IBM Z Hardware and Operating Systems Ideas Portal

Status Not under consideration
Workspace z/OS
Categories RACF
Created by Guest
Created on Feb 13, 2025

RACF validation of external generated JWTs with fully OIDC support

Currently, RACF can only validate JWTs based on the IDTDATA definitions within RACF itself. In times of multi-platform solutions and higher security demands this is no longer adequate. Modern architectures consist of at least front ends and possibly different middleware solutions. To log on to z/OS, there are currently only a few solutions:

  • Kerberos
  • Basic Authentication
  • JWTs generated within RACF
  • Passtickets
  • Client Certificates
  • ...

For SSO, Kerberos is the only real solution at the moment. But Kerberos has trouble with, e.g., replay detection when there is a high volume of requests from technical users, CPU overhead and other issues. JWTs are the preferred authentication method for all platforms, and every platform supports them.

There is already a possibility to map external users (e.g. from LDAP) to z/OS users with RACMAP. RACF has to be enhanced to support authentication with JWTs generated on external systems (like ForgeRock) and to map them to z/OS users after the JWT authentication. Furthermore, RACF has to be able to validate the signature with the public key of the foreign system, and it has to ensure that it can still do so even if the public key changes. For this reason, RACF also has to be enhanced to make it possible to configure the JWKS URI of the foreign system, so that new public keys can be requested if validation fails with the "old" public key. One possibility I would see is to implement this JWKS handling within RRSF in local mode.

This is an absolutely urgent request, as there is a security demand from our application development department and from our IT security team. Otherwise we would not be able to fully integrate z/OS into our business solutions. Unfortunately, z/OS is currently the only system in our enterprise that doesn't support JWT authentication.

Once this support is implemented, the subsystems like CICS have to support that. For this reason, a colleague of mine opened an IDEA against CICS: CICSTS-I-2220

Idea priority Urgent
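The validation flow the idea asks for, shown as an added example that is not part of the original idea, of RACF, or of any IBM product: a verifier that pins issuer, audience and algorithm, looks the foreign system's public keys up by kid, refetches the JWKS once (rate-limited) when a token arrives under an unknown kid, and replaces its key cache on each fetch so that withdrawn keys stop verifying. It is written in Go with only the standard library. The issuer URL, audience, kids, subject and clock values are constructed for the demo, and fetchJWKS stands in for the HTTPS request to the foreign system's JWKS URI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url

type (
	JWK struct { // one entry of a JWKS "keys" array (RFC 7517), restricted here to ES256 / P-256
		Kty string `json:"kty"`
		Crv string `json:"crv"`
		Kid string `json:"kid"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}
	Claims struct { // the JWT claims checked before Sub would be mapped to a local user
		Iss string `json:"iss"`
		Sub string `json:"sub"`
		Aud string `json:"aud"`
		Exp int64  `json:"exp"`
	}
	Verifier struct { // consuming side: pinned issuer/audience/alg, kid-indexed key cache, injected clock
		Issuer, Audience string
		fetchJWKS        func() []JWK // constructed stand-in for the HTTPS GET of the issuer's jwks_uri
		now              func() time.Time
		keys             map[string]*ecdsa.PublicKey
		lastRefresh      time.Time
	}
)

// refresh replaces (never merges) the cache, so keys the issuer withdrew stop being trusted. The
// cooldown keeps attacker-chosen unknown kids from turning every bad token into a JWKS fetch.
func (v *Verifier) refresh() {
	if v.keys != nil && v.now().Sub(v.lastRefresh) < time.Minute {
		return
	}
	v.keys, v.lastRefresh = map[string]*ecdsa.PublicKey{}, v.now()
	for _, k := range v.fetchJWKS() {
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		if k.Kty == "EC" && k.Crv == "P-256" && errX == nil && errY == nil && pub.Curve.IsOnCurve(pub.X, pub.Y) {
			v.keys[k.Kid] = pub // admit only well-formed keys usable with the pinned algorithm
		}
	}
}

// Verify checks a compact JWS (RFC 7515) and returns the claims only if signature, issuer, audience
// and expiry all hold. The algorithm is pinned; the token's own alg header never selects it.
func (v *Verifier) Verify(token string) (Claims, error) {
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	parts := strings.Split(token, ".")
	if h, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "ES256" {
		return Claims{}, errors.New("header rejected: need 3 parts and alg ES256") // stops alg=none and HS256 key confusion
	}
	pub := v.keys[hdr.Kid]
	if pub == nil { // unknown kid: the issuer may have rotated, so refetch (rate-limited) and look once more
		if v.refresh(); v.keys[hdr.Kid] == nil {
			return Claims{}, fmt.Errorf("no key for kid %q", hdr.Kid)
		}
		pub = v.keys[hdr.Kid]
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return Claims{}, errors.New("signature invalid") // ES256 signatures are raw r||s, 32 bytes each (RFC 7518 s.3.4)
	}
	var c Claims
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil ||
		c.Iss != v.Issuer || c.Aud != v.Audience || c.Exp <= v.now().Unix() {
		return Claims{}, errors.New("claims rejected: malformed, wrong issuer/audience, or expired")
	}
	return c, nil
}

// Issuer side, as an external IdP would do it: publish the public key as a JWK and mint ES256 tokens.
func publicJWK(priv *ecdsa.PrivateKey, kid string) JWK {
	pad := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	return JWK{Kty: "EC", Crv: "P-256", Kid: kid, X: pad(priv.X), Y: pad(priv.Y)}
}

func signES256(priv *ecdsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

// Scenario plays the rotation case from the idea with constructed keys, issuer, audience and clock.
func Scenario() map[string]bool {
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	clock := time.Unix(1_700_000_000, 0)
	jwks := []JWK{publicJWK(k1, "2025-02-a")} // what the IdP's jwks_uri serves right now
	v := &Verifier{Issuer: "https://idp.example", Audience: "zos-cics-prod",
		fetchJWKS: func() []JWK { return jwks }, now: func() time.Time { return clock }}
	c := Claims{Iss: "https://idp.example", Sub: "alice@example.com", Aud: "zos-cics-prod", Exp: clock.Unix() + 300}
	res := map[string]bool{}
	t1 := signES256(k1, "2025-02-a", c)
	_, err := v.Verify(t1)
	res["current_key_ok"] = err == nil
	jwks = []JWK{publicJWK(k2, "2025-03-b")} // IdP rotates: new kid published, old one withdrawn
	clock = clock.Add(2 * time.Minute)       // past the cooldown; t1 itself is still unexpired
	_, err = v.Verify(signES256(k2, "2025-03-b", c))
	res["rotated_key_ok"] = err == nil // the unknown kid forced a refetch, then the token verified
	_, err = v.Verify(t1)
	res["retired_key_rejected"] = err != nil // its kid is gone from the refreshed cache
	p := strings.Split(signES256(k2, "2025-03-b", c), ".")
	none, _ := json.Marshal(map[string]string{"alg": "none", "kid": "2025-03-b"})
	_, err = v.Verify(b64.EncodeToString(none) + "." + p[1] + ".")
	res["alg_none_rejected"] = err != nil
	return res
}

func main() { fmt.Println(Scenario()) }
```

Two design choices differ from a naive reading of the idea. The idea proposes refetching when validation with the old key fails; the example keys the refetch on an unknown kid and rate-limits it, because either trigger can be forced by anyone who can send junk tokens to the z/OS side, and an unbounded refetch turns the JWKS URI into a denial-of-service lever. And the cache is replaced rather than merged on each fetch, which is what makes key withdrawal effective: a token signed with a key the foreign system has removed from its JWKS is rejected even though it has not expired. Mapping the verified sub to a z/OS user (the RACMAP-style step in the idea) belongs after Verify returns and must be keyed on issuer plus subject, since sub values are only unique within one issuer.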
  • Guest
    May 7, 2025

    Hello RACF Support,


    The use of zMFA OIDC was the first suggestion for our application development department, as we have zMFA licensed. But they made clear that this will not work. From our point of view, these are two very different use cases. zMFA uses the JWT to generate CTCs that can then be used for authentication with the CTC to log in.


    We would require that functionality to log in directly to CICS, Db2 and other applications without the intermediate step of a generated CTC/PassTicket/whatever. Furthermore, an API would be needed to extract the values out of the JWT, as described in another IDEA from us: ZOS-I-4463.


    It is very sad that z/OS has an extra role here in the IT infrastructure. I hope that this decision will not result in taking the workload off the mainframe, as JWT authentication is definitely required for our application development department (together with the extract functionality).

  • Guest
    May 6, 2025
    This item is unlikely to be placed into the RACF product plan as support for validation of external JWTs on z/OS can be achieved using either IBM Z Multi-Factor Authentication or z/OS Connect.
    Link to MFA Overview: https://www.ibm.com/products/ibm-multifactor-authentication-for-zos
    Link to MFA OIDC Configuration: https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-oidc
    Link to z/OS Connect: https://www.ibm.com/products/zos-connect