By Jim Pickel, STSM, Db2 for z/OS, and Hugh Smith, Db2 for z/OS DDF Development
Token-based authentication enables a local application to use a generalized token for authentication at a remote server. Starting in function level 505 (V13R1M505), Db2 13 for z/OS (Db2) supports token authentication by leveraging the RACF Identity Token (IDT) capability. You can enable Db2 to send and receive an authentication token, instead of a userid and PassTicket or a password, in a connection request.
A Db2 requester can use an authorized RACF callable interface to request an authentication token. RACF generates the requested token based on the current authentication environment of the Db2 requester, or on the outbound translated user ID if the same ID exists on both the requesting and receiving systems. A successfully generated token contains all the authentication information that Db2 requires.
The authentication token from RACF references a PKCS#11 token as part of the RACF IDTDATA class profile. The PKCS#11 token is defined with REXX execs in a TSO batch environment. You can customize the sample CSFTRIDT REXX EXEC in SYS1.SAMPLIB with your own source key material and token bit-size, name, and type.
The PKCS#11 token also uses an HMAC key. RACF references the key when generating and validating the signature of the token. Successful token validation requires that both the generating and evaluating systems share the same HMAC key or the same original source key material.
After obtaining the authentication token, the Db2 requester passes the token in a connection request to a remote Db2 server. If the server is also enabled for token authentication, it presents the token to RACF for validation. Upon successful validation of the token, the Db2 server authenticates the connection request.
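As an added illustration (not code from this post or from IBM), the following Python models the requester/server flow described above: the requester side builds a signed token from its authenticated user ID, and the server side only accepts it when it holds the same HMAC key and the token is unexpired and untampered. The token layout, claim names, issuer value and key bytes are assumptions made for the model, not RACF's actual IDT format or the PKCS#11 key store.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret standing in for the HMAC key that the
# PKCS#11 token holds on both the generating and validating systems.
SHARED_HMAC_KEY = b"constructed-shared-hmac-key-material"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used in JWT-style tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_token(hmac_key: bytes, user_id: str, issuer: str,
                   ttl_seconds: int, now: int) -> str:
    """Requester side: sign the current authentication context (user id,
    issuing system, issue/expiry times) with the shared HMAC key."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iss": issuer, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(hmac_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def validate_token(hmac_key: bytes, token: str, now: int) -> Optional[str]:
    """Server side: return the authenticated user id, or None if the
    signature does not verify under this system's key, the token is
    expired, or the token is malformed."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        presented_sig = _unb64(sig_b64)
    except (ValueError, base64.binascii.Error):
        return None
    expected = hmac.new(hmac_key, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison: a key mismatch or any edit to the header
    # or claims changes the expected signature and the token is rejected.
    if not hmac.compare_digest(expected, presented_sig):
        return None
    claims = json.loads(_unb64(claims_b64))
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")
```

The model reproduces the caveat in the text: a server configured with different key material rejects every token the requester produces, even though nothing else about the token is wrong.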
When compared to other security mechanisms, RACF IDT provides the most secure and efficient way to protect user credentials, because the original authentication is replayed in the form of a signed token rather than the user's credentials themselves. Consider taking advantage of the RACF IDT support and enabling Db2 for authentication through a RACF-generated token, instead of a PassTicket, which is deprecated for use by a RACF-protected ID.
See Db2 13 function level 505 (APAR PH59534 - April 2024) and Enabling Db2 for token authentication to learn more.
A special thank-you to Guanjun Cai, Db2 for z/OS Content Design, for his contributions.