Tuesday, January 12, 2021

Db2 Security: Configure JSON Web Token (JWT) authentication

Db2 login utilizing a JWT
Since V11.5.4, Db2 can consume JWTs (JSON Web Tokens). The business case is supporting SSO (single sign-on): you can configure Db2 to accept access tokens issued by external identity providers (IdPs), including IBM solutions or open source projects like Gluu. V11.5.5 brought some JWT improvements, e.g., support for multiple labels. On a recent Friday, I set up my Db2 Docker container to accept JWTs, not those issued by an external identity service, but my own.

Db2 and JWT

A JSON Web Token (JWT), in short, is a data structure whose JSON payload holds (identity) claims. It consists of a header indicating the signing algorithm, the actual payload, and a (digital) signature used to verify the authenticity of the token. Optionally, JWTs can be encrypted. Db2 supports several symmetric and asymmetric signing algorithms, but only unencrypted JWTs.
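To make the structure concrete, here is an added example (not code from the post or from JWTutil) that mints an unencrypted HS256 JWT and then performs the checks a consumer such as Db2 has to make before trusting it: a pinned algorithm, a valid signature, an accepted issuer, and an unexpired token. The secret, issuer and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: a real verifier would take the secret from the keystore
# named in db2token.cfg and the accepted issuer from its issuer section.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
DEMO_ISSUER = "https://idp.example.com"  # hypothetical issuer
DEMO_CLAIMS = {"iss": DEMO_ISSUER, "sub": "db2inst1", "iat": 1610000000, "exp": 1610003600}

def _b64url(data: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, secret: bytes) -> str:
    """Build an unencrypted HS256 JWT: b64url(header).b64url(payload).b64url(signature)."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, secret: bytes, issuer: str, now: Optional[int] = None) -> dict:
    """Return the claims only if algorithm, signature, issuer and expiry all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm; the token never gets to choose (rejects alg "none" and
    # algorithm confusion). Db2 does this via the accepted-algorithms metadata in db2token.cfg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer: %r" % claims.get("iss"))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or exp claim missing")
    return claims
```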

To accept JWTs in Db2, a special token configuration file, db2token.cfg, needs to be created. It tells Db2 where to find the keystore holding the secret keys or certificates used to verify JWT signatures. Other sections hold metadata on the accepted identity issuers and algorithms, along with other required information. As usual, I had to use the IBM Global Security Kit (GSKit) to create the keystore and to manage keys and certificates.

My securely managed secrets with IBM GSKit

In addition, you need to configure the Db2 server authentication type to include token support. In my case, I changed SERVER_ENCRYPT to SERVER_ENCRYPT_TOKEN.

Step-by-step guide

Because I couldn't find a concise guide to getting started with JWTs in Db2, and the setup required digging through the documentation, I created the GitHub repository JWTutil. It has a step-by-step guide for setting up and testing Db2 with JWTs and all the necessary files. The guide ends by generating a token, setting it as an environment variable, and then connecting to Db2 using the new accesstoken syntax:

db2 connect to testdb accesstoken ${TOKEN} accesstokentype jwt
Connect to Db2 using an access token (JWT)

Interested? Head over to the GitHub repository with the step-by-step guide.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.