Support for JWT using RACF
CICS® Transaction Server for z/OS® supports the use of JSON Web Tokens (JWTs) generated by RACF®. With this capability, you can convert basic authentication credentials of a user to a time-limited secure token and then validate this secure token. This facility is particularly useful where applications that use passwords are being converted to using MFA tokens.
CICS supports only signed JWTs that are generated by using RACF. The JWT takes the form described by the JSON Web Token (JWT) specification, RFC 7519.
Converting basic authentication credentials to JWTs
Using the VERIFY TOKEN command, CICS can convert basic authentication credentials of a user to a JWT and then validate the JWT. For more information about VERIFY TOKEN, see VERIFY TOKEN.
CICS can convert MFA tokens to JWTs to support the use of MFA tokens on stateless requests that cache credentials. For more information, see Support for Multi-Factor Authentication using RACF.
The VERIFY TOKEN BASICAUTH command can be used to generate a RACF JWT by using the OUTTOKEN option. The user application must return this token securely to the client (such as in a header). When the client returns with this token, the application can validate it with VERIFY TOKEN JWT. The principal use case is when MFA is used for the basic auth token.
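An added COBOL sketch of the two-step flow just described; it is example code, not taken from the CICS documentation or from IBM. The first VERIFY TOKEN converts the client's basic authentication token to a RACF JWT through OUTTOKEN, and the second validates that JWT on a later request. The TOKEN, TOKENLEN, OUTTOKENLEN and ENCODING options, the WEB WRITE HTTPHEADER and WEB SEND calls, the field sizes and the header name are assumptions drawn from the general CICS command syntax, not from this page.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. JWTDEMO.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * Constructed sample: base64 of "user1:123456" as a client sends
      * it in an Authorization: Basic header (123456 = an MFA token).
       01  WS-BASIC-TOKEN   PIC X(256) VALUE 'dXNlcjE6MTIzNDU2'.
       01  WS-BASIC-LEN     PIC S9(8) COMP VALUE 16.
       01  WS-JWT           PIC X(4096).
       01  WS-JWT-LEN       PIC S9(8) COMP VALUE 4096.
       01  WS-RESP          PIC S9(8) COMP.
       01  WS-RESP2         PIC S9(8) COMP.
       PROCEDURE DIVISION.
      * Step 1: check the basic auth credentials against RACF and,
      * on success, receive a signed, time-limited RACF JWT.
      * (ENCODING/TOKENLEN/OUTTOKENLEN are assumed option names.)
           EXEC CICS VERIFY TOKEN(WS-BASIC-TOKEN)
                TOKENLEN(WS-BASIC-LEN) BASICAUTH
                ENCODING(BASE64)
                OUTTOKEN(WS-JWT) OUTTOKENLEN(WS-JWT-LEN)
                RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC.
           IF WS-RESP NOT = DFHRESP(NORMAL)
              PERFORM AUTH-FAILED
           END-IF.
      * Hand the JWT back to the client in a response header
      * (header name is a constructed example).
           EXEC CICS WEB WRITE HTTPHEADER('X-CICS-JWT')
                NAMELENGTH(10)
                VALUE(WS-JWT) VALUELENGTH(WS-JWT-LEN)
           END-EXEC.
      * Step 2 (later request): the client presents only the JWT;
      * RACF checks the signature and expiry, no password needed.
           EXEC CICS VERIFY TOKEN(WS-JWT)
                TOKENLEN(WS-JWT-LEN) JWT
                RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC.
           IF WS-RESP NOT = DFHRESP(NORMAL)
              PERFORM AUTH-FAILED
           END-IF.
           EXEC CICS RETURN END-EXEC.
       AUTH-FAILED.
      * Reject with 401 and end the task; never emit a token here.
           EXEC CICS WEB SEND STATUSCODE(401)
                STATUSTEXT('Unauthorized') STATUSLEN(12)
           END-EXEC.
           EXEC CICS RETURN END-EXEC.
```

In a real application the two steps live in different requests: the JWT is issued once and then presented by the client on each subsequent stateless request until it expires.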
Configuring RACF for JWT
For a CICS region to support JWTs, you must create profiles in the IDTDATA class. Be sure to specify the IDTPARMS SIGTOKEN option, because CICS supports only signed JWTs. The IDTDATA class must be active and RACLISTed.
Figure 1 shows example RDEFINE statements to create such profiles. For more information, see Security Server RACF Command Language Reference.
SETROPTS CLASSACT(IDTDATA)
RDEFINE IDTDATA JWT.applid.userid.SAF IDTPARMS(SIGTOKEN(icsftoken))

applid
    Specify the APPLID of the CICS region. If all CICS regions are supported, specify an asterisk (*).
userid
    Specify the CICS task user ID that is allowed to process JWTs. If all user IDs are supported, specify an asterisk (*).