Use LTPA tokens to allow CMCI "sessions"

[davenice]

The CMCI JVM server is available in most modern CICS installations - it puts a Liberty instance in front of the CMCI connection.

The was used by the Eclipse-based CICS Explorer as a route to provide MFA support, because the Liberty instance supports LTPA tokens out-of-the-box.

LTPA tokens give the concept of a session to the CMCI REST interface - after the initial authentication with basic auth, a cookie with an LTPA token is returned. If that LTPA token is presented (instead of basic auth) on subsequent REST calls, Liberty will make the request as the originally authenticated user.

This has a couple of key benefits...

1. Basic auth information is transferred across the wire less frequently, reducing the window for any attack to grab credentials
2. The connection becomes possible to use with MFA

This piece of work should cover:

• Connecting with basic auth
• In the response from the server, detecting an LTPA token has been returned
• Caching the LTPA token in memory
• Using the LTPA token on subsequent REST requests
• When a request using the LTPA token gets a 401 retrying with basic auth

[github-actions]

Thank you for raising this enhancement request.
The community has 90 days to vote on it.
If the enhancement receives at least 5 upvotes, it is added to our development backlog.
If it receives fewer votes, the issue is closed.