Delegated passticket API#4925

Open
Joe-Winchester wants to merge 9 commits intodocs-stagingfrom
joewinchester/address-issue-4920

Conversation

@Joe-Winchester (Member)

PR to support the APIML PR zowe/api-layer#4368

Signed-off-by: Joe Winchester <winchest@uk.ibm.com>

github-actions bot commented Feb 5, 2026

😺 Thank you for creating this PR! To publish your content to Zowe Docs, follow these required steps.

  • Add the label review: doc.
  • Identify your content topic with a label. (Examples: area: apiml, area: cli, area: install and config, etc.)
  • Specify the major Zowe release(s) for your content. (Examples: release: V1, release: V2, release: V3)
    • If adding content that needs to be removed from V3 documentation, add the V3 N/A tag.
  • Select the master branch if your PR updates content that is on the live site. Select docs-staging if your PR updates content for a future release.
  • Notify the Doc Squad about this PR. If you don't know who should review your content, message the #zowe-doc Slack channel. If you know which Doc Squad writer should approve your content, add that person as a reviewer.

Need help? Contact the Doc Squad in the #zowe-doc Slack channel.


github-actions bot commented Feb 5, 2026

⚠️ Looks like something is wrong with the PR description. Remember to add a description and the file(s) included in this PR.

If you have addressed this issue already, refresh this page in your browser to remove this comment.

@Joe-Winchester Joe-Winchester added review: doc Needs review by Doc Squad member area: apiml This issue is related to Zowe API Mediation Layer release: V3 Zowe V3 content labels Feb 5, 2026

github-actions bot commented Feb 5, 2026

:::info Role: system administrator
:::

As a system administrator, you can enable the endpoint of the API Gateway that allows passticket generation for a delegated e-mail. This API allows the authenticated user to create a passticket for another user, so has the potential be be misused for priviledge escalation or impersonation. For that reason the API authentication must be done with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET` and the endpoint must be enabled by setting `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`.
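Review bot: "so has the potential be be misused" doubles "be", and "READ access to the class ZOWE.APIML.DELEGATE.PASSTICKET" names what reads like a resource profile rather than a class (step 1 below says "Define the resource class"), so state which class that profile is defined in and phrase it as "READ access to the ZOWE.APIML.DELEGATE.PASSTICKET profile in that class". "passticket generation for a delegated e-mail" is also unclear: the request body example below carries `emailId`, so say the passticket is generated for the user identified by that e-mail address.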
Contributor

I think this property should also be listed here docs/appendix/zowe-yaml-configuration.md.

Contributor

thanks!


1. Define the resource class by running the command:

```racf
Contributor

Could we include the equivalent commands for TSS and ACF2 as well?

apiml:
gateway:
security:
delegatePassticket: false
Contributor

shouldn't be true in this example?

Member Author

Yes my bad - thank you for picking that up

Contributor

taban03 commented Feb 6, 2026

Left a few comments, otherwise LGTM. Leaving it for @janan07 review

@taban03 taban03 requested a review from janan07 February 6, 2026 09:45
Contributor

taban03 commented Feb 6, 2026

As a side-note: There also used to be a file authentication-for-apiml-services.md that was documenting the auth GW endpoints (including auth/ticket) but I've seen it was removed for v3. Was there a reason for it? @janan07 It looks like this endpoint is not documented anywhere now for v3.

:::info Role: system administrator
:::

As a system administrator, you can enable the endpoint of the API Gateway that allows passticket generation for a delegated e-mail. This API allows the authenticated user to create a passticket for another user, so has the potential be be misused for priviledge escalation or impersonation. For that reason the API authentication must be done with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET` and the endpoint must be enabled by setting `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`.
Collaborator

priviledge -> privilege

Member Author

Good catch - thank you. Fix in the latest PR commit.

Comment on lines 22 to 27
components:
gateway:
apiml:
gateway:
security:
delegatePassticket: false
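Review bot: the key path in this snippet, `components.gateway.apiml.gateway.security.delegatePassticket`, repeats `gateway` one level deeper than the path the introductory paragraph gives (`zowe.components.gateway.apiml.security.delegatePassticket`); the two should agree, so either drop the inner `gateway:` level here or correct the prose, whichever matches the gateway's actual property name.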
Collaborator

There is an indentation of 4 spaces, which is fine. But we are usually using 2 spaces in examples. I would suggest to use 2 spaces.

Member Author

Yes my bad for using 4 as I had done tab indents.
2 is the right indent for yaml so I've fixed this in the latest commit

```
{
"applId": "APPLID",
"emailId": "email@domain.com"
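Review bot: the fence opening this request-body example carries no language tag while the resource-class example above is tagged ```racf; tag this one ```json so the two snippets are highlighted consistently.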
Member Author

Good catch - fixed in the latest commit.
Thank you !

Corrected indentation in YAML example and improved formatting.

Signed-off-by: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com>
Comment on lines 22 to 26
components:
gateway:
apiml:
security:
delegatePassticket: true
Collaborator

Is this correct? From the PR, it looks like

 @ConditionalOnProperty(value = "apiml.security.delegatePassticket.enabled", havingValue = "true", matchIfMissing = false)

Should be

components:
  apiml:
    security:
      delegatePassticket:
        enabled: true

@taban03 Could you verify this? Thanks.

Contributor

Good catch @Martin-Zeithaml . Yes that should be like you suggested


<summary>Click here for command details to configure user access using Top Secret.</summary>

**For Top Secret:**
Collaborator

TSS commands are missing.

Updated configuration steps for enabling delegated PassTicket.

Signed-off-by: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com>