Enabling Db2 to send authentication tokens

FL 505 To enable token authentication, you must configure the Db2 requester to send a RACF®-generated authentication token in a connection request to the Db2 remote server.

Procedure

  1. Activate the RACF IDTDATA resource class by issuing the following commands:
    SETROPTS CLASSACT(IDTDATA)
    SETROPTS RACLIST(IDTDATA)
    SETROPTS GENERIC(IDTDATA)
  2. Define an IDTDATA class profile for the Db2 requester that is configured to send an authentication token. Issue the following RACF command to create the profile:
    RDEFINE IDTDATA JWT.applid.*.SAF
         IDTPARMS(SIGTOKEN(token-name)
                  SIGSEQNUM(token-sequence-number)
                  SIGCAT(token-category)
                  SIGALG(HS256|HS384|HS512)
                  ANYAPPL(YES|NO)
                  IDTTIMEOUT(timeout-minutes)
                  PROTALLOWED(YES|NO)
                 )
    Where:
    JWT.applid.*.SAF
    Specifies the name of the IDTDATA class profile that is used for creating and validating an authentication token. You can specify the profile name in one of the following formats:
    • JWT.applid.authid.SAF
    • JWT.applid.*.SAF

    For a Db2 requester, applid must be the value of the LINKNAME column in the row of the SYSIBM.LOCATIONS table where the SECURITY_OUT column of the related SYSIBM.IPNAMES table is set to 'T'.

    SIGTOKEN

    Specifies the ICSF PKCS#11 token name for the generation and validation of the token signature associated with this profile. If the token names on the Db2 requester and server are different, make sure that the HMAC key for both tokens is sourced from the same key material. Otherwise, RACF validation of the token presented by the server will fail.

    SIGSEQNUM

    Specifies the ICSF PKCS#11 sequence number of the HMAC key for the generation and validation of the token signature associated with the profile. The sequence number must match the one assigned when the PKCS#11 HMAC key was created.

    SIGCAT

    Specifies the ICSF PKCS#11 category of the HMAC key for the generation and validation of the token signature associated with the profile. The category must be either T (clear token) or Y (secure token), with T as the default. You can create a secure token by using the z/OS® Crypto Express coprocessors in EP11 mode.

    SIGALG

    Specifies the signature algorithm for the HMAC key for the generation of the token signature associated with the profile. Valid values are HS256, HS384, and HS512, with HS256 as the default.

    ANYAPPL

    Specifies whether the token can be used for any application other than the one that performs authentication validation, with YES as the default.

    Setting the ANYAPPL option to YES allows the token to be generated and validated under different applid values. Db2 uses the LINKNAME column value of the SYSIBM.LOCATIONS table when generating the token, so the LINKNAME value must match the applid of the remote Db2 server.

    IDTTIMEOUT

    Specifies the number of minutes during which the token associated with the profile is active.

    PROTALLOWED

    Specifies whether the token associated with this profile can be used to authenticate a RACF-protected user ID.

    If the token is generated at the Db2 requester and represents a RACF-protected user ID, you must specify the PROTALLOWED option and set it to YES in the IDTDATA profile at the remote Db2 server.

  3. Refresh the RACF IDTDATA resource class and the class profile by issuing the following commands:
    SETROPTS RACLIST(IDTDATA) REFRESH
    RLIST IDTDATA JWT.applid.*.SAF IDT
  4. Specify 'T' in the SECURITY_OUT column of the SYSIBM.IPNAMES table for each remote Db2 server to which you want to send the authentication token.
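The following is an added illustration, not IBM or RACF code, of the HMAC-signed JWT semantics that the SIGTOKEN, SIGALG and IDTTIMEOUT settings above govern: a token signed with one HMAC key validates only against the same key material, and only within its lifetime. The key, the claim names and the token layout are constructed for the example; RACF builds the real IDT from the IDTDATA profile and the ICSF key, not from this code.

```python
import base64
import hashlib
import hmac
import json
import time

# The SIGALG values accepted by the IDTDATA profile, mapped to their HMAC digests.
SIGALG = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS (header.payload.signature) over the claims with the HMAC key."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = _b64url(header) + "." + _b64url(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), SIGALG[alg]).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, key: bytes, now=None):
    """Return (ok, reason); rejects malformed tokens, non-HMAC algs, bad signatures and expiry."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    alg = header.get("alg")
    if alg not in SIGALG:  # only the HMAC algorithms the profile can specify are accepted
        return False, f"unsupported alg {alg!r}"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), SIGALG[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return False, "signature mismatch (key material differs)"
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):  # lifetime corresponds to IDTTIMEOUT on the profile
        return False, "token expired"
    return True, "ok"


# Constructed demo values: a 5-minute token checked with the matching key, a different key,
# and after its lifetime has elapsed.
REQUESTER_KEY = b"constructed-demo-key-not-real-key-material"
ISSUED = 1_700_000_000
CLAIMS = {"sub": "DB2USER", "iat": ISSUED, "exp": ISSUED + 5 * 60}


def demo():
    tok = sign_token(CLAIMS, REQUESTER_KEY, "HS256")
    return (validate_token(tok, REQUESTER_KEY, now=ISSUED + 60),
            validate_token(tok, b"server-key-from-other-material", now=ISSUED + 60),
            validate_token(tok, REQUESTER_KEY, now=ISSUED + 600))
```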

What to do next

Verify that the remote Db2 server is also configured to receive the authentication token. If the remote system is a data sharing group, make sure that all members of the group are enabled to receive the token.