Db2 login utilizing a JWT
Db2 and JWT
A JSON Web Token (JWT), in short, is a data structure which in its JSON payload holds (identity) claims. The structure consists of a header indicating the algorithm, the actual payload and a (digital) signature to verify the authenticity of the JWT. Optionally, JWTs can be encrypted. Db2 supports several symmetric and asymmetric signing algorithms, but only unencrypted JWTs.
To accept JWTs in Db2, a special token configuration file, db2token.cfg, needs to be created. It holds information about where to find the keystore with the secret keys or certificates used for JWT verification. Other sections include metadata on the accepted identity issuers and algorithms, along with other required information. As usual, I had to use the IBM Global Security Kit (GSKit) to create the keystore and to manage keys and certificates.
My securely managed secrets with IBM GSKit
In addition, you need to configure the Db2 server authentication type to include token support. In my case, I changed SERVER_ENCRYPT to SERVER_ENCRYPT_TOKEN.
Step-by-step guide
Because I couldn't find a concise guide to get started with JWTs in Db2, and the setup needed some documentation, I created the GitHub repository JWTutil. It has a step-by-step guide for setting up and testing Db2 with JWT, plus all the necessary files. The guide ends by generating a token, setting it as an environment variable, and then connecting to Db2 using the new accesstoken syntax:
db2 connect to testdb accesstoken ${TOKEN} accesstokentype jwt
Connect to Db2 using an access token (JWT)
Interested? Head over to the GitHub repository with the step-by-step guide.
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.