API Enablement

  • 1.  SMF data has wrong user information

    IBM Champion
    Posted Thu September 24, 2020 06:22 AM
    I used certificates to connect to z/OS Connect and use services.

    The sample program reports

    SMF123S1_USER_NAME = ADCDC
    SMF123S1_USER_NAME_MAPPED =

    which is not what I would expect. I identify using a certificate, which is mapped using RACDCERT mapping to ADCDC.

    I would expect
    SMF123S1_USER_NAME="CN=ADCDD.O=cpwebuser.C=GB"
    SMF123S1_USER_NAME_MAPPED = ADCDC

    regards
    Colin


  • 2.  RE: SMF data has wrong user information

    Posted Fri September 25, 2020 03:57 AM
    Edited by Sue BAYLISS Fri September 25, 2020 03:57 AM

    Hi Colin,

    When using a TLS certificate and a safRegistry to authenticate to a z/OS Connect EE server the SMF values will be as you are seeing:

    • SMF123S1_USER_NAME = the authenticated user name (SAF user ID) associated with the certificate
    • SMF123S1_USER_NAME_MAPPED = will be blank

    This is because z/OS Connect EE uses WebSphere Liberty function for SAF authentication, which does not consider the fact that a TLS certificate is associated with a SAF user ID as a user mapping.


    If instead, you had used a distributed ID (for example an LDAP identity) and a safRegistry to authenticate to a z/OS Connect EE server then the SMF values will be as follows:

    • SMF123S1_USER_NAME = the Distributed ID
    • SMF123S1_USER_NAME_MAPPED = the authenticated user name (SAF user ID) mapped (e.g. using RACMAP) to the Distributed ID

    We will review the product documentation, to try to make it clearer what values these fields will contain.

    Regards, Sue

    ------------------------------
    Sue Bayliss
    IBM z/OS Connect EE
    ------------------------------



  • 3.  RE: SMF data has wrong user information

    IBM Champion
    Posted Mon September 28, 2020 04:52 AM

    Hi Sue,

    Thanks for the clarification. Please can SMF123S1_USER_NAME_MAPPED have the userid regardless of where it came from?

    I am trying to process the SMF records, and instead of printing out the "userid" I currently have to do
    If SMF123S1_USER_NAME_MAPPED is not blank, and SMF123S1_USER_NAME is blank
         then use SMF123S1_USER_NAME_MAPPED
    else use SMF123S1_USER_NAME.


    This makes it difficult if you are using tools like ICETOOL, which just print the records and have no if-then logic.


    For the certificate authentication, I can see from the trace that Liberty knows about the DN in the certificate. Would it be possible to extract this and put it in SMF123S1_USER_NAME?
    I cannot get a mapping from RACF of the certificate to userid, so currently I do not know the identification of the requestor.  Many users can map to the same SAF userid.  z/OS Connect does not meet the strictest security standards where you have to be able to uniquely identify the requestor.



    ------------------------------
    Colin Paice
    ------------------------------
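The two field layouts Sue describes in reply 2, and the audit gap Colin raises in reply 3, as an added example that is not part of the thread or of IBM's code: it derives the SAF user ID and, where recorded, the original identity from already-decoded SMF 123 subtype 1 records (assumed here to be plain dicts produced by a formatter such as the sample program), and flags records where only a possibly shared SAF ID survived.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RequesterIdentity:
    saf_user: str               # SAF user ID the request ran under ("" if none)
    original_id: Optional[str]  # pre-mapping identity (e.g. distributed ID), if recorded
    original_recorded: bool     # False when only a (possibly shared) SAF ID survived


def resolve_identity(rec: Dict[str, str]) -> RequesterIdentity:
    """Derive the requester identity from the two SMF 123 subtype 1 user fields.

    Semantics as described in reply 2 of the thread:
      distributed ID + safRegistry:  USER_NAME = distributed ID, MAPPED = SAF user ID
      TLS certificate + safRegistry: USER_NAME = SAF user ID,    MAPPED = blank
    """
    name = rec.get("SMF123S1_USER_NAME", "").strip()
    mapped = rec.get("SMF123S1_USER_NAME_MAPPED", "").strip()
    if mapped:
        # A mapping was recorded: MAPPED is the SAF ID, USER_NAME the original identity.
        return RequesterIdentity(saf_user=mapped, original_id=name or None,
                                 original_recorded=bool(name))
    # No mapping recorded: USER_NAME already is the SAF ID; a certificate DN is not kept.
    return RequesterIdentity(saf_user=name, original_id=None, original_recorded=False)


def audit_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One row per request, flagging records where the original requester
    cannot be recovered from the SMF data alone (the certificate case)."""
    rows = []
    for rec in records:
        ident = resolve_identity(rec)
        rows.append({
            "saf_user": ident.saf_user,
            "original_id": ident.original_id or "",
            "finding": "" if ident.original_recorded
                       else "requester not uniquely identifiable from SMF",
        })
    return rows


# Constructed sample records mirroring the two cases discussed in the thread.
SAMPLE_RECORDS = [
    {"SMF123S1_USER_NAME": "ADCDC", "SMF123S1_USER_NAME_MAPPED": ""},  # certificate
    {"SMF123S1_USER_NAME": "CN=ADCDD.O=cpwebuser.C=GB",
     "SMF123S1_USER_NAME_MAPPED": "ADCDC"},                             # distributed ID
]
```

Running `audit_records(SAMPLE_RECORDS)` yields ADCDC as the SAF user for both records, with the certificate record carrying no original identity and a finding attached.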