How to avoid user revocation in case of wrong password in Zowe CLI access #1094
-
|
Hi, Our users work both with TSO/ISPF and with Zowe CLI through extensions for VS Code, (Zowe Explorer in particular). MVS passwords should be changed regularly. If the password used in Zowe CLI profiles are not kept up to date at the same time, this triggers a user revocation at the security system level (RACF), especially when using VS extensions Code because in this case several connections attempts are sent, which fail, and the limit of 5 connections before revocation arrives quickly. How to avoid these user revocations? We use the RACF security system and connections are made at z/OSMF level, and possibly FTP, CICS, Db2, Endevor (Web Services). Our security teams tell us that they cannot set up an access blocking (invalid password) without at the same time activating the user revocation system after 5 failed attempts. A solution could be not to save the password in the Zowe CLI profiles (encrypted with SCS) but:
We would be interested in hearing feedback from user sites on Zowe CLI password management. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
For REST APIs - like z/OSMF - token authentication appears to avoid revocation. That is, if you obtain a token from a service, you can attempt to authenticate any number of times with an expired / invalid token and you should not revoke your user ID. Right now, the only tokens we support in "Zowe" is the API ML token (e.g. we'd don't support token auth directly to z/OSMF). |
Beta Was this translation helpful? Give feedback.
For REST APIs - like z/OSMF - token authentication appears to avoid revocation. That is, if you obtain a token from a service, you can attempt to authenticate any number of times with an expired / invalid token and you should not revoke your user ID.
Right now, the only tokens we support in "Zowe" is the API ML token (e.g. we'd don't support token auth directly to z/OSMF).