Linda Hagedorn wrote:
>This is very promising. Do you know where I can read more about ZMFA?

The documentation landing page is here:
https://www.ibm.com/docs/en/zma

>I'm interested in knowing how to configure the external source, and how
>the token is passed back to RACF, and how long the token lasts.
>For example, if systems programmers are working a problem, we
>wouldn't want the token to expire in 3 hrs.
>Or does the token last for the duration of the session?
>If tso/ispf times out (sysprog is doing research or answering
>mgmt questions), will they have to generate a new token?

If for example you’re configuring ZMFA to use an LDAP server as an “external” factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap

I put the word external in quotation marks because the LDAP server could be z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine. And LDAP is just one example. Many “external” and external factors’ interfaces are supported.

You can configure ZMFA for “out-of-band” authentication so that users obtain what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for example). You can choose whether the CTC is reusable and how quickly it expires.
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
[email protected]
