Security

The Z Data Tools Service Provider for z/OS® Connect EE requires an API caller to pass an HTTP Basic Authorization header that identifies the user ID and password of the caller.

The header is in the following format:
Authorization : Basic credentials_string
where credentials_string represents a Base64 encoding of userid:password. For example:
Authorization : Basic "dXNlcmlkOnBhc3N3b3Jk"

The Z Data Tools Service Provider performs all accesses to z/OS resources as the user ID identified by the Basic Authorization credentials. Consequently, API callers can only access data resources they are authorized to access.

Important: Regardless of whether the API network is private or public, the Basic Authorization header only obfuscates rather than encrypts the user ID and password. For this reason, it is important that API requests to your z/OS Connect WLP server use HTTPS.
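The following Python sketch is an added example, not code from the product documentation. It builds the header value described above, shows that the credentials can be recovered from it without any key, and refuses to attach the header to a non-HTTPS URL. The function names, host name and path are hypothetical.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_header(userid: str, password: str) -> str:
    """Build the Authorization header value: 'Basic ' + Base64(userid:password)."""
    if ":" in userid:
        # RFC 7617: the user ID cannot contain ':' because the first colon
        # separates it from the password.
        raise ValueError("userid must not contain ':'")
    raw = f"{userid}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover (userid, password) from a header value. No key is involved."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic Authorization header")
    # The example on this page shows the credentials string in double quotes,
    # so surrounding quotes are tolerated here.
    token = encoded.strip().strip('"')
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    userid, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("decoded credentials lack the ':' separator")
    return userid, password


def build_request_headers(url: str, userid: str, password: str) -> dict[str, str]:
    """Return headers for an API call, refusing any URL that is not HTTPS."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    return {"Authorization": basic_auth_header(userid, password)}


if __name__ == "__main__":
    # Constructed sample values; the host name and path are placeholders.
    url = "https://zosconnect.example.com/api"
    headers = build_request_headers(url, "userid", "password")
    print(headers["Authorization"])
    # Anyone who can read the header can read the credentials:
    print(decode_basic_auth(headers["Authorization"]))
```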

When requested, a successful API request returns a token that can be used on subsequent API requests to read data from the same data resource. When using a token, the API caller does not need to pass the Basic Authorization header.

Tokens returned by the service provider have a default expiry of 5 minutes of inactivity. In some cases, the timeout can be overridden by the request. If the token is not used for the timeout period, it expires and can no longer be used by the API caller.

When using the Z Data Tools Build Toolkit plug-in to create service archives (SAR files), the plug-in needs to connect to a ZCC server (HFISRV) to extract Z Data Tools template or copybook information. If the Toolkit environment is remote to your HFISRV host, you should run the server with TLS enabled. Refer to the Z Data Tools Customization Guide.