z/OS Connect Enterprise Edition - Group home

Using a Trust Authentication Interceptor (TAI) to allow selected unauthenticated requests

By Will Meyerink posted Fri April 16, 2021 04:24 AM

Where z/OS Connect EE is configured for basic authentication, but selected requests do not present the required credential, a Trust Authentication Interceptor (TAI) can be developed, configured and deployed with a z/OS Connect EE server to allow selected unauthenticated requests to be processed.

For example, where an API gateway component has already authenticated requests that presented a credential, such as a client certificate, and no associated credential is available for the onward request to z/OS Connect EE, a TAI can be developed to identify such requests and allow them to be processed under a fixed application or task identity. Requests that do not match the criteria of the TAI must still present the required credential to proceed. The criteria by which a TAI decides to block or allow a request is entirely due to the design of the TAI implementation.

In the event that the TAI allows an unauthenticated request to be processed, it is possible, depending upon overall configuration, that one or more warning messages are written to the log for each unauthenticated request. For example:
CWWKS1100A: Authentication did not succeed for user ID cn=unknown,o=ibm,c=us. An invalid user ID or password was specified.

ACF2 users might see one instance of the ACF1097 message per associated request:

To avoid these warning messages, you can use the Liberty configuration element, webAppSecurity, to set the useAuthenticationDataForUnprotectedResource attribute to false. For example:
<webAppSecurity useAuthenticationDataForUnprotectedResource="false"/>

For more information about this element, see Web Container Application Security (webAppSecurity) in the [() WebSphere]® Application Server for [() z/OS]® Liberty documentation.

For more information about creating a TAI, see Developing a custom TAI for Liberty in the [() WebSphere]® Application Server for [() z/OS]® Liberty documentation.

1 view