I have a curious question about MFA on z/OS.  Does each login require a 
different token?  Meaning, if I log on to TSO and to CICS, can I use the same 
token?  I ask because I log on and off to various CICS regions throughout the 
day, and I'd hate to have to get a new token for each login.  (We don't use MFA 
right now, except for our mainframe "outsourcer" teams, Kyndryl.)

I wish that you could just "logon to VTAM," as it were, and it would log you in 
to each VTAM application you use.  I don't think this is available right now, 
correct me if I'm wrong!

Frank
________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Timothy Sipples <sipp...@sg.ibm.com>
Sent: Thursday, February 29, 2024 11:24 PM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: Re: RACF, external password management

Linda Hagedorn wrote:
>This is very promising. Do you know where I can read more about ZMFA?

The documentation landing page is here:
https://www.ibm.com/docs/en/zma

>I'm interested in knowing how to configure the external source, and how
>the token is passed back to RACF, and how long the token lasts.
>For example, if systems programmers are working a problem, we
>wouldn't want the token to expire in 3 hrs.
>Or does the token last for the duration of the session?
>If tso/ispf times out (sysprog is doing research or answering
>mgmt questions), will they have to generate a new token?

If for example you’re configuring ZMFA to use an LDAP server as an “external” 
factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap

I put the word external in quotation marks because the LDAP server could be 
z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine. 
And LDAP is just one example. Many “external” and external factors’ interfaces 
are supported.

You can configure ZMFA for “out-of-band” authentication so that users obtain 
what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for 
example). You can choose whether the CTC is reusable and how quickly it expires.

https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
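To make the two policy knobs above concrete (and to answer the "one token for TSO and several CICS regions" question in the reply), here is an added, constructed Python model of a cache token credential policy; it is not code from the thread, from RACF or from IBM's ZMFA, and the class names, user ID "FRANK", application names and timings are all assumptions. The real product's behaviour is governed by the token-timeout and reusable-CTC policy settings linked above.

```python
from dataclasses import dataclass
import secrets


@dataclass
class CtcPolicy:
    reusable: bool          # may one CTC authenticate more than one logon?
    timeout_seconds: int    # CTC lifetime, measured from when it was issued


@dataclass
class CtcRecord:
    user: str
    issued_at: int
    used: bool = False


class MfaServerModel:
    """Constructed model of the server side: issues CTCs out of band
    and validates them when RACF asks (e.g. on a TSO/E or CICS logon)."""

    def __init__(self, policy: CtcPolicy):
        self.policy = policy
        self._cache: dict[str, CtcRecord] = {}

    def issue_ctc(self, user: str, now: int) -> str:
        # Out-of-band step: the user has already satisfied the real factors.
        ctc = secrets.token_hex(8)
        self._cache[ctc] = CtcRecord(user, now)
        return ctc

    def validate(self, user: str, ctc: str, now: int) -> tuple[bool, str]:
        rec = self._cache.get(ctc)
        if rec is None or rec.user != user:
            return False, "unknown token"           # never issued, or not to this user
        if now - rec.issued_at > self.policy.timeout_seconds:
            del self._cache[ctc]
            return False, "expired"                 # token timeout policy
        if rec.used and not self.policy.reusable:
            return False, "already used"            # reusable-CTC policy is off
        rec.used = True
        return True, "ok"


def logon_sequence(policy: CtcPolicy, applications: list[str],
                   start: int = 0, step: int = 600) -> list[tuple[str, bool, str]]:
    """One user obtains a single CTC, then logs on to each application in
    turn, `step` seconds apart. Returns (application, accepted, reason)."""
    srv = MfaServerModel(policy)
    ctc = srv.issue_ctc("FRANK", start)
    results = []
    for i, app in enumerate(applications):
        ok, why = srv.validate("FRANK", ctc, start + i * step)
        results.append((app, ok, why))
    return results
```

With a reusable CTC and a generous timeout every logon in the sequence succeeds; with a single-use CTC only the first one does, and with a short timeout the later logons are refused even when reuse is allowed.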


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
