
Enable single sign on on zOSMF HA servers

NayerNajafi edited this page Feb 11, 2021 · 4 revisions

z/OSMF uses the Lightweight Third Party Authentication (LTPA) security protocol to enable a secure single sign-on environment among z/OSMF instances. The LTPA protocol uses an LTPA token to authenticate a user with the z/OSMF servers that are enabled for single sign-on. The requirements to establish a single sign-on environment for z/OSMF can be found in https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.izua300/IZUHPINFO_SSOSetup.htm

Single Sign-On (SSO) must be configured for all z/OSMF instances running in your Sysplex. Follow this link to enable SSO: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zosmfcore.multisysplex.help.doc/izuG00hpActEnableSSO.html

Note:

  1. All z/OSMF servers must use the same SAF prefix. By default, the z/OSMF SAF prefix is IZUDFLT.
  2. The servers must share the same LTPA key.

Test scenario: check the validity of the LTPA token generated by the z/OSMF preferred server when failover occurs

For example, suppose a Sysplex consists of two z/OS systems (SYSA, SYSB). z/OSMF server A (IZUSVRA) is autostarted on SYSA and, similarly, z/OSMF server B (IZUSVRB) is autostarted on SYSB. IZUSVRA, as the preferred server, receives all incoming requests.

  1. Generate an LTPA token by making a request to a z/OSMF REST service:

     curl -k -v https://x.x.x.V/zosmf/services/authenticate -H 'X-CSRF-ZOSMF-HEADER: *' -u userid -X POST

  2. Make sure that the generated LTPA token works properly (the URL is quoted so the shell does not expand the asterisk in owner=*):

     curl -k -v 'https://x.x.x.V/zosmf/restjobs/jobs?owner=*' -H "Cookie: LtpaToken2=<ltpa token value>"

  3. Stop z/OSMF server A (IZUSVRA) on SYSA (for example, with the operator command P IZUSVRA) or remove SYSA from the Sysplex so that failover occurs.

  4. Make a request to a z/OSMF REST service to validate the LTPA token you used in step 2:

     curl -k -v 'https://x.x.x.V/zosmf/restjobs/jobs?owner=*' -H "Cookie: LtpaToken2=<ltpa token value>"

Expected result:

  • Dynamic VIPA takeover happens, and z/OSMF server B (IZUSVRB) becomes the preferred server and accepts all new incoming requests.
  • Your request in step 4 returns a successful response, which indicates that the LTPA token is still valid.
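The four steps above can be driven from one POSIX shell script, so that the token captured in step 1 is the exact value re-submitted after failover and the outcome is a status code rather than a manual inspection of curl -v output. This is an added example and not part of the original wiki page; the ZOSMF_HOST and ZOSMF_USER variables, the RUN_FAILOVER_TEST switch, and the use of the Set-Cookie response header to harvest the token are assumptions, while the cookie name LtpaToken2, the X-CSRF-ZOSMF-HEADER header and the two URLs are those shown in the page (x.x.x.V stands for the z/OSMF dynamic VIPA).

```shell
#!/bin/sh
# Added example (not from the original page): run the LTPA failover test
# end to end against the z/OSMF DVIPA. Host, user and switch names below
# are assumptions; adjust them for your Sysplex.
set -eu

ZOSMF_HOST="${ZOSMF_HOST:-x.x.x.V}"   # placeholder: z/OSMF dynamic VIPA or host name
ZOSMF_USER="${ZOSMF_USER:-userid}"    # placeholder: user ID to authenticate as

# Pull the LtpaToken2 value out of an HTTP header block read from stdin.
# z/OSMF answers the authenticate request with a header of the form
# "Set-Cookie: LtpaToken2=<value>; Path=/; Secure; HttpOnly" (CRLF-terminated).
extract_ltpa_token() {
  sed -n 's/^[Ss]et-[Cc]ookie: *LtpaToken2=\([^;[:space:]]*\).*/\1/p' | head -n 1
}

# Step 1: authenticate and capture the token from the response headers
# (-D - dumps headers to stdout, -o /dev/null discards the body).
get_ltpa_token() {
  curl -k -sS -D - -o /dev/null -X POST \
    -H 'X-CSRF-ZOSMF-HEADER: *' -u "$ZOSMF_USER" \
    "https://$ZOSMF_HOST/zosmf/services/authenticate" | extract_ltpa_token
}

# Steps 2 and 4: call a REST service with only the LTPA cookie and return the
# HTTP status code. Connection failures (e.g. during the DVIPA move) show up
# as "000" instead of aborting the script.
probe_with_token() {
  token="$1"
  curl -k -sS -o /dev/null -w '%{http_code}' \
    -H 'X-CSRF-ZOSMF-HEADER: *' \
    -H "Cookie: LtpaToken2=$token" \
    "https://$ZOSMF_HOST/zosmf/restjobs/jobs?owner=*" || echo "000"
}

# 200 means the receiving server accepted the token; 401 after failover
# usually means the servers do not share the LTPA key or SAF prefix.
token_still_valid() {
  [ "$1" = "200" ]
}

run_failover_test() {
  token=$(get_ltpa_token)
  if [ -z "$token" ]; then
    echo "no LtpaToken2 cookie in the authenticate response" >&2
    return 1
  fi
  echo "step 2: HTTP $(probe_with_token "$token") from the preferred server"
  echo "step 3: stop IZUSVRA (P IZUSVRA) or remove SYSA, then press Enter"
  read -r _continue
  code=$(probe_with_token "$token")
  echo "step 4: HTTP $code after failover"
  token_still_valid "$code"
}

# Only touch real servers when explicitly requested; the functions above can
# be exercised offline with a captured header block.
if [ "${RUN_FAILOVER_TEST:-0}" = "1" ]; then
  run_failover_test
fi
```

Run it with RUN_FAILOVER_TEST=1 ZOSMF_HOST=<dvipa> ZOSMF_USER=<user>; curl prompts for the password. The script exits non-zero when step 4 does not return 200, which makes the scenario usable as a pass/fail check after changes to the LTPA key or SAF prefix on either server.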