Changing a user password with an identity token

As of z/OS® V2R4, RACF® supports identity tokens implemented through the JSON web token assertion mechanism (JWT). You should enable identity token support whenever possible because it greatly improves the end-user logon flow for applications that support identity tokens, such as TSO/E, when the current credential is expired.

Before you begin

Note: See z/OS Security Server RACROUTE Macro Reference for important information about the IDTDATA class.

About this task

There are some IBM® MFA in-band login scenarios, particularly with compound in-band and password change, that necessitate an authentication requiring multiple RACROUTE calls to complete. In this case, state information is required so that IBM MFA and RACF perform the appropriate action for each state. You can use identity tokens to change RACF passwords, change a PIN, or change both during an in-band logon to TSO.

Consider the following scenario.
  • The user is configured for AZFLDAP1 with compound in-band authentication, and their RACF password has expired. For the purpose of example, further assume that you have configured their account to require their RACF credential first.
  • The user enters their current RACF password, the separator character, and their LDAP password.
  • If successful, the user receives the following message
    ICH70008I IBM MFA Message:                       
  • The user presses Enter to continue.
  • The user is then prompted to change their RACF password.


RACLIST and activate the IDTDATA class:

What to do next

You can control the use of identity tokens by defining profiles in the IDTDATA resource class. You use IDTPARMS to specify information for the IDTDATA class profile. See z/OS Security Server RACF Command Language Reference for information on IDTPARMS.