WebSphere Application Server & Liberty

WebSphere Application Server & Liberty

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

Simplified authentication with the zosIdentityPropagation-1.0 feature for Liberty on z/OS 25.0.0.9

By Scott Kurz posted Mon September 15, 2025 08:02 AM

  

Background

This leverages the z/OS Trusted TCP Connections support and adds this as an authentication option on Liberty for z/OS.

Enabling this feature allows your OS identity to be used within the web container without passing authentication info like userid and password via HTTP headers.

You can use this to make HTTP requests to:

  • servlets & RESTful resources in your own web applications
  • Liberty admin APIs.
  • Liberty feature APIs (e.g. the Liberty Batch Management REST API)

Example - Using the feature to invoke an Admin API

Though the official documentation mentions a couple additional setup considerations, the key points are listed here:

RACF

We can set up identity propagation in RACF with a command sequence like the following, where MSTONE1 is the userid used to start the Liberty server

  • RDEFINE SERVAUTH EZB.IOCTL.SY1.TCPIP.PARTNERINFO UACC(NONE) PERMIT EZB.IOCTL.SY1.TCPIP.PARTNERINFO CLASS(SERVAUTH) ACCESS(READ) ID(MSTONE1)
  • SETROPTS RACLIST(SERVAUTH) REFRESH

    Server config

    We can illustrate the sample with a server XML snippet like: 

    <server>
    <featureManager>
        <feature>restConnector-2.0</feature>
        <feature>appSecurity-4.0</feature>
        <feature>zosIdentityPropagation-1.0</feature>
    </featureManager>

    <safRegistry/>

    <administrator-role>
        <user>JANE</user>
    </administrator-role>

    <!--  everything else -->
</server>

    Here we configure the administrator (user ID = "JANE") in Liberty server XML to make this post more self-contained.  In practice, note that SAF authorization would often be used to configure administrator access using SAF profiles like BBGZDFLT.com.ibm.ws.management.security.resource.Administrator, etc. 

    Procedure

    First, we login via SSH to create a shell session, using nothing more than normal SSH-related methods (keys, passwords, etc.) to authenticate.

    > ssh JANE@myhost

    Next, from this shell, we issue a client request using "curl" to the config REST API which the adminstrator role authorizes us for

    > curl -k https://localhost:9443/ibm/api/config 

    This returns a JSON representation of the resolved server configuration.

    Also we could call IBMJMXConnectorREST APIs like:

    > curl -k https://localhost:9443/IBMJMXConnectorREST/mbeanCount

    again using the identity of JANEauthorized to the administrator role. 

    In both cases, we make a curl request without passing authentication information via a cookie or auth header.    (The -k option disables TLS certificate validation, making the sample commands easier to step through but this has no relevance to the zosIdentityPropagation-1.0 feature).

    References

    • Official Liberty documentation on the new zosIdentityPropagation-1.0 feature
    • post on the same subject from Dave Follis' WebSphere Liberty on z/OS blog, from a more high-level point of view
    0 comments
    6 views

    Permalink

    https://community.ibm.com/community/user/blogs/scott-kurz/2025/08/27/new-zosidentitypropagation-feature