Enabling Db2 to receive authentication tokens

FL 505 To enable token authentication, you must also configure the remote Db2 server to receive a RACF®-generated authentication token in the connection request from a Db2 requester. If the server is a data sharing group, make sure that all members of the group are enabled to receive the token.

Before you begin

Verify that the Db2 requester has successfully obtained an authentication token from RACF and is configured to send the token to the remote server.

Procedure

  1. Activate the RACF IDTDATA resource class by issuing the following commands:
    SETROPTS CLASSACT(IDTDATA)
    SETROPTS RACLIST(IDTDATA)
    SETROPTS GENERIC(IDTDATA)
  2. Define an IDTDATA class profile for the Db2 server that is configured to receive an authentication token. Issue the following RACF command to create the profile:
    RDEFINE IDTDATA JWT.applid.*.SAF
         IDTPARMS(SIGTOKEN(token-name)
                  SIGSEQNUM(token-sequence-number)
                  SIGCAT(token-category)
                  SIGALG(HS256|HS384|HS512)
                  ANYAPPL(YES|NO)
                  IDTTIMEOUT(timeout-minutes)
                  PROTALLOWED(YES|NO)
                 )
    Where:
    JWT.applid.*.SAF
    Specifies the name of the IDTDATA class profile that is used for creating and validating the authentication token. You can specify the profile name in one of the following formats:
    • JWT.applid.authid.SAF
    • JWT.applid.*.SAF

    For a Db2 server that is not a member of a data sharing group, applid is the value of the LUNAME or IPNAME column of the SYSIBM.IPNAMES table. If the Db2 server is a data sharing group, applid is the value of the generic LUNAME or IPNAME column in the BSDS.

    SIGTOKEN

    Specifies the ICSF PKCS#11 token name for the generation and validation of the token signature associated with this profile. If the token names on the Db2 requester and server are different, make sure that the HMAC key for both tokens is sourced from the same key material. Otherwise, RACF validation of the token presented by the server will fail.

    SIGSEQNUM

    Specifies the ICSF PKCS#11 sequence number of the HMAC key for the generation and validation of the token signature associated with the profile. The sequence number must correspond to how the PKCS#11 HMAC key was created.

    SIGCAT

    Specifies the ICSF PKCS#11 category of the HMAC key for the generation and validation of the token signature associated with the profile. The category must be either T (clear token) or Y (secure token), with T as the default. You can create a secure token by using the z/OS® Crypto Express coprocessors in EP11 mode.

    SIGALG

    Specifies the signature algorithm for the HMAC key for the generation of the token signature associated with the profile. Valid values are HS256, HS384, and HS512, with HS256 as the default.

    ANYAPPL

    Specifies whether the token can be used for any application other than the one that performs authentication validation, with YES as the default.

    Setting the ANYAPPL option to YES allows the token to be generated and validated under different applid values. Db2 uses the LINKNAME column value of the SYSIBM.LOCATIONS table when generating the token, so the LINKNAME value must match the applid of the remote Db2 server.

    IDTTIMEOUT

    Specifies the number of minutes during which the token associated with the profile is active.

    PROTALLOWED

    Specifies whether the token associated with this profile can be used to authenticate a RACF protected user ID.

    If the token is generated at the Db2 requester and represents a RACF protected user ID, you must specify the PROTALLOWED option and set it to YES in the IDTDATA profile at the remote Db2 server.

    See z/OS Security Server RACF Command Language Reference for more information about the IDTPARMS parameters and the RACF IDT support.

  3. Refresh the RACF IDTDATA resource class and the class profile by issuing the following commands:
    SETROPTS RACLIST(IDTDATA) REFRESH
    RLIST IDTDATA JWT.applid.*.SAF IDT
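    The following Python block is an added illustration, not code from the Db2 or RACF documentation, of the checks the IDTPARMS settings above govern when the server validates a requester's token: the SIGALG value selects the HMAC digest (HS256, HS384 or HS512), the signature only verifies when both sides use the same HMAC key material (the SIGTOKEN requirement), the token is rejected once IDTTIMEOUT minutes have elapsed, and ANYAPPL(NO) ties the token to one applid. The claim names, key bytes and applid values are constructed for the example and are not RACF's actual token layout.

```python
import base64, hashlib, hmac, json, time

# SIGALG values from the IDTDATA profile mapped to the HMAC digest they select.
SIGALG_DIGEST = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_token(key, sigalg, subject, applid, idttimeout_minutes, now=None):
    """Requester side: sign a JWT with the HMAC key the profile's SIGTOKEN selects."""
    now = int(time.time()) if now is None else now
    header = {"alg": sigalg, "typ": "JWT"}
    # Constructed claim set for illustration only; RACF's real IDT claims differ.
    claims = {"sub": subject, "aud": applid, "iat": now,
              "exp": now + idttimeout_minutes * 60}   # IDTTIMEOUT in minutes
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), SIGALG_DIGEST[sigalg]).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(key, token, server_applid, anyappl=False, now=None):
    """Server side: return the claims when signature, applid and expiry all pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        digest = SIGALG_DIGEST[header["alg"]]   # rejects "none" and any non-HS* algorithm
    except (ValueError, KeyError):
        return None
    expected = hmac.new(key, f"{h64}.{c64}".encode(), digest).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None          # different HMAC key material: signature check fails
    if claims.get("exp", 0) <= now:
        return None          # IDTTIMEOUT elapsed
    if not anyappl and claims.get("aud") != server_applid:
        return None          # ANYAPPL(NO): token was generated for another applid
    return claims
```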

What to do next

Verify that the Db2 requester is also configured to send the authentication token.