Define SAF JSON Web Token (JWT) support for RSE

z/OS security software, SAF (System Authorization Facility), supports issuing and verifying identity tokens in JSON Web Token (JWT) format, which can be used for authentication. z/OS Explorer makes this SAF JWT support available to selected consumers, such as RSE API. RSE uses a signed, application-specific SAF JWT.

In the following sample RACF commands, replace #crypto with valid user IDs or RACF group names of the cryptographic administrators that will create the PKCS#11 token holding the private key.

RDEFINE CRYPTOZ SO.JWTTOK.FEKAPPL UACC(NONE) DATA('CREATE PKCS#11 TOKEN')
PERMIT SO.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(CONTROL) ID(#crypto)
RDEFINE CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL UACC(NONE) DATA('CREATE PKCS#11 KEY')
PERMIT CLEARKEY.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(READ) ID(#crypto)
SETROPTS RACLIST(CRYPTOZ) REFRESH

RACDCERT ADDTOKEN (JWTTOK.FEKAPPL)
RDEFINE IDTDATA JWT.FEKAPPL.*.SAF IDTPARMS(SIGTOKEN(JWTTOK.FEKAPPL) SIGALG(HS512) ANYAPPL(NO) IDTTIMEOUT(30)) UACC(NONE) DATA('IBM EXPLORER FOR z/OS')
SETROPTS RACLIST(IDTDATA) REFRESH

Note: Support for JWT requires z/OS 2.4 or higher.

After the RACDCERT ADDTOKEN command has completed, the cryptographic administrator can customize and submit the sample FEKPKCS1 member, which creates the PKCS#11 private key in that token for use by the SAF JWTs.
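As an added illustration (not part of this documentation or of the z/OS Explorer product), the following Python check shows what a consumer of these tokens should enforce to match the IDTPARMS above: only the configured SIGALG (HS512, so a token claiming any other algorithm is refused before its signature is even examined), a valid HMAC signature, an audience equal to the application the profile covers (FEKAPPL, reflecting ANYAPPL(NO)), and a lifetime no longer than IDTTIMEOUT(30), which RACF states in minutes. The claim names (iss, sub, aud, iat, exp), the key bytes and the sample issuer are constructed assumptions for the demonstration; the real key lives in the PKCS#11 token and is never read by this script.

```python
import base64, hashlib, hmac, json

# Values mirroring the IDTDATA profile on this page (assumed claim layout).
EXPECTED_ALG = "HS512"            # SIGALG(HS512)
EXPECTED_AUD = "FEKAPPL"          # application name from JWT.FEKAPPL.*.SAF, ANYAPPL(NO)
IDT_TIMEOUT_SECONDS = 30 * 60     # IDTTIMEOUT(30) minutes

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_saf_style_jwt(token: str, key: bytes, now: int) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm first: alg=none or a different MAC/signature scheme is rejected outright.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token not issued for this application")
    iat, exp = int(claims["iat"]), int(claims["exp"])
    if exp - iat > IDT_TIMEOUT_SECONDS:
        raise ValueError("lifetime exceeds IDTTIMEOUT")
    if not iat <= now < exp:
        raise ValueError("token expired or not yet valid")
    return claims

def rejection_reason(token: str, key: bytes, now: int):
    """None when the token is accepted, otherwise the reason it was refused."""
    try:
        verify_saf_style_jwt(token, key, now)
        return None
    except ValueError as err:
        return str(err)

def make_sample_token(key: bytes, alg: str, claims: dict) -> str:
    """Constructed test issuer used only to exercise the verifier; SAF signs tokens in RACF, not here."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha512).digest() if alg == "HS512" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```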