Configuring JWT security
Configure identity propagation on RACF
CICS® Transaction Gateway (CICS TG) can validate a JWT and then pass the user security identity information to CICS Transaction Server for IBM® z/OS®.
The steps required to configure RACF® for identity propagation.
CICS TG uses RACF to implement the z/OS Identity Propagation feature, which maps the distributed identity to a RACF user ID.
RACF must contain mappings of distinguished names to RACF user IDs. The distinguished names defined in the mappings must have the same format as they have in the user registry. For more information about configuring IPIC connections and RACF, see the CICS® Transaction Server documentation.
The RACMAP subcommands used to manage these mappings:
- MAP: creates a distributed identity filter.
- DELMAP: deletes a distributed identity filter.
- LISTMAP: lists information about a distributed identity filter.
Example:
RACMAP ID(CTGMAPD) MAP +
USERDIDFILTER(NAME('CTGUSER1')) +
REGISTRY(NAME('*')) +
WITHLABEL('Test Mapping EMPLOY1')

Configuring identity propagation on CICS Transaction Server
CICS Transaction Gateway should be configured with JWT consumer information so that it can validate the JWT. The JWT consumer information is configured in the JWTTOKENPROVIDER section of the INI file.
The steps required to configure identity propagation on CICS Transaction Server.
For more information, see Configuring identity propagation on CICS Transaction Server.
Configuring JWT Security
CICS Transaction Gateway validates the JWT and then passes the user security identity information (either a distributed identity taken from the JWT claims or a RACF user ID) across the network to CICS Transaction Server (CICS TS) for IBM z/OS. CICS TS then either uses RACF to map the distributed identity to a RACF user ID, when the JWT carries a distributed identity, or uses the configured RACF user ID directly, when the JWT carries a RACF user ID, and runs the transaction under that user.
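The two stages described above, validate first and only then map the identity, modelled in a small added Python example that is not CICS TG or RACF code. It assumes an HS256 JWT consumer key, hypothetical claim names (racf_user, or sub plus registry) and an in-memory table of RACMAP-style filters with exact DN matching and a '*' registry wildcard; all keys, DNs and IDs are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data (assumption, not from the page): a shared HS256 key and
# RACMAP-style filters as (user DID filter name, registry name, RACF user ID).
# REGISTRY '*' matches any registry, as in the RACMAP MAP example above.
KEY = b"constructed-demo-key-not-for-production"
FILTERS = [
    ("CN=CTGUSER1,OU=Apps,O=Example", "ldap://registry.example", "CTGUSR1"),
    ("CN=CTGUSER1,OU=Apps,O=Example", "*", "CTGMAPD"),
]

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims, key=KEY):
    """Issuer side: build an HS256 token for the constructed sample."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def validate_jwt(token, key=KEY, now=None):
    """Consumer side: check algorithm, signature and expiry before any claim is trusted."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unsupported alg")          # rejects alg=none and other algorithms
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def map_distributed_id(user_did, registry):
    """RACF-like lookup (assumed exact DN match); an explicit registry filter beats '*'."""
    wildcard = None
    for did, reg, racf_user in FILTERS:
        if did == user_did and reg == registry:
            return racf_user
        if did == user_did and reg == "*":
            wildcard = racf_user
    return wildcard                                   # None: no filter matched, deny

def resolve_racf_user(token, key=KEY, now=None):
    """Hypothetical claims: 'racf_user' (direct ID) or 'sub' + 'registry' (distributed)."""
    claims = validate_jwt(token, key, now)
    if "racf_user" in claims:
        return claims["racf_user"]
    return map_distributed_id(claims["sub"], claims["registry"])
```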