SAF JSON Web Token (JWT) services

The z/OS security software, through SAF (System Authorization Facility), supports creating and verifying identity tokens in JSON Web Token (JWT) format, which can be used for authentication. z/OS Explorer makes this SAF JWT support available to selected consumers, such as RSE API. RSE uses a signed, application-specific SAF JWT.

JSON (JavaScript Object Notation) is a structured, text-based data-exchange format with limited overhead. In a SAF JWT, the JSON structure (UTF-8, base64url-encoded, that is, base-64 with the URL-safe alphabet that the JWT specification requires) holds information such as the user ID the token was issued for and its expiration time, and it is signed with a site-specific private key (stored in a PKCS#11 token) so that the receiver can verify its authenticity. Note that the signature protects integrity and origin, not confidentiality: the claims are encoded, not encrypted, so anyone who obtains the token can read them, and the token must be handled as a credential. More details on SAF JWT as used by the z/OS security software can be found in the "Activating and using the IDTA parameter in RACROUTE REQUEST=VERIFY" chapter of the Security Server RACROUTE Macro Reference (SA23-2294).
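To make the structure described above concrete, the following Go program is an added example (not code from z/OS Explorer, RSE or the z/OS security software) that builds a JWT from a JSON header and a JSON claim set, base64url-encodes both, signs the result with an RSA private key, and then performs the checks a verifier must do before trusting the claims: parse the three parts, pin the algorithm, verify the signature with the site's public key, and reject an expired token. It also shows the two failure modes a practitioner cares about, a token whose claims were altered after signing and a token past its expiration. Assumptions: the claim names `sub`, `iat` and `exp` are the registered names from RFC 7519 used for illustration, not the SAF JWT claim set (which is documented in SA23-2294); the user ID `USER01` is a constructed sample; the key pair is generated in memory for portability, whereas in the real setup the private key lives in an ICSF PKCS#11 token and never leaves it; RS256 (RSASSA-PKCS1-v1_5 with SHA-256) is used as a representative signing algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is an illustrative claim set using RFC 7519 registered names (assumption:
// the actual SAF JWT claims are defined in SA23-2294 and are not reproduced here).
type Claims struct {
	Sub string `json:"sub"` // user ID the token was issued for
	Iat int64  `json:"iat"` // issued-at, seconds since the epoch
	Exp int64  `json:"exp"` // expiration, seconds since the epoch
}

// JWT parts are base64url without padding (RFC 7515), not plain base-64.
var enc = base64.RawURLEncoding

// Sign builds header.payload.signature using RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// Verify checks structure, pins the algorithm, verifies the signature with the site
// public key, and only then decodes and trusts the claims; expired tokens are rejected.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("jwt: expected three dot-separated parts")
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm (e.g. "none")
		return c, fmt.Errorf("jwt: unexpected alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("jwt: signature verification failed")
	}
	body, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("jwt: token expired")
	}
	return c, nil
}

// Demo generates a throwaway key pair (standing in for the site key held in a PKCS#11
// token) and exercises three cases: a valid token, a token whose payload was swapped
// after signing, and the same valid token checked after its expiration.
func Demo() (valid Claims, validErr, tamperErr, expiredErr error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Unix(1700000000, 0) // fixed clock so the outcome is reproducible
	c := Claims{Sub: "USER01", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()}
	tok, err := Sign(priv, c)
	if err != nil {
		panic(err)
	}
	valid, validErr = Verify(&priv.PublicKey, tok, now)

	// Tamper: replace the subject in the payload but keep the original signature.
	parts := strings.Split(tok, ".")
	forged, _ := json.Marshal(Claims{Sub: "ATTACKER", Iat: c.Iat, Exp: c.Exp})
	parts[1] = enc.EncodeToString(forged)
	_, tamperErr = Verify(&priv.PublicKey, strings.Join(parts, "."), now)

	// Expiry: the untouched token checked ten minutes later, past its 5-minute lifetime.
	_, expiredErr = Verify(&priv.PublicKey, tok, now.Add(10*time.Minute))
	return
}

func main() {
	valid, validErr, tamperErr, expiredErr := Demo()
	fmt.Printf("valid token:    sub=%s exp=%d err=%v\n", valid.Sub, valid.Exp, validErr)
	fmt.Println("tampered token:", tamperErr)
	fmt.Println("expired token: ", expiredErr)
}
```

The order of checks in `Verify` is deliberate: the algorithm is pinned and the signature verified before any claim is decoded, so an attacker who can edit the payload (or set `alg` to `none`) gains nothing, and the expiration check runs only on claims whose authenticity has already been established.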

The creation and storage of the PKCS#11 token holding the private key rely on ICSF (Integrated Cryptographic Service Facility), the cryptographic component of z/OS. The cryptographic administrator who creates the private key used for signing needs ICSF-specific permits, as described in Define JSON Web Token (JWT) support for RSE.