Skip to main content
Version: v3.3.x LTS

Authentication mechanisms

Authentication mechanisms

Zowe CLI uses various methods, or mechanisms, of authentication when communicating with the mainframe. The default order of precedence for these methods is outlined here.

As an extender, if your extension requires a specific type of authentication that differs from the default, you can tell your users to add the authOrder property to their configuration. Otherwise, extenders can program the addition of the authOrder property to their associated profile in the Zowe client configuration.

note

Zowe CLI users are able to change the default order of precedence by adding the authOrder property to their configuration, or changing its values. Be aware of this possibility as you develop your extension.

Default order of precedence

The method that the CLI ultimately follows is based on the service it is communicating with.

Some services can accept multiple methods of authentication. When multiple methods are provided (in a profile or command) for a service, the CLI follows an order of precedence to determine which method to apply. Extenders can modify this order for their plug-in.

To learn the authentication methods used for different services and their order of precedence, refer to the following table.

ServiceOrder of precedence
API Mediation Layer

Note: To avoid errors, update profiles for services routed
through API ML to store base path instead of port number
1. username, password
2. API ML token
3. PEM certificate
Db2,
FTP,
most other services
username, password
SSH1. SSH key
2. username, password
ZOSMF
direct connection
1. username, password
2. PEM certificate