Re: Authenticate with RACF from Web App
- From: denisgaebler@xxxxxxxxxxxx (Denis Gäbler)
- Date: 17 Jul 2009 00:34:41 -0700
Hi,
the easiest approach I have ever seen works like this:
The web server on distributed redirects (easy to implement in distributed http.conf) to the HTTP Server on z/OS (this is the free one, not WebSphere Application Server).
I recall the ITSO wrote a simple CGI program/Exit, which allows to autenticate with RACF and even change the RACF password, if it is expired. On successful authentication the z/OS HTTP Server can redirect back to the distributed web server and it can proceed working with the request.
Nevertheless there are some additonal considerations, e.g. what data to send with the redirect (e.g. generated 128 byte hex token send to z/OS and back and of course by using SSL/HTTPS) in order to make sure that this authentication cannot be bypassed. But this is not rocket sience and the CGI programs for HTTP Server on z/OS can be REXX, so any additional logic would be easy to implement.
Denis.
-----Original Message-----
From: Bob Bonhard <rbonhard@xxxxxxx>
To: IBM-MAIN@xxxxxxxxxxx
Sent: Fri, Jul 17, 2009 12:10 am
Subject: Authenticate with RACF from Web App
Thanks in advance for all/any advice, direction, samples, expertise related to
my question. I was approached by one of our distributed application folks with
a request that I believe should be very possible to accommodate based on my
experiences with zOS system sftwr/hdwr, WAS, etc.
The app is web-based running on non-zOS platform. They would likebe able to
connect to the mainframe to authenticate a RACF ID/password; if the ID and
password are OK, continue with the app (possibly return a RC=0 or any
other "OK"); if ID unknown, pswd wrong, pswd revoked or expired, provide a
non-zero return code or "not OK" msg with explicit reason, even routing user
to a web page where they can update an expiring password, correct an invalid
password. I'm hoping to find something that is *easy* and *cheap* to
implement ("free" being the key word), and generic enough to be used by any
subsequent apps. I figure there has to be an easy way to do this but I don't
know what that way is, whether a direct call to RACF or USS, some kind of
non-html call to the IBM HTTP server, WebSphereAS, MQ ... something simple
and free.
Thank you,
Bob Bonhard/UPS I.S.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
.
- References:
- Authenticate with RACF from Web App
- From: Bob Bonhard
- Authenticate with RACF from Web App
- Prev by Date: Re: Offload work to zIIP with zPRIME
- Next by Date: Re: INFOZIP >2Gb
- Previous by thread: Authenticate with RACF from Web App
- Next by thread: Re: Authenticate with RACF from Web App
- Index(es):
Relevant Pages
|
Loading
