Configuring JSON Web Token (SC15)
This scenario shows how CICS® Transaction Gateway can be configured to consume a JSON Web Token (JWT) as an authentication token.
In this scenario, the JWT is generated using the JwtBuilder class of WebSphere® Application Server Liberty. The JWT carries the distributed identity as one of its claims. On successful validation of the JWT, CICS TG passes the distributed identity to CICS TS. The distributed identity is mapped to a RACF® user ID, which CICS TS uses for authorization.
The flow of this scenario:
Figure 1 shows the following steps:
- The user sends a request to the client application.
- The client application running on Liberty generates the JWT with the user name as the subject (sub) claim in the token.
- The client application passes the request, including the token, to CICS TG through the resource adapter deployed on the Liberty server.
- CICS TG validates the token, extracts the user from the token, and makes the request to CICS TS with the distributed user.
- CICS TS sends the distributed user to RACF.
- RACF returns the RACF user mapped to the distributed user.
- CICS TS runs the transaction with the RACF user and sends the response back.
| Component | Parameter | Where set | Example value |
|---|---|---|---|
| WAS Liberty Server | resourceAdapter | server.xml | eciResourceAdapter |
| WAS Liberty Server | jwtBuilder | server.xml | Jwtb1 |
| WAS Liberty Server | signatureAlgorithm | jwtBuilder section of server.xml | HS256 |
| WAS Liberty Server | sharedKey | jwtBuilder section of server.xml | secret |
| WAS Liberty Server | enterpriseApplication | server.xml | ECIJWT |
| CICS Transaction Gateway | JWTTOKENPROVIDER | ctg.ini | TOKENPROVIDERA |
| CICS Transaction Gateway | ALGORITHM | JWTTOKENPROVIDER section in ctg.ini | HS256 (must match signatureAlgorithm in the Liberty server.xml) |
| CICS Transaction Gateway | SECRETKEY | JWTTOKENPROVIDER section in ctg.ini | secret (must match sharedKey in the Liberty server.xml) |
| CICS Transaction Gateway | USERIDENTIFIER | JWTTOKENPROVIDER section in ctg.ini | sub |
| CICS Transaction Gateway | IPICSERVER | ctg.ini | CICSS1 |
| CICS Transaction Gateway | HOSTNAME | ctg.ini | server.ibm.com |
| CICS Transaction Gateway | PORT | ctg.ini | 1234 |
| CICS Transaction Gateway | TOKENPROVIDERS | ctg.ini | TOKENPROVIDERA |
| CICS Transaction Server | TCPIPService | TCPIPService definition | JWTTEST1 |
| CICS Transaction Server | Portnumber | TCPIPService definition | 1234 |
| CICS Transaction Server | IPConn | IPConn definition | JWTIPIC1 |
| CICS Transaction Server | TCPIPService | IPConn definition | JWTTEST1 |
| CICS Transaction Server | Userauth | IPConn definition | Identify |
| RACF | USERID | RACF resource access list | RheaPark |
- server.xml - Liberty server configuration file
- ctg.ini - CICS TG configuration file
- ECIJWT.ear - Application EAR file to be deployed on the Liberty server
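The following added example is not part of this scenario or of the CICS TG or Liberty code; it models the two token steps in plain Python (standard library only): building an HS256 JWT whose sub claim is the distributed identity, and the gateway-side check that verifies the signature and expiry before the claim named by USERIDENTIFIER is trusted. The key value "secret" and the subject "RheaPark" are the table's example values, and the function names are the example's own.

```python
import base64, hashlib, hmac, json, time

# Example values mirroring the scenario's table (ALGORITHM=HS256, SECRETKEY=secret).
# "secret" is the documentation's sample value only; a deployment uses a strong key.
SHARED_KEY = b"secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_jwt(subject: str, key: bytes, issued_at: int, ttl: int = 300) -> str:
    """Stand-in for the Liberty JwtBuilder: HS256 token with 'sub' = distributed identity."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def extract_user(token: str, key: bytes, user_identifier: str = "sub", now=None):
    """Model of the gateway-side check: verify the HS256 signature and expiry,
    then return the claim named by USERIDENTIFIER. Returns None on any failure,
    so no identity is ever forwarded from an unverified token."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except (ValueError, TypeError):
        return None
    # Only the configured ALGORITHM is acceptable; any other header value is rejected.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    user = claims.get(user_identifier)
    return user if isinstance(user, str) and user else None

if __name__ == "__main__":
    token = build_jwt("RheaPark", SHARED_KEY, int(time.time()))
    print(extract_user(token, SHARED_KEY))  # prints RheaPark
```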