z/OS Connect Enterprise Edition

  • 1.  Zos Connect Calling Api with JWT.

    Posted Tue November 23, 2021 11:01 AM
    Edited by Varma Nadimpally Tue November 23, 2021 05:53 PM
I have a need to call the following API with the POST method, using a JWT token obtained from the same base path with a different endpoint... I have set up the server as below... Please let me know if there is anything wrong with the way it is set up below.

It is a POST call and doesn't have any body for the request.

I have the following setup in server.xml.

<zosconnect_endpointConnection id="Api_Conn"
    host="https://test-postcall.xxxx.com"
    port="0433"
    authenticationConfigRef="myJWTConfig"/>

<zosconnect_authToken id="myJWTConfig" authServerRef="myJWTserver" header="Authorization">
    <tokenResponse tokenLocation="body" responseFormat="JSON" tokenPath="$.bearer"/>
</zosconnect_authToken>

<!-- tokenEndpoint is the call that will get the JWT in the response body -->
<zosconnect_authorizationServer id="myJWTserver"
    tokenEndpoint="https://test-postcall.xxxx.com:0433/v1/auth"
    basicAuthRef="tokenCredential"/>

<zosconnect_authData id="tokenCredential" password="password" user="TEST_CALL"/>

    POSTMAN setup.
    I call POST
    https://test-postcall.xxxx.com:0433/v1/auth
    BASIC AUTH
    password="password" user="TEST_CALL"

The response from this call is:

{
    "bearer": "ebhgABCDFERTRELX123shgdjdakjdD.eyJsb2dnZWRJbkFzIjoiUBXFETTHEwertereASDFFGHcbvnaamsm.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI"
}

Once I have this, I will make the call to the actual API with this token specified in the Authorization header.

https://test-postcall.xxxx.com:0433/v1/groupids

This uses bearer token authorization and the token is passed in the Authorization header...

I have everything set up properly. I am trying to call this from BATCH and I am getting the following error...

The trace from z/OS Connect does not show a call going to /v1/auth, where it should get the JWT, and even the server endpoint didn't see the call come in for /v1/auth.

I see the call to /v1/groupids and it is failing since there is no Authorization header with the JWT in it... I am getting a 500 error.

Where can I check whether z/OS Connect issues the call to the JWT server specified in tokenEndpoint="https://test-postcall.xxxx.com:0433/v1/auth"?
I can check the server on the other end and I don't see the call. What am I missing here....

    ------------------------------
    Varma Nadimpally
    ------------------------------


  • 2.  RE: Zos Connect Calling Api with JWT.

    Posted Wed November 24, 2021 03:34 AM

    Hello Varma @Varma Nadimpally

Please can you try updating your <zosconnect_authToken id="myJWTConfig" .../> element to add the subelement:

    <tokenRequest credentialLocation="header" header="Authorization" requestMethod="POST" />

    This is required so that z/OS Connect EE knows that it needs to send a basic authentication request using the HTTP "Authorization" header on a POST request to the authorization server. It will use the basic authentication credentials you have configured in <zosconnect_authData id="tokenCredential" ... /> and referenced using the basicAuthRef attribute of <zosconnect_authorizationServer id="myJWTserver" .../>.

    Regards, Sue



    ------------------------------
    Sue Bayliss
    IBM z/OS Connect EE
    ------------------------------



  • 3.  RE: Zos Connect Calling Api with JWT.

    Posted Wed December 01, 2021 04:59 PM
Thank you @Sue BAYLISS. Once I added the <tokenRequest credentialLocation="header" header="Authorization" requestMethod="POST" />, I now see the following in my trace. I see the z/OS Connect server is trying to make a call to /v1/auth, where it can get the JWT in the response body. But the call is not going to the server at all; it is stopped at the z/OS Connect server side with the following error.

    [11/30/21 10:39:57:986 EST] 0000005d HttpClientReq E BAQR1006E: An error occurred when z/OS Connect EE attempted to access the authentication/authorization server. Error: SSLContext could not be created for alias 'null', the configuration is not present.
    [11/30/21 10:39:57:987 EST] 0000005d ZosConnectCon > <init> Entry
    BAQR1093E: Internal server error.
    [11/30/21 10:39:57:987 EST] 0000005d ZosConnectCon < <init> Exit
    com.ibm.zosconnect.endpoint.connection.TokenConfigException: BAQR1093E: Internal server error.

The trace shows the following.

    [11/30/21 10:32:27:641 EST] 00000023 connection 1 ServiceEvent REGISTERED
    LoggerName:Events.Service.com.ibm.zosconnect.endpoint.connection
    ServiceRef:[com.ibm.zosconnect.endpoint.connection.AuthorizationServer](id=700, pid=com.ibm.zosconnect.endpoint.connection.authServer_102)
    Event:org.osgi.framework.ServiceEvent[source={com.ibm.zosconnect.endpoint.connection.AuthorizationServer}={proxyConfig.target=(service.pid=${proxyConfigRef}), basicAuth.target=(service.pid=com.ibm.zosconnect.security.authdata_74), service.id=700, service.bundleid=194, service.scope=bundle, config.overrides=true, component.name=com.ibm.zosconnect.endpoint.connection.internal.AuthorizationServerImpl, tokenEndpoint=https://test-xxxxxx.xxxxxx.com:48022/v1/auth, component.id=457, receiveTimeout=60000, config.id=com.ibm.zosconnect.endpoint.connection.authServer[myJWTserver], connectionTimeout=30000, config.source=file, basicAuthRef=[com.ibm.zosconnect.security.authdata_74], service.factoryPid=com.ibm.zosconnect.endpoint.connection.authServer, id=myJWTserver, service.vendor=IBM, service.pid=com.ibm.zosconnect.endpoint.connection.authServer_102, config.displayId=zosconnect_authorizationServer[myJWTserver]}]

    [11/30/21 10:32:27:920 EST] 00000023 Authorization > setBasicAuth Entry
    com.ibm.zosconnect.internal.security.AuthDataImpl@22cfbae6
    [11/30/21 10:32:27:920 EST] 00000023 Authorization < setBasicAuth Exit
    [11/30/21 10:32:27:920 EST] 00000023 ConnectionSer > activate Entry
    org.apache.felix.scr.impl.manager.ComponentContextImpl@36041b56
    {component.name=com.ibm.zosconnect.endpoint.connection.internal.AuthorizationServerImpl, id=myJWTserver, config.source=file, service.vendor=IBM, service.factoryPid=com.ibm.zosconnect.endpoint.connection.authServer, basicAuthRef=[Ljava.lang.String;@e55a9101, tokenEndpoint=https://test-xxxxxx.xxxxxx.com:48022/v1/auth, basicAuth.target=(service.pid=com.ibm.zosconnect.security.authdata_74), receiveTimeout=60000, service.pid=com.ibm.zosconnect.endpoint.connection.authServer_102, config.overrides=true, component.id=457, config.displayId=zosconnect_authorizationServer[myJWTserver], connectionTimeout=30000, proxyConfig.target=(service.pid=${proxyConfigRef}), config.id=com.ibm.zosconnect.endpoint.connection.authServer[myJWTserver]}
    [11/30/21 10:32:27:920 EST] 00000023 Authorization > updateConfig Entry
    {component.name=com.ibm.zosconnect.endpoint.connection.internal.AuthorizationServerImpl, id=myJWTserver, config.source=file, service.vendor=IBM, service.factoryPid=com.ibm.zosconnect.endpoint.connection.authServer, basicAuthRef=[Ljava.lang.String;@e55a9101, tokenEndpoint=https://test-xxxxxx.xxxxxx.com:48022/v1/auth, basicAuth.target=(service.pid=com.ibm.zosconnect.security.authdata_74), receiveTimeout=60000, service.pid=com.ibm.zosconnect.endpoint.connection.authServer_102, config.overrides=true, component.id=457, config.displayId=zosconnect_authorizationServer[myJWTserver], connectionTimeout=30000, proxyConfig.target=(service.pid=${proxyConfigRef}), config.id=com.ibm.zosconnect.endpoint.connection.authServer[myJWTserver]}
    [11/30/21 10:32:27:920 EST] 00000023 ConnectionSer > updateConfig Entry
    {component.name=com.ibm.zosconnect.endpoint.connection.internal.AuthorizationServerImpl, id=myJWTserver, config.source=file, service.vendor=IBM, service.factoryPid=com.ibm.zosconnect.endpoint.connection.authServer, basicAuthRef=[Ljava.lang.String;@e55a9101, tokenEndpoint=https://test-xxxxxx.xxxxxx.com:48022/v1/auth, basicAuth.target=(service.pid=com.ibm.zosconnect.security.authdata_74), receiveTimeout=60000, service.pid=com.ibm.zosconnect.endpoint.connection.authServer_102, config.overrides=true, component.id=457, config.displayId=zosconnect_authorizationServer[myJWTserver], connectionTimeout=30000, proxyConfig.target=(service.pid=${proxyConfigRef}), config.id=com.ibm.zosconnect.endpoint.connection.authServer[myJWTserver]}
    [11/30/21 10:32:27:920 EST] 00000023 ConnectionSer < updateConfig Exit
    [11/30/21 10:32:27:920 EST] 00000023 Authorization < updateConfig Exit
    [11/30/21 10:32:27:920 EST] 00000023 ConnectionSer < activate Exit
    [11/30/21 10:32:27:925 EST] 00000023 TokenCacheImp > getCache Entry


The call is not even going to the server located at the endpoint for /v1/auth...

What am I doing wrong, or why is z/OS Connect failing...?



    ------------------------------
    Varma Nadimpally
    ------------------------------



  • 4.  RE: Zos Connect Calling Api with JWT.

    Posted Thu December 02, 2021 04:27 AM

    Hello Varma @Varma Nadimpally

The "E BAQR1006E: An error occurred when z/OS Connect EE attempted to access the authentication/authorization server. Error: SSLContext could not be created for alias 'null', the configuration is not present." message indicates that the z/OS Connect EE server is unable to create an SSL/TLS connection to your authorization server.

    You will need to add attribute sslCertsRef to your <zosconnect_authorizationServer ... /> element.

    • The value of the sslCertsRef attribute must match the id value of an ssl element.
    • The ssl element must include the keyStoreRef and trustStoreRef attributes. These attributes must reference keyStore elements which define the keystores containing any certificates required for the SSL/TLS connection to your authorization server.

    For example:

<!-- tokenEndpoint is the call that will get the JWT in the response body -->
<zosconnect_authorizationServer id="myJWTserver"
    tokenEndpoint="https://test-postcall.xxxx.com:0433/v1/auth"
    basicAuthRef="tokenCredential"
    sslCertsRef="authServerSSLConfig" />

<ssl id="authServerSSLConfig"
    keyStoreRef="authServerKeyStore"
    trustStoreRef="authServerTrustStore" />

<keyStore id="authServerKeyStore"
    fileBased="false"
    location="safkeyring:///KEYRING1"
    password="notUsed"
    readOnly="true"
    type="JCERACFKS" />

<keyStore id="authServerTrustStore"
    fileBased="false"
    location="safkeyring:///KEYRING2"
    password="notUsed"
    readOnly="true"
    type="JCERACFKS" />

For more information on the ssl and keyStore elements, for example how to specify .p12 or .jks keystores, see "SSL Repertoire (ssl)" https://www.ibm.com/docs/en/was-liberty/zos?topic=configuration-ssl and "Keystore (keyStore)" https://www.ibm.com/docs/en/was-liberty/zos?topic=configuration-keystore in the WebSphere Application Server Liberty documentation.


    Regards



    ------------------------------
    Sue Bayliss
    IBM z/OS Connect EE
    ------------------------------



  • 5.  RE: Zos Connect Calling Api with JWT.

    Posted Fri December 03, 2021 06:25 PM
Thanks @Sue BAYLISS. After those changes, progress has been made. Now the API call is actually getting the token and adding it to the Authorization header...

But there is another hurdle I am encountering...

When the call is made, the header is only sending the actual token.

    OTeytONOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI

The API call is failing because the API is expecting the following.

    Bearer OTeytONOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nz9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI

How can I make changes within z/OS Connect to add the word Bearer before the token? Not sure what I can do to make this happen.
My swagger for the actual API call has the following...

    "parameters" : [ {
    "name" : "Authorization",
    "in" : "header",
    "required" : true,
    "type" : "string"
    }],

Hope this is my last hurdle before this works successfully.

    ------------------------------
    Varma Nadimpally
    ------------------------------



  • 6.  RE: Zos Connect Calling Api with JWT.

    Posted Mon December 06, 2021 04:05 AM
    Hello Varma @Varma Nadimpally

    I'm pleased to hear that has resolved the original issues and you have been able to make progress.

z/OS Connect EE was updated in V3.0.47 (APAR PH38028) to include the Bearer scheme in front of the actual token on the request to the remote endpoint URL. See the Change History in the IBM product documentation https://www.ibm.com/docs/en/zosconnect/3.0?topic=zos-connect-ee-change-history.

You will need to upgrade to z/OS Connect EE V3.0.47 or higher (the latest release is V3.0.51) for the Bearer scheme to be included. (You will not need to specify the useBearerScheme attribute on the zosconnect_authToken element, because from that release onwards, the default behaviour is to include the Bearer scheme.)

    Regards,

    ------------------------------
    Sue Bayliss
    IBM z/OS Connect EE
    ------------------------------
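The two-step exchange this thread configures, worked through as an added example; this is not z/OS Connect EE's own code or anything posted in the thread. It shows the Basic-authenticated POST to the tokenEndpoint that the tokenRequest subelement from post 2 enables, extraction of the token from the JSON body at the tokenPath, and the Authorization header sent to the API with and without the Bearer scheme from posts 5 and 6. Both servers are in-process stand-ins so the flow runs offline; the credentials, the token value, and the dotted-path subset of JSONPath that extract_token understands are assumptions. It goes slightly beyond the thread in that extract_token also resolves nested paths such as "$.data.token".

```python
import base64
import json

# Constructed sample values (not from the thread): the Basic-auth credentials a
# <zosconnect_authData> would hold, and a JWT-shaped token whose three segments
# are made up and whose signature is not valid for anything.
SAMPLE_USER = "TEST_CALL"
SAMPLE_PASSWORD = "password"
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJURVNUX0NBTEwifQ.c29tZS1mYWtlLXNpZ25hdHVyZQ"


def basic_auth_header(user, password):
    """Header value that <tokenRequest credentialLocation="header" header="Authorization"
    requestMethod="POST"/> makes the server send to the tokenEndpoint."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header_value):
    """Inverse of basic_auth_header; returns (user, password) or None if malformed."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def fake_auth_server(method, path, headers):
    """Stand-in for the thread's /v1/auth: a POST with valid Basic credentials gets
    a JSON body carrying the token under the key that tokenPath "$.bearer" names."""
    if method != "POST" or path != "/v1/auth":
        return 404, {}, b""
    if parse_basic_auth(headers.get("Authorization", "")) != (SAMPLE_USER, SAMPLE_PASSWORD):
        return 401, {"WWW-Authenticate": 'Basic realm="auth"'}, b""
    body = json.dumps({"bearer": SAMPLE_TOKEN}).encode("utf-8")
    return 200, {"Content-Type": "application/json"}, body


def extract_token(body, token_path):
    """Resolve a tokenPath of the '$.key.subkey' form against a JSON response body.
    Only this dotted subset of JSONPath is implemented (an assumption; the real
    tokenPath attribute may accept more). Raises ValueError on a bad path or a
    non-string value so a malformed response is never forwarded as a token."""
    if not token_path.startswith("$"):
        raise ValueError("tokenPath must start with '$'")
    node = json.loads(body.decode("utf-8"))
    for key in [k for k in token_path[1:].split(".") if k]:
        if not isinstance(node, dict) or key not in node:
            raise ValueError(f"tokenPath {token_path!r} not found in response body")
        node = node[key]
    if not isinstance(node, str) or not node:
        raise ValueError("value at tokenPath is not a non-empty string")
    return node


def authorization_header(token, use_bearer_scheme=True):
    """Value placed in the header named by <zosconnect_authToken header="Authorization">.
    Before V3.0.47 only the raw token was sent (use_bearer_scheme=False); from V3.0.47
    the default is the 'Bearer ' prefix that RFC 6750 style APIs expect."""
    return f"Bearer {token}" if use_bearer_scheme else token


def fake_api_server(method, path, headers):
    """Stand-in for the thread's /v1/groupids API: requires 'Authorization: Bearer <token>'."""
    if method != "POST" or path != "/v1/groupids":
        return 404, {}, b""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        # The failure from post 5: a bare token without the scheme is rejected.
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_request"'}, b""
    if token != SAMPLE_TOKEN:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, b""
    return 200, {"Content-Type": "application/json"}, b'{"groupids": ["G1", "G2"]}'


def call_groupids(use_bearer_scheme=True):
    """Run the whole flow the thread configures and return the API's status code:
    1. POST the tokenEndpoint with Basic credentials, 2. pull the token out of the
    JSON body at tokenPath, 3. POST the API with the token in the Authorization header."""
    status, _, body = fake_auth_server(
        "POST", "/v1/auth", {"Authorization": basic_auth_header(SAMPLE_USER, SAMPLE_PASSWORD)}
    )
    if status != 200:
        return status
    token = extract_token(body, "$.bearer")
    status, _, _ = fake_api_server(
        "POST", "/v1/groupids", {"Authorization": authorization_header(token, use_bearer_scheme)}
    )
    return status


if __name__ == "__main__":
    print("with Bearer scheme:", call_groupids(True))      # 200
    print("without Bearer scheme:", call_groupids(False))  # 401
```

Running the block prints the two outcomes side by side: the pre-V3.0.47 behaviour (raw token in the header) is rejected by the API with 401, while the Bearer-prefixed header succeeds. The extract_token check that the value is a non-empty string is the defensive step worth keeping in any real client: a tokenPath that points at the wrong key should fail loudly rather than send an empty or structured value as a credential.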