IBM Support

jti time not honored once JWT is used in z/OS Connect EE when communicating to CICS TS



You are using a JSON Web Token (JWT) in z/OS Connect Enterprise Edition (EE) to communicate to CICS Transaction Server for z/OS (CICS TS). Your token has a JSON Token ID (jti) that is time dependent so it should last for a little while and be available for reuse. However, the jti time is NOT honored once a token is used in z/OS Connect EE. So, you would like to know if there a way to override z/OS Connect EE to allow the jti time to be honored.

Resolving The Problem

In topic How to configure JWT authentication in the z/OS Connect EE documentation, there is a statement that says "If a JWT contains a jti (JWT ID) that is identical to a JWT previously used for authentication with a z/OS Connect EE server, the request is considered to be a replay attack. A jti is an optional claim."
The JWT jti (JWT ID) claim is usually used to prevent replay attacks by preventing the same JWT from being replayed. And the “exp” (Expiration Time) Claim is used to determine how long a JWT is valid.
If you are sure you that you want to allow JWT's with the same jti claim value to be allowed to be reused on requests to your z/OS Connect EE server, it is possible to configure the attribute tokenReuse=“true” on the openidConnectClient element in server.xml. Be aware that this will allow a JWT containing the same “jti” claim value to be reused multiple times until the “exp” claim value, if specified, expires.
Topic OpenID Connect Client (openidConnectClient) in the WebSphere Application Server for z/OS Liberty documentation provides the following Description of the tokenReuse parameter:
Specifies whether JSON web tokens can be reused. Tokens must contain a jti claim for this attribute to be effective. The jti claim is a token identifier that is used along with the iss claim to uniquely identify a token and associate it with a specific issuer. A request is rejected when this attribute is set to false and the request contains a JWT with a jti and iss value combination that has already been used within the lifetime of the token.
The default value for tokenReuse is "false".  When tokenReuse is set to "false" (or not set), the 2nd and subsequent request sending JWT with same jti will be rejected with HTTP response code 401 and messages.log message “CWWKS1743E: The token validation failed. Another JSON Web Token (JWT) with the same ‘iss’:<> and ‘jti’:<>has already been received."
When you specify tokenReuse=“true” in the openidConnectClient element, you can successfully send a JWT containing the same jti token value multiple times.

Document Location


[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSNPJM","label":"IBM z\/OS Connect"},"ARM Category":[{"code":"a8m0z0000000AiZAAU","label":"Security"}],"ARM Case Number":"TS003611933","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"3.0","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"ARM Category":[{"code":"","label":""}],"Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"All Versions","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"ARM Category":[{"code":"a8m0z00000007YsAAI","label":"CICS Transaction Server-\u003ESecurity"}],"Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"All Version(s)","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Product Synonym


Document Information

Modified date:
14 February 2023