Use LTPA tokens to allow CMCI "sessions" #217

Open
@davenice

Description

The CMCI JVM server is available in most modern CICS installations - it puts a Liberty instance in front of the CMCI connection.

This was used by the Eclipse-based CICS Explorer as a route to provide MFA support, because the Liberty instance supports LTPA tokens out-of-the-box.

LTPA tokens give the concept of a session to the CMCI REST interface - after the initial authentication with basic auth, a cookie with an LTPA token is returned. If that LTPA token is presented (instead of basic auth) on subsequent REST calls, Liberty will make the request as the originally authenticated user.

This has a couple of key benefits...

  1. Basic auth information is transferred across the wire less frequently, reducing the window for any attack to grab credentials
  2. The connection becomes possible to use with MFA

This piece of work should cover:

  • Connecting with basic auth
  • In the response from the server, detecting an LTPA token has been returned
  • Caching the LTPA token in memory
  • Using the LTPA token on subsequent REST requests
  • When a request using the LTPA token gets a 401, retrying with basic auth
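
The flow listed above, as an added example (not code from this issue or from the project). It assumes Liberty's default LTPA cookie name, `LtpaToken2`; `CmciSession`, the `transport` callback and `fakeServer` are hypothetical names, and the credentials, path and token values are constructed so the block runs offline.

```javascript
// Added example. Assumption: the LTPA cookie uses Liberty's default name, LtpaToken2.
class CmciSession {
  constructor(user, password, transport) {
    this.basic = "Basic " + Buffer.from(`${user}:${password}`).toString("base64");
    this.transport = transport; // hypothetical: async ({path, headers}) => ({status, headers})
    this.ltpa = null;           // cached in memory only, never written to disk
  }
  // Return "LtpaToken2=<value>" from Set-Cookie, dropping attributes such as Path.
  static extractLtpa(setCookie) {
    const hit = [].concat(setCookie || []).map(c => /^\s*(LtpaToken2=[^;\s]+)/.exec(c)).find(Boolean);
    return hit ? hit[1] : null;
  }
  async send(path, headers) {
    const res = await this.transport({ path, headers });
    const token = CmciSession.extractLtpa(res.headers["set-cookie"]);
    if (token) this.ltpa = token; // cache whatever token the server returned
    return res;
  }
  async request(path) {
    if (this.ltpa) {
      const res = await this.send(path, { Cookie: this.ltpa });
      if (res.status !== 401) return res;
      this.ltpa = null;           // rejected or expired: discard before retrying
    }
    return this.send(path, { Authorization: this.basic });
  }
}

// Constructed stand-in for the CMCI JVM server: each token is accepted twice, then gets a 401.
function fakeServer(log) {
  let issued = 0, uses = 0;
  return async ({ headers }) => {
    log.push(headers.Cookie ? "ltpa" : "basic");
    if (headers.Cookie) {
      const ok = headers.Cookie === `LtpaToken2=tok${issued}` && ++uses <= 2;
      return { status: ok ? 200 : 401, headers: {} };
    }
    uses = 0; // basic auth accepted: issue a fresh token
    return { status: 200, headers: { "set-cookie": [`LtpaToken2=tok${++issued}; Path=/; Secure; HttpOnly`] } };
  };
}

async function demo() {
  const log = [], statuses = [];
  const s = new CmciSession("USERID", "constructed-password", fakeServer(log));
  for (let i = 0; i < 4; i++) statuses.push((await s.request("/CICSSystemManagement/CICSRegion")).status);
  return { log, statuses, cached: s.ltpa };
}
```

Four calls to `request` send credentials only twice: once at the start and once after the 401, with the rejected token dropped from the cache before the retry.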

Labels: enhancement (New feature or request)