Define SAF JSON Web Token (JWT) support for RSE

z/OS security software, SAF (System Authorization Facility), supports generating and verifying identity tokens in JSON Web Token (JWT) format, which can be used for authentication. z/OS Explorer makes this SAF JWT support available to selected consumers, such as RSE API. RSE uses a signed, application-specific SAF JWT.

In the following sample RACF commands, replace #crypto with the user IDs or RACF group names of the cryptographic administrators who will create the PKCS#11 token that holds the private key.

RDEFINE CRYPTOZ SO.JWTTOK.FEKAPPL UACC(NONE) DATA('CREATE PKCS#11 TOKEN')
PERMIT SO.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(CONTROL) ID(#crypto)
RDEFINE CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL UACC(NONE) DATA('CREATE PKCS#11 KEY')
PERMIT CLEARKEY.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(READ) ID(#crypto)
SETROPTS RACLIST(CRYPTOZ) REFRESH

RACDCERT ADDTOKEN (JWTTOK.FEKAPPL)
RDEFINE IDTDATA JWT.FEKAPPL.*.SAF IDTPARMS(SIGTOKEN(JWTTOK.FEKAPPL) SIGALG(HS512) ANYAPPL(NO) IDTTIMEOUT(30)) UACC(NONE) DATA('IBM EXPLORER FOR z/OS') 
SETROPTS RACLIST(IDTDATA) REFRESH
Note:
  • The format for profiles in the IDTDATA class is <Identity Token (IDT) type>.<application ID>.<user ID>.<IDT issuer name>.
  • RSE supports using an application ID other than FEKAPPL. The JWT.FEKAPPL.*.SAF profile name in the IDTDATA class must use the actual application ID used by RSE. See Define PassTicket support for RSE for more information.
  • Substitute the wildcard (*) in the JWT.FEKAPPL.*.SAF profile definition with a valid user ID mask to limit the user IDs for which RSE can generate an SAF JWT.
  • The PKCS#11 token name (JWTTOK.FEKAPPL by default) can be changed but the same token name must be used in all commands.
  • IDTTIMEOUT specifies the number of minutes that the SAF JWT is valid. The value must be between 1 and 1440. The default is 5. The RSE sample command above sets it to 30 minutes. Use a value long enough for your environment, keeping in mind that a longer lifetime extends the window in which a leaked token remains usable.
  • Support for SAF JWT requires z/OS 2.4 or higher.

After the RACDCERT ADDTOKEN command completes, the cryptographic administrator can customize and submit the sample FEKPKCS1 member, which creates the PKCS#11 private key used to sign the SAF JWTs.
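The two settings a consumer of these tokens depends on are SIGALG(HS512) and IDTTIMEOUT. The following Python example, added here and not part of the z/OS Explorer documentation or product, shows how a relying application can pin the signature algorithm to HS512 and reject tokens whose lifetime exceeds the configured IDTTIMEOUT. It assumes the token carries the standard RFC 7519 iat and exp claims and uses a constructed key and constructed claims as test input; it does not read the key from the PKCS#11 token.

```python
import base64
import hashlib
import hmac
import json

IDT_TIMEOUT_MINUTES = 30  # mirrors IDTTIMEOUT(30) in the sample RDEFINE above


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs512_token(claims: dict, key: bytes) -> str:
    """Build a compact HS512 JWT; used only to construct sample input here."""
    header = _b64url_encode(json.dumps({"alg": "HS512", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_saf_jwt(token: str, key: bytes, now: int,
                  timeout_minutes: int = IDT_TIMEOUT_MINUTES) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm to what SIGALG(HS512) configures; never accept alg=none
    if header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("missing iat/exp")
    if exp <= now:
        raise ValueError("expired")
    # A token living longer than IDTTIMEOUT was not issued under this policy
    if exp - iat > timeout_minutes * 60:
        raise ValueError("lifetime exceeds IDTTIMEOUT")
    return claims


def is_accepted(token: str, key: bytes, now: int) -> bool:
    try:
        check_saf_jwt(token, key, now)
        return True
    except ValueError:
        return False
```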