Supported methods of authentication for z/OS using Zowe
Zowe CLI and its plugins provide various methods for users to authenticate and secure credentials. Secure credential encryption is included in Zowe CLI: credentials and other values set by the user are stored securely using the local device's credential manager, or kept in external secret vaults and provided as environment variables.
Types of authentication supported by Zowe include passwords, passphrases, JSON web token (JWT) authentication, single sign-on (SSO), and multi-factor authentication (MFA). Zowe CLI requires authenticating with the Zowe API Mediation Layer (ML) for SSO, JWT, and MFA support.
The RSE CLI plug-in supports passwords, passphrases, and JWT authentication directly with the RSE API host component. If the RSE API host component is registered with the Zowe API ML, all of the methods of authentication supported by the API ML will be available for RSE profiles as well.
Single sign-on support
After an RSE profile is created and is accessible in Zowe Explorer, users can use single sign-on (SSO) for connecting to the RSE API host component in Zowe Explorer 1.22.0 and later versions. JWTs are stored securely in the profile's file. For RSE profiles connecting directly to the RSE API, follow the steps below:
Logging in to authentication service
Zowe Explorer UI
- Right-click the profile name in the Zowe Explorer tree view and click Login to Authentication Service.
- Enter credentials for z/OS connection when prompted.
When the login is successful, you will receive the message "Login to authentication service was successful." from Zowe Explorer.
Zowe CLI
- In the terminal, enter the command zowe rse auth login.
- Enter credentials for z/OS connection when prompted.
When the login is successful, you will receive a message with information about the JWT, including its creation date and time and its expiration date and time.
Logging out of authentication service
Zowe Explorer UI
Right-click on the profile name in the Zowe Explorer tree view and select Logout from Authentication Service.
When the logoff is successful, you will receive the message Logout from authentication service was successful. from Zowe Explorer.
Zowe CLI
In the terminal, enter the command zowe rse auth logout.
When the logoff is successful, you will receive the message "JWT Token has been retired."
If you are obtaining authentication tokens from the API Mediation Layer, see Connecting profiles to API Mediation Layer.
For an example of the team configuration file with RSE profile authenticating with API Mediation Layer, see Single sign-on support for IBM RSE CLI plugin.
Multi-factor authentication
You can use multi-factor authentication (MFA) and Zowe team configuration profiles. MFA is supported when API Mediation Layer is enabled on the host side.
Zowe Explorer supports multi-factor authentication login. Simply use your temporary code as a password or choose the "Log into Authentication Service" option.
Using environment variables for authentication in Zowe Explorer
To support development environments such as OpenShift Red Hat Dev Spaces, GitHub Codespaces, or any development environment where credentials are managed in external or Cloud-based credential vaults, you can set user credentials through environment variables to be referenced in Zowe CLI and Explorer team configuration profiles.
See
- Managing secrets in the Dev Spaces section on how to create such environment variables in OpenShift Dev Spaces,
- Connect to a z/OS® system using a VPN in the Codespaces section on how to create such environment variables in GitHub Codespaces, or
- Check with your system administrator on how to securely initialize environment variables on your system, if you are using another technology with an external credentials vault.
Configure your Zowe team configuration profiles to use the environment variables as values for the user and password properties, as shown below.

    {
      "profiles": {
        "rse1": {
          "type": "rse",
          "properties": {
            "port": 443,
            "host": "example.host",
            "user": "$ZOWE_OPT_USER",
            "password": "$ZOWE_OPT_PASSWORD"
          }
        }
      }
    }
After you configure it, you are automatically logged on using the credentials provided by the environment variables when you start interacting with your Zowe connection profiles, for example by running a search query for data sets in Zowe Explorer.
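The following check is an added example, not part of Zowe or its plug-ins: it audits a team configuration for user and password properties that hold literal values instead of environment variable references, and for references whose variable is not set. It assumes a reference is the whole property value written as $NAME, as in the profile above, and that profiles may nest under their own "profiles" key; the rse2 profile and the sample environment are constructed.

```python
import json
import re

# Assumption: a reference is the whole value, written as $NAME as on this page.
ENV_REF = re.compile(r"^\$([A-Za-z_][A-Za-z0-9_]*)$")
CREDENTIAL_PROPS = ("user", "password")


def audit_profiles(config, env, path=""):
    """Return a list of findings for credential properties in a team config."""
    findings = []
    for name, profile in config.get("profiles", {}).items():
        where = f"{path}{name}"
        props = profile.get("properties", {})
        for key in CREDENTIAL_PROPS:
            if key not in props:
                continue
            match = ENV_REF.match(str(props[key]))
            if match is None:
                findings.append(f"{where}.{key}: literal value stored in config file")
            elif not env.get(match.group(1)):
                findings.append(f"{where}.{key}: ${match.group(1)} is unset or empty")
        # Assumption: a profile may contain nested profiles of its own.
        findings.extend(audit_profiles(profile, env, where + "."))
    return findings


# Constructed sample: rse1 is the profile from this page, rse2 is a bad variant.
SAMPLE_CONFIG = json.loads("""
{
  "profiles": {
    "rse1": {
      "type": "rse",
      "properties": {"port": 443, "host": "example.host",
                     "user": "$ZOWE_OPT_USER", "password": "$ZOWE_OPT_PASSWORD"}
    },
    "rse2": {
      "type": "rse",
      "properties": {"host": "example.host",
                     "user": "ibmuser", "password": "constructed-secret"}
    }
  }
}
""")
SAMPLE_ENV = {"ZOWE_OPT_USER": "ibmuser"}  # ZOWE_OPT_PASSWORD deliberately missing

if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_CONFIG, SAMPLE_ENV):
        print(finding)
```

To run it against a real setup, pass the parsed team configuration and os.environ in place of the constructed samples.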