I wrote One minute MVS: What is IBM Multi Factor Authentication on z/OS? <https://colinpaice.blog/2024/01/07/one-minute-mvs-what-is-ibm-multi-factor-authentication-on-z-os/> and a series of implementation posts starting with Multi Factor Authentication (MFA): Planning <https://colinpaice.blog/2024/02/03/multi-factor-authenticationmfa-planning/>. I found the MFA product easy to set up and use. I had a few little problems, like ordering the wrong YubiKey, which did not support MFA!
Colin

On Sun, 3 Mar 2024 at 22:22, Jared Hunter <jhun...@rocketsoftware.com> wrote:
> Hi all,
>
> I'm an architect/implementor on the IBM Z MFA team since the prehistory /
> notional phase of the product.
>
> If folks would be interested in one or more "office hours" style Q+A
> sessions about the product and its (many, sometimes exotic) features, feel
> free to reach out to me at this address.
>
> No sales touch implied, just a question-driven tour of the tech and design
> philosophy.
>
> -Jared
>
> Jared Hunter
> Strategic Architect, Security
> Rocket Software, USA
> E: jhun...@rocketsoftware.com
>
>
> Date: Fri, 1 Mar 2024 06:24:45 +0000
> From: Timothy Sipples <sipp...@sg.ibm.com>
> Subject: Re: RACF, external password management
>
> Linda Hagedorn wrote:
> >This is very promising. Do you know where I can read more about ZMFA?
>
> The documentation landing page is here:
> https://www.ibm.com/docs/en/zma
>
> >I'm interested in knowing how to configure the external source, and how
> >the token is passed back to RACF, and how long the token lasts.
> >For example, if systems programmers are working a problem, we
> >wouldn't want the token to expire in 3 hrs.
> >Or does the token last for the duration of the session?
> >If tso/ispf times out (sysprog is doing research or answering
> >mgmt questions), will they have to generate a new token?
>
> If, for example, you're configuring ZMFA to use an LDAP server as an
> "external" factor, then this landing page has further details:
> https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap
>
> I put the word external in quotation marks because the LDAP server could
> be z/OS's LDAP server or some other LDAP server running on the same IBM Z
> machine. And LDAP is just one example. Many "external" and external
> factors' interfaces are supported.
>
> You can configure ZMFA for "out-of-band" authentication so that users
> obtain what's called a "cache token credential" (CTC) to log into RACF (via
> TSO/E for example). You can choose whether the CTC is reusable and how
> quickly it expires.
>
> https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
>
> https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable
>
> -----
> Timothy Sipples
> Senior Architect
> Digital Assets, Industry Solutions, and Cybersecurity
> IBM Z/LinuxONE, Asia-Pacific
> sipp...@sg.ibm.com
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
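As an added illustration of the CTC timeout and reusability settings Timothy points at (this is not code from the thread, Colin's blog, or the IBM Z MFA documentation): the policy is a RACF profile in the MFADEF class, and the two knobs are operands of its MFPOLICY segment. The policy name SYSPROG, the user ID, the factor name AZFLDAP1 and the timeout values are assumptions chosen for the example; confirm the operand names, the allowed TOKENTIMEOUT range and the factor name against the ZMFA 2.3 documentation for your release before issuing them.

```tso
/* Added example, not from the original post or the product docs.      */
/* Assumes the LDAP factor has already been defined as AZFLDAP1 and    */
/* activated, and that the MFADEF class is active and RACLISTed.       */

/* Policy for people working a long problem: the CTC may be presented  */
/* more than once (REUSE(YES)) and lives for one hour (seconds).       */
RDEFINE MFADEF POLICY.SYSPROG +
   MFPOLICY(FACTORS(AZFLDAP1) TOKENTIMEOUT(3600) REUSE(YES))

/* Tighter variant for the same policy: single-use CTC that expires    */
/* after five minutes, so a captured token is worth little.            */
RALTER MFADEF POLICY.SYSPROG +
   MFPOLICY(TOKENTIMEOUT(300) REUSE(NO))

/* Attach the policy to a user; the user's MFA segment must list the   */
/* factor the policy names, otherwise the policy cannot be satisfied.  */
ALTUSER COLIN MFA(POLICY(ADDPOLICY(SYSPROG)))

/* Pick up the new and changed MFADEF profiles.                        */
SETROPTS RACLIST(MFADEF) REFRESH

/* Check what you actually defined.                                    */
RLIST MFADEF POLICY.SYSPROG MFPOLICY
LISTUSER COLIN MFA NORACF
```

The trade-off the sysprog question raises lives entirely in those two operands: a long TOKENTIMEOUT with REUSE(YES) is convenient across TSO/ISPF time-outs but widens the window in which a leaked CTC is usable, while REUSE(NO) with a short timeout makes each logon cost a fresh out-of-band authentication.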