Enabling Db2 for token authentication
FL 505 Token-based authentication enables an application (client) to use a generalized token for authentication at a remote server. Db2 supports token authentication by leveraging the RACF Identity Token (IDT) capability. You can enable Db2 to send and receive an authentication token, instead of a PassTicket or a user ID and password, in a connection request.
You can obtain an authentication token of the JWT (JSON web token) type from RACF. RACF generates the authentication token based on the current authentication environment of the Db2 requester (the running application) or the outbound translated user ID. If an outbound translated user ID is used for the connection, the same user ID must exist on both the requesting and receiving (remote) systems. As a result, the authentication token contains all the authentication information that is required for use.
The authentication token from RACF references a PKCS#11 token as part of the RACF IDTDATA class profile. The PKCS#11 token is defined with REXX execs in a TSO batch environment. A sample REXX exec, CSFTRIDT
, for defining the PKCS#11 token is included in SYS1.SAMPLIB (ICSF APAR OA63657).
The PKCS#11 token uses an HMAC key, and RACF generates and validates the signature for the token. Successful token validation requires that both the generating and evaluating systems share the same HMAC key or the same original source key material.
After obtaining the authentication token, the Db2 requester passes the token in a connection request to a remote Db2 server. If the server is also enabled for token authentication, it presents the token to RACF for validation. Upon successful validation of the authentication token, the Db2 server authenticates the connection request.
When compared to other security mechanisms, RACF IDT provides the most secure and efficient way to protect user credentials because the authentication is replayed. With sysplex workload balancing enabled, IDT-supported token authentication is securely replayed and remains in effect when a connection is automatically rerouted due to a failure.
Consider using RACF IDT, instead of PassTickets, and enabling Db2 for token authentication, particularly when you want to use a RACF protected ID to access a Db2 server. See z/OS Security Server RACF Command Language Reference and z/OS Security Server RACROUTE Macro Reference for more information about the RACF IDT capability.