You can do all of that in C code using the __passwd() and
__check_resource_auth_np library functions. You will need to be program
controlled which means Python and its runtime will also need to be
platform controlled. Most modern services do this using an API like the
Zowe authentication API. If you're writing a web application in Flask you
should consider using JWTs. If it were me, I would prefer to use a
Spring Boot Java application instead of Python. There is a much richer
set of SAF APIs and the entire Java JRE is program controlled.
On 21/2/22 8:38 pm, Erik Janssen wrote:
Hello List,
We are creating some APIs with python flask running on z/os (some in
combination with z open automation utilities in order to drive existing rexx /
ispf edit macro logic) and that is looking very promising. In order to properly
protect those APIs I am trying to create an authorization API, that would call a
module that can verify a RACF user/password/appl combination so that it can
return a token with which - for some time - you can then call the actual APIs.
I've managed to create an assembler DLL that works with that principle, calling
the necessary RACROUTEs. But, since this module needs APF authorisation I can
only see a way to call the module as a subprocess through an - apf authorized -
C main wrapper program. In this case it will return the SAF RC and the actual
wto message as stdout. But, specifying a password this way as a cmdline parm
means that it would show up in ps screen in SDSF for example.
Loading the assembler DLL in python through CDLL technically works, but
actually will get a S683 abend, since it lost its APF authorisation.
My idea was that the module will check if the caller is authorized to actually
check the specified user/password by some custom racf profile, so that I can
prevent it from generally being allowed to check all user/password combinations.
Apart from the obvious risks involved in APF authorized routines, giving this
principle that I would like to create a routine that - in a controlled way -
could do password checking for unauthorized callers, what options are there to
do so?
As far as I can see, the only option would be to provide some PC routine, with
an unauthorized stub that can call the authorized running PC 'backend', but I'm
not even sure if that would be a proper way to use a PC routine (let alone the
fact if I would ever manage to - securely - create one).
Kind regards,
Erik.
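As an added example (not code from either poster), one way to close the ps/SDSF exposure Erik describes: the Flask side hands the password to the APF-authorized wrapper on stdin rather than as a command-line parm, and on a SAF RC of 0 mints a short-lived HMAC-signed token of the JWT kind mentioned in the reply. The wrapper's argv/stdin/exit-code protocol and the `demo_wrapper_cmd` stand-in are assumptions made for this example.

```python
import base64, hashlib, hmac, json, subprocess, sys, time

def demo_wrapper_cmd():
    # SIMULATED stand-in for the APF-authorized C wrapper (constructed for
    # offline use): argv[1]=user, argv[2]=appl, password on stdin,
    # exit code plays the role of the SAF return code (0 = verified).
    prog = ("import sys; pw = sys.stdin.readline().rstrip('\\n'); "
            "sys.exit(0 if (sys.argv[1], pw) == ('IBMUSER', 's3cret') else 8)")
    return [sys.executable, "-c", prog]

def verify_with_wrapper(wrapper_cmd, user, appl, password, timeout=10):
    """Run the authorized wrapper, handing it the password on stdin so it
    never appears as a command-line parm in ps or SDSF DA output."""
    proc = subprocess.run(list(wrapper_cmd) + [user, appl],
                          input=(password + "\n").encode(),
                          capture_output=True, timeout=timeout)
    return proc.returncode, proc.stdout.decode(errors="replace").strip()

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(user, appl, secret, ttl_s=900, now=None):
    """Mint a JWT-style HS256 token (secret is bytes) with an exp claim."""
    now = int(time.time()) if now is None else now
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    head, body = enc({"alg": "HS256", "typ": "JWT"}), enc(
        {"sub": user, "appl": appl, "iat": now, "exp": now + ttl_s})
    sig = _b64url(hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"

def check_token(token, secret, now=None):
    """Constant-time signature check, then expiry; returns claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    good = _b64url(hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, good):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None

def login(wrapper_cmd, user, appl, password, secret):
    """Core of a Flask /login handler: SAF RC 0 -> token, otherwise None."""
    rc, _wto = verify_with_wrapper(wrapper_cmd, user, appl, password)
    return issue_token(user, appl, secret) if rc == 0 else None
```

The token only says the password check succeeded; each protected API still has to call `check_token` and then apply its own resource authorization for the `sub` user.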
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN