The ZMFAClient object

The ZMFAClient object encapsulates the PassTicket requests that a credential mapper plugin makes to the IBM Z MFA service.

Note:
If you are using a custom OpenID Connect (OIDC) implementation in ZIETrans that is not configured through the ZIETrans project properties, you must ensure the following:
  • The active HTTP session object must contain an attribute named id_token.
  • The value of this attribute must be the ID token (a JWT) received from your OIDC provider, exactly as issued; ZMFAClient passes it through to the zMFA service for validation.

The following are its members and methods:

Members:

  • zMFA JWT2CTC URL.
  • zMFA Version.
  • Host User ID.
  • Keystore File Name.
  • Keystore Password.
  • Trace Level.

Methods:

public ZMFAClient()
Use this constructor to create the object with the default trace level.
public ZMFAClient(int traceLevel)
Use this constructor to specify a trace level when the object is created.
  • traceLevel - Trace level (0=None, 1=Minimum, 2=Normal, 3=Maximum)
public int Init(String zmfaCtcUrl, int zmfaVersion, String trustStoreName, String trustStorePassword, String trustStoreType)
  • zmfaCtcUrl: The IBM Z MFA service URL that generates an authentication code, known as a Cache Token Credential (CTC).
  • zmfaVersion: The request format. Specify a value of 1.
  • trustStoreName: The name of the truststore used to connect securely (TLS) to the zMFA service. It must be a fully qualified path name, and the truststore should contain the certificate chain that the zMFA service endpoint presents.
Following is an example of code that you can use to convert a provided file name parameter into a fully qualified file name, relative to the EAR directory, at runtime:
import com.ibm.eNetwork.security.sso.cms.CredMapper;
import com.ibm.eNetwork.security.sso.cms.PluginResourceLocator;

    // Resolve a bare truststore file name (for example "zmfa.jks") to a fully
    // qualified path relative to the EAR directory. Both checks are needed:
    // the resource locator is only available once the plugin is initialized.
    PluginResourceLocator locator = CredMapper.getPluginResourceLocator();
    if ((jksFileName != null) && (locator != null)) {
        jksFileName = locator.findResource(jksFileName);
    }
  • trustStorePassword: The password of the truststore specified in trustStoreName.
  • trustStoreType: The type of the specified truststore. Valid values are pkcs12 and jks.

More information on IBM Z MFA jwt2ctc: https://www.ibm.com/docs/en/zma/2.4.0?topic=formats-jwt2ctc-generate-cached-token-from-jwt-service

public CMResponse getPassticket(String hostUserID, String jwtIdToken)
  • hostUserID: The mainframe user ID for which the PassTicket is requested.
  • jwtIdToken: The ID token (a JWT) that the zMFA service checks to validate the request. It should be the ID token returned by the token endpoint of the OIDC provider.
If you are using the ZIETrans OIDC feature, retrieve the ID token from the session attribute id_token as shown here:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

    HttpServletRequest httpReq = cmReq.getHttpRequestObject();
    // getSession(false) never creates a session: if there is none, the user
    // has not completed an OIDC login and no id_token can exist.
    HttpSession sess = httpReq.getSession(false);
    String idToken = (sess != null) ? (String) sess.getAttribute("id_token") : null;
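The following is an added example, not code from the ZIETrans documentation, that ties the three steps above together inside a credential mapper plugin method: read the ID token from the session, resolve the truststore path, initialize ZMFAClient, and request the PassTicket. The CMRequest accessor getUserid(), the configuration constants, the ZMFAClient package location and the assumption that Init returns 0 on success are all assumptions to verify against your ZIETrans installation.

```java
// Added example (not part of the ZIETrans documentation). Assumptions:
//  - ZMFAClient is importable from the package ZIETrans ships it in;
//  - CMRequest.getUserid() returns the host user ID chosen by the mapping logic;
//  - a zero return from ZMFAClient.Init means success.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.ibm.eNetwork.security.sso.cms.CMRequest;
import com.ibm.eNetwork.security.sso.cms.CMResponse;
import com.ibm.eNetwork.security.sso.cms.CredMapper;
import com.ibm.eNetwork.security.sso.cms.PluginResourceLocator;

public class ZmfaPassticketMapper {

    // Hypothetical configuration values. In a real plugin these come from the
    // plugin's init parameters; the truststore password in particular must
    // never be hard-coded in source.
    private static final String ZMFA_CTC_URL = "https://zmfa.example.com/jwt2ctc";
    private static final int    ZMFA_VERSION = 1;
    private static final String TRUSTSTORE_NAME = "zmfa-truststore.p12";
    private static final String TRUSTSTORE_TYPE = "pkcs12";

    private final String trustStorePassword;

    public ZmfaPassticketMapper(String trustStorePassword) {
        this.trustStorePassword = trustStorePassword;
    }

    public CMResponse mapCredentials(CMRequest cmReq) {
        // 1. Take the OIDC ID token from the existing session only. Never
        //    create a session here and never accept the token from a request
        //    parameter: the session is the proof that the OIDC login happened.
        HttpServletRequest httpReq = cmReq.getHttpRequestObject();
        HttpSession sess = (httpReq != null) ? httpReq.getSession(false) : null;
        String idToken = (sess != null) ? (String) sess.getAttribute("id_token") : null;
        if (idToken == null || idToken.isEmpty()) {
            throw new IllegalStateException("no id_token in session: user is not OIDC-authenticated");
        }

        // 2. Resolve the truststore name to a fully qualified path relative to
        //    the EAR directory, as Init requires.
        String trustStorePath = TRUSTSTORE_NAME;
        PluginResourceLocator locator = CredMapper.getPluginResourceLocator();
        if (locator != null) {
            trustStorePath = locator.findResource(trustStorePath);
        }

        // 3. Initialize the client. Trace level 1 keeps tokens out of the log
        //    while still recording connection failures.
        ZMFAClient client = new ZMFAClient(1);
        int rc = client.Init(ZMFA_CTC_URL, ZMFA_VERSION, trustStorePath,
                             trustStorePassword, TRUSTSTORE_TYPE);
        if (rc != 0) { // assumed convention: 0 = success
            throw new IllegalStateException("ZMFAClient.Init failed, rc=" + rc);
        }

        // 4. The host user ID must be derived server-side from the mapping
        //    input (assumed accessor), not from anything the browser supplied.
        String hostUserId = cmReq.getUserid();
        if (hostUserId == null || hostUserId.isEmpty()) {
            throw new IllegalStateException("no host user ID to map");
        }

        // 5. Exchange the ID token for a PassTicket via the jwt2ctc service.
        return client.getPassticket(hostUserId, idToken);
    }
}
```

The two input checks are the part worth keeping even if the surrounding structure differs in your plugin: a missing session must fail closed rather than fall through to a session created by getSession(true), and the host user ID must come from the plugin's own mapping of the authenticated subject, since the caller of getPassticket decides which mainframe identity the PassTicket is minted for.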