IBM Support

zSecure 3.1 supports generation and validation of Identity Tokens (IDT) with RSA-based signatures

News


Abstract

zSecure 3.1 supports generating and validating Identity Tokens (IDT), to facilitate more secure and easier distribution of cryptographic keys by using digital certificates.

Content

The following documentation updates were made for these IDT3 enhancements:
  • zSecure CARLa SELECT/LIST Fields:
    • New and updated RACF field descriptions:
      • IDTKIDP, SIGKIDPRIMARY
        This field shows the primary key identifier (KID) for the generation and validation of Identity Token
        (IDT) signatures that are associated with the profile. It resides in the IDTPARMS segment of a class
        IDTDATA Identity Token profile. The default width is 32. On z/OS 3.1, this field is present only if RACF
        APAR OA65299 is installed.
      • IDTLABP, SIGLABELPRIMARY
        This field shows the name of an ICSF CCA CKDS or PKDS label for the generation and validation of
        Identity Token (IDT) signatures associated with the profile. It resides in the IDTPARMS segment of a
        class IDTDATA Identity Token profile. The default width is 64. On z/OS 3.1, this field is present only if
        RACF APAR OA65299 is installed.
      • IDTSALG
        This field shows the signature algorithm (SIGALG) requested in the IDTPARMS segment of a class
        IDTDATA Identity Token profile. The default width is 6. The allowed values are HS256, HS384, HS512,
        RS256, RS384, and RS512. For example, this is used for JSON Web Token (JWT) support.
    • New SMF field descriptions:
      • IDT_SIGNATURE_EVALUATOR
        This repeated field contains authentication information regarding how the IDT signature is evaluated
        for the specified profile. It is found only in RACF processing records (SMF record type 80, relocate
        section 443) pertaining to a RACINIT event (subtype 1).
        The IDT_SIGNATURE_EVALUATOR field can have the following values:
        Value          Description
        primary label  IDT signature evaluated with primary label
        token          IDT signature evaluated with token
      • KEY_IDENTIFIER
        This field contains the key identifier (KID) for the generation and validation of Identity Token (IDT)
        signatures that are associated with the given profile. It is found only in RACF processing records (SMF
        record type 80, relocate section 443) pertaining to a RACINIT event (subtype 1).
      • SIGNATURE_ALGORITHM
        This field contains the signature algorithm for the generation and validation of Identity Token (IDT)
        signatures that are associated with the given profile. It is found only in RACF processing records (SMF
        record type 80, relocate section 443) pertaining to a RACINIT event (subtype 1).
        The SIGNATURE_ALGORITHM field can have the following values:
        Value  Description
        HS256  HMAC with SHA-256
        HS384  HMAC with SHA-384
        HS512  HMAC with SHA-512
        RS256  RSASSA-PKCS1-v1_5 with SHA-256
        RS384  RSASSA-PKCS1-v1_5 with SHA-384
        RS512  RSASSA-PKCS1-v1_5 with SHA-512
  • zSecure Admin and Audit User Reference Manual:
    • Table. IDTPARMS segment (IDTDATA class): new rows

      Overview field                   Detail field                   Explanation
      Cat                              Signing token category         The category of the token object in ICSF.
      Primary ID token key identifier  Primary ID token key ident.    The primary key identifier (KID) for the generation and validation of Identity Token (IDT) signatures.
      Primary ID token signing label   Primary ID token signing labl  The ICSF CCA CKDS or PKDS label for the generation and validation of Identity Token (IDT) signatures.


Document Information

Modified date:
01 May 2025

UID

ibm17186436