Hi Frank:
2FA, where it calls you to get a code, or prompts you for a code
off some security device (RSA?) will be per logon attempt. Now,
if you have a session manager (of some kind), that may only
require one response with the "token" they want, and the session
manager may then not trigger 2FA for each logon under its control.
In the remote logons I've done, Cisco was effectively the session
manager and handled the initial connection to customer site
(using VPN). Once authenticated, it was basically a single
sign-on -- with the exception of TSO and other Mainframe specific
access/logons, but 2FA was not activated in that case.
YMMV as usual.
Steve Thompson
On 3/1/2024 5:49 PM, Frank Swarbrick wrote:
I have a curious question about MFA on z/OS. Does each login require a different token?
Meaning, if I log on to TSO and to CICS, can I use the same token? I ask because I log
on and off to various CICS regions throughout the day, and I'd hate to have to get a new
token for each login. (We don't use MFA right now, except for our mainframe
"outsourcer" teams (Kyndryl).)
I wish that you could just "logon to VTAM," as it were, and it would log you in
to each VTAM application you use. I don't think this is available right now, correct me
if I'm wrong!
Frank
________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Timothy
Sipples <[email protected]>
Sent: Thursday, February 29, 2024 11:24 PM
To: [email protected] <[email protected]>
Subject: Re: RACF, external password management
Linda Hagedorn wrote:
This is very promising. Do you know where I can read more about ZMFA?
The documentation landing page is here:
https://www.ibm.com/docs/en/zma
I'm interested in knowing how to configure the external source, and how
the token is passed back to RACF, and how long the token lasts.
For example, if systems programmers are working a problem, we
wouldn't want the token to expire in 3 hrs.
Or does the token last for the duration of the session?
If tso/ispf times out (sysprog is doing research or answering
mgmt questions), will they have to generate a new token?
If for example you’re configuring ZMFA to use an LDAP server as an “external”
factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap
I put the word external in quotation marks because the LDAP server could be
z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine.
And LDAP is just one example. Many “external” and external factors’ interfaces
are supported.
You can configure ZMFA for “out-of-band” authentication so that users obtain
what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for
example). You can choose whether the CTC is reusable and how quickly it expires.
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable
—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
[email protected]
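To make the two CTC policy knobs Timothy names concrete (token timeout and whether the token is reusable), here is an added toy model of a cache-token-credential store; it is constructed for this reply and is not IBM Z MFA code. Names (CtcPolicy, CtcStore) and the sample user and timestamps are assumptions; the model checks the token in constant time, binds it to the user it was issued to, enforces the timeout, and allows a second logon only when the policy says the CTC is reusable.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class CtcPolicy:
    timeout_seconds: int   # how long a CTC stays valid after it is issued
    reusable: bool         # may one CTC satisfy several logons (TSO, CICS, ...)?


@dataclass
class CtcStore:
    policy: CtcPolicy
    # token -> [user, issued_at, already_used]
    _tokens: dict = field(default_factory=dict)

    def issue(self, user: str, now: float) -> str:
        """Out-of-band step succeeded: hand the user a fresh CTC."""
        tok = secrets.token_hex(16)
        self._tokens[tok] = [user, now, False]
        return tok

    def logon(self, user: str, presented: str, now: float) -> bool:
        """One RACF logon attempt presenting a CTC instead of a password."""
        match = None
        for tok in self._tokens:              # no early exit: constant-time compare
            if hmac.compare_digest(tok, presented):
                match = tok
        if match is None:
            return False                      # unknown token
        rec = self._tokens[match]
        if rec[0] != user:
            return False                      # CTC is bound to the user it was issued to
        if now - rec[1] > self.policy.timeout_seconds:
            del self._tokens[match]           # expired: force a new out-of-band round
            return False
        if rec[2] and not self.policy.reusable:
            return False                      # single-use policy: second logon rejected
        rec[2] = True
        return True


def demo() -> dict:
    """Constructed scenario: one CTC, a TSO logon, then a CICS logon (user FRANK is assumed)."""
    single = CtcStore(CtcPolicy(timeout_seconds=3 * 3600, reusable=False))
    t1 = single.issue("FRANK", now=0)
    multi = CtcStore(CtcPolicy(timeout_seconds=3 * 3600, reusable=True))
    t2 = multi.issue("FRANK", now=0)
    return {
        "single_tso": single.logon("FRANK", t1, now=10),
        "single_cics": single.logon("FRANK", t1, now=20),
        "multi_tso": multi.logon("FRANK", t2, now=10),
        "multi_cics": multi.logon("FRANK", t2, now=3600),
        "multi_after_timeout": multi.logon("FRANK", t2, now=3 * 3600 + 1),
    }
```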
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN