This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Currently, RACF can only validate JWTs based on the IDTDATA definitions within RACF itself. In times of multi-platform solutions and higher security demands, this is no longer adequate. Modern architectures consist of at least front ends and maybe different middleware solutions. To log on to z/OS, currently there are only some solutions:
For SSO, Kerberos is the only real solution at the moment. But Kerberos has trouble regarding e.g. replay detection if there is a high demand on requests from technical users, overheads regarding CPU and other stuff. JWTs are the preferred authentication method for all platforms and every platform supports them.
There is already a possibility to map external users (like from LDAP) to z/OS users with RACMAP. RACF has to be enhanced to support authentication with JWTs generated on external systems (like ForgeRock) and to map them to z/OS users after the JWT authentication. Furthermore, RACF has to have the possibility to validate the signature with the public key from the foreign system, and it has to ensure that it could do that even if the public key would change. For this reason, RACF also has to be enhanced to make it possible to configure the JWKS URI from the foreign system to request new public keys if the validation would fail with the "old" public key. One possibility I see would be to implement this JWKS functionality within RRSF in local mode.
This is an absolutely urgent request, as there is a security demand from our application development department and from our IT-Security team. Otherwise we would not be able to fully integrate z/OS into our business solutions. Unfortunately, z/OS is currently the only system that doesn't support JWT authentication in our enterprise.
Once this support is implemented, subsystems like CICS have to support it. For this reason, a colleague of mine opened an IDEA against CICS: CICSTS-I-2220
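The flow the idea asks for, as an added Python example that is not part of this idea or of RACF: verify the JWT signature against the foreign issuer's published public key, refetch the JWKS document once when the key id is unknown or the signature fails (the key-rotation case), and only then map the verified subject to a z/OS user the way RACMAP does. The issuer, key ids, user map and the toy Mersenne-prime RSA keys are constructed for the demonstration; the fetch function stands in for an HTTPS request to the configured JWKS URI.

```python
import base64, hashlib, json

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def i2b(i, k): return i.to_bytes(k, "big")
def nbytes(n): return (n.bit_length() + 7) // 8

# Constructed toy RSA key pairs from Mersenne primes: trivially factorable, used only so the
# example runs offline and fast. A real issuer uses properly generated keys.
P = (1 << 127) - 1
def keypair(kid, q):
    return {"kid": kid, "n": P * q, "e": 65537, "d": pow(65537, -1, (P - 1) * (q - 1))}

DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256
def emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding, the padding RS256 signs over
    t = DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_jwt(key, claims):  # what the external IdP (e.g. ForgeRock) does
    head = b64u(json.dumps({"alg": "RS256", "kid": key["kid"]}).encode())
    body = b64u(json.dumps(claims).encode())
    k = nbytes(key["n"])
    sig = pow(int.from_bytes(emsa(f"{head}.{body}".encode(), k), "big"), key["d"], key["n"])
    return f"{head}.{body}.{b64u(i2b(sig, k))}"

def jwks_of(*keys):  # the document served at the IdP's JWKS URI
    return {"keys": [{"kty": "RSA", "alg": "RS256", "kid": k["kid"], "e": b64u(i2b(k["e"], 3)),
                      "n": b64u(i2b(k["n"], nbytes(k["n"])))} for k in keys]}

class JwksVerifier:
    """Caches the issuer's JWKS; refetches it once when a token's kid is unknown or its
    signature fails (key rotation), then maps the verified subject to a local user."""
    def __init__(self, fetch_jwks, user_map):
        self.fetch, self.user_map, self.keys = fetch_jwks, user_map, {}
        self.refresh()
    def refresh(self):
        self.keys = {j["kid"]: (int.from_bytes(b64u_dec(j["n"]), "big"),
                                int.from_bytes(b64u_dec(j["e"]), "big"))
                     for j in self.fetch()["keys"] if j.get("kty") == "RSA"}
    def _sig_ok(self, kid, msg, sig):
        if kid not in self.keys: return False
        n, e = self.keys[kid]; s = int.from_bytes(sig, "big"); k = nbytes(n)
        return s < n and i2b(pow(s, e, n), k) == emsa(msg, k)
    def verify(self, token):
        try: h, b, s = token.split(".")
        except ValueError: return None
        head = json.loads(b64u_dec(h))
        if head.get("alg") != "RS256": return None  # reject 'none' and alg confusion
        for attempt in (0, 1):
            if self._sig_ok(head.get("kid"), f"{h}.{b}".encode(), b64u_dec(s)):
                sub = json.loads(b64u_dec(b)).get("sub")
                return self.user_map.get(sub)  # RACMAP-style external-to-z/OS mapping
            if attempt == 0: self.refresh()  # maybe rotated: refetch JWKS once
        return None
```

A production verifier would additionally check the issuer, audience and expiry claims and rate-limit the refetch so an attacker cannot make the verifier hammer the JWKS endpoint with bad tokens.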
Idea priority: Urgent