSMF CA certificate (--cacert) instead.

Test Scenario: Check the validity of passticket generated by z/OSMF preferred server when failover occurs

For example, suppose a Sysplex consists of two z/OS systems (SYSA, SYSB). z/OSMF server A (IZUSVRA) is autostarted on SYSA and, similarly, z/OSMF server B (IZUSVRB) is autostarted on SYSB. Both are reached through the same Dynamic VIPA, and IZUSVRA, as the preferred server, receives all incoming requests.

  1. Generate a jwtToken by making a request to a z/OSMF REST service (enter the user's password when curl prompts for it):

curl -k -v https://x.x.x.V/zosmf/services/authenticate -H 'X-CSRF-ZOSMF-HEADER: *' -u userid -X POST

  2. Generate a PassTicket from Zowe:
  • Create an apimlAuthenticationToken by logging in to the API Gateway:

curl -k -v https://hostname:7554/api/v1/gateway/auth/login -d '{"username":"userid","password":"password"}'

  • Generate the ticket, presenting the token from the previous call in the Cookie header together with the Zowe client certificate and key from Note 2:

curl -k -v https://hostname:7554/api/v1/gateway/auth/ticket -H 'Cookie: apimlAuthenticationToken=apiml token value' -d '{"applicationName":"IZUDFLT"}' --cert ~/Desktop/keystore/localhost/localhost.keystore.cer --key ~/Desktop/keystore/localhost/localhost.keystore.key.88591

  3. Stop z/OSMF server A (IZUSVRA) on SYSA (P IZUSVRA), or remove SYSA from the Sysplex, so that the failover happens.

  4. Make a request to a z/OSMF REST service to validate the jwtToken you got in step 1 (z/OSMF requires the X-CSRF-ZOSMF-HEADER header on every REST request, and the URL is quoted so the shell does not expand the *):

curl -k -v 'https://x.x.x.V/zosmf/restjobs/jobs?owner=*' -H 'X-CSRF-ZOSMF-HEADER: *' -H "Cookie: jwtToken=jwt token value"

  5. Use the ticket created in step 2 as the password to validate the PassTicket (enter the ticket value, not the user's password, when curl prompts):

curl -k -v 'https://x.x.x.V/zosmf/restfiles/fs?path=/etc' -H 'X-CSRF-ZOSMF-HEADER: *' -u userid

Expected result:

  • Dynamic VIPA takeover happens: z/OSMF server B (IZUSVRB) becomes the preferred server and accepts all new incoming requests.
  • Your requests in steps 4 and 5 succeed (HTTP 200), which shows that both the jwtToken and the PassTicket generated while IZUSVRA was the preferred server are still accepted by IZUSVRB.
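The five steps above as one script, added here as an example; it is not part of the Zowe project or of this wiki page. The gateway and z/OSMF hostnames (x.x.x.V stands for the Sysplex DVIPA, as on this page), user ID, keystore paths and the `ticket` field name in the gateway's /auth/ticket JSON response are assumptions. The script pulls the jwtToken and apimlAuthenticationToken out of the Set-Cookie headers instead of copying them by hand, and records when the PassTicket was generated so it can warn when the ten-minute validity window has been missed during the failover.

```shell
#!/bin/sh
# Added example, not Zowe's own code: PassTicket validity across a z/OSMF failover.
# Assumed placeholders: GATEWAY, ZOSMF (the DVIPA), keystore paths, and a "ticket"
# field in the /auth/ticket JSON response.
GATEWAY="${GATEWAY:-https://hostname:7554}"
ZOSMF="${ZOSMF:-https://x.x.x.V}"          # DVIPA shared by IZUSVRA and IZUSVRB
APPLID="${APPLID:-IZUDFLT}"                # must equal the z/OSMF SAF APPLID
CERT="${CERT:-$HOME/Desktop/keystore/localhost/localhost.keystore.cer}"
KEY="${KEY:-$HOME/Desktop/keystore/localhost/localhost.keystore.key.88591}"
CACERT="${CACERT:-}"                       # CA bundle; empty falls back to -k (test only)

curl_tls() {
  if [ -n "$CACERT" ]; then curl -s --cacert "$CACERT" "$@"; else curl -s -k "$@"; fi
}

# Pull NAME=value out of the Set-Cookie line of a curl header dump ("curl -D -").
extract_cookie() {   # $1 = header text, $2 = cookie name
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n "s/^[Ss]et-[Cc]ookie: *$2=\([^;]*\).*/\1/p" | head -n 1
}

# Minimal extractor for a flat JSON string field ("name":"value").
extract_json_field() {   # $1 = JSON text, $2 = field name
  printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# RACF PassTickets are valid for about ten minutes from generation: the ticket
# from step 2 must be presented in step 5 inside that window. Returns 0 if fresh.
passticket_fresh() {   # $1 = epoch seconds at generation, $2 = epoch seconds now
  [ $(( $2 - $1 )) -lt 600 ]
}

run_failover_test() {   # $1 = user ID, $2 = password; returns 0 if steps 4 and 5 give HTTP 200
  userid="$1"; password="$2"
  # Step 1: jwtToken from z/OSMF.
  hdrs=$(curl_tls -D - -o /dev/null -X POST "$ZOSMF/zosmf/services/authenticate" \
           -H 'X-CSRF-ZOSMF-HEADER: *' -u "$userid:$password")
  jwt=$(extract_cookie "$hdrs" jwtToken)
  # Step 2: apimlAuthenticationToken, then a PassTicket for APPLID via the gateway.
  hdrs=$(curl_tls -D - -o /dev/null "$GATEWAY/api/v1/gateway/auth/login" \
           -H 'Content-Type: application/json' \
           -d "{\"username\":\"$userid\",\"password\":\"$password\"}")
  apiml=$(extract_cookie "$hdrs" apimlAuthenticationToken)
  body=$(curl_tls "$GATEWAY/api/v1/gateway/auth/ticket" \
           -H "Cookie: apimlAuthenticationToken=$apiml" -H 'Content-Type: application/json' \
           -d "{\"applicationName\":\"$APPLID\"}" --cert "$CERT" --key "$KEY")
  ticket=$(extract_json_field "$body" ticket)
  gen_at=$(date +%s)
  # Step 3: operator action (P IZUSVRA or remove SYSA); wait for the DVIPA takeover.
  printf 'PassTicket obtained. Stop IZUSVRA now, then press Enter (within 10 minutes): '
  read -r _
  # Step 4: jwtToken against the surviving server.
  rc4=$(curl_tls -o /dev/null -w '%{http_code}' "$ZOSMF/zosmf/restjobs/jobs?owner=*" \
           -H 'X-CSRF-ZOSMF-HEADER: *' -H "Cookie: jwtToken=$jwt")
  # Step 5: PassTicket used as the password.
  passticket_fresh "$gen_at" "$(date +%s)" || echo 'warning: ticket is older than 10 minutes'
  rc5=$(curl_tls -o /dev/null -w '%{http_code}' "$ZOSMF/zosmf/restfiles/fs?path=/etc" \
           -H 'X-CSRF-ZOSMF-HEADER: *' -u "$userid:$ticket")
  echo "step 4 (jwtToken) HTTP $rc4; step 5 (PassTicket) HTTP $rc5"
  [ "$rc4" = 200 ] && [ "$rc5" = 200 ]
}

# Usage: sh passticket_failover.sh USERID PASSWORD
if [ "$#" -eq 2 ]; then run_failover_test "$1" "$2"; fi
```

The password is passed on the command line only for brevity in a test environment; for anything beyond that, read it with `read -rs` or from a protected file so it does not appear in the process list or shell history.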