From fff495fac0ee8f17eaad587991e239420e56b629 Mon Sep 17 00:00:00 2001 From: Joe Winchester Date: Thu, 5 Feb 2026 18:05:47 +0000 Subject: [PATCH 1/9] Delegated passticket API Signed-off-by: Joe Winchester --- .../configuration-authorization.md | 3 +- .../configuration-delegated-passticket.md | 80 +++++++++++++++++++ 2 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 docs/user-guide/api-mediation/configuration-delegated-passticket.md diff --git a/docs/user-guide/api-mediation/configuration-authorization.md b/docs/user-guide/api-mediation/configuration-authorization.md index 1b1f13e79c..6fb2b3bd49 100644 --- a/docs/user-guide/api-mediation/configuration-authorization.md +++ b/docs/user-guide/api-mediation/configuration-authorization.md @@ -7,4 +7,5 @@ In Zowe's API Mediation Layer, system administrators can limit access to service - [Limiting access to information or services in the API Catalog](./configuration-limiting-access-to-info-or-services-in-api-catalog.md) - [Configuring SAF resource checking](./configuration-saf-resource-checking.md) -- [Configurint Health Endpoint Protection](./configuration-health-endpoint-protection.md) \ No newline at end of file +- [Configuring Health Endpoint Protection](./configuration-health-endpoint-protection.md) +- [Configuring delegated passticket generation](./configuration-delegated-passticket.md) \ No newline at end of file diff --git a/docs/user-guide/api-mediation/configuration-delegated-passticket.md b/docs/user-guide/api-mediation/configuration-delegated-passticket.md new file mode 100644 index 0000000000..c3e88c1aae --- /dev/null +++ b/docs/user-guide/api-mediation/configuration-delegated-passticket.md 
@@ -0,0 +1,80 @@ +# Configuring Delegated Passticket Generation + +:::info Role: system administrator +::: + +As a system administrator, you can enable the endpoint of the API Gateway that allows passticket generation for a delegated e-mail. This API allows the authenticated user to create a passticket for another user, so has the potential be be misused for priviledge escalation or impersonation. For that reason the API authentication must be done with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET` and the endpoint must be enabled by setting `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`. + +Use the following procedure to enable the delegated passticket endpoint of the API Gateway: + +1. Open the file `zowe.yaml`. +2. Configure the following property: + +* `components.gateway.apiml.security.delegatedPassticket` +This property defines whether the endpoint `/gateway/api/v1/auth/delegate/passticket` is available + +:::note +The default value of this parameter is `false`. +::: + +**Example:** +```yaml +components: + gateway: + apiml: + gateway: + security: + delegatePassticket: false +``` + +The userID that makes the call to the API must have `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET`. For more information on how to configure this see [Configuring User permission call delegated passticket API](#configuring-user-permission-to-generate-delegated-passtickets) + +## Configuring user permission to generate delegated passtickets + +The delegated passticket API must be called with a client certificate. The z/OS user ID associated with the certificate must have `READ` permission for the `ZOWE.APIML.DELEGATE.PASSTICKET` class. + +
+ +Click here for command details about configuring user access using RACF + +In your ESM command line interface or other security environment, perform the following steps: + +1. Define the resource class by running the command: + + ```racf + RDEFINE ZOWE APIML.DELEGATE.PASSTICKET UACC(NONE) + ``` + +2. Permit the user associated with the client certificate `READ` access + ```racf + PERMIT APIML.DELEGATE.PASSTICKET CLASS(ZOWE) ID() ACCESS(READ) + SETROPTS RACLIST(ZOWE) REFRESH + ``` + +- **`userID`** + The userID associated with the client certificate calling the API + +3. (optional) To see the all permissions for users + ```racf + RLIST ZOWE APIML.DELEGATE.PASSTICKET AUTHUSER + ``` + +
+ +## Calling the /auth/delegate/passticket API + +To call the API `GET` `/gateway/api/v1/auth/delegate/passticket` the body should be `JSON` + +``` +{ + "applId": "APPLID", + "emailId": "email@domain.com" +} +``` + +-**`APPLID`** + The applicationID associated with the address space the passticket is being generated for. As an example, to create a passticket for z/OSMF this value will be `IZUDFLT` + +-**`emailId`** + The e-mail ID of the user that is associated with the z/OS userID, see [ESM configuration](../../extend/extend-apiml/api-mediation-oidc-authentication.md#esm-configuration-prerequisites). + From 8ec850d02189276c3e46467dde2c229b9d7c6caf Mon Sep 17 00:00:00 2001 From: Joe Winchester Date: Mon, 9 Feb 2026 18:25:32 +0000 Subject: [PATCH 2/9] Updates following PR review Signed-off-by: Joe Winchester --- docs/appendix/zowe-yaml-configuration.md | 5 ++- .../configuration-delegated-passticket.md | 34 +++++++++++++++---- 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/docs/appendix/zowe-yaml-configuration.md b/docs/appendix/zowe-yaml-configuration.md index a9519f14bb..cb83d5da4e 100644 --- a/docs/appendix/zowe-yaml-configuration.md +++ b/docs/appendix/zowe-yaml-configuration.md 
@@ -536,8 +536,11 @@ These configurations can be used under the `components.gateway` section: - **apiml.security.oidc.identityMapperUser** (Optional) If the userId is different from the default Zowe runtime userId (`ZWESVUSR`), specify the `identityMapperUser` userId to configure API ML access to the external user identity mapper. - **apiml.security.oidc.userIdField** - Specifies the name of the field from the OIDC token with the value that is used for user mapping in SAF. Supports also nested objects via a dot-separated list. When the field contains multiple values, all values are used as distributed identifiers for mapping. Each value for mapping is evaluated sequentially and the first successfully mapped user is used. This parameter is used to specify, for example, a custom field with email or LDAP groups for user mapping. This parameter applies to Zowe version 3.4.0 and later versions. + Specifies the name of the field from the OIDC token with the value that is used for user mapping in SAF. Supports also nested objects via a dot-separated list. When the field contains multiple values, all values are used as distributed identifiers for mapping. Each value for mapping is evaluated sequentially and the first successfully mapped user is used. This parameter is used to specify, for example, a custom field with email or LDAP groups for user mapping. This parameter applies to Zowe version 3.4.0 + and later versions. **Default:** `sub` +- **apiml.security.delegatePassticket.enabled** + Specifies whether the API `POST` for endpoint `/gateway/api/v1/auth/delegate/passticket` is enabled. The default value is `false`. For more information, see [Configuring Delegated Passticket Generation](../user-guide/api-mediation/configuration-delegated-passticket.md). :::note diff --git a/docs/user-guide/api-mediation/configuration-delegated-passticket.md b/docs/user-guide/api-mediation/configuration-delegated-passticket.md index c3e88c1aae..243187eb23 100644 
--- a/docs/user-guide/api-mediation/configuration-delegated-passticket.md +++ b/docs/user-guide/api-mediation/configuration-delegated-passticket.md @@ -3,7 +3,7 @@ :::info Role: system administrator ::: -As a system administrator, you can enable the endpoint of the API Gateway that allows passticket generation for a delegated e-mail. This API allows the authenticated user to create a passticket for another user, so has the potential be be misused for priviledge escalation or impersonation. For that reason the API authentication must be done with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET` and the endpoint must be enabled by setting `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`. +As a system administrator, you can enable the endpoint of the API Gateway that allows passticket generation for a delegated e-mail. This API allows the authenticated user to create a passticket for another user, so has the potential be be misused for privilege escalation or impersonation. For that reason the API authentication must be done with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET` and the endpoint must be enabled by setting `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`. Use the following procedure to enable the delegated passticket endpoint of the API Gateway: @@ -14,7 +14,7 @@ Use the following procedure to enable the delegated passticket endpoint of the A This property defines whether the endpoint `/gateway/api/v1/auth/delegate/passticket` is available :::note -The default value of this parameter is `false`. +The default value of this parameter is `false`. To enable the endpoint set it to be `true`. ::: **Example:** 
@@ -22,9 +22,8 @@ The default value of this parameter is `false`. components: gateway: apiml: - gateway: - security: - delegatePassticket: false + security: + delegatePassticket: true ``` The userID that makes the call to the API must have `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET`. For more information on how to configure this see [Configuring User permission call delegated passticket API](#configuring-user-permission-to-generate-delegated-passtickets) @@ -61,14 +60,35 @@ In your ESM command line interface or other security environment, perform the fo +
+ +Click here for command details about configuring user access using ACF2 + +In your ESM command line interface or other security environment, perform the following step + +1. Grant the userID `READ` access + ```acf2 + SET RESOURCE(RDA) $KEY(ZOWE) TYPE(RDA) APIML.DELEGATE.PASSTICKET UID() SERVICE(READ) ALLOW + ``` + +
+ +
+ +Click here for command details about configuring user access using Top Secret + +In your ESM command line interface or other security environment, perform the following steps + +
+ ## Calling the /auth/delegate/passticket API -To call the API `GET` `/gateway/api/v1/auth/delegate/passticket` the body should be `JSON` +To call the API `POST` `/gateway/api/v1/auth/delegate/passticket` the body should be `JSON` ``` { "applId": "APPLID", - "emailId": "email@domain.com" + "emailId": "email@example.com" } ``` From f218a661a9b2d3edca1063e043cb761b199206db Mon Sep 17 00:00:00 2001 From: Joe Winchester Date: Mon, 9 Feb 2026 18:29:42 +0000 Subject: [PATCH 3/9] Fixed space indent from 4 to 2 Signed-off-by: Joe Winchester --- .../api-mediation/configuration-delegated-passticket.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-delegated-passticket.md b/docs/user-guide/api-mediation/configuration-delegated-passticket.md index 243187eb23..8dd9832db5 100644 --- a/docs/user-guide/api-mediation/configuration-delegated-passticket.md +++ b/docs/user-guide/api-mediation/configuration-delegated-passticket.md @@ -20,10 +20,10 @@ The default value of this parameter is `false`. To enable the endpoint set it t **Example:** ```yaml components: - gateway: - apiml: - security: - delegatePassticket: true + gateway: + apiml: + security: + delegatePassticket: true ``` The userID that makes the call to the API must have `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET`. For more information on how to configure this see [Configuring User permission call delegated passticket API](#configuring-user-permission-to-generate-delegated-passtickets) From 0df2edbad6c5df7b0e62388ae5f0802af4e6b91d Mon Sep 17 00:00:00 2001 From: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com> Date: Tue, 10 Feb 2026 08:36:03 +0100 Subject: [PATCH 4/9] Fix formatting in YAML Corrected indentation in YAML example and improved formatting. 
Signed-off-by: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com> --- .../api-mediation/configuration-delegated-passticket.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-delegated-passticket.md b/docs/user-guide/api-mediation/configuration-delegated-passticket.md index 8dd9832db5..a536f99833 100644 --- a/docs/user-guide/api-mediation/configuration-delegated-passticket.md +++ b/docs/user-guide/api-mediation/configuration-delegated-passticket.md @@ -14,16 +14,16 @@ Use the following procedure to enable the delegated passticket endpoint of the A This property defines whether the endpoint `/gateway/api/v1/auth/delegate/passticket` is available :::note -The default value of this parameter is `false`. To enable the endpoint set it to be `true`. +The default value of this parameter is `false`. To enable the endpoint set it to be `true`. ::: **Example:** ```yaml components: gateway: - apiml: - security: - delegatePassticket: true + apiml: + security: + delegatePassticket: true ``` The userID that makes the call to the API must have `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET`. For more information on how to configure this see [Configuring User permission call delegated passticket API](#configuring-user-permission-to-generate-delegated-passtickets) From 8df93235b6fcf914e288fe78c013537af129a98d Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Tue, 10 Feb 2026 10:57:40 +0100 Subject: [PATCH 5/9] initial language refactoring Signed-off-by: Andrew Jandacek --- .../configuration-authorization.md | 4 ++-- .../configuration-delegated-passticket.md | 18 ++++++++++-------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-authorization.md b/docs/user-guide/api-mediation/configuration-authorization.md index 6fb2b3bd49..85d6013e45 100644 --- a/docs/user-guide/api-mediation/configuration-authorization.md 
+++ b/docs/user-guide/api-mediation/configuration-authorization.md @@ -3,9 +3,9 @@ :::info Role: system administrator ::: -In Zowe's API Mediation Layer, system administrators can limit access to services and information in the API Catalog by hiding sensitive data like service instance URLs, configurable via the apiml.catalog.hide.serviceInfo property in zowe.yaml. Additionally, SAF resource checking for user authorization on specific endpoints is facilitated through various providers, such as Endpoint, Native, and Dummy. These configurations, modifiable in the zowe.yaml file, enhance security by controlling service exposure and ensuring proper authorization checks within the Zowe ecosystem. +In Zowe's API Mediation Layer, system administrators can limit access to services and information in the API Catalog by hiding sensitive data like service instance URLs, configurable via the `apiml.catalog.hide.serviceInfo` property in zowe.yaml. Additionally, SAF resource checking for user authorization on specific endpoints is facilitated through various providers, such as **Endpoint**, **Native**, and **Dummy**. These configurations, which can be modified in the zowe.yaml file, enhance security by controlling service exposure and ensuring proper authorization checks within the Zowe ecosystem. - [Limiting access to information or services in the API Catalog](./configuration-limiting-access-to-info-or-services-in-api-catalog.md) - [Configuring SAF resource checking](./configuration-saf-resource-checking.md) - [Configuring Health Endpoint Protection](./configuration-health-endpoint-protection.md) -- [Configuring delegated passticket generation](./configuration-delegated-passticket.md) \ No newline at end of file +- [Configuring delegated PassTicket generation](./configuration-delegated-passticket.md) \ No newline at end of file 
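Review bot: The replacement list line still carries `\ No newline at end of file`; since this list has now been appended to twice in this series (patch 1 and here), add the trailing newline so the next link added does not produce another noisy `\ No newline` hunk. Minor consistency point in the intro sentence: `apiml.catalog.hide.serviceInfo` is now in code font but the two mentions of zowe.yaml in the same sentence are not; write them as `zowe.yaml` to match the rest of the docs.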
diff --git a/docs/user-guide/api-mediation/configuration-delegated-passticket.md b/docs/user-guide/api-mediation/configuration-delegated-passticket.md index a536f99833..c2840273d1 100644 --- a/docs/user-guide/api-mediation/configuration-delegated-passticket.md +++ b/docs/user-guide/api-mediation/configuration-delegated-passticket.md 
@@ -1,20 +1,22 @@ -# Configuring Delegated Passticket Generation +# Configuring Delegated PassTicket Generation :::info Role: system administrator ::: -As a system administrator, you can enable the endpoint of the API Gateway that allows passticket generation for a delegated e-mail. This API allows the authenticated user to create a passticket for another user, so has the potential be be misused for privilege escalation or impersonation. For that reason the API authentication must be done with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET` and the endpoint must be enabled by setting `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`. +As a system administrator, you can enable the endpoint of the API Gateway that allows PassTicket generation for a delegated e-mail. This API allows the authenticated user to create a PassTicket for another user. As such, there is the potential for misuse resulting from privilege escalation or impersonation. -Use the following procedure to enable the delegated passticket endpoint of the API Gateway: +In addressing this risk, it is necessary that the API authentication be performed with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET`. Additionally, the endpoint must be enabled by setting the `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`. + +Use the following procedure to enable the delegated PassTicket endpoint of the API Gateway: 1. Open the file `zowe.yaml`. 2. Configure the following property: -* `components.gateway.apiml.security.delegatedPassticket` -This property defines whether the endpoint `/gateway/api/v1/auth/delegate/passticket` is available +* **components.gateway.apiml.security.delegatedPassticket** +This property defines whether the endpoint `/gateway/api/v1/auth/delegate/passticket` is available. :::note -The default value of this parameter is `false`. 
To enable the endpoint set it to be `true`. +The default value of this parameter is `false`. To enable the endpoint, set the value to `true`. ::: **Example:** @@ -28,9 +30,9 @@ components: The userID that makes the call to the API must have `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET`. For more information on how to configure this see [Configuring User permission call delegated passticket API](#configuring-user-permission-to-generate-delegated-passtickets) -## Configuring user permission to generate delegated passtickets +## Configuring user permission to generate delegated PassTickets -The delegated passticket API must be called with a client certificate. The z/OS user ID associated with the certificate must have `READ` permission for the `ZOWE.APIML.DELEGATE.PASSTICKET` class. +The delegated PassTicket API must be called with a client certificate. The z/OS user ID associated with the certificate must have `READ` permission for the `ZOWE.APIML.DELEGATE.PASSTICKET` class.
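Review bot: The bullet in the first hunk is renamed to **components.gateway.apiml.security.delegatedPassticket** while the paragraph just above it still reads `zowe.components.gateway.apiml.security.delegatePassticket` (`delegated` versus `delegate`); an administrator who copies the wrong spelling into zowe.yaml gets no error and the endpoint silently stays at the default `false`, which is the safe outcome but not the documented one. Use the exact key from the YAML example in both places. In the second hunk, the link text `Configuring User permission call delegated passticket API` is left untouched although the heading it points to is renamed to "Configuring user permission to generate delegated PassTickets"; update the link text to match (the anchor slug is unchanged).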
From 13a9a73fdc9c244145038615a93dab21a71bfef3 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Tue, 10 Feb 2026 12:20:55 +0100 Subject: [PATCH 6/9] language refactor and restructure Signed-off-by: Andrew Jandacek --- .../configuration-delegated-passticket.md | 96 ++++++++++++------- 1 file changed, 62 insertions(+), 34 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-delegated-passticket.md b/docs/user-guide/api-mediation/configuration-delegated-passticket.md index c2840273d1..ab7d032057 100644 --- a/docs/user-guide/api-mediation/configuration-delegated-passticket.md +++ b/docs/user-guide/api-mediation/configuration-delegated-passticket.md 
@@ -3,21 +3,27 @@ :::info Role: system administrator ::: -As a system administrator, you can enable the endpoint of the API Gateway that allows PassTicket generation for a delegated e-mail. This API allows the authenticated user to create a PassTicket for another user. As such, there is the potential for misuse resulting from privilege escalation or impersonation. +As a system administrator, you can enable the endpoint of the API Gateway that allows PassTicket generation for a delegated e-mail. -In addressing this risk, it is necessary that the API authentication be performed with a client certificate for a userID who has `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET`. Additionally, the endpoint must be enabled by setting the `zowe.components.gateway.apiml.security.delegatePassticket` parameter to `true`. +:::important Warning +This API allows the authenticated user to create a PassTicket for another user.This presents a potential risk for privilege escalation or impersonation. To mitigate this risk, you must ensure strict access control via client certificates and ESM permissions. +::: -Use the following procedure to enable the delegated PassTicket endpoint of the API Gateway: +To enable and use this feature, complete the following steps: -1. Open the file `zowe.yaml`. -2. Configure the following property: +1. Enable the delegated PassTicket endpoint in the Zowe configuration. -* **components.gateway.apiml.security.delegatedPassticket** -This property defines whether the endpoint `/gateway/api/v1/auth/delegate/passticket` is available. +2. Configure user permissions in your External Security Manager (ESM). -:::note -The default value of this parameter is `false`. To enable the endpoint, set the value to `true`. -::: +3. Call the API using the correct JSON payload. + +## Enabling the delegated PassTicket endpoint of the API Gateway + +By default, the delegated PassTicket endpoint is set to `false` (disabled). 
Enable this parameter in your zowe.yaml configuration file. + +1. Open the file `zowe.yaml`. +2. Locate the `components.gateway.apiml.security` section. +3. Set the `delegatePassticket` property to `true`. **Example:** ```yaml @@ -28,34 +34,42 @@ components: delegatePassticket: true ``` -The userID that makes the call to the API must have `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET`. For more information on how to configure this see [Configuring User permission call delegated passticket API](#configuring-user-permission-to-generate-delegated-passtickets) +4. Restart API ML to apply the changes. + +:::note +The userID that makes the call to the API must have `READ` access to the class `ZOWE.APIML.DELEGATE.PASSTICKET`. For details, see the following section, _Configuring user permission to generate delegated PassTickets_. +::: + +## Configuring user permissions to generate delegated PassTickets -## Configuring user permission to generate delegated PassTickets +The delegated PassTicket API requires authentication via a client certificate. The z/OS user ID associated with that certificate must have `READ` access to the `ZOWE.APIML.DELEGATE.PASSTICKET` resource class. -The delegated PassTicket API must be called with a client certificate. The z/OS user ID associated with the certificate must have `READ` permission for the `ZOWE.APIML.DELEGATE.PASSTICKET` class. +Follow the instructions for your specific External Security Manager (ESM):
-Click here for command details about configuring user access using RACF +Click here for command details to configure user access using RACF. +**For RACF:** In your ESM command line interface or other security environment, perform the following steps: -1. Define the resource class by running the command: +1. Define the resource class: ```racf RDEFINE ZOWE APIML.DELEGATE.PASSTICKET UACC(NONE) ``` -2. Permit the user associated with the client certificate `READ` access +2. Permit the user associated with the client certificate `READ` access: ```racf PERMIT APIML.DELEGATE.PASSTICKET CLASS(ZOWE) ID() ACCESS(READ) SETROPTS RACLIST(ZOWE) REFRESH ``` -- **`userID`** - The userID associated with the client certificate calling the API + * **`userID`** + The userID associated with the client certificate calling the API. -3. (optional) To see the all permissions for users +3. (Optional) Verify userr permissions: + ```racf RLIST ZOWE APIML.DELEGATE.PASSTICKET AUTHUSER ``` @@ -64,28 +78,35 @@ In your ESM command line interface or other security environment, perform the fo
-Click here for command details about configuring user access using ACF2 +Click here for command details to configure user access using ACF2. -In your ESM command line interface or other security environment, perform the following step +**For ACF2:** +In your ESM command line interface or other security environment, grant the userID `READ` access: -1. Grant the userID `READ` access - ```acf2 - SET RESOURCE(RDA) $KEY(ZOWE) TYPE(RDA) APIML.DELEGATE.PASSTICKET UID() SERVICE(READ) ALLOW - ``` +```acf2 +SET RESOURCE(RDA) $KEY(ZOWE) TYPE(RDA) APIML.DELEGATE.PASSTICKET UID() SERVICE(READ) ALLOW +``` +* **`userID`** +The userID associated with the client certificate calling the API.
-Click here for command details about configuring user access using Top Secret +Click here for command details to configure user access using Top Secret. -In your ESM command line interface or other security environment, perform the following steps +**For Top Secret:** +In your ESM command line interface or other security environment, perform the following steps:
-## Calling the /auth/delegate/passticket API +## Calling the `/auth/delegate/passticket` API + +Once enabled and secured, you can call the API to generate a PassTicket for a user based on their email mapping. -To call the API `POST` `/gateway/api/v1/auth/delegate/passticket` the body should be `JSON` +To call the API `POST` `/gateway/api/v1/auth/delegate/passticket`: + +**Request Body (JSON)** ``` { @@ -94,9 +115,16 @@ To call the API `POST` `/gateway/api/v1/auth/delegate/passticket` the body shoul } ``` --**`APPLID`** - The applicationID associated with the address space the passticket is being generated for. As an example, to create a passticket for z/OSMF this value will be `IZUDFLT` - --**`emailId`** - The e-mail ID of the user that is associated with the z/OS userID, see [ESM configuration](../../extend/extend-apiml/api-mediation-oidc-authentication.md#esm-configuration-prerequisites). +* **APPLID** + The applicationID associated with the address space the PassTicket is being generated for. + + **Example:** + Use `IZUDFLT` to create a PassTicket for z/OSMF. + +* **emailId** + The email ID of the user that is associated with the z/OS userID. + + :::tip + For more information about mapping email IDs to mainframe userIDs, see the [ESM configuration prerequisites](../../extend/extend-apiml/api-mediation-oidc-authentication.md#esm-configuration-prerequisites). + ::: From 4291f0a148cff27a54122db8843c64b472c1035c Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Tue, 10 Feb 2026 12:24:23 +0100 Subject: [PATCH 7/9] fix overview steps Signed-off-by: Andrew Jandacek --- .../api-mediation/configuration-delegated-passticket.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-delegated-passticket.md b/docs/user-guide/api-mediation/configuration-delegated-passticket.md index ab7d032057..fc25be8c37 100644 --- a/docs/user-guide/api-mediation/configuration-delegated-passticket.md 
+++ b/docs/user-guide/api-mediation/configuration-delegated-passticket.md @@ -11,11 +11,11 @@ This API allows the authenticated user to create a PassTicket for another user.T To enable and use this feature, complete the following steps: -1. Enable the delegated PassTicket endpoint in the Zowe configuration. +1. Enable the delegated PassTicket endpoint of the API Gateway. -2. Configure user permissions in your External Security Manager (ESM). +2. Configure user permissions to generate delegated PassTickets. -3. Call the API using the correct JSON payload. +3. Call the `/auth/delegate/passticket` API. ## Enabling the delegated PassTicket endpoint of the API Gateway From a6e5ccb5a3f7f90dbfc3a27454168d71f23dba4b Mon Sep 17 00:00:00 2001 From: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com> Date: Wed, 11 Feb 2026 14:55:22 +0100 Subject: [PATCH 8/9] Update delegatePassticket configuration format Signed-off-by: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com> --- .../api-mediation/configuration-delegated-passticket.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-delegated-passticket.md b/docs/user-guide/api-mediation/configuration-delegated-passticket.md index fc25be8c37..009f277e56 100644 --- a/docs/user-guide/api-mediation/configuration-delegated-passticket.md +++ b/docs/user-guide/api-mediation/configuration-delegated-passticket.md @@ -28,10 +28,10 @@ By default, the delegated PassTicket endpoint is set to `false` (disabled). Enab **Example:** ```yaml components: - gateway: - apiml: - security: - delegatePassticket: true + apiml: + security: + delegatePassticket: + enabled: true ``` 4. Restart API ML to apply the changes. From fa1da9e7201de41cf62d64a1eb018734aef4b979 Mon Sep 17 00:00:00 2001 
From: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com> Date: Wed, 11 Feb 2026 14:56:29 +0100 Subject: [PATCH 9/9] Corrected PassTicket configuration instructions Updated configuration steps for enabling delegated PassTicket. Signed-off-by: Martin Zeithaml <66114686+Martin-Zeithaml@users.noreply.github.com> --- .../api-mediation/configuration-delegated-passticket.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-delegated-passticket.md b/docs/user-guide/api-mediation/configuration-delegated-passticket.md index 009f277e56..136c589960 100644 --- a/docs/user-guide/api-mediation/configuration-delegated-passticket.md +++ b/docs/user-guide/api-mediation/configuration-delegated-passticket.md @@ -22,8 +22,8 @@ To enable and use this feature, complete the following steps: By default, the delegated PassTicket endpoint is set to `false` (disabled). Enable this parameter in your zowe.yaml configuration file. 1. Open the file `zowe.yaml`. -2. Locate the `components.gateway.apiml.security` section. -3. Set the `delegatePassticket` property to `true`. +2. Locate the `components.apiml.security` section. +3. Set the `delegatePassticket.enabled` property to `true`. **Example:** ```yaml
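Review bot: Patch 1, new file `docs/user-guide/api-mediation/configuration-delegated-passticket.md`, hunk `@@ -0,0 +1,80 @@`: the prose says the caller needs `READ` access to "the class `ZOWE.APIML.DELEGATE.PASSTICKET`", but the command in the same hunk, `RDEFINE ZOWE APIML.DELEGATE.PASSTICKET UACC(NONE)`, defines resource profile `APIML.DELEGATE.PASSTICKET` in class `ZOWE`; say "READ access to resource `APIML.DELEGATE.PASSTICKET` in class `ZOWE`" so the text matches what an administrator will find with `RLIST`. The `PERMIT APIML.DELEGATE.PASSTICKET CLASS(ZOWE) ID() ACCESS(READ)` line renders with an empty `ID()` even though a `userID` bullet describes the value right below it; if the source uses angle brackets for the placeholder they are being dropped as markup, so write `ID(userID)` or escape the brackets (the same applies to `UID()` in the ACF2 command added in patch 2). The YAML example in this hunk also nests `gateway:` twice and sets `delegatePassticket: false` while the surrounding text says to set it to `true`, and `GET` is documented with a JSON body; patch 2 corrects both, but they should not have reached the branch.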
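Review bot: Patch 2, `docs/appendix/zowe-yaml-configuration.md`, hunk `@@ -536,8 +536,11 @@`: the new entry documents the property as `apiml.security.delegatePassticket.enabled` (a map with an `enabled` key), whereas the user-guide page in this same patch instructs `delegatePassticket: true` (a plain boolean); one of the two will be ignored by the gateway, so settle the shape here and use it in both files. The reflow of the `apiml.security.oidc.userIdField` description, which splits "3.4.0" from "and later versions" onto a new line, is unrelated to this change and looks accidental; revert it to keep the hunk to the PassTicket entry.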
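Review bot: Patch 2, `configuration-delegated-passticket.md`, hunk `@@ -3,7 +3,7 @@`: the fix for "priviledge" leaves "the potential be be misused" in the same sentence; correct it to "to be misused" while touching this line.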
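Review bot: Patch 2, `configuration-delegated-passticket.md`, hunk `@@ -61,14 +60,35 @@`: the new Top Secret block ends with "perform the following steps" and no steps, so an administrator on Top Secret has no documented way to grant the permission; either add the TSS commands or leave the block out until they are available, since an empty section can be read as "nothing to configure" for an endpoint that the page itself flags as an impersonation risk. The ACF2 command `SET RESOURCE(RDA) $KEY(ZOWE) TYPE(RDA) APIML.DELEGATE.PASSTICKET UID() SERVICE(READ) ALLOW` has the same empty `UID()` placeholder problem as the RACF `ID()` in patch 1. The `GET` to `POST` correction in the last part of this hunk is right; the appendix entry added in this patch already said `POST`.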
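Review bot: Patch 4, hunk `@@ -14,16 +14,16 @@`: the removed and added `The default value of this parameter is \`false\`. To enable the endpoint set it to be \`true\`.` lines are textually identical, so this is a whitespace-only change that the commit message ("Corrected indentation in YAML example") does not mention; either drop it or say so, since reviewers otherwise look for a difference that is not there. Note also that this patch re-indents the same four YAML lines that patch 3 just changed; squashing the two would make the history easier to follow.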
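Review bot: Patch 6, hunk `@@ -3,21 +3,27 @@`: missing space in the new warning admonition, "create a PassTicket for another user.This presents"; fix to "user. This presents". The opening sentence kept from earlier patches, "allows PassTicket generation for a delegated e-mail", is imprecise: per the request body documented later on the page, the PassTicket is generated for the z/OS userID that `emailId` maps to, for application `applId`, so say that. "By default, the delegated PassTicket endpoint is set to `false` (disabled)" describes the property, not the endpoint; "the `delegatePassticket` property defaults to `false`, so the endpoint is disabled" reads correctly.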
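Review bot: Patch 6, hunk `@@ -28,34 +34,42 @@`: typo in the RACF step "3. (Optional) Verify userr permissions"; "user permissions". The `ID()` placeholder in the `PERMIT` line is carried over unchanged from patch 1 and still renders empty, and the `userID` bullet that is re-indented under step 2 in this hunk only makes sense if the placeholder is visible in the command above it.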
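Review bot: Patch 6, hunk `@@ -94,9 +115,16 @@`: the first parameter is documented as **APPLID** while the request body shown above it uses the key `applId`; document the parameter under its JSON key name so readers do not send `APPLID` (the second parameter, **emailId**, already matches). The request body fence is untagged; tag it ```` ```json ```` like the ```` ```yaml ```` fence earlier on the page. Missing documentation: the page never states what the caller receives when `delegatePassticket` is disabled or when the certificate's userID lacks `READ` on the resource; documenting the expected response lets an administrator confirm the lockdown is in effect before rolling the endpoint out.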
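Review bot: Patch 8, hunk `@@ -28,10 +28,10 @@`: the YAML example drops `gateway:` and moves the property to `components.apiml.security.delegatePassticket.enabled`, but in the same file the step list still says "Locate the `components.gateway.apiml.security` section" and "Set the `delegatePassticket` property to `true`" until patch 9 corrects it; the two should be one commit so that no intermediate revision of the page contradicts itself.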
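Review bot: Patch 9, hunk `@@ -22,8 +22,8 @@`: after this change the user guide tells administrators to edit `components.apiml.security.delegatePassticket.enabled`, while the appendix entry added in patch 2 (`docs/appendix/zowe-yaml-configuration.md`) lists `apiml.security.delegatePassticket.enabled` under the `components.gateway` section, and the sentence in the page introduction left over from patch 1 still names `zowe.components.gateway.apiml.security.delegatePassticket`. Only one of these paths can be the key the gateway reads; the rest will be silently ignored, leaving the endpoint disabled for anyone following the wrong page. Reconcile all three to the key the gateway actually reads before merging.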