Hi all,

I’m an architect/implementor on the IBM Z MFA team since the prehistory / 
notional phase of the product.

If folks would be interested in one or more “office hours” style Q+A sessions 
about the product and its (many, sometimes exotic) features, feel free to reach 
out to me at this address.

No sales touch implied, just a question-driven tour of the tech and design 
philosophy.

-Jared

Jared Hunter
Strategic Architect, Security
Rocket Software, USA
E: jhun...@rocketsoftware.com



Date: Fri, 1 Mar 2024 06:24:45 +0000
From: Timothy Sipples <sipp...@sg.ibm.com>
Subject: Re: RACF, external password management

Linda Hagedorn wrote:
>This is very promising. Do you know where I can read more about ZMFA?

The documentation landing page is here:
https://www.ibm.com/docs/en/zma

>I'm interested in knowing how to configure the external source, and how
>the token is passed back to RACF, and how long the token lasts.
>For example, if systems programmers are working a problem, we
>wouldn't want the token to expire in 3 hrs.
>Or does the token last for the duration of the session?
>If tso/ispf times out (sysprog is doing research or answering
>mgmt questions), will they have to generate a new token?

If for example you’re configuring ZMFA to use an LDAP server as an “external” 
factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap

I put the word external in quotation marks because the LDAP server could be 
z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine. 
And LDAP is just one example. Many “external” and external factors’ interfaces 
are supported.

You can configure ZMFA for “out-of-band” authentication so that users obtain 
what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for 
example). You can choose whether the CTC is reusable and how quickly it expires.

https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com

