
Status Delivered
Workspace z/OS Connect
Created by Guest
Created on Sep 16, 2016

zCEE to add support for basic authentication without requiring CLIENT-CERT

We are using zConnect (FMID HZCN200) to run IMS mobile feature pack services. We have IHS (web server) front-ending the zConnect server. Most of our traffic will go through IHS to the zConnect server. In our development environment we allow users to go directly to the zConnect server. For requests coming to IHS, a client cert is required by IHS. For requests coming directly to the zConnect server, a userid & password is required.

In our zConnect environment, we use TAI (trust associate interceptor) to verify the request. If traffic is from IHS, then TAI would allow it, defaulting to a runtime userid TAI specifies. If the traffic is not from IHS, then TAI would default to userid/password authentication.

For each request coming from IHS to zConnect, we could see an ACF2 message in the task joblog:
ACF01097 NO USERID SPECIFIED ON SYSTEM ENTRY VALIDATION REQUEST

In this situation, a client cert has been verified by IHS, and the traffic goes to zConnect, which then defaults to a runtime id by TAI. It seems zConnect still makes a call to ACF2 to check the userid. Can you please take a look at it to see if the call to ACF2 is needed, and what we could do to avoid the extra step, and extra message?

Idea priority Urgent
  • Guest
    May 6, 2020

    This RFE has been addressed by an update to the z/OS Connect EE V3.0 Knowledge Center, by the addition of the topic “Using a Trust Authentication Interceptor (TAI) to allow selected unauthenticated requests”:

    https://www.ibm.com/support/knowledgecenter/en/SS4SVW_3.0.0/securing/tai_selected_requests.html

    The topic outlines how to eliminate the unwanted issuance of erroneous authentication failure messages through configuration changes. The original request to remove the need for a client certificate proved to be unnecessary.