Introduction
Cloud and mobile applications have reshaped the way enterprises and systems interact. The dominate standard for new application development for these new environments uses RESTful APIs for sending and receiving JSON formatted messages to backend services. IBM z/OS Connect Enterprise Edition provides a framework that enables new application development using RESTful APIs and JSON messages for accessing z/OS based services and data when developing new cloud and mobile applications for the enterprise uniting z/OS into the Cloud infrastructure.
The administration of a z/OS Connect server and then the enablement of secure connections between REST clients connecting to a z/OS Connect server and then propagating security credentials to the z/OS resource to which are accessed is critical to protecting your data. In the world of cloud and mobile applications, protocols such as Transport Security Layer (TSL), OAuth, OpenID, and JWT are commonly used secure communications. In the workshop, we will explore some of the basic best practices for z/OS Connect administration and security options and show how they can be used to secure communications to and from z/OS Connect EE.
This workshop gives a guided hands-on experience with administration and the use of system authorization security (SAF) and the IBM z/OS Connect Enterprise Edition (EE) product. Attendees will be given the option to perform exercises that start adding system authorization security (SAF) to a z/OS Connect server. The initial exercise covers everything from enabling basic SAF security to fully enabling mutual authentication of digital certificates from the z/OS Connect Eclipse tooling and REST clients like cURL and Postman to a z/OS Connect server. Other exercises include hands-on access to z/OSMF for configuring and installing AT-TLS policies. These AT-TLS policies provide TLS protection between MVS batch application to a z/OS Connect server and between a z/OS Connect server and back-end resources such as IMS databases, IMS transactions, Db2 resources and MQ queues. A CICS security exercise provides hands-on experience configuring CICS TLS support from a CICS API requester exercise as well as configuring identity propagation from a z/OS Connect server to a CICS region. Finally, there is an exercise that introduces the use of OAuth and OpenID Connect and the use of JWT tokens with z/OS Connect server configured as an API provider and API requester.
Objectives
At the conclusion of this workshop, an attendee will have hands-on experience with:
• Performing the initial setup of a z/OS Connect Liberty server.
• Implementing and administrating SAF security with IBM z/OS Connect EE for z/OS servers.
• Enabling TLS connectivity between z/OS Connect server and z/OS backend systems like CICS, IMS DC, IBM MQ, IBM DB2 and MVS batch jobs.
• Implementing the security options available in z/OS Connect. These security options range from:
o Implementing basic security with a user identity and password using a SAF registry.
o Implementing a full exchange of digital certificates between a client and a z/OS Connect server using RACF key rings.
o Implementing JWT tokens with a z/OS Connect server as a provider and as requester.
Contact Judy Vadnais at judyv@us.ibm.com for questions or for enrollment to attend the event.