Enable JWT function on zOSMF HA servers
JWT must be enabled for all z/OSMF instances in the Sysplex. To enable JWT, follow the IBM documentation: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.izua300/izuconfig_EnableJSONWebTokens.htm

Note: To build the JWT token, all z/OSMF instances should point to the same keyAlias parameter of the JWT builder. This attribute is used to locate the private key for signing the token with an asymmetric algorithm. The value is the server certificate name, which is identical on all z/OSMF servers. DefaultzOSMFCert.IZUDFLT is the default certificate name.

<jwtBuilder id="zOSMFBuilder" issuer="zOSMF" keyAlias="DefaultzOSMFCert.IZUDFLT" expiresInSeconds="${izu.ltpa.expiration}"/>

Test Scenario: Check the validity of jwtToken generated by z/OSMF preferred server when failover occurs
For example, suppose a Sysplex consists of two z/OS systems (SYSA, SYSB). z/OSMF server A (IZUSVRA) is autostarted on SYSA and, similarly, z/OSMF server B (IZUSVRB) is autostarted on SYSB. IZUSVRA, as the preferred server, receives all incoming requests.
1. Generate a jwtToken by making a request to a z/OSMF REST service:
   curl -k -v https://x.x.x.V/zosmf/services/authenticate -H 'X-CSRF-ZOSMF-HEADER: *' -u userid -X POST
2. Make sure that the generated jwtToken works properly:
   curl -k -v "https://x.x.x.V/zosmf/restjobs/jobs?owner=*" -H "Cookie: jwtToken=jwt token value"
3. Stop z/OSMF server A (IZUSVRA) on SYSA,
   P IZUSVRA
   or remove SYSA from the Sysplex so that the failover happens.
4. Make a request to a z/OSMF REST service to validate the jwtToken you got in step 2:
   curl -k -v "https://x.x.x.V/zosmf/restjobs/jobs?owner=*" -H "Cookie: jwtToken=jwt token value"

Expected result:
- Dynamic VIPA takeover happens: z/OSMF server B (IZUSVRB) becomes the preferred server and accepts all new incoming requests.
- The request in step 4 returns a successful response, which indicates that the jwtToken is still valid.
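
If the request in step 4 is rejected instead, decoding the token's header and claims (without verifying the signature) separates an expired token from one that server B refuses, which points back at the keyAlias note above. This is an added example, not z/OSMF or Zowe code: the sample token is constructed, and the standard `iss`/`exp` claims and the RS/PS/ES algorithm families are assumptions; only the issuer value `zOSMF` comes from the jwtBuilder line on this page.

```python
import base64
import json
import time

EXPECTED_ISSUER = "zOSMF"  # issuer attribute of the jwtBuilder element shown above


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token, now=None):
    """Decode header and claims WITHOUT verifying the signature (triage only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    alg = str(header.get("alg", ""))
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "alg": alg,
        "asymmetric": alg[:2] in ("RS", "PS", "ES"),  # assumption: RS*/PS*/ES* families
        "issuer_ok": claims.get("iss") == EXPECTED_ISSUER,
        "seconds_left": None if exp is None else int(exp - now),
    }


def triage(report):
    # Suggest where to look when the request after failover is rejected.
    if not (report["issuer_ok"] and report["asymmetric"]):
        return "token does not match the jwtBuilder settings"
    if report["seconds_left"] is not None and report["seconds_left"] <= 0:
        return "token expired: authenticate again and repeat the test"
    return "token is current: compare keyAlias and its certificate on both servers"


def make_sample_token(exp):
    # Constructed sample with a dummy signature; not a real z/OSMF token.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"iss": "zOSMF", "exp": exp}), enc("sig")])


if __name__ == "__main__":
    report = inspect_jwt(make_sample_token(int(time.time()) + 600))
    print(report, "->", triage(report))
```

To check a real token, pass the jwtToken cookie value returned in step 1 to `inspect_jwt`; the result is a diagnostic hint only, since the signature is not verified.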