Supported methods of authentication for z/OS using Zowe
Zowe CLI and its plug-ins offer several ways for users to authenticate and secure credentials. Secure credential encryption is now included in Zowe CLI: credentials and other values set by the user are stored securely using the local device's credential manager.
Types of authentication supported by Zowe include passwords, passphrases, JSON web token (JWT) authentication, single sign-on (SSO), and multi-factor authentication (MFA). Zowe CLI requires authenticating with the Zowe API Mediation Layer (ML) for SSO, JWT, and MFA support.
The RSE CLI plug-in supports passwords, passphrases, and JWT authentication directly with the RSE API host component. If the RSE API host component is registered with the Zowe API ML, all of the methods of authentication supported by the API ML will be available for RSE profiles as well.
Single sign-on support
After an RSE profile is created and is accessible in Zowe Explorer, users can use single sign-on (SSO) for connecting to the RSE API host component in Zowe Explorer 1.22.0 and later versions. JWTs are stored securely in the profile's file. For RSE profiles connecting directly to the RSE API, follow the steps below:
Logging in to authentication service
Zowe Explorer UI:
- Right-click the profile name in the Zowe Explorer tree view and click Login to Authentication Service.
- Enter credentials for z/OS connection when prompted.
When the login is successful, you will receive the message "Login to authentication service was successful." from Zowe Explorer.
Zowe CLI:
- In the terminal, enter the command zowe rse auth login.
- Enter credentials for z/OS connection when prompted.
When the login is successful, you will receive a message with information about the JWT, including its creation date and time and its expiration date and time.
Logging out of authentication service
Zowe Explorer UI:
Right-click on the profile name in the Zowe Explorer tree view and select Logout from Authentication Service.
When the logoff is successful, you will receive the message "Logout from authentication service was successful." from Zowe Explorer.
Zowe CLI:
In the terminal, enter the command zowe rse auth logout.
When the logoff is successful, you will receive the message "JWT Token has been retired."
If you are obtaining authentication tokens from the API Mediation Layer, see Connecting profiles to API Mediation Layer.
For an example of the team configuration file with RSE profile authenticating with API Mediation Layer, see Single sign-on support for IBM RSE CLI plugin.
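The following check is an added example, not part of the Zowe documentation or code: it audits a team configuration file for credentials or tokens that sit in plaintext instead of being delegated to the credential manager. It assumes the team configuration layout of named profiles with "properties" and "secure" entries and treats user, password and tokenValue as the sensitive property names; the sample configuration, hosts and values are constructed.

```python
import json

# Assumed sensitive property names; extend for plug-in specific fields.
SENSITIVE = {"user", "password", "tokenValue"}

# Constructed sample team configuration; hosts and values are placeholders.
SAMPLE_CONFIG = """
{
  "profiles": {
    "rse_good": {
      "type": "rse",
      "properties": {"host": "zos.example.com", "port": 6800},
      "secure": ["user", "password", "tokenValue"]
    },
    "lpar1": {
      "properties": {"host": "zos2.example.com"},
      "profiles": {
        "rse_bad": {
          "type": "rse",
          "properties": {"port": 6800, "tokenValue": "PLACEHOLDER.JWT.VALUE"},
          "secure": ["password"]
        }
      }
    }
  }
}
"""

def find_plaintext_secrets(profiles, prefix=""):
    """Return (profile_path, property) pairs where a sensitive value sits in 'properties'."""
    findings = []
    for name, profile in profiles.items():
        path = f"{prefix}{name}"
        # A securely stored value is named in 'secure' and absent from 'properties',
        # so any sensitive key found in 'properties' is readable on disk.
        for prop in sorted(SENSITIVE & set(profile.get("properties", {}))):
            findings.append((path, prop))
        # Profiles can be nested; recurse with a dotted path.
        findings += find_plaintext_secrets(profile.get("profiles", {}), path + ".")
    return findings

def audit(config_text):
    """Parse a team configuration document and list plaintext secrets."""
    return find_plaintext_secrets(json.loads(config_text).get("profiles", {}))

if __name__ == "__main__":
    for path, prop in audit(SAMPLE_CONFIG):
        print(f"{path}: '{prop}' is stored in plaintext; list it under 'secure' instead")
```

If a real configuration file contains comments, strip them before parsing, because json.loads rejects them.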
Multi-factor authentication
You can use multi-factor authentication (MFA) with Zowe team configuration profiles. MFA is supported when API Mediation Layer is enabled on the host side. Zowe Explorer supports multi-factor authentication login: use your temporary code as a password or choose the "Log into Authentication Service" option.