Configuring RACF for JWT

CICS® Transaction Server for z/OS® provides support for JSON Web Tokens (JWTs) using RACF®. For information, see How it works: JSON Web Token (JWT).

This capability requires RACF APAR OA55926 and SAF APAR OA55927.

For a CICS region to support JWTs, you must create profiles in the IDTDATA class. Be sure to specify the IDTPARMS SIGTOKEN option, because CICS supports only signed JWTs. The IDTDATA class must be active and RACLISTed.

Figure 1 shows example RDEFINE statements to create such profiles. For details of the commands, see Security Server RACF Command Language Reference.

Figure 1. Example RDEFINE statements to create profiles for JWT support

SETROPTS CLASSACT(IDTDATA) RACLIST(IDTDATA)
RDEFINE IDTDATA JWT.applid.userid.SAF IDTPARMS(SIGTOKEN(icsftoken))
SETROPTS RACLIST(IDTDATA) REFRESH

applid
Specify the APPLID of the CICS region. If all CICS regions are supported, specify an asterisk (*).
userid
Specify the CICS task user ID that is allowed to process JWTs. If all user IDs are supported, specify an asterisk (*).