Monday, August 17, 2020

New JWT-based SSO in Db2 11.5


Another security lock for Db2
In my last blog I quickly pointed out the new Db2 11.5 Mod Pack 4. I mentioned that one of the new features is support for JSON Web Tokens (JWT). Today, I want to take a deeper look at this new security feature in Db2. Probably all of you have used JWTs before, maybe not knowingly - but this is going to change...

What is JSON Web Token (JWT)?

When authenticating, usually a username, some form of identification (password, valid certificate and issuer information, security key, biometric data, ...), and other metadata like expiration time, the scope and more are needed for the processing. A JSON Web Token packs all this information into a JSON object which is signed by its issuer and may even be encrypted. Simplified, a JWT is made up of three sections: the header indicating its type and the signing algorithm used, the payload with all the authentication data, and the digital signature to make it tamper-proof.
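To make the three sections concrete, here is an added Python example (not Db2 code and not from the Db2 documentation) that builds an HS256-signed JWT with only the standard library and then verifies it the way a consuming service should: the algorithm is pinned rather than read from the token, the signature is checked before the payload is trusted, and only then are issuer and expiry evaluated. The shared secret, issuer name and claims are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(raw: bytes) -> str:
    # JWT sections use base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_jwt(payload: dict, secret: bytes) -> str:
    """Header.payload.signature, signed with HMAC-SHA256 over the first two sections."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, secret: bytes, expected_iss: str, now: int = None) -> dict:
    """Return the payload if the token is valid for this consumer, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated sections")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the consumer decides, never the token's own "alg" field
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison; a mismatch means tampering or a different signing key
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    # Only after the signature holds do we trust anything in the payload
    payload = json.loads(b64url_decode(p_b64))
    if payload.get("iss") != expected_iss:
        raise ValueError("issuer not trusted: %r" % payload.get("iss"))
    if "exp" not in payload or now >= int(payload["exp"]):
        raise ValueError("token expired or has no expiry")
    return payload

if __name__ == "__main__":
    # Constructed demo values; a real IDP issues the token and holds the signing key
    secret = b"constructed-demo-secret"
    tok = create_jwt({"iss": "idp.example", "sub": "db2user", "exp": int(time.time()) + 300}, secret)
    print(tok)
    print(verify_jwt(tok, secret, "idp.example"))
```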

JWTs are used to pass login (authentication) data between Identity Providers (IDP) and consuming services like web apps or database systems. An Identity Provider could be your enterprise directory (Active Directory, LDAP), which is used for single sign-on (SSO).

JWT is one way of representing authentication information. SAML (Security Assertion Markup Language) is another popular, and older, standard and is XML-based.

Db2 Token Authentication

Because JWT is only one of multiple standards, Db2 officially introduced Token Authentication as a new feature. Right now, JWT is the only supported format. Token Authentication is enabled by creating a token configuration file and then adapting the SRVCON_AUTH setting.

The configuration file consists of some general metadata and JWT IDP Groups, each a set of configuration settings for an Identity Provider. You can have multiple identity providers, but I would assume that typically only one is present. Because JWTs are signed, you need a keystore (JWT_KEYDB) to hold the private and public keys.

The database manager configuration parameter SRVCON_AUTH determines where (client or server) and how authentication is performed. To use Token Authentication, one of the new values containing _TOKEN needs to be specified, e.g., SERVER_ENCRYPT_TOKEN or GSSPLUGIN_TOKEN.

Once everything is configured, you can CONNECT to Db2 and pass in a JWT instead of a username and password. See my blog post on using an API key or access token to connect to Db2 on Cloud for details. The IBM Cloud IAM access token is a JWT, with IBM Cloud IAM / IBMid being the Identity Provider.

Summary

The recent Db2 11.5 Mod Pack 4 includes a new way to authenticate. It is based on an open standard (JSON Web Token) and can help you integrate Db2 into SSO (single sign-on) flows.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.