JWT-Based Authentication with SAP ASE: A Comprehensive Guide

Implementing modern authentication methods like JSON Web Tokens (JWT) for database connections enhances security by moving away from traditional static passwords to a token-based architecture. This guide outlines the architecture and technical steps to configure JWT-based authentication in SAP Adaptive Server Enterprise (ASE) 16.1 SP00 PL01. JWT is an open standard; a token consists of three Base64 URL encoded parts separated by '.':

<header>.<payload>.<signature>

Understanding the Architecture:


The JWT authentication flow involves three primary entities: the Trusted Identity Provider (IdP), the Client Application, and SAP ASE.

Architecture diagram illustrates 4-step user authentication process between IdP, Client, and SAP ASE.

  1. Token Request: The client or user requests a JWT token from a trusted identity provider (IdP).
  2. Token Issuance: The IdP verifies the identity of the client and if authenticated, it issues a JWT token string signed with its private key.
  3. Transmission: The client sends the provided JWT token to SAP ASE in the same way as it does a regular password.
  4. Verification: SAP ASE receives the token, validates it and handles the new connection request in the login process.

Validation and Mapping Logic:

When SAP ASE receives a JWT token during the login process, it performs a series of checks to validate the token.

  1. SAP ASE validates the JWT token's format, expiry, and signature.
  2. If the JWT token is valid, SAP ASE checks whether a login with the same name as the external user name (user_name) exists in the system catalog, or whether a login mapping exists for the provider and the user_name. If it does, SAP ASE uses that login name.
  3. If a user with a valid JWT token logs into SAP ASE but the user_name is unknown to the server (there is no login defined in the system catalog or no mapping defined), the login is accepted only if a 'secure default login' is configured with sp_configure. In this case, SAP ASE uses the login name configured as 'secure default login' for the external JWT user.

SAP ASE supports tokens signed with RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384, ES512).
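
The checks and mapping rules above, modelled as an added example for pre-flighting a token before a login attempt (this is not SAP ASE code and not from the original post). The function names, the mapping-before-login order and the constructed sample token are assumptions, and the signature is not verified here.

```python
import base64, json, time

ISSUER = "http://myidp_provider:8080/uaa/oauth/token"   # provider issuer from this page
SUPPORTED_ALGS = ("RS256", "RS384", "RS512", "ES256", "ES384", "ES512")

def b64url_decode(seg):
    # Base64 URL segments drop their '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def preflight(token, issuer=ISSUER, claim="user_name", now=None):
    """Return a list of problems (empty = passes). The signature is NOT verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return ["format: expected <header>.<payload>.<signature>"]
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    except ValueError:
        return ["format: header or payload is not Base64 URL encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["format: header and payload must be JSON objects"]
    problems = []
    if header.get("alg") not in SUPPORTED_ALGS:
        problems.append(f"alg: {header.get('alg')!r} is not in the supported list")
    if claims.get("iss") != issuer:
        problems.append("iss: does not match the provider's ISSUER")
    if not claims.get(claim):
        problems.append(f"{claim}: identity claim is missing")
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("nbf: token is not valid yet")
    if "exp" in claims and now >= claims["exp"]:
        problems.append("exp: token has expired")
    return problems

def resolve_login(user_name, logins, mappings, secure_default=None):
    # Mapping-before-login order is an assumption; the page does not state it.
    if user_name in mappings:
        return mappings[user_name]
    if user_name in logins:
        return user_name
    return secure_default            # None: the login is rejected

def sample_token(alg="RS256", **overrides):
    # Constructed sample: claim values from this page, placeholder signature.
    claims = {"iss": ISSUER, "user_name": "ase_admin",
              "nbf": 1776432348, "exp": 1830277799, **overrides}
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": alg, "typ": "JWT"}), seg(claims), "c2ln"])
```

With a 'secure default login' configured, `resolve_login` returns that login for any unknown user_name, which is why that setting widens access to every identity the IdP can issue a valid token for.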

Configuration Steps:

Step 1: Prepare the Identity Provider and Token

Obtain a JWT token from a trusted IdP with claims such as "iss" (issuer), "user_name" (the external user name, e.g. ase_admin, that is mapped to an SAP ASE internal login, e.g. ase_admin_internal), "exp" (optional; expiration time of the token as an epoch timestamp) and "nbf" (optional; the time, as an epoch timestamp, before which the token must not be accepted). Refer to the section towards the end of this article to generate a JWT token for testing purposes.

Step 2: Create an SAP ASE internal login account and set the authentication method to JWT for this login account.

CREATE LOGIN ase_admin_internal
WITH PASSWORD itsA8ecret
AUTHENTICATE WITH jwt

Step 3: Define the JWT Provider

Create a JWT provider in SAP ASE that corresponds to your IdP's issuer URL. This provider uses the "user_name" claim from the JWT payload to map the external user name to an SAP ASE login.

CREATE JWT PROVIDER my_jwt_provider
WITH ISSUER 'http://myidp_provider:8080/uaa/oauth/token'
CLAIM 'user_name'
AS EXTERNAL IDENTITY

Step 4: Map External Users

For each external user that will connect to SAP ASE, create a mapping between the external user name and the internal SAP ASE login.

sp_maplogin "JWT", "ase_admin", "ase_admin_internal", "my_jwt_provider"

Step 5: Add the Public Certificate of IdP

To validate the tokens, add the certificate and set its purpose to JWT for your provider.

CREATE CERTIFICATE jwt_ca_cert
PURPOSE JWT
FOR PROVIDER my_jwt_provider
FROM "-----BEGIN CERTIFICATE-----…-----END CERTIFICATE-----"

Testing the Connection:

Verify the configuration using the isql utility by passing the JWT token in the password field.

# $SYBASE/$SYBASE_OCS/bin/isql -P <JWT-Token> -I interfaces -w 2000 -S <ase_server_name>

Post-Login Verification:

Once connected, you can confirm the authentication mechanism and the effective login name:

  • select @@authmech — Should return “jwt”.
  • select suser_name() — Should return the mapped internal SAP ASE login (e.g., “ase_admin_internal”).

1> select @@authmech
2> go
————————————————————
jwt
(1 row affected)
1> select suser_name()
2> go
————————————————————
ase_admin_internal
(1 row affected)

Generating a JWT Token (For Testing Purposes):

Step 1: Generate RSA Keys

Use OpenSSL to generate an RSA private key (used for signing the token) and a self-signed public certificate (used as the Certifying Authority (CA) certificate). The command below writes the RSA private key to private_key.pem and the self-signed public certificate to certificate.pem.

Note:

  • This will prompt you for information such as Country Name (IN), Organization (SAP), and Common Name (private_ca).

openssl req -x509 -newkey rsa:2048 -nodes -keyout private_key.pem -out certificate.pem -days 365

Step 2: Create the Header (<header>)

Create a JSON header for a JWT to be signed with RS256 and encode it as Base64 URL: Base64-encode it, replace '+' with '-' and '/' with '_', and remove trailing '=' characters.

echo -n '{"alg":"RS256","typ":"JWT"}' | base64 | sed -E 's/\+/-/g; s/\//_/g; s/=+$//'

Sample Output:

eyAgImFsZyI6ICJSUzI1NiIsICAidHlwIjogIkpXVCJ9

Step 3: Create the Payload (<payload>)

Create a JSON payload with required claims like iss and user_name, then encode it as Base64 URL. The payload is long enough for base64 to wrap its output, so the '-w 0' flag is used to keep the result on one line.

Note:

  • nbf: 1776432348 (Friday, 17 April 2026 at 18:55:48 GMT+05:30)
  • exp: 1830277799 (Friday, 31 December 2027 at 23:59:59 GMT+05:30)

echo -n '{"iss": "http://myidp_provider:8080/uaa/oauth/token","user_name": "ase_admin","nbf": 1776432348,"exp": 1830277799}' | base64 -w 0 | sed -E 's/\+/-/g; s/\//_/g; s/=+$//'

Sample Output:

eyAgICJpc3MiOiAiaHR0cDovL215aWRwX3Byb3ZpZGVyOjgwODAvdWFhL29hdXRoL3Rva2VuIiwgICAidXNlcl9uYW1lIjogImFzZV9hZG1pbiIsICAgIm5iZiI6IDE3NzY0MzIzNDgsICAiZXhwIjogMTgzMDI3Nzc5OSB9

Step 4: Generate the Signature (<signature>)

The signature is computed over the string <header>.<payload>: it is signed with the RSA private key (SHA-256 digest) and the result is encoded as Base64 URL.

Note:

  • The '-w 0' flag is used to prevent line breaks in the signature.

echo -n "<header>.<payload>" | openssl dgst -sha256 -binary -sign private_key.pem | base64 -w 0 | sed -E 's/\+/-/g; s/\//_/g; s/=+$//'

Sample Output:


UePn-E2y8SzqBtnRjTSggyrEIzpuLEZZAWJTUAoVJBVvg46OPvnKk68ZGSSckm4dcdJhWf87s2vh8Ys-vfLzYOJtiQfjXrJN2ngHSWJKGA4LVdi8cAsmKsMQGFHLsUp-NJJqk1ReFtiRGQuRyjIZtBb8ExsT4prX2hoRzYndaD5M-S4FfBHK9ebC3kA_u7l9NpDJWW-AoD6jqGu-8SM54ONGBI6xDvclCOp1Cz5XiHww-zRAvsDHUnfDJO2jVH3gtOu9jz_VB7GwzHV82T_hjhtXYqLx7xF5EXWgwh99usinsbe1C39uUMbHuFbkV_nqeUq5hGodSXBKlgP_U323KQ

Step 5: Assemble the JWT

Concatenate the three components separated by dots: <header>.<payload>.<signature>.

Sample Output:

eyAgImFsZyI6ICJSUzI1NiIsICAidHlwIjogIkpXVCJ9.eyAgICJpc3MiOiAiaHR0cDovL215aWRwX3Byb3ZpZGVyOjgwODAvdWFhL29hdXRoL3Rva2VuIiwgICAidXNlcl9uYW1lIjogImFzZV9hZG1pbiIsICAgIm5iZiI6IDE3NzY0MzIzNDgsICAiZXhwIjogMTgzMDI3Nzc5OSB9.UePn-E2y8SzqBtnRjTSggyrEIzpuLEZZAWJTUAoVJBVvg46OPvnKk68ZGSSckm4dcdJhWf87s2vh8Ys-vfLzYOJtiQfjXrJN2ngHSWJKGA4LVdi8cAsmKsMQGFHLsUp-NJJqk1ReFtiRGQuRyjIZtBb8ExsT4prX2hoRzYndaD5M-S4FfBHK9ebC3kA_u7l9NpDJWW-AoD6jqGu-8SM54ONGBI6xDvclCOp1Cz5XiHww-zRAvsDHUnfDJO2jVH3gtOu9jz_VB7GwzHV82T_hjhtXYqLx7xF5EXWgwh99usinsbe1C39uUMbHuFbkV_nqeUq5hGodSXBKlgP_U323KQ

 


By ali
