Hi, the easiest approach I have ever seen works like this:
The web server on distributed redirects (easy to implement in distributed http.conf) to the HTTP Server on z/OS (this is the free one, not WebSphere Application Server). I recall the ITSO wrote a simple CGI program/Exit, which allows you to authenticate with RACF and even change the RACF password, if it is expired. On successful authentication the z/OS HTTP Server can redirect back to the distributed web server and it can proceed working with the request.

Nevertheless there are some additional considerations, e.g. what data to send with the redirect (e.g. a generated 128 byte hex token sent to z/OS and back, and of course by using SSL/HTTPS) in order to make sure that this authentication cannot be bypassed. But this is not rocket science, and the CGI programs for HTTP Server on z/OS can be REXX, so any additional logic would be easy to implement.

Denis.

-----Original Message-----
From: Bob Bonhard <[email protected]>
To: [email protected]
Sent: Fri, Jul 17, 2009 12:10 am
Subject: Authenticate with RACF from Web App

Thanks in advance for all/any advice, direction, samples, expertise related to my question.

I was approached by one of our distributed application folks with a request that I believe should be very possible to accommodate based on my experiences with zOS system sftwr/hdwr, WAS, etc. The app is web-based running on non-zOS platform. They would like to be able to connect to the mainframe to authenticate a RACF ID/password; if the ID and password are OK, continue with the app (possibly return a RC=0 or any other "OK"); if ID unknown, pswd wrong, pswd revoked or expired, provide a non-zero return code or "not OK" msg with explicit reason, even routing user to a web page where they can update an expiring password, correct an invalid password.

I'm hoping to find something that is *easy* and *cheap* to implement ("free" being the key word), and generic enough to be used by any subsequent apps.
I figure there has to be an easy way to do this but I don't know what that way is, whether a direct call to RACF or USS, some kind of non-html call to the IBM HTTP server, WebSphereAS, MQ ... something simple and free.

Thank you,
Bob Bonhard/UPS I.S.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
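
Added example, not part of the original thread and not ITSO or IBM code: one way the distributed web server could check the redirect back from z/OS so that the RACF step cannot be skipped or replayed. The host name, parameter names, the key shared by both servers and the HMAC on the return leg are assumptions; the z/OS CGI is represented by a stand-in function.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Assumptions (not from the thread): host name, parameter names,
# a key shared by both servers, and a 5-minute token lifetime.
ZOS_LOGIN_URL = "https://zos.example.com/cgi-bin/racfauth"
SHARED_KEY = secrets.token_bytes(32)
TOKEN_TTL = 300


def start_login(session, now=None):
    """Distributed server: create a one-time token and build the redirect."""
    token = secrets.token_hex(64)  # 128 hex characters
    session["pending"] = (token, (now or time.time()) + TOKEN_TTL)
    return ZOS_LOGIN_URL + "?" + urlencode({"token": token})


def zos_sign_result(token, userid, key=SHARED_KEY):
    """Stand-in for the z/OS CGI after RACF accepted the password:
    bind the token to the authenticated user ID with an HMAC."""
    msg = f"{token}|{userid}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def finish_login(session, token, userid, mac, key=SHARED_KEY, now=None):
    """Distributed server: accept the redirect back only if the token is
    the pending one, unexpired, unused, and the MAC verifies."""
    pending = session.pop("pending", None)  # single use, even on failure
    if pending is None:
        return False
    expected_token, expires = pending
    if (now or time.time()) > expires:
        return False
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False
    good_mac = zos_sign_result(token, userid, key)
    if not hmac.compare_digest(mac.encode(), good_mac.encode()):
        return False
    session["user"] = userid
    return True
```

Echoing the token alone only shows that the browser visited the distributed server first; the keyed MAC is what ties the return leg to a successful check on z/OS.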

