Enhanced profile token security protection

A profile token can be passed to one or more additional processes which can then use it to perform tasks on behalf of the authenticated user.

Enhanced profile token security protection is associated with a profile token when restrictions are added during generation. Providing a value for the Verification ID parameter, the Remote IP address parameter, or both produces an enhanced profile token. The returned profile token carries no indication that it is an enhanced token. However, to use the enhanced token successfully, any later Set To Profile Token or Generate Profile Token From Profile Token call must supply the same values that were used on the generate; a call that supplies different values (or omits them) is rejected.

The verification ID is an application defined value that identifies the specific application, service, or action associated with the profile token. The application uses the value to protect the token from being used for an unintended purpose. This is enforced by requiring the matching value be specified on the set or generate profile token from profile token request.

The remote IP address identifies the network connection associated with the profile token. The application uses this value to protect the token from being used from an unintended network client. This is enforced by requiring that the matching value be specified on the Set To Profile Token or Generate Profile Token From Profile Token request. Profile token generation and verification do not validate that the caller-provided IP address belongs to an active network connection, so the application is responsible for supplying the address of the actual network client rather than a value the client itself asserts.

The verification ID and remote IP address values cannot be retrieved from a profile token. They are, however, passed to the QIBM_QSY_AUTH exit point before generation when the user profile has an authentication method of *REGFAC. An enhanced profile token helps to protect against replay and pre-play token attacks; even so, applications should consider additional protection for profile tokens used from network clients, because the restrictions are only as strong as the values the application supplies.
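The binding described in the preceding paragraphs, as an added model written for this page in Python. It is not IBM i code and not the QSYGENPT, QsyGenPrfTkn2 or QsySetToPrfTkn2 API; the function names, the token type codes, the per-token HMAC binding, the rule that a token derived from an enhanced token inherits its restrictions, and the sample user, service name and addresses are all assumptions for illustration. It shows the four properties the text states: the token is an opaque value with no enhanced indicator, the verification ID and remote IP cannot be read back from it, a set or generate-from-token with different values is rejected, and the IP is taken from the caller unchecked.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Token type codes are placeholders for this model, not the QSYGENPT values.
SINGLE_USE = "single"
MULTIPLE_USE = "multiple"


class ProfileTokenError(Exception):
    """Unknown or consumed token, or the enhanced values do not match."""


@dataclass
class _Entry:
    user: str
    token_type: str
    binding_key: bytes   # per-token random key for the binding MAC
    binding_mac: bytes   # HMAC over (verification ID, remote IP) used at generate
    uses_left: int


def _binding(key: bytes, verification_id: str, remote_ip: str) -> bytes:
    # Length-prefixed so ("AB", "C") and ("A", "BC") cannot collide. The remote IP
    # is whatever the caller passes: generation does not check that it belongs to
    # a live connection, so the application must supply the real peer address.
    vid = verification_id.encode()
    ip = remote_ip.encode()
    msg = len(vid).to_bytes(4, "big") + vid + len(ip).to_bytes(4, "big") + ip
    return hmac.new(key, msg, hashlib.sha256).digest()


class ProfileTokenStore:
    """Server side of the model: maps opaque 32-byte tokens to their binding."""

    def __init__(self) -> None:
        self._tokens: Dict[bytes, _Entry] = {}

    def gen_prf_tkn(self, user: str, token_type: str,
                    verification_id: str = "", remote_ip: str = "") -> bytes:
        token = os.urandom(32)   # opaque; carries no flag that it is enhanced
        key = os.urandom(32)
        self._tokens[token] = _Entry(
            user, token_type, key, _binding(key, verification_id, remote_ip),
            uses_left=1 if token_type == SINGLE_USE else 2**31 - 1)
        return token

    def _consume(self, token: bytes, verification_id: str, remote_ip: str) -> _Entry:
        entry = self._tokens.get(token)
        if entry is None:
            raise ProfileTokenError("token unknown, expired or already used")
        # Blank values at generate still have to be matched by blank values here,
        # so a plain token and an enhanced token are checked by the same rule.
        expected = _binding(entry.binding_key, verification_id, remote_ip)
        if not hmac.compare_digest(expected, entry.binding_mac):
            raise ProfileTokenError("verification ID / remote IP do not match")
        entry.uses_left -= 1
        if entry.uses_left == 0:
            del self._tokens[token]   # a single-use token is gone after one success
        return entry

    def set_to_prf_tkn(self, token: bytes, verification_id: str = "",
                       remote_ip: str = "") -> str:
        """Switch to the token's user; returns the user profile name."""
        return self._consume(token, verification_id, remote_ip).user

    def gen_prf_tkn_from_prf_tkn(self, token: bytes, new_type: str,
                                 verification_id: str = "", remote_ip: str = "") -> bytes:
        """Derive a new token; the new one inherits the same restrictions (assumption)."""
        entry = self._consume(token, verification_id, remote_ip)
        return self.gen_prf_tkn(entry.user, new_type, verification_id, remote_ip)


def try_set(store: ProfileTokenStore, token: bytes,
            verification_id: str = "", remote_ip: str = "") -> Optional[str]:
    """Walkthrough helper: user name on success, None when the token is rejected."""
    try:
        return store.set_to_prf_tkn(token, verification_id, remote_ip)
    except ProfileTokenError:
        return None


def walkthrough() -> Dict[str, Optional[str]]:
    store = ProfileTokenStore()
    # Constructed sample values: a service name and the peer address of a client.
    tok = store.gen_prf_tkn("WEBUSER", MULTIPLE_USE,
                            verification_id="ORDERSVC", remote_ip="203.0.113.7")
    results = {
        "correct": try_set(store, tok, "ORDERSVC", "203.0.113.7"),
        "wrong_ip": try_set(store, tok, "ORDERSVC", "198.51.100.9"),   # replay from another client
        "wrong_vid": try_set(store, tok, "REPORTSVC", "203.0.113.7"),  # reuse by another service
        "no_values": try_set(store, tok),                               # presented as a plain token
    }
    # A single-use token derived with the same values works exactly once.
    single = store.gen_prf_tkn_from_prf_tkn(tok, SINGLE_USE, "ORDERSVC", "203.0.113.7")
    results["single_first"] = try_set(store, single, "ORDERSVC", "203.0.113.7")
    results["single_second"] = try_set(store, single, "ORDERSVC", "203.0.113.7")
    return results


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name:14} -> {outcome}")
```

The binding is kept as a keyed MAC on the server side rather than inside the token, which is why neither value can be recovered from the 32 bytes handed to the application; the only way to learn whether a token is enhanced is to try to use it. Note that the model accepts any string as the remote IP, mirroring the caveat above: if the application forwards an address the client supplied in a header instead of the connection's peer address, the restriction protects nothing.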

Generation of the Multiple-use profile token type requires enhanced profile token values to be provided in some situations. See Generate Profile Token (QSYGENPT) API under the Profile Token Type description for details.

Note: The Enhanced profile token does not require that MFA be enabled or used on the system.

Application code changes are required to take advantage of enhanced profile token protections. It is recommended that all applications be updated to use enhanced profile tokens.

Table 1. Interfaces for enhanced profile tokens

Original API            API with enhanced parameters
----------------------  ---------------------------------------------------------------------------------------
QSYGENPT                QSYGENPT, with all optional parameters
QsyGenPrfTkn            QsyGenPrfTkn2
QsyGenPrfTknE           QsyGenPrfTknE2
QSYGENFT                QSYGENFT, with the same parameter values used to generate the original profile token
QsyGenPrfTknFromPrfTkn  QsyGenPrfTknFromPrfTkn2, with the same parameter values used to generate the original profile token
QSYSETPT                QSYSETPT, with the same parameter values used to generate the profile token
QsySetToPrfTkn          QsySetToPrfTkn2, with the same parameter values used to generate the profile token