MFA Install and Customization


IBM MFA

2.2

IBM Z Multi-Factor Authentication


Installation and Customization

IBM

SC27-8447-41
 
Note
Before using this information and the product it supports, read the information in “Notices” on page
327.

This edition applies to Version 2 Release 2 of IBM Z Multi-Factor Authentication (product number 5655-MA1) and to all
subsequent releases and modifications until otherwise indicated in new editions.
© Copyright International Business Machines Corporation 2016, 2022.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
© Rocket Software, Inc. 2016, 2022.
Contents

Tables.................................................................................................................. ix

About this information........................................................................................ xiii

How to send your comments to IBM......................................................................xv


If you have a technical problem.................................................................................................................xv

Summary of changes.......................................................................................... xvii


Summary of changes................................................................................................................................ xvii

Chapter 1. Preparing for IBM MFA.......................................................................... 1

Chapter 2. IBM MFA examples................................................................................3

Chapter 3. Customizing IBM MFA........................................................................... 5


Customization overview .............................................................................................................................. 5

Chapter 4. System programming steps................................................................... 7


Copy SAZFEXEC(AZFEXEC) .........................................................................................................................7
Customize AZFEXEC.....................................................................................................................................7
Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)........................................................................ 7
Authorize the Load Library...........................................................................................................................7
Add SAZFLOAD to the link list......................................................................................................................8
Update SCHEDxx PARMLIB program properties.........................................................................................8
Set the WLM service class........................................................................................................................... 8

Chapter 5. RACF administration steps.................................................................... 9


Define a user for AZF services AZF#IN00 started task.............................................................................. 9
Define a profile for AZFSTC in the STARTED Class....................................................................................10
Define a resource profile in MFADEF class for the started task............................................................... 10
RACLIST and activate MFADEF class........................................................................................................ 11
Define a resource profile in FACILITY class.............................................................................................. 11
Authorize access to IRR.RFACTOR.MFADEF.AZFSTC profile....................................................................11
Configure RACF for mixed case................................................................................................................. 12

Chapter 6. IBM MFA configuration roadmap..........................................................13

Chapter 7. Configuring IBM MFA STC configuration attributes............................... 21


Configure IBM MFA STC configuration attributes..................................................................................... 21
Configuring IBM MFA cache token sharing..........................................................................................25
Changing the caching mode C entries................................................................................................. 26
Enabling strict PCI compliance mode....................................................................................................... 27

Chapter 8. Configuring CSFSERV Resource Profiles...............................................29

Chapter 9. Configuring a PKCS#11 token.............................................................. 31

Chapter 10. Configuring IBM MFA web services configuration attributes................35

Define a user for AZF web services AZF#IN01 started task.................................................................... 35
Define a profile for AZFWEB in the STARTED Class.................................................................................. 36
Configure an AT-TLS profile....................................................................................................................... 36
Define a resource profile in FACILITY class.............................................................................................. 40
Authorize access to IRR.RFACTOR.USER profile...................................................................................... 41
Authorize access to IRR.DIGTCERT.LISTRING profile..............................................................................41
Configure IBM MFA web services started task......................................................................................... 41
Start the IBM MFA web services started task........................................................................................... 44

Chapter 11. Configuring IBM MFA Out-of-Band authentication.............................. 45


Configure IBM MFA web service started task for IBM MFA Out-of-Band................................................ 47
Create and manage multi-factor authentication policies......................................................................... 47
Define a resource profile in FACILITY class.............................................................................................. 49
Authorize access to IRR.RFACTOR.POLICY.POLICY-NAME profile...........................................................50
Activate and deactivate users for IBM MFA Out-of-Band authentication................................................50

Chapter 12. Configuring IBM MFA for RSA SecurID............................................... 51


Additional RACF administration steps for SecurID...................................................................................51
Define a resource profile in MFADEF class.......................................................................................... 51
Define a resource profile in FACILITY class........................................................................................ 51
Authorize access to IRR.RFACTOR.MFADEF.AZFSIDP1 profile.......................................................... 52
Additional system programming steps for SecurID..................................................................................52
Allocate SDCONF.REC data set............................................................................................................ 52
Allocate node secret data set.............................................................................................................. 53
Copy sdconf.rec to SDCONF.REC data set........................................................................................... 53
Optionally, create SDOPTS.REC file..................................................................................................... 53
Configure SecurID parameters............................................................................................................ 54
Start the IBM MFA services started task............................................................................................. 55
Configure IBM MFA Compound In-Band............................................................................................. 56
Administration and operation steps for SecurID...................................................................................... 58
Activate and deactivate users for IBM MFA SecurID.......................................................................... 58
Clear the node secret........................................................................................................................... 59
Print IBM MFA statistics....................................................................................................................... 59
Disaster recovery for IBM MFA with SecurID............................................................................................59

Chapter 13. Configuring IBM MFA for RSA SecurID Authentication API..................61


Additional RACF administration steps for RSA SecurID Authentication API........................................... 61
Define a resource profile in MFADEF class.......................................................................................... 61
Define a resource profile in FACILITY class........................................................................................ 61
Authorize access to IRR.RFACTOR.MFADEF.AZFSIDP3 profile.......................................................... 62
Additional system programming steps for RSA SecurID Authentication API.......................................... 62
Configure RSA SecurID Authentication API........................................................................................ 62
Configure SecurID Authentication API parameters............................................................................ 63
Start the IBM MFA services started task............................................................................................. 64
Configure IBM MFA Compound In-Band............................................................................................. 65
Administration and operation steps for SecurID Authentication API...................................................... 67
Activate and deactivate users for IBM MFA SecurID Authentication API.......................................... 67

Chapter 14. Configuring IBM MFA for TOTP........................................................... 69


Additional RACF administration steps for TOTP....................................................................................... 69
Define a resource profile in MFADEF class.......................................................................................... 69
Define resource profiles in FACILITY class..........................................................................................69
Authorize access to IRR.RFACTOR.MFADEF.AZFTOTP1 profile..........................................................70
Additional system programming steps for TOTP...................................................................................... 70
Configure AZFTOTP1............................................................................................................................ 70
Start the IBM MFA services started task............................................................................................. 74
Next Steps: Configure IBM MFA Compound In-Band......................................................................... 75

Administration and operation steps for TOTP...........................................................................................76
Configure a TOTP profile for users....................................................................................................... 76
Configure TOTP for users..................................................................................................................... 78
Activating a user when SUSPENDED is YES.........................................................................................79
Re-registering a user for TOTP.............................................................................................................79

Chapter 15. Configuring IBM MFA certificate authentication..................................81


Additional RACF administration steps for certificate authentication.......................................................81
Define a resource profile in MFADEF class.......................................................................................... 81
Define a resource profile in FACILITY class........................................................................................ 81
Authorize access to IRR.RFACTOR.MFADEF.AZFCERT1 profile..........................................................82
Additional system programming steps for certificate authentication......................................................82
Import root CA certificate of client certificate chain...........................................................................82
Configure client (mutual) authentication.............................................................................................83
Configure IBM MFA web service started task for Certificate Authentication..................................... 85
Configure Certificate Authentication................................................................................................... 85
Start the IBM MFA services started task............................................................................................. 87
Administration and operation steps for Certificate Authentication......................................................... 88
Activate and deactivate users for Certificate Authentication............................................................. 88
Approve user certificates..................................................................................................................... 89

Chapter 16. Configuring IBM MFA for generic RADIUS...........................................91


Additional RACF administration steps for generic RADIUS......................................................................91
Define a resource profile in MFADEF class.......................................................................................... 91
Define a resource profile in FACILITY class........................................................................................ 91
Authorize access to IRR.RFACTOR.MFADEF.AZFRADP1 profile......................................................... 92
Authorize access to resource profiles for shared secret.....................................................................92
Additional system programming steps for generic RADIUS.....................................................................93
Configure generic RADIUS................................................................................................................... 93
Start the IBM MFA services started task............................................................................................. 95
Configure IBM MFA Compound In-Band............................................................................................. 97
Administration and operation steps for generic RADIUS......................................................................... 98
Activate and deactivate users for generic RADIUS............................................................................. 98
Clear the shared secret........................................................................................................................ 99

Chapter 17. Configuring IBM MFA for SafeNet RADIUS........................................ 101


Additional RACF administration steps for SafeNet RADIUS...................................................................102
Define a resource profile in MFADEF class........................................................................................ 102
Define a resource profile in FACILITY class...................................................................................... 102
Authorize access to IRR.RFACTOR.MFADEF.AZFSFNP1 profile....................................................... 103
Authorize access to resource profiles for shared secret...................................................................103
Additional system programming steps for SafeNet RADIUS..................................................................104
Configure SafeNet RADIUS................................................................................................................ 104
Start the IBM MFA services started task........................................................................................... 106
Configure IBM MFA Compound In-Band........................................................................................... 107
Administration and operation steps for SafeNet RADIUS...................................................................... 109
Activate and deactivate users for SafeNet RADIUS.......................................................................... 109
Clear the shared secret...................................................................................................................... 110

Chapter 18. Configuring IBM MFA for RSA SecurID RADIUS.................................111


Additional RACF administration steps for RSA SecurID RADIUS...........................................................111
Define a resource profile in MFADEF class........................................................................................ 111
Define a resource profile in FACILITY class...................................................................................... 112
Authorize access to IRR.RFACTOR.MFADEF.AZFSIDR1 profile........................................................112
Authorize access to resource profiles for shared secret...................................................................112
Additional system programming steps for RSA SecurID RADIUS..........................................................113
Configure RSA SecurID RADIUS........................................................................................................ 113

Start the IBM MFA services started task........................................................................................... 115
Configure IBM MFA Compound In-Band........................................................................................... 116
Administration and operation steps for RSA SecurID RADIUS.............................................................. 118
Activate and deactivate users for RSA SecurID RADIUS.................................................................. 118
Clear the shared secret...................................................................................................................... 119

Chapter 19. Configuring IBM MFA for IBM Security Verify Access.........................121


Additional RACF administration steps for IBM Security Verify Access.................................................. 121
Define a resource profile in MFADEF class........................................................................................ 121
Define a resource profile in FACILITY class...................................................................................... 121
Authorize access to IRR.RFACTOR.MFADEF.AZFISAM1 profile....................................................... 122
Additional system programming steps for IBM Security Verify Access................................................. 122
Configure IBM MFA for IBM Security Verify Access.......................................................................... 122
Start the IBM MFA services started task........................................................................................... 126
Configure IBM MFA Compound In-Band........................................................................................... 127
Administration and operation steps for IBM Security Verify Access..................................................... 128
Activate and deactivate users for IBM Security Verify Access......................................................... 128
Activating a user when SUSPENDED is YES...................................................................................... 130

Chapter 20. Configuring LDAP............................................................................ 131


Additional RACF administration steps for LDAP..................................................................................... 131
Define a resource profile in MFADEF class........................................................................................ 131
Define a resource profile in FACILITY class...................................................................................... 131
Authorize access to IRR.RFACTOR.MFADEF.AZFLDAP1 profile....................................................... 132
Additional system programming steps for LDAP.................................................................................... 132
Configure LDAP...................................................................................................................................132
Start the IBM MFA services started task........................................................................................... 134
Configure IBM MFA Compound In-Band........................................................................................... 135
Administration and operation steps for LDAP........................................................................................ 137
Activate and deactivate users for LDAP............................................................................................ 137

Chapter 21. Configuring Yubico OTP................................................................... 139


Additional RACF administration steps for Yubico OTP........................................................................... 139
Define a resource profile in MFADEF class........................................................................................ 139
Define a resource profile in FACILITY class...................................................................................... 139
Authorize access to IRR.RFACTOR.MFADEF.AZFYUBI1 profile........................................................140
Additional system programming steps for Yubico OTP.......................................................................... 140
Configure Yubico OTP.........................................................................................................................140
Start the IBM MFA services started task........................................................................................... 141
Configure IBM MFA Compound In-Band........................................................................................... 142
Administration and operation steps for Yubico OTP...............................................................................144
Creating a .csv configuration file..................................................................................................... 144
Allowing users to self-enroll their tokens..........................................................................................145
Enrolling tokens for users.................................................................................................................. 148

Chapter 22. Configuring IBM MFA generic RADIUS to authenticate with IBM Security Verify...... 151

Starting a trial of IBM Security Verify...................................................................................................... 151
Configuring an IBM Security Verify API client.........................................................................................152
Configuring IBM Security Verify Users.................................................................................................... 152
Configuring IBM Security Verify authentication factors......................................................................... 153
Configuring IBM Verify Gateway for RADIUS.......................................................................................... 153
Configuring IBM Verify Gateway for RADIUS for password authentication..................................... 155
Configuring IBM Verify Gateway for RADIUS for IBM Verify.............................................................155
Configuring IBM Verify Gateway for RADIUS for SMS message with an OTP...................................157
Starting the IBM Verify Gateway for RADIUS service.............................................................................158
Configuring generic RADIUS for IBM Security Verify..............................................................................158

Chapter 23. Configuring check CTC.....................................................................159
Additional RACF administration steps for check CTC.............................................................................160
Define a resource profile in MFADEF class........................................................................................ 160
Define a resource profile in FACILITY class...................................................................................... 160
Authorize access to IRR.RFACTOR.MFADEF.AZFCKCTC profile....................................................... 160
Additional system programming steps for check CTC............................................................................161
Configure check CTC.......................................................................................................................... 161
Start the IBM MFA services started task........................................................................................... 163
Configure IBM MFA Compound In-Band........................................................................................... 164
Administration and operation steps for check CTC................................................................................ 165
Activate and deactivate users check CTC..........................................................................................165

Chapter 24. Configuring IBM MFA for ELF............................................................167


Configure IBM MFA for ELF......................................................................................................................167

Chapter 25. Configuring IBM MFA Password Authentication................................ 169


Additional RACF administration steps for IBM MFA Password Authentication..................................... 169
Define a resource profile in MFADEF class........................................................................................ 169
Define a resource profile in FACILITY class...................................................................................... 170
Authorize access to IRR.RFACTOR.MFADEF.AZFPASS1 profile........................................................170
Administration and operation steps for IBM MFA Password Authentication........................................ 170
Configure IBM MFA Password Authentication.................................................................................. 170
Activate and deactivate users for IBM MFA Password Authentication............................................ 171

Chapter 26. Configuring Password Fallback........................................................173

Chapter 27. Configuring multiple instances of a factor........................................ 175


Additional RACF administration steps for multiple instances................................................................175
Define a resource profile in MFADEF class........................................................................................ 175
Define a resource profile in FACILITY class...................................................................................... 176
Authorize access to IRR.RFACTOR.MFADEF.FACTOR-NAMEsuffix profile........................................ 176
Additional system programming steps for multiple instances...............................................................177
Configure the instance of a factor......................................................................................................177
Start the IBM MFA services started task........................................................................................... 177
Administration and operation steps for multiple instances................................................................... 179
Activate and deactivate users for multiple instance factors.............................................................179
Create and manage policies for multiple instance factors............................................................... 180

Chapter 28. Configuring bulk provisioning users for IBM MFA.............................. 183

Chapter 29. Changing a user password with an identity token............................. 187

Chapter 30. Changing a user password with web interface..................................189

Chapter 31. Resetting a user password...............................................................191

Chapter 32. Configure TOTP for users................................................................. 193

Chapter 33. Configuring IBM HTTP Server - Powered by Apache for IBM MFA...... 195
Configure a PKCS#11 token.................................................................................................................... 195
Special considerations for sub-requests...........................................................................................198
Configure IBM HTTP Server - Powered by Apache.................................................................................198

Chapter 34. IBM CL/SuperSession for z/OS........................................................ 201

Chapter 35. Using IBM MFA with PassTickets......................................................203

Chapter 36. Bypassing IBM MFA......................................................................... 207


Bypassing IBM MFA for applications.......................................................................................................207
Determining relevant authentication information.............................................................................208
Additional specificity through ACL and UACC................................................................................... 208
Bypassing IBM MFA for applications by application name............................................................... 208
Bypassing IBM MFA for applications by ID....................................................................................... 209

Chapter 37. Translating IBM MFA messages and HTML........................................ 211

Chapter 38. Resource profile authorization reference......................................... 213

Chapter 39. Configuring IBM MFA for high availability......................................... 217

Chapter 40. Removing all IBM MFA factors for a user.......................................... 219

Chapter 41. Invalidating a user's CTCs............................................................... 221

Chapter 42. Modifying component trace levels....................................................223

Chapter 43. Troubleshooting IBM MFA ............................................................... 225

Chapter 44. Using a specific TCP/IP stack...........................................................229

Chapter 45. Migrating from Version 1 Release 3 to Version 2 Release 0................ 231

Chapter 46. Migrating from Version 1 Release 2 to Version 1 Release 3................ 233

Chapter 47. Multi-Factor Authentication messages............................................. 235
Messages with AZF message numbers................................................................................................... 235

Appendix A. AT-TLS policy example....................................................................297

Appendix B. IBM MFA SMF Record type 83 subtype 7 records..............................301

Appendix C. IBM MFA web API request/response formats.................................. 307
apiInfo – API information service........................................................................................................... 308
policyPrompt – Policy information prompt service................................................................................ 309
policyAuth – Policy authentication service............................................................................................. 315
checkCTC – Check cached token validity service................................................................................... 321

Appendix D. Accessibility...................................................................................323
Accessibility features.............................................................................................................................. 323
Consult assistive technologies................................................................................................................ 323
Keyboard navigation of the user interface.............................................................................................. 323
Dotted decimal syntax diagrams.............................................................................................................323

Notices..............................................................................................................327
Trademarks.............................................................................................................................................. 328

Index................................................................................................................ 329

Tables

1. Required Ports............................................................................................................................................... 1

2. Overview of steps for customizing IBM MFA................................................................................................ 5

3. Required levels of permission.....................................................................................................................11

4. IBM MFA Configuration Roadmap...............................................................................................................13

5. Required Configuration Steps..................................................................................................................... 15

6. MFA Services Started Task ......................................................................................................................... 21

7. CSFSERV Resource Profiles........................................................................................................................ 29

8. CSFSERV Resource Profiles When CHECKAUTH is YES............................................................................. 29

9. Web Services Started Task .........................................................................................................................41

10. Types of Factors........................................................................................................................................ 46

11. Required levels of permission.................................................................................................................. 52

12. AZFSIDP1 Factor Attributes..................................................................................................................... 54

13. Valid Separator Characters....................................................................................................................... 57

14. Required levels of permission.................................................................................................................. 62

15. AZFSIDP3 Factor Attributes..................................................................................................................... 63

16. Valid Separator Characters....................................................................................................................... 66

17. Required levels of permission.................................................................................................................. 70

18. AZFTOTP1 Factor Attributes.....................................................................................................................71

19. Valid Separator Characters....................................................................................................................... 75

20. Available TOTP Tags..................................................................................................................................77

21. Required levels of permission.................................................................................................................. 82

22. AZFCERT1 Factor Attributes..................................................................................................................... 85

23. Required levels of permission.................................................................................................................. 92

24. Required User Authorization.....................................................................................................................92

25. AZFRADP1 Factor Attributes ................................................................................................................... 93

26. Valid Separator Characters....................................................................................................................... 97

27. TSO/E Logon Options for SafeNet Quick Log..........................................................................................101

28. TSO/E Logon Options for SafeNet Challenge-Response........................................................................101

29. Required levels of permission................................................................................................................ 103

30. Required User Authorization.................................................................................................................. 103

31. AZFSFNP1 Factor Attributes ..................................................................................................................104

32. Valid Separator Characters.....................................................................................................................108

33. Required levels of permission................................................................................................................ 112

34. Required User Authorization.................................................................................................................. 112

35. AZFSIDR1 Factor Attributes .................................................................................................................. 113

36. Valid Separator Characters.....................................................................................................................117

37. Required levels of permission................................................................................................................ 122

38. AZFISAM1 Factor Attributes ..................................................................................................................124

39. Valid Separator Characters.....................................................................................................................127

40. Required levels of permission................................................................................................................ 132

41. AZFLDAP1 Factor Attributes ..................................................................................................................133

42. Valid Separator Characters.....................................................................................................................136

43. Required levels of permission................................................................................................................ 140

44. AZFYUBI1 Factor Attributes .................................................................................................................. 140

45. Valid Separator Characters.....................................................................................................................143

46. azfyubi1_ingest Parameters...................................................................................................................145

47. Required levels of permission................................................................................................................ 160

48. AZFCKCTC Factor Attributes ..................................................................................................................161

49. Valid Separator Characters.....................................................................................................................164

50. Required levels of permission................................................................................................................ 170

51. AZFPASS1 Factor Attributes...................................................................................................................171

52. Required levels of permission................................................................................................................ 176

53. azfbulk Parameters.................................................................................................................................184

54. Input File Authentication-Method-Specific Parameters....................................................................... 184

55. Resource Profiles.................................................................................................................................... 195

56. Required profile access for sub-requests.............................................................................................. 198

57. Required levels of permission................................................................................................................ 204

58. Bypass Scenarios.................................................................................................................................... 207

59. Required User Authorization.................................................................................................................. 213

60. CSFSERV Resource Profiles When CHECKAUTH is YES.........................................................................215

61. Resource Profiles.................................................................................................................................... 215

62. IBM MFA Trace Levels.............................................................................................................................223

63. Record type 83 subtype 7 security section............................................................................................301

64. Table 2. RACF SMF record relocate section format............................................................................... 304

65. Table 3. RACF SMF type 83 subtype 2 and above relocates................................................................. 304

66. MFADEF AUDIT profiles.......................................................................................................................... 306

67. Type and Attribute Values...................................................................................................................... 307

68. apiInfo request........................................................................................................................................308

69. apiInfo successful response...................................................................................................................308

70. apiInfo JSON response objects.............................................................................................................. 308

71. policyPrompt request............................................................................................................................. 309

72. policyPrompt successful response.........................................................................................................309

73. policyPrompt JSON response objects....................................................................................................310

74. Shared policyPrompt and policyAuth JSON response objects..............................................................311

75. policyPromptResponse return/reason codes........................................................................................ 312

76. policyAuth request..................................................................................................................................315

77. policyAuth successful response............................................................................................................. 315

78. policyAuth JSON request objects...........................................................................................................315

79. policyAuth JSON response objects........................................................................................................ 316

80. policyAuthResponse return/reason codes.............................................................................................318

81. policyAuthFactorResponse return/reason codes.................................................................................. 318

82. checkCTC request................................................................................................................................... 321

83. checkCTC successful response.............................................................................................................. 321

84. checkCTC JSON request objects............................................................................................................ 321

85. checkCTC JSON response objects......................................................................................................... 322

86. checkCTC request return/reason codes.................................................................................................322

About this information
This book provides instructions for customizing and using IBM® Z Multi-Factor Authentication, which is
referred to in this document as IBM MFA. The book is designed to help system administrators, security
administrators, and operators customize the product following installation.
This book assumes that readers have a working knowledge of:
• The z/OS operating system
• RACF
• ISPF
• Authentication mechanisms
• PKCS#11 tokens
• z/OS Communications Server Application Transparent Transport Layer Security (AT-TLS)
• TSO/E, z/OS Management Facility, and all other applications you use together with IBM MFA.
For installation information, refer to IBM Z Multi-Factor Authentication Program Directory, which is
included in the product package.
To find the complete z/OS library, go to https://www.ibm.com/docs/en/zos.

© Copyright IBM Corp. 2016, 2022 xiii


xiv  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization
How to send your comments to IBM
We appreciate your input on this publication. Feel free to comment on the clarity, accuracy, and
completeness of the information or provide any other feedback that you have.
Use one of the following methods to send your comments:
1. Send an email to mhvrcfs@us.ibm.com.
2. Send an email from the Contact z/OS web page at https://www.ibm.com/it-infrastructure/z/zos.
Include the following information:
• Your name and address.
• Your email address.
• Your telephone or fax number.
• The publication title and order number:
IBM Z® Multi-Factor Authentication Installation and Customization
SC27-8447-41
• The topic and page number that is related to your comment.
• The text of your comment.
When you send comments to IBM, you grant IBM a nonexclusive right to use or distribute the comments
in any way appropriate without incurring any obligation to you.
IBM or any other organizations use the personal information that you supply to contact you only about the
issues that you submit.

If you have a technical problem
Do not use the feedback methods that are listed for sending comments. Instead, take one of the following
actions:
• Contact your IBM service representative.
• Call IBM technical support.
• Visit the IBM Support Portal at https://www.ibm.com/mysupport/s/?language=en_US.

Summary of changes
This information includes terminology, maintenance, and editorial changes. Technical changes or
additions to the text and illustrations for the current edition are indicated by a vertical line to the left
of the change.

Summary of changes
Changes made to IBM MFA for Version 2 Release 2.

New
The following information is new.
Version 2.2 September 2022 refresh
• When configuring bulk provisioning for users, the azfprov1.sh script invokes azfbulkcmd.sh,
which allows you to make any needed customizations if you are using an ESM other than RACF. No
changes to azfbulkcmd.sh are required if you are using RACF. This change is described in Chapter
28, “Configuring bulk provisioning users for IBM MFA,” on page 183.
• Chapter 28, “Configuring bulk provisioning users for IBM MFA,” on page 183 also makes clear
that you need to have UPDATE access to the system security manager FACILITY class profile
IRR.RFACTOR.USER to update the user factor data.
• Chapter 35, “Using IBM MFA with PassTickets,” on page 203 is updated with additional information
about how the application performs a SAF RACROUTE REQUEST=VERIFY request.
Version 2.2
• Chapter 27, “Configuring multiple instances of a factor,” on page 175 is added in this release.
• The RSA SecurID Authentication API authentication factor is added in this release, as described in
Chapter 13, “Configuring IBM MFA for RSA SecurID Authentication API,” on page 61.
• Auto approval of user's enrolled certificates is added in this release, as described in “Configure
Certificate Authentication” on page 85 and “Approve user certificates” on page 89.
• The ability to reset a user's password is added in this release, as described in Chapter 31,
“Resetting a user password,” on page 191.
• The ability to invalidate CTCs associated with a user is added in this release, as described in Chapter
41, “Invalidating a user's CTCs,” on page 221.
• Enable Client Token Display is added to the IBM MFA web services started settings, as
described in “Configure IBM MFA web services started task” on page 41.
• Enable Dynamic Instance Names is added in this release, as described in “Configure IBM MFA STC
configuration attributes” on page 21.
Version 2.1 April 2021 refresh
• The description of Use Single-key Encryption in “Configure AZFTOTP1” on page 70 is
updated to clarify that if disabled, a new TKDS object is created to hold the TOTP secret for each
new enrolling user.
Version 2.1 March 2021 refresh
• Chapter 33, “Configuring IBM HTTP Server - Powered by Apache for IBM MFA,” on page 195 is
updated to clarify that only one PKCS#11 token is required and what access is needed.
• “Special considerations for sub-requests” on page 198 is added.

• Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29 is updated to say that adding
specific profiles over generic profiles could effectively remove access required by an existing user or
application, and to review the profiles that are already in place in your environment.
• “Configure an AT-TLS profile” on page 36 is updated with additional context in the certificate steps.
• “Changing the caching mode C entries” on page 26 is added.
Version 2.1 January 2021 refresh
• Chapter 6, “IBM MFA configuration roadmap,” on page 13 is updated with Table 5 on page 15 to
assist with configuration planning.
• “Set the WLM service class” on page 8 is added to describe setting the MVS workload
management (WLM) service class.
• “AZF6025E” on page 269 is added.

Chapter 1. Preparing for IBM MFA

Before you begin to customize IBM MFA, take note of the following prerequisites. The prerequisites are
described in detail in the relevant sections of this guide, and are summarized here for your convenience.
You might need to coordinate with other systems-level and network support staff to satisfy these
prerequisites.

Maintenance
Apply all maintenance that is available for IBM MFA and for RACF from the IBM website at
http://www.ibm.com/support/mysupport.
Be sure to apply the relevant PTFs for APAR OA54460. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54460.) Without this APAR, IBM MFA Compound
In-Band authentication fails if the password is entered in lowercase.

Required ports
Determine whether you need to allocate the ports shown in Table 1 on page 1. The three ports must be
different.

Table 1. Required Ports

Port Name: Server Port Number
Description: This is a listener port that facilitates internal communication between internal
services. Important: You do not configure this port in AT-TLS.
When Needed: This port is always needed.

Port Name: Server Authentication Port
Description: This is the port number on which the IBM MFA web server listens. The port must match
the one configured in AT-TLS. This port must be configured with server authentication (HandshakeRole
is Server) in the AT-TLS configuration.
When Needed: You must allocate this port before you can use IBM MFA web services.

Port Name: Mutual Authentication Port
Description: Certificate Authentication requires that AT-TLS be configured for client (mutual)
authentication on a dedicated port. The port must match the one configured in AT-TLS. This port
must be configured with client authentication (HandshakeRole is ServerWithClientAuth, ClientAuthType
is Required) in the AT-TLS configuration.
When Needed: You must allocate this port before you can use Certificate Authentication. Certificate
Authentication itself requires IBM MFA Out-of-Band.
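The following Python script is an added example, not part of this manual or of the product, that checks an AT-TLS policy fragment against the requirements in Table 1: the three ports are distinct, the Server Port Number is not covered by any TTLSRule, the rule for the Server Authentication Port references a TTLSEnvironmentAction with HandshakeRole Server, and the rule for the Mutual Authentication Port references one with HandshakeRole ServerWithClientAuth whose TTLSEnvironmentAdvancedParms sets ClientAuthType Required. The policy fragment, the rule and action names (AZFServerRule, AZFMutualRule, AZFServerEnv, AZFMutualEnv, AZFMutualAdv) and the port numbers are constructed for the example; the parser handles only the statement layout shown (one parameter per line, braces on their own lines), not the full AT-TLS policy syntax, and a real policy also needs keyring, group action and other statements that this check ignores.

```python
"""Check an AT-TLS policy fragment against the IBM MFA port requirements in Table 1."""

# Constructed AT-TLS policy fragment (assumed names and ports, not from the manual).
SAMPLE_POLICY = """
TTLSRule AZFServerRule
{
  LocalPortRange 6789
  Direction Inbound
  TTLSEnvironmentActionRef AZFServerEnv
}
TTLSRule AZFMutualRule
{
  LocalPortRange 6790
  Direction Inbound
  TTLSEnvironmentActionRef AZFMutualEnv
}
TTLSEnvironmentAction AZFServerEnv
{
  HandshakeRole Server
}
TTLSEnvironmentAction AZFMutualEnv
{
  HandshakeRole ServerWithClientAuth
  TTLSEnvironmentAdvancedParmsRef AZFMutualAdv
}
TTLSEnvironmentAdvancedParms AZFMutualAdv
{
  ClientAuthType Required
}
"""


def parse_policy(text):
    """Parse the fragment into {(statement_type, name): {parameter: value}}."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # policy comments start with '#'
        if line.endswith("{"):                    # tolerate "Type Name {" on one line
            line = line[:-1].strip()
        if not line or line == "{":
            continue
        if line == "}":
            current = None
            continue
        parts = line.split(None, 1)
        if current is None:                       # statement header: "<Type> <Name>"
            if len(parts) != 2:
                raise ValueError(f"unexpected statement header: {raw!r}")
            current = (parts[0], parts[1])
            blocks[current] = {}
        else:                                     # parameter line: "<Parameter> <Value>"
            blocks[current][parts[0]] = parts[1] if len(parts) == 2 else ""
    return blocks


def rule_for_port(blocks, port):
    """Return (name, parameters) of the TTLSRule whose LocalPortRange is exactly this port."""
    for (stype, name), params in blocks.items():
        if stype == "TTLSRule" and params.get("LocalPortRange") == str(port):
            return name, params
    return None, None


def check_role(blocks, port, want_role, want_client_auth):
    """Check the HandshakeRole (and, if requested, ClientAuthType) behind a port's rule."""
    name, rule = rule_for_port(blocks, port)
    if rule is None:
        return [f"no TTLSRule covers port {port}"]
    env = blocks.get(("TTLSEnvironmentAction", rule.get("TTLSEnvironmentActionRef", "")))
    if env is None:
        return [f"rule {name} references no TTLSEnvironmentAction"]
    findings = []
    role = env.get("HandshakeRole")
    if role != want_role:
        findings.append(f"port {port}: HandshakeRole is {role}, expected {want_role}")
    if want_client_auth:
        # ClientAuthType lives in the TTLSEnvironmentAdvancedParms the action references.
        adv = blocks.get(("TTLSEnvironmentAdvancedParms",
                          env.get("TTLSEnvironmentAdvancedParmsRef", "")))
        cat = adv.get("ClientAuthType") if adv else None
        if cat != want_client_auth:
            findings.append(f"port {port}: ClientAuthType is {cat}, expected {want_client_auth}")
    return findings


def check_ports(blocks, server_port, server_auth_port, mutual_auth_port):
    """Return a list of findings; an empty list means the fragment meets Table 1."""
    findings = []
    if len({server_port, server_auth_port, mutual_auth_port}) != 3:
        findings.append("the three ports must be different")
    # The Server Port Number is an internal listener and must not be configured in AT-TLS.
    name, _ = rule_for_port(blocks, server_port)
    if name:
        findings.append(f"server port {server_port} must not be configured in AT-TLS (rule {name})")
    findings += check_role(blocks, server_auth_port, "Server", None)
    findings += check_role(blocks, mutual_auth_port, "ServerWithClientAuth", "Required")
    return findings


if __name__ == "__main__":
    for finding in check_ports(parse_policy(SAMPLE_POLICY), 6788, 6789, 6790) or ["policy OK"]:
        print(finding)
```

Run the check against the policy you intend to activate before starting the IBM MFA started tasks; a mutual-authentication port whose ClientAuthType is left at a weaker value is reported, as is a Server Port Number that has accidentally been given a TTLSRule.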

General configuration prerequisites
• All data you enter in IBM MFA panels must be in host code page IBM-1047. All IBM MFA tag values set
with the ALU command must also be in host code page IBM-1047. When translating EBCDIC into ASCII
to send to an external server the translation is performed using host code page IBM-1047 and server
code page ISO-8859-1. This may have implications if you are using other code pages when specifying
the host data.
• If you are using Internet Explorer to access IBM MFA HTML pages, Internet Explorer version 11.x or
later (or a related compatibility mode) is required.

Chapter 2. IBM MFA examples

IBM MFA includes comprehensive examples that you can use to configure IBM MFA.
Follow the instructions in the examples to specify your installation-specific settings. The following
examples are provided:
• SYS1.SAZFSAMP(AZFRACFX)
– Preparing to manage STC and factor settings using the MFADEF and FACILITY classes.
– Preparing IBM MFA to use PKCS#11 for cryptography, using the CRYPTOZ and CSFSERV classes.
– MFADEF policy configuration examples.
– Creating an example Public Key Infrastructure using RACF, consisting of
- A new CA certificate, the root of trust for IBM MFA services and users.
- A new end-entity certificate for IBM MFA web services.
• SYS1.SAZFSAMP(AZFTTLSX)
– Sample AT-TLS rule definitions for IBM MFA. This example includes a sample AZFClientRule rule that
you can use with the following authentication factors:
- AZFCKCTC
- AZFISAM1
- AZFLDAP1 (when connecting to a secure LDAP port)
- AZFRADP1 (when using RADIUS over TCP)

Chapter 3. Customizing IBM MFA

After you complete the installation instructions in the Program Directory for IBM Multi-Factor
Authentication for z/OS, you should apply all maintenance that is available for the product from the IBM
website at http://www.ibm.com/support/mysupport. Then you must customize the core product. For more
information about customization, refer to the following topics:
• “Customization overview ” on page 5
• Chapter 4, “System programming steps,” on page 7
• Chapter 5, “RACF administration steps,” on page 9
• Chapter 6, “IBM MFA configuration roadmap,” on page 13

Customization overview
Complete the customization steps to tailor IBM MFA for your environment.
The following table provides a summary of the steps involved with customization.

Table 2. Overview of steps for customizing IBM MFA

Step Description
1 “Copy SAZFEXEC(AZFEXEC) ” on page 7
2 “Customize AZFEXEC” on page 7
3 “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7
4 “Authorize the Load Library” on page 7
5 “Add SAZFLOAD to the link list” on page 8
6 “Update SCHEDxx PARMLIB program properties” on page 8
7 “Define a user for AZF services AZF#IN00 started task” on page 9
8 “Define a profile for AZFSTC in the STARTED Class” on page 10
9 “Define a resource profile in MFADEF class for the started task” on page 10
10 “RACLIST and activate MFADEF class” on page 11
11 “Define a resource profile in FACILITY class” on page 11
12 “Authorize access to IRR.RFACTOR.MFADEF.AZFSTC profile” on page 11

Chapter 4. System programming steps
After you install IBM MFA, you must complete several steps to customize the product for your
environment.
These customization steps must be completed before you run IBM MFA for the first time.

Copy SAZFEXEC(AZFEXEC)
Copy the SAZFEXEC(AZFEXEC) member to a data set in your SYSEXEC concatenation.

Procedure
1. Browse the SAZFEXEC data set in the target library.
2. Copy the member AZFEXEC to a data set in your SYSEXEC concatenation. You can use the TSO
ISRDDN command from ISPF to view the current data set allocations, including the SYSEXEC
concatenation.
3. Verify the change.

Customize AZFEXEC
Customize the azfhlq parameter of the AZFEXEC member of the data set.

Procedure
1. Edit the AZFEXEC member of the data set in your SYSEXEC concatenation.
2. Change the azfhlq parameter to the high-level qualifier (HLQ) used where you installed IBM MFA.
3. Save the change.

Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)
Copy AZF#IN00 and AZF#IN01 to the PROCLIB from which you run started tasks. AZF#IN00 is for the
IBM MFA services started task, which provides the IBM MFA main logic. AZF#IN01 is for the web services
started task, which provides the TOTP registration function, certificate authentication, and out-of-band
authentication.

Procedure
1. Copy the AZF#IN00 and AZF#IN01 members of the SAZFSAMP data set in the target library to the
PROCLIB from which you run started tasks.
2. Browse the PROCLIB to ensure the AZF#IN00 and AZF#IN01 members are there.

Authorize the Load Library
Make sure the load library containing the IBM MFA load modules is APF authorized. The PROGxx parmlib
member contains the names of program libraries that you want the system to define as authorized with
the Authorized Program Facility (APF). The APF statement defines the format and contents of the APF list.

Procedure
1. Add the following line to the APF section of your PROGxx parmlib member:

APF ADD DSNAME(HLQ.SAZFLOAD) SMS

where HLQ is the high-level qualifier (HLQ) used where you installed IBM MFA.

2. Verify the change. The IBM MFA started tasks check for APF authorization on startup.

Add SAZFLOAD to the link list
Add SAZFLOAD to your system link list.

Procedure
1. Add the following line to your SYS1.PARMLIB(PROGxx) member:

HLQ.SAZFLOAD,

where HLQ is the high-level qualifier (HLQ) used where you installed IBM MFA.
2. Update your system link list dynamically.

Update SCHEDxx PARMLIB program properties
Update the SCHEDxx parmlib properties to identify the program, AZFSTCMN, that requires special
attributes. The PPT statement specifies a list of programs that require special attributes.

Procedure
1. Edit the SYS1.PARMLIB(SCHEDxx) member that defines program properties.
2. Add the following entry:

PPT PGMNAME(AZFSTCMN) /* MULTI-FACTOR AUTH */
    KEY(2)            /* PROTECTION KEY */
    NOSWAP            /* NON-SWAPABLE */
    CANCEL            /* CANCELABLE */

3. Save the changes.
4. Activate the change.

SET SCH=xx

where xx are the last two characters of the SCHEDxx PARMLIB member.
5. Display the PPT changes and verify them:

D PPT

Set the WLM service class
Create an MVS workload management (WLM) classification rule for the IBM MFA started tasks.

About this task
IBM recommends that you use the following classifications:
• Explicitly classify AZF#IN00 to service class SYSSTC.
• Explicitly classify AZF#IN01 to either an installation-defined high-importance service class, or to
service class SYSSTC.
As described in z/OS MVS Planning: Workload Management, if a started task is not explicitly assigned to a
service class, WLM manages the started task using an installation-defined default STC classification
rule, if one exists; if no default STC classification rule exists, the started task is assigned to the
SYSSTC service class. The IBM MFA started tasks must have a high dispatching priority to provide
authentication services for the system.

Chapter 5. RACF administration steps
After you complete the initial system programming steps, you must perform RACF administration steps.

Define a user for AZF services AZF#IN00 started task
Define a user for the AZF services AZF#IN00 started task. In this document, AZFSTC is the user.

Procedure
1. Define a user for the AZF services started task with the following properties:
• No passphrase or password
• Owned by a suitable started task group
• PROTECTED
• No TSO segment
• An OMVS segment with a unique user ID
For example:

USER=AZFSTC NAME=STCFORMFA OWNER=STCGROUP CREATED=15.257
DEFAULT-GROUP=STCGROUP PASSDATE=N/A PASS-INTERVAL=N/A
PHRASEDATE=N/A
ATTRIBUTES=PROTECTED
REVOKEDATE=NONE RESUMEDATE=NONE
LAST-ACCESS=15.282/13:36:54
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
ANYDAY ANYTIME
GROUP=STCGROUP AUTH=USE CONNECT-OWNER=STCGROUP CONNECT-DATE=15.257
CONNECTS=123 UACC=NONE LAST-CONNECT=15.282/13:36:54
CONNECT ATTRIBUTES=GRPACC
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED

NO TSO INFORMATION

OMVS INFORMATION
----------------
UID= 0000015100
CPUTIMEMAX= NONE
ASSIZEMAX= NONE
FILEPROCMAX= NONE
PROCUSERMAX= NONE
THREADSMAX= NONE
MMAPAREAMAX= NONE

2. Save the change.


3. To verify the user information, you can use a command such as the following:

LU AZFSTC OMVS

4. If you want to audit successful authentications with SMF record type 83 subtype 7 records, set the
UAUDIT attribute on the started task user ID. See Appendix B, “IBM MFA SMF Record type 83 subtype 7
records,” on page 301 for information on SMF record type 83 subtype 7 records, and z/OS Security Server
RACF Macros and Interfaces for information on SMF records.
Note: Authentication failures always result in the generation of SMF type 83 subtype 7 records, whether
or not UAUDIT is set.

© Copyright IBM Corp. 2016, 2022 9


Define a profile for AZFSTC in the STARTED Class
Define a profile in the RACF STARTED class to ensure that the IBM MFA address space has the proper
level of authority.

Procedure
1. Define a profile in the STARTED class. For example, RLIST STARTED AZFSTC.** STDATA shows a profile
that assigns the AZFSTC user and STCGROUP group to the address space and gives it neither the TRUSTED
nor the PRIVILEGED attribute:

CLASS      NAME
-----      ----
STARTED    AZFSTC.** (G)

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    STCGROUP         NONE            NONE      NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
NONE

AUDITING
--------
FAILURES(READ)

NOTIFY
------
NO USER TO BE NOTIFIED

STDATA INFORMATION
------------------
USER= AZFSTC
GROUP= STCGROUP
TRUSTED= NO
PRIVILEGED= NO
TRACE= NO

2. Verify the change.

Define a resource profile in MFADEF class for the started task


You define IBM MFA factors by creating a general resource profile for the factor name in the MFADEF
class. To define a factor for the IBM MFA services started task, use RDEFINE to create a resource profile
named FACTOR.AZFSTC in the MFADEF class.

About this task

Procedure
1. Activate generic profile checking and command processing for the MFADEF class.

SETROPTS GENERIC(MFADEF) GENCMD(MFADEF)

2. Define the factors in the MFADEF class:

RDEF MFADEF FACTOR.AZFSTC OWNER(userid or group-name)

RACLIST and activate MFADEF class
RACLIST and activate the MFADEF class. The MFADEF class must be active before a user can log on with
IBM MFA.

Procedure
1. RACLIST and activate the MFADEF class:

SETROPTS RACLIST(MFADEF) CLASSACT(MFADEF)

2. Verify the change.

Define a resource profile in FACILITY class


To define authorization to execute the panels for IBM MFA services administration, use RDEFINE to create
a resource profile named IRR.RFACTOR.MFADEF.AZFSTC in the FACILITY class.

Procedure
1. Define the factors in the FACILITY class for AZFSTC:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFSTC OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the changes. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFSTC

Authorize access to IRR.RFACTOR.MFADEF.AZFSTC profile


Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFSTC profile. The
user ID of the IBM MFA web services started task (AZFWEB in the example below) requires READ access to
this profile.

Procedure
1. Allow the access shown in Table 3 on page 11:

Table 3. Required levels of permission

Permission               Access
READ                     Able to view configuration options, but may not update, create, or delete
                         parameters.
UPDATE, CONTROL, ALTER   Able to create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFSTC ACCESS(UPDATE) CLASS(FACILITY) ID(user)


PERMIT IRR.RFACTOR.MFADEF.AZFSTC ACCESS(READ) CLASS(FACILITY) ID(AZFWEB)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.
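The RACF definitions from the procedures in this chapter, collected into one batch TSO job so that they can be rerun and the SYSTSPRT output kept as a record. This is an added example and is not from the IBM manual. AZFSTC, STCGROUP, FACTOR.AZFSTC, IRR.RFACTOR.MFADEF.AZFSTC and AZFWEB are the names this chapter uses; the JOB statement, the OMVS UID 15100 with HOME('/') and PROGRAM('/bin/sh'), the administrator user ID MFAADMIN, and STCGROUP as owner of the MFADEF and FACILITY profiles are assumptions to replace with your installation's values. The job also assumes the STARTED class is already active, RACLISTed and generic, as it is on most systems.

```jcl
//AZFRACF  JOB (ACCT),'MFA RACF SETUP',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Added example, not part of the IBM manual: the RACF definitions
//* from Chapter 5 for the AZF#IN00 started task, run as a batch TSO
//* step so the commands are repeatable and SYSTSPRT keeps a record.
//* Assumed values (replace with your own): the JOB statement, OMVS
//* UID 15100, HOME('/') and PROGRAM('/bin/sh'), the administrator
//* ID MFAADMIN, and STCGROUP as owner of the MFADEF/FACILITY profiles.
//* Assumes the STARTED class is active, RACLISTed and generic.
//*-------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 ADDUSER  AZFSTC NAME('STC FOR MFA') OWNER(STCGROUP) +
          DFLTGRP(STCGROUP) NOPASSWORD NOPHRASE +
          OMVS(UID(15100) HOME('/') PROGRAM('/bin/sh'))
 LISTUSER AZFSTC OMVS
 RDEFINE  STARTED AZFSTC.** OWNER(STCGROUP) UACC(NONE) +
          STDATA(USER(AZFSTC) GROUP(STCGROUP) TRUSTED(NO) +
          PRIVILEGED(NO) TRACE(NO))
 SETROPTS RACLIST(STARTED) REFRESH
 RLIST    STARTED AZFSTC.** STDATA
 SETROPTS GENERIC(MFADEF) GENCMD(MFADEF)
 RDEFINE  MFADEF FACTOR.AZFSTC OWNER(STCGROUP)
 SETROPTS RACLIST(MFADEF) CLASSACT(MFADEF)
 RDEFINE  FACILITY IRR.RFACTOR.MFADEF.AZFSTC OWNER(STCGROUP) UACC(NONE)
 PERMIT   IRR.RFACTOR.MFADEF.AZFSTC CLASS(FACILITY) ID(MFAADMIN) +
          ACCESS(UPDATE)
 PERMIT   IRR.RFACTOR.MFADEF.AZFSTC CLASS(FACILITY) ID(AZFWEB) +
          ACCESS(READ)
 SETROPTS RACLIST(FACILITY) REFRESH
 RLIST    FACILITY IRR.RFACTOR.MFADEF.AZFSTC AUTHUSER
/*
```

ADDUSER with NOPASSWORD and NOPHRASE is what makes the user ID PROTECTED, and leaving out the TSO segment keeps it from logging on interactively; the RLIST AUTHUSER at the end prints the access list so the READ for AZFWEB and UPDATE for MFAADMIN can be confirmed in the job output. The two optional decisions in this chapter are deliberately left out: add ALTUSER AZFSTC UAUDIT only if you want successful authentications in SMF type 83 subtype 7, and treat SETROPTS PASSWORD(MIXEDCASE) as a separate change after the review described under "Configure RACF for mixed case". Check the step return code; a non-zero SYSTSPRT return code usually means a profile already existed or the submitter lacks the RACF authority for one of the commands.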

Configure RACF for mixed case
IBM generally recommends that you enable mixed-case passwords if you use IBM MFA in-band
authentication. If mixed-case passwords are not enabled, you may encounter problems successfully
authenticating in-band if the factor credential values contain lowercase characters. This section describes
important considerations for mixed-case passwords.

About this task


Mixed-case credentials are often expected when using many authentication servers, such as RSA SecurID
or RADIUS. When authenticating with in-band authentication, IBM MFA passes authentication requests
made using RACF through to these servers, which means that a mixed-case credential value must be
accepted by RACF and passed on to IBM MFA.
If the mixed-case credential is a passphrase (9 or more characters), RACF always accepts it and passes it
through. If the mixed-case credential is a password (8 or fewer characters), SETROPTS
PASSWORD(MIXEDCASE) must be enabled for RACF to accept it and pass it through unchanged.
The SETROPTS PASSWORD(MIXEDCASE) option allows mixed-case passwords for all users of all
applications on this system and on every system that shares the RACF database.
Important considerations for mixed-case passwords
Mixed-case passwords may be undesirable in the following situations:
• Not all applications support mixed-case passwords. These applications may expect lower case
passwords to be converted to uppercase character in RACF. If your applications do not support mixed-
case passwords, do not activate the SETROPTS PASSWORD(MIXEDCASE) option.
• If mixed-case passwords are not feasible in your environment, consider using IBM MFA Out-of-Band
authentication request to obtain a cache token credential (CTC), which is not dependent on the
SETROPTS PASSWORD(MIXEDCASE) option, and use the token to perform the authentication request.
• You do not need mixed-case passwords if the authentication server to which IBM MFA passes an
authentication request generates only uppercase credentials that contain 8 or fewer characters.
• You do not need mixed-case passwords if the authentication server to which IBM MFA passes an
authentication request generates only mixed-case credentials that contain 9 or more characters.
Note: Carefully plan your application updates and password rule changes before activating MIXEDCASE.
Once MIXEDCASE is activated, subsequently issuing the SETROPTS PASSWORD(NOMIXEDCASE)
command might cause unintended results. When you reset to NOMIXEDCASE, users who have mixed-
case or lowercase passwords will be unable to enter the system until you reset their passwords. See z/OS
Security Server RACF Security Administrator's Guide for details.

Procedure
1. Enter the following command to enable mixed-case password in RACF:

SETROPTS PASSWORD(MIXEDCASE)

2. Verify the changes.

Chapter 6. IBM MFA configuration roadmap
Before you begin to configure IBM MFA, take note of the configuration roadmap.

What you must always configure


You must always perform the following configuration:
• Follow the steps in Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21 to
configure the attributes for the AZF#IN00 started task. At a minimum, you must specify the cache name
and the number of cache entries.
• Configure the CSFSERV resource profiles, as described in Chapter 8, “Configuring CSFSERV Resource
Profiles,” on page 29. At a minimum, you must allow access for the administrator who executes the
panels.

What you might have to configure


Important: IBM MFA features both in-band authentication, in which the user presents the credentials
directly into the application, and IBM MFA Out-of-Band authentication, which allows a user to
authenticate outside of the z/OS authentication process through a web browser. Important differences
between in-band and IBM MFA Out-of-Band authentication are discussed in Chapter 11, “Configuring IBM
MFA Out-of-Band authentication,” on page 45.
Depending on what authentication factors you use, and whether you use IBM MFA Out-of-Band
authentication, you might have to configure the following items:
• A PKCS#11 token and ICSF, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.
• Access to the CSFSERV resource profiles for the AZF#IN01 web services started task user ID, as
described in Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
• IBM MFA web services configuration attributes, as described in Chapter 10, “Configuring IBM MFA web
services configuration attributes,” on page 35.
• AT-TLS, as described in “Configure an AT-TLS profile” on page 36.

Configuration roadmap
The configuration roadmap is shown in Table 4 on page 13. The configuration steps are described in
Table 5 on page 15.

Table 4. IBM MFA Configuration Roadmap

Column key: STC = STC configured/started needed?; Cache = cache name and entries needed?;
Web = web services configured/started needed?; PKCS#11 = PKCS#11 and ICSF needed? (1);
AT-TLS = AT-TLS needed? Numbers in parentheses refer to the notes below the table.

Authentication Method                     STC   Cache   Web     PKCS#11   AT-TLS
Out-of-band (any authentication method)   Y     Y       Y       Y         Y
SecurID in-band                           Y     Y       N       N (2)     N
RSA SecurID Authentication API in-band    Y     Y       N       Y         Y
TOTP in-band                              Y     Y       Y (3)   Y         Y
SafeNet RADIUS in-band                    Y     Y       N       Y         N
Generic RADIUS in-band                    Y     Y       N       Y         N
RSA SecurID RADIUS in-band                Y     Y       N       Y         N
Yubico OTP in-band                        Y     Y       Y (4)   Y         Y (4)
IBM Security Verify Access in-band        Y     Y       N       Y         Y (5)
LDAP in-band                              Y     Y       N       N         Y (5)
Certificate (requires out-of-band)        Y     Y       Y       Y         Y
Password (requires out-of-band)           Y     Y       Y       Y         Y
Express Logon Feature                     Y     Y       Y (6)   Y         Y (7)

Notes:
1. CEXnC cryptographic coprocessor hardware is not required.
2. Not generally needed, but required if using the IBM HTTP Server - Powered by Apache plug-in.
3. Needed for TOTP account enrollment.
4. Needed for Yubico OTP self-enrollment. Not needed if the administrator enrolls YubiKey tokens for
users.
5. Requires an outbound AT-TLS rule with the HandshakeRole role of Client.
6. Express Logon Facility (ELF) does not itself require IBM MFA web services. However, if IBM MFA
web services are not available and configured for mutual authentication within the scope of the RACF
database, provision user certificates with the bulk provisioning utilities.
7. Requires ELF TN3270 AT-TLS configuration.

Table 5 on page 15 summarizes the configuration steps you must perform for each authentication type,
and provides links to the relevant sections.

Table 5. Required Configuration Steps

Out-of-band (any authentication method)
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Access to the CSFSERV resource profiles for the AZF#IN01 web services started task user ID, as
      described in Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   5. Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.
   6. “Configure an AT-TLS profile” on page 36.
   7. Chapter 11, “Configuring IBM MFA Out-of-Band authentication,” on page 45.

SecurID in-band
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 12, “Configuring IBM MFA for RSA SecurID,” on page 51.

RSA SecurID Authentication API in-band
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Access to the CSFSERV resource profiles for the AZF#IN01 web services started task user ID, as
      described in Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   5. “Configure an AT-TLS profile” on page 36.
   6. Chapter 13, “Configuring IBM MFA for RSA SecurID Authentication API,” on page 61.

TOTP in-band
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Access to the CSFSERV resource profiles for the AZF#IN01 web services started task user ID, as
      described in Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   5. Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.
   6. “Configure an AT-TLS profile” on page 36.
   7. Chapter 14, “Configuring IBM MFA for TOTP,” on page 69.

SafeNet RADIUS in-band
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Chapter 17, “Configuring IBM MFA for SafeNet RADIUS,” on page 101.

Generic RADIUS in-band
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Chapter 16, “Configuring IBM MFA for generic RADIUS,” on page 91.

SecurID RADIUS in-band
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Chapter 18, “Configuring IBM MFA for RSA SecurID RADIUS,” on page 111.

Yubico OTP in-band (administrator enrolls token)
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Chapter 21, “Configuring Yubico OTP,” on page 139.

Yubico OTP in-band (users enroll tokens)
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Access to the CSFSERV resource profiles for the AZF#IN01 web services started task user ID, as
      described in Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   5. Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.
   6. “Configure an AT-TLS profile” on page 36.
   7. Chapter 21, “Configuring Yubico OTP,” on page 139.

IBM Security Verify Access in-band
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. “Configure an AT-TLS profile” on page 36.
   5. Chapter 19, “Configuring IBM MFA for IBM Security Verify Access,” on page 121.

LDAP in-band
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. “Configure an AT-TLS profile” on page 36.
   5. Chapter 20, “Configuring LDAP,” on page 131.

Certificate (requires out-of-band)
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Access to the CSFSERV resource profiles for the AZF#IN01 web services started task user ID, as
      described in Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   5. Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.
   6. Chapter 11, “Configuring IBM MFA Out-of-Band authentication,” on page 45.
   7. “Configure an AT-TLS profile” on page 36.
   8. Chapter 15, “Configuring IBM MFA certificate authentication,” on page 81.

Password (requires out-of-band)
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Access to the CSFSERV resource profiles for the AZF#IN01 web services started task user ID, as
      described in Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   5. Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.
   6. “Configure an AT-TLS profile” on page 36.
   7. Chapter 11, “Configuring IBM MFA Out-of-Band authentication,” on page 45.

Express Logon Feature in-band
   1. Chapter 7, “Configuring IBM MFA STC configuration attributes,” on page 21.
   2. Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   3. Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   4. Access to the CSFSERV resource profiles for the AZF#IN01 web services started task user ID, as
      described in Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29.
   5. Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.
   6. “Configure an AT-TLS profile” on page 36.
   7. Chapter 24, “Configuring IBM MFA for ELF,” on page 167.

Chapter 7. Configuring IBM MFA STC configuration
attributes
You must configure the STC configuration attributes.
The STC configuration attributes panel contains the settings for the IBM MFA services started task. The
IBM MFA services address space:
• Provides IBM MFA main logic.
• Accesses IBM MFA data in the RACF database via SAF/RACF.
• Validates user-provided credentials using RACF IBM MFA data and external IBM MFA sources.
• Validates IBM MFA data using administrator-initiated provisioning.
• Provides an anchor for communications for factors.
• Tracks states for user authentication events.
• Provides a cache of token credentials generated during out-of-band authentication.

IBM MFA STC configuration requirements


Before you configure IBM MFA STC, refer to the configuration roadmap in Chapter 6, “IBM MFA
configuration roadmap,” on page 13.

Configure IBM MFA STC configuration attributes


You must configure the IBM MFA STC Configuration Attributes panel.

Procedure
1. Execute AZFEXEC and enter STC.
2. Provide the following to configure the IBM MFA Services started task:

Table 6. MFA Services Started Task

Initial Trace Level
   Allowed values: 0 through 3
   Choose the initial trace level. Valid values are 0 through 3, where the higher number increases the
   level of verbosity. The default is 0.

Cache Token Sharing
   Allowed values:
   • N (The cache is not shared between systems. This is the default.)
   • X (The cache is shared using cross system coupling facility (XCF) server messaging.)
   • C (The cache is shared using the coupling facility.)
   Enter an allowed value. See “Configuring IBM MFA cache token sharing” on page 25 for additional
   information.

Cache Name
   Allowed values: A-Z, 0-9, @, #, $
   Enter an 8-character (maximum) name of your choice for the cache. Must be set. The cache name
   must be unique for each RACF database.

Number of cache entries
   Allowed values: Numeric value in the range of 1024 - 1048576
   Enter the number of allowed cache entries. The default is 1024. Must be set.
   The number of cache entries represents the number of distinct cache entries to store in the coupling
   facility when Cache Token Sharing is set to C.
   Every time a user authenticates, a new cache entry is created. An entry remains in the cache until
   one of two things happens:
   • It is found to be expired during the periodic cache sweep to clean up expired entries.
   • It represents a non-reusable Cache Token Credential (CTC) and is used. (Reusable CTC entries
     remain in the cache until the first sweep after they have expired.)
   If you are using the Cache Token Sharing option of C, IBM recommends that the number of cache
   entries be large enough to allow for users obtaining multiple CTCs.
   If the Cache Token Sharing option is N or X, the number of entries is ignored. The number of entries
   is limited only by the region size. Each LPAR may contain copies of the entire cache.
   As a reference, when stored in main memory, each cache entry is 256 bytes in size. When stored in
   the coupling facility, each entry is 1024 bytes in size.
   See the section "Determining the sizes of the XCF note pad structures" in z/OS MVS Setting Up a
   Sysplex for guidance.

Server Port Number
   Allowed values: Valid port number
   This is a listener port that facilitates internal communication between the IBM MFA web services
   task and the IBM MFA services started task.
   Important: You do not configure this port in AT-TLS.
   You must allocate this port before you can use TOTP and IBM MFA Out-of-Band.
   You can use the NETSTAT PORTLIST command to see which ports are currently in use. Or, from
   SDSF, you can use /D TCPIP,tcpip stack name,NETSTAT,PORTLIST to see which ports are currently
   in use.
   Note: The Server Port Number is referred to in related log messages as "IPC Services Port."

Default Policy Name
   Allowed values: Valid policy name
   This optional setting must identify a valid policy that has only the AZFCERT1 certificate
   authentication factor. Creating policies is described in “Create and manage multi-factor
   authentication policies” on page 47. The default policy applies only to IBM MFA for ELF. See
   Chapter 24, “Configuring IBM MFA for ELF,” on page 167 for information.

Enable Strict PCI Compliance Mode
   Allowed values: Y or N
   See “Enabling strict PCI compliance mode” on page 27 for information about this setting.

Enable Dynamic Instance Names
   Allowed values: Y or N
   Indicates whether IBM MFA dynamically determines the defined factor instance names or uses a
   fixed list of factor instance names.
   When enabled, IBM MFA uses RACROUTE REQUEST=EXTRACT for class MFADEF profiles to
   determine the defined factor instance names. The factor instance name is comprised of the base
   factor name with a 0 to 12 character suffix consisting of the characters A-Z, 0-9, @, $, and #.
   When disabled, IBM MFA uses a limited list of factor instance names. The list includes the base
   factor name with a null suffix or the suffixes #2 to #5. For example, the list of factor instance
   names for AZFRADP1 includes AZFRADP1, AZFRADP1#2, AZFRADP1#3, AZFRADP1#4, and
   AZFRADP1#5. The factor instance names do not need to be contiguous. For example, using
   AZFRADP1#2, AZFRADP1#4, and AZFRADP1#5 would be valid.
   Dynamic Instance Names must be disabled when the system security manager does not support
   the RACROUTE request used by IBM MFA to determine the defined factor instance names.
   The default is Y.

3. Press F3 to save your changes and exit.


4. IBM MFA includes a memory termination resource manager, AZFMFRES. The AZFMFRES module must
be loaded in the z/OS Primary address space (ASID 1) when using caching mode N or X. (AZFMFRES is
not needed when using caching mode C.) You can do this by either of the following methods:
• Add the IBM MFA load library to the IPL system link list.
• Load module AZFMFRES from the IBM MFA load library into dynamic LPA before starting the IBM
MFA services started task.

What to do next
You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task. How to configure these strong authentication factors is described in the
chapters that follow.
• RSA SecurID ACEv5 UDP
• RSA SecurID Auth API (HTTPS)
• TOTP AZFTOTP1

• Certificate AZFCERT1
• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC

Configuring IBM MFA cache token sharing


If you have a coupling facility (CF) configured you can optionally share the IBM MFA cache using the
CF and cross system coupling facility (XCF) Note Pad Services. This section describes the configuration
options.

Choosing a caching mode


IBM MFA provides three caching options for sharing IBM MFA CTC tokens in the sysplex:
Caching mode N
The cache is not shared between systems. This is the default.
Caching mode C
The token cache is shared using the coupling facility. This provides the maximum sharing level:
• Cached tokens persist across failures of an instance of IBM MFA or a sharing system.
• Validation of a token does not require interaction with other sharing systems.
• All systems get the same result when validating a cached token.
• Performance is not affected by the number of cached tokens, the number of sharing systems, or the
responsiveness of sharing systems.
• The token name space (assuming mixed case passwords are enabled) is 62**8.
Caching mode X
The token cache is shared using cross system coupling facility (XCF) server messaging. This meets
basic sharing requirements.
• Cached tokens persist until an instance of IBM MFA or a sharing system fails.
• Validation of a token generated on a remote IBM MFA instance requires an exchange of messages
with that remote instance the first time the token is used. A valid remote token is then cached locally
on the validating IBM MFA instance.
• Systems might not all get the same result when validating a cached token after a remote instance of
IBM MFA has failed or if a messaging timeout occurs.
• Performance might be affected by the number of cached tokens, the number of sharing systems,
and the responsiveness of the sharing systems.
• The token name space (assuming mixed case passwords are enabled) is 62**7.
Deciding between caching modes X and C
Consider the following typical use cases when deciding which caching mode to employ:
• In a basic sysplex, caching mode X might meet your needs.
• In a minimal parallel sysplex, you may choose either caching mode, but you will probably find that X
meets your needs and is easier to implement.
• In a true parallel sysplex, you may choose either caching mode, but you will probably find that the
benefits of C are substantial.

XCF note pad
An XCF note pad is shared storage that can be accessed by programs throughout the sysplex. See z/OS
MVS Setting Up a Sysplex for complete information on XCF Note Pad Services.
Determining if Note pad services are in use
You can use the following command to determine if Note Pad Services are currently in use:

D XCF,NOTEPAD

Note pad structure sizes


See z/OS MVS Setting Up a Sysplex for complete information on XCF Note Pad Services. In particular, see
the section "Determining the sizes of the XCF note pad structures".
Note pad structure names
As described in z/OS MVS Programming: Sysplex Services Guide , the structure names for coupling facility
structures to be used for XCF note pads can be of the following forms:
• IXCNP_SYSXCFxx
• IXCNP_ownerxx
where xx is the EBCDIC representation of a hexadecimal number in the range X'00' to X'FF', and owner is
derived from the note pad name. To explicitly control the MFA CTC cache location preference or attributes,
you can define an owner-specific note pad structure for MFA using the name IXCNP_AZFxx, where xx is
any two characters, such as 00.

Duplexed cache
A duplexed structure generally provides greater availability, because the second copy makes it more
resilient to failure than a simplex structure, which has only one copy. However, a simplex structure
generally provides faster note request response times than a duplexed one. Duplexing preferences are
described in z/OS MVS Programming: Sysplex Services Guide.
If you want the MFA CTC cache to be duplexed you must either:
• Define all of the XCF default note pad structures, named IXCNP_SYSXCFxx, as duplexed.
• Or, define all owner specific note pad structures for MFA as duplexed.

Changing the caching mode C entries


IBM MFA allocates the XCF notepad used for caching mode C as persistent, so that valid authentication
tokens are preserved across a restart of IBM MFA. Because of this, you must take explicit action if you
change the STC cache entries setting to a larger value.
The following z/OS command displays whether the IBM MFA notepad exists, the maximum number of
notes allowed, and what systems are currently connected to an existing notepad:

D XCF,NP,NPNM=AZF.MFACACHE.<name>,SCOPE=DETAIL

where <name> is the STC cache name value.


To change the STC cache entries setting to a larger value, use one of the following two methods:
• Change the IBM MFA STC cache name to a new value at the same time the cache entries is changed to a
larger value. After doing this, then:
1. Stop all instances of the IBM MFA STC that are sharing the cache.
2. Use the z/OS display command to ensure that instances of the IBM MFA STC are not still active.

3. Restart all instances of the IBM MFA STC that were stopped. A notepad with the new cache name
and entries value will be allocated by the first instance that starts.
4. At your convenience, delete the old, smaller, IBM MFA notepad. You can use the JCL found
in SYS1.SAMPLIB(IXCNPDEL) for this purpose. The notepad name will be of the form
AZF.MFACACHE.<old_name>.
• Change the IBM MFA STC cache entries to a larger value. This value will be ignored until you perform the
following steps:
1. Stop all instances of the IBM MFA STC that are sharing the cache.
2. Use the z/OS display command to ensure that instances of the IBM MFA STC are not still active.
3. Delete the existing IBM MFA notepad. You can use the JCL found in SYS1.SAMPLIB(IXCNPDEL) for
this purpose. The notepad name will be of the form AZF.MFACACHE.<old_name>.
4. Restart all instances of the IBM MFA STC that were stopped. A notepad with the new cache entries
value will be allocated by the first instance that starts.

Enabling strict PCI compliance mode


IBM MFA supports the Payment Card Industry Data Security Standard (PCI DSS) through the Enable
Strict PCI Compliance Mode setting. Do not enable this setting unless you are fully aware of the
ramifications: as described below, it deliberately withholds from the user which part of an authentication
failed.

About this task


The following actions are taken for in-band authentication when you enable Strict PCI Compliance Mode:
• All messages that indicate success or failure are modified to be generic.
• Messages that request more information when authentication succeeds are displayed. For example,
if the authentication succeeds but the password has expired, the password expiration message is
displayed.
• Unexpected conditions, server failures, and abends return COULD_NOT_EVALUATE. Messages
associated with the error are ignored and are not returned.
The following actions are taken for IBM MFA Out-of-Band authentication when you enable Strict PCI
Compliance Mode:
• The web page prompts for all factors before validating the user's response and returning a status. If
there is a failure, the user does not know which factor failed.
• Messages returned to the user for an authentication request are suppressed. The user does not know
which factor caused the authentication to fail. However, "need more information" messages generated
after a successful authentication are displayed.
• A cache token credential is always returned, even if the authentication request failed. The user cannot
determine which part of the authentication failed.

Procedure
1. Execute AZFEXEC and enter STC.
2. Set Enable Strict PCI Compliance Mode to Y.
3. Press F3 to save your changes and exit.
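The effect of the two modes is easiest to see as a response-shaping function. The following Python model is an added example, not IBM MFA code: it applies the rules listed above to constructed factor results (the factor names, detail texts, status words and the CTC value are all placeholders) and counts how many distinct responses an observer could tell apart, which is exactly the information the generic messages are meant to remove.

```python
"""Model of what an authentication response reveals with and without Strict
PCI Compliance Mode. Added example, not IBM MFA code: the factor names, the
detail texts, the status words and the CTC value are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FactorResult:
    name: str       # constructed factor name, e.g. "TOTP"
    ok: bool
    detail: str     # factor-specific reason, e.g. "token code expired"


@dataclass(frozen=True)
class AuthResponse:
    status: str
    messages: Tuple[str, ...]
    cache_token: Optional[str]


CTC = "CTC4PCI1"  # constructed placeholder for a cache token credential


def evaluate_out_of_band(results, strict_pci, need_more_info=None):
    """Combine the results of every configured factor into one response.
    need_more_info is a post-success message such as a password-expired
    notice, which strict mode still shows."""
    ok = all(r.ok for r in results)
    if not strict_pci:
        failed = [r for r in results if not r.ok]
        if failed:
            # Names the failing factor(s) and their reasons; no CTC is issued.
            return AuthResponse("FAILED", tuple(f"{r.name}: {r.detail}" for r in failed), None)
        return AuthResponse("SUCCESS", (need_more_info,) if need_more_info else (), CTC)
    # Strict PCI: all factors were prompted for before any was validated, the
    # per-factor messages are suppressed, and a CTC is returned whether or not
    # the request succeeded, so the response does not say which factor failed.
    msgs = (need_more_info,) if ok and need_more_info else ()
    return AuthResponse("EVALUATED", msgs, CTC)


def evaluate_in_band(result, strict_pci, server_error=None, need_more_info=None):
    """Single-factor in-band logon. Strict mode makes the success/failure text
    generic and turns unexpected conditions into COULD_NOT_EVALUATE with the
    associated error messages dropped."""
    if server_error is not None:
        return (AuthResponse("COULD_NOT_EVALUATE", (), None) if strict_pci
                else AuthResponse("ERROR", (server_error,), None))
    extra = (need_more_info,) if result.ok and need_more_info else ()
    if strict_pci:
        return AuthResponse("SUCCESS" if result.ok else "FAILED",
                            ("Authentication processed",) + extra, None)
    if result.ok:
        return AuthResponse("SUCCESS", ("Authentication successful",) + extra, None)
    return AuthResponse("FAILED", (f"{result.name}: {result.detail}",), None)


def distinguishable(responses):
    """How many different responses an observer could tell apart."""
    return len(set(responses))
```

Run `distinguishable` over the responses for "TOTP failed" and "SecurID failed": without strict mode the two responses differ, so the reply itself tells the user (or anyone watching) which factor was wrong; with strict mode they are identical and both still carry a CTC.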

Chapter 7. Configuring IBM MFA STC configuration attributes  27


28  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization
Chapter 8. Configuring CSFSERV Resource Profiles
Configure access to the CSFSERV resource profiles described in this section. Check with your security
administrator before configuring these profiles to ensure that proper security is maintained.

About this task


Allow the CSFSERV resource profile access shown in Table 7 on page 29.
Note: Before you implement the access described in these profiles, review the profiles that are already in
place in your environment. Be mindful of any conflicts and potential security errors with other interfaces
that use these profiles. Adding specific profiles over generic profiles could effectively remove access
required by an existing user or application.

Table 7. CSFSERV Resource Profiles

Resource Profile   Web Services STC User ID   Administrator Who Executes the Panels   PAGENT User ID
----------------   ------------------------   -------------------------------------   --------------
CSFRNG             READ                       READ                                    READ
CSF1SKD            READ                       READ
CSF1SKE            READ                       READ
CSF1TRC            READ                       READ
CSF1TRL            READ                       READ
CSFOWH             READ                       READ
CSF1GSK            READ                       READ
CSFIQA             READ                       READ                                    READ
CSFRNGL            READ                       READ
CSF1HMG            READ                       READ

For example:

PERMIT CSFRNG CLASS(CSFSERV) ID(user-ID) ACC(READ)
SETROPTS RACLIST(CSFSERV) REFRESH

Note: If you create CSF.CSFSERV.AUTH.CSFOWH.DISABLE or CSF.CSFSERV.AUTH.CSFRNG.DISABLE profiles in
the XFACILIT class, the respective SAF checks are disabled, even if the CSFSERV class profiles exist.
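The caveat above about specific profiles overriding generic ones can be checked before the change is made. The following Python model is an added example, not RACF's own matching algorithm: it approximates generic-profile selection (** for zero or more qualifiers, * for characters within one qualifier, % for one character, and the matching profile with the most non-wildcard characters wins), computes the access a user ID ends up with, and reports any required access that falls short. The site-wide CSF* generic, the APPUSER, MFAADMIN and PAGENT user IDs, and the required-access list are constructed.

```python
"""Simplified model of RACF generic-profile matching, to show how adding a
specific CSFSERV profile can silently remove access that an existing user or
application was receiving through a generic profile. Constructed example, not
RACF's algorithm: only ** (zero or more qualifiers), * (characters within one
qualifier) and % (one character) are modelled, and the most specific matching
profile is taken to be the one with the most non-wildcard characters."""
import re

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def profile_regex(profile):
    """Translate a generic profile name into an anchored regular expression."""
    pattern = ""
    for i, qual in enumerate(profile.split(".")):
        if qual == "**":
            # zero or more whole qualifiers (with their leading dot when not first)
            pattern += r"(?:\.[^.]+)*" if i else r"[^.]*(?:\.[^.]+)*"
        else:
            pattern += ("" if i == 0 else r"\.") + \
                re.escape(qual).replace(r"\*", "[^.]*").replace("%", "[^.]")
    return re.compile("^" + pattern + "$")


def best_profile(profiles, resource):
    """Return the most specific profile name covering resource, or None."""
    matches = [p for p in profiles if profile_regex(p).match(resource)]
    if not matches:
        return None
    return max(matches, key=lambda p: sum(c not in "*%" for c in p))


def effective_access(profiles, resource, user):
    """profiles: {name: {"UACC": level, "PERMITS": {user_id: level}}}.
    Returns the access level user gets on resource, or None when no profile
    covers it (what RACF does then depends on class options, not modelled)."""
    name = best_profile(profiles, resource)
    if name is None:
        return None
    prof = profiles[name]
    return prof["PERMITS"].get(user, prof["UACC"])


def missing_access(profiles, requirements):
    """requirements: {(resource, user_id): minimum level}. Returns the
    (resource, user_id, actual) triples that fall short of the minimum."""
    short = []
    for (resource, user), needed in requirements.items():
        actual = effective_access(profiles, resource, user) or "NONE"
        if ACCESS_LEVELS.index(actual) < ACCESS_LEVELS.index(needed):
            short.append((resource, user, actual))
    return short


# Constructed CSFSERV profiles: a site-wide generic that already grants READ to
# an existing application user and to AZFWEB ...
BEFORE = {
    "CSF*": {"UACC": "NONE", "PERMITS": {"APPUSER": "READ", "AZFWEB": "READ"}},
}
# ... and the same site after a specific CSFRNG profile is added for the three
# IDs in Table 7 (MFAADMIN and PAGENT are placeholder user IDs).
AFTER = dict(BEFORE)
AFTER["CSFRNG"] = {"UACC": "NONE",
                   "PERMITS": {"AZFWEB": "READ", "MFAADMIN": "READ", "PAGENT": "READ"}}

# Constructed requirement list: IBM MFA's IDs plus the pre-existing application.
REQUIRED = {("CSFRNG", "AZFWEB"): "READ", ("CSFRNG", "PAGENT"): "READ",
            ("CSFRNG", "APPUSER"): "READ"}
```

`missing_access(AFTER, REQUIRED)` reports that APPUSER lost its READ on CSFRNG: the new specific profile is now the best match and its access list does not mention APPUSER, which is the conflict the note warns about. Running the same check against `BEFORE` shows the opposite gap (PAGENT not yet permitted), so the two runs together give the PERMIT list a change needs.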
Special considerations for CHECKAUTH(YES)
The ICSF CHECKAUTH parameter specifies whether ICSF performs security access control checking of
Supervisor State or System Key callers. (As described in “Update SCHEDxx PARMLIB program properties”
on page 8, AZFSTCMN is in key 2.) If the ICSF started task is started with CHECKAUTH(YES), allow access
to the CSFSERV resource profiles as shown in Table 8 on page 29.

Table 8. CSFSERV Resource Profiles When CHECKAUTH is YES


Resource Profile | IBM MFA Services Started Task User ID (AZFSTC) | Web Services STC User ID (AZFWEB) | TCPIP Started Task User ID
CSFDSG READ
CSFDSV READ
CSFOWH READ
CSFRNG READ READ
CSFRNGL READ READ
CSF1DVK READ
CSF1GAV READ
CSF1GKP READ
CSF1GSK READ
CSF1HMG READ READ
CSF1SKD READ READ READ
CSF1SKE READ
CSF1TRC READ
CSF1TRD READ READ READ
CSF1TRL READ READ
CSFPKI READ

30  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization


Chapter 9. Configuring a PKCS#11 token
PKCS#11 is a programming interface to create and manipulate cryptographic tokens. PKCS#11 tokens
are containers that hold digital certificates and keys. TOTP components that run on z/OS use a PKCS#11
token to generate and manage secret keys, and to perform hash message authentication code (HMAC)
operations.

Before you begin


Before you configure a PKCS#11 token, refer to the configuration roadmap in Chapter 6, “IBM MFA
configuration roadmap,” on page 13.
Important: CEXnC cryptographic coprocessor hardware is not required. The IBM MFA ICSF PKCS#11
support can run in software.
ICSF must be installed, configured, and the ICSF started task started, as described in z/OS Cryptographic
Services ICSF System Programmer's Guide. This procedure requires a VSAM data set called the token data
set (TKDS), which you might not have configured yet. You can add a TKDS data set to an existing
PKCS#11 configuration.
Important: In a SYSPLEX, the RACF database and TKDS must be shared across member LPARs. IBM MFA
requires the TKDS and the RACF database to be shared across member LPARs in the same manner. If they
are not shared identically, errors such as being unable to decrypt shared secret values can occur.
You can add the TKDS data set one LPAR at a time in a SYSPLEX.

About this task


PKCS#11 tokens and objects are stored in the TKDS. The TKDS serves as the repository for persistent
cryptographic keys and certificates used by PKCS#11 applications.
This procedure summarizes the steps to create a PKCS#11 token for your convenience. See z/OS
Cryptographic Services ICSF Administrator's Guide for complete information.
See the introductory chapter of z/OS Cryptographic Services ICSF System Programmer's Guide for token
access information and guidelines.
Access to PKCS#11 tokens in ICSF is controlled by the CRYPTOZ class, with different access levels as well
as a differentiation between standard users and security officers. For each token, there are two resources
in the CRYPTOZ class for controlling access to tokens:
• The resource USER.token_name controls the access of the User role to the token.
• The resource SO.token_name controls the access of the Security Officer (SO) role to the token.
You must create your own PKCS#11 token using RACDCERT ADDTOKEN or the ICSF panels. The token
name you specify in this procedure must match the token name you subsequently use with AZFEXEC.
Important: Troubleshooting IBM MFA CRYPTOZ access problems can be difficult if a governing profile
does not exist. Under some circumstances, such as when the user ID of the web services started task
does not have access to one or more of the profiles in the CRYPTOZ class because the profile does not
exist, ICSF can deny a request without issuing an informative ICHnumber error message, leaving only the
reason code for guidance.
It is recommended that you create a governing CRYPTOZ class profile with a value of ** with a UACC
of NONE. In the absence of a profile that permits access, this restrictive profile causes a message to be
output so that you can determine the missing RACF profile.

RDEFINE CRYPTOZ SO.** UACC(NONE)
RDEFINE CRYPTOZ USER.** UACC(NONE)

If you create this profile, it is further recommended that you also create a profile for
CLEARKEY.SYSTOK-SESSION-ONLY and give READ access to applications that use secure TCP/IP sessions.

Procedure
1. Create the TKDS. A sample job illustrating the definition of the TKDS data set is shipped in
SYS1.SAMPLIB, in member CSFTKD2. Copy, edit, and run the sample job to initialize the TKDS data
set.
2. Edit the ICSF installation options data set in the PARMLIB member for the CSF started task. Set the
TKDSN or SYSPLEXTKDS directives, as appropriate:
• TKDSN identifies the VSAM data set that contains the token data set.
• SYSPLEXTKDS specifies whether the token data set should have sysplex-wide data consistency.
The SYSPLEXTKDS option is in effect only if the TKDSN option has also been specified.
In a sysplex, the required format of this directive is:

SYSPLEXTKDS(YES,FAIL(YES))

where YES specifies that the system is notified of updates made to the TKDS by other members of
the sysplex that have also specified SYSPLEXTKDS(YES,FAIL(fail-option)), and FAIL(YES)
specifies that ICSF initialization terminates abnormally if there is a failure creating the TKDS latch
set.
3. Create the PKCS#11 token using RACDCERT ADDTOKEN.

RACDCERT ADDTOKEN(token_name)

4. Activate the CRYPTOZ class with generics and RACLISTs:

SETROPTS CLASSACT(CRYPTOZ) GENERIC(CRYPTOZ) GENCMD(CRYPTOZ) RACLIST(CRYPTOZ)

5. Create generic profiles in the CRYPTOZ class.

RDEFINE CRYPTOZ SO.** UACC(NONE) OWNER(userid or group-name)
RDEFINE CRYPTOZ USER.** UACC(NONE) OWNER(userid or group-name)

6. Create a profile for the web service server's access to the token you created with RACDCERT
ADDTOKEN.

RDEFINE CRYPTOZ SO.token_name UACC(NONE)

7. Create a profile for the standard user's access to the token you created with RACDCERT ADDTOKEN:

RDEFINE CRYPTOZ USER.token_name UACC(NONE)

8. Give the user ID of the web services started task CONTROL access to the profile that protects the
token, where AZFWEB is the user ID of the web services started task.

PERMIT SO.token_name CLASS(CRYPTOZ) ID(AZFWEB) ACC(CONTROL)

9. Give the user ID of the administrator who executes the panels CONTROL access to the profile that
protects the token.

PERMIT SO.token_name CLASS(CRYPTOZ) ID(user-ID) ACC(CONTROL)

10. Give the user ID of the IBM MFA services started task UPDATE access to the profile that protects the
token, where AZFSTC is the user ID of the IBM MFA services started task.

PERMIT USER.token_name CLASS(CRYPTOZ) ID(AZFSTC) ACC(UPDATE)

11. Give the user ID of the web services started task UPDATE access to the profile that protects the
token, where AZFWEB is the user ID of the web services started task.

PERMIT USER.token_name CLASS(CRYPTOZ) ID(AZFWEB) ACC(UPDATE)

12. Give the user ID of the administrator who executes the panels UPDATE access to the profile that
protects the token.

PERMIT USER.token_name CLASS(CRYPTOZ) ID(user-ID) ACC(UPDATE)

13. Create the CLEARKEY.token-name resource profile.

RDEFINE CRYPTOZ CLEARKEY.token_name UACC(NONE)

14. Give the user ID of the administrator who executes the panels READ access to the profile.

PERMIT CLEARKEY.token_name CLASS(CRYPTOZ) ID(user-ID) ACC(READ)

15. Give the user ID of the IBM MFA services started task READ access to the profile that protects the
token, where AZFSTC is the user ID of the IBM MFA services started task.

PERMIT CLEARKEY.token_name CLASS(CRYPTOZ) ID(AZFSTC) ACC(READ)

16. Refresh the profile for the CRYPTOZ class, so that the changes take effect:

SETROPTS RACLIST(CRYPTOZ) REFRESH

Chapter 10. Configuring IBM MFA web services configuration attributes
You must configure the web services configuration attributes before you can use Certificate
Authentication, TOTP account enrollment, YubiKey self-enrollment, and IBM MFA Out-of-Band.
Important: If you are using only SecurID in-band, or any of the RADIUS factors in-band, you can skip this
chapter.

IBM MFA web services configuration requirements


Before you configure IBM MFA web services refer to the configuration roadmap in Chapter 6, “IBM MFA
configuration roadmap,” on page 13.
Note: As described in Chapter 9, “Configuring a PKCS#11 token,” on page 31, it is recommended that
you create a governing CRYPTOZ class profile with a value of ** with a UACC of NONE. If you create this
profile, it is further recommended that you also create a profile for CLEARKEY.SYSTOK-SESSION-ONLY
and give READ access to applications that use secure TCP/IP sessions.

Define a user for AZF web services AZF#IN01 started task


Define a user for the AZF web services AZF#IN01 started task. In this document, AZFWEB is the user.

Procedure
1. Define a user for the AZF web services started task with the following properties:
• No passphrase or password
• Owned by a suitable started task group
• PROTECTED
• No TSO segment
• An OMVS segment with a unique user ID
For example:

USER=AZFWEB NAME=STCFORMFA OWNER=STCGROUP CREATED=15.257
DEFAULT-GROUP=STCGROUP PASSDATE=N/A PASS-INTERVAL=N/A
PHRASEDATE=N/A
ATTRIBUTES=PROTECTED
REVOKEDATE=NONE RESUMEDATE=NONE
LAST-ACCESS=15.282/13:36:54
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
ANYDAY ANYTIME
GROUP=STCGROUP AUTH=USE CONNECT-OWNER=STCGROUP CONNECT-DATE=15.257
CONNECTS=123 UACC=NONE LAST-CONNECT=15.282/13:36:54
CONNECT ATTRIBUTES=GRPACC
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED

NO TSO INFORMATION

OMVS INFORMATION
----------------
UID= 0000015101
CPUTIMEMAX= NONE
ASSIZEMAX= NONE
FILEPROCMAX= NONE
PROCUSERMAX= NONE
THREADSMAX= NONE
MMAPAREAMAX= NONE

2. Save the change.
3. To verify the user information, you can use a command such as the following:

LU AZFWEB OMVS

4. If you want to audit successful authentications by SMF record type 83 subtype 7 records, you must
specify UAUDIT attributes for the started task user ID. See Appendix B, “IBM MFA SMF Record type 83
subtype 7 records,” on page 301 for information on SMF record type 83 subtype 7 records. See z/OS
Security Server RACF Macros and Interfaces for information on SMF records.
Note: Authentication failures always result in the generation of SMF type 83 subtype 7 records.

Define a profile for AZFWEB in the STARTED Class


Define a profile in the RACF STARTED class to ensure that the IBM MFA address space has the proper
level of authority.

Procedure
1. Define a profile in the STARTED class. For example:

CLASS NAME
----- ----
STARTED AZFWEB.** (G)

LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 STCGROUP NONE NONE NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
NONE

AUDITING
--------
FAILURES(READ)

NOTIFY
------
NO USER TO BE NOTIFIED

STDATA INFORMATION
------------------
USER= AZFWEB
GROUP= STCGROUP
TRUSTED= NO
PRIVILEGED= NO
TRACE= NO

2. Verify the change.

Configure an AT-TLS profile


Configure an AT-TLS profile for HTTPS on the z/OS system you want to use for the IBM MFA web services
started task.

Before you begin


You must satisfy the following prerequisites before you configure an AT-TLS profile:

• You must have already installed and configured z/OS Communications Server and should be familiar
with Application Transparent Transport Layer Security (AT-TLS) policies.
Important: A sample AT-TLS policy is included in SYS1.SAZFSAMP(AZFTTLSX). IBM strongly
recommends that if you are not already familiar with AT-TLS policies, you should start with this sample.
User changeable parameters are indicated by ?XYZ?.
• This procedure assumes that you are using a public CA. It is strongly recommended that you use a
certificate issued by a well-known certificate authority (CA).
• Subject Alternative Name (SAN) is an extension to X.509 that allows multiple values (email addresses,
IP addresses, DNS host names, and so forth) that a certificate should match to be associated with the
certificate using a subjectAltName field. When ordering server certificates to use with IBM MFA web
services, ensure that you specify Subject Alternate Names that cover all names that a user may enter
into their browser to reach the server. For example, assume you have an LPAR named LP13 with two
TCP/IP stacks, and the host names are lp13 and lp13tcpip2. The Subject Alternate Name attributes
should be as follows. The DNS names and IP addresses are for example purposes only.

DNS Name=lp13.yourcompany.com
DNS Name=lp13
DNS Name=lp13tcpip2.yourcompany.com
DNS Name=lp13tcpip2
DNS Name=10.168.54.96
DNS Name=192.168.55.113
IP Address=10.168.54.96
IP Address=192.168.55.113

When you specify Subject Alternate Names, the base Subject Distinguished Name (DN) CN attribute is
not used by the browser to validate the certificate. See https://tools.ietf.org/html/rfc6125 for reference
information.
This procedure briefly summarizes the steps to create an AT-TLS policy for your convenience. See
z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration
Reference for complete information.
You might also find the IBM Redbook IBM z/OS V2R1 Communications Server TCP/IP Implementation Volume 4:
Security and Policy-Based Networking (http://www.redbooks.ibm.com/redbooks/pdfs/sg248099.pdf) to be a
useful resource.
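Whether a planned SAN list really covers every name users will type can be tested before the certificate is ordered. The following Python checker is an added example, not part of this document or of IBM MFA: it applies the RFC 6125 matching rules cited above (DNS names compared case-insensitively label by label, a wildcard accepted only as the complete left-most label of a name with at least three labels and never spanning a dot, and an IP literal matched only against an IP Address entry, so a DNS Name entry that merely contains an IP string does not count for it). The SAN values are the page's illustrative ones; the `uncovered_names` function and the constructed "lp13tcpip3" name are assumptions for the demonstration.

```python
"""Check that a certificate's Subject Alternative Name entries cover every
name a user might type, following the RFC 6125 matching rules. Added example,
not part of the document or of IBM MFA. The SAN values are the document's
illustrative ones."""
import ipaddress


def dns_name_matches(pattern, hostname):
    """RFC 6125 style dNSName comparison: case-insensitive, label by label,
    '*' only as the whole left-most label of a name with 3+ labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False
    if "*" in p[0]:
        return p[0] == "*" and len(p) >= 3
    return p[0] == h[0]


def san_matches(san_entries, reference):
    """san_entries: list of (kind, value) with kind 'DNS' or 'IP'.
    reference: the name or IP literal the user enters in the browser."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched against iPAddress entries only.
        return any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in san_entries)
    return any(k == "DNS" and dns_name_matches(v, reference) for k, v in san_entries)


def uncovered_names(san_entries, references):
    """Return the reference identifiers that no SAN entry covers."""
    return [r for r in references if not san_matches(san_entries, r)]


# SAN entries from the example above (the IP addresses are the document's
# sample values, not real hosts).
LP13_SAN = [
    ("DNS", "lp13.yourcompany.com"), ("DNS", "lp13"),
    ("DNS", "lp13tcpip2.yourcompany.com"), ("DNS", "lp13tcpip2"),
    ("DNS", "10.168.54.96"), ("DNS", "192.168.55.113"),
    ("IP", "10.168.54.96"), ("IP", "192.168.55.113"),
]
```

Calling `uncovered_names(LP13_SAN, names)` with the list of names users are expected to type returns the ones the certificate would not validate; a SAN list with only the DNS Name entries leaves the IP literals uncovered, which is why the example above lists each address as an IP Address entry as well.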

About this task


AT-TLS policy conditions consist of a variety of selection criteria that act as filters for AT-TLS rules. Traffic
can be filtered based on local addresses, remote addresses, local port range, remote port range, job
name, user identification, and direction.
On the z/OS system you want to use for the IBM MFA web services started task, perform the following
tasks:
Important: The ALTNAME portion of the SYS1.SAZFSAMP(AZFTTLSX) sample describes how to specify
more than one IP address to contact the IBM MFA server.

Procedure
1. Create the certificate authority if you do not already have one. This command creates a new CA
certificate (and private key) and adds it to the CERTAUTH store. Replace ?CA-yyyy-mm-dd? with the
preferred expiration date of the CA certificate.

RACDCERT GENCERT CERTAUTH SUBJECTSDN(CN('MFA CERT AUTH')) SIZE(2048)
NOTAFTER(DATE(?CA-yyyy-mm-dd?)) WITHLABEL('server cert root CA label')
KEYUSAGE(CERTSIGN)

2. Refresh the RACF DIGTCERT class.

SETROPTS RACLIST(DIGTCERT) REFRESH

3. It is a best practice to also create an intermediate certificate authority if you do not already have
one. This command creates a new intermediate CA certificate (and private key) and adds it to the
CERTAUTH store. Replace ?CA-yyyy-mm-dd? with the preferred expiration date of the CA certificate.

RACDCERT GENCERT CERTAUTH SUBJECTSDN(CN('MFA INTERMEDIATE CERT AUTH')) SIZE(2048)
NOTAFTER(DATE(?CA-yyyy-mm-dd?)) WITHLABEL('server intermediate CA label')
SIGNWITH(CERTAUTH LABEL('server cert root CA label')) KEYUSAGE(CERTSIGN)

4. Refresh the RACF DIGTCERT class.

SETROPTS RACLIST(DIGTCERT) REFRESH

5. Create the MFA web services certificate if you do not already have one. This command creates a new
end-entity certificate (and private key). In this example AZFWEB is the user ID of the web services
AZF#IN01 started task.

RACDCERT GENCERT ID(AZFWEB) SUBJECTSDN(CN('MFA WEB SERVICES')) SIZE(2048)
NOTAFTER(DATE(2050-12-31)) WITHLABEL('server cert label')
SIGNWITH(CERTAUTH LABEL('server intermediate CA label')) KEYUSAGE(HANDSHAKE DOCSIGN)
ALTNAME(IP(numeric-ip-address) DOMAIN('numeric-ip-address') DOMAIN('dns-name')
DOMAIN('hostname'))

6. Refresh the RACF DIGTCERT class.

SETROPTS RACLIST(DIGTCERT) REFRESH

7. Create the server key ring with the server certificate and necessary certificate authority certificates.
For System SSL, use a SAF key ring. This is typically a RACF key ring. RACF supports multiple PKI
private keys and certificates to be managed as a group. These groups are called key rings.
Create the SAF key ring with the RACDCERT ADDRING command, where AZFWEB is the user ID of the
web services started task.

RACDCERT ADDRING(ring-name) ID(AZFWEB)

8. Refresh the RACF DIGTRING class.

SETROPTS RACLIST(DIGTRING) REFRESH

9. Connect the certificate chain to the key ring.

RACDCERT ID(AZFWEB) CONNECT(LABEL('server cert label') RING(ring-name))

RACDCERT ID(AZFWEB) CONNECT(CERTAUTH LABEL('server intermediate CA label') RING(ring-name))

RACDCERT ID(AZFWEB) CONNECT(CERTAUTH LABEL('server cert root CA label') RING(ring-name))

10. Refresh the RACF DIGTRING class.

SETROPTS RACLIST(DIGTRING) REFRESH

11. Use the RACDCERT LISTRING command to list the key ring.

RACDCERT ID(AZFWEB) LISTRING(ring-name)

12. Create Policy Agent files.
a) Create a Policy Agent main configuration file containing a TcpImage statement for the server
stack.
b) Create a Policy Agent image configuration file for the server stack.
c) If AT-TLS policies are to be retrieved from the policy server, create image-specific AT-TLS
configuration files, and optionally, common AT-TLS configuration files, on the policy server.
13. Add AT-TLS configuration.
a) For local AT-TLS policies, add a TTLSConfig statement to the Policy Agent image configuration
file, identifying the TTLSConfig policy file location:

TTLSConfig serverpath

b) For remote AT-TLS policies, add a PolicyServer statement to the policy client image
configuration file:

PolicyServer
{
  ClientName name
  PolicyType TTLS
  {
  }
}

c) Add a DynamicConfigPolicyLoad statement to the policy server main configuration file:

DynamicConfigPolicyLoad clientname
{
  PolicyType TTLS
  {
    PolicyLoad serverpath
  }
}

14. Add the AT-TLS policy statements to the serverpath file. Specific lines in the example are numbered
to the right so that you can associate them with the notes that follow.
Important: This example is a fragment extracted from the complete sample AT-TLS policy included
in SYS1.SAZFSAMP(AZFTTLSX).

TTLSRule AZFSrvAuthRule
{
  LocalAddr ALL
  RemoteAddr ALL
  LocalPortRange ?serverAuthPort?                        a
  Direction Inbound
  Priority 255
  TTLSGroupActionRef AZFGroupAction1
  TTLSEnvironmentActionRef AZFEnvAction1
  TTLSConnectionActionRef AZFConnAction1
}

TTLSKeyringParms AZFKeyringParms
{
  Keyring ?keyringName?                                  b
}

TTLSGroupAction AZFGroupAction1
{
  TTLSEnabled On
  Trace 255
}

TTLSEnvironmentAction AZFEnvAction1
{
  HandshakeRole Server
  EnvironmentUserInstance 0
  TTLSEnvironmentAdvancedParmsRef AZFEnvAdvServer
  TTLSKeyringParmsRef AZFKeyringParms
  Trace 255
}

TTLSConnectionAction AZFConnAction1
{
  TTLSCipherParmsRef AZFCipherParms                      c
  TTLSConnectionAdvancedParmsRef AZFConnAdvParms1
  CtraceClearText Off
  Trace 255
}

TTLSEnvironmentAdvancedParms AZFEnvAdvServer
{
  ClientAuthType PassThru
  ApplicationControlled Off
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
  TLSv1.3 On
}

TTLSConnectionAdvancedParms AZFConnAdvParms1
{
  ApplicationControlled Off
  SecondaryMap Off
}

TTLSCipherParms AZFCipherParms                           c
{
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}

Callout Notes:
a. You need to specify this port when you run AZFEXEC to configure the IBM MFA web services
started task.
b. The name of the SAF key ring you created.
c. Use this specific set of ciphers to be compatible with an Apple Touch ID device.
15. Set up InitStack access control:
a) Define the EZB.INITSTACK.sysname.tcpname profile for each AT-TLS stack.
b) Permit administrative applications to use the stack before AT-TLS is initialized.
For examples of the security product commands needed to create this resource profile name and
grant users access to it, see member EZARACF in sample data set SEZAINST.
16. Enable AT-TLS. Set TCPCONFIG TTLS in PROFILE.TCPIP.
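A policy that has been edited from the AZFTTLSX sample can be checked mechanically before Policy Agent loads it. The following Python parser and checker is an added example, not IBM MFA code and not the shipped sample: it reads brace-structured AT-TLS statements into blocks, follows the ...Ref links between them, and checks what this procedure and the web services settings call for on each IBM MFA port (HandshakeRole Server on the server authentication port, ServerWithClientAuth with ClientAuthType Required on a mutual authentication port, SSLv2/SSLv3/TLSv1/TLSv1.1 explicitly Off, CtraceClearText Off, and ECDHE-only cipher suites). The embedded policy is a shortened version of the fragment above; the port 6793 and the ring name AZFRING are constructed stand-ins for ?serverAuthPort? and ?keyringName?.

```python
"""Parser and checker for brace-structured AT-TLS policy text. Added example,
not IBM MFA code and not the AZFTTLSX sample. Port 6793 and key ring AZFRING
in the embedded policy are constructed stand-ins for ?serverAuthPort? and
?keyringName?."""

WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

SAMPLE_POLICY = """
TTLSRule AZFSrvAuthRule
{
  LocalPortRange 6793
  TTLSEnvironmentActionRef AZFEnvAction1
  TTLSConnectionActionRef AZFConnAction1
}
TTLSKeyringParms AZFKeyringParms
{
  Keyring AZFRING
}
TTLSEnvironmentAction AZFEnvAction1
{
  HandshakeRole Server
  TTLSEnvironmentAdvancedParmsRef AZFEnvAdvServer
  TTLSKeyringParmsRef AZFKeyringParms
}
TTLSConnectionAction AZFConnAction1
{
  TTLSCipherParmsRef AZFCipherParms
  CtraceClearText Off
}
TTLSEnvironmentAdvancedParms AZFEnvAdvServer
{
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
  TLSv1.3 On
}
TTLSCipherParms AZFCipherParms
{
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
"""


def parse_policy(text):
    """Return top-level blocks as {type, name, parms: {key: [values]}, blocks}."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]
    pos = 0

    def body():  # parse statements until a closing brace or end of text
        nonlocal pos
        parms, blocks = {}, []
        while pos < len(lines) and lines[pos] != "}":
            if pos + 1 < len(lines) and lines[pos + 1] == "{":
                head = lines[pos].split()  # "Type Name" header line
                pos += 2
                inner_parms, inner_blocks = body()
                pos += 1  # consume the closing brace
                blocks.append({"type": head[0], "name": head[1] if len(head) > 1 else None,
                               "parms": inner_parms, "blocks": inner_blocks})
            else:
                key, _, value = lines[pos].partition(" ")
                parms.setdefault(key, []).append(value.strip())
                pos += 1
        return parms, blocks

    return body()[1]


def check_policy(blocks, server_port, mutual_port=None):
    """Return a list of findings; an empty list means every check passed.
    mutual_port of None or 0 means certificate authentication is not used."""
    by = {}
    for b in blocks:
        by.setdefault(b["type"], {})[b["name"]] = b
    one = lambda b, k: (b["parms"].get(k) or [None])[0]
    ref = lambda t, b, k: by.get(t, {}).get(one(b, k))
    roles = {str(server_port): "Server",
             **({str(mutual_port): "ServerWithClientAuth"} if mutual_port else {})}
    findings, seen = [], set()
    for name, rule in by.get("TTLSRule", {}).items():
        port = one(rule, "LocalPortRange")
        if port not in roles:
            continue
        seen.add(port)
        env = ref("TTLSEnvironmentAction", rule, "TTLSEnvironmentActionRef")
        adv = env and ref("TTLSEnvironmentAdvancedParms", env, "TTLSEnvironmentAdvancedParmsRef")
        conn = ref("TTLSConnectionAction", rule, "TTLSConnectionActionRef")
        ciph = conn and ref("TTLSCipherParms", conn, "TTLSCipherParmsRef")
        if not (env and adv and conn and ciph):
            findings.append(f"{name}: unresolved environment, advanced parms, connection or cipher reference")
            continue
        if one(env, "HandshakeRole") != roles[port]:
            findings.append(f"{name}: HandshakeRole must be {roles[port]} on port {port}")
        if not ref("TTLSKeyringParms", env, "TTLSKeyringParmsRef"):
            findings.append(f"{name}: no TTLSKeyringParms (SAF key ring) referenced")
        if roles[port] == "ServerWithClientAuth" and one(adv, "ClientAuthType") != "Required":
            findings.append(f"{name}: ClientAuthType must be Required on the mutual authentication port")
        findings += [f"{name}: {p} is not explicitly Off" for p in WEAK_PROTOCOLS if one(adv, p) != "Off"]
        if one(conn, "CtraceClearText") != "Off":
            findings.append(f"{name}: CtraceClearText is not Off")
        findings += [f"{name}: non-ECDHE cipher suite {s}"
                     for s in ciph["parms"].get("V3CipherSuites", []) if not s.startswith("TLS_ECDHE_")]
    findings += [f"no TTLSRule with LocalPortRange {p}" for p in roles if p not in seen]
    return findings
```

`check_policy(parse_policy(text), server_port, mutual_port)` takes the two port numbers you enter on the AZFEXEC web services panel; the embedded sample passes cleanly for port 6793, and passing a mutual authentication port for which no rule with HandshakeRole ServerWithClientAuth exists is reported as a finding rather than silently accepted.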

Define a resource profile in FACILITY class


To authorize the IBM MFA web services started task user ID, you define a resource profile named
IRR.RFACTOR.USER in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class for USER:

RDEF FACILITY IRR.RFACTOR.USER UACC(NONE)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the changes. For example:

RLIST FACILITY IRR.RFACTOR.USER

Authorize access to IRR.RFACTOR.USER profile


Authorize the user ID of the web services started task to the IRR.RFACTOR.USER profile.

Procedure
1. Allow UPDATE access for the user ID of the web services started task. For example, if the user ID of
the started task is AZFWEB:

PERMIT IRR.RFACTOR.USER ACCESS(UPDATE) CLASS(FACILITY) ID(AZFWEB)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Authorize access to IRR.DIGTCERT.LISTRING profile


Authorize the user ID of the web services started task to the IRR.DIGTCERT.LISTRING profile.

Procedure
1. Give the user ID of the web services started task READ access to the IRR.DIGTCERT.LISTRING profile
in the FACILITY class, where AZFWEB is the user ID of the web services started task.

PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(AZFWEB) ACCESS(READ)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

Configure IBM MFA web services started task


The IBM MFA web services component includes the TOTP registration function, certificate authentication,
and out-of-band authentication. You must configure the IBM MFA web services started task settings if you
want to use these features.

Procedure
1. Execute AZFEXEC and enter STC to configure IBM MFA web services.
2. Provide the following in the web services started task section:

Table 9. Web Services Started Task

Server Authentication Port
   Allowed values: Valid port number
   Enter the port number on which the web server is listening. The port must match the one configured
   for AT-TLS. This port must be configured with server authentication (HandshakeRole is Server) in the
   AT-TLS configuration.

Mutual Authentication Port
   Allowed values: Valid port number
   Enter the port number, or zero. The mutual authentication port is required only if "Enable certificate
   authentication" is set to Y. Certificate authentication requires that AT-TLS be configured for client
   (mutual) authentication on a dedicated port. The port must match the one configured for AT-TLS.
   This port must be configured with client authentication (HandshakeRole is ServerWithClientAuth,
   ClientAuthType is Required) in the AT-TLS configuration.

Document Root
   Allowed values: Document root location
   The document root for the IBM MFA web services started task. Enter the default of
   /usr/lpp/IBM/azfv2r2/htdocs, or your chosen value.

Customized Document Root
   Allowed values: Document root location
   The document root from which to serve translated messages and HTML, as described in Chapter 37,
   “Translating IBM MFA messages and HTML,” on page 211.

PKCS#11 Token Name
   Allowed values: Actual PKCS#11 token name
   Enter the name of the PKCS#11 token to be used for cryptographic operations. You created this token
   in Chapter 9, “Configuring a PKCS#11 token,” on page 31.
   Important: If the AZFTOTP1 settings do not contain a token name, the token name you specify on this
   panel is used when creating an AZFTOTP1 user session-object when a user registers. If you change the
   token name, all AZFTOTP1 user registrations will become inaccessible, and users must re-register.

Enable Client Token Display
   Allowed values: Y|N
   Enter Y or N. When this setting is Y, the CTC is displayed. When this setting is N, the CTC is masked
   for additional security to prevent it from being observed. The default is Y. The user has the option
   to display a masked CTC on the IBM MFA Out-of-Band page if needed.

Enable Out of Band Services
   Allowed values: Y|N
   Enter Y or N. The default is N. Set this to Y if you plan to use IBM MFA Out-of-Band as described in
   “Configure IBM MFA web service started task for IBM MFA Out-of-Band” on page 47.

Enable TOTP Registration Services
   Allowed values: Y|N
   Enter Y or N. The default is N. Set this to Y if you plan to use TOTP as described in Chapter 14,
   “Configuring IBM MFA for TOTP,” on page 69.

Enable Certificate Authentication
   Allowed values: Y|N
   Enter Y or N. The default is N. Set this to Y if you plan to use Certificate Authentication as
   described in Chapter 15, “Configuring IBM MFA certificate authentication,” on page 81.
   Certificate authentication requires that out-of-band services also be enabled. Therefore, if set to
   Y, "Enable out of band services" must also be set to Y.

Enable Password Change
   Allowed values: Y|N
   Enter Y or N. The default is Y. If set, Enable Out-of-Band Services must also be set to Y. See
   Chapter 30, “Changing a user password with web interface,” on page 189 for a description of this
   feature.

Enable Password Reset
   Allowed values: Y|N
   Enter Y or N. The default is Y. If set, Enable Out-of-Band Services must also be set to Y. See
   Chapter 31, “Resetting a user password,” on page 191 for a description of this feature.

Enable YubiKey Enrollment
   Allowed values: Y|N
   This value specifies whether the YubiKey enrollment service is enabled. Possible values are Y or N.
   The default is N. See “Configure Yubico OTP” on page 140 for more information.

Initial Trace Level
   Allowed values: 0 through 3
   Choose the initial trace level. Valid values are 0 through 3, where the higher number increases the
   level of verbosity. The default is 0.

3. Press F3 to save your changes and exit.

Start the IBM MFA web services started task


In a sysplex environment where the RACF database and ICSF TKDS are shared across member LPARs,
the IBM MFA web services started task needs to run on at least one LPAR in the sysplex. You can run the
started task on all LPARs in the sysplex if you prefer.

Before you begin


If you configured the IBM MFA web services started task as described in “Configure IBM MFA web
services started task” on page 41, you must start it.

Procedure
1. To start the started task, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN01

2. Verify that the task started. The absence of errors in the SYSLOG indicates success.

Chapter 11. Configuring IBM MFA Out-of-Band authentication
IBM MFA Out-of-Band authentication allows a user to authenticate outside of the z/OS authentication
process through a web browser. You can configure IBM MFA Out-of-Band authentication for one or more
users.

In-band versus out-of-band authentication


IBM MFA provides two approaches to authentication:
• In-band authentication. The user presents the credentials directly into the application. For in-band
authentication, the user generates a token and uses that token directly to log on.
You can use a factor in-band, with or without a policy assigned, if:
– No other factors (except the weak AZFPTKT1 and AZFPASS1 factors) are active. Strong and weak
factors are described in Table 10 on page 46.
– It is a strong factor.
– The factor is active.
– The factor supports in-band authentication.
• Out-of-band authentication. IBM MFA Out-of-Band authentication allows a user to authenticate outside
of the z/OS authentication process ("out-of-band") with one or more factors to retrieve a cache
token credential. You configure the authentication factors the user must provide, and the user is
then presented with a user-specific IBM MFA Out-of-Band web page for the configured authentication
factors. If the IBM MFA Out-of-Band authentication is successful, the user then uses the resulting cache
token credential to log on.
A cache token credential is created every time a user successfully logs on with IBM MFA Out-of-Band. If
the authentication policy specifies that the cache token credential can be reused by an application, it is
usable until the first cache sweep after it expires.
IBM MFA Out-of-Band provides significant advantages, as described in “Benefits of IBM MFA Out-of-Band
Authentication” on page 45.
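The lifetime rule for the cache token credential just described has one edge worth seeing in code: a reusable CTC is not invalidated the moment it expires but at the next cache sweep. The following Python model is an added example, not IBM MFA's cache code: it issues a CTC after a successful out-of-band logon, treats it as single-use unless the policy allows reuse, and enforces expiry only from the sweep, so the window between expiry and the first sweep after it is visible in the test. Times are plain integers (seconds); the user IDs and CTC values are constructed.

```python
"""Model of the cache token credential (CTC) lifetime described above. Added
example, not IBM MFA's cache code: a CTC issued by a successful out-of-band
logon is single-use unless the policy allows reuse, and a reusable CTC stays
usable until the first cache sweep that runs after it expires. Times are plain
integers (seconds); user IDs and CTC values are constructed."""
from dataclasses import dataclass


@dataclass
class CacheEntry:
    user: str
    expires_at: int
    reusable: bool


class CtcCache:
    def __init__(self):
        self.entries = {}  # CTC value -> CacheEntry

    def issue(self, ctc, user, now, lifetime, reusable):
        """Record a CTC for a user after a successful out-of-band logon.
        reusable mirrors the policy's 'can be reused by an application'."""
        self.entries[ctc] = CacheEntry(user, now + lifetime, reusable)

    def sweep(self, now):
        """Periodic cache sweep: drop every entry whose expiry has passed.
        Returns the number of entries removed."""
        expired = [c for c, e in self.entries.items() if e.expires_at <= now]
        for c in expired:
            del self.entries[c]
        return len(expired)

    def logon(self, ctc, user):
        """Validate a CTC presented as the logon password. Expiry is enforced
        only by sweep(), so a reusable CTC still works between its expiry and
        the next sweep; that window is bounded by how often sweeps run."""
        e = self.entries.get(ctc)
        if e is None or e.user != user:
            return False
        if not e.reusable:
            del self.entries[ctc]  # single use: consumed by this logon
        return True
```

In the test, the reusable CTC issued at time 0 with a 300-second lifetime still logs on at time 350 because no sweep has run since it expired; the sweep at 360 removes it, after which the logon fails. The single-use CTC is consumed by its first successful logon and a presentation under the wrong user ID neither succeeds nor consumes it.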

Out-of-Band components
There are two major components to IBM MFA Out-of-Band server authentication:
• The IBM MFA services started task.
The started task must run in every z/OS instance where IBM MFA Out-of-Band users will log on.
• The IBM MFA web services started task.
The out-of-band server interface consists of web pages served to client web browsers via the server
authentication TLS connection. The web pages indicate which authentication factors are required and
which factors have been satisfied.
In a sysplex environment where the RACF database, IBM MFA cache, and ICSF TKDS are shared across
member LPARs, the web services started task needs to run only on one LPAR in the sysplex.

Benefits of IBM MFA Out-of-Band Authentication


Consider the following benefits of using IBM MFA Out-of-Band authentication:
• You can require the user to provide multiple authentication factors. By requiring multiple authentication
factors, you improve the security of the user account.
• You can require the user to use certificate authentication, including certificates stored on Common
Access Card (CAC) and Personal Identification Verification (PIV) cards.

• Because IBM MFA Out-of-Band authentication provides an 8-character cache token credential, you can
use it with applications that are strictly limited to 8-character passwords.
For example, if you want your users to use IBM MFA with SecurID with a hardware token without a
PINpad, not all applications provide a method to enter both the PIN and the 6- to 8-digit token code.
By using IBM MFA SecurID with IBM MFA Out-of-Band authentication, the user can instead use the
resulting 8-character cache token credential as the password.
• You can use the cache token credential in cases where the application replays the user password.
Token codes can be used only once, which can be problematic for applications that cache and replay
passwords. Using the resulting 8-character cache token credential as the password negates this
problem.
• You can customize IBM MFA Out-of-Band on a per-user basis. You can decide which users must provide
which factors based on your own environment and security needs. The user is then presented with a
customized, user-specific IBM MFA Out-of-Band web page to log in.

Benefits of compound authentication in IBM MFA Out-of-Band


Authenticating with two or more factors is called "compound authentication." The important thing to note
about compound authentication is that all configured authentication factors must succeed for the user to
retrieve the in-band authentication code.
For example, if you were to configure the user for both IBM MFA with SecurID and TOTP, both
authentications must succeed for the user to obtain the in-band authentication code. By requiring both a
SecurID token code and the OTP token, you improve the security of the user account.

How tokens work with IBM MFA Out-of-Band


A SecurID token code is valid only while it is displayed. A TOTP OTP value is valid within its Token
Period and Window constraints. These requirements remain true with IBM MFA Out-of-Band. The
difference is that the IBM MFA Out-of-Band web page validates each token, as it is entered, against
those same requirements.
For example, if the user provides the SecurID token, the IBM MFA Out-of-Band web page validates that
token in real time. If the user then provides an OTP token, the IBM MFA Out-of-Band web page then
validates that token in real time.
The user has a fixed amount of time to satisfy all authentication factors.

Types of factors
There are two types of authentication factors: strong and weak. Strong factors can be used alone or
combined in IBM MFA Out-of-Band.
In contrast, weak factors must be used in combination with a strong factor.

Table 10. Types of Factors

Factor                                  Type    In-Band/Out-of-Band
RSA SecurID ACEv5 UDP                   Strong  Both
RSA SecurID Auth API (HTTPS) AZFSIDP3   Strong  Both
TOTP AZFTOTP1                           Strong  Both
RADIUS AZFSFNP1                         Strong  Both
RADIUS AZFRADP1                         Strong  Both
RADIUS AZFSIDR1                         Strong  Both
IBM Security Verify Access AZFISAM1     Strong  Both
Yubico OTP AZFYUBI1                     Strong  Both
LDAP AZFLDAP1                           Strong  Both
Certificate AZFCERT1                    Strong  Out-of-band only
Check CTC AZFCKCTC                      Strong  In-band only
PassTicket AZFPTKT1                     Weak    In-band only
Password AZFPASS1                       Weak    Out-of-band only

IBM MFA Out-of-Band configuration requirements


Before you configure the IBM MFA Out-of-Band started task, refer to the configuration roadmap in
Chapter 6, “IBM MFA configuration roadmap,” on page 13.

Identifying the LPAR or SYSPLEX in IBM MFA Out-of-Band


If you want to identify the LPAR or sysplex you are connected to in IBM MFA Out-of-Band without having
to extrapolate from the URL, you can use the translation feature described in Chapter 37, “Translating
IBM MFA messages and HTML,” on page 211 to edit translate.json or the HTML and add the LPAR or
sysplex name.

Configure IBM MFA web service started task for IBM MFA Out-of-Band
You must configure the IBM MFA web services started task for IBM MFA Out-of-Band.

Before you begin


You must have already configured IBM MFA web services as described in Chapter 10, “Configuring IBM
MFA web services configuration attributes,” on page 35, including configuring a PKCS#11 token and an
AT-TLS profile.

Procedure
1. Configure the web services started task, as described in “Configure IBM MFA web services started
task” on page 41.
2. At a minimum, set Enable Out of Band Services to Y.

Create and manage multi-factor authentication policies


To use IBM MFA Out-of-Band you must use the RDEFINE command to define multi-factor authentication
policies, and the ALU command to apply the policies to one or more users.

Before you begin


Multi-factor authentication policies specify which authentication factors are required for IBM MFA Out-of-
Band. The multi-factor authentication policy determines which of the active factors are actually applied.
For example, if you activate TOTP (AZFTOTP1), Certificate Authentication (AZFCERT1), and IBM MFA with
SecurID (AZFSIDP1) for a user, but the policy includes only AZFCERT1 and AZFSIDP1, then AZFTOTP1 is
not required.
Important: If you apply a policy to a user, the user must have all the factors defined in the policy, and
those factors must be active for the user. RACF does not prevent you from applying a policy to a user who
does not have all the required factors defined. This will prevent the user from authenticating with IBM
MFA Out-of-Band.

About this task


You must create a multi-factor authentication policy under the following conditions:
• You activate a user for two or more strong factors, as described in Table 10 on page 46.
• You activate a user for Certificate Authentication, as described in Chapter 15, “Configuring IBM MFA
certificate authentication,” on page 81.
If you enable a user for a single factor, you can optionally create a multi-factor authentication policy for
that single factor and direct the user to the IBM MFA Out-of-Band web server login page. You might want
to do this for a reason described in “Benefits of IBM MFA Out-of-Band Authentication” on page 45.

Procedure
1. Enter the following command to create a multi-factor authentication policy:

RDEF MFADEF POLICY.POLICY-NAME MFPOLICY(FACTOR(FACTOR-NAME) TOKENTIMEOUT(num-of-seconds) REUSE(Y|N))

Where:
• POLICY-NAME is a name of your choice between 1 and 20 characters. The allowed characters are
A-Z, 0-9. You might find it convenient to give the policy a descriptive name, such as CERTSIDPTOTP
or CERTONLY.
• FACTOR-NAME is a space-separated list of factor names. The allowed factor names are as follows:
– AZFSIDP1
– AZFSIDP3
– AZFTOTP1
– AZFCERT1
– AZFSFNP1
– AZFRADP1
– AZFSIDR1
– AZFPASS1
– AZFYUBI1
• TOKENTIMEOUT sets the length of time (in seconds) the IBM MFA Out-of-Band token is valid once
generated. The value can be between 1 and 86,400 (the number of seconds in a day). The default
is 300 seconds (5 minutes).
• REUSE determines whether the IBM MFA Out-of-Band token can be reused by an application.
Possible values are Y or N. The default is N.
2. Repeat step 1 as needed.
3. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

4. Enter the following command to display information about a specific policy:

RLIST MFADEF POLICY.POLICY-NAME MFPOLICY

5. Enter the following command to display information about all IBM MFA factors and policies:

RLIST MFADEF *

6. Enter the following command to apply the policy to a user:

ALU <USERID> MFA(ADDPOLICY(POLICY-NAME))

7. Repeat step 6 as needed. If you apply multiple policies to a user, instruct the user which
policy to use.
8. Enter the following command to display IBM MFA information for a user profile, including any applied
policies:

LU <USERID> MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS ALLOWED
AUTHENTICATION POLICIES =
TOTPONLY
FACTOR = AZFSIDP1
STATUS = INACTIVE
FACTOR TAGS =
SIDUSERID:user
FACTOR = AZFTOTP1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:PROVISIONED

9. If needed, enter the following command to remove a policy from a user:

ALU <USERID> MFA(DELPOLICY(POLICY-NAME))

10. If needed, enter the following commands to delete a policy and refresh the MFADEF class:

RDEL MFADEF POLICY.POLICY-NAME
SETROPTS RACLIST(MFADEF) REFRESH
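The following Python script is an added example, not part of the IBM MFA product or of this manual. It encodes the rules given in this chapter (Table 10 factor types, the conditions for using a factor in-band, the POLICY-NAME, TOKENTIMEOUT and REUSE limits, and the requirement that every factor named in a policy be active for the user) so that you can check a policy against a user's LU MFA output before issuing RDEF and ALU; the sample user and policy names are constructed from the text above.

```python
"""Pre-check an IBM MFA Out-of-Band policy before you issue RDEF and ALU.

Added example (not IBM's code). It models the rules given in this chapter:
Table 10 factor types and in-band/out-of-band support, the conditions for
using a factor in-band, the POLICY-NAME, TOKENTIMEOUT and REUSE limits, and
the requirement that every factor named in a policy be ACTIVE for the user
(RACF does not check that for you, and a gap locks the user out).
"""
import re

# Factor catalogue from Table 10: name -> (type, in-band capable, out-of-band capable)
FACTORS = {
    "AZFSIDP1": ("Strong", True, True),   # RSA SecurID ACEv5 UDP
    "AZFSIDP3": ("Strong", True, True),   # RSA SecurID Auth API (HTTPS)
    "AZFTOTP1": ("Strong", True, True),   # TOTP
    "AZFSFNP1": ("Strong", True, True),   # RADIUS (SafeNet)
    "AZFRADP1": ("Strong", True, True),   # RADIUS (generic)
    "AZFSIDR1": ("Strong", True, True),   # RADIUS (RSA SecurID)
    "AZFISAM1": ("Strong", True, True),   # IBM Security Verify Access
    "AZFYUBI1": ("Strong", True, True),   # Yubico OTP
    "AZFLDAP1": ("Strong", True, True),   # LDAP
    "AZFCERT1": ("Strong", False, True),  # Certificate: out-of-band only
    "AZFCKCTC": ("Strong", True, False),  # Check CTC: in-band only
    "AZFPTKT1": ("Weak", True, False),    # PassTicket: in-band only
    "AZFPASS1": ("Weak", False, True),    # Password: out-of-band only
}
WEAK = {"AZFPTKT1", "AZFPASS1"}
# Factor names accepted by MFPOLICY(FACTOR(...)), as listed in step 1
POLICY_FACTORS = {"AZFSIDP1", "AZFSIDP3", "AZFTOTP1", "AZFCERT1", "AZFSFNP1",
                  "AZFRADP1", "AZFSIDR1", "AZFPASS1", "AZFYUBI1"}

def validate_policy(name, factors, token_timeout=300, reuse="N"):
    """Return a list of problems; an empty list means the policy is acceptable."""
    problems = []
    if not re.fullmatch(r"[A-Z0-9]{1,20}", name):
        problems.append("POLICY-NAME must be 1 to 20 characters from A-Z, 0-9")
    if not factors:
        problems.append("a policy needs at least one factor")
    for f in factors:
        if f not in POLICY_FACTORS:
            problems.append(f"{f} is not a valid FACTOR name for MFPOLICY")
    # Weak factors may only be used together with a strong factor
    if any(f in WEAK for f in factors) and not any(
            FACTORS.get(f, ("",))[0] == "Strong" for f in factors):
        problems.append("weak factors must be combined with a strong factor")
    if not 1 <= token_timeout <= 86400:
        problems.append("TOKENTIMEOUT must be between 1 and 86400 seconds")
    if reuse not in ("Y", "N"):
        problems.append("REUSE must be Y or N")
    return problems

def rdef_command(name, factors, token_timeout=300, reuse="N"):
    """Build the RDEF command text for a policy that passes validate_policy."""
    problems = validate_policy(name, factors, token_timeout, reuse)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"RDEF MFADEF POLICY.{name} MFPOLICY(FACTOR({' '.join(factors)}) "
            f"TOKENTIMEOUT({token_timeout}) REUSE({reuse}))")

def policy_gaps(policy_factors, user_factors):
    """Factors the policy requires that are not ACTIVE for the user.
    user_factors maps factor name -> STATUS as shown by LU <USERID> MFA.
    Apply the policy with ALU only when this returns an empty list."""
    return sorted(f for f in policy_factors
                  if user_factors.get(f, "INACTIVE") != "ACTIVE")

def needs_policy(user_factors):
    """True when this chapter requires a policy for the user: two or more
    active strong factors, or active certificate authentication."""
    active = [f for f, status in user_factors.items() if status == "ACTIVE"]
    strong = [f for f in active if FACTORS.get(f, ("",))[0] == "Strong"]
    return len(strong) >= 2 or "AZFCERT1" in active

def in_band_allowed(factor, user_factors):
    """Whether the user may present `factor` in-band: it must be strong,
    active and in-band capable, and no other factor except the weak
    AZFPTKT1/AZFPASS1 ones may be active for the user."""
    if factor not in FACTORS or user_factors.get(factor) != "ACTIVE":
        return False
    ftype, in_band, _ = FACTORS[factor]
    if ftype != "Strong" or not in_band:
        return False
    others = [f for f, status in user_factors.items()
              if status == "ACTIVE" and f != factor and f not in WEAK]
    return not others

if __name__ == "__main__":
    # Constructed sample user, matching the LU output shown in step 8
    user = {"AZFSIDP1": "INACTIVE", "AZFTOTP1": "ACTIVE"}
    print(rdef_command("CERTSIDPTOTP", ["AZFCERT1", "AZFSIDP1", "AZFTOTP1"]))
    print("missing for CERTSIDPTOTP:",
          policy_gaps(["AZFCERT1", "AZFSIDP1", "AZFTOTP1"], user))
    print("policy required:", needs_policy(user))
    print("AZFTOTP1 usable in-band:", in_band_allowed("AZFTOTP1", user))
```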

Define a resource profile in FACILITY class


Use RDEFINE to define a resource profile in the FACILITY class to authorize the user ID of the web
services started task to a policy.

Procedure
1. Define a profile in the FACILITY class for IRR.RFACTOR.POLICY.POLICY-NAME, for each policy you
created in “Create and manage multi-factor authentication policies” on page 47.

RDEF FACILITY IRR.RFACTOR.POLICY.POLICY-NAME UACC(NONE) OWNER(userid or group-name)

You may find it most convenient to instead define the profile for IRR.RFACTOR.POLICY.** to allow
access to all policies.

RDEF FACILITY IRR.RFACTOR.POLICY.** UACC(NONE) OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the changes. For example:

RLIST FACILITY IRR.RFACTOR.POLICY.POLICY-NAME

Authorize access to IRR.RFACTOR.POLICY.POLICY-NAME profile
Authorize the user ID of the web services started task to each IRR.RFACTOR.POLICY.POLICY-NAME profile
you created.

Procedure
1. Allow READ access for the user ID of the web services started task.

PERMIT IRR.RFACTOR.POLICY.POLICY-NAME ACCESS(READ) CLASS(FACILITY) ID(AZFWEB)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Activate and deactivate users for IBM MFA Out-of-Band authentication
The authentication factors you activate determine which factors the user must provide.

Procedure
1. Select from the following authentication factors, and activate users as described in the referenced
sections:
• SecurID. See “Activate and deactivate users for IBM MFA SecurID” on page 58.
• TOTP. See “Administration and operation steps for TOTP” on page 76.
• Certificate Authentication. See “Activate and deactivate users for Certificate Authentication” on page
88.
• “Activate and deactivate users for generic RADIUS” on page 98.
• “Activate and deactivate users for SafeNet RADIUS” on page 109.
• “Activate and deactivate users for RSA SecurID RADIUS” on page 118.
• “Administration and operation steps for Yubico OTP” on page 144.
2. Apply one or more multi-factor authentication policies to a user, as described in “Create and manage
multi-factor authentication policies” on page 47.

ALU <USERID> MFA(ADDPOLICY(POLICY-NAME))

3. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

4. Tell users they must use the IBM MFA Out-of-Band web server login page:

https://server-host:port/mfa/policy-name

where port is the server authentication port you configured and policy-name is the policy the user must
use. You may want to have the user bookmark this URL.
Note: If you do not include the policy-name in the URL you provide to the user, the user is prompted
for their policy name, which they must already know.
On the next page, they are shown user-specific information about the factors required for them to log
on.

Chapter 12. Configuring IBM MFA for RSA SecurID
You must configure IBM MFA for SecurID if you want to use that authentication factor.

SecurID configuration requirements


Before you configure IBM MFA for SecurID, refer to the configuration roadmap in Chapter 6, “IBM MFA
configuration roadmap,” on page 13.

Additional RACF administration steps for SecurID


You must perform RACF administration steps for SecurID.

Define a resource profile in MFADEF class


You define IBM MFA factors by creating a general resource profile for the factor name in the MFADEF
class. To define a factor for SecurID, use RDEFINE to create a resource profile named FACTOR.AZFSIDP1
in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFSIDP1 OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFSIDP1

Define a resource profile in FACILITY class


To define authorization to execute the panels for SecurID administration, use RDEFINE to create a
resource profile named IRR.RFACTOR.MFADEF.AZFSIDP1 in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFSIDP1 OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the change. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFSIDP1

Authorize access to IRR.RFACTOR.MFADEF.AZFSIDP1 profile
Authorize the SecurID administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFSIDP1
profile.

Procedure
1. Allow the access shown in Table 11 on page 52:

Table 11. Required levels of permission

Permission                 Access
READ                       Able to view configuration options, but may not update, create, or delete
                           SecurID parameters.
UPDATE, CONTROL, ALTER     Able to create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFSIDP1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Additional system programming steps for SecurID


After you perform the RACF administration tasks, you must perform additional system programming tasks
to allocate data sets, copy the sdconf.rec file, and define SecurID parameters.

Allocate SDCONF.REC data set


Allocate the SDCONF.REC data set.

Procedure
1. Allocate the SDCONF.REC data set with the following attributes. The user ID under which the started
task runs must have read access to this data set.
• DSORG
– PS
• DCB:
– RECFM FB
– LRECL 3072
– BLKSIZE 3072
• SPACE:
– BLKS
– Primary 1
– Secondary 1
2. Verify the change.

Allocate node secret data set
You must allocate the node secret data set. The RSA node secret is a shared secret known to IBM MFA
and the RSA Authentication Manager.

About this task


A new node secret is created by the RSA Authentication Manager on the first successful logon by any user.
The RSA Authentication Manager then sends the node secret to IBM MFA.

Procedure
1. Allocate the node secret data set with the following attributes. The user ID under which the started
task runs must have UPDATE access to this data set.
• DSORG
– PS
• DCB:
– RECFM FB
– LRECL 72
– BLKSIZE 72
• SPACE:
– TRKS
– Primary 1
– Secondary 1
2. Verify the change.

Copy sdconf.rec to SDCONF.REC data set


The sdconf.rec file is the configuration file for connecting to the RSA Authentication Manager.
Obtain the sdconf.rec file from the RSA Authentication Manager (or from the RSA Authentication Manager
administrator). Copy the file into the SDCONF.REC data set you allocated. Make sure all file transfers are
executed in binary mode.

Procedure
1. Log in as administrator to the RSA Authentication Manager.
2. Navigate to Access > Authentication Agents > Generate Configuration File.
3. Select Generate Config File.
The message "The configuration file was successfully generated and is ready to download" is
displayed.
4. Select Download Now.
5. Unzip the resulting file to get the sdconf.rec file.
6. Use your tool of choice to copy sdconf.rec into the SDCONF.REC data set on the z/OS system. Copy the
file in binary mode.

Optionally, create SDOPTS.REC file


In some environments, it might be necessary to use an SDOPTS.REC file to ensure that the AZFSIDP1
plug-in can correctly communicate with RSA Authentication Manager.

About this task


The SDOPTS.REC file adheres to the following syntax:

LPAR_NAME=<SYSTEM/LPAR NAME>
CLIENT_IP=<IP v4 Address Override>
LPAR_NAME=<SYSTEM/LPAR NAME of another system in SYSPLEX>
CLIENT_IP=<IP v4 Address Override for second LPAR>

where LPAR_NAME is the uppercase (case-sensitive) SYSNAME value that was specified when the
system was IPLed. You can use the z/OS command D SYMBOLS to display the value of the
&SYSNAME symbol.
In certain situations, such as a multi-homed LPAR or a VIPA, the host IP address that is auto-detected
by the AZFSIDP1 plug-in might not match the IP address actually used for outgoing traffic. In such
cases, use the CLIENT_IP override to specify the IP address that AZFSIDP1 should use. (Currently,
only IPv4 addresses are supported in the SDOPTS.REC file.)

Procedure
1. Allocate the SDOPTS.REC data set with the following attributes. The user ID of the IBM MFA services
started task must have read access to this data set.
• DSORG
– PS
• DCB:
– RECFM FB
– LRECL 72
– BLKSIZE 72
• SPACE:
– TRKS
– Primary 1
– Secondary 1
2. Verify the change.
3. Create SDOPTS.REC with the needed parameters.
SDOPTS.REC must not include sequence numbers.
4. Save your changes.
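The following Python script is an added example, not part of the IBM MFA product or of this manual. It checks an SDOPTS.REC member against the rules stated above (uppercase SYSNAME, IPv4-only CLIENT_IP, each LPAR_NAME paired with a CLIENT_IP, the 72-byte LRECL, and no sequence numbers) and looks up the override for a given &SYSNAME; the sample members and addresses are constructed, and the 8-character SYSNAME limit is an assumed z/OS limit that this section does not state.

```python
"""Validate an SDOPTS.REC member before the AZFSIDP1 plug-in reads it.

Added example (not IBM's code). It checks the constraints this section
states: each LPAR_NAME is the uppercase SYSNAME and is followed by its
CLIENT_IP, CLIENT_IP is an IPv4 address (IPv6 is not supported here), every
record fits the 72-byte LRECL, and the member carries no sequence numbers.
The 8-character SYSNAME limit is a z/OS limit assumed here, not stated above.
"""
import ipaddress
import re

LRECL = 72  # record length of the data set allocated for SDOPTS.REC


def parse_sdopts(text):
    """Return ({LPAR_NAME: CLIENT_IP}, [problems]) for the member content."""
    overrides, problems = {}, []
    pending = None  # LPAR_NAME still waiting for its CLIENT_IP line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if len(line) > LRECL:
            problems.append(f"line {lineno}: record longer than LRECL {LRECL}")
        # ISPF standard numbering puts 8 digits in the last columns of the record
        if re.search(r"\s\d{8}$", line):
            problems.append(f"line {lineno}: record appears to carry a sequence number")
            line = line[:-8].rstrip()
        if not line.strip():
            continue
        m = re.fullmatch(r"(LPAR_NAME|CLIENT_IP)=(.*)", line.strip())
        if not m:
            problems.append(f"line {lineno}: expected LPAR_NAME= or CLIENT_IP=")
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "LPAR_NAME":
            if pending is not None:
                problems.append(f"LPAR_NAME {pending} has no CLIENT_IP")
            # Assumed SYSNAME form: 1-8 uppercase alphanumeric or national characters
            if not re.fullmatch(r"[A-Z0-9@#$]{1,8}", value):
                problems.append(f"line {lineno}: LPAR_NAME must be the uppercase SYSNAME")
            if value in overrides:
                problems.append(f"line {lineno}: duplicate LPAR_NAME {value}")
            pending = value
            continue
        # CLIENT_IP record
        if pending is None:
            problems.append(f"line {lineno}: CLIENT_IP without a preceding LPAR_NAME")
        try:
            ip = ipaddress.ip_address(value)
            if ip.version != 4:
                problems.append(f"line {lineno}: only IPv4 addresses are supported")
            elif pending is not None:
                overrides[pending] = value
        except ValueError:
            problems.append(f"line {lineno}: {value!r} is not an IP address")
        pending = None
    if pending is not None:
        problems.append(f"LPAR_NAME {pending} has no CLIENT_IP")
    return overrides, problems


def client_ip_for(text, sysname):
    """CLIENT_IP override for the LPAR whose &SYSNAME is `sysname`, or None."""
    overrides, _ = parse_sdopts(text)
    return overrides.get(sysname)


# Constructed sample members (addresses from the 192.0.2.0/24 documentation range)
GOOD_SDOPTS = "LPAR_NAME=SYSA\nCLIENT_IP=192.0.2.10\nLPAR_NAME=SYSB\nCLIENT_IP=192.0.2.11\n"
BAD_SDOPTS = "\n".join([
    "LPAR_NAME=sysa",                          # lowercase SYSNAME
    "CLIENT_IP=2001:db8::10",                  # IPv6 is not supported
    "CLIENT_IP=192.0.2.12",                    # no LPAR_NAME before it
    "LPAR_NAME=SYSC".ljust(64) + "00010000",   # sequence number, and no CLIENT_IP
])

if __name__ == "__main__":
    for name, member in (("good", GOOD_SDOPTS), ("bad", BAD_SDOPTS)):
        overrides, problems = parse_sdopts(member)
        print(name, overrides, *problems, sep="\n  ")
```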

Configure SecurID parameters


Execute AZFEXEC to configure the SecurID parameters.

Before you begin


You copied the AZFEXEC member to a data set in your SYSEXEC concatenation in “Copy
SAZFEXEC(AZFEXEC)” on page 7 and customized the HLQ in “Customize AZFEXEC” on page 7.

Procedure
1. Execute AZFEXEC.
2. Choose AZFSIDP1.
3. Enter the data set values for SDCONF, the node secret, and optionally SDOPTS:

Table 12. AZFSIDP1 Factor Attributes

Setting                Description
SDCONF data set        Specify the SDCONF.REC data set you allocated for the sdconf.rec file.
Node Secret data set   Specify the data set you allocated for the node secret file.
SDOPTS data set        Specify the data set you allocated for the SDOPTS file, if used.
Initial Trace Level    The trace level used for tracing events within the AZFSIDP1 plug-in. Valid
                       values are 0 through 3, where a higher number increases the level of
                       verbosity. The default is zero.
4. See “Configure IBM MFA Compound In-Band” on page 56 for information about configuring IBM MFA
Compound In-Band.
5. Save and verify the changes.

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1
• Generic RADIUS AZFRADP1
• SafeNet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Configure IBM MFA Compound In-Band


Configure IBM MFA Compound In-Band authentication only if you require the user to authenticate in-band
with a combination of a SecurID token and a passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFSIDP1 factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.
The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the SecurID token with the passphrase or password, separated by a valid
separator, and stores the result in the passphrase field.
Important: If a new SecurID PIN is required, or the RACF password is expired, it may be difficult for the
user to determine which one requires action. The recommended course of action is to use the standard
SecurID Windows interface outside of IBM MFA to change the SecurID PIN.

Procedure
1. Execute AZFEXEC.
2. Choose AZFSIDP1.
3. On the AZFSIDP1 factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.
• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 13 on page 57. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)
Note: Encodings are shown for code page IBM-1047.

Table 13. Valid Separator Characters

Character Name                   Character   Hexadecimal (for reference)
Plus sign                        +           4e
Less than sign                   <           4c
Equal sign                       =           7e
Greater than sign                >           6e
Ampersand                        &           50
Straight single quotation mark   '           7d
Left parenthesis                 (           4d
Right parenthesis                )           5d
Comma                            ,           6b
Underscore                       _           6d
Hyphen                           -           60
Period                           .           4b
Slash right                      /           61
Colon                            :           7a
Semicolon                        ;           5e
Question mark                    ?           6f
Percent                          %           6c
Asterisk                         *           7f
Double quotation mark            "           5c
Vertical bar                     |           4f
4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their SecurID token, the required separator, and their passphrase or
password in the password field, based on the credential order you selected. For example:

SecurID token:passphrase

Administration and operation steps for SecurID
Follow the steps in this section to provision users and start up and administer IBM MFA for SecurID. You
need to configure an RSA Authentication Agent for each z/OS system or LPAR that is running IBM MFA.
See your Authentication Manager documentation for details.

Activate and deactivate users for IBM MFA SecurID


You use the ALTUSER or ALU command to activate users for IBM MFA with SecurID.

Before you begin


Before you can activate users for IBM MFA, you must first create accounts for the users in RSA
Authentication Manager and assign RSA tokens.
When you activate a user for IBM Multi-Factor Authentication for z/OS, that user is no longer able to use
the z/OS password to log in. Therefore, the user must first have a valid token and credentials for RSA
Authentication Manager.
To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the
NOACTIVE keyword to deactivate the authenticator for the user ID.

Procedure
1. Enter the following command to activate a user for IBM MFA:

ALU [Login ID] MFA(FACTOR(AZFSIDP1) ACTIVE PWFALLBACK TAGS(SIDUSERID:[RSA User ID]))

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFSIDP1 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
• RSA User ID is the associated RSA user ID. The SIDUSERID tag identifies the RSA user ID to use
when an authentication request for this user is sent to the RSA server by IBM MFA:
– If the security manager user ID matches the RSA server user ID, you can either specify the RSA
server user ID in the SIDUSERID tag, or omit it and the security manager user ID is used by
default.
– If the security manager user ID does not match the RSA server user ID, you must specify the RSA
server user ID in the SIDUSERID tag.
2. If needed, enter the following command to defer activating a user for IBM MFA:

ALU [Login ID] MFA(FACTOR(AZFSIDP1) TAGS(SIDUSERID:[RSA User ID]))

Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFSIDP1 authenticator for the user ID:

ALU <USERID> MFA(FACTOR(AZFSIDP1) ACTIVE)

3. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSIDP1
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user

4. If needed, enter the following command to deactivate a user for IBM MFA:

ALU [Login ID] MFA(FACTOR(AZFSIDP1) NOACTIVE TAGS(SIDUSERID:[RSA User ID]))

Clear the node secret


The RSA node secret is a shared secret known to IBM MFA and the RSA Authentication Manager. If
this secret must be established (or re-established), your RSA Authentication Manager administrator will
request that the node secret be cleared from each z/OS client host.

Procedure
1. To clear the node secret, issue a Modify command as follows.

F <STC Job Name>,AZFSIDP1 CLEAR NODE SECRET

For example:

F AZF#IN00,AZFSIDP1 CLEAR NODE SECRET

2. Repeat step 1 on each host or LPAR where IBM MFA is installed.
3. Verify that the RSA Authentication Manager generates a new node secret on the first successful logon.

Print IBM MFA statistics


You can print statistics for IBM MFA with SecurID. The statistics are printed to the job log for the started
task.

Procedure
1. Issue a Modify command of the following form:

F <STC Job Name>,AZFSIDP1 PRINT STATS

For example:

F AZF#IN00,AZFSIDP1 PRINT STATS

2. Review the job log for the started task for the IBM MFA statistics:

AZFSTC:AZF2112I Console received modify command: AZFSIDP1
AZFSIDP:AZFSIDP1 Statistics:
AZFSIDP:Total inbound authentication requests:
AZFSIDP:Access granted:
AZFSIDP:Access not granted:
AZFSIDP:Could not evaluate:
AZFSIDP:New PIN cases:
AZFSIDP:Next Tokencode cases:
AZFSIDP:AZFSIDP1 has received no tag validation requests.

Disaster recovery for IBM MFA with SecurID


The disaster recovery steps you perform depend on which system has failed.

Scenario #1: LPAR is down, the RSA Authentication Manager is still up


Perform the following disaster recovery steps when the LPAR (or z/OS system) on which IBM MFA is
installed is down, and the Authentication Manager server is still up:

1. If the recovery LPAR has the same hostname as the failed LPAR, but a different IP address, ensure that
the RSA Authentication Agent host record on the RSA Authentication Manager server has the new IP
address as an alias. You configure an RSA Authentication Agent for each z/OS system or LPAR that is
running IBM MFA.
2. If the existing DASD has been replicated on the recovery LPAR, and therefore contains the existing
node secret file, no other changes are required.
3. If the existing DASD has not been replicated on the recovery LPAR and you are starting over, then you
must:
a. Configure IBM MFA for SecurID on the LPAR, as described in Chapter 12, “Configuring IBM MFA for
RSA SecurID,” on page 51.
b. Clear the node secret as described in “Clear the node secret” on page 59.

Scenario #2: LPAR is still up, the RSA Authentication Manager is down
Perform the following disaster recovery steps when the LPAR (or z/OS system) on which IBM MFA is
installed is up, and the Authentication Manager server is down:
1. Switch to the recovery Authentication Manager.
2. Prepare to use a new sdconf.rec file:
a. Allocate a data set for sdconf.rec, as described in “Allocate SDCONF.REC data set” on page 52.
b. Obtain and copy the sdconf.rec file, as described in “Copy sdconf.rec to SDCONF.REC data set”
on page 53.
3. Execute AZFEXEC to define the SecurID parameter for the data set name of SDCONF.REC, as
described in “Configure SecurID parameters” on page 54.
4. Restart the started task, as described in “Start the IBM MFA services started task” on page 55.
5. Clear the node secret, as described in “Clear the node secret” on page 59.

Scenario #3: LPAR is down, the RSA Authentication Manager is down


Perform the recovery steps from both “Scenario #1: LPAR is down, the RSA Authentication Manager is still
up” on page 59 and “Scenario #2: LPAR is still up, the RSA Authentication Manager is down” on page 60.

Chapter 13. Configuring IBM MFA for RSA SecurID Authentication API
You must configure IBM MFA for RSA SecurID Authentication API if you want to use that authentication
factor. You might choose to configure RSA SecurID Authentication API instead of RSA SecurID because
RSA SecurID Authentication API requires the use of the HTTPS transport.
Before you configure IBM MFA for RSA SecurID Authentication API, refer to the configuration roadmap in
Chapter 6, “IBM MFA configuration roadmap,” on page 13.

Additional RACF administration steps for RSA SecurID Authentication API
You must perform RACF administration steps for RSA SecurID Authentication API.

Define a resource profile in MFADEF class


You define IBM MFA factors by creating a general resource profile for the factor name in the MFADEF
class. To define the factor for RSA SecurID Authentication API, use RDEFINE to create a resource profile
named FACTOR.AZFSIDP3 in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFSIDP3 OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFSIDP3

Define a resource profile in FACILITY class


To define authorization to execute the panels for SecurID administration, use RDEFINE to create a
resource profile named IRR.RFACTOR.MFADEF.AZFSIDP3 in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFSIDP3 OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the change. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFSIDP3

Authorize access to IRR.RFACTOR.MFADEF.AZFSIDP3 profile
Authorize the SecurID administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFSIDP3
profile.

Procedure
1. Allow the access shown in Table 14 on page 62:

Table 14. Required levels of permission

Permission                Access
READ                      Able to view configuration options, but may not update, create, or delete
                          SecurID parameters.
UPDATE, CONTROL, ALTER    Able to create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFSIDP3 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Additional system programming steps for RSA SecurID Authentication API
After you perform the RACF administration tasks, you must perform additional system programming tasks
to define SecurID Authentication API parameters.

Configure RSA SecurID Authentication API


You must enable the Authentication API interface from the RSA Security Console. You must be running
RSA Authentication Manager 8.2 SP1 or later to access this interface.

Before you begin


To enable the Authentication API interface from the RSA Security Console, perform the following steps:

Procedure
1. Open the RSA Security Console.
2. Select Setup > System settings > RSA SecurID Authentication API.
3. Click Enable Authentication API.
4. Click Apply Settings.
5. Make note of the Access Key and Communication Port; you will need them in the ISPF panel
configuration.
6. Configure an RSA Authentication Agent for each z/OS system or LPAR that is running IBM MFA server.
See your Authentication Manager documentation for details.

Configure SecurID Authentication API parameters
Execute AZFEXEC to configure the SecurID Authentication API parameters.

Before you begin


You copied the AZFEXEC member to a data set in your SYSEXEC concatenation in “Copy
SAZFEXEC(AZFEXEC) ” on page 7 and customized the HLQ in “Customize AZFEXEC” on page 7.

Procedure
1. Execute AZFEXEC.
2. Choose AZFSIDP3.
3. Enter the data set values:

Table 15. AZFSIDP3 Factor Attributes

PKCS#11 Token Name
    The name of the PKCS#11 token to be used for cryptographic operations. You created this token in
    Chapter 9, “Configuring a PKCS#11 token,” on page 31.
Key Label
    The name of the key label that is used to encrypt user registration information. The PKCS#11 key label
    has a limit of 32 characters. The value you specify for PKCS#11 key label is used if it already exists
    and is created if it does not exist.
REST Service URL 1
    Enter the URL of the primary RSA SecurID Authentication API instance, including port and base path.
    The protocol must be HTTPS. For example, https://host:port/mfa/v1_1/. The hostname must be
    sufficiently qualified for web clients to resolve the hostname. Must be set.
REST Service URL 2
    Enter the URL of the secondary RSA SecurID Authentication API instance, including port and base path.
    The protocol must be HTTPS. For example, https://host:port/mfa/v1_1/. The hostname must be
    sufficiently qualified for web clients to resolve the hostname. This is required only if you have
    multiple servers.
REST Service URL 3
    Enter the URL of the tertiary RSA SecurID Authentication API instance, including port and base path.
    The protocol must be HTTPS. For example, https://host:port/mfa/v1_1/. The hostname must be
    sufficiently qualified for web clients to resolve the hostname. This is required only if you have
    multiple servers.
Client ID
    Enter the Authentication Agent name for the IBM MFA server you configured in the RSA Authentication
    Manager.
Access Key
    Enter the Access Key from the RSA Authentication Manager.
Timeout
    The amount of time the connection between IBM MFA and the RSA server can remain inactive before the
    session is timed out.
Initial Trace Level
    The trace level used for tracing events within the AZFSIDP3 plug-in. Valid values are 0 through 3,
    where the higher number increases the level of verbosity. The default is zero.

4. Define an AT-TLS rule to handle outbound traffic to the RSA REST Service URL and port, as described in
“Configure an AT-TLS profile” on page 36.
5. See “Configure IBM MFA Compound In-Band” on page 56 for information about configuring IBM MFA
Compound In-Band.
6. Save and verify the changes.

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1
• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task
In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Configure IBM MFA Compound In-Band


Configure IBM MFA Compound In-Band authentication only if you require the user to authenticate in-band
with a combination of SecurID Authentication API, and a passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFSIDP3 factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.
The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the passcode with the passphrase or password, separated by a valid separator, and
stores the result in the passphrase field.

Procedure
1. Execute AZFEXEC.
2. Choose AZFSIDP3.
3. On the AZFSIDP3 factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.
• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 16 on page 66. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)
Note: Encodings are shown for code page IBM-1047.

Table 16. Valid Separator Characters

Character Name                   Character   Hexadecimal (for reference)
Plus sign                        +           4e
Less than sign                   <           4c
Equal sign                       =           7e
Greater than sign                >           6e
Ampersand                        &           50
Straight single quotation mark   '           7d
Left parenthesis                 (           4d
Right parenthesis                )           5d
Comma                            ,           6b
Underscore                       _           6d
Hyphen                           -           60
Period                           .           4b
Slash right                      /           61
Colon                            :           7a
Semicolon                        ;           5e
Question mark                    ?           6f
Percent                          %           6c
Asterisk                         *           7f
Double quotation mark            "           5c
Vertical bar                     |           4f

4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their credential, the required separator, and their passphrase or password in
the password field, based on the credential order you selected. For example:

passcode:passphrase

Administration and operation steps for SecurID Authentication API
Follow the steps in this section to provision users and start up and administer IBM MFA for SecurID
Authentication API.

Activate and deactivate users for IBM MFA SecurID Authentication API
You use the ALTUSER or ALU command to activate users for IBM MFA with SecurID Authentication API.

Before you begin


Before you can activate users for IBM MFA, you must first create accounts for the users in RSA
Authentication Manager and assign RSA tokens.
When you activate a user for IBM Multi-Factor Authentication for z/OS, that user is no longer able to use
the z/OS password to log in. Therefore, the user must first have a valid token and credentials for RSA
Authentication Manager.
To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the
NOACTIVE keyword to deactivate the authenticator for the user ID.

Procedure
1. Enter the following command to activate a user for IBM MFA:

ALU [Login ID] MFA(FACTOR(AZFSIDP3) ACTIVE PWFALLBACK TAGS(SIDUSERID:[RSA User ID]))

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFSIDP3 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
• RSA User ID is the associated RSA user ID. The SIDUSERID tag identifies the RSA user ID to use
when an authentication request for this user is sent to the RSA server by IBM MFA:
– If the security manager user ID matches the RSA server user ID, you can either specify the RSA
server user ID in the SIDUSERID tag, or omit it and the security manager user ID is used by
default.
– If the security manager user ID does not match the RSA server user ID, you must specify the RSA
server user ID in the SIDUSERID tag.
2. If needed, enter the following command to defer activating a user for IBM MFA:

ALU [Login ID] MFA(FACTOR(AZFSIDP3) TAGS(SIDUSERID:[RSA User ID]))

Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFSIDP3 authenticator for the user ID:

ALU <USERID> MFA(FACTOR(AZFSIDP3) ACTIVE)

3. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSIDP3
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user

4. If needed, enter the following command to deactivate a user for IBM MFA:

ALU [Login ID] MFA(FACTOR(AZFSIDP3) NOACTIVE TAGS(SIDUSERID:[RSA User ID]))
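
The LISTUSER output shown in step 3 and the SIDUSERID rule in step 1 (the tag names the RSA user ID; if it
is omitted, the security manager user ID is used) can be checked mechanically when reviewing many user
profiles. The following Python script is an added example and is not part of this manual or of IBM MFA: it
parses the MULTIFACTOR AUTHENTICATION INFORMATION block from a constructed sample in the layout shown above,
reports which factors are active, and derives the RSA user ID that would be sent for AZFSIDP3. The wording
"PASSWORD FALLBACK IS ALLOWED" for a user with PWFALLBACK is an assumption; only the NOT ALLOWED form
appears on this page.

```python
"""Parse the MULTIFACTOR AUTHENTICATION INFORMATION block of LISTUSER output."""
from dataclasses import dataclass, field

# Constructed sample in the layout that LISTUSER [Login ID] MFA shows on this page.
SAMPLE_LISTUSER_MFA = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSIDP3
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user
"""


@dataclass
class FactorInfo:
    name: str
    status: str = ""
    tags: dict = field(default_factory=dict)


@dataclass
class MfaInfo:
    password_fallback: bool = False
    factors: list = field(default_factory=list)


def parse_listuser_mfa(text: str) -> MfaInfo:
    """Line-oriented parse: FACTOR = / STATUS = / FACTOR TAGS = followed by NAME:value lines."""
    info = MfaInfo()
    current = None
    in_tags = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("MULTIFACTOR") or set(line) == {"-"}:
            continue
        if line.startswith("PASSWORD FALLBACK IS"):
            # The page shows "IS NOT ALLOWED"; "IS ALLOWED" is the assumed wording with PWFALLBACK.
            info.password_fallback = "NOT ALLOWED" not in line
            in_tags = False
        elif line.startswith("FACTOR TAGS"):
            in_tags = True                      # tag lines follow until the next keyword
        elif line.startswith("FACTOR ="):
            current = FactorInfo(name=line.split("=", 1)[1].strip())
            info.factors.append(current)
            in_tags = False
        elif line.startswith("STATUS =") and current is not None:
            current.status = line.split("=", 1)[1].strip()
            in_tags = False
        elif in_tags and current is not None and ":" in line:
            tag, value = line.split(":", 1)
            current.tags[tag.strip()] = value.strip()
    return info


def effective_rsa_user_id(zos_userid: str, factor: FactorInfo) -> str:
    """The SIDUSERID tag names the RSA user; when omitted, the security manager user ID is used."""
    return factor.tags.get("SIDUSERID", zos_userid)


def summarize(zos_userid: str, text: str) -> dict:
    """Compact view an administrator can log or compare across users."""
    info = parse_listuser_mfa(text)
    return {
        "userid": zos_userid,
        "password_fallback": info.password_fallback,
        "active_factors": [f.name for f in info.factors if f.status == "ACTIVE"],
        "rsa_userids": {
            f.name: effective_rsa_user_id(zos_userid, f)
            for f in info.factors if f.name == "AZFSIDP3"
        },
    }


if __name__ == "__main__":
    print(summarize("USER1", SAMPLE_LISTUSER_MFA))
```

Feed it the captured output of LISTUSER for each user ID; the summary makes it easy to spot users who are
active for AZFSIDP3 while still having password fallback allowed, or whose SIDUSERID tag is missing on a
system where the RACF user ID and the RSA user ID differ.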

Chapter 14. Configuring IBM MFA for TOTP
You must configure IBM MFA for TOTP if you want to use TOTP authentication.

TOTP configuration requirements


Before you configure IBM MFA for TOTP, refer to the configuration roadmap in Chapter 6, “IBM MFA
configuration roadmap,” on page 13.
The hardware clock must be synchronized to UTC time using an external time source. If this is not done,
IBM MFA may reject TOTP tokens generated by a client device.

Additional RACF administration steps for TOTP


You must perform additional RACF administration steps for TOTP.

Define a resource profile in MFADEF class


You define TOTP factors by creating a general resource profile for the factor name in the MFADEF class.
To define a factor for TOTP, use RDEFINE to create a resource profile named FACTOR.AZFTOTP1 in the
MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFTOTP1 OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFTOTP1 MFA

Define resource profiles in FACILITY class


Use RDEFINE to define resource profiles in the FACILITY class for authorizing administrators who execute
TOTP panels and to authorize the user ID of the started task.

About this task


You must define two profiles in the FACILITY class:
• To define the authorization to execute the panels for TOTP administration, define a resource profile
named IRR.RFACTOR.MFADEF.AZFTOTP1 in the FACILITY class.
• To authorize the IBM MFA web services started task user ID, you define a resource profile named
IRR.RFACTOR.USER in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class for AZFTOTP1:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFTOTP1 OWNER(userid or group-name)

2. Define the profile in the FACILITY class for USER:

RDEF FACILITY IRR.RFACTOR.USER UACC(NONE)

3. Authorize the IBM MFA web services started task user ID to the profile:

PERMIT IRR.RFACTOR.USER ACCESS(UPDATE) CLASS(FACILITY) ID(AZFWEB)

4. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

5. Verify the changes. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFTOTP1


RLIST FACILITY IRR.RFACTOR.USER

Authorize access to IRR.RFACTOR.MFADEF.AZFTOTP1 profile


Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFTOTP1 profile. The
user ID of the IBM MFA web services started task requires READ access to this profile.

Procedure
1. Allow the access shown in Table 17 on page 70:

Table 17. Required levels of permission

Permission                Access
READ                      Able to view configuration options, but may not update, create, or delete
                          parameters.
UPDATE, CONTROL, ALTER    Able to create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFTOTP1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
PERMIT IRR.RFACTOR.MFADEF.AZFTOTP1 ACCESS(READ) CLASS(FACILITY) ID(AZFWEB)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Additional system programming steps for TOTP


After you perform the RACF administration tasks, you must perform additional system programming tasks
for TOTP.

Configure AZFTOTP1
You must configure the AZFTOTP1 settings for use with both TOTP and generic TOTP.

Before you begin


You must have already configured PKCS#11 tokens and AT-TLS before you configure the AZFTOTP1
settings.

About this task


Configuration data for AZFTOTP1 is stored in the RACF database. The AZFTOTP1 configuration data
include settings related to the AZFTOTP1 authentication load module.

Procedure
1. Execute AZFEXEC and choose AZFTOTP1.
2. Provide the following:

Table 18. AZFTOTP1 Factor Attributes

PKCS#11 Token Name
    The name of the PKCS#11 token to be used for cryptographic operations. You created this token in
    Chapter 9, “Configuring a PKCS#11 token,” on page 31.
Key Label
    The name of the key label that is used to encrypt user registration information. The PKCS#11 key label
    has a limit of 32 characters. The value you specify for PKCS#11 key label is used if it already exists
    and is created if it does not exist.
Use Single-key Encryption
    Specifies whether single-key encryption should be used for a newly-registered user. If enabled, a
    single factor-level TKDS encryption key is used when user registration information is encrypted. If
    disabled, a new TKDS object is created to hold the TOTP secret for each new enrolling user. Single-key
    encryption reduces the proliferation of TKDS encryption keys. You should use single-key encryption
    whenever possible.
    Important: Single-key encryption requires that all systems that share the same RACF database have the
    relevant PTFs for APAR PH20136. (See https://www-01.ibm.com/support/docview.wss?uid=swg1PH20136.) If
    enabled, new user-registration information will be unusable on systems that do not support single-key
    encryption. Existing user registration information will remain unchanged.
    The default is determined as follows:
    • If previous AZFTOTP1 settings exist, or exist with the value set to N, the default is N.
    • If previous AZFTOTP1 settings do not exist, or exist with the value set to Y, the default is Y.
Realm Name
    Enter the realm name for your web services server. This setting is used in combination with the SAF
    User ID to generate a default label for a user's TOTP account. The generated label takes the form
    <User ID>@<Realm Name>. For example, a user with SAF User ID "USER1" provisioned with a TOTP account
    using the realm name of "MYREALM" would receive the default TOTP account label of "USER1@MYREALM".
    If you intend to provision TOTP accounts from systems controlled by separate enterprise security
    manager (ESM) databases, set the realm name differently across those various ESM databases. This can
    help to ensure that a user enrolled for TOTP across multiple environments will be able to distinguish
    between their various TOTP accounts at a glance, even within the same TOTP client application running
    on their device.
Initial Trace Level
    The initial trace level for AZFTOTP1 web services. Valid values are 0 through 3, where the higher
    number increases the level of verbosity. The default is zero.
Digest Algorithm
    Choose the default digest algorithm. AZFTOTP1 uses the digest algorithm, the shared secret key, and
    the current time to generate the TOTP value. Possible values are SHA1, SHA256, SHA384, and SHA512. The
    default is SHA256.
Token Code Length
    Choose the number of digits in the generated token. Possible values are 6, 7, and 8. The default is 8.
Token Period
    Choose the time (in seconds) between changes in value for the token. This number determines how long
    a one-time password is active before the next one-time password generates. Possible values are 15,
    30, and 60. The default is 30 seconds.
Window
    Enter the skew intervals of the algorithm. The skew intervals consider any possible synchronization
    delay between the server and the client that generates the one-time password. For example, a skew
    interval of 2 means a one-time password in up to two intervals in the past, or two in the future, are
    also valid. If it is interval 563, and intervals are 30 seconds, then one-time passwords for intervals
    561-565 are computed and checked against within a range of 2.5 minutes. The maximum is 10.
Initial Trace Level
    The trace level used for tracing events within the AZFTOTP1 plug-in. Valid values are 0 through 3,
    where the higher number increases the level of verbosity. The default is zero.
Suspension Threshold
    See the note following the table for important information before you set Suspension Threshold.
    The Suspension Threshold limits the number of times a user consecutively fails to provide a valid TOTP
    code. Valid values are 0 through 255.
    Note: The Suspension Threshold setting is separate and distinct from a RACF revoked status. The
    Suspension Threshold setting is most useful in IBM MFA Out-of-Band authentication to prevent brute
    force attacks. To prevent any conflict or user confusion with the RACF revoke count for in-band
    authentication, you should set the Suspension Threshold setting to a number significantly higher than
    the RACF revoke count.
    A value of 0 indicates that brute force protection is not enabled for the AZFTOTP1 authentication
    method.
    Any numeric value greater than zero is treated as the number of times a user may consecutively fail
    to provide a valid TOTP code. If a user fails exactly this number of times and then provides a valid
    TOTP code:
    • Authentication succeeds.
    • Their failure count is reset to zero.
    If the user fails more than this number of times:
    • Authentication fails.
    • Their SUSPENDED tag is set to YES.
    • Their failure count is reset to zero.

Important: The Suspension Threshold setting is incompatible with prior versions of IBM MFA. Do not
enable this setting unless all of the IBM MFA systems have the relevant PTFs for APAR PH20136. (See
https://www-01.ibm.com/support/docview.wss?uid=swg1PH20136.)
If you do inadvertently set Suspension Threshold for a prior version, you must do the following:
a. Set Suspension Threshold to zero and restart the IBM MFA started task.
b. For each user already provisioned for TOTP authentication, delete the SUSPENDED and FAILCOUNT
tags to remove them from the user's stored IBM MFA data:

ALU [Login ID] MFA(FACTOR(AZFTOTP1) DELTAGS(SUSPENDED FAILCOUNT))

If invoked on a system running a previous release, this command generates a warning because the
SUSPENDED and FAILCOUNT tags are not recognized. The tags are deleted and you can ignore this
warning.

3. See “Next Steps: Configure IBM MFA Compound In-Band” on page 75 for information about
configuring IBM MFA Compound In-Band.
The PKCS#11 token name you specify on this panel is used when creating an AZFTOTP1 user session-
object when a user registers. If you change the PKCS#11 token name or key label values, all user
registrations will become inaccessible, and users must re-register.
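
The Digest Algorithm, Token Code Length, Token Period, Window, and Suspension Threshold settings in Table 18
describe a standard RFC 6238 TOTP check with a skew window and a consecutive-failure counter. The following
Python program is an added example and is not IBM MFA code: it generates and verifies TOTP values for those
parameter ranges (for example, at interval 563 with a window of 2 it checks intervals 561 through 565, a
span of 2.5 minutes) and models the failure-count and SUSPENDED rules described for Suspension Threshold.
The secret is a constructed sample. What happens to a user once SUSPENDED is YES is not described on this
page, so the model only sets the flag and leaves the decision to the caller.

```python
"""TOTP generation, skew-window verification, and Suspension Threshold accounting."""
import base64
import hashlib
import hmac
import struct

# Digest algorithms selectable through the Digest Algorithm setting / ALG tag.
DIGESTS = {
    "SHA1": hashlib.sha1,
    "SHA256": hashlib.sha256,
    "SHA384": hashlib.sha384,
    "SHA512": hashlib.sha512,
}

# Constructed sample secret (Base32, as TOTP apps expect); not a real user's key.
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP"


def totp_for_interval(key: bytes, interval: int, alg: str = "SHA256", digits: int = 8) -> str:
    """RFC 6238 one-time password for one time interval (the HOTP counter value)."""
    if alg not in DIGESTS or digits not in (6, 7, 8):
        raise ValueError("ALG must be SHA1/SHA256/SHA384/SHA512 and NUMDIGITS 6, 7 or 8")
    mac = hmac.new(key, struct.pack(">Q", interval), DIGESTS[alg]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def acceptance_span_seconds(period: int, window: int) -> int:
    """Wall-clock span the server accepts: (2 * window + 1) intervals of `period` seconds."""
    return (2 * window + 1) * period


def verify_totp(key: bytes, candidate: str, now_seconds: int, alg: str = "SHA256",
                digits: int = 8, period: int = 30, window: int = 1):
    """Return the interval whose code matched, or None.

    Codes for the current interval and up to `window` intervals before and after it are
    accepted, e.g. interval 563 with window 2 checks 561 through 565.
    """
    if period not in (15, 30, 60) or not 1 <= window <= 10:
        raise ValueError("PERIOD must be 15, 30 or 60 and WINDOW 1 through 10")
    current = now_seconds // period
    for interval in range(current - window, current + window + 1):
        expected = totp_for_interval(key, interval, alg, digits)
        if hmac.compare_digest(expected, candidate):  # constant-time compare
            return interval
    return None


class SuspensionTracker:
    """Models the failure-count / SUSPENDED bookkeeping described for Suspension Threshold."""

    def __init__(self, threshold: int):
        if not 0 <= threshold <= 255:
            raise ValueError("Suspension Threshold is 0 through 255")
        self.threshold = threshold
        self.failcount = 0
        self.suspended = False

    def record(self, code_was_valid: bool) -> bool:
        """Apply one authentication outcome and return whether the logon succeeds."""
        if self.threshold == 0:          # 0: brute-force protection not enabled
            return code_was_valid
        if code_was_valid:               # fail exactly N times, then succeed: ok, reset
            self.failcount = 0
            return True
        self.failcount += 1
        if self.failcount > self.threshold:
            self.suspended = True        # SUSPENDED tag set to YES ...
            self.failcount = 0           # ... and the failure count reset to zero
        return False


def authenticate(tracker: SuspensionTracker, key: bytes, candidate: str, now_seconds: int,
                 **totp_params) -> bool:
    """One in-band TOTP attempt: verify the code, then apply the threshold rules."""
    matched = verify_totp(key, candidate, now_seconds, **totp_params)
    return tracker.record(matched is not None)


if __name__ == "__main__":
    key = base64.b32decode(SAMPLE_SECRET_B32)
    now = 563 * 30 + 12                      # somewhere inside interval 563
    tracker = SuspensionTracker(threshold=3)
    good = totp_for_interval(key, 563)
    print("valid code accepted:", authenticate(tracker, key, good, now, window=2))
    for _ in range(4):                       # four consecutive failures with threshold 3
        authenticate(tracker, key, "00000000", now, window=2)
    print("suspended after 4 failures:", tracker.suspended)
```

Two points the code makes concrete: a larger Window widens the set of codes accepted at any moment (each
extra unit adds two more intervals), which is why the server clock must be synchronized rather than
compensated for with a wide window, and a non-zero Suspension Threshold caps consecutive guesses, which is
the brute-force protection the table refers to.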

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1
• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Next Steps: Configure IBM MFA Compound In-Band


After you are able to successfully log in using TOTP in-band, the next step is to require authentication
in-band with a combination of a TOTP token, and a passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFTOTP1 factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.
The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the OTP token with the passphrase or password, separated by a valid separator,
and stores the result in the passphrase field.

Procedure
1. Execute AZFEXEC.
2. Choose AZFTOTP1.
3. On the AZFTOTP1 factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.
• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 19 on page 75. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)
Note: Encodings are shown for code page IBM-1047.

Table 19. Valid Separator Characters

Character Name                   Character   Hexadecimal (for reference)
Plus sign                        +           4e
Less than sign                   <           4c
Equal sign                       =           7e
Greater than sign                >           6e
Ampersand                        &           50
Straight single quotation mark   '           7d
Left parenthesis                 (           4d
Right parenthesis                )           5d
Comma                            ,           6b
Underscore                       _           6d
Hyphen                           -           60
Period                           .           4b
Slash right                      /           61
Colon                            :           7a
Semicolon                        ;           5e
Question mark                    ?           6f
Percent                          %           6c
Asterisk                         *           7f
Double quotation mark            "           5c
Vertical bar                     |           4f

4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their OTP token, the required separator, and their passphrase or password in
the password field, based on the credential order you selected. For example:

OTP token:passphrase

Administration and operation steps for TOTP


Follow the steps in this section to provision users and start up and administer TOTP.

Configure a TOTP profile for users


You must configure a TOTP profile for the user. The specified tag values are provided to the user's TOTP
application so it knows how to properly generate a token for use with IBM MFA.

About this task


Important: You can set the tags described in Table 20 on page 77 as described in the procedure.
After the registration state changes to PROVISIONED, you cannot change the tags identified in the table
as Requires REGSTATE OPEN. In addition, although you are not explicitly prevented from deleting
these tags after the registration state changes to PROVISIONED, do not delete them. (If you were to do
so, the OTP value would become invalid and you would have to re-register the user.)

Table 20. Available TOTP Tags

REGSTATE
    Indicates the user ID TOTP device registration status.
    Allowed values: OPEN. Other values can be displayed but are managed only by IBM MFA.
    Requires REGSTATE OPEN: N
ALG
    Specifies the digest algorithm.
    Allowed values: SHA1, SHA256, SHA384, and SHA512. The default is SHA256.
    Requires REGSTATE OPEN: Y
NUMDIGITS
    Specifies the length of the generated one-time passwords.
    Allowed values: 6, 7, and 8. The default is 8.
    Requires REGSTATE OPEN: Y
PERIOD
    Specifies the number of seconds that an interval lasts. This number determines how long a one-time
    password is active before the next one-time password generates.
    Allowed values: 15, 30, and 60. The default is 30 seconds.
    Requires REGSTATE OPEN: Y
WINDOW
    Specifies the skew intervals of the algorithm. The skew intervals consider any possible
    synchronization delay between the server and the client that generates the one-time password.
    For example, a skew interval of 2 means a one-time password in up to two intervals in the past, or
    two in the future, are also valid. If it is interval 563, and intervals are 30 seconds, then one-time
    passwords for intervals 561-565 are computed and checked against within a range of 2.5 minutes.
    Allowed values: 1-10. The default is 1.
    Requires REGSTATE OPEN: N

Procedure
1. Ensure that the user is not active for TOTP.
2. Enter the following command to set the TOTP registration state for the user to OPEN. (The value OPEN is
case-sensitive.)

ALU [Login ID] MFA(FACTOR(AZFTOTP1) TAGS(REGSTATE:OPEN))

Note: Perform steps 3 through 6 only if you want to override the configured default settings for this login
ID's TOTP account. You set the default settings in “Configure AZFTOTP1” on page 70.
3. Enter the following command to set the TOTP digest algorithm used to generate the one-time
password.
Important: If you set the default algorithm to be SHA-1 in “Configure AZFTOTP1” on page 70, any users who
are provisioned for IBM TouchToken for iOS must have the ALG tag set to ALG:SHA256, ALG:SHA384, or
ALG:SHA512. Otherwise, a failure occurs during registration. SHA-1 is valid only for generic TOTP.

ALU [Login ID] MFA(FACTOR(AZFTOTP1) TAGS(ALG:SHA384))

4. Enter the following command to set the length of the generated one-time passwords:

ALU [Login ID] MFA(FACTOR(AZFTOTP1) TAGS(NUMDIGITS:6))

5. Enter the following command to set the number of seconds an interval lasts:

ALU [Login ID] MFA(FACTOR(AZFTOTP1) TAGS(PERIOD:60))

6. Enter the following command to set the skew intervals of the algorithm:

ALU [Login ID] MFA(FACTOR(AZFTOTP1) TAGS(WINDOW:2))

7. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
FACTOR = AZFTOTP1
STATUS = INACTIVE
FACTOR TAGS =
REGSTATE:OPEN

Configure TOTP for users


TOTP supports common Quick Response (QR) codes on both Android and Apple iOS devices.

Before you begin


Note: Not all TOTP client applications support all combinations of token length, period, or digest
algorithm. In addition, not all TOTP applications display errors when importing combinations of TOTP
parameters that the application does not support. IBM recommends that you confirm that a specific
combination of token length, period, and digest algorithm is compatible with a specific TOTP application
prior to rolling out AZFTOTP1 in production environments.

Procedure
1. Instruct the user to open the TOTP start page in a desktop web browser and log in with their z/OS user
name and password:

https://hostname:6789/AZFTOTP1/genericStart

A page that contains the AuthURL and the encoded QR code is displayed.
2. Instruct the user to point their device at the generated QR code and scan it with an application such as
IBM Verify, Google Authenticator, Duo Mobile, and so forth.
The application displays the TOTP code.
3. Instruct the user to enter the TOTP code on the web page and click Generic TOTP Enrollment.
4. If an error occurs, the user is prompted to retry enrollment. In this case, for the greatest compatibility
with TOTP applications, first set the following tag values (SHA-1 is valid only for generic TOTP, not for
IBM TouchToken for iOS, as noted earlier):
• ALG SHA1
• NUMDIGITS 6
• PERIOD 30

ALU [Login ID] MFA(FACTOR(AZFTOTP1) TAGS(ALG:SHA1 NUMDIGITS:6 PERIOD:30))

Instruct the user to click Retry enrollment.


5. If the enrollment is successful, the message "New TOTP token has been confirmed and is ready to
use." is displayed.
6. The user must now use this TOTP token code to log on to their z/OS application.
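The following Python example is added here for illustration and is not IBM MFA code; it does not show how AZFTOTP1 is implemented. It implements RFC 6238 TOTP with the four tags described in the table earlier in this chapter (ALG, NUMDIGITS, PERIOD, WINDOW), so you can see exactly which intervals a WINDOW of 1 or 2 accepts, and it builds the otpauth:// key URI that the enrollment QR code carries, which is where the ALG, NUMDIGITS and PERIOD combination that an authenticator application must support is spelled out. The secrets are the RFC 6238 Appendix B test seeds (so the codes can be checked against the RFC); the issuer and account names are made up.

```python
"""TOTP with the AZFTOTP1 tag semantics (ALG, NUMDIGITS, PERIOD, WINDOW).

Added example, not IBM MFA code. The seeds below are the RFC 6238 Appendix B
test vectors and must never be used as real shared secrets.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 6238 Appendix B seeds, one per digest algorithm (test data only).
RFC6238_SEED = {
    "SHA1": b"12345678901234567890",
    "SHA256": b"12345678901234567890123456789012",
    "SHA512": b"1234567890123456789012345678901234567890123456789012345678901234",
}


def hotp(secret: bytes, counter: int, alg: str = "SHA256", digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-<ALG> over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), alg.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, alg: str = "SHA256", digits: int = 8, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / PERIOD)."""
    return hotp(secret, int(unix_time) // period, alg, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, alg: str = "SHA256",
                digits: int = 8, period: int = 30, window: int = 1):
    """Accept a code from the current interval or up to WINDOW intervals on either side.

    Returns the interval offset that matched (0 = current, -1 = previous, +1 = next, ...)
    or None. compare_digest keeps the digit comparison constant-time; the offset itself
    is not secret.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = int(unix_time) // period
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0:          # nothing valid before the epoch; also avoids packing a negative
            continue
        if hmac.compare_digest(hotp(secret, counter, alg, digits), candidate):
            return delta
    return None


def otpauth_uri(issuer: str, account: str, secret: bytes,
                alg: str = "SHA256", digits: int = 8, period: int = 30) -> str:
    """Key URI an authenticator app imports from the enrollment QR code.

    The algorithm/digits/period parameters are exactly the ones a client may silently
    ignore or mis-handle, which is why the compatibility check in this chapter matters.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm={alg}&digits={digits}&period={period}")


if __name__ == "__main__":
    seed = RFC6238_SEED["SHA256"]
    now = 59                                     # interval 1 at PERIOD 30
    code_next = hotp(seed, 2)                    # code a client 30 s fast would show
    print("WINDOW 1 accepts next interval:", verify_totp(seed, code_next, now, window=1))
    print("WINDOW 1 rejects two ahead:", verify_totp(seed, hotp(seed, 3), now, window=1))
    print(otpauth_uri("IBM MFA", "USER01", RFC6238_SEED["SHA1"], "SHA1", 6, 30))
```

Running the block prints the offset at which a slightly fast client's code is accepted, a rejection for a code two intervals ahead under WINDOW 1, and a sample key URI. In practice a verifier must also remember the last accepted counter per user and refuse any code at or below it; otherwise a captured code stays valid for the whole window.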

Activating a user when SUSPENDED is YES


The suspension threshold limits the number of times a user consecutively fails to provide a valid TOTP
code. If the user fails more than this number of times, their SUSPENDED tag is set to YES. The suspension
threshold setting is separate and distinct from a RACF revoked status.

About this task


See “Configure AZFTOTP1” on page 70 for important information regarding the Suspension Threshold
setting.

Procedure
1. Enter the following command to display IBM MFA information for a user profile, including the
suspended state:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
FACTOR = AZFTOTP1
SUSPENDED:YES        a
FAILCOUNT:0          b
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:PROVISIONED

Callout Notes:
a. The user has exceeded the suspension threshold you set, and the SUSPENDED tag is set to YES.
b. The user's consecutive failure count is reset to zero.
2. Enter the following command to reactivate a user for TOTP.

ALU [Login ID] MFA(FACTOR(AZFTOTP1) TAGS(SUSPENDED:NO))

3. Enter the following command to confirm that the user is no longer in the suspended state:

LISTUSER [Login ID] MFA

Re-registering a user for TOTP


You typically do not need to re-register a user for TOTP.

About this task


You typically do not need to re-register a user for TOTP unless there is a problem with the device, the
security of the shared secret is in question, and so forth.

Procedure
1. Deactivate the user for TOTP:

ALU [Login ID] MFA(FACTOR(AZFTOTP1) NOACTIVE)

2. Delete the TOTP AZFTOTP1 tags associated with the account:

ALU [Login ID] MFA(FACTOR(AZFTOTP1) NOACTIVE NOTAGS)

3. Enter the following command to set the TOTP registration state for the user to OPEN. (Case is sensitive
for OPEN.)

ALU [Login ID] MFA(FACTOR(AZFTOTP1) TAGS(REGSTATE:OPEN))

4. Follow the steps in “Configure TOTP for users” on page 78 or Chapter 32, “Configure TOTP for users,”
on page 193, as appropriate.



Chapter 15. Configuring IBM MFA certificate
authentication
You can configure IBM MFA for certificate authentication. This is a general-purpose certificate
authentication that includes Common Access Card (CAC) and Personal Identity Verification (PIV)
cards.
Certificate authentication uses the client identity certificate to authenticate the user.

Certificate Authentication configuration requirements


Before you configure Certificate Authentication, refer to the configuration roadmap in Chapter 6, “IBM
MFA configuration roadmap,” on page 13.

Additional RACF administration steps for certificate authentication


You must perform additional RACF administration steps for certificate authentication.

Define a resource profile in MFADEF class


You define IBM MFA factors by creating a general resource profile for the factor name in the MFADEF
class. To define a factor for Certificate Authentication, use RDEFINE to create a resource profile named
FACTOR.AZFCERT1 in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFCERT1 OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFCERT1

Define a resource profile in FACILITY class


To define authorization to execute the panels for Certificate Authentication administration, use RDEFINE
to create a resource profile named IRR.RFACTOR.MFADEF.AZFCERT1 in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class for AZFCERT1:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFCERT1 OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the changes. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFCERT1



Authorize access to IRR.RFACTOR.MFADEF.AZFCERT1 profile
Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFCERT1 profile. The
user ID of the IBM MFA web services started task requires READ access to this profile.

Procedure
1. Allow the access shown in Table 21 on page 82:

Table 21. Required levels of permission

Permission                  Access
READ                        Able to view configuration options, but may not update, create, or delete parameters.
UPDATE, CONTROL, ALTER      Able to create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFCERT1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
PERMIT IRR.RFACTOR.MFADEF.AZFCERT1 ACCESS(READ) CLASS(FACILITY) ID(AZFWEB)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Additional system programming steps for certificate


authentication
After you perform the RACF administration tasks, you must perform additional system programming tasks
for certificate authentication.

Import root CA certificate of client certificate chain


The root CA certificate of the client certificate chain must be present as a CERTAUTH certificate in the
z/OS server keyring.

Before you begin


How to obtain the root CA certificate varies by vendor and application. If you do not already have the
client CA trusted root certificate, you might be able to export it to a file from the client Windows system:
1. Select Internet Options > Content > Certificates > location-of-your-certificate.
2. Double-click on the certificate you want to use for client authentication.
3. Click the Certification Path tab.
4. Select the certificate at the top of the chain. This is the root CA certificate.
5. Click View Certificate. On the Certificate Information window, the Issued to and Issued by fields
should be the same.
6. Select the Details tab.
7. Click Copy to File.
8. Follow the Certificate Export wizard to export the certificate to a file. You can accept the default of DER
encoded binary X.509 (.CER).

About this task


The root CA certificate of the client certificate chain must be present as a CERTAUTH in the z/OS server
keyring. The user certificate must chain to that root: its Issuer DN must match the Subject DN of the root
CA certificate (for a self-signed root, the Subject DN and Issuer DN are the same, which is what step 5
above checks).



If you are using certificates from more than one issuer, as could be the case if you are using smart cards
from more than one source, the root CA certificate of each certificate chain must be present.

Procedure
1. Allocate a data set on the z/OS system for the certificate. You must specify a cataloged data set,
and it may not be a PDS or a PDS member. The record format (RECFM) expected by RACDCERT is
variable-block (VB).
2. Copy the certificate file to the data set you allocated. If you use ftp to transfer the file, transfer it in
binary mode.
3. Add the certificate to the RACF database as a trusted CERTAUTH with a label of your choice.

RACDCERT ADD('cert-data-set') CERTAUTH TRUST WITHLABEL('Cert Label')

4. Connect the certificate to the keyring you created in “Configure an AT-TLS profile” on page 36.

RACDCERT ID(ID of the web services started task) CONNECT(CERTAUTH LABEL('client cert root CA label') RING(server ring name))

5. Refresh the DIGTCERT class:

SETROPTS RACLIST(DIGTCERT) REFRESH

Configure client (mutual) authentication


Configure the AT-TLS profile for mutual authentication on the z/OS system you are using as the web
services server.

Before you begin


You must have already configured an AT-TLS profile for HTTPS on the z/OS system, as described in
“Configure an AT-TLS profile” on page 36. This procedure builds upon that existing profile by defining the
rule for the mutual authentication port.

About this task


In AT-TLS, whether or not client authentication is done is controlled by the HandshakeRole
parameter on either the TTLSEnvironmentAction or TTLSConnectionAction statements. When
the HandshakeRole parameter is set to ServerWithClientAuth, a certificate request is sent to the
client during the handshake. The client can send its certificate to the server, which can then validate the
certificate.
The level of validation done by the server is controlled with the ClientAuthType parameter on the
TTLSEnvironmentAdvancedParms statement.

Procedure
1. Edit the policy you created in “Configure an AT-TLS profile” on page 36 to add a new rule for client
authentication. The example rule uses the same keyring and cipher suites.
2. Add the HandshakeRole and ClientAuthType parameters. Specific lines in the example are
numbered to the right so that you can associate them with the notes that follow.
Note: This is an example fragment. See SYS1.SAZFSAMP(AZFTTLSX) for sample AT-TLS rule
definitions for IBM MFA.

TTLSRule client_AZF
{
  LocalAddr ALL
  RemoteAddr ALL
  LocalPortRange 6777                                   a
  Direction Inbound
  Priority 255
  TTLSGroupActionRef clientgA-AZF
  TTLSEnvironmentActionRef clienteA-AZF
  TTLSConnectionActionRef clientcA-AZF
}
TTLSGroupAction clientgA-AZF
{
  TTLSEnabled On
  Trace 2
}
TTLSEnvironmentAction clienteA-AZF
{
  HandshakeRole ServerWithClientAuth                    b
  EnvironmentUserInstance 0
  TTLSEnvironmentAdvancedParmsRef clienteAdv1-AZF
  TTLSGskAdvancedParmsRef gskAdvMutWithCRL
  TTLSKeyringParmsRef keyR1~AZF
  Trace 2
}
TTLSConnectionAction clientcA-AZF
{
  TTLSCipherParmsRef cipher-AZF
  TTLSConnectionAdvancedParmsRef clientcAdv1-AZF
  CtraceClearText Off
  Trace 2
}
TTLSConnectionAdvancedParms clientcAdv1-AZF
{
  HandshakeTimeout 30                                   c
  ApplicationControlled Off
  SecondaryMap Off
}
TTLSEnvironmentAdvancedParms clienteAdv1-AZF
{
  ClientAuthType Required                               d
  CertValidationMode RFC5280                            e
  ApplicationControlled Off
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 On
  TLSv1.2 On
}
TTLSGskAdvancedParms gskAdvMutWithCRL                   f
{
  TTLSGskHttpCdpParms
  {
    HttpCdpEnable On
  }
  TTLSGskOcspParms
  {
    OcspAiaEnable On
  }
  GSK_V3_SESSION_TIMEOUT 5                              g
}

Callout Notes:
a. The example uses port 6777, but you can choose your own value. You need to specify this port
when you run AZFEXEC to configure the web services mutual authentication port.
b. Enable client authentication.
c. Specifies the number of seconds to wait for the initial handshake to complete. Allow sufficient time
for the user to validate a smart card PIN and provide the client certificate, if needed.
d. The server ensures that the signer of the client’s certificate is trusted by checking the trusted root
CA certificate that is in the server’s key ring.
e. Specifies that certificates are validated by using the method described in RFC 5280. If you are
using z/OS Version 2 Release 1, use the highest supported validation method.
f. For z/OS Version 2 Release 2 and later, implement certificate revocation checking. See z/OS
Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration
Reference for complete information.
g. This value is the number of seconds that elapse until a session identifier expires. Set
GSK_V3_SESSION_TIMEOUT to a low value, such as 5, to require the user to always re-enter
their Common Access Card (CAC) or Personal Identity Verification (PIV) card PIN at logon. If
the value is set too high, the TLS connection uses an abbreviated (session resumption) handshake
that does not use the client's private key and therefore does not require the user to enter their PIN.
Note also that the sample fragment leaves TLSv1.1 On. TLS 1.0 and 1.1 are deprecated (RFC 8996), so
set TLSv1.1 Off unless a client you must support cannot negotiate TLS 1.2.
3. Save the changes.

Configure IBM MFA web service started task for Certificate Authentication
You must configure the IBM MFA web services started task for Certificate Authentication.

Before you begin


You must have already configured IBM MFA web services as described in Chapter 10, “Configuring IBM
MFA web services configuration attributes,” on page 35, including configuring a PKCS#11 token and an
AT-TLS profile.

Procedure
1. Execute AZFEXEC and enter STC to configure the web services started task.
2. Configure the web services started task, as described in “Configure IBM MFA web services started
task” on page 41.
3. Set Mutual Authentication Port to the value you configured in “Configure client (mutual)
authentication” on page 83.
4. Set Enable Out of Band Services to Y.
5. Set Enable Certificate Authentication to Y.

Configure Certificate Authentication


You must configure Certificate Authentication to use this factor.

About this task


As part of the initial logon process, the user must select the certificate they want to use to log on and
complete Certificate Enrollment. You must either configure certificate enrollment automatic approval or
approve the certificate presented by a user to be sure it is correct and approved for the specific user. The
user cannot use the certificate to log on with IBM MFA Certificate Authentication until you complete this
process.
The certificate approval process you must follow is described in “Approve user certificates” on page 89.
You can configure Certificate Authentication to notify an administrator by email when a user enrolls a
certificate.

Procedure
1. Execute AZFEXEC and choose AZFCERT1 to configure Certificate Authentication.
2. Provide the following:

Table 22. AZFCERT1 Factor Attributes

SMTP Server Host
    Enter the host name or IP address of the Simple Mail Transfer Protocol (SMTP) server for outbound email.
SMTP Server Port
    Enter the port of the SMTP server.
SMTP User Id
    Enter the user ID you want to use to log in to the SMTP server.
SMTP User Password
    Enter the password for the user ID you want to use to log in to the SMTP server.
Administrator Email Address
    Enter the email address to be notified when a user enrolls a certificate.
Sender Email Address
    Enter the email address used to send the email notification.
Require Exact Certificate
    Possible values are Y or N. The default is N. By default, the client certificate must match the Subject DN
    and Issuer DN of the root CA certificate, and a hash of the certificate is recorded at enrollment (the
    CERTHASH tag). This parameter addresses the use case where the user gets a new certificate and the hash
    no longer matches: with N, a renewed certificate with the same Subject DN and Issuer DN is still
    accepted; if set to Y, the user certificate must match the recorded hash as well as the Subject DN and
    Issuer DN of the root CA certificate, so a renewed certificate must be re-enrolled.
Enable Auto-Approval in Certificate Enrollment Service
    When this option is enabled, the certificate enrollment web service checks whether the external security
    manager (ESM) has already been configured to map the user-provided certificate to the SAF user ID
    attempting enrollment. If so, the user's REGSTATE is immediately set to APPROVED and the REVIEW state
    is skipped. The option values are as follows:
    • N - Never. Do not auto-approve user certificate enrollments. When a user completes self-service
      certificate enrollment, the user's REGSTATE tag is set to REVIEW. This is the default.
    • E - ESM. Users performing self-service certificate enrollment are required to provide a user ID. If the
      ESM has been configured such that the InitACEE (IRRSIA00) callable service reports that the presented
      certificate maps to the same user ID, the user's REGSTATE tag is set to APPROVED. Otherwise, the
      REGSTATE tag is set to REVIEW. One way to configure this mapping is with RACDCERT MAP, as described
      in z/OS Security Server RACF Command Language Reference.
    • A - Always. If a user completes self-service certificate enrollment, the REGSTATE tag is set to
      APPROVED. No check is made that the presented certificate belongs to the user ID being enrolled; the
      certificate is accepted only because it chains to a CERTAUTH in the server keyring.
    Default: N.
Default Application Name for Certificate Auto-Approval
    Specify this value only if the ESM has been configured for certificate name filtering via DIGTNMAP
    profiles. This value controls the APPL-id parameter used by IBM MFA when invoking IRRSIA00.
Initial Trace Level
    The trace level used for tracing events within the AZFCERT1 plug-in. Valid values are 0 through 3, where
    the higher number increases the level of verbosity. The default is zero.

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1
• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Administration and operation steps for Certificate Authentication


Follow the steps in this section to provision users for Certificate Authentication.

Activate and deactivate users for Certificate Authentication


You use the ALTUSER or ALU command to activate users for Certificate Authentication.

Procedure
1. Enter the following command to activate a user for Certificate Authentication:

ALU [Login ID] MFA(FACTOR(AZFCERT1) ACTIVE PWFALLBACK)

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFCERT1 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
2. You must create a multi-factor authentication policy as described in “Create and manage multi-factor
authentication policies” on page 47.
3. Apply the multi-factor authentication policy to the user as described in “Create and manage multi-
factor authentication policies” on page 47.
4. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS ALLOWED
AUTHENTICATION POLICIES =
CERTTOTPONLY
FACTOR = AZFSIDP1
STATUS = INACTIVE
FACTOR TAGS =
SIDUSERID:user
FACTOR = AZFTOTP1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:PROVISIONED
FACTOR = AZFCERT1
STATUS = ACTIVE

5. If needed, enter the following command to deactivate a user for Certificate Authentication:

ALU [Login ID] MFA(FACTOR(AZFCERT1) NOACTIVE)



Approve user certificates
You may need to approve the certificate presented by a user before the user can use it to log on.

About this task


You have the option to configure certificate enrollment automatic approval, as described in “Configure
Certificate Authentication” on page 85. If you configure certificate enrollment automatic approval, you
may not need to approve user certificates as described in this section, depending on your configuration
choice. See z/OS Security Server RACF Command Language Reference for information on the RACDCERT
MAP command.
If you do not configure certificate enrollment automatic approval, you must approve the certificate
presented by a user to be sure it is correct and approved for the specific user. The user cannot use
the certificate to log on with Certificate Authentication until you complete this process. The user can
enroll only one certificate for their account.
You can configure Certificate Authentication to notify an administrator by email when a user enrolls a
certificate, as described in “Configure Certificate Authentication” on page 85.
Note: If at a later time you need to repeat this procedure to remove the current certificate and approve a
different certificate for the user, first remove the existing AZFCERT1 tags:

ALU [Login ID] MFA(FACTOR(AZFCERT1) NOTAGS)

Special Considerations for Internet Explorer and Windows 10


Internet Explorer with Windows 10 introduces some limitations for how the SSL state is handled with
certificate authentication. To minimize the disruption to the user, follow these steps:
• Have the user clear the SSL state before they enroll the certificate. This is a best practice for all
browsers, but it is required for Internet Explorer with Windows 10.
• Tell the user what URL on the server authentication port to use to authenticate, including the policy
name. (You configured the server authentication port in “Configure IBM MFA web services started task”
on page 41.) The user can then bookmark this URL for future use. For example:

https://servername:port/mfa/policy-name

where port is the server authentication port and policy-name is the certificate authentication policy.
Important: If the user were to instead bookmark the URL of the loaded mutual authentication port after
the authentication begins, subsequent authentication attempts will likely fail.

Procedure
1. Set the user REGSTATE to OPEN for the AZFCERT1 factor. (Case is sensitive for OPEN.)

ALU [Login ID] MFA(FACTOR(AZFCERT1) TAGS(REGSTATE:OPEN))

2. Instruct the user to clear the SSL state if using Internet Explorer with Windows 10. (This is a best
practice for all browsers.)
To do this, the user selects Control Panel > Internet Options > Content > Clear SSL State.
3. Instruct the user to begin the Certificate Authentication logon process at the web server login page
you configured, such as:

https://servername:port/AZFCERT1/enroll

where port is the server authentication port.


4. On the AZFCERT1 Enrollment page, instruct the user to click on "Begin Certificate Enrollment."
5. The user must select the certificate they want to use to log in and click OK. The .cer (DER) and PEM
formats are supported.
For PIV/CAC cards, the user must then enter their valid PIN.
6. If successful, the user receives a message indicating the certificate enrollment succeeded and to
await further instruction from the administrator.
7. This step is needed only if you have not configured certificate enrollment automatic approval. Use the
LU command to check the AZFCERT1 factor status and verify that the certificate information (Subject,
Issuer, hash, and serial number) is correct for the user. Notice that the REGSTATE has changed to REVIEW.
Note: The example shows a test PIV card used for demonstration purposes only.

LU [Login ID] MFA

FACTOR = AZFCERT1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:REVIEW
SUBJECT:CN=Test Cardholder VII,C=US,O=Test Government,OU=Test Department
ISSUER:CN=Test RSA 2048-bit CA for Test PIV Cards,C=US,O=Test Certificates 2010,OU=Test CA
CERTHASH:94A8B7B184FE198FC0A89640ECD9145BFFAC6491
SERIAL:02BF

8. This step is needed only if you have not configured certificate enrollment automatic approval. If the
certificate information is correct for the user, set the user REGSTATE to APPROVED for the AZFCERT1
factor. (Case is sensitive for APPROVED.)

ALU [Login ID] MFA(FACTOR(AZFCERT1) TAGS(REGSTATE:APPROVED))

9. Instruct the user to open the web server login page with the policy you want them to use. Tell them to
bookmark this page for subsequent logins.

https://server-name:port/mfa/policy-name

where port is the server authentication port and policy-name is the certificate authentication policy.
Note: Users of Internet Explorer and Windows 10 will be prompted for their certificate and PIN at this
point.
10. Instruct the user to click "Begin Certificate-based Authentication."
11. The user must select the certificate they want to use to log in and click OK.
For PIV/CAC cards, the user must then enter their valid PIN.
12. On the "Cache Token Credential" page, instruct the user to copy the generated cache token credential
and use it to log on to the z/OS application.
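The following Python example is added here and is not IBM MFA code. It models, on constructed data, the two decisions this chapter describes: the REGSTATE that a self-service enrollment lands in under each Enable Auto-Approval setting (N, E, A) from “Configure Certificate Authentication”, and whether a certificate presented at logon matches the tags recorded at enrollment with Require Exact Certificate set to N or Y, including the renewed-certificate case. Assumptions: the ESM mapping is a plain dictionary standing in for an IRRSIA00 lookup of a RACDCERT MAP, the "certificates" are byte strings standing in for DER, the chain check to a CERTAUTH root is taken to have been done by AT-TLS before this logic runs, and CERTHASH is taken to be a SHA-1 fingerprint of the DER certificate because the page's example value is 40 hexadecimal digits. The DN strings are the test PIV card values shown in the LU output above.

```python
"""AZFCERT1 enrollment approval and logon matching, modelled on constructed data.

Added example, not IBM MFA code. CERTHASH is assumed to be the SHA-1 fingerprint
of the DER certificate; the 'certificates' here are byte strings standing in for DER.
"""
import hashlib

# DNs from the page's test PIV card example; the DER bytes are made up.
SUBJECT = "CN=Test Cardholder VII,C=US,O=Test Government,OU=Test Department"
ISSUER = "CN=Test RSA 2048-bit CA for Test PIV Cards,C=US,O=Test Certificates 2010,OU=Test CA"
DER_ENROLLED = b"constructed DER of the certificate enrolled on day one"
DER_RENEWED = b"constructed DER of a renewed certificate, same DNs, new key"

# Constructed stand-in for the ESM mapping (RACDCERT MAP): certificate -> user ID.
ESM_MAP = {SUBJECT: "USER01"}


def fingerprint(der: bytes) -> str:
    return hashlib.sha1(der).hexdigest().upper()


def enroll(user_id, subject, issuer, der, serial, auto_approval, esm_lookup):
    """Tags written when a user completes self-service enrollment.

    auto_approval is the panel setting: 'N' never, 'E' ask the ESM, 'A' always.
    esm_lookup(subject) returns the user ID the ESM maps the certificate to, or None.
    Assumes AT-TLS has already verified the chain to a CERTAUTH root.
    """
    if auto_approval == "A":
        regstate = "APPROVED"            # nobody checks the cert belongs to user_id
    elif auto_approval == "E" and esm_lookup(subject) == user_id:
        regstate = "APPROVED"            # ESM says this cert is this user
    else:
        regstate = "REVIEW"              # administrator must inspect and approve
    return {"REGSTATE": regstate, "SUBJECT": subject, "ISSUER": issuer,
            "CERTHASH": fingerprint(der), "SERIAL": serial}


def approve(tags: dict) -> dict:
    """Administrator action, i.e. ALU ... TAGS(REGSTATE:APPROVED) after reviewing the tags."""
    return {**tags, "REGSTATE": "APPROVED"}


def logon_allowed(tags: dict, subject: str, issuer: str, der: bytes, require_exact: bool) -> bool:
    """Does the certificate presented at logon match what was enrolled?"""
    if tags.get("REGSTATE") != "APPROVED":
        return False
    if subject != tags["SUBJECT"] or issuer != tags["ISSUER"]:
        return False
    if require_exact and fingerprint(der) != tags["CERTHASH"]:
        return False                     # renewed certificate: same DNs, different hash
    return True


if __name__ == "__main__":
    tags = enroll("USER01", SUBJECT, ISSUER, DER_ENROLLED, "02BF", "E", ESM_MAP.get)
    print("REGSTATE after E-mode enrollment:", tags["REGSTATE"])
    print("renewed cert, Require Exact N:", logon_allowed(tags, SUBJECT, ISSUER, DER_RENEWED, False))
    print("renewed cert, Require Exact Y:", logon_allowed(tags, SUBJECT, ISSUER, DER_RENEWED, True))
```

The trade-off the Require Exact Certificate setting encodes is visible in the last two lines: N lets a user keep working through a certificate renewal, Y pins the exact certificate and forces re-enrollment (NOTAGS, then REGSTATE:OPEN again) when the card is re-issued.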



Chapter 16. Configuring IBM MFA for generic RADIUS
Generic RADIUS refers to the RADIUS server of your choice that returns a simple allowed/denied
response. You must configure IBM MFA for generic RADIUS if you want to use that authentication factor.
IBM MFA supports Password Authentication Protocol (PAP) only.
Before you configure IBM MFA for generic RADIUS, refer to the configuration roadmap in Chapter 6, “IBM
MFA configuration roadmap,” on page 13.

Choosing between generic RADIUS and SafeNet RADIUS


If you are using the SafeNet RADIUS server, as a general rule you should use SafeNet RADIUS instead, as
described in Chapter 17, “Configuring IBM MFA for SafeNet RADIUS,” on page 101. However, if you must
use Transmission Control Protocol (TCP) as the connection type, use generic RADIUS. SafeNet RADIUS
supports User Datagram Protocol (UDP) only.

Additional RACF administration steps for generic RADIUS


You must perform RACF administration steps for generic RADIUS.

Define a resource profile in MFADEF class


You define IBM MFA factors by creating a general resource profile for the factor name in the MFADEF
class. To define a factor for generic RADIUS, use RDEFINE to create a resource profile named
FACTOR.AZFRADP1 in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFRADP1

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFRADP1

Define a resource profile in FACILITY class


To define authorization to execute the panels for generic RADIUS administration, use RDEFINE to create a
resource profile named IRR.RFACTOR.MFADEF.AZFRADP1 in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFRADP1

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the change. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFRADP1



Authorize access to IRR.RFACTOR.MFADEF.AZFRADP1 profile
Authorize the RADIUS administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFRADP1
profile.

Procedure
1. Allow the access shown in Table 23 on page 92:

Table 23. Required levels of permission

Permission                  Access
READ                        Able to view configuration options, but may not update, create, or delete generic RADIUS parameters.
UPDATE, CONTROL, ALTER      Able to create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFRADP1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Authorize access to resource profiles for shared secret


You must authorize the administrators who access the panel to set or change the shared secret to the
resource profiles. You must also authorize the user ID of the IBM MFA services started task to the
USER.TOKEN_NAME resource profile.

Procedure
1. Allow the access shown in Table 24 on page 92:

Table 24. Required User Authorization


Resource Profile/Data Set Class Access
SO.TOKEN_NAME CRYPTOZ CONTROL
USER.TOKEN_NAME CRYPTOZ UPDATE
CSFRNG CSFSERV READ
CSF1SKE CSFSERV READ
CSF1TRL CSFSERV READ
CSF1GSK CSFSERV READ

For example:

PERMIT SO.token_name CLASS(CRYPTOZ) ID(user-ID) ACC(CONTROL)
PERMIT USER.token_name CLASS(CRYPTOZ) ID(user-ID) ACC(UPDATE)
PERMIT USER.token_name CLASS(CRYPTOZ) ID(AZFSTC) ACC(UPDATE)
SETROPTS RACLIST(CRYPTOZ) REFRESH

2. Verify the change.



Additional system programming steps for generic RADIUS
After you perform the RACF administration tasks, you must perform additional system programming tasks
to define generic RADIUS parameters.

Configure generic RADIUS


You must configure the IBM MFA AZFRADP1 settings if you want to use generic RADIUS.

Before you begin


The AZFRADP1 authentication factor uses the PKCS#11 token to encrypt the shared secret before it is
stored in RACF, and to generate random authenticators for use inside the RADIUS packet.
You must configure a PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page
31. You need READ access to the CSF1TRC profile in the CSFSERV class.
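The following Python example is added here and is not IBM MFA code or any RADIUS server's code. It shows both sides of the PAP exchange that RFC 2865 specifies, which is the only authentication protocol IBM MFA uses with a generic RADIUS server (see the chapter introduction): the client hides the password by XORing it, block by block, with MD5(shared secret + Request Authenticator) and then MD5(shared secret + previous ciphertext block), and the server proves it holds the same secret through the Response Authenticator on its Access-Accept or Access-Reject. The "server" is a constructed stand-in with a fixed credential table; the shared secret, user ID and NAS identifier are made up. The Request Authenticator is a parameter only so the exchange can be reproduced; AZFRADP1 draws it from the PKCS#11 token, and in real use it must be fresh random bytes per request.

```python
"""RADIUS PAP exchange (RFC 2865), both sides, on a constructed credential table.

Added example, not IBM MFA or RADIUS-server code. Secret, user ID and NAS
identifier are made up.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def _attr(attr_type: int, value: bytes) -> bytes:
    """Attribute = Type, Length (includes this 2-byte header), Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; block i is XORed with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing pad NULs are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, username, password, nas_id, request_auth=None):
    """Client (the IBM MFA side). request_auth must be fresh random bytes per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(secret, request_auth, password))
             + _attr(NAS_IDENTIFIER, nas_id))
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def _response_auth(code, identifier, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    return hashlib.md5(struct.pack(">BBH", code, identifier, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def server_respond(packet: bytes, secret: bytes, credentials: dict) -> bytes:
    """Constructed RADIUS server: a plain allowed/denied verdict, nothing more."""
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"")
    given = reveal_password(secret, request_auth, attrs.get(USER_PASSWORD, b"\x00" * 16))
    ok = user in credentials and hmac.compare_digest(credentials[user], given)
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack(">BBH", rcode, identifier, 20) + _response_auth(rcode, identifier, b"", request_auth, secret)


def verify_response(response: bytes, identifier: int, request_auth: bytes, secret: bytes):
    """Client: trust the verdict only if the ID matches and the Response Authenticator
    proves the sender holds the shared secret. Returns the code, or None if unverifiable."""
    if len(response) < 20:
        return None
    code, rid, length = struct.unpack(">BBH", response[:4])
    if rid != identifier or length != len(response):
        return None
    expected = _response_auth(code, rid, response[20:length], request_auth, secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(secret, 7, b"USER01", b"123456", b"zos-mfa")
    reply = server_respond(pkt, secret, {b"USER01": b"123456"})
    print("verdict:", verify_response(reply, 7, pkt[4:20], secret))   # 2 = Access-Accept
```

Two points worth keeping in mind when you deploy this factor: an Access-Reject whose Response Authenticator does not verify is indistinguishable, to the client, from a forged reply and must be treated as a failure rather than a denial; and PAP's MD5 hiding is obfuscation keyed by the shared secret, not encryption in any modern sense, so the network path between the z/OS system and the RADIUS server needs to be trusted or tunnelled.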

About this task


Configuration data for generic RADIUS is stored in the RACF database. The configuration data include
settings related to the AZFRADP1 authentication load module.

Procedure
1. Execute AZFEXEC and choose AZFRADP1.
2. Provide the following:

Table 25. AZFRADP1 Factor Attributes

Setting: PKCS#11 Token Name
Allowed values: Actual PKCS#11 token name
Description: Enter the name of the PKCS#11 token to be used for cryptographic operations. You created this token in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

Setting: Key Label
Allowed values: Actual PKCS#11 key label
Description: The name of the key label that is used to encrypt the shared secret. The PKCS#11 key label has a limit of 32 characters. The value you specify for the PKCS#11 key label is used if it already exists and is created if it does not exist.

Setting: Primary Server Host Name
Allowed values: Valid host name or IP address
Description: Enter the hostname or IP address for the primary RADIUS server. The hostname must be sufficiently qualified for web clients to resolve the hostname. Must be set.

Setting: Primary Server Port
Allowed values: Valid port number
Description: The port number of the primary RADIUS server. The default is 1812.

Setting: Secondary Server Host Name
Allowed values: Valid host name or IP address
Description: Enter the hostname or IP address for the secondary RADIUS server, if applicable. This is required only if you have multiple servers. The hostname must be sufficiently qualified for web clients to resolve the hostname.

Setting: Secondary Server Port
Allowed values: Valid port number
Description: The port number of the secondary RADIUS server, if applicable. This is required only if you have multiple servers.

Setting: Tertiary Server Host Name
Allowed values: Valid host name or IP address
Description: Enter the hostname or IP address for the tertiary RADIUS server, if applicable. This is required only if you have multiple servers. The hostname must be sufficiently qualified for web clients to resolve the hostname.

Setting: Tertiary Server Port
Allowed values: Valid port number
Description: The port number of the tertiary RADIUS server, if applicable. This is required only if you have multiple servers.

Setting: Number of Retries
Allowed values: Integer, from 1 through 15
Description: The number of times IBM MFA attempts to contact the RADIUS server should the connection become inactive.

Setting: Timeout
Allowed values: Number of seconds, from 1 through 180
Description: The amount of time the connection between IBM MFA and the RADIUS server can remain inactive before the session is timed out.

Setting: Shared Secret
Allowed values: Actual shared secret
Description: The shared secret (case-sensitive password) that is used by the RADIUS server to recognize the IBM MFA RADIUS client. The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or RADIUS replica servers.
Important: The shared secret must be the same for all LPARs in a sysplex. Consult your RADIUS documentation for configuration information.
Note: The shared secret is not displayed on the panel after you enter it.
Note: When translating EBCDIC into ASCII to send to an external server, the translation is performed using host code page IBM-1047 and server code page ISO-8859-1. This may have implications if you are using other code pages when specifying the host data.

Setting: Connection Type
Allowed values: UDP or TCP
Description: Select the connection type for the RADIUS server, User Datagram Protocol (UDP) or Transmission Control Protocol (TCP). Both UDP and TCP use Internet Protocol (IP) as the underlying protocol. UDP is the default.
Important: See SYS1.SAZFSAMP(AZFTTLSX) for a sample AZFClientRule rule when using RADIUS over TCP.

Setting: Deny All Challenges
Allowed values: Y or N
Description: Specifies whether RADIUS server challenge requests are performed or denied. When set to N, a challenge request is performed. When set to Y, a challenge request causes the authentication request to be denied. One possible use of the Y setting is if the RADIUS server accepts the first part of a non-combined credential and responds with a challenge for the second part of the credential. Denying the challenge prevents the user from determining if the first part of the credential is valid, which has security implications in strict PCI mode. The default is N.

Setting: Initial Trace Level
Allowed values: 0 through 3
Description: Choose the initial trace level. Valid values are 0 through 3, where the higher number increases the level of verbosity. The default is 0.
3. See “Configure IBM MFA Compound In-Band” on page 97 for information about configuring IBM MFA
Compound In-Band.
4. Press F3 to save your changes and exit.
5. Configure the generic RADIUS server to accept communications from each z/OS system or LPAR that
is running the IBM MFA services started task. Consult your RADIUS documentation for configuration
information.
If you change the PKCS#11 token name or key label values, you must re-enter the shared secret value.
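The following Python example is added here and is not part of IBM MFA or this manual. It shows what the attributes above govern on the wire, following RFC 2865: a PAP Access-Request whose User-Password attribute is hidden with the shared secret and a fresh 16-byte Request Authenticator, the ISO-8859-1 conversion of the host data (with a hard failure for characters that code page cannot carry), verification of the Response Authenticator before a reply is trusted, and the outcome of an Access-Challenge under the Deny All Challenges setting. The same packet construction applies to the SafeNet RADIUS factor (AZFSFNP1), which has no Deny All Challenges setting. The shared secret, user, passcode and NAS-Identifier values and the make_reply server stand-in are constructed for the example; the product draws its random authenticators from the PKCS#11 token, this example from os.urandom.

```python
"""Added example (not IBM MFA's code): RADIUS PAP Access-Request construction,
reply verification and the Deny All Challenges decision, per RFC 2865.
All secrets, names and values below are constructed sample data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def to_wire(text: str) -> bytes:
    """Host data reaches the server as ISO-8859-1 (the factor translates from
    IBM-1047). A character with no ISO-8859-1 code point cannot be sent
    faithfully, so reject it instead of letting the credential silently change."""
    try:
        return text.encode("iso-8859-1")
    except UnicodeEncodeError as exc:
        bad = exc.object[exc.start]
        raise ValueError(f"character {bad!r} has no ISO-8859-1 encoding") from exc


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator.
    This is keyed obfuscation, not encryption: anyone holding the shared
    secret can undo it, which is why the secret itself is stored encrypted."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server-side inverse of hide_password (used here to check it)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user, password, secret, nas_id, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be fresh
    and unpredictable for every request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, to_wire(user))
             + attribute(ATTR_USER_PASSWORD, hide_password(to_wire(password), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, to_wire(nas_id)))  # constructed NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def make_reply(code, identifier, request_authenticator, secret, attrs=b""):
    """Constructed stand-in for the server: a reply carrying a valid
    Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_reply(packet, identifier, request_authenticator, secret):
    """A reply whose Identifier or Response Authenticator does not match was not
    produced with the shared secret for this request and must not be trusted."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    if packet[1] != identifier:
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decide(packet, identifier, request_authenticator, secret, deny_all_challenges):
    """Map the reply to the factor's outcome. With Deny All Challenges = Y an
    Access-Challenge is reported as a denial, so the caller learns nothing from
    a server that accepted only the first part of a split credential."""
    if not verify_reply(packet, identifier, request_authenticator, secret):
        return "denied (bad Response Authenticator)"
    code = packet[0]
    if code == ACCESS_ACCEPT:
        return "allowed"
    if code == ACCESS_CHALLENGE:
        return "denied (challenge refused)" if deny_all_challenges else "challenge"
    return "denied"
```

Two design points carry over to operating the factor: the Response Authenticator check is the only thing that ties a reply to the shared secret, so a wrong or leaked secret shows up as every reply being rejected (or, worse, as replies being accepted from a host that should not know it), and the ISO-8859-1 conversion is strict on purpose so a passcode containing a character outside that code page fails visibly rather than being sent altered.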

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:

• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1
• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Configure IBM MFA Compound In-Band
Configure IBM MFA Compound In-Band authentication only if you require the user to authenticate in-band
with a combination of generic RADIUS, and a passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFRADP1 factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.
The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the passcode with the passphrase or password, separated by a valid separator, and
stores the result in the passphrase field.

Procedure
1. Execute AZFEXEC.
2. Choose AZFRADP1.
3. On the AZFRADP1 factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.
• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 26 on page 97. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)
Note: Encodings are shown for code page IBM-1047.

Table 26. Valid Separator Characters

Character Name                  Character   Hexadecimal (for reference)
Plus sign                       +           4e
Less than sign                  <           4c
Equal sign                      =           7e
Greater than sign               >           6e
Ampersand                       &           50
Straight single quotation mark  '           7d
Left parenthesis                (           4d
Right parenthesis               )           5d
Comma                           ,           6b
Underscore                      _           6d
Hyphen                          -           60
Period                          .           4b
Slash right                     /           61
Colon                           :           7a
Semicolon                       ;           5e
Question mark                   ?           6f
Percent                         %           6c
Asterisk                        *           7f
Double quotation mark           "           5c
Vertical bar                    |           4f
4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their credential, the required separator, and their passphrase or password in
the password field, based on the credential order you selected. For example:

passcode:passphrase

Administration and operation steps for generic RADIUS


Follow the steps in this section to provision users and start up and administer IBM MFA for generic
RADIUS.

Activate and deactivate users for generic RADIUS


You use the ALTUSER or ALU command to activate users for generic RADIUS.

Before you begin


Before you can activate users for generic RADIUS, you must first provision the users in the RADIUS server.
For example, you might require the users to supply a valid passcode, PIN, or some other credential. You
must provide the users with this information.
Important: The credential format is known only to the RADIUS server you are using. If your generic
RADIUS credentials are longer than 8 characters, ensure that passphrases are enabled. IBM MFA cannot
process generic RADIUS credentials split between the Password and New Password fields.
When you activate a user for IBM MFA, that user is no longer able to use the z/OS password to log in.
Therefore, the user must first have valid credentials.
To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the
NOACTIVE keyword to deactivate the authenticator for the user ID.

Procedure
1. Enter the following command to activate a user for generic RADIUS:

ALU [Login ID] MFA(FACTOR(AZFRADP1) ACTIVE PWFALLBACK TAGS(RADUSERID:[User ID]))

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFRADP1 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
• [User ID] is the associated RADIUS user ID.
2. If needed, enter the following command to defer activating a user for generic RADIUS:

ALU [Login ID] MFA(FACTOR(AZFRADP1) TAGS(RADUSERID:[User ID]))

Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFRADP1 authenticator for the user ID:

ALU <USERID> MFA(FACTOR(AZFRADP1) ACTIVE)

3. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFRADP1
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:user

4. If needed, enter the following command to deactivate a user for generic RADIUS:

ALU [Login ID] MFA(FACTOR(AZFRADP1) NOACTIVE TAGS(RADUSERID:[User ID]))

Clear the shared secret


The RADIUS shared secret is a shared secret known to IBM MFA and the RADIUS server. If this secret
must be established (or re-established), your RADIUS administrator will request that the shared secret be
cleared from each z/OS instance sharing the RACF database where users log on.

Procedure
1. Edit the RADIUS client and change the shared secret as documented in your RADIUS documentation.
2. Repeat “1” on page 99 for all of the associated RADIUS clients. (All LPARs in a sysplex must use the
same shared secret.)
3. Execute AZFEXEC and choose AZFRADP1.
4. Change the shared secret to match that of the RADIUS client setting.
Note: The administrator who performs this step must be authorized as shown in “Authorize access to
resource profiles for shared secret” on page 92.
5. Press F3 to save your changes and exit.
6. Restart the started task, as described in “Start the IBM MFA services started task” on page 55 on each
z/OS instance sharing the RACF database.

Chapter 17. Configuring IBM MFA for SafeNet RADIUS
You must configure IBM MFA for SafeNet RADIUS if you want to use that authentication factor. IBM MFA
supports Password Authentication Protocol (PAP) only.
Before you configure IBM MFA for SafeNet RADIUS, refer to the configuration roadmap in Chapter 6, “IBM
MFA configuration roadmap,” on page 13.

SafeNet logon matrix


Important: IBM MFA supports the MobilePASS token, and has been tested with the SafeNet
Authentication Service Token Templates and Server-Side PIN policies. Consult your SafeNet
documentation for configuration information.
How the user logs on to the z/OS application depends on how you have configured the Token Templates
and the Server-Side PIN policies, as shown in Table 27 on page 101 and Table 28 on page 101. Make sure
you tell the users exactly which procedure to follow.
Table 27. TSO/E Logon Options for SafeNet Quick Log

PIN: No PIN
Passphrase accepted? Yes
You enter: Enter the MobilePASS passcode in the TSO/E Password field.

PIN: Server-side User Select
Passphrase accepted? Yes
You enter: Enter your PIN followed by the MobilePASS passcode in the TSO/E Password field.

PIN: User-selected PIN
Passphrase accepted? Yes
You enter: Enter the MobilePASS passcode in the TSO/E Password field.

PIN: New PIN required
Passphrase accepted? Yes
You enter:
1. Enter your current PIN followed by the MobilePASS passcode in the TSO/E Password field. (The PIN is
not needed in User-selected PIN mode.)
2. When prompted, enter a new PIN in the Password field.
3. Confirm the PIN.

Table 28. TSO/E Logon Options for SafeNet Challenge-Response

PIN: No PIN
Passphrase accepted? Yes
You enter:
1. Enter any single alphabetic character in the TSO/E Password field and press Enter.
2. Copy the challenge, paste it in MobilePASS, and generate a passcode.
3. Enter the MobilePASS passcode in the TSO/E Password field.

PIN: Server-side User Select
Passphrase accepted? Yes
You enter:
1. Enter any single alphabetic character in the TSO/E Password field and press Enter.
2. Copy the challenge, paste it in MobilePASS, and generate a passcode.
3. Enter the PIN followed by the MobilePASS passcode in the TSO/E Password field.

PIN: User-selected PIN
Passphrase accepted? Yes
You enter:
1. Enter any single alphabetic character in the TSO/E Password field and press Enter.
2. Copy the challenge, paste it in MobilePASS, and generate a passcode.
3. Enter the passcode in the TSO/E Password field.

PIN: New PIN required
Passphrase accepted? Yes
You enter:
1. Enter any single alphabetic character in the TSO/E Password field and press Enter.
2. Copy the challenge, paste it in MobilePASS, and generate a passcode.
3. Enter the PIN followed by the passcode in the TSO/E Password field. (The PIN is not needed in
User-selected PIN mode.)
4. Respond to the prompts to enter a new PIN.

Additional RACF administration steps for SafeNet RADIUS


You must perform RACF administration steps for SafeNet RADIUS.

Define a resource profile in MFADEF class


You define IBM MFA factors by creating a general resource profile for the factor name in the MFADEF
class. To define a factor for SafeNet RADIUS, use RDEFINE to create a resource profile named
FACTOR.AZFSFNP1 in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFSFNP1 OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFSFNP1

Define a resource profile in FACILITY class


To define authorization to execute the panels for SafeNet RADIUS administration, use RDEFINE to create
a resource profile named IRR.RFACTOR.MFADEF.AZFSFNP1 in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFSFNP1 OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the change. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFSFNP1

Authorize access to IRR.RFACTOR.MFADEF.AZFSFNP1 profile


Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFSFNP1 profile.

Procedure
1. Allow the access shown in Table 29 on page 103:

Table 29. Required levels of permission

Permission                Access
READ                      Able to view configuration options, but may not update,
                          create, or delete SecurID parameters.
UPDATE, CONTROL, ALTER    Able to create, update, delete, and view configuration
                          options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFSFNP1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Authorize access to resource profiles for shared secret


You must authorize the administrators who access the panel to set or change the shared secret to the
resource profiles. You must also authorize the user ID of the IBM MFA services started task to the
USER.TOKEN_NAME resource profile.

Procedure
1. Allow the access shown in Table 30 on page 103:

Table 30. Required User Authorization

Resource Profile/Data Set   Class     Access
SO.TOKEN_NAME               CRYPTOZ   CONTROL
USER.TOKEN_NAME             CRYPTOZ   UPDATE
CSFRNG                      CSFSERV   READ
CSF1TRL                     CSFSERV   READ
CSF1SKE                     CSFSERV   READ
CSF1GSK                     CSFSERV   READ

For example:

PERMIT SO.token_name CLASS(CRYPTOZ) ID(user-ID) ACC(CONTROL)
PERMIT USER.token_name CLASS(CRYPTOZ) ID(user-ID) ACC(UPDATE)
PERMIT USER.token_name CLASS(CRYPTOZ) ID(AZFSTC) ACC(UPDATE)
SETROPTS RACLIST(CRYPTOZ) REFRESH

2. Verify the change.

Additional system programming steps for SafeNet RADIUS
After you perform the RACF administration tasks, you must perform additional system programming tasks
to define SafeNet RADIUS parameters.

Configure SafeNet RADIUS


You must configure the AZFSFNP1 settings if you want to use SafeNet RADIUS.

Before you begin


The AZFSFNP1 authentication factor uses the PKCS#11 token to encrypt the shared secret before it is
stored in RACF, and to generate random authenticators for use inside the RADIUS packet.
You must configure a PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page
31. You need READ access to the CSF1TRC profile in the CSFSERV class.

About this task


Configuration data for SafeNet RADIUS is stored in the RACF database. The configuration data include
settings related to the AZFSFNP1 authentication factor.

Procedure
1. Execute AZFEXEC and choose AZFSFNP1.
2. Provide the following:

Table 31. AZFSFNP1 Factor Attributes

Setting: PKCS#11 Token Name
Allowed values: Actual PKCS#11 token name
Description: Enter the name of the PKCS#11 token to be used for cryptographic operations. You created this token in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

Setting: Key Label
Allowed values: Actual PKCS#11 key label
Description: The name of the key label that is used to encrypt the shared secret. The PKCS#11 key label has a limit of 32 characters. The value you specify for the PKCS#11 key label is used if it already exists and is created if it does not exist.

Setting: Primary Server Host Name
Allowed values: Valid host name or IP address
Description: Enter the hostname or IP address for the primary SafeNet RADIUS server. The hostname must be sufficiently qualified for web clients to resolve the hostname. Must be set.

Setting: Primary Server Port
Allowed values: Valid port number
Description: The port number of the primary SafeNet RADIUS server. The default is 1812. Must be set.

Setting: Secondary Server Host Name
Allowed values: Valid host name or IP address
Description: Enter the hostname or IP address for the secondary SafeNet RADIUS server, if applicable. This is required only if you have multiple servers. The hostname must be sufficiently qualified for web clients to resolve the hostname.

Setting: Secondary Server Port
Allowed values: Valid port number
Description: The port number of the secondary SafeNet RADIUS server, if applicable. This is required only if you have multiple servers.

Setting: Tertiary Server Host Name
Allowed values: Valid host name or IP address
Description: Enter the hostname or IP address for the tertiary SafeNet RADIUS server, if applicable. This is required only if you have multiple servers. The hostname must be sufficiently qualified for web clients to resolve the hostname.

Setting: Tertiary Server Port
Allowed values: Valid port number
Description: The port number of the tertiary SafeNet RADIUS server, if applicable. This is required only if you have multiple servers.

Setting: Number of Retries
Allowed values: Integer, from 1 through 15
Description: The number of times IBM MFA attempts to contact the SafeNet RADIUS server should the connection become inactive.

Setting: Timeout
Allowed values: Number of seconds, from 1 through 180
Description: The amount of time the connection between IBM MFA and the SafeNet RADIUS server can remain inactive before the session is timed out.

Setting: Shared Secret
Allowed values: Actual shared secret
Description: The shared secret (case-sensitive password) that is used by the SafeNet RADIUS server to recognize the IBM MFA RADIUS client. The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or RADIUS replica servers.
Important: The shared secret must be the same for all LPARs in a sysplex. Consult your SafeNet documentation for configuration information.
Note: The shared secret is not displayed on the panel after you enter it.
Note: When translating EBCDIC into ASCII to send to an external server, the translation is performed using host code page IBM-1047 and server code page ISO-8859-1. This may have implications if you are using other code pages when specifying the host data.

Setting: Initial Trace Level
Allowed values: 0 through 3
Description: Choose the initial trace level. Valid values are 0 through 3, where the higher number increases the level of verbosity. The default is 0.
3. See “Configure IBM MFA Compound In-Band” on page 107 for information about configuring IBM MFA
Compound In-Band.
4. Press F3 to save your changes and exit.
5. Configure the SafeNet RADIUS server to accept communications from each z/OS system or LPAR
that is running the IBM MFA services started task. Consult your SafeNet RADIUS documentation for
configuration information.
If you change the PKCS#11 token name or key label values, you must re-enter the shared secret value.

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1

• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Configure IBM MFA Compound In-Band


Configure IBM MFA Compound In-Band authentication only if you require the user to authenticate in-band
with a combination of a SafeNet RADIUS passcode and a passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFSFNP1 factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.
The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the passcode with the passphrase or password, separated by a valid separator, and
stores the result in the passphrase field.

Procedure
1. Execute AZFEXEC.
2. Choose AZFSFNP1.
3. On the AZFSFNP1 factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.
• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 32 on page 108. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)
Note: Encodings are shown for code page IBM-1047.

Table 32. Valid Separator Characters

Character Name                  Character   Hexadecimal (for reference)
Plus sign                       +           4e
Less than sign                  <           4c
Equal sign                      =           7e
Greater than sign               >           6e
Ampersand                       &           50
Straight single quotation mark  '           7d
Left parenthesis                (           4d
Right parenthesis               )           5d
Comma                           ,           6b
Underscore                      _           6d
Hyphen                          -           60
Period                          .           4b
Slash right                     /           61
Colon                           :           7a
Semicolon                       ;           5e
Question mark                   ?           6f
Percent                         %           6c
Asterisk                        *           7f
Double quotation mark           "           5c
Vertical bar                    |           4f
4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their passcode, the required separator, and their passphrase or password in
the password field, based on the credential order you selected. For example:

passcode:passphrase

Administration and operation steps for SafeNet RADIUS


Follow the steps in this section to provision users and start up and administer IBM MFA for SafeNet
RADIUS.

Activate and deactivate users for SafeNet RADIUS


You use the ALTUSER or ALU command to activate users for SafeNet RADIUS.

Before you begin


Before you can activate users for IBM MFA, you must first create accounts for the users in the SafeNet
RADIUS server and assign tokens.
When you activate a user for IBM MFA, that user is no longer able to use the z/OS password to log in.
Therefore, the user must first have a valid token and credentials for the SafeNet RADIUS server.
To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the
NOACTIVE keyword to deactivate the authenticator for the user ID.

Procedure
1. Enter the following command to activate a user for SafeNet RADIUS:

ALU [Login ID] MFA(FACTOR(AZFSFNP1) ACTIVE PWFALLBACK TAGS(RADUSERID:[User ID]))

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFSFNP1 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
• [User ID] is the associated SafeNet RADIUS user ID.
2. If needed, enter the following command to defer activating a user for SafeNet RADIUS:

ALU [Login ID] MFA(FACTOR(AZFSFNP1) TAGS(RADUSERID:[User ID]))

Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFSFNP1 authenticator for the user ID:

ALU <USERID> MFA(FACTOR(AZFSFNP1) ACTIVE)

3. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSFNP1
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:user

4. If needed, enter the following command to deactivate a user for SafeNet RADIUS:

ALU [Login ID] MFA(FACTOR(AZFSFNP1) NOACTIVE TAGS(RADUSERID:[User ID]))
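The following Python example is added here and is not IBM's code. It reads LISTUSER ... MFA output in the layout shown in step 3 of this procedure (and of the matching generic RADIUS procedure) for many users at once and reports, per user, a factor that is defined but not active, a missing RADUSERID tag, and password fallback being allowed, so an administrator can confirm after activation that every user ends up in the intended state and that fallback is only enabled where it was meant to be. The sample output is constructed; the INACTIVE status wording for a deactivated user and the bare USER= header line are assumptions of the sample, not quoted product output.

```python
"""Added example (not IBM's code): audit of LISTUSER ... MFA output for a
RADIUS factor. SAMPLE_LISTUSER_OUTPUT is constructed; the INACTIVE wording
for a deactivated user and the USER= header line are assumptions."""

SAMPLE_LISTUSER_OUTPUT = """\
USER=ALICE
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFRADP1
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:alice
USER=BOB
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS ALLOWED
FACTOR = AZFRADP1
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:bob
USER=CAROL
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFRADP1
STATUS = INACTIVE
"""


def parse_listuser_mfa(text):
    """Return {user: {"fallback": bool|None, "factors": {name: {"status", "tags"}}}}.
    A new record starts at each USER= line; FACTOR = lines open a factor entry
    into which the following STATUS = and key:value tag lines are collected."""
    records, user, factor = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("USER="):
            user = line[5:].split()[0]
            records[user] = {"fallback": None, "factors": {}}
            factor = None
        elif user is None:
            continue
        elif line.startswith("PASSWORD FALLBACK IS"):
            records[user]["fallback"] = "NOT ALLOWED" not in line
        elif line.startswith("FACTOR ="):
            factor = line.split("=", 1)[1].strip()
            records[user]["factors"][factor] = {"status": None, "tags": {}}
        elif line.startswith("STATUS =") and factor:
            records[user]["factors"][factor]["status"] = line.split("=", 1)[1].strip()
        elif factor and ":" in line and not line.startswith("FACTOR TAGS"):
            key, _, value = line.partition(":")
            records[user]["factors"][factor]["tags"][key.strip()] = value.strip()
    return records


def audit(records, factor="AZFRADP1", tag="RADUSERID"):
    """One finding per condition worth a second look; an empty list means every
    user is active for the factor, carries the tag, and has fallback disabled."""
    findings = []
    for user, rec in sorted(records.items()):
        info = rec["factors"].get(factor)
        if info is None:
            findings.append(f"{user}: factor {factor} not defined")
            continue
        if info["status"] != "ACTIVE":
            findings.append(f"{user}: factor {factor} defined but status is {info['status']}")
        if tag not in info["tags"]:
            findings.append(f"{user}: missing {tag} tag")
        if rec["fallback"]:
            findings.append(f"{user}: password fallback allowed")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listuser_mfa(SAMPLE_LISTUSER_OUTPUT)):
        print(finding)
```

Run the same audit with factor="AZFSFNP1" for SafeNet RADIUS users; the fallback finding is informational, since PWFALLBACK is a deliberate setting, but it is the one that lets a user bypass the factor entirely and so belongs on the review list.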

Clear the shared secret


The SafeNet RADIUS shared secret is a shared secret known to IBM MFA and the SafeNet RADIUS server.
If this secret must be established (or re-established), your SafeNet RADIUS administrator will request
that the shared secret be cleared.

Procedure
1. Edit the SafeNet RADIUS client and change the shared secret as documented in your SafeNet
documentation.
2. Repeat “1” on page 110 for all of the associated RADIUS clients. (All LPARs in a sysplex must use the
same shared secret.)
3. Execute AZFEXEC and choose AZFSFNP1.
4. Change the shared secret to match that of the SafeNet RADIUS client setting.
Note: The administrator who performs this step must be authorized as shown in “Authorize access to
resource profiles for shared secret” on page 103.
5. Press F3 to save your changes and exit.
6. Restart the started task, as described in “Start the IBM MFA services started task” on page 55 on each
z/OS instance sharing the RACF database.

Chapter 18. Configuring IBM MFA for RSA SecurID RADIUS
You must configure IBM MFA for RSA SecurID RADIUS if you want to use the Remote Authentication
Dial-In User Service (RADIUS) protocol for SecurID. IBM MFA supports Password Authentication Protocol
(PAP) only.
You can use RSA SecurID RADIUS with RSA Authentication Manager to authenticate users. The RSA
RADIUS server receives remote user access requests from the RADIUS client, in this case IBM MFA. RSA
Authentication Manager determines whether the user's credentials are valid and, if so, returns success
to IBM MFA. RACF then resumes control and completes the authentication and authorization process as
usual.
Note: From the user's perspective, there is no difference between being authenticated by the AZFSIDR1
factor and the AZFSIDP1 factor. In both cases they enter their user ID, RSA SecurID token, and PIN.

Choosing between RSA SecurID RADIUS and generic RADIUS


If you are using SecurID, you should choose RSA SecurID RADIUS (AZFSIDR1) instead of generic RADIUS
(AZFRADP1). RSA SecurID RADIUS (AZFSIDR1) provides substantially more useful feedback for both
successful and unsuccessful authentications. Generic RADIUS (AZFRADP1) returns a simple allowed/
denied response.

RSA SecurID RADIUS configuration requirements


Before you configure IBM MFA for RSA SecurID RADIUS, refer to the configuration roadmap in Chapter 6,
“IBM MFA configuration roadmap,” on page 13.

Additional RACF administration steps for RSA SecurID RADIUS


You must perform RACF administration steps for RSA SecurID RADIUS.

Define a resource profile in MFADEF class


You define IBM MFA factors by creating a general resource profile for the factor name in the MFADEF
class. To define a factor for RSA SecurID RADIUS, use RDEFINE to create a resource profile named
FACTOR.AZFSIDR1 in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFSIDR1

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFSIDR1

Define a resource profile in FACILITY class
To define authorization to execute the panels for RSA SecurID RADIUS administration, use RDEFINE to
create a resource profile named IRR.RFACTOR.MFADEF.AZFSIDR1 in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFSIDR1

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the change. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFSIDR1

Authorize access to IRR.RFACTOR.MFADEF.AZFSIDR1 profile


Authorize the RADIUS administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFSIDR1
profile.

Procedure
1. Allow the access shown in Table 33 on page 112:

Table 33. Required levels of permission

Permission                Access
READ                      Able to view configuration options, but may not update, create, or delete RSA RADIUS parameters.
UPDATE, CONTROL, ALTER    Able to create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFSIDR1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Authorize access to resource profiles for shared secret


You must authorize the administrators who access the panel to set or change the shared secret to the
resource profiles. You must also authorize the user ID of the IBM MFA services started task to the
USER.TOKEN_NAME resource profile.

Procedure
1. Allow the access shown in Table 34 on page 112:

Table 34. Required User Authorization

Resource Profile/Data Set   Class     Access
SO.TOKEN_NAME               CRYPTOZ   CONTROL
USER.TOKEN_NAME             CRYPTOZ   UPDATE
CSFRNG                      CSFSERV   READ
CSF1SKE                     CSFSERV   READ
CSF1TRL                     CSFSERV   READ
CSF1GSK                     CSFSERV   READ

For example:

PERMIT SO.token_name CLASS(CRYPTOZ) ID(user-ID) ACC(CONTROL)
PERMIT USER.token_name CLASS(CRYPTOZ) ID(user-ID) ACC(UPDATE)
PERMIT USER.token_name CLASS(CRYPTOZ) ID(AZFSTC) ACC(UPDATE)
SETROPTS RACLIST(CRYPTOZ) REFRESH

2. Verify the change.

Additional system programming steps for RSA SecurID RADIUS


After you perform the RACF administration tasks, you must perform additional system programming tasks
to define RSA SecurID RADIUS parameters.

Configure RSA SecurID RADIUS


You must configure the IBM MFA AZFSIDR1 settings if you want to use RSA SecurID RADIUS.

Before you begin


You must have already performed the following tasks:
• Configured a PKCS#11 token as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31
before you configure IBM MFA for RSA SecurID RADIUS. The AZFSIDR1 authentication factor uses
the PKCS#11 token to encrypt the shared secret before it is stored in RACF, and to generate random
authenticators for use inside the RADIUS packet.
• Configured the RSA SecurID RADIUS server to accept communications from each z/OS system or LPAR
that is running the IBM MFA services started task. The network administrator may configure a RADIUS
client with or without an RSA Authentication Agent for each z/OS system or LPAR that is running the IBM
MFA services started task.
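To make concrete what the shared secret and the random authenticator mentioned above do on the wire, the following Python is an added model of the RFC 2865 PAP exchange; it is not IBM MFA code, and the user name, passcode and secret are constructed sample values. It assumes the host-to-server code page conversion can be modelled as a Latin-1 encode, and it shows the failure mode that the shared-secret procedures in this chapter exist for: with mismatched secrets the server recovers garbage instead of the passcode and the client cannot validate the Response Authenticator.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (big-endian)


def hide_pap_password(password: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a 16-byte multiple, then XOR each
    block with MD5(secret || previous block). The 'previous block' for the first block is the
    16-byte Request Authenticator, which is why the client must generate it randomly."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_pap_password(hidden: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_pap_password. With a mismatched shared secret the keystream
    differs and the recovered value is garbage, so the server rejects the request."""
    clear = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(clear).rstrip(b"\x00")  # strip the NUL padding added by the client


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, user_name: str, passcode: str, shared_secret: bytes,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Client side (the role IBM MFA plays): build a PAP Access-Request. Host data is converted
    to the server code page before it is sent; ISO-8859-1 is modelled here as latin-1."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = attribute(ATTR_USER_NAME, user_name.encode("latin-1"))
    attrs += attribute(ATTR_USER_PASSWORD,
                       hide_pap_password(passcode.encode("latin-1"), shared_secret, request_auth))
    packet = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def build_response(code: int, identifier: int, attrs: bytes, request_auth: bytes,
                   shared_secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attrs || Secret)."""
    length = 20 + len(attrs)
    head = HEADER.pack(code, identifier, length)
    resp_auth = hashlib.md5(head + request_auth + attrs + shared_secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, identifier: int, request_auth: bytes, shared_secret: bytes) -> bool:
    """Client side: treat the reply as a success only if it is an Access-Accept whose Response
    Authenticator was computed with our shared secret over our Request Authenticator."""
    if len(packet) < 20:
        return False
    code, resp_id, length = HEADER.unpack(packet[:4])
    if length != len(packet) or resp_id != identifier:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + shared_secret).digest()
    return hmac.compare_digest(expected, packet[4:20]) and code == ACCESS_ACCEPT


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed sample value, not a real secret
    pkt, ra = build_access_request(7, "ZOSUSER1", "1234567890", secret)
    accept = build_response(ACCESS_ACCEPT, 7, b"", ra, secret)
    print("accept verifies with matching secret:", verify_response(accept, 7, ra, secret))
    print("accept verifies with wrong secret:", verify_response(accept, 7, ra, b"other-secret"))
```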

About this task


Configuration data for RSA SecurID RADIUS is stored in the RACF database. The configuration data
include settings related to the AZFSIDR1 authentication load module.

Procedure
1. Execute AZFEXEC and choose AZFSIDR1.
2. Provide the following:

Table 35. AZFSIDR1 Factor Attributes

PKCS#11 Token Name
  Allowed values: Actual PKCS#11 token name
  Description: Enter the name of the PKCS#11 token to be used for cryptographic operations. You created this token in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

Key Label
  Allowed values: Actual PKCS#11 key label
  Description: The PKCS#11 key label has a limit of 32 characters. The value you specify for PKCS#11 key label is used if it already exists and is created if it does not exist.

Primary Server Host Name
  Allowed values: Valid host name or IP address
  Description: Enter the fully qualified hostname or IP address for the primary RSA SecurID RADIUS server. Must be set.

Primary Server Port
  Allowed values: Valid port number
  Description: The port number of the primary RSA SecurID RADIUS server. Must be set. The default is 1812.

Secondary Server Host Name
  Allowed values: Valid host name or IP address
  Description: Enter the fully qualified hostname or IP address for the secondary RSA SecurID RADIUS server, if applicable.

Secondary Server Port
  Allowed values: Valid port number
  Description: The port number of the secondary RSA SecurID RADIUS server, if applicable.

Tertiary Server Host Name
  Allowed values: Valid host name or IP address
  Description: Enter the fully qualified hostname or IP address for the tertiary RSA SecurID RADIUS server, if applicable.

Tertiary Server Port
  Allowed values: Valid port number
  Description: The port number of the tertiary RSA SecurID RADIUS server, if applicable.

Number of Retries
  Allowed values: Integer, from 1 through 15
  Description: The number of times IBM MFA attempts to contact the RSA Authentication Server should the connection become inactive.

Timeout
  Allowed values: Number of seconds, from 1 through 180
  Description: The amount of time the connection between IBM MFA and the RADIUS server can remain inactive before the session is timed out.

Shared Secret
  Allowed values: Actual shared secret
  Description: The shared secret (case-sensitive password) that is used by the RSA RADIUS server to recognize the IBM MFA RADIUS client. The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or RADIUS replica servers.
  Important: The shared secret must be the same for all LPARs in a sysplex. Consult your RADIUS documentation for configuration information.
  Note: The shared secret is not displayed on the panel after you enter it.
  Note: When translating EBCDIC into ASCII to send to an external server, the translation is performed using host code page IBM-1047 and server code page ISO-8859-1. This may have implications if you are using other code pages when specifying the host data.

Initial Trace Level
  Allowed values: 0 through 3
  Description: Choose the initial trace level. Valid values are 0 through 3, where the higher number increases the level of verbosity. The default is 0.
3. See “Configure IBM MFA Compound In-Band” on page 116 for information about configuring IBM MFA
Compound In-Band.
4. Press F3 to save your changes and exit.
5. Verify that the RSA SecurID RADIUS server accepts communications from each z/OS system or LPAR
that is running the IBM MFA services started task.
If you change the PKCS#11 token name or key label values, you must re-enter the shared secret value.

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1
• Generic RADIUS AZFRADP1

• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Configure IBM MFA Compound In-Band


Configure IBM MFA Compound In-Band authentication only if you require the user to authenticate in-band
with a combination of an RSA SecurID RADIUS passcode, and a passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFSIDR1 factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.

The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the passcode with the passphrase or password, separated by a valid separator, and
stores the result in the passphrase field.

Procedure
1. Execute AZFEXEC.
2. Choose AZFSIDR1.
3. On the AZFSIDR1 factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.
• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 36 on page 117. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)
Note: Encodings are shown for code page IBM-1047.

Table 36. Valid Separator Characters

Character Name                   Character   Hexadecimal (for reference)
Plus sign                        +           4e
Less than sign                   <           4c
Equal sign                       =           7e
Greater than sign                >           6e
Ampersand                        &           50
Straight single quotation mark   '           7d
Left parenthesis                 (           4d
Right parenthesis                )           5d
Comma                            ,           6b
Underscore                       _           6d
Hyphen                           -           60
Period                           .           4b
Slash right                      /           61
Colon                            :           7a
Semicolon                        ;           5e
Question mark                    ?           6f
Percent                          %           6c
Asterisk                         *           7f
Double quotation mark            "           5c
Vertical bar                     |           4f

4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their passcode, the required separator, and their passphrase or password in
the password field, based on the credential order you selected. For example:

passcode:passphrase

Administration and operation steps for RSA SecurID RADIUS


Follow the steps in this section to provision users and start up and administer SecurID RADIUS. You need
to configure an RSA Authentication Agent for each z/OS system or LPAR that is running IBM Multi-Factor
Authentication for z/OS. See your Authentication Manager documentation for details.

Activate and deactivate users for RSA SecurID RADIUS


You use the ALTUSER or ALU command to activate users for RSA SecurID RADIUS.

Before you begin


Before you can activate users for RSA SecurID RADIUS, you must first create accounts for the users in
RSA Authentication Manager and assign RSA tokens.
When you activate a user for IBM MFA, that user is no longer able to use the z/OS password to log in.
Therefore, the user must first have a valid token and credentials for RSA Authentication Manager.
To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the
NOACTIVE keyword to deactivate the authenticator for the user ID.

Procedure
1. Enter the following command to activate a user for RSA SecurID RADIUS:

ALU [Login ID] MFA(FACTOR(AZFSIDR1) ACTIVE PWFALLBACK TAGS(SIDUSERID:[RSA User ID]))

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFSIDR1 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
• RSA User ID is the associated RSA user ID. The SIDUSERID tag identifies the RSA user ID to use
when an authentication request for this user is sent to the RSA server by IBM MFA:
– If the security manager user ID matches the RSA server user ID, you can either specify the RSA
server user ID in the SIDUSERID tag, or omit it and the security manager user ID is used by
default.
– If the security manager user ID does not match the RSA server user ID, you must specify the RSA
server user ID in the SIDUSERID tag.
2. If needed, enter the following command to defer activating a user for RSA SecurID RADIUS:

ALU [Login ID] MFA(FACTOR(AZFSIDR1) TAGS(SIDUSERID:[RSA User ID]))

Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFSIDR1 authenticator for the user ID:

ALU <USERID> MFA(FACTOR(AZFSIDR1) ACTIVE)

3. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSIDR1
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user

4. If needed, enter the following command to deactivate a user for RSA SecurID RADIUS:

ALU [Login ID] MFA(FACTOR(AZFSIDR1) NOACTIVE TAGS(SIDUSERID:[RSA User ID]))

Clear the shared secret


The RADIUS shared secret is a shared secret known to IBM MFA and the RSA Authentication Manager. If
this secret must be established (or re-established), your RSA Authentication Manager administrator will
request that the shared secret be cleared from each z/OS instance sharing the RACF database where
users log on.

Procedure
1. Edit the RADIUS client and change the shared secret as documented in your RADIUS documentation.
2. Repeat Step “1” on page 119 for all of the associated RADIUS clients. (All LPARs in a sysplex must use
the same shared secret.)
3. Execute AZFEXEC and choose AZFSIDR1.
4. Change the shared secret to match that of the RADIUS client setting.
Note: The administrator who performs this step must be authorized as shown in “Authorize access to
resource profiles for shared secret” on page 112.
5. Press F3 to save your changes and exit.
6. Restart the started task, as described in “Start the IBM MFA services started task” on page 55 on each
z/OS instance sharing the RACF database.

Chapter 19. Configuring IBM MFA for IBM Security Verify Access
You must configure IBM MFA for IBM Security Verify Access if you want to use IBM Security Verify Access
authentication.

IBM Security Verify Access configuration requirements


Before you configure IBM Security Verify Access, refer to the configuration roadmap in Chapter 6, “IBM
MFA configuration roadmap,” on page 13.

Additional RACF administration steps for IBM Security Verify Access

You must perform additional RACF administration steps for IBM Security Verify Access.

Define a resource profile in MFADEF class


You define IBM Security Verify Access factors by creating a general resource profile for the factor name
in the MFADEF class. To define a factor for IBM Security Verify Access, use RDEFINE to create resource
profiles named FACTOR.AZFISAM1 in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFISAM1 OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFISAM1 MFA

Define a resource profile in FACILITY class


Use RDEFINE to define a resource profile in the FACILITY class for authorizing administrators who
execute IBM Security Verify Access panels.

Procedure
1. Define a profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFISAM1 OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the changes. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFISAM1

Authorize access to IRR.RFACTOR.MFADEF.AZFISAM1 profile
Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFISAM1 profile.

Procedure
1. Allow the access shown in Table 37 on page 122:

Table 37. Required levels of permission

Permission                Access
READ                      Able to view configuration options, but may not update, create, or delete parameters.
UPDATE, CONTROL, ALTER    Able to create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFISAM1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Additional system programming steps for IBM Security Verify Access

After you perform the RACF administration tasks, you must perform additional system programming tasks
for IBM Security Verify Access.

Configure IBM MFA for IBM Security Verify Access


You must configure the IBM MFA for IBM Security Verify Access settings.

Before you begin


• If you have not already installed the IBM Security AppX Installer, navigate to
https://exchange.xforce.ibmcloud.com/hub/extension/ad8f86525d3a9c1186c1bce524edc9c3 in a browser
and download and install it. Log in with an IBM ID if you have not already done so.
The IBM Security AppX Installer enables configuration of your IBM Security Verify Access appliance for
use with partner applications published on the IBM Security App Exchange.
• Navigate to IBM Security Verify Access Extension for Multi-factor Authentication API in a browser. Log in
with an IBM ID if you have not already done so.
Follow the provided links on the page to download the software and review the documentation.
Pay close attention to the documented OAuth configuration parameters for running the installer script.
These parameters begin with the prefix --oauth (for example --oauthproxy) and they define the
back channel interface that is used by IBM MFA to perform OTP authentication.
• Ensure that backchannelcomplete.json complies with the following syntax:

{"username":"@USERNAME@","status":"success"}

The following syntax is also valid. (The example is wrapped for format requirements.)

{"username":"@USERNAME@","authenticationMechanismTypes":"@AUTHNMECHTYPES@",
"status":"success"}

• On the IBM MFA server, you must have already configured PKCS#11 tokens. You must have already
configured an AT-TLS profile, as described in “Configure an AT-TLS profile” on page 36. This procedure
builds upon that existing profile by defining an AT-TLS outbound rule in Step “7” on page 123.

About this task


Configuration data for IBM Security Verify Access is stored in the RACF database. The IBM Security Verify
Access configuration data include settings related to the AZFISAM1 authentication load module.

Procedure
1. Log in to the IBM Security Verify Access local management interface (LMI).
2. Navigate to Secure Access Control > Global Settings > Template Files > C > authsvc >
authenticator > apimfa > browser.html.
3. Configure the authentication context in the browser.html file:

<td>
<select name="authnctx">
<option value="server-authnctx">Arbitrary text
that describes your server</option>
</select>
</td>

where server-authnctx must match that of the Authentication Context on the IBM MFA server.
4. A pending change message is displayed at the top of the main pane. Click Click here to review the
changes or apply them to the system.
5. In the Deploy Pending Changes page:
a) To view the details of changes that are made to a particular module, click the link to that module.
b) To deploy the changes, click Deploy.
c) To abandon the changes, click Roll Back.
d) To close the pop-up page without any actions against the changes, click Cancel.
6. Add the root CA public certificate of the IBM Security Verify Access server as a CERTAUTH in the z/OS
keyring you created in “Configure an AT-TLS profile” on page 36.
7. Configure an AT-TLS outbound rule. The rule must allow the IBM MFA services AZF#IN00 started
task to negotiate the client side of a server-authentication TLS connection with the IBM Security
Verify Access server. The HandshakeRole role is Client.
If the connection port for the IBM Security Verify Access server is not otherwise used by the IBM MFA
services AZF#IN00 started task, you can scope the outbound rule to the port number.
Note: The code fragment is for example purposes only and is not complete. See
SYS1.SAZFSAMP(AZFTTLSX) for sample AT-TLS rule definitions for IBM MFA.

TTLSRule AZFClientRule
{
  Jobname                      AZF*                (a)
  LocalAddr                    ALL
  RemoteAddr                   ALL
  RemotePortRange              ?outboundPort?      (b)
  Direction                    Outbound            (c)
  Priority                     255
  TTLSEnvironmentActionRef     eActAZFClient
  TTLSGroupActionRef           AZFGroupAction1
  TTLSConnectionActionRef      AZFConnAction1
}

TTLSConnectionAction AZFConnAction1
{
  TTLSCipherParmsRef              AZFCipherParms
  TTLSConnectionAdvancedParmsRef  AZFConnAdvParms1
  CtraceClearText                 Off
  Trace                           255
}
:
:

Callout Notes:
a. The Jobname directive indicates that the rule applies only to connections made from the started
task.
b. The RemotePortRange indicates the port on which IBM Security Verify Access server is
listening.
c. The Direction Outbound directive indicates that the rule applies to outgoing connections.
8. Execute AZFEXEC and choose AZFISAM1.
9. Provide the following:

Table 38. AZFISAM1 Factor Attributes

PKCS#11 Token Name
  Allowed values: Actual PKCS#11 token name
  Description: Enter the name of the PKCS#11 token to be used for cryptographic operations. You created this token in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

Key Label
  Allowed values: Actual PKCS#11 key label
  Description: The name of the key label that is used to encrypt the client secret. The PKCS#11 key label has a limit of 32 characters. The value you specify for PKCS#11 key label is used if it already exists and is created if it does not exist.

Client ID
  Allowed values: Actual client ID
  Description: User ID that is used to obtain an access or bearer token.

Client Secret
  Allowed values: Actual value
  Description: Password for Client ID.

Authentication Context
  Allowed values: Default application context
  Description: Enables specific OTP generations per authentication context. This is typically a SYSPLEX name, and is only more granular than a SYSPLEX if the application context is included as a user tag. Must match that of the IBM Security Verify Access server unless the application context is included as a user tag.

Access Token URL
  Allowed values: URL
  Description: The URL to which to send the client ID and secret to obtain the access or bearer token.

One-Time Passcode Validation URL
  Allowed values: URL
  Description: URL to which to send user authentication requests.

Timeout
  Allowed values: Number of seconds, from 1 through 30
  Description: The amount of time the connection can remain inactive before the session is timed out.

Suspension Threshold
  Allowed values: 0 through 255
  Description: The Suspension Threshold limits the number of times a user consecutively fails to provide a valid token code. Valid values are 0 through 255.
  Note: The Suspension Threshold setting is separate and distinct from a RACF revoked status. The Suspension Threshold setting is most useful in IBM MFA Out-of-Band authentication to prevent brute force attacks. To prevent any conflict or user confusion with the RACF revoke count for in-band authentication, you should set the Suspension Threshold setting to a number significantly higher than the RACF revoke count.
  A value of 0 indicates that brute force protection is not enabled for the AZFISAM1 authentication method. Any numeric value greater than zero is treated as the number of times a user may consecutively fail to provide a valid token code. If a user fails exactly this number of times and then provides a valid token code:
  • Authentication succeeds.
  • Their failure count is reset to zero.
  If the user fails more than this number of times:
  • Authentication fails.
  • Their SUSPENDED tag is set to YES.
  • Their failure count is reset to zero.

Initial Trace Level
  Allowed values: 0 through 3
  Description: The trace level used for tracing events within the AZFISAM1 plug-in. Valid values are 0 through 3, where the higher number increases the level of verbosity. The default is zero.
10. See “Configure IBM MFA Compound In-Band” on page 127 for information about configuring IBM
MFA Compound In-Band.
11. Press F3 to save your changes and exit.
If you change the PKCS#11 token name or key label values, you must re-enter the client secret value.
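The Suspension Threshold rules from Table 38 above, as an added Python model (not the AZFISAM1 code itself): consecutive failures are counted per user, exactly threshold failures followed by a valid token code still succeed and reset the count, one further failure sets the SUSPENDED tag and resets the count, and a threshold of 0 disables the protection entirely. How a user who is already suspended is treated, and the administrator action that clears the tag, are assumptions not stated on this page.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class FactorUserState:
    """Per-user state kept for the AZFISAM1 factor."""
    failure_count: int = 0
    suspended: bool = False  # models the SUSPENDED tag (True means YES)


class SuspensionThreshold:
    """Brute-force protection as described for the Suspension Threshold attribute."""

    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    REJECT_AND_SUSPEND = "REJECT_AND_SUSPEND"
    SUSPENDED = "SUSPENDED"

    def __init__(self, threshold: int):
        if not 0 <= threshold <= 255:
            raise ValueError("Suspension Threshold must be 0 through 255")
        self.threshold = threshold
        self._users: Dict[str, FactorUserState] = {}

    def state(self, user_id: str) -> FactorUserState:
        return self._users.setdefault(user_id, FactorUserState())

    def attempt(self, user_id: str, token_code_valid: bool) -> str:
        """Record one authentication attempt and return its outcome.

        Note that for in-band logons RACF keeps its own revoke count alongside this
        counter, which is why the guide recommends a threshold well above it."""
        s = self.state(user_id)
        if self.threshold == 0:
            # 0 means brute-force protection is not enabled: nothing is counted.
            return self.ACCEPT if token_code_valid else self.REJECT
        if s.suspended:
            # Assumption: a suspended user is refused until an administrator clears the tag.
            return self.SUSPENDED
        if token_code_valid:
            # Up to and including exactly `threshold` prior failures, a valid code
            # succeeds and the failure count is reset to zero.
            s.failure_count = 0
            return self.ACCEPT
        s.failure_count += 1
        if s.failure_count > self.threshold:
            # More than `threshold` consecutive failures: fail, set SUSPENDED, reset count.
            s.suspended = True
            s.failure_count = 0
            return self.REJECT_AND_SUSPEND
        return self.REJECT

    def clear_suspension(self, user_id: str) -> None:
        """Administrator action (modelled here; the page does not describe how the tag is cleared)."""
        s = self.state(user_id)
        s.suspended = False
        s.failure_count = 0


if __name__ == "__main__":
    guard = SuspensionThreshold(3)
    for valid in (False, False, False, True, False, False, False, False, True):
        print(guard.attempt("ZOSUSER1", valid))  # constructed sequence of attempts
```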

Start the IBM MFA services started task
The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1
• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.

Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Configure IBM MFA Compound In-Band


Configure IBM MFA Compound In-Band authentication only if you require the user to authenticate in-band
with a combination of an IBM Security Verify Access password, and a RACF passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFISAM1 factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.
The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the IBM Security Verify Access password with the RACF passphrase or password,
separated by a valid separator, and stores the result in the passphrase field.

Procedure
1. Execute AZFEXEC.
2. Choose AZFISAM1.
3. On the AZFISAM1 factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.
• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 39 on page 127. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)
Note: Encodings are shown for code page IBM-1047.

Table 39. Valid Separator Characters

Character name                    Character   Hexadecimal (for reference)
Plus sign                         +           4e
Less than sign                    <           4c
Equal sign                        =           7e
Greater than sign                 >           6e
Ampersand                         &           50
Straight single quotation mark    '           7d
Left parenthesis                  (           4d
Right parenthesis                 )           5d
Comma                             ,           6b
Underscore                        _           6d
Hyphen                            -           60
Period                            .           4b
Forward slash                     /           61
Colon                             :           7a
Semicolon                         ;           5e
Question mark                     ?           6f
Percent                           %           6c
Asterisk                          *           7f
Double quotation mark             "           5c
Vertical bar                      |           4f
4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their IBM Security Verify Access token, the required separator, and their
passphrase or password in the password field, based on the credential order you selected. For
example:

token:passphrase

Administration and operation steps for IBM Security Verify Access


Follow the steps in this section to provision users and start up and administer IBM Security Verify Access.

Activate and deactivate users for IBM Security Verify Access


You use the ALTUSER or ALU command to activate users for IBM Security Verify Access.

Before you begin


The user must already have an IBM Security Verify Access account that allows them to authenticate with
multi-factor authentication and an OTP one-time password.

Procedure
1. Enter the following commands to activate a user for IBM Security Verify Access:

ALU [Login ID] MFA(FACTOR(AZFISAM1) ACTIVE PWFALLBACK TAGS(ISAMUSERID:user-ID AUTHCTX:auth-context))

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFISAM1 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
• ISAMUSERID is the IBM Security Verify Access user ID.

• AUTHCTX optionally overrides the authentication context you configured in “Configure IBM MFA for
IBM Security Verify Access” on page 122.
2. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:


FACTOR = AZFISAM1
STATUS = ACTIVE
FACTOR TAGS =
ISAMUSERID:user-id
FAILCOUNT:0
AUTHCTX:myAuthCtx

3. If needed, enter the following commands to deactivate a user for IBM Security Verify Access:

ALU [Login ID] MFA(FACTOR(AZFISAM1) NOACTIVE)

What to do next
Typical User Login Flow
This section describes the typical user login flow. The exact steps the user must follow depend on your
IBM Security Verify Access configuration. As part of the login flow, you must provide the user with the
following:
• The URL of the IBM Security Verify Access login page. For example, https://server-name/apimfa.html, as
described in the documentation.
• Their user name on the IBM Security Verify Access server.
• The name of the application to use on the Generate application one-time password page.
Important: As part of the login flow, the user needs to register and use a device that is running the IBM
Verify application. This device must have network connectivity to the IBM Security Verify Access server.
1. Navigate to the web page provided by your administrator and log in with your IBM Security Verify
Access user name.
The API Multi-factor authentication page is displayed.
2. Click on Manage / Register IBM Verify and FIDO U2F. This step is needed only on your first access.
a. Under Authenticators::Register new authenticator, select AuthenticatorClient in the drop-down
menu.
b. Click register new authenticator.
c. Launch IBM Verify on the device and point the camera at the displayed QR code.
d. IBM Verify connects with API Multi-factor authentication and creates a new account.
e. Click Home on the web page to return to the API Multi-factor authentication page.
3. Click Obtain application OTP. The Mobile Multi Factor Device Selection page is displayed.
a. Click the radio button corresponding to the device you registered.
b. Click Submit. This device will receive a notification.
c. The Mobile Multi Factor Pending Authentication page is displayed.
d. Accept the Please log me in: user name notification on your device. Click the check mark and
verify with your fingerprint if you configured Touch ID.
e. If the Mobile Multi Factor Pending Authentication page does not disappear, click Verify.
4. On the Generate application one-time password page:
a. Select the application the administrator instructs you to use from the Application drop-down
menu.
b. Click Generate OTP. The OTP is displayed:

Application One-time Password
Username username
Application app-name
One-time password OTP
Expires In (hh:mm:ss)

c. Copy the OTP to the clipboard.


5. Log in to the z/OS application with your z/OS user ID. You do not use the IBM Security Verify Access
user name for this step.
6. Paste the OTP from the clipboard as your password.

Activating a user when SUSPENDED is YES


The suspension threshold limits the number of times a user consecutively fails to provide a valid token
code. If the user fails more than this number of times, their SUSPENDED tag is set to YES. The suspension
threshold setting is separate and distinct from a RACF revoked status.

Procedure
1. Enter the following command to display IBM MFA information for a user profile, including the
suspended state:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:


FACTOR = AZFISAM1
STATUS = ACTIVE
FACTOR TAGS =
ISAMUSERID:user-id
SUSPENDED:YES      (a)
FAILCOUNT:0        (b)
AUTHCTX:myAuthCtx

Callout Notes:
a. The user has exceeded the suspension threshold you set, and the SUSPENDED tag is set to YES.
b. The user's consecutive failure count is reset to zero.
2. Enter the following command to reactivate a user for IBM Security Verify Access.

ALU [Login ID] MFA(FACTOR(AZFISAM1)


TAGS(SUSPENDED:NO))

3. Enter the following command to confirm that the user is no longer in the suspended state:

LISTUSER [Login ID] MFA

Chapter 20. Configuring LDAP
You must configure LDAP if you want to use LDAP authentication with IBM MFA.

LDAP configuration requirements


Note: The LDAP password represents a single authentication factor. It is recommended that you use
LDAP together with compound in-band authentication or with another factor in IBM MFA Out-of-Band
authentication.
Before you configure LDAP, refer to the configuration roadmap in Chapter 6, “IBM MFA configuration
roadmap,” on page 13.

Additional RACF administration steps for LDAP


You must perform additional RACF administration steps for LDAP.

Define a resource profile in MFADEF class


You define LDAP factors by creating a general resource profile for the factor name in the MFADEF class.
To define a factor for LDAP, use RDEFINE to create a resource profile named FACTOR.AZFLDAP1 in the
MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFLDAP1 OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFLDAP1 MFA

Define a resource profile in FACILITY class


Use RDEFINE to define a resource profile in the FACILITY class for authorizing administrators who
execute LDAP panels.

About this task

Procedure
1. Define a profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFLDAP1 OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the changes. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFLDAP1

Authorize access to IRR.RFACTOR.MFADEF.AZFLDAP1 profile
Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFLDAP1 profile.

Procedure
1. Allow the access shown in Table 40 on page 132:

Table 40. Required levels of permission

Permission                 Access
READ                       View configuration options; cannot update, create, or delete parameters.
UPDATE, CONTROL, ALTER     Create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFLDAP1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)


SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Additional system programming steps for LDAP


After you perform the RACF administration tasks, you must perform additional system programming tasks
for LDAP.

Configure LDAP
You must configure the LDAP settings.

Before you begin


You must have already configured an AT-TLS profile, as described in “Configure an AT-TLS profile” on page
36. This procedure builds upon that existing profile by defining an AT-TLS outbound rule.

About this task


Configuration data for LDAP is stored in the RACF database. The LDAP configuration data include settings
related to the AZFLDAP1 authentication load module.

Procedure
1. Configure an AT-TLS outbound rule for LDAP. The rule must allow the IBM MFA services AZF#IN00
started task to negotiate the client side of a server-authenticated TLS connection with the LDAP
server, so the HandshakeRole is Client. The RemotePortRange value must cover the LDAP server port
you configure in Table 41 (636 by default).
Note: The code fragment is for example purposes only and is not complete. See
SYS1.SAZFSAMP(AZFTTLSX) for a sample of connecting to a secure LDAP port. Trace 255 in the fragment
enables every AT-TLS trace level for these connections; lower it once the connection to the LDAP
server has been verified.

TTLSRule AZFClientRule
{
Jobname AZF*
LocalAddr ALL
RemoteAddr ALL
RemotePortRange ?outboundPort?
Direction Outbound
Priority 255
TTLSEnvironmentActionRef eActAZFClient
TTLSGroupActionRef AZFGroupAction1
TTLSConnectionActionRef AZFConnAction1
}

TTLSConnectionAction AZFConnAction1
{
TTLSCipherParmsRef AZFCipherParms
TTLSConnectionAdvancedParmsRef AZFConnAdvParms1
CtraceClearText Off
Trace 255
}
:
:

2. Execute AZFEXEC and choose AZFLDAP1.


3. Provide the following:

Table 41. AZFLDAP1 Factor Attributes

Primary Server Host Name (valid host name or IP address)
    The host name or IP address of the primary LDAP server. The name must be resolvable by the
    z/OS resolver on every system where the IBM MFA services started task runs.

Primary Server Port (valid port number)
    The port used on the primary LDAP server for authentication. Default: 636. This is the port the
    AT-TLS outbound rule's RemotePortRange must cover.

Secondary Server Host Name (valid host name or IP address)
    The host name or IP address of the secondary LDAP server. Required only if you have multiple
    servers. The default is blank. The same name-resolution requirement applies.

Secondary Server Port (valid port number)
    The port used on the secondary LDAP server for authentication. Required only if you have
    multiple servers. The default is 0.

Tertiary Server Host Name (valid host name or IP address)
    The host name or IP address of the tertiary LDAP server. Required only if you have multiple
    servers. The default is blank. The same name-resolution requirement applies.

Tertiary Server Port (valid port number)
    The port used on the tertiary LDAP server for authentication. Required only if you have
    multiple servers. The default is 0.

Timeout (number of seconds, from 1 through 180)
    The number of seconds a server is allowed to take before a retry occurs if there is no
    response. The default is 3 seconds.

Initial Trace Level (0 through 3)
    The trace level used for tracing events within the AZFLDAP1 plug-in. Higher values increase
    verbosity. The default is 0.
4. See “Configure IBM MFA Compound In-Band” on page 135 for information about configuring IBM MFA
Compound In-Band.
5. Press F3 to save your changes and exit.

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1
• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Configure IBM MFA Compound In-Band


Configure IBM MFA Compound In-Band authentication only if you require the user to authenticate in-band
with a combination of an LDAP password, and a RACF passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFLDAP1 factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.
The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the LDAP password with the RACF passphrase or password, separated by a valid
separator, and stores the result in the passphrase field.
Important: Unexpected results can occur if the user's LDAP password includes the separator character
you choose.

Procedure
1. Execute AZFEXEC.
2. Choose AZFLDAP1.
3. On the AZFLDAP1 factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.
• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 42 on page 136. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)

Note: Encodings are shown for code page IBM-1047.

Table 42. Valid Separator Characters

Character name                    Character   Hexadecimal (for reference)
Plus sign                         +           4e
Less than sign                    <           4c
Equal sign                        =           7e
Greater than sign                 >           6e
Ampersand                         &           50
Straight single quotation mark    '           7d
Left parenthesis                  (           4d
Right parenthesis                 )           5d
Comma                             ,           6b
Underscore                        _           6d
Hyphen                            -           60
Period                            .           4b
Forward slash                     /           61
Colon                             :           7a
Semicolon                         ;           5e
Question mark                     ?           6f
Percent                           %           6c
Asterisk                          *           7f
Double quotation mark             "           5c
Vertical bar                      |           4f
4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their LDAP password, the required separator, and their RACF passphrase or
password in the password field, based on the credential order you selected. For example:

LDAP password:passphrase

Administration and operation steps for LDAP
Follow the steps in this section to provision users and start up and administer LDAP.

Activate and deactivate users for LDAP


You use the ALTUSER or ALU command to activate users for LDAP.

Before you begin


You need the fully-qualified distinguished name (DN) of each user you want to authenticate with LDAP.
For example, the Windows whoami /fqdn command returns the DN of the logged-on Active Directory user:

C:\Users\juser>whoami /fqdn
CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com

About this task

Procedure
1. Enter the following command to activate a user for LDAP. The DN tag value contains blanks and
commas, so it must be enclosed in single quotation marks.

ALU [Login ID] MFA(FACTOR(AZFLDAP1) ACTIVE PWFALLBACK TAGS('DN:CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com'))

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFLDAP1 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
• DN is the user's distinguished name in the LDAP directory (not a DNS domain name).
2. If needed, enter the following command to store the DN for a user without activating the factor yet:

ALU [Login ID] MFA(FACTOR(AZFLDAP1) TAGS('DN:CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com'))

Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFLDAP1 authenticator for the user ID:

ALU <USERID> MFA(FACTOR(AZFLDAP1) ACTIVE)

3. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:


---------------------------------------
FACTOR = AZFLDAP1
STATUS = ACTIVE
FACTOR TAGS =
DN:CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com

4. If needed, enter the following command to deactivate a user for LDAP:

ALU [Login ID] MFA(FACTOR(AZFLDAP1)


NOACTIVE)

Chapter 21. Configuring Yubico OTP
You must configure Yubico OTP if you want to use the Yubico OTP authentication method.

Yubico OTP configuration requirements


Note: The OTP generated by the YubiKey token represents a single authentication factor. It is
recommended that you use Yubico OTP together with compound in-band authentication or with another
factor in IBM MFA Out-of-Band authentication.
Before you configure Yubico OTP, refer to the configuration roadmap in Chapter 6, “IBM MFA
configuration roadmap,” on page 13.

Additional RACF administration steps for Yubico OTP


You must perform additional RACF administration steps for Yubico OTP.

Define a resource profile in MFADEF class


You define Yubico OTP factors by creating a general resource profile for the factor name in the
MFADEF class. To define a factor for Yubico OTP, use RDEFINE to create a resource profile named
FACTOR.AZFYUBI1 in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFYUBI1 OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFYUBI1 MFA

Define a resource profile in FACILITY class


Use RDEFINE to define a resource profile in the FACILITY class for authorizing administrators who
execute Yubico OTP panels. The user ID of the IBM MFA web services started task requires READ access
to this profile.

About this task

Procedure
1. Define a profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFYUBI1 OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the changes. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFYUBI1

Authorize access to IRR.RFACTOR.MFADEF.AZFYUBI1 profile
Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFYUBI1 profile. The
user ID of the IBM MFA web services started task requires READ access to this profile.

Procedure
1. Allow the access shown in Table 43 on page 140:

Table 43. Required levels of permission

Permission                 Access
READ                       View configuration options; cannot update, create, or delete parameters.
UPDATE, CONTROL, ALTER     Create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFYUBI1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)


PERMIT IRR.RFACTOR.MFADEF.AZFYUBI1 ACCESS(READ) CLASS(FACILITY) ID(AZFWEB)
SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Additional system programming steps for Yubico OTP


After you perform the RACF administration tasks, you must perform additional system programming tasks
for Yubico OTP.

Configure Yubico OTP


You must configure the Yubico OTP AZFYUBI1 settings.

Before you begin


You must have already configured PKCS#11 tokens before you configure Yubico OTP.

About this task


Configuration data for Yubico OTP is stored in the RACF database. The Yubico OTP configuration data
include settings related to the AZFYUBI1 authentication load module.

Procedure
1. Execute AZFEXEC and choose AZFYUBI1.
2. Provide the following:

Table 44. AZFYUBI1 Factor Attributes

PKCS#11 Token Name (actual PKCS#11 token name)
    The name of the PKCS#11 token to be used for cryptographic operations. You created this token
    in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

Key Label (actual PKCS#11 key label)
    The label of the key that is used to encrypt the client secret. A PKCS#11 key label is limited
    to 32 characters. The key is created under this label when you run the Yubico OTP bulk
    provisioning feature if it does not already exist.

Initial Trace Level (0 through 3)
    The trace level used for tracing events within the AZFYUBI1 plug-in. Higher values increase
    verbosity. The default is 0.
3. See “Configure IBM MFA Compound In-Band” on page 142 for information about configuring IBM MFA
Compound In-Band.
4. Press F3 to save your changes and exit.
5. Set Enable YubiKey Enrollment to Y in the web services started task configuration, as described in
“Configure IBM MFA web services started task” on page 41 if you want users to be able to enroll a
YubiKey on the YubiKey Enrollment page. The YubiKey Enrollment page and process is described in
“Ingesting the .csv configuration file” on page 145.
If you change the PKCS#11 token name or key label values, all user registrations will become
inaccessible, and users must re-register.

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1
• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.

If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Configure IBM MFA Compound In-Band


Configure IBM MFA Compound In-Band authentication only if you require the user to authenticate in-band
with a combination of a Yubico OTP and a RACF passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFYUBI1 factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.
The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the Yubico OTP with the passphrase or password, separated by a valid separator,
and stores the result in the passphrase field.

Procedure
1. Execute AZFEXEC.
2. Choose AZFYUBI1.
3. On the AZFYUBI1 factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.

• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 45 on page 143. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)
Note: Encodings are shown for code page IBM-1047.

Table 45. Valid Separator Characters

Character name                    Character   Hexadecimal (for reference)
Plus sign                         +           4e
Less than sign                    <           4c
Equal sign                        =           7e
Greater than sign                 >           6e
Ampersand                         &           50
Straight single quotation mark    '           7d
Left parenthesis                  (           4d
Right parenthesis                 )           5d
Comma                             ,           6b
Underscore                        _           6d
Hyphen                            -           60
Period                            .           4b
Forward slash                     /           61
Colon                             :           7a
Semicolon                         ;           5e
Question mark                     ?           6f
Percent                           %           6c
Asterisk                          *           7f
Double quotation mark             "           5c
Vertical bar                      |           4f
4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their Yubico OTP, the required separator, and their passphrase or password
in the password field, based on the credential order you selected. For example:

YubiKey token:passphrase
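
The Compound In-Band procedures for AZFISAM1, AZFLDAP1 and AZFYUBI1 all describe the same credential format: the two credentials joined by one separator from the table, in the order set on the factor panel, stored in the password phrase field. The following Go program is an added example, not code from IBM MFA or from this manual, that composes and splits such a value. It applies the separator table and the FTP and HTTP restrictions the text lists, enforces the 100-character RACF password phrase limit that is the reason applications limited to 8-character passwords are excluded, and refuses the case the LDAP chapter warns about: a credential that itself contains the separator. How the product parses a value with zero or several separators is not described on this page, so the strict one-separator rule in Split is this example's own choice. The application names and all sample credentials are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Separator characters accepted in the "Compound In-band Factor Separator" field
// (the page's separator table; the IBM-1047 hex values listed there are not needed here).
const validSeparators = `+<=>&'(),_-./:;?%*"|`

// Per-application restrictions the page states: FTP cannot carry "/" or ":" and
// HTTP cannot carry "/". Other application names are assumed unrestricted.
var appForbidden = map[string]string{"FTP": "/:", "HTTP": "/"}

// The compound value is stored in the RACF password phrase field, which holds at
// most 100 characters; that is why applications limited to 8-character passwords
// cannot be used with Compound In-Band.
const maxPassphraseLen = 100

// CheckSeparator validates a candidate separator for the named application.
func CheckSeparator(sep byte, app string) error {
	if strings.IndexByte(validSeparators, sep) < 0 {
		return fmt.Errorf("separator %q is not in the valid separator table", sep)
	}
	if strings.IndexByte(appForbidden[strings.ToUpper(app)], sep) >= 0 {
		return fmt.Errorf("separator %q cannot be used with %s", sep, app)
	}
	return nil
}

// Compose builds what the user types into the password field, in the credential
// order configured on the factor panel (IBM MFA credential first is the default).
// A credential that contains the separator is refused up front: the page warns that
// such values give unexpected results, and no parser can split them unambiguously.
func Compose(mfaCred, racfCred string, sep byte, mfaFirst bool, app string) (string, error) {
	if err := CheckSeparator(sep, app); err != nil {
		return "", err
	}
	if strings.IndexByte(mfaCred, sep) >= 0 || strings.IndexByte(racfCred, sep) >= 0 {
		return "", fmt.Errorf("a credential contains the separator %q; the compound value would be ambiguous", sep)
	}
	s := mfaCred + string(sep) + racfCred
	if !mfaFirst {
		s = racfCred + string(sep) + mfaCred
	}
	if len(s) > maxPassphraseLen {
		return "", fmt.Errorf("compound credential is %d characters; the passphrase field holds at most %d", len(s), maxPassphraseLen)
	}
	return s, nil
}

// Split recovers the two credentials from a compound value. It accepts only input
// with exactly one separator; with zero or several occurrences there is no
// unambiguous split. How the product itself handles that case is not described on
// this page, so this strictness is the example's own choice.
func Split(compound string, sep byte, mfaFirst bool) (mfaCred, racfCred string, err error) {
	if n := strings.Count(compound, string(sep)); n != 1 {
		return "", "", fmt.Errorf("separator %q occurs %d times; exactly one expected", sep, n)
	}
	i := strings.IndexByte(compound, sep)
	first, second := compound[:i], compound[i+1:]
	if mfaFirst {
		return first, second, nil
	}
	return second, first, nil
}

func main() {
	// Constructed sample values, not real credentials: a 44-character Yubico OTP
	// shape and a RACF password phrase.
	otp := strings.Repeat("c", 12) + strings.Repeat("tvhcjlhgucln", 2) + "rtuvcbde"
	phrase := "correct horse battery staple 2024"
	for _, app := range []string{"TSO", "FTP"} {
		s, err := Compose(otp, phrase, ':', true, app)
		fmt.Printf("%-3s sep ':' -> %q err=%v\n", app, s, err)
	}
	// An LDAP password that itself contains the separator cannot be split safely.
	_, _, err := Split("ldap:pw:phrase", ':', true)
	fmt.Println("ambiguous split:", err)
}
```

The length check is the practical one to run before enabling the feature: a Yubico OTP alone is 44 characters, so with the separator the user's password phrase has at most 55 characters left, and an LDAP or IBM Security Verify Access credential that contains the chosen separator is better caught by a password rule on that side than discovered at logon.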

Administration and operation steps for Yubico OTP
Follow the steps in this section to provision users and start up and administer Yubico OTP.
Tip: There are two methods you can use to provision users for Yubico OTP:
• Allow the users to self-enroll their own tokens. This method lets you activate a large number of
users for Yubico OTP authentication without tracking which user holds which specific YubiKey token.
• Enroll tokens for users. This method is more time consuming and is best suited to activating a small
number of users. It lets you control which user has which specific token and does not require the
IBM MFA web services started task.

Creating a .csv configuration file


If you already have a .csv configuration file from your YubiKey provider, you can skip this section. You
can create a .csv configuration file that contains the YubiKey token key material if you do not have one
from your YubiKey provider. Yubico OTP is the only supported Yubico format.

Before you begin


You must download and install the YubiKey Personalization Tool from the Yubico website
https://www.yubico.com/.

About this task


Note: As described in the YubiKey documentation, the Yubico OTP generated by the YubiKey token
represents a single authentication factor. It is recommended that you use Yubico OTP together with
compound in-band authentication or with another factor in IBM MFA Out-of-Band authentication.

Procedure
1. Insert the YubiKey token in a USB slot.
2. Run the YubiKey Personalization Tool.
3. Select the Settings tab.
4. In the Log configuration output control, select Yubico format.
5. Select the Yubico OTP tab. This is the only supported format.
6. Click Quick.
7. Select Configuration Slot 2.
Note: You can use either slot 1 or 2 with IBM MFA. However, slot 2 is recommended because it
requires a long press, making it less likely that the Yubikey is accidentally triggered.
8. Click Write Configuration.
The configuration is stored in a format similar to the following:

7699966,tvhcjlhgucln,ba29fe0f63b4,3ae7fa1cd82885153a2ae8dea864a22b,000000000000,2018-08-23T16:06:21,

where the first field is the serial number of the YubiKey token and the key material follows: the
public ID (12 modhex characters, which the token sends in the clear as the prefix of every OTP), the
private ID (12 hex characters), the AES-128 key (32 hex characters), the access code, and the time
the configuration was written. The private ID and AES key are the secret; the public ID is not.
9. Save the configuration .csv file to a secure location of your choice.
Important: The configuration .csv file contains important key material. Save the file only to a secure
location. A malicious actor could attempt to use the key material to gain system access.
10. Insert the next YubiKey token (if any) and repeat Step “8” on page 144 for each additional YubiKey
token.
11. Copy the .csv file to a secure z/OS UNIX file on the IBM MFA system.
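
The record above is the entire secret of the token, which is why the file must be kept secure: with the
AES key and private ID, anyone can produce an OTP that a verifier will accept. The following Go
program is an added illustration, not IBM MFA or Yubico code. It parses a record into its fields (the
layout is the personalization tool's Yubico-format log: serial, public ID, private ID, AES key, access
code, timestamp), mints an OTP the way the key does, and verifies it the way a server must: decrypt
with AES-128, check the CRC and the private ID, and refuse any OTP whose session and use counters are
not newer than the last accepted pair (the values that LISTUSER later shows as YKCTR and YKUSE). The
record is the one from this page; the counters in main are constructed, and the timestamp and random
bytes of the plaintext are left zero.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Token is the key material in one Yubico-format .csv record.
type Token struct {
	PublicID  string   // 12 modhex chars, sent in the clear as the OTP prefix
	PrivateID [6]byte  // secret; only ever travels inside the encrypted block
	Key       [16]byte // AES-128 key: whoever holds it can mint valid OTPs
}
const modhex = "cbdefghijklnrtuv"
func modhexDecode(s string) (out []byte, ok bool) {
	out = make([]byte, (len(s)+1)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return out, false
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, true
}
// crc16 is the ISO 13239 CRC Yubico uses (init 0xffff, reflected poly 0x8408).
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // shift; xor poly if the low bit was set
		}
	}
	return crc
}
// ParseCSVRecord validates one line of the .csv configuration file.
func ParseCSVRecord(line string) (Token, error) {
	f := append(strings.Split(strings.TrimSpace(line), ","), "", "", "") // pad so short lines fail cleanly
	pub, ok := modhexDecode(f[1])
	priv, e1 := hex.DecodeString(f[2])
	key, e2 := hex.DecodeString(f[3])
	if !ok || e1 != nil || e2 != nil || len(pub) != 6 || len(priv) != 6 || len(key) != 16 {
		return Token{}, errors.New("want serial,12-modhex public ID,12-hex private ID,32-hex AES key")
	}
	t := Token{PublicID: f[1]}
	copy(t.PrivateID[:], priv)
	copy(t.Key[:], key)
	return t, nil
}
// Generate builds an OTP the way the key does (ctr: session counter, +1 per power-up;
// use: per-session use counter; timestamp and random bytes left zero). Exercises Verify.
func Generate(t Token, ctr uint16, use uint8) string {
	var p, c [16]byte
	copy(p[0:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(p[6:8], ctr)
	p[11] = use
	binary.LittleEndian.PutUint16(p[14:16], ^crc16(p[:14]))
	blk, _ := aes.NewCipher(t.Key[:])
	blk.Encrypt(c[:], p[:])
	otp := []byte(t.PublicID)
	for _, x := range c { // modhex-encode the ciphertext
		otp = append(otp, modhex[x>>4], modhex[x&0x0f])
	}
	return string(otp)
}
// Verify decrypts the OTP, checks CRC and private ID, and rejects replays. last and
// the returned value are ctr<<8|use, the pair the page shows as YKCTR/YKUSE.
func Verify(t Token, last uint32, otp string) (uint32, error) {
	body, ok := modhexDecode(strings.TrimPrefix(otp, t.PublicID))
	var c, p [16]byte
	copy(c[:], body)
	blk, _ := aes.NewCipher(t.Key[:])
	blk.Decrypt(p[:], c[:])
	switch cur := uint32(binary.LittleEndian.Uint16(p[6:8]))<<8 | uint32(p[11]); {
	case len(otp) != 44 || !strings.HasPrefix(otp, t.PublicID) || !ok:
		return last, errors.New("malformed OTP or unknown public ID")
	case binary.LittleEndian.Uint16(p[14:16]) != ^crc16(p[:14]):
		return last, errors.New("CRC mismatch: wrong key or damaged OTP")
	case string(p[:6]) != string(t.PrivateID[:]):
		return last, errors.New("private ID mismatch")
	case cur <= last:
		return last, errors.New("replay: counters not newer than last accepted OTP")
	default:
		return cur, nil
	}
}

func main() { // record from the page; the counters are constructed
	tok, _ := ParseCSVRecord("7699966,tvhcjlhgucln,ba29fe0f63b4,3ae7fa1cd82885153a2ae8dea864a22b,000000000000,2018-08-23T16:06:21,")
	otp := Generate(tok, 1, 1)
	seen, err := Verify(tok, 0, otp)
	fmt.Printf("%s ctr/use=%#x err=%v\n", otp, seen, err)
	_, err = Verify(tok, seen, otp) // the same OTP presented again must be refused
	fmt.Println("replay:", err)
}
```

The second Verify call fails with the replay error even though the OTP is cryptographically valid. This is
the reason a verifier has to persist the last accepted counters per token, and why a token whose key
material has leaked cannot be made safe again by any server-side setting: the only remedy is to
re-personalize the key with fresh key material and ingest the new record.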

144  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization


Allowing users to self-enroll their tokens
Allowing users to self-enroll their YubiKey token on the web enrollment page lets you activate users for
Yubico OTP authentication. Use the self-enrollment process when you do not need to control which user
has which specific YubiKey token.

Ingesting the .csv configuration file


You ingest the .csv configuration file into the IBM MFA database, and then activate users.

Before you begin


Note: Ensure that you have the following access, as described in Chapter 9, “Configuring a PKCS#11
token,” on page 31.
• CONTROL access to the SO.token_name profile that protects the token.
• UPDATE access to the USER.token_name profile that protects the token.
Note: As described in the YubiKey documentation, the Yubico OTP generated by the YubiKey token
represents a single authentication factor. It is recommended that you use Yubico OTP together with
compound in-band authentication or with another factor in IBM MFA Out-of-Band authentication.

About this task


The azfyubi1_ingest command has the parameters shown in Table 46 on page 145.

Table 46. azfyubi1_ingest Parameters

SCAN
    Iterates over the entire input file, attempts to validate each line as a Yubico format token
    descriptor, and determines whether an IBM MFA record already exists for the parsed token
    Public ID. Must be in uppercase.
INGEST (without COMMIT)
    Includes the SCAN behavior, and reports which IBM MFA record additions would have been made,
    without making them. Must be in uppercase.
INGEST COMMIT
    Includes the SCAN behavior, makes the IBM MFA record additions, and reports which were made.
    Must be in uppercase.
CLEAN (without COMMIT)
    Includes the SCAN behavior, and reports which IBM MFA record deletions would have been made,
    without making them. Must be in uppercase.
CLEAN COMMIT
    Includes the SCAN behavior, makes the IBM MFA record deletions, and reports which were made.
    Must be in uppercase.

Procedure
1. Add the /usr/lpp/IBM/azfv2r2/bin/ directory to your PATH.

export PATH=/usr/lpp/IBM/azfv2r2/bin:${PATH}

2. Run the ./azfyubi1_ingest program with the SCAN parameter and check for errors. The output is
for example purposes and contains only one CSV record.

./azfyubi1_ingest yubikey.csv SCAN


Proceeding in SCAN mode
AZF Yubico OTP Settings:
PKCS#11 Token Name: AZFTOTP.TOKEN
PKCS#11 Key Label: AZFYUBI1.AESKEY

Ingest Utility Results:


Addressed the specified PKCS#11 token: Yes
Addressed the specified key record: Yes

Chapter 21. Configuring Yubico OTP  145


Last PKCS#11 return/reason codes: p11rc=0, p11rsn=0x0
Valid CSV records in input file: 1
Those with PubID already in TKDS: 0
Number of TKDS records written: 0
Number of TKDS records deleted: 0
Total input file lines processed: 1

3. Run the ./azfyubi1_ingest program with the INGEST parameter without the COMMIT parameter
and check for errors.

./azfyubi1_ingest yubikey.csv INGEST


Proceeding in INGEST mode with committing OFF
Skipped attempt to create a new TKDS record for token with
public ID vvjkeehkbkuj
AZF Yubico OTP Settings:
PKCS#11 Token Name: AZFTOTP.TOKEN
PKCS#11 Key Label: AZFYUBI1.AESKEY

Ingest Utility Results:


Addressed the specified PKCS#11 token: Yes
Addressed the specified key record: Yes
Last PKCS#11 return/reason codes: p11rc=0, p11rsn=0x0
Valid CSV records in input file: 1
Those with PubID already in TKDS: 0
Number of TKDS records written: 0
Number of TKDS records deleted: 0
Total input file lines processed: 1

Tip: The following error indicates that you do not have sufficient access to a required CSFSERV or
CRYPTOZ resource profile.

AZFYUBI:AZF9547E Failed to encrypt sensitive AZFYUBI data
Failed to create a new TKDS record for token with public ID vvjkeehkbkuj, input line 1

See “AZF9547E” on page 289 for additional information about this message.
4. Run the ./azfyubi1_ingest program with the INGEST parameter with the COMMIT parameter.

./azfyubi1_ingest yubikey.csv INGEST COMMIT

Proceeding in INGEST mode with committing ON
Added a new TKDS record 0000011C for token with public ID vvjkeehkbkuj
AZF Yubico OTP Settings:
PKCS#11 Token Name: AZFTOTP.TOKEN
PKCS#11 Key Label: AZFYUBI1.AESKEY

Ingest Utility Results:


Addressed the specified PKCS#11 token: Yes
Addressed the specified key record: Yes
Last PKCS#11 return/reason codes: p11rc=0, p11rsn=0x0
Valid CSV records in input file: 1
Those with PubID already in TKDS: 0
Number of TKDS records written: 1
Number of TKDS records deleted: 0
Total input file lines processed: 1

Completing the self-enrollment


Allowing users to self-enroll their YubiKey token on the web enrollment page lets you activate users for
Yubico OTP authentication. Use the self-enrollment process when you do not need to control which user
has which specific YubiKey token.

About this task


Note: As described in the YubiKey documentation, the Yubico OTP generated by the YubiKey token
represents a single authentication factor. It is recommended that you use Yubico OTP together with
compound in-band authentication or with another factor in IBM MFA Out-of-Band authentication.

Procedure
1. Add the /usr/lpp/IBM/azfv2r2/bin/ directory to your PATH.

export PATH=/usr/lpp/IBM/azfv2r2/bin:${PATH}

2. Create an input file in the following format to provision users for Yubico OTP:

user-name policy-name AZFYUBI1
user-name policy-name AZFYUBI1
user-name policy-name AZFYUBI1
user-name policy-name AZFYUBI1
user-name policy-name AZFYUBI1

There are many ways to accomplish this step, depending on your environment. For example, you can
edit z/OS UNIX files by using the TSO/E OEDIT command to invoke ISPF File Edit or by selecting File
Edit on the ISPF menu, if it is installed. In a shell, you can use the ed and sed editors for editing z/OS
UNIX files. You can use the oedit shell command to invoke ISPF File Edit.
If you are using TSO/E OMVS, you can use OEDIT to create a new file or edit an existing one.
For example:

USERA YUBI1 AZFYUBI1
USERB YUBIONLY AZFYUBI1
USERC YUBIONLY AZFYUBI1
USERD YUBIONLY AZFYUBI1
USERE YUBIONLY AZFYUBI1
USERF YUBIONLY AZFYUBI1

3. Run the azfbulk program without the COMMIT parameter.

azfbulk input-file

4. Check the resulting azfprov1.sh file for errors. azfprov1.sh invokes azfbulkcmd.sh, which
allows you to make any needed customizations if you are using an ESM other than RACF. No changes
to azfbulkcmd.sh are required if you are using RACF.
Important: azfbulk generates an azfprov2.sh file that is not needed or functional in this
workflow. Do not run the azfprov2.sh file.
5. Correct any errors in your input file and re-run azfbulk. Repeat as needed.
6. When you are satisfied with the azfprov1.sh script, run the azfbulk program with the COMMIT
parameter.

azfbulk input-file COMMIT

7. Run the azfprov1.sh shell script.

sh azfprov1.sh

8. Instruct the user to insert the YubiKey into a USB port on their Windows system.
9. Instruct the user to launch the YubiKey Enrollment page:
Note: Enable YubiKey Enrollment must be set to Y, as described in “Configure IBM MFA web services
started task” on page 41.

https://server-name:port/AZFYUBI1/enroll

Instruct the user to provide their user name and password, and tap the YubiKey to generate an OTP in
the YubiKey OTP field. Remind the users that a YubiKey token in Configuration Slot 2 requires the long
press.
The user receives a message that the YubiKey was associated with their account.

Information
Your YubiKey device was successfully associated with your account.

10. Enter the following command to display IBM MFA information for a user profile. Note that the
REGSTATE changes to CONFIRMED and the factor state changes to ACTIVE. (The key material is for
example purposes only.)

LISTUSER [Login ID] MFA

FACTOR = AZFYUBI1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:CONFIRMED
SERIAL:6489515
PUBNAME:lcefiedkcvjcfdvgirifrvcndbgvkfdj
PRIVID:i2l2hzz4mCqbkZPtyrxYJKDuBx3R37lakyk/y6uc9HY=
SECRET:CfWgi/DhJXxgWF1ko9OATQxT+4OxO6LtLVPxw3IQKruqhubXIBqU2wIPZCBu3Ymf
CREATED:2018-07-31T18:40:00
MODIFIED:1535468661
YKCTR:9
YKUSE:2
YKTSL:43480
YKTSH:106

11. If needed, enter the following commands to deactivate a user for Yubico OTP:

ALU [Login ID] MFA(FACTOR(AZFYUBI1) NOACTIVE)

Enrolling tokens for users


Enroll the tokens for users when you need to control which user has which specific YubiKey token. This
method does not require the IBM MFA web services started task.

Before you begin


Note: Ensure that you have the following access, as described in Chapter 9, “Configuring a PKCS#11
token,” on page 31.
• UPDATE access to IRR.RFACTOR.USER in the FACILITY class.

About this task


Note: As described in the YubiKey documentation, the Yubico OTP generated by the YubiKey token
represents a single authentication factor. It is recommended that you use Yubico OTP together with
compound in-band authentication or with another factor in IBM MFA Out-of-Band authentication.

Procedure
1. Add the /usr/lpp/IBM/azfv2r2/bin/ directory to your PATH.

export PATH=/usr/lpp/IBM/azfv2r2/bin:${PATH}

2. Create a z/OS UNIX file of the following format:

user-name policy-name AZFYUBI1 csv-data
user-name policy-name AZFYUBI1 csv-data
user-name policy-name AZFYUBI1 csv-data

where csv-data is the complete string from the configuration .csv file that you want to assign to this
user.
There are many ways to accomplish this step, depending on your environment. For example, you can
edit z/OS UNIX files by using the TSO/E OEDIT command to invoke ISPF File Edit or by selecting File
Edit on the ISPF menu, if it is installed. In a shell, you can use the ed and sed editors for editing z/OS
UNIX files. You can use the oedit shell command to invoke ISPF File Edit.

For example, if you are using TSO/E OMVS, you can use OEDIT to create a new file or edit an existing
one.
Note: If you open the .csv file on a Windows system to copy the csv-data string, open the file in a
text editor. The default Windows application association might be different.
For example:

USERA YUBIPOL AZFYUBI1 "7699966,tvhcjlhgucln,ba29fe0f63b4,3ae7fa1cd82885153a2ae8dea864a22b,000000000000,2018-08-23T16:06:21,"
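
Copying the csv-data string by hand for each user is where this workflow usually goes wrong: a serial
that is not in the file, the same token pasted for two users, or a record mangled by a spreadsheet. The
following Go program is an added example, not an IBM MFA utility. It generates the azfbulk input file
for this enrollment-by-administrator flow from the .csv file and a user-to-serial list, refuses to
produce any output when a serial is unknown or assigned twice, rejects user IDs longer than the
8 characters RACF allows, and reports the tokens that nobody received so spare key material can be
accounted for. The embedded .csv holds the record from this page plus two constructed ones; the user
IDs, the YUBIPOL policy name and the serials are likewise constructed. The self-enrollment flow earlier
in this chapter uses the same line without the quoted csv-data field.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Assignment pairs a z/OS user ID and IBM MFA policy name with the serial number
// printed on the YubiKey handed to that user.
type Assignment struct{ User, Policy, Serial string }

// tokensBySerial indexes the .csv by its first field (the serial) and keeps each
// record verbatim, because azfbulk wants the complete string as csv-data.
func tokensBySerial(csvText string) (map[string]string, error) {
	bySerial := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(csvText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		serial := strings.SplitN(line, ",", 2)[0]
		if _, dup := bySerial[serial]; dup {
			return nil, fmt.Errorf("serial %s appears twice in the .csv", serial)
		}
		bySerial[serial] = line
	}
	return bySerial, nil
}

// checkUser applies the RACF user ID rule that matters here: 1 to 8 characters,
// no whitespace or quotes, upper-cased as RACF stores it.
func checkUser(user string) (string, error) {
	u := strings.ToUpper(strings.TrimSpace(user))
	if len(u) == 0 || len(u) > 8 || strings.ContainsAny(u, " \t\"") {
		return "", fmt.Errorf("%q is not a valid RACF user ID", user)
	}
	return u, nil
}

// BuildAdminEnrollInput emits one azfbulk line per assignment in the form
//   user-name policy-name AZFYUBI1 "csv-data"
// and the serials of tokens nobody received. It returns an error instead of output
// if a serial is unknown or a token is assigned to two users.
func BuildAdminEnrollInput(csvText string, assign []Assignment) ([]string, []string, error) {
	bySerial, err := tokensBySerial(csvText)
	if err != nil {
		return nil, nil, err
	}
	owner := map[string]string{}
	var lines []string
	for _, a := range assign {
		u, err := checkUser(a.User)
		if err != nil {
			return nil, nil, err
		}
		rec, ok := bySerial[a.Serial]
		if !ok {
			return nil, nil, fmt.Errorf("user %s: serial %s is not in the .csv", u, a.Serial)
		}
		if prev, taken := owner[a.Serial]; taken {
			return nil, nil, fmt.Errorf("serial %s assigned to both %s and %s", a.Serial, prev, u)
		}
		owner[a.Serial] = u
		lines = append(lines, fmt.Sprintf("%s %s AZFYUBI1 \"%s\"", u, a.Policy, rec))
	}
	var unassigned []string // spare key material that still has to be accounted for
	for serial := range bySerial {
		if _, used := owner[serial]; !used {
			unassigned = append(unassigned, serial)
		}
	}
	sort.Strings(unassigned)
	return lines, unassigned, nil
}

// sampleCSV is constructed input: the first record is the one shown on the page,
// the other two are made up for this example.
const sampleCSV = `7699966,tvhcjlhgucln,ba29fe0f63b4,3ae7fa1cd82885153a2ae8dea864a22b,000000000000,2018-08-23T16:06:21,
7699967,ncvuhctelkfj,1c9e0a8f4b21,0f1e2d3c4b5a69788796a5b4c3d2e1f0,000000000000,2018-08-23T16:07:02,
7699968,dgbfrtkneicl,5a5a5a5a5a5a,00112233445566778899aabbccddeeff,000000000000,2018-08-23T16:07:40,
`

func main() {
	assign := []Assignment{{"USERA", "YUBIPOL", "7699966"}, {"userb", "YUBIPOL", "7699967"}}
	lines, spare, err := BuildAdminEnrollInput(sampleCSV, assign)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(lines, "\n"))
	fmt.Println("tokens not yet assigned:", spare)
	_, _, err = BuildAdminEnrollInput(sampleCSV, append(assign, Assignment{"USERC", "YUBIPOL", "7699966"}))
	fmt.Println("rejected:", err)
}
```

Write the returned lines to the z/OS UNIX input file and run azfbulk without COMMIT as in Step 3; the
generated file is only as trustworthy as the .csv it came from, so keep it under the same access controls.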

3. Run the azfbulk program without the COMMIT parameter.

azfbulk input-file

4. Check the resulting azfprov1.sh and azfprov2.sh files for errors. azfprov1.sh invokes
azfbulkcmd.sh, which allows you to make any needed customizations if you are using an ESM
other than RACF. No changes to azfbulkcmd.sh are required if you are using RACF.
5. Correct any errors in your input file and re-run azfbulk. Repeat as needed.
6. When you are satisfied with the azfprov1.sh and azfprov2.sh scripts, run the azfbulk program
with the COMMIT parameter. (COMMIT must be in uppercase.)

azfbulk input-file COMMIT

7. Run the azfprov1.sh shell script.

sh azfprov1.sh

ALU USER MFA(FACTOR(AZFYUBI1) NOACTIVE NOPWFALLBACK NOTAGS)
ALU USER MFA(FACTOR(AZFYUBI1) TAGS(REGSTATE:OPEN))
ALU USER MFA(ADDPOLICY(YUBIPOL))

8. Run the azfprov2.sh shell script.

sh azfprov2.sh

Existing AZFYUBI1 tag data for user USER:
REGSTATE: OPEN
SERIAL: (not set)
PUBNAME: (not set)
PRIVID: (not set)
SECRET: (not set)
CREATED: (not set)
MODIFIED: 0
YKCTR: 0x00
YKUSE: 0x0
YKTSL: 0x00
YKTSH: 0x0
Parsed CSV successfully; pending AZFYUBI1 tag data for user USER:
REGSTATE: WANTSYNC
SERIAL: 7699966
PUBNAME: vvtvvrdfgtne
PRIVID: OaGKIt1QL/KZu/IcgUsizsP90UfzBPfaXJcnE/PelL4=
SECRET: d1cNHlipJ1XKdYWKwwZEH4qQJKVN7wS7t/8ElKwnx7GnYJZq+/nqsxIOfn5VuOYK
CREATED: 2020-01-24T11:39:38
MODIFIED: 0
YKCTR: 0x00
YKUSE: 0x0
YKTSL: 0x00
YKTSH: 0x0
Committed AZFYUBI1 factor data for USER.

9. Instruct the user to insert the YubiKey into a USB port on their Windows system.
10. Instruct the user to log in to the z/OS application and tap the YubiKey to generate an OTP in the
password field. Remind the users that a YubiKey token in Configuration Slot 2 requires the long press.
11. Enter the following command to display IBM MFA information for a user profile. Note that the
REGSTATE changes to CONFIRMED and the factor state changes to ACTIVE. (The key material is for
example purposes only.)

LISTUSER [Login ID] MFA

FACTOR = AZFYUBI1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:CONFIRMED
SERIAL:7699966
PUBNAME:vvtvvrdfgtne
PRIVID:OaGKIt1QL/KZu/IcgUsizsP90UfzBPfaXJcnE/PelL4=
SECRET:d1cNHlipJ1XKdYWKwwZEH4qQJKVN7wS7t/8ElKwnx7GnYJZq+/nqsxIOfn5VuOYK
CREATED:2020-01-24T11:39:38
MODIFIED:1579894287
YKCTR:1
YKUSE:1
YKTSL:24519
YKTSH:78

12. If needed, enter the following commands to deactivate a user for Yubico OTP:

ALU [Login ID] MFA(FACTOR(AZFYUBI1) NOACTIVE)

Chapter 22. Configuring IBM MFA generic RADIUS to
authenticate with IBM Security Verify
You can configure generic RADIUS to work with IBM Security Verify. In this configuration, you use the
IBM Verify Gateway for RADIUS application on a Windows server or desktop system as the gateway that
connects IBM MFA for generic RADIUS to IBM Security Verify.

Overview
IBM Security Verify helps you secure user productivity with cloud-delivered Single Sign On (SSO),
multifactor authentication, and identity governance. It comes with thousands of prebuilt connectors to
help you quickly provide access to popular SaaS apps, and prebuilt templates to help integrate in-house
apps.
You can configure IBM MFA with generic RADIUS to work with the trial version of IBM Security Verify.
To understand how the various components work together, consider the following broad outline. The
steps are described in detail in the sections that follow.
1. Use an existing or new IBM account to start a trial of IBM Security Verify. Your IBM account becomes
the administrator account you use to create an IBM Security Verify hostname, configure an API client,
and add IBM Security Verify user accounts.
2. Install the IBM Verify Gateway for RADIUS application on a Windows server or desktop system.
Edit its configuration file to identify the IBM Security Verify hostname you created, the LPAR
or system where IBM MFA generic RADIUS is configured, and the shared secret you want IBM Verify
Gateway for RADIUS and IBM MFA generic RADIUS to use.
3. Configure IBM MFA generic RADIUS on the LPAR or system to specify the hostname or IP address of
the Windows system where IBM Verify Gateway for RADIUS is running.
4. Configure the IBM MFA generic RADIUS user with the IBM Security Verify user name in
TAGS(RADUSERID:CLOUD-ID).
5. When the user logs in using IBM MFA generic RADIUS, the user specifies their IBM Security Verify
password.

Starting a trial of IBM Security Verify


To start a trial of IBM Security Verify, you use a new or existing IBM account to log in. The trial is then
associated with this IBM account. You use this IBM account to create an IBM Security Verify hostname,
configure an API client, and add IBM Security Verify user accounts.

Procedure
1. Open the Try IBM Security Verify page https://www.ibm.com/account/reg/us-en/signup?formid=urx-30041
in a browser.
If you already have an IBM account, click Log in.
Otherwise, fill in your account information and click Start Your Free Edition and respond to the
verification email.
In both cases, you receive a verification email. Your IBM account is added to the IBM Security Verify
admin group for the hostname you configure.
2. On the IBM Security Verify Connect Registration page, enter a host name. The hostname you specify is
then used in a URL of the form https://hostname.ice.ibmcloud.com.
3. Click Start Trial.
4. The https://hostname.ice.ibmcloud.com/ui/admin page is displayed.

© Copyright IBM Corp. 2016, 2022 151


What to do next
Tip: If at a future time you need to log back in to https://hostname.ice.ibmcloud.com, you are presented
with a login choice:

IBM Security Verify
  Sign in with Cloud Directory
    User name
    Password
  Sign in with IBMid

• If you sign in with your IBMid, the https://hostname.ice.ibmcloud.com/usc/applications IBM Security
Verify page is displayed. You can select Switch to admin to perform administrative functions.
• Signing in with Cloud Directory is for the IBM Security Verify users you create. This is a user-level
login with limited functionality.
Note: You can optionally create an IBM Security Verify user and add that user to the Admin user group if
you choose.

Configuring an IBM Security Verify API client


Configure an IBM Security Verify API client to authenticate IBM Security Verify users.

About this task


The steps to configure an IBM Security Verify API client are described in
https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/tasks/t_gateway_config.html
and are summarized here for your convenience.

Procedure
1. Open the https://hostname.ice.ibmcloud.com/ui/admin page. If the page does not open directly to the
Admin page, click the person icon in the top right portion of the page and select Switch to admin.
2. Click the menu icon in the top left corner of the page.
3. Click Settings.
4. Click API Access.
5. Click Add API Client.
6. In the popup window, enter a name of your choice for the client, such as IBM MFA RADIUS.
7. Click (set) the following check boxes:
• Authenticate any user
• Manage second-factor authentication enrollment for all users
• Manage users and standard groups
• Read second-factor authentication enrollment for all users
• Read second-factor authentication method configuration
• Read users and groups
8. Click Save.

Configuring IBM Security Verify Users


Configure users who will use IBM Security Verify when logging in with IBM MFA with generic RADIUS.

Procedure
1. Open the https://hostname.ice.ibmcloud.com/ui/admin page. If the page does not open directly to the
Admin page, click the person icon in the top right portion of the page and select Switch to admin.

2. Click the menu icon in the top left corner of the page.
3. Click Users and Groups.
4. The Users and Groups page is displayed. Your IBM account is listed as the first user.
5. Click Add.
6. Complete all fields. For Identity Source, select Cloud Directory.
Note: The phone number must include the country code prefix (+<country_code>).
7. Verify that Enabled is on.
8. Verify that Email new account is on.
9. Click Save.
10. Add additional users as needed.

What to do next
The user receives an IBM Security "Account Created" email and is instructed to click the link to log in to
https://hostname.ice.ibmcloud.com/ui.
The user must log in with IBM Security Verify and change their password.
Important: The user will need to use this password when logging in to IBM MFA with generic RADIUS.

Configuring IBM Security Verify authentication factors


Configure the authentication factors that IBM Security Verify users will be able to use.

Procedure
1. Open the https://hostname.ice.ibmcloud.com/ui/admin page. If the page does not open directly to the
Admin page, click the person icon in the top right portion of the page and select Switch to admin.
2. Click the menu icon in the top left corner of the page.
3. Click Security.
4. The Authentication Factors page is displayed.
5. Verify that the following authentication factors are enabled:
• Email One-Time Password.
• SMS One-Time Password
• Time-Based One-Time Password
• IBM Verify Authentication
6. Click Save if you make any changes.

Configuring IBM Verify Gateway for RADIUS


You install and configure IBM Verify Gateway for RADIUS on a Windows server or desktop system as the
gateway that connects IBM MFA for generic RADIUS to IBM Security Verify.

Before you begin


Important: For the best outcome, you should install IBM Verify Gateway for RADIUS on a Windows
system with a static IP address.
The Windows server or desktop system requires network connectivity to the IBM Security Verify
hostname, by default on port 443. Ensure that your network firewall allows access to this port. If you
are unsure, ask your network administrator.
Configuring the IBM Verify Gateway for RADIUS server is described in
https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/tasks/t_gateway_config.html.
This section summarizes the steps for your convenience. See that page for complete details.

Procedure
1. From a Windows server or desktop system, navigate to https://exchange.xforce.ibmcloud.com/hub/
extension/cb468c6c4539fad9c64eff7a1b107e86 in a browser and download IBM Verify Gateway for
RADIUS.
2. Extract the files from the downloaded .zip file and run setup.exe to install IBM Verify Gateway for
RADIUS on the Windows server or desktop system.
3. Open the https://hostname.ice.ibmcloud.com/ui/admin page. If the page does not open directly to the
Admin page, click the person icon in the top right portion of the page and select Switch to admin.
4. Click the menu icon in the top left corner of the page.
5. Click Settings.
6. Click API Access.
7. Locate your API client in the list and hover the end of the row to display the edit icon.
8. Click the edit icon. The API client information is displayed.
9. Copy the Client ID and Secret to the clipboard (one at a time) and save the information, or click the
eye icon to view the Client ID and secret and save the information. You will need this information
when you edit the IbmRadiusConfig.json configuration file in Step “11” on page 154.
10. Click Cancel. No changes are necessary.
11. Edit the IbmRadiusConfig.json configuration file in the installation directory on your Windows
system where you installed IBM Verify Gateway for RADIUS.
12. Substitute the question marks (?) as shown in the following example:

{
  "address":"::",
  "port":1812,                                      a
  /* "trace-file":"c:/tmp/ibm-auth-api.log", */     b
  "ibm-auth-api":{
    "client-id":"??????",                           c
    "client-secret":"??????",                       d
    "protocol":"https",
    "host":"??????.ice.ibmcloud.com",               e
    "port":443,                                     f
    "max-handles":16
  },
  "clients":[
    {
      "name":"??????",                              g
      "address": "??????",                          h
      "secret":"??????",                            i
      "auth-method":"password"                      j
    },

Callout Notes:
a. Remember this port, 1812: you will need it when you configure the IBM MFA generic RADIUS
panel. If generic RADIUS and SafeNet RADIUS both use the same IP address, you can specify a
different port number here.
b. Uncomment this entry and specify a location to create a log file for debugging purposes.
c. Specify the client ID you copied in Step “9” on page 154.
d. Specify the client secret you copied in Step “9” on page 154.
e. Specify the IBM Security Verify hostname you created.
f. This is the port on the IBM Security Verify host that your Windows system connects to (443 by
default). Your Windows system must be able to establish outbound connections to this port.
g. Specify the LPAR or system name where IBM MFA generic RADIUS is configured.
h. Specify the LPAR or system IP address where IBM MFA generic RADIUS is configured.
i. Specify the shared secret you want IBM Verify Gateway for RADIUS and IBM MFA generic
RADIUS to use. Remember this secret: you will need it when you configure the IBM MFA generic
RADIUS panel.
j. See the sections that follow for information on the specific authentication methods.
13. Save the changes.
Tip: If the shared secret is not the same in IBM Verify Gateway for RADIUS and the generic RADIUS panel,
a message similar to the following is logged in the IBM Verify Gateway for RADIUS log file:

["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"400","detail":
"CSIAI0160E Authentication failed.","scimType":"INVALID_CREDS"}
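
The reason a mismatched secret surfaces as an IBM Security Verify authentication failure rather than a
RADIUS error is how RFC 2865 carries the password. The User-Password attribute is the password XORed
with an MD5 keystream derived from the shared secret and the per-request Request Authenticator, and
unless the client adds a Message-Authenticator attribute (RFC 2869) an Access-Request carries no
integrity check of its own. A gateway holding a different secret therefore unwraps the attribute without
complaint and forwards the resulting bytes to IBM Security Verify as the password, which is what the
INVALID_CREDS response above reflects. The Go program below is an added example, not code from IBM
Verify Gateway for RADIUS or IBM MFA. It implements the transform on both sides and frames a minimal
Access-Request; the secrets, user name and password are constructed.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"fmt"
)

// keystreamBlock is the RFC 2865 section 5.2 block MD5(secret || prev), where prev is
// the Request Authenticator for the first 16 octets and the previous ciphertext block after that.
func keystreamBlock(secret, prev []byte) [16]byte {
	return md5.Sum(append(append([]byte{}, secret...), prev...))
}

// HidePassword produces the User-Password attribute value: the password is zero-padded
// to a multiple of 16 octets (at most 128) and XORed block by block with the keystream.
func HidePassword(secret, authenticator, password []byte) ([]byte, error) {
	if len(authenticator) != 16 {
		return nil, fmt.Errorf("request authenticator must be 16 octets, got %d", len(authenticator))
	}
	if len(password) == 0 || len(password) > 128 {
		return nil, fmt.Errorf("password must be 1..128 octets, got %d", len(password))
	}
	padded := make([]byte, (len(password)+15)/16*16)
	copy(padded, password)
	out := make([]byte, len(padded))
	prev := authenticator
	for i := 0; i < len(padded); i += 16 {
		b := keystreamBlock(secret, prev)
		for j := range b {
			out[i+j] = padded[i+j] ^ b[j]
		}
		prev = out[i : i+16]
	}
	return out, nil
}

// RevealPassword is what the RADIUS server (here, IBM Verify Gateway for RADIUS) does with
// the attribute. With the wrong shared secret it still "succeeds": the result is simply a
// different byte string, which the gateway then presents to IBM Security Verify.
func RevealPassword(secret, authenticator, hidden []byte) ([]byte, error) {
	if len(authenticator) != 16 || len(hidden) == 0 || len(hidden)%16 != 0 {
		return nil, fmt.Errorf("malformed User-Password attribute")
	}
	out := make([]byte, len(hidden))
	prev := authenticator
	for i := 0; i < len(hidden); i += 16 {
		b := keystreamBlock(secret, prev)
		for j := range b {
			out[i+j] = hidden[i+j] ^ b[j]
		}
		prev = hidden[i : i+16] // chain on the ciphertext, exactly as the sender did
	}
	return bytes.TrimRight(out, "\x00"), nil
}

// BuildAccessRequest frames Code 1 (Access-Request) with User-Name (type 1) and
// User-Password (type 2) attributes; userName must be at most 253 octets.
func BuildAccessRequest(id byte, authenticator [16]byte, userName string, hiddenPw []byte) []byte {
	pkt := []byte{1, id, 0, 0} // code, identifier, length (patched below)
	pkt = append(pkt, authenticator[:]...)
	pkt = append(pkt, 1, byte(2+len(userName)))
	pkt = append(pkt, userName...)
	pkt = append(pkt, 2, byte(2+len(hiddenPw)))
	pkt = append(pkt, hiddenPw...)
	pkt[2], pkt[3] = byte(len(pkt)>>8), byte(len(pkt))
	return pkt
}

func main() {
	var auth [16]byte // the client picks a fresh random Request Authenticator per request
	if _, err := rand.Read(auth[:]); err != nil {
		panic(err)
	}
	good, wrong := []byte("correct-horse"), []byte("correct-hors") // constructed secrets
	hidden, _ := HidePassword(good, auth[:], []byte("Passw0rd!"))   // constructed password
	pkt := BuildAccessRequest(42, auth, "USERA", hidden)
	fmt.Printf("Access-Request: %d bytes, User-Password value %x\n", len(pkt), hidden)
	pw, _ := RevealPassword(good, auth[:], hidden)
	bad, _ := RevealPassword(wrong, auth[:], hidden)
	fmt.Printf("gateway with matching secret sees %q; with mismatched secret sees %q\n", pw, bad)
}
```

Two practical consequences follow: the shared secret is the only thing protecting the user's password
on the path from the LPAR to the Windows gateway, so choose a long random value and restrict who can
read IbmRadiusConfig.json; and a secret mismatch will only ever show up downstream, as in the
CSIAI0160E message above, never as a RADIUS-level rejection.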

Configuring IBM Verify Gateway for RADIUS for password authentication


In password authentication, the user provides only their IBM Security Verify password.

Before you begin


The auth-method you set must match the authentication method you set for users in IBM Security
Verify.

Procedure
1. In the installation directory on your Windows system where you installed IBM Verify Gateway for
RADIUS, edit the IbmRadiusConfig.json configuration file to set the auth-method to password:

{
  "address":"::",
  "port":1812,
  "trace-file":"c:/directory-name/ibm-auth-api.log",
  "ibm-auth-api":{
    "client-id":"client-id",
    "client-secret":"client-secret",
    "protocol":"https",
    "host":"hostname.ice.ibmcloud.com",
    "port":443,
    "max-handles":16
  },
  "clients":[
    {
      "name":"hostname.company.com",
      "address": "ip-address",
      "secret":"your-secret",
      "auth-method":"password"
    },

2. Save the changes.


3. When the user logs in, they must use the IBM Security Verify password they chose, as described in
“Configuring IBM Security Verify Users” on page 152.

Configuring IBM Verify Gateway for RADIUS for IBM Verify


In password-and-device, the user provides their IBM Security Verify password plus the authentication
is verified through the IBM Verify application on their mobile device. The user must configure their device
in IBM Security Verify.

Before you begin


The auth-method you set must match the authentication method you set for users in IBM Security
Verify.
The user's device must have connectivity to the IBM Security Verify hostname.

Procedure
1. Instruct the user to install the IBM Verify application on their mobile device.
2. Instruct the user to open https://hostname.ice.ibmcloud.com/ui and log in to their IBM Security Verify
account.
3. Instruct the user to perform the following steps:
a. Click the person icon and click Security settings.
b. Click Add new.
c. Click Next: Connect your account.
d. Launch the IBM Verify application on their mobile device.
e. Choose Use Touch ID.
f. Tap to connect a new account.
g. Scan the QR Code on the IBM Security Verify web page using the device’s camera.
h. Allow IBM Verify to send you notifications.
i. On the IBM Security Verify web page, click Verify.
j. On the device, click the check mark and enter your fingerprint to verify the device.
k. On the IBM Security Verify web page, click Done.
The device is listed on the user's web page under IBM Verify.
4. In the installation directory on your Windows system where you installed IBM Verify Gateway for
RADIUS, edit the IbmRadiusConfig.json configuration file to set the auth-method to password-
and-device:

{
  "address":"::",
  "port":1812,
  "trace-file":"c:/directory-name/ibm-auth-api.log",
  "ibm-auth-api":{
    "client-id":"client-id",
    "client-secret":"client-secret",
    "protocol":"https",
    "host":"hostname.ice.ibmcloud.com",
    "port":443,
    "max-handles":16
  },
  "clients":[
    {
      "name":"hostname.company.com",
      "address": "ip-address",
      "secret":"your-secret",
      "auth-method":"password-and-device"
    },

5. Save the changes.


6. In password-and-device authentication, the login flow is as follows:
a. The user must provide their IBM Security Verify password.
b. The authentication is then verified through the IBM Verify application on the user's mobile device.
The user is prompted as follows:

A push notification has been sent to your device :device-name.
Please refresh your IBM Verify application if you did not receive it.
ENTER MFA INFORMATION:

c. The user must follow the prompts to verify the push notification on their mobile device.
d. The user must enter any single character as the response to the ENTER MFA INFORMATION
prompt and press Enter to continue.
Note: In IBM MFA Out-of-Band authentication, the user must enter any single character in
response to the Response prompt and press Submit.

Tip: When the user attempts to log in, the following error in the IBM Verify Gateway for
RADIUS trace log indicates that the IBM Security Verify authentication factor settings are incorrect:

{"messageId":"CSIAK4300E","messageDescription":"You are not authorized to access this resource."}

See “Configuring IBM Security Verify authentication factors” on page 153 for the correct settings.

Configuring IBM Verify Gateway for RADIUS for SMS message with an OTP
In password-then-transsmsotp, the user provides their IBM Security Verify password. Then, an SMS
message with an OTP value is sent to the phone number in the user's profile. A RADIUS challenge
requests the OTP value.

Before you begin


The auth-method you set (password-then-transsmsotp) must match the authentication method you set for
users in IBM Security Verify.

Procedure
1. In the installation directory on your Windows system where you installed IBM Verify Gateway for
RADIUS, edit the IbmRadiusConfig.json configuration file to set the auth-method to password-
then-transsmsotp:

{
  "address":"::",
  "port":1812,
  "trace-file":"c:/directory-name/ibm-auth-api.log",
  "ibm-auth-api":{
    "client-id":"client-id",
    "client-secret":"client-secret",
    "protocol":"https",
    "host":"hostname.ice.ibmcloud.com",
    "port":443,
    "max-handles":16
  },
  "clients":[
    {
      "name":"hostname.company.com",
      "address": "ip-address",
      "secret":"your-secret",
      "auth-method":"password-then-transsmsotp"
    },

2. Save the changes.


3. In password-then-transsmsotp authentication, the login flow is as follows:
a. The user must provide their IBM Security Verify password.
b. An SMS message with an OTP value is sent to the phone number in the user's profile.

Your passcode is: 9131-963017. It expires in 5 minutes.

c. The user must enter the OTP value, 963017 in this example, in response to the ENTER MFA
INFORMATION prompt and press Enter to continue.

ICH70008I IBM MFA Message:
Enter OTP 9131:963017
IKJ56469I ENTER MFA INFORMATION:

Enter the OTP value in the Password field if TSO pre-prompt is not enabled.

Starting the IBM Verify Gateway for RADIUS service
During the installation, IBM Verify Gateway for RADIUS is configured as a Windows service.

Before you begin


The IBM Verify Gateway for RADIUS service is not started (set to manual start) because you must first edit
the IbmRadiusConfig.json file, as described in “Configuring IBM Verify Gateway for RADIUS” on page
153. After you have edited IbmRadiusConfig.json, start the service and set it to automatically start.

Procedure
1. From a Windows server or desktop system, navigate to the Services setting.
2. Select the IBM RADIUS Service from the list.
3. Right click on IBM RADIUS Service and select Start.
Note: Errors, warnings and informational messages are sent to the Windows Event log. If
the service fails to start, examine the Event Log for possible causes, such as an error
in the IbmRadiusConfig.json file. You can also uncomment the trace-file entry in
IbmRadiusConfig.json and examine the contents of the trace file.
4. Right click on IBM RADIUS Service and select Properties.
5. Set the startup type to Automatic.

Configuring generic RADIUS for IBM Security Verify


You must configure generic RADIUS to use it with IBM Security Verify.

About this task


You configure generic RADIUS as described in Chapter 16, “Configuring IBM MFA for generic RADIUS,” on
page 91, with these specific values:

Procedure
1. Set the Primary Server Host Name to be the host name or IP address of the Windows system
where the IBM Verify Gateway for RADIUS service is running.
2. Set the Primary Server Port to 1812. (This is the default value.)
3. Set the Shared Secret to be the shared secret you configured in “Configuring IBM Verify Gateway
for RADIUS” on page 153.
4. Restart the IBM MFA services and web services started tasks.
5. When you provision a user, specify the username you created in “Configuring IBM Security Verify
Users” on page 152.

ALU <userid> MFA(FACTOR(AZFRADP1) TAGS(RADUSERID:CLOUD-ID) ACTIVE)

158  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization


Chapter 23. Configuring check CTC
You must configure check CTC if you want to use that authentication factor.
The check CTC authentication factor combines elements of IBM MFA Out-of-Band and in-band
authentication. It allows a CTC, obtained via IBM MFA Out-of-Band authentication in one SYSPLEX, to
be used for in-band authentication to additional IBM MFA protected z/OS systems where the CTC would
otherwise be unrecognized.
The check CTC authentication factor is intended for customers with multiple z/OS instances that are not
members of the same SYSPLEX.
In the typical check CTC use case, you configure one or more IBM MFA servers to be the CTC destination
and one or more IBM MFA servers to be the CTC source.
The CTC destination does not perform any authentication on its own, and instead relies on the IBM MFA
CTC source to authenticate the user's IBM MFA Out-of-Band authentication factor data and generate a
CTC. The user then uses the CTC to log in in-band to an application on the CTC destination.
Conceptually, the user generates a CTC out-of-band on the CTC source, and uses that CTC to log in only
in-band on the CTC destination.
You may find this feature to be particularly useful for the following reasons:
• The CTC destination and the CTC source do not need to be in the same SYSPLEX or share the same
RACF database.
• You can have multiple CTC destinations being served by a single CTC source.
• The CTC destination does not require network connectivity to your RSA SecurID, RADIUS, LDAP, or IBM
Security Verify Access system. The CTC destination requires network connectivity only to the IBM MFA
CTC source.
• The user name on the CTC destination and CTC source does not need to be the same.

What you configure on the CTC source


You configure the IBM MFA server you are using as the CTC source just as you would if you were not using
check CTC. The IBM MFA server you are using as the CTC source does not require any check CTC-specific
configuration.

What you configure on the CTC destination


The IBM MFA server you are using as the CTC destination requires a reduced level of configuration
compared to the CTC source:
• Configure the IBM MFA STC configuration attributes as described in “Configure IBM MFA STC
configuration attributes” on page 21. You do not need to configure the IBM MFA web services
configuration attributes.
• Configure the check CTC authentication factor, as described in “Configure check CTC” on page 161.
• Configure an AT-TLS profile, as described in “Configure an AT-TLS profile” on page 36.
• Start the IBM MFA services started task after TCP/IP and PAGENT have started successfully and all
TCP/IP-related services such as the resolver are running and fully initialized.

What you do not need to configure on the CTC destination


On the IBM MFA server you are using as the CTC destination you do not need to configure the following:
• Any other authentication factors or any authentication policies.
• The IBM MFA web services started task.
• A PKCS#11 token.

© Copyright IBM Corp. 2016, 2022 159

Additional RACF administration steps for check CTC


You must perform RACF administration steps on the CTC destination for check CTC.

Define a resource profile in MFADEF class


You define IBM MFA factors by creating a general resource profile for the factor name in the
MFADEF class. To define a factor for check CTC, use RDEFINE to create a resource profile named
FACTOR.AZFCKCTC in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFCKCTC OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFCKCTC

Define a resource profile in FACILITY class


To define authorization to execute the panels for check CTC administration, use RDEFINE to create a
resource profile named IRR.RFACTOR.MFADEF.AZFCKCTC in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFCKCTC OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the change. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFCKCTC

Authorize access to IRR.RFACTOR.MFADEF.AZFCKCTC profile


Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFCKCTC profile.

Procedure
1. Allow the access shown in Table 47 on page 160:

Table 47. Required levels of permission


Permission Access
READ Able to view configuration options, but may not
update, create, or delete parameters.
UPDATE, CONTROL, ALTER Able to create, update, delete, and view
configuration options.

160  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization


For example:

PERMIT IRR.RFACTOR.MFADEF.AZFCKCTC ACCESS(ALTER) CLASS(FACILITY) ID(user-id)


SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Additional system programming steps for check CTC


After you perform the RACF administration tasks, you must perform additional system programming tasks
on the CTC destination to define check CTC parameters.

Configure check CTC


You must configure the check CTC settings on the CTC destination if you want to use check CTC.

About this task


Configuration data for check CTC is stored in the RACF database. The configuration data includes settings
related to the AZFCKCTC authentication factor.

Procedure
1. Execute AZFEXEC and choose AZFCKCTC.
2. Provide the following:

Table 48. AZFCKCTC Factor Attributes

Primary Server URL
Allowed values: https://hostname:port/checkCTC
Enter the hostname (or IP address) and port used by the IBM MFA web services started task on the
primary IBM MFA CTC source, appended with /checkCTC. The hostname must be sufficiently qualified for
web clients to resolve the hostname. Must be set.

Secondary Server URL
Allowed values: https://hostname:port/checkCTC
Enter the hostname (or IP address) and port used by the IBM MFA web services started task on the
secondary IBM MFA CTC source, appended with /checkCTC. This is required only if you have multiple
servers. The hostname must be sufficiently qualified for web clients to resolve the hostname.

Tertiary Server URL
Allowed values: https://hostname:port/checkCTC
Enter the hostname (or IP address) and port used by the IBM MFA web services started task on the
tertiary IBM MFA CTC source, appended with /checkCTC. This is required only if you have multiple
servers. The hostname must be sufficiently qualified for web clients to resolve the hostname.

Timeout
Allowed values: Number of seconds, from 1 through 180
The amount of time the connection between the IBM MFA destination server and the CTC source can
remain inactive before the session is timed out. The default is 5.

Initial Trace Level
Allowed values: 0 through 3
Choose the initial trace level. Valid values are 0 through 3, where the higher number increases the level
of verbosity. The default is 0.
3. See “Configure IBM MFA Compound In-Band” on page 164 for information about configuring IBM MFA
Compound In-Band.
4. Press F3 to save your changes and exit.
5. Configure an AT-TLS profile, as described in “Configure an AT-TLS profile” on page 36.
6. If needed, add the root CA public certificate of the IBM MFA CTC source as a CERTAUTH in the z/OS
keyring you created in “Configure an AT-TLS profile” on page 36.
7. Configure an AT-TLS outbound rule. The rule must allow the IBM MFA services AZF#IN00 started task
to negotiate the client side of a server-authentication TLS connection with the IBM MFA server that
generates the CTC. The HandshakeRole role is Client.
Note: This is an example fragment. See SYS1.SAZFSAMP(AZFTTLSX) for sample AT-TLS rule
definitions for IBM MFA.

TTLSRule AZFClientRule
{
Jobname AZF*                                   a
LocalAddr ALL
RemoteAddr ALL
RemotePortRange ?outboundPort?                 c
Direction Outbound                             b
Priority 255
TTLSEnvironmentActionRef eActAZFClient
TTLSGroupActionRef AZFGroupAction1
TTLSConnectionActionRef AZFConnAction1
}

TTLSKeyringParms AZFClientKeyringParms
{
Keyring ?clientRingName?
}

TTLSGroupAction AZFGroupAction1
{
TTLSEnabled On
Trace 255
}

TTLSEnvironmentAction eActAZFClient
{
HandshakeRole Client                           d
EnvironmentUserInstance 1
TTLSKeyringParmsRef AZFClientKeyringParms
Trace 255
TTLSEnvironmentAdvancedParmsRef eAdvAZFClient
}

TTLSConnectionAction AZFConnAction1
{
TTLSCipherParmsRef AZFCipherParms
TTLSConnectionAdvancedParmsRef AZFConnAdvParms1
CtraceClearText Off
Trace 255
}

TTLSEnvironmentAdvancedParms eAdvAZFClient
{
ApplicationControlled Off
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
TLSv1.2 On
TLSv1.3 On
}

TTLSConnectionAdvancedParms AZFConnAdvParms1
{
ApplicationControlled Off
SecondaryMap Off
}

TTLSCipherParms AZFCipherParms
{
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}

Callout Notes:
a. The rule allows the IBM MFA services started task to negotiate the client side of a server-
authentication TLS connection.
b. This rule specifies an outbound connection.
c. The port is the port used by the IBM MFA web services started task on the IBM MFA CTC source.
d. The HandshakeRole role is Client.

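The following is an added example, not code from IBM MFA, that models the part of the CTC destination's behaviour that Table 48 defines: an ordered primary/secondary/tertiary list of /checkCTC URLs, a Timeout in the 1 through 180 second range, and the ALTUSERID mapping from the destination user ID to the user name on the CTC source. The wire format of the /checkCTC endpoint is not documented on this page, so the transport is a stand-in callable (you would replace it with an HTTPS client running under the AT-TLS outbound rule above); the host names, CTC values and the "skip a source that does not answer, trust the first that does" policy are assumptions.

```python
"""Constructed model of a check CTC destination consulting its CTC sources.

Added illustration, not product code: the /checkCTC request and response
format is not documented here, so `transport` is a stand-in for the HTTPS
client. The server ordering, timeout range and ALTUSERID mapping follow
Table 48 and the ALTUSER procedure in this chapter.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class SourceUnavailable(Exception):
    """Raised by a transport when a CTC source cannot be reached in time."""


# transport(url, source_userid, ctc, timeout_seconds) -> True if the source says
# the CTC is valid for that user, False if it says it is not; raises
# SourceUnavailable if the source did not answer.
Transport = Callable[[str, str, str, int], bool]


@dataclass(frozen=True)
class CheckCtcConfig:
    """The AZFCKCTC attributes from Table 48."""
    primary_url: str
    secondary_url: Optional[str] = None
    tertiary_url: Optional[str] = None
    timeout_seconds: int = 5          # Table 48 default; allowed 1 through 180

    def __post_init__(self) -> None:
        if not 1 <= self.timeout_seconds <= 180:
            raise ValueError("Timeout must be from 1 through 180 seconds")
        if not self.primary_url:
            raise ValueError("Primary Server URL must be set")
        for url in self.urls():
            # Table 48: https://hostname:port/checkCTC
            if not (url.startswith("https://") and url.endswith("/checkCTC")):
                raise ValueError(f"expected https://hostname:port/checkCTC, got {url}")

    def urls(self) -> List[str]:
        """Sources in the order they are tried; unset secondary/tertiary are skipped."""
        return [u for u in (self.primary_url, self.secondary_url, self.tertiary_url) if u]


def verify_ctc(config: CheckCtcConfig, source_userid: str, ctc: str,
               transport: Transport) -> bool:
    """Ask the CTC sources in order whether `ctc` is valid for `source_userid`.

    Assumption (not stated on the page): a source that does not answer within
    the timeout is skipped, and the first source that does answer is
    authoritative, so a rejected CTC is not retried at the next source.
    """
    last_error: Optional[Exception] = None
    for url in config.urls():
        try:
            return transport(url, source_userid, ctc, config.timeout_seconds)
        except SourceUnavailable as exc:
            last_error = exc
    raise SourceUnavailable(f"no CTC source answered: {last_error}")


def destination_logon(dest_userid: str, altuserid_tags: Dict[str, str], ctc: str,
                      config: CheckCtcConfig, transport: Transport) -> bool:
    """In-band logon on the CTC destination.

    `altuserid_tags` stands for the ALTUSERID tag set by
    ALU <id> MFA(FACTOR(AZFCKCTC) ACTIVE TAGS(ALTUSERID:<source user>)).
    A user without the tag is not activated for AZFCKCTC and is refused here
    (password fallback is outside this model).
    """
    source_userid = altuserid_tags.get(dest_userid)
    if source_userid is None:
        return False
    return verify_ctc(config, source_userid, ctc, transport)


def make_fake_transport(sources: Dict[str, Dict[Tuple[str, str], bool]]) -> Transport:
    """Constructed stand-in for the HTTPS transport.

    `sources` maps a /checkCTC URL to the (user, ctc) pairs it would accept;
    a URL missing from the dict behaves as a source that is down.
    """
    def transport(url: str, userid: str, ctc: str, timeout_seconds: int) -> bool:
        if url not in sources:
            raise SourceUnavailable(f"{url} gave no answer within {timeout_seconds}s")
        return sources[url].get((userid, ctc), False)
    return transport


# Constructed sample: the primary source is down, the secondary knows ALICE's CTC.
SAMPLE_CONFIG = CheckCtcConfig(
    primary_url="https://mfa-src1.example.com:6789/checkCTC",
    secondary_url="https://mfa-src2.example.com:6789/checkCTC",
)
SAMPLE_TRANSPORT = make_fake_transport({
    "https://mfa-src2.example.com:6789/checkCTC": {("ALICE", "CTC-VALUE-1"): True},
})
# Destination user ALICE2 is mapped to source user ALICE via the ALTUSERID tag.
SAMPLE_TAGS = {"ALICE2": "ALICE"}
```

Calling destination_logon("ALICE2", SAMPLE_TAGS, "CTC-VALUE-1", SAMPLE_CONFIG, SAMPLE_TRANSPORT) fails over from the unreachable primary to the secondary and succeeds; a user without an ALTUSERID tag, or a CTC the source does not recognise, is refused, and when every configured source is down the logon raises rather than silently failing open.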
Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

About this task


Important: Start the IBM MFA services started task on the CTC destination before applications that use
IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password.
In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

2. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.

Configure IBM MFA Compound In-Band
Configure IBM MFA Compound In-Band authentication only if you require the user to authenticate in-band
with a combination of a CTC obtained for check CTC and a passphrase or password.

About this task


Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for
the AZFCKCTC factor.
If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to
change a password using in-band authentication. IBM recommends that you use identity tokens to
change passwords. See Chapter 29, “Changing a user password with an identity token,” on page 187 for
information about using identity tokens.
The z/OS application must support passphrases. IBM MFA Compound In-Band does not support
applications that are limited to an 8-character password. This is required because IBM MFA Compound
In-Band concatenates the IBM MFA credential (for check CTC, the CTC) with the passphrase or password,
separated by a valid separator, and stores the result in the passphrase field.

Procedure
1. Execute AZFEXEC.
2. Choose AZFCKCTC.
3. On the AZFCKCTC factor attributes panel, configure the following attributes:
• Set Enable Compound In-band Authentication to Y.
• Choose whether you want the IBM MFA credential to be entered before or after the RACF credential.
The IBM MFA credential first is the default.
Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
• Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default.
Possible values are shown in Table 49 on page 164. (FTP cannot use the forward slash (/) or
the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character
restrictions.)
Note: Encodings are shown for code page IBM-1047.

Table 49. Valid Separator Characters

Character Name                  Character   Hexadecimal (for reference)
Plus sign                       +           4e
Less than sign                  <           4c
Equal sign                      =           7e
Greater than sign               >           6e
Ampersand                       &           50
Straight single quotation mark  '           7d
Left parenthesis                (           4d
Right parenthesis               )           5d
Comma                           ,           6b
Underscore                      _           6d
Hyphen                          -           60
Period                          .           4b
Slash right                     /           61
Colon                           :           7a
Semicolon                       ;           5e
Question mark                   ?           6f
Percent                         %           6c
Asterisk                        *           7f
Double quotation mark           "           5c
Vertical bar                    |           4f
4. Save the changes.
5. Restart the IBM MFA AZF#IN00 services started task.
6. Instruct the user to enter their CTC obtained from the CTC source, the required separator, and their
passphrase or password for the CTC destination in the password field, based on the credential order
you selected. For example:

CTC:CTC-destination-passphrase

Tip: To prevent confusion, ensure that you tell users to use their destination system passphrase or
password.

Administration and operation steps for check CTC


Follow the steps in this section to provision users and start up and administer check CTC on the CTC
destination.

Activate and deactivate users for check CTC


You use the ALTUSER or ALU command to activate users for AZFCKCTC.

Procedure
1. Enter the following command to activate a user for AZFCKCTC:
Important: If you activate a user for AZFCKCTC, the user cannot be associated with a policy name or
have any other active authentication factors.

ALU [Login ID] MFA(FACTOR(AZFCKCTC) ACTIVE PWFALLBACK TAGS(ALTUSERID:[User ID]))

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFCKCTC authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
• ALTUSERID is the user name of the user on the CTC source. The user name on the CTC destination
and CTC source does not need to be the same.

2. Tell users they must use the IBM MFA Out-of-Band web server login page on the CTC source to get a
CTC, where the hostname and port specify the IBM MFA CTC source, and policy-name is the policy the
user must use. You may want to have the user bookmark this URL.

https://server-host:port/mfa/policy-name

The user is then presented with IBM MFA Out-of-Band web page for the configured authentication
factors.
If the IBM MFA Out-of-Band authentication is successful, the user then uses the resulting CTC to log
on in-band to an application on the CTC destination.
Tip: To prevent confusion, ensure that you tell users to use the CTC as their password on the
destination system.
3. If needed, enter the following command to defer activating a user for AZFCKCTC:

ALU [Login ID] MFA(FACTOR(AZFCKCTC) TAGS(ALTUSERID:[User ID]))

Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFCKCTC authenticator for the user ID:

ALU <USERID> MFA(FACTOR(AZFCKCTC) ACTIVE)

4. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFCKCTC
STATUS = ACTIVE
FACTOR TAGS =
ALTUSERID:user

5. If needed, enter the following command to deactivate a user for AZFCKCTC:

ALU [Login ID] MFA(FACTOR(AZFCKCTC) NOACTIVE)

Chapter 24. Configuring IBM MFA for ELF
Express® Logon Feature (ELF) is an enhanced logon solution that is provided by IBM host access products
Host on Demand (HoD) and Personal Communications. (ELF is also referred to as certificate-based logon.)
ELF enables you to log on to host applications using an X.509 certificate for authentication without
entering an ID or password. You must configure IBM MFA for ELF if you want to use that authentication
method.
Before you configure IBM MFA for ELF, refer to the configuration roadmap in Chapter 6, “IBM MFA
configuration roadmap,” on page 13.

Configure IBM MFA for ELF


IBM MFA for ELF allows IBM MFA in-band authentication from Express® Logon Feature (ELF). IBM MFA for
ELF uses the AZFCERT1 factor and returns a cache token credential if the authentication is successful.

Before you begin


IBM MFA for ELF requires a functioning Express® Logon Feature (ELF) configuration that uses an ELF
script and EXPRESSLOGONMFA to delegate the authentication decision to IBM MFA. IBM MFA performs
the authentication and, if successful, IBM MFA returns a cache token credential.
Important: The EXPRESSLOGONMFA statement requires you to configure AT-TLS, as described in the
EXPRESSLOGONMFA statement description.
See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP
Configuration Reference for information about EXPRESSLOGONMFA support in the TN3270E Telnet Server.
Tip: You perform all of the same IBM MFA configuration steps as for Certificate Authentication, and the
user must register their certificate as for that factor. The functional difference is that the user does not use
the IBM MFA Out-of-Band web page to log in, and instead follows the ELF login procedure. ELF uses the
IBM MFA cache token credential to log the user in without user action.

Procedure
1. Perform the RACF administration steps for Certificate Authentication, as described in “Additional RACF
administration steps for certificate authentication” on page 81.
2. Import the root CA certificate of the client certificate chain, as described in “Import root CA certificate
of client certificate chain” on page 82.
3. Configure Certificate Authentication, as described in “Configure Certificate Authentication” on page
85.
4. Configure a policy with the AZFCERT1 factor for the user, or use an existing policy with only that factor
configured.
The Default Policy Name configured in “Configure IBM MFA STC configuration attributes” on page 21
applies as follows:
• If the user has only one policy attached, IBM MFA attempts to use it. This policy must have only one
factor, AZFCERT1.
• If the user has more than one policy attached, one of them must be the default policy. IBM MFA
attempts to use the default policy.
• If a default policy is not configured and the user has more than one policy assigned, IBM MFA fails
the request.
5. Activate the users for Certificate Authentication as described in “Activate and deactivate users for
Certificate Authentication” on page 88.
6. Instruct the users to enroll their certificates, as described in IBM Z Multi-Factor Authentication User's
Guide.

Important: The user must register the same certificate used in their ELF configuration.
7. Approve the user certificates, as described in “Approve user certificates” on page 89.
8. When requested by ELF, IBM MFA for ELF authenticates the user certificate and returns a cache token
credential if successful.
Note: If ELF is configured with EXPRESSLOGONMFA FALLBACK, and the following conditions occur:
• The IBM MFA services started task is not running.
• The user is not configured for IBM MFA password fallback.
then RACF fails the login attempt.
9. ELF uses the cache token credential to log the user in without user action.
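The policy selection rule in step 4 of the procedure above, as an added example that is not IBM MFA's own code: given the policies attached to a user, the factors in each policy, and the Default Policy Name from the STC configuration, it returns the policy IBM MFA would attempt or the reason the ELF request fails, and audits a set of users before rollout. The policy and user names are constructed; applying the "only AZFCERT1" check to the default policy as well as to a single attached policy is an assumption drawn from the wording of step 4.

```python
"""Policy selection for IBM MFA for ELF (constructed example, not product code).

Models the rule in step 4 of the procedure: which attached policy IBM MFA
attempts for an ELF request, and why the request fails when the policies
or the Default Policy Name are misconfigured.
"""
from typing import Dict, List, Optional, Sequence, Tuple

ELF_FACTOR = "AZFCERT1"


def select_elf_policy(user_policies: Sequence[str],
                      policy_factors: Dict[str, List[str]],
                      default_policy: Optional[str]) -> Tuple[Optional[str], str]:
    """Return (policy, reason): the policy IBM MFA attempts, or None and why it fails.

    user_policies  : policy names attached to the user
    policy_factors : policy name -> factors configured in that policy
    default_policy : Default Policy Name from the STC configuration, or None
    """
    if not user_policies:
        return None, "no policy attached"
    if len(user_policies) == 1:
        candidate = user_policies[0]
    else:
        # More than one policy attached: one of them must be the default policy.
        if default_policy is None:
            return None, "more than one policy attached and no default policy configured"
        if default_policy not in user_policies:
            return None, "more than one policy attached and none of them is the default"
        candidate = default_policy
    # Assumption: the attempted policy must contain exactly one factor, AZFCERT1.
    # The page states this for the single-policy case; it is applied to the
    # default policy too, since step 4 asks for a policy with only that factor.
    factors = policy_factors.get(candidate, [])
    if factors != [ELF_FACTOR]:
        return None, f"policy {candidate} has factors {factors}, expected [{ELF_FACTOR}] only"
    return candidate, "ok"


def audit_elf_users(users: Dict[str, List[str]], policy_factors: Dict[str, List[str]],
                    default_policy: Optional[str]) -> Dict[str, str]:
    """Map each user whose ELF request would fail to the reason, as a pre-rollout check."""
    problems: Dict[str, str] = {}
    for user, policies in users.items():
        policy, reason = select_elf_policy(policies, policy_factors, default_policy)
        if policy is None:
            problems[user] = reason
    return problems


# Constructed sample data (policy and user names are not from a real system).
SAMPLE_POLICIES = {
    "ELFONLY": ["AZFCERT1"],
    "CERTPLUS": ["AZFCERT1", "AZFTOTP1"],
    "TOTP": ["AZFTOTP1"],
}
SAMPLE_USERS = {
    "ALICE": ["ELFONLY"],            # one policy, AZFCERT1 only: attempted
    "BOB": ["ELFONLY", "TOTP"],      # two policies, ELFONLY is the default: attempted
    "CAROL": ["CERTPLUS"],           # one policy but it has a second factor: fails
    "DAVE": ["TOTP", "CERTPLUS"],    # two policies, neither is the default: fails
}
```

With "ELFONLY" as the Default Policy Name, audit_elf_users(SAMPLE_USERS, SAMPLE_POLICIES, "ELFONLY") reports CAROL and DAVE as users whose ELF logon would be failed by IBM MFA, each with the reason.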

Chapter 25. Configuring IBM MFA Password
Authentication
You can configure IBM MFA for password and passphrase authentication. IBM MFA Password
Authentication is a weak factor and requires the user to enter their RACF password or passphrase in
addition to at least one other strong authentication factor. IBM MFA Password Authentication is supported
only in IBM MFA Out-of-Band.

IBM MFA Password Authentication credentials are used as entered


The current and new credentials values specified for AZFPASS1 are used exactly as entered, including
any leading and trailing blanks. Leading or trailing blanks will cause authentication failures if a password
is being used or a passphrase that does not have the same leading or trailing blanks is being used. If a
password is being changed, leading or trailing blanks in the new password will cause it to be rejected as
invalid. If a passphrase is being changed, leading or trailing blanks will be included in the new passphrase,
and will cause it to be unusable by any applications, such as TSO, which remove leading or trailing blanks
from a passphrase before using it to authenticate.
The IBM MFA Password Authentication credential considerations apply in the following workflows:
• When the user is provisioned for AZFPASS1 and enters their password.
• When the user attempts to change their password with the pwChange.html web interface.
• When the user attempts to reset their password with the pwReset.html web interface.

Additional RACF administration steps for IBM MFA Password Authentication

You must perform additional RACF administration steps for IBM MFA Password Authentication.

Define a resource profile in MFADEF class


You define IBM MFA factors by creating a general resource profile for the factor name in the MFADEF
class. To define a factor for IBM MFA Password Authentication, use RDEFINE to create a resource profile
named FACTOR.AZFPASS1 in the MFADEF class.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.AZFPASS1 OWNER(userid or group-name)

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFPASS1

Define a resource profile in FACILITY class
To define authorization to execute the panels for IBM MFA Password Authentication administration, use
RDEFINE to create a resource profile named IRR.RFACTOR.MFADEF.AZFPASS1 in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFPASS1 OWNER(userid or group-name)

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the change. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFPASS1

Authorize access to IRR.RFACTOR.MFADEF.AZFPASS1 profile


Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFPASS1 profile.

Procedure
1. Allow the access shown in Table 50 on page 170:

Table 50. Required levels of permission


Permission Access
READ Able to view configuration options, but may not
update, create, or delete parameters.
UPDATE, CONTROL, ALTER Able to create, update, delete, and view
configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFPASS1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)


SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Administration and operation steps for IBM MFA Password Authentication

Follow the steps in this section to provision users for IBM MFA Password Authentication.

Configure IBM MFA Password Authentication


Execute AZFEXEC to configure the IBM MFA Password Authentication.

Before you begin


You copied the AZFEXEC member to a data set in your SYSEXEC concatenation in “Copy
SAZFEXEC(AZFEXEC)” on page 7 and customized the HLQ in “Customize AZFEXEC” on page 7.

Procedure
1. Execute AZFEXEC.

2. Choose AZFPASS1.
3. Change the initial trace level, if needed. You can otherwise accept the default.

Table 51. AZFPASS1 Factor Attributes


Setting Description
Initial Trace Level The trace level used for tracing events within the
AZFPASS1 plug-in. Valid values are 0 through 3,
where the higher number increases the level of
verbosity. The default is zero.
4. Save the configuration, even if you did not make any changes, to complete the configuration process.

Activate and deactivate users for IBM MFA Password Authentication


You use the ALTUSER or ALU command to activate users for IBM MFA Password Authentication. IBM MFA
Password Authentication is supported only in IBM MFA Out-of-Band.

Procedure
1. Enter the following command to activate a user for IBM MFA Password Authentication:

ALU [Login ID] MFA(FACTOR(AZFPASS1) ACTIVE PWFALLBACK)

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFPASS1 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user. If you configure user accounts with the
password fallback parameter, users can log in with their z/OS password or passphrase if the started
task is down. The password fallback mechanism is provided as a fail-safe authentication method. If
you omit this parameter, the default is NOPWFALLBACK.
2. You must create a multi-factor authentication policy as described in “Create and manage multi-factor
authentication policies” on page 47. IBM MFA Password Authentication is a weak factor and requires
the policy to contain at least one other strong authentication factor.
3. Apply the multi-factor authentication policy to the user as described in “Create and manage multi-
factor authentication policies” on page 47.
4. Enter the following command to deactivate a user for IBM MFA Password Authentication:

ALU [Login ID] MFA(FACTOR(AZFPASS1) NOACTIVE)

5. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
FACTOR = AZFPASS1
STATUS = ACTIVE

Chapter 26. Configuring Password Fallback
If you configure user accounts with the password fallback parameter, users can log in in-band with their
z/OS password or passphrase if the started task is down. The password fallback mechanism is provided
as a fail-safe authentication method.

About this task


Password fallback is a user setting that applies to all in-band IBM MFA authentications performed with
that user ID, and the most recent setting takes precedence. That is, if you set PWFALLBACK for a user in
one authentication factor and later set NOPWFALLBACK or accept the default for that same user in another
factor, NOPWFALLBACK applies to all factors. This is true regardless of whether the factors are active for
the user.

Procedure
1. Enter the following command to set password fallback:

ALU [Login ID] MFA(PWFALLBACK|NOPWFALLBACK)

Where PWFALLBACK configures password fallback for the user. If you omit this parameter, the default
is NOPWFALLBACK.
2. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFTOTP1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:PROVISIONED
KEYLABEL:AZF.MDHUNTA.D13D317557E799C8
ALG:SHA512
CVALUE:49071141
NUMDIGITS:7
PERIOD:30
WINDOW:3

Chapter 27. Configuring multiple instances of a factor
There may be circumstances in which you want to have different SecurID or RADIUS servers, or check
CTC sources, for different users. For example, your organization may have multiple user communities that
have different authentication requirements. For this use case, IBM MFA allows you to create multiple
instances of factors.
The following factors support multiple instances:
• AZFRADP1
• AZFSIDP1
• AZFSIDP3
• AZFSIDR1
• AZFSFNP1
• AZFLDAP1
• AZFISAM1
• AZFCKCTC

Usage guidelines
• The expected use case is where your organization supports multiple user communities that have
different authentication requirements. For example, in this use case, AZFRADP1#2 might support one
user community, while AZFRADP1#3 supports some other subset of users.
• Although not considered to be a primary use case, you could configure a user for more than one active
instance of a factor. However, if you do so, the user must use IBM MFA Out-of-Band authentication,
where the policy determines which instance of the factor applies.
• You must configure each authentication factor multiple instance, just as you would a single instance.
This includes, but is not limited to, the PKCS#11 token name, key label, primary hostname and port,
SecurID sdconf.rec file, node secret, and RADIUS shared secret where applicable.

Additional RACF administration steps for multiple instances


You must perform RACF administration steps for multiple factor instances.

Define a resource profile in MFADEF class


You define IBM MFA factors by creating a general resource profile for the factor name in the MFADEF
class. To define multiple instances of a factor, use RDEFINE to create a resource profile named
FACTOR.FACTOR_NAMEsuffix in the MFADEF class.

About this task


FACTOR.FACTOR_NAME requires a valid factor name, such as AZFSIDP1. The appended suffix is a factor
instance name of your choice of up to 12 characters. It can contain only A-Z, 0-9, '#', '$', and '@'
characters. See Enable Dynamic Instance Name for additional considerations.
Note: The factor instance names do not need to be contiguous. For example, AZFSFNP1$EAST,
AZFSFNP1$WEST, and AZFSFNP1$EMERGENCY would be valid.

Procedure
1. Define the profile in the MFADEF class:

RDEF MFADEF FACTOR.FACTOR_NAMEsuffix

For example:

RDEF MFADEF FACTOR.FACTOR_NAME#2

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.FACTOR_NAMEsuffix

Define a resource profile in FACILITY class


To define authorization to execute the panels for administration of the factor instance, use RDEFINE to
create a resource profile named IRR.RFACTOR.MFADEF.FACTOR_NAMEsuffix in the FACILITY class.

Procedure
1. Define the profile in the FACILITY class:

RDEF FACILITY IRR.RFACTOR.MFADEF.FACTOR_NAMEsuffix

2. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

3. Verify the change. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.FACTOR_NAMEsuffix

Authorize access to IRR.RFACTOR.MFADEF.FACTOR_NAMEsuffix profile


Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.FACTOR_NAMEsuffix
profile.

Procedure
1. Allow the access shown in Table 52 on page 176:

Table 52. Required levels of permission


Permission Access
READ Able to view configuration options, but may not
update, create, or delete parameters.
UPDATE, CONTROL, ALTER Able to create, update, delete, and view
configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.FACTOR_NAMEsuffix ACCESS(ALTER) CLASS(FACILITY) ID(user-id)


SETROPTS RACLIST(FACILITY) REFRESH

2. Verify the change.

Additional system programming steps for multiple instances
After you perform the RACF administration tasks, you must perform additional system programming tasks
to define parameters.

Configure the instance of a factor


You must configure the IBM MFA settings for the multiple-instance factor.

About this task

Procedure
1. Execute AZFEXEC and enter the suffix in the text field adjacent to the Basename. For example, if the
base factor name is AZFRADP1 and the suffix is #2, enter #2 in the AZFRADP1 text field.
Note: You must already know the suffix. You can check the started task log for the suffix if needed. You
can enter the following command to show all defined IBM MFA factor profiles:

SEARCH CLASS(MFADEF) FILTER(FACTOR.AZF*)

You can also enter the following command to show all defined IBM MFA AZFRADP1 profiles, for
example:

SEARCH CLASS(MFADEF) FILTER(FACTOR.AZFRADP1*)

2. Place the cursor anywhere within the Basename field and press Enter to display the panel. (You can
also enter the number for the Basename in the Command field and press Enter.)
3. Configure the factor settings based on the factor type:
• AZFRADP1
• AZFSIDP1
• AZFSIDP3
• AZFSIDR1
• AZFSFNP1
• AZFLDAP1
• AZFISAM1
• AZFCKCTC
4. See “Configure IBM MFA Compound In-Band” on page 97 for information about configuring IBM MFA
Compound In-Band.
5. Press F3 to save your changes and exit.

Start the IBM MFA services started task


The IBM MFA services started task supports authentication of users and validation of tags specified in the
RACF ALTUSER command at runtime.

Before you begin


You must configure at least one of the following strong authentication factors before you start the IBM
MFA services started task:
• RSA SecurID ACEv5 UDP AZFSIDP1
• RSA SecurID Auth API (HTTPS) AZFSIDP3
• TOTP AZFTOTP1
• Certificate AZFCERT1

• Generic RADIUS AZFRADP1
• Safenet RADIUS AZFSFNP1
• SecurID RADIUS AZFSIDR1
• Yubico OTP AZFYUBI1
• IBM Security Verify Access AZFISAM1
• LDAP AZFLDAP1
• Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
Start the IBM MFA started tasks before applications that use IBM MFA.
If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA
started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in
Chapter 26, “Configuring Password Fallback,” on page 173 will be able to log on with their z/OS password
or passphrase.

About this task


In “Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7, you copied the AZF#IN00
member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure
1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See
Chapter 6, “IBM MFA configuration roadmap,” on page 13 for information about which authentication
factors require AT-TLS.
2. To start the started task if it is stopped, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN00

3. Start the started task on every z/OS instance sharing the RACF database where users log on.
4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver"
message in the SYSLOG indicates success.
Note: If you have configured multiple instances of a factor as described in Chapter 27, “Configuring
multiple instances of a factor,” on page 175, each factor instance is identified and logged separately in
the IBM MFA started task’s SYSPRINT.

Administration and operation steps for multiple instances
Follow the steps in this section to provision users and to start up and administer IBM MFA for multiple
instances of factors.

Activate and deactivate users for multiple instance factors


You use the ALTUSER or ALU command to activate users for multiple instance factors. You can configure
a user for more than one active instance of a factor. However, if you do so, the user must use IBM MFA
Out-of-Band authentication, where the policy determines which instance of the factor applies.

Before you begin


When you activate a user for IBM MFA, that user is no longer able to use the z/OS password to log in.
Therefore, the user must first have valid credentials.
To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the
NOACTIVE keyword to deactivate the authenticator for the user ID.

Procedure
1. For example, enter the following command to activate a user for a generic RADIUS multiple instance
factor:

ALU [Login ID] MFA(FACTOR(AZFRADP1<suffix>) ACTIVE PWFALLBACK TAGS(RADUSERID:[User ID]))

Where:
• [Login ID] is the z/OS user name.
• FACTOR(<FACTOR_NAME><suffix>) is the specific factor instance.
• ACTIVE activates the AZFRADP1 authenticator for the user ID.
• PWFALLBACK configures password fallback for the user, as described in Chapter 26, “Configuring
Password Fallback,” on page 173.
• User ID is the associated RADIUS user ID.
2. If needed, enter the following command to defer activating a user. The example uses AZFRADP1.

ALU [Login ID] MFA(FACTOR(AZFRADP1<suffix>) TAGS(RADUSERID:[User ID]))

Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFRADP1 authenticator for the user ID. The example uses AZFRADP1.

ALU <USERID> MFA(FACTOR(AZFRADP1<suffix>) ACTIVE)

3. Enter the following command to display IBM MFA information for a user profile:

LISTUSER [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = <FACTOR_NAME><suffix>
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:user

4. If needed, enter the following command to deactivate a user. The example uses AZFRADP1.

ALU [Login ID] MFA(FACTOR(AZFRADP1<suffix>) NOACTIVE TAGS(RADUSERID:[User ID]))

Create and manage policies for multiple instance factors
To use IBM MFA Out-of-Band you must use the RDEFINE command to define policies for multiple
instance factors, and the ALU command to apply the policies to one or more users.

Before you begin


Important: If you apply a policy to a user, the user must have all the factors defined in the policy, and
those factors must be active for the user. RACF does not prevent you from applying a policy to a user who
does not have all the required factors defined. This will prevent the user from authenticating with IBM
MFA Out-of-Band.

Procedure
1. Enter the following command to create a multi-factor authentication policy:

RDEF MFADEF POLICY.POLICY-NAME MFPOLICY(FACTOR(FACTOR-NAME<suffix>) TOKENTIMEOUT(num-of-seconds) REUSE(Y|N))

Where:
• POLICY-NAME is a name of your choice between 1 and 20 characters. The allowed characters are
A-Z, 0-9. You might find it convenient to give the policy a descriptive name, such as CERTSIDPTOTP
or CERTONLY.
• FACTOR-NAME<suffix> is a space-separated list of factor names combined with your chosen suffix.
The allowed factor names are as follows:
– AZFRADP1
– AZFSIDP1
– AZFSIDP3
– AZFSIDR1
– AZFSFNP1
– AZFLDAP1
– AZFISAM1
– AZFCKCTC
• TOKENTIMEOUT sets the length of time (in seconds) the IBM MFA Out-of-Band token is valid once
generated. The value can be between 1 and 86,400 (the number of seconds in a day). The default is
300 seconds (5 minutes.)
• REUSE determines whether the IBM MFA Out-of-Band token can be reused by an application.
Possible values are Y or N. The default is N.
2. Repeat step 1 for each additional policy you need.
3. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

4. Enter the following command to display information about a specific policy:

RLIST MFADEF POLICY.POLICY-NAME MFPOLICY

5. Enter the following command to display information about all IBM MFA factors and policies:

RLIST MFADEF *

6. Enter the following command to apply the policy to a user:

ALU <USERID> MFA(ADDPOLICY(POLICY-NAME))

7. Repeat step 6 for each additional policy you want to apply. If you apply multiple policies to a user,
instruct the user which policy to use.
8. Enter the following command to display IBM MFA information for a user profile, including any applied
policies:

LU <USERID> MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS ALLOWED
AUTHENTICATION POLICIES =
TOTPONLY
FACTOR = AZFSIDP1<suffix>
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user

9. If needed, enter the following command to remove a policy from a user:

ALU <USERID> MFA(DELPOLICY(POLICY-NAME))

10. If needed, enter the following commands to delete a policy and refresh the MFADEF class:

RDEL MFADEF POLICY.POLICY-NAME
SETROPTS RACLIST(MFADEF) REFRESH
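The Important note at the start of this section says that RACF does not stop you from applying a policy to a user who lacks one of its factors, or whose factor is not yet ACTIVE; the user then cannot authenticate Out-of-Band. The following script is an added example and is not part of IBM MFA or RACF. It parses the MULTIFACTOR AUTHENTICATION INFORMATION block of LISTUSER output in the layout shown in this chapter and compares it with the factor lists you supplied on MFPOLICY(FACTOR(...)). The sample LISTUSER text, the policy names RADEAST and RADBOTH, and the instance suffixes $EAST and $WEST are constructed for the example; a Python interpreter on the workstation where you review the output is assumed.

```python
"""Check that the IBM MFA policies applied to a user are satisfiable.

Added example, not IBM MFA or RACF code. Parses the MFA block of LISTUSER
output and checks each applied policy against the factor list it was
defined with in RDEF MFADEF POLICY.* MFPOLICY(FACTOR(...)).
"""
from dataclasses import dataclass, field


@dataclass
class MfaUserInfo:
    """Policies applied to the user and the STATUS of each assigned factor."""
    policies: list = field(default_factory=list)
    factors: dict = field(default_factory=dict)   # factor name -> STATUS


def parse_lu_mfa(text: str) -> MfaUserInfo:
    """Parse the MULTIFACTOR AUTHENTICATION INFORMATION block of LU output."""
    info = MfaUserInfo()
    section = None            # "policies" or "tags" while inside those lists
    current_factor = None
    for raw in text.splitlines():
        line = raw.strip()    # LU output is indented; the layout here is flattened
        if not line:
            continue
        if line.startswith("AUTHENTICATION POLICIES ="):
            section = "policies"
            continue
        if line.startswith("FACTOR TAGS ="):
            section = "tags"
            continue
        if line.startswith("FACTOR ="):
            current_factor = line.split("=", 1)[1].strip()
            info.factors[current_factor] = "UNKNOWN"
            section = None
            continue
        if line.startswith("STATUS =") and current_factor is not None:
            info.factors[current_factor] = line.split("=", 1)[1].strip()
            continue
        if section == "policies":
            info.policies.append(line)
        # tag lines, the heading and the fallback line are not needed here
    return info


def check_policies(info: MfaUserInfo, policy_defs: dict) -> list:
    """Return one problem string per policy requirement the user cannot meet.

    policy_defs maps POLICY-NAME -> list of factor names (with suffix), exactly
    as given in MFPOLICY(FACTOR(...)) when the policy was defined.
    """
    problems = []
    for policy in info.policies:
        if policy not in policy_defs:
            problems.append(f"policy {policy} is applied but not in the supplied definitions")
            continue
        for factor in policy_defs[policy]:
            status = info.factors.get(factor)
            if status is None:
                problems.append(f"policy {policy} requires {factor}, which is not assigned to the user")
            elif status != "ACTIVE":
                problems.append(f"policy {policy} requires {factor}, which is {status}")
    return problems


# Constructed sample: two instances of AZFRADP1, one not yet activated, and a
# policy that needs both of them.
SAMPLE_LU_OUTPUT = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS ALLOWED
AUTHENTICATION POLICIES =
  RADEAST
  RADBOTH
FACTOR = AZFRADP1$EAST
STATUS = ACTIVE
FACTOR TAGS =
  RADUSERID:user
FACTOR = AZFRADP1$WEST
STATUS = INACTIVE
FACTOR TAGS =
  RADUSERID:user
"""

# Constructed policy definitions (the FACTOR lists passed on MFPOLICY).
SAMPLE_POLICY_DEFS = {
    "RADEAST": ["AZFRADP1$EAST"],
    "RADBOTH": ["AZFRADP1$EAST", "AZFRADP1$WEST"],
}

if __name__ == "__main__":
    for problem in check_policies(parse_lu_mfa(SAMPLE_LU_OUTPUT), SAMPLE_POLICY_DEFS):
        print(problem)
```

Run the script after step 8 against the saved LU output for each user; an empty result means every applied policy can be satisfied with the user's current ACTIVE factors.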

Chapter 28. Configuring bulk provisioning users for
IBM MFA
IBM MFA provides programs and UNIX shell scripts that you can use to provision users with policies and
factors. Although you can use the RACF commands for this purpose, the bulk provisioning feature is more
efficient if you have a large number of users.

Before you begin


Important:
• You need to have UPDATE access to the system security manager FACILITY class profile
IRR.RFACTOR.USER to update the user factor data. Use the PERMIT command to grant UPDATE access
to the profile. If the FACILITY class has been RACLISTed, refresh the class for the change to become
effective.
• If the authentication factor you are provisioning requires a PKCS#11 token, ensure that you have
CONTROL access to the SO.token_name profile that protects the token and UPDATE access to the
USER.token_name profile that protects the token, as described in Chapter 9, “Configuring a PKCS#11
token,” on page 31.
• If provisioning AZFCERT1, the user running azfbulk needs read access to the CSFSERV profiles
CSFOWH and CSF1TRD.
• If provisioning AZFFALBK, the user running azfbulk needs READ access to the CSFSERV profiles
CSF1TRC, CSF1TRD, and CSF1HMG. The user also needs READ access to the CLEARKEY.TOKEN-NAME
profile that protects the PKCS#11 token you created in Chapter 9, “Configuring a PKCS#11 token,” on
page 31.

About this task


IBM MFA includes the azfbulk program that reads from a user-created text file to provision users. The
azfbulk program reads the contents of the text file, and produces two shell scripts that you then run to
provision the users.
The azfbulk parameters are shown in Table 53 on page 184.
The parameter usage is as follows:

azfbulk input-file (COMMIT)

Table 53. azfbulk Parameters

Parameter    Description
input-file   A user-created text file of user names, policies, authentication methods, and
             authentication method-specific parameters. The format of this file must be as follows:
             • Each entry starts on a new line.
             • Each field is separated by a space.
             • The only validation done is on the authentication method name, and case is
               sensitive. All other entries are assumed to be valid.
             • The fields are as follows:
               – userID. This is required.
               – policy name. This is required. The policy name field must be the name of an
                 existing policy, or *NONE* to not specify a policy.
               – authentication method, including multiple instance factor names. This is
                 required.
               – Zero or more authentication method-specific parameters. This is optional. The
                 parameters are described in Table 54 on page 184.
COMMIT       Commits the changes. You can run the azfbulk program with or without the COMMIT
             parameter. It is recommended that you run it the first time without COMMIT and then
             examine the output shell scripts. If the output shell scripts are correct, run the
             azfbulk program a second time and specify the COMMIT parameter. COMMIT must be in
             uppercase.

Table 54 on page 184 describes the authentication method parameters. The parameters are positional
and you can omit trailing parameters. However, you must specify all preceding parameters.

Table 54. Input File Authentication-Method-Specific Parameters

Authentication Method             Parameters
AZFCERT1                          The file specification of the user certificate. The .cer (DER) and
                                  PEM formats are supported. The azfbulk program performs the
                                  certificate enrollment and approval process described in
                                  “Approve user certificates” on page 89 on your behalf.
AZFSIDP1, AZFSIDP3, and AZFSIDR1  The associated RSA user ID.
AZFRADP1 and AZFSFNP1             The RADIUS user ID.
AZFPTKT1                          The setting for MFAFIRST (Y or N), and the number of seconds for
                                  WINDOW.
AZFTOTP1                          Does not accept any parameters. The user is set to REGSTATE:OPEN.
AZFISAM1                          • The IBM Security Verify Access user ID.
                                  • The authentication context.
AZFLDAP1                          The user DN.
AZFPASS1                          Does not accept any parameters.
AZFYUBI1                          The complete string from the .csv file.
AZFCKCTC                          The user name on the CTC source system.
                                  Note: The AZFCKCTC authentication factor supports in-band
                                  authentication only. If you activate a user for AZFCKCTC, the user
                                  cannot be associated with a policy name or have any other active
                                  authentication factors.

A sample input file is as follows:

USERA CERTONLY AZFCERT1 /u/usersa/certificates/usera.cer
USERB *NONE* AZFTOTP1
USERC *NONE* AZFRADP1 raduserc
USERD *NONE* AZFSFNP1 raduserd
USERE SIDPONLY AZFSIDP1
USERF *NONE* AZFPTKT1 Y 600
USERG *NONE* AZFSIDR1 rsauserg
USERH *NONE* AZFPASS1
USERI *NONE* AZFCKCTC USERI
USERJ *NONE* AZFCKCTC USERX
USERK *NONE* AZFFALBK 2

The azfbulk program creates two shell scripts, azfprov1.sh and azfprov2.sh from the input file:
• azfprov1.sh associates the users with the policies and factors. The factors are not active.
azfprov1.sh invokes azfbulkcmd.sh, which allows you to make any needed customizations if you
are using an ESM other than RACF. No changes to azfbulkcmd.sh are required if you are using RACF.
• azfprov2.sh calls factor-specific utility programs to set the user factor data. azfprov2.sh commits
the changes.
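Because azfbulk validates only the authentication method name, mistakes in the other fields are found only when you read the generated scripts. The following pre-check is an added example and is not part of IBM MFA: it applies the rules stated in Tables 53 and 54 and in the multiple-instance chapter (field layout, *NONE* or a policy name, per-method parameter limits, the Y/N and seconds values for AZFPTKT1, the instance suffix syntax, and the rule that an AZFCKCTC user cannot carry a policy) to every line of the input file. The sample file reuses lines from this chapter and adds three deliberately bad ones; the policy set, the $EAST suffix and the blank-line handling are constructed for the example, and AZFYUBI1 and AZFFALBK parameter counts are not checked because the table gives no fixed count for them (assumption).

```python
"""Pre-check an azfbulk input file before generating provisioning scripts.

Added example, not IBM MFA code. Applies the input-file rules from this
chapter and reports every offending line.
"""
import re

# Maximum positional parameters per method (Table 54). None = not checked.
MAX_PARAMS = {
    "AZFCERT1": 1,                                   # certificate file specification
    "AZFSIDP1": 1, "AZFSIDP3": 1, "AZFSIDR1": 1,     # RSA user ID
    "AZFRADP1": 1, "AZFSFNP1": 1,                    # RADIUS user ID
    "AZFPTKT1": 2,                                   # MFAFIRST (Y|N), WINDOW seconds
    "AZFTOTP1": 0,
    "AZFISAM1": 2,                                   # user ID, authentication context
    "AZFLDAP1": 1,                                   # user DN
    "AZFPASS1": 0,
    "AZFYUBI1": None,                                # whole .csv record (assumption)
    "AZFCKCTC": 1,                                   # user name on the CTC source system
    "AZFFALBK": None,                                # in the sample file; count undocumented here
}
# Factors that may carry an instance suffix (multiple-instance chapter).
MULTI_INSTANCE = {"AZFRADP1", "AZFSIDP1", "AZFSIDP3", "AZFSIDR1",
                  "AZFSFNP1", "AZFLDAP1", "AZFISAM1", "AZFCKCTC"}
SUFFIX_RE = re.compile(r"^[A-Z0-9#$@]{1,12}$")    # suffix: up to 12 of A-Z 0-9 # $ @
POLICY_RE = re.compile(r"^[A-Z0-9]{1,20}$")        # POLICY-NAME: 1 to 20 of A-Z 0-9


def validate_line(lineno, line, known_policies=None):
    """Return the list of error strings for one input-file line (empty if OK)."""
    fields = line.split()
    if len(fields) < 3:
        return [f"line {lineno}: need at least userID, policy and method"]
    userid, policy, method, *params = fields
    base, suffix = method[:8], method[8:]           # base factor names are 8 characters
    errors = []
    if len(userid) > 8:                             # RACF user IDs are 1 to 8 characters
        errors.append(f"line {lineno}: user ID {userid!r} is longer than 8 characters")
    if base not in MAX_PARAMS:                      # names are case-sensitive: azftotp1 fails here
        errors.append(f"line {lineno}: unknown authentication method {method!r}")
        return errors
    if suffix:
        if base not in MULTI_INSTANCE:
            errors.append(f"line {lineno}: {base} does not support instance suffixes")
        elif not SUFFIX_RE.match(suffix):
            errors.append(f"line {lineno}: bad instance suffix {suffix!r}")
    if policy != "*NONE*":
        if not POLICY_RE.match(policy):
            errors.append(f"line {lineno}: bad policy name {policy!r}")
        elif known_policies is not None and policy not in known_policies:
            errors.append(f"line {lineno}: policy {policy} is not defined")
        if base == "AZFCKCTC":                      # Table 54 note: CTC users get no policy
            errors.append(f"line {lineno}: AZFCKCTC users cannot be associated with a policy")
    limit = MAX_PARAMS[base]
    if limit is not None and len(params) > limit:
        errors.append(f"line {lineno}: {base} takes at most {limit} parameter(s)")
    if base == "AZFPTKT1":
        if params and params[0] not in ("Y", "N"):
            errors.append(f"line {lineno}: MFAFIRST must be Y or N")
        if len(params) > 1 and not params[1].isdigit():
            errors.append(f"line {lineno}: WINDOW must be a number of seconds")
    return errors


def validate_file(text, known_policies=None):
    """Validate every non-blank line of the file text; returns all errors found."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip():                             # blank lines skipped (assumption)
            errors.extend(validate_line(lineno, raw, known_policies))
    return errors


# Constructed sample: lines from this chapter plus three deliberately bad ones
# (lowercase method, AZFCKCTC with a policy, MFAFIRST not Y/N).
SAMPLE_INPUT = """\
USERA CERTONLY AZFCERT1 /u/usersa/certificates/usera.cer
USERB *NONE* AZFTOTP1
USERC *NONE* AZFRADP1$EAST raduserc
USERF *NONE* AZFPTKT1 Y 600
USERI *NONE* AZFCKCTC USERI
USERL *NONE* azftotp1
USERM SIDPONLY AZFCKCTC USERM
USERN *NONE* AZFPTKT1 Q 600
"""
SAMPLE_POLICIES = {"CERTONLY", "SIDPONLY"}          # constructed: policies already RDEFINEd

if __name__ == "__main__":
    for err in validate_file(SAMPLE_INPUT, SAMPLE_POLICIES):
        print(err)
```

Pass the names of the policies you defined with RDEF MFADEF POLICY.* as known_policies so that a misspelt policy is caught before azfbulk runs; the positional rule from the text (trailing parameters may be omitted, so fewer than the maximum is accepted) is preserved.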

Procedure
1. Create your z/OS UNIX input file.
There are many ways to accomplish this step, depending on your environment. For example, you can
edit z/OS UNIX files by using the TSO/E OEDIT command to invoke ISPF File Edit or by selecting File
Edit on the ISPF menu, if it is installed. In a shell, you can use the ed and sed editors for editing z/OS
UNIX files. You can use the oedit shell command to invoke ISPF File Edit.
2. Add the /usr/lpp/IBM/azfv2r2/bin/ directory to your PATH.

export PATH=/usr/lpp/IBM/azfv2r2/bin:${PATH}

3. Run the azfbulk program without the COMMIT parameter.

azfbulk input-file

4. Check the resulting azfprov1.sh and azfprov2.sh files.


5. Correct any errors in your input file and re-run azfbulk. Repeat as needed.

6. When you are satisfied with the azfprov1.sh and azfprov2.sh scripts, run the azfbulk program
with the COMMIT parameter. COMMIT must be in uppercase.

azfbulk input-file COMMIT

7. Run the azfprov1.sh shell script.

sh azfprov1.sh

8. Verify sample provisioned users in RACF with the LU command.

LU [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
AUTHENTICATION POLICIES =
TOTPONLY
FACTOR = AZFTOTP1
STATUS = INACTIVE
FACTOR TAGS =
REGSTATE:OPEN

9. Run the azfprov2.sh shell script.

sh azfprov2.sh

10. Verify sample user factor data with the LU command.

LU [Login ID] MFA

FACTOR = AZFCERT1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:APPROVED
SUBJECT:CN=Test Cardholder VII,C=US,O=Test Government,OU=Test Department
ISSUER:CN=Test RSA 2048-bit CA for Test PIV Cards,C=US,O=Test Certificates 2010,OU=Test CA
CERTHASH:B7BF09C7039A43713DFD676237ACC73C699CC7C6
SERIAL:02BF N

Chapter 29. Changing a user password with an
identity token
As of z/OS V2R4, RACF supports identity tokens implemented through the JSON web token assertion
mechanism (JWT). You should enable identity token support whenever possible because it greatly
improves the end-user logon flow for applications that support identity tokens, such as TSO/E, when
the current credential is expired.

Before you begin


Note: See z/OS Security Server RACROUTE Macro Reference for important information about the IDTDATA
class.

About this task


There are some IBM MFA in-band login scenarios, particularly with compound in-band and password
change, that necessitate an authentication requiring multiple RACROUTE calls to complete. In this case,
state information is required so that IBM MFA and RACF perform the appropriate action for each state.
You can use identity tokens to change RACF passwords, change a PIN, or change both during an in-band
logon to TSO.
Consider the following scenario.
• The user is configured for AZFLDAP1 with compound in-band authentication, and their RACF password
has expired. For the purpose of example, further assume that you have configured their account to
require their RACF credential first.
• The user enters their current RACF password, the separator character, and their LDAP password.
• If successful, the user receives the following message:

ICH70008I IBM MFA Message:
AZF9853I LDAP AUTHENTICATION SUCCESS

• The user presses Enter to continue.
• The user is then prompted to change their RACF password.

Procedure
RACLIST and activate the IDTDATA class:

SETROPTS RACLIST(IDTDATA) CLASSACT(IDTDATA)

What to do next
You can control the use of identity tokens by defining profiles in the IDTDATA resource class. You use
IDTPARMS to specify information for the IDTDATA class profile. See z/OS Security Server RACF Command
Language Reference for information on IDTPARMS.

Chapter 30. Changing a user password with web
interface
IBM MFA includes a web interface for changing a user's SAF password or passphrase.

About this task


The general purpose IBM MFA password change web interface allows both IBM MFA users and non-IBM
MFA users to change their SAF password or passphrase.
You might find this password change web interface to be particularly useful in the following situations:
• For users of compound in-band authentication, where changing a password can be cumbersome.
• For users of IBM MFA Out-of-Band authentication in strict PCI mode.

Procedure
1. Configure IBM MFA Password Authentication, as described in Chapter 25, “Configuring IBM MFA
Password Authentication,” on page 169.
You do not need to follow the steps in “Activate and deactivate users for IBM MFA Password
Authentication” on page 171 for this workflow.
2. Ensure that Enable Password Change is set to Y, as described in “Configure IBM MFA web services
started task” on page 41.
3. Instruct the user to launch the password change URL:

https://server-name:port/html/pwChange.html

4. The user must provide the following information and click Change Password:
• User Name
• Password
• New Password
• Confirm New Password

Chapter 31. Resetting a user password
IBM MFA includes a web interface that allows users to reset their SAF password or passphrase, even if
they do not remember their current password or passphrase. The user must already have at least one
configured and satisfiable IBM MFA Out-of-Band policy and a valid CTC as verification of a successful
authentication.

About this task


Important: Any policy that allows a user to generate a CTC allows that user to access the system. There is
no way to configure a policy that enables only password reset.
You must configure RACF to allow IBM MFA to generate PassTickets.

Procedure
1. Ensure that the PTKTDATA class is RACLISTed and activated:

SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

2. Define AZFAPPL profiles in the PTKTDATA class. Store the PassTicket keys as encrypted.

RDEFINE PTKTDATA AZFAPPL SSIGNON(KEYENCRYPTED(0011223344556677))
RDEFINE PTKTDATA IRRPTAUTH.AZFAPPL.* OWNER(userid or group-name)
PERMIT IRRPTAUTH.AZFAPPL.* ACCESS(UPDATE) CLASS(PTKTDATA) ID(AZFSTC)
SETROPTS RACLIST(PTKTDATA) REFRESH

3. Allow password reset for RACROUTE.
Note: When a user is authenticated using a PassTicket, and a new password or phrase is
specified, RACROUTE REQUEST=VERIFY/X checks a resource in the PTKTDATA class named
IRRPTAUTH.PWCHANGE.APPL.appl-name for UPDATE access, on behalf of the user who is being
verified. The value of appl-name is exactly the same value used during PassTicket evaluation.

RDEFINE PTKTDATA IRRPTAUTH.PWCHANGE.APPL.AZFAPPL UACC(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH

4. Ensure that Enable Password Reset is set to Y, as described in “Configure IBM MFA web services
started task” on page 41.
5. Instruct the user to launch the password change URL:

https://server-name:port/html/pwReset.html

6. The user must provide the following information and click Reset Password:
• User Name
• Their current valid CTC
• New Password
• Confirm New Password

Chapter 32. Configure TOTP for users
You can use TOTP as an alternative to Generic TOTP. You configure TOTP for users to use that
authentication method.

Before you begin


When a user enrolls a new TOTP account using the IBM TouchToken for iOS application, sensitive data
flows to the application running on the user's iOS device. HTTPS is used to protect that data, and the TLS
configuration must be compatible with Application Transport Security policy as enforced by Apple iOS.
The z/OS Communications Server Application Transparent Transport Layer Security (AT-TLS) provides full
transport layer security for all communication between the Apple device and IBM MFA. AT-TLS frees IBM
MFA from having to be aware of the TLS details.
This procedure assumes that you are using a public CA. It is strongly recommended that you use a
certificate issued by a well-known certificate authority (CA). If you are not using a CA that is trusted by
default by Apple iOS, ensure that all IBM TouchToken for iOS devices have a Configuration Profile installed
that allows them to establish TLS connections with the web services server.
Important: If your web services server certificate was not issued by a well-known CA, do not instruct
users to visit the web services server start page until they have a Configuration Profile installed that
allows them to establish TLS connections with the web services server. If users accept the web services
server certificate in Mobile Safari as an SSL exception, the IBM TouchToken for iOS application still cannot
trust the CA that issued the certificate. Users will be able to view the enrollment launch URL, but will not
be able to complete enrollment.

Procedure
1. Make sure that the user's Apple iOS device has network connectivity to the web services server.
2. Instruct users to install the IBM TouchToken for iOS application on their iOS device.
3. Instruct users to open the web services server start page, using either Mobile Safari on their iOS device
or a desktop browser:

https://hostname:6789/AZFTOTP1/start

The page explains some basic information about TOTP to the user, and contains both a QR code and a
link that launch the IBM TouchToken for iOS application on the user's device.
4. Instruct the user to launch the IBM TouchToken for iOS application on the Apple device. Note that after
the TOTP account is set up on the Apple device, the REGSTATE changes to PROVISIONED and the
factor state changes to ACTIVE.
5. Instruct the user to tap the new TOTP account. You might want to have the user rename this account
to remove any system-specific information.
6. When prompted, the user must supply their Apple TouchID fingerprint.
If successful, the TOTP token code is displayed.
7. The user must now use this OTP token code to log on.

Chapter 33. Configuring IBM HTTP Server - Powered
by Apache for IBM MFA
You can configure IBM HTTP Server - Powered by Apache to use IBM MFA for BASIC authentication.
To do this, you must first configure PKCS#11 tokens and modify the configuration file conf/httpd.conf
file to set IBM MFA-specific values. The conf/httpd.conf configuration file contains directives that
customize the HTTP server.
After authentication has succeeded using IBM MFA credentials, a cookie is created that is retrieved on
subsequent requests. If the cookie is still valid, authentication is bypassed and the web resource is
served. The window of validity (MFAExpireSeconds) is defined by the system administrator and can be
specified up to a maximum of 86400 seconds (1 day).
Note: If you are using IBM HTTP Server - Powered by Apache with compound in-band authentication, the
possible separator values are a colon (:) and a vertical bar (|). The forward slash (/) is not supported as a
separator.

Configure a PKCS#11 token


PKCS#11 is a programming interface to create and manipulate cryptographic tokens. PKCS#11 tokens
are containers that hold digital certificates and keys.

Before you begin


ICSF must be installed, configured, and the ICSF started task started, as described in z/OS Cryptographic
Services ICSF System Programmer's Guide.
Table 55 on page 195 summarizes the required resource profile access for IBM HTTP Server - Powered by
Apache.

Table 55. Resource Profiles

Resource Profile        Class     Web Server User ID
BPX.DAEMON              FACILITY  UPDATE
BPX.SERVER              FACILITY  UPDATE
CLEARKEY.TOKEN_NAME     CRYPTOZ   READ
CSF1HMG                 CSFSERV   READ
CSF1GSK                 CSFSERV   READ
CSF1SKD                 CSFSERV   READ
CSF1SKE                 CSFSERV   READ
CSF1TRC                 CSFSERV   READ
CSF1TRL                 CSFSERV   READ
CSFIQA                  CSFSERV   READ
CSFOWH                  CSFSERV   READ
CSFRNG                  CSFSERV   READ
CSFRNGL                 CSFSERV   READ
IRR.DIGTCERT.LISTRING   FACILITY  READ (UPDATE is needed if TLS is configured for the web server)
SO.TOKEN_NAME           CRYPTOZ   CONTROL
USER.TOKEN_NAME         CRYPTOZ   UPDATE

Note: If the web server is configured with SSL/TLS, the web server user ID requires access to additional
profiles, such as CSFDSG, CSF1DVK, CSF1GKP, CSF1GAV, CSF1TRD, and CSFPKI. See IBM HTTP
Server Powered by Apache (http://publibz.boulder.ibm.com/epubs/pdf/dpr1cg00.pdf) for information on
configuring SSL/TLS for the web server.
For example:

PERMIT CSFRNG CLASS(CSFSERV) ID(user-ID) ACC(READ)
SETROPTS RACLIST(CSFSERV) REFRESH

Note: If you create CSF.CSFSERV.AUTH.CSFOWH.DISABLE or CSF.CSFSERV.AUTH.CSFRNG.DISABLE
profiles in the XFACILIT class, the respective SAF checks are disabled, even if the CSFSERV class profiles
exist.
See Chapter 8, “Configuring CSFSERV Resource Profiles,” on page 29 for additional resource profile
settings when the ICSF CHECKAUTH(YES) parameter is set.

About this task


PKCS #11 tokens and objects are stored in a VSAM data set called the token data set (TKDS). The TKDS
serves as the repository for persistent cryptographic keys and certificates used by PKCS #11 applications.
This procedure summarizes the steps to create a PKCS#11 token for your convenience. See z/OS
Cryptographic Services ICSF Administrator's Guide for complete information.
See the introductory chapter of z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for token
access information and guidelines.
Access to PKCS #11 tokens in ICSF is controlled by the CRYPTOZ class, with different access levels as
well as a differentiation between standard users and security officers. For each token, there are two
resources in the CRYPTOZ class for controlling access to tokens:
• The resource USER.token-name controls the access of the User role to the token.
• The resource SO.token-name controls the access of the Security Officer (SO) role to the token.
You create the PKCS#11 token to be used by the IBM HTTP Server - Powered by Apache web server using
RACDCERT ADDTOKEN. The token name you specify in this procedure must match the token name you
subsequently specify in your httpd.conf file and other configuration files included in the configuration.
Note: The PKCS#11 tokens configured for use by IBM HTTP Server - Powered by Apache should not be
used for any other purpose including, being referenced in any of the factor settings configured by running
the AZFEXEC exec.
Important: Troubleshooting IBM MFA CRYPTOZ access problems can be difficult if a governing profile
does not exist. Under some circumstances, such as when the user ID of the web server started task
does not have access to one or more of the profiles in the CRYPTOZ class because the profile does not
exist, ICSF can deny a request without issuing an informative ICHnumber error message, leaving only the
reason code for guidance.

It is recommended that you create a governing CRYPTOZ class profile with a value of ** with a UACC
of NONE. In the absence of a profile that permits access, this restrictive profile causes a message to be
output so that you can determine the missing RACF profile.

RDEFINE CRYPTOZ SO.** UACC(NONE)
RDEFINE CRYPTOZ USER.** UACC(NONE)

Procedure
1. Create the TKDS. A sample job illustrating the definition of the TKDS data set is shipped in
SYS1.SAMPLIB, in member CSFTKDS. Copy, edit, and run the sample job to initialize the TKDS data
set.
2. Edit the ICSF installation options data set in the PARMLIB member for the CSF started task. Set the
TKDSN or SYSPLEXTKDS directives, as appropriate:
Important: You can add a TKDS data set to an existing PKCS#11 configuration. The TKDS data set
must be shared in a SYSPLEX. You can add the TKDS data set one LPAR at a time in a SYSPLEX.
• TKDSN identifies the VSAM data set that contains the token data set.
• SYSPLEXTKDS specifies whether the token data set should have sysplex-wide data consistency.
The SYSPLEXTKDS option is in effect only if the TKDSN option has also been specified.
In a sysplex, the required format of this directive is:

SYSPLEXTKDS(YES,FAIL(YES))

where YES specifies that the system is notified of updates made to the TKDS by other members of
the sysplex that have also specified SYSPLEXTKDS(YES,FAIL(fail-option)), and FAIL (YES)
specifies that ICSF initialization terminates abnormally if there is a failure creating the TKDS latch
set.
3. Create the PKCS#11 token using RACDCERT ADDTOKEN.
4. Activate the CRYPTOZ class with generics and RACLISTs:

SETROPTS CLASSACT(CRYPTOZ) GENERIC(CRYPTOZ) RACLIST(CRYPTOZ)

5. Create generic profiles in the CRYPTOZ class.

RDEFINE CRYPTOZ SO.** UACC(NONE)
RDEFINE CRYPTOZ USER.** UACC(NONE)

6. Create a profile for the IBM HTTP web server's access to the token.

RDEFINE CRYPTOZ SO.TOKEN_NAME UACC(NONE)

7. Create a profile for the standard user's access to the token:

RDEFINE CRYPTOZ USER.TOKEN_NAME UACC(NONE)

8. Give the web server CONTROL access to the profile that protects the token, where web-server-user-ID
is the user ID of the IBM HTTP web server started task.

PERMIT SO.TOKEN_NAME CLASS(CRYPTOZ) ID(web-server-user-ID) ACC(CONTROL)

9. Give the same user UPDATE access to the profile that protects the token, where web-server-user-ID is
the user ID of the IBM HTTP web server started task.

PERMIT USER.TOKEN_NAME CLASS(CRYPTOZ) ID(web-server-user-ID) ACC(UPDATE)

10. Refresh the profile for the CRYPTOZ class, so that the changes take effect:

SETROPTS RACLIST(CRYPTOZ) REFRESH

11. Give the same user READ access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class, where
user-ID is the user ID of the IBM HTTP web server started task.

PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(user-ID) ACCESS(READ)

12. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

Special considerations for sub-requests


All users who need to list directories or perform other IBM HTTP Server - Powered by Apache sub-
requests must have READ access to the profiles described in this section.

About this task


All users who need to list directories or perform other IBM HTTP Server - Powered by Apache sub-
requests must have READ access to the profiles in Table 56 on page 198. This access is required
regardless of whether the users are provisioned with IBM MFA. This access is required because the web
server user ID changes to the user ID prior to processing the sub request.
An example of sub-requests is entering a URL ending in / when Options +Indexes is specified in
httpd.conf to allow directory listings to be returned to the user. In this case, the user ID on the thread
is changed when processing the initial request to that of the user and all sub-requests are processed
using the user's user ID.

Table 56. Required profile access for sub-requests


Class Profile
CRYPTOZ USER.<TOKEN_NAME>
CSFSERV CSF1SKD
CSFSERV CSF1SKE
CSFSERV CSFOWH
CSFSERV CSF1TRL

Configure IBM HTTP Server - Powered by Apache


Edit the IBM HTTP Server - Powered by Apache conf/httpd.conf file to make IBM MFA-specific
changes.

Before you begin


You must satisfy the following prerequisites:
• You must have already installed and configured IBM HTTP Server - Powered by Apache. 64-bit and
31-bit versions of V8R5 and V9R0 are supported.
See IBM HTTP Server Powered by Apache (http://publibz.boulder.ibm.com/epubs/pdf/dpr1cg00.pdf) for
installation and configuration information. In particular, see the section "Authenticating with SAF on
IBM HTTP Server (z/OS systems)."
• You must have already configured a PKCS#11 token as described in “Configure a PKCS#11 token” on
page 195.

Procedure
1. For V8R5 only, add (or uncomment) the following directives to the conf/httpd.conf file. SAF
authentication is provided by the mod_authnz_saf module. The mod_saf_mfa85.so module is IBM
MFA specific. The module name is mod_saf_mfa85_31.so for the 31-bit version.

LoadModule headers_module modules/mod_headers.so
LoadModule authnz_saf_module modules/mod_authnz_saf.so
LoadModule saf_mfa_module /usr/lpp/IBM/azfv2r2/modules/mod_saf_mfa85.so
Header append Cache-Control max-age=0

2. For V9R0 only, add (or uncomment) the following directives to the conf/httpd.conf file. SAF
authentication is provided by the mod_authnz_saf module. The mod_saf_mfa90.so module is IBM
MFA specific. The module name is mod_saf_mfa90_31.so for the 31-bit version.

LoadModule headers_module modules/mod_headers.so
LoadModule authnz_saf_module modules/mod_authnz_saf.so
LoadModule saf_mfa_module /usr/lpp/IBM/azfv2r2/modules/mod_saf_mfa90.so
Header always merge Cache-Control max-age=0

3. For both V8R5 and V9R0, add all of the following (case sensitive) directives to the httpd.conf file:

<Location location.html>
    SAFRunAs %%CLIENT%%
    AuthBasicProvider saf
    AuthName safmfatest1
    AuthType BASIC
    Require valid-user
    MFADomain cookieName
    MFAExpireSeconds num-of-seconds
    MFAPKCS#11TokenName PKCS#11 token name
    MFAKeyLabel PKCS#11 key label
    MFAPath path
    SAFAPPLID MFATEST1
    AuthSAFExpiration "EXPIRED! oldpw/newpw/newpw"
</Location>

where:
• The scope of the IBM MFA configuration parameters is the current location, but you can set them
outside of a Location definition to set global default values. If set globally, one or more values can
be overridden on a per-location basis.
• The non-IBM MFA-specific statements must use these exact values, with the exception of AuthName
and SAFAPPLID, which are site-specific values.
• MFADomain cookieName has a limit of 32 characters and defaults to MFAToken.
• MFAExpireSeconds is the number of seconds for which the IBM MFA authentication is valid.
Change this value as needed in your environment. Possible values are 0-86400, inclusive. If you
specify a value over the maximum value, it is ignored and the maximum value is used. The default is
86400 (24 hours).
• MFAKeyLabel PKCS#11 key label has a limit of 32 characters and defaults to AZF.IHSA.SESSION.
The value you specify for PKCS#11 key label is used if it already exists and is created if it does not
already exist.
• MFAPath path is the authentication path for IBM MFA resources. All requested resources must be
subordinate to this path. If a resource is outside the path, users are prompted to re-authenticate. If
not specified, the default is "/".
• MFAPKCS#11TokenName PKCS#11 token name has a limit of 32 characters and defaults to
AZF.IHSA.TOKEN.
The value you specify for PKCS#11 token name identifies the PKCS#11 token to contain the key
material used to encrypt the cookie. This is the token you created in “Configure a PKCS#11 token”
on page 195.
Note: If you change the values for MFAKeyLabel or MFAPKCS#11TokenName after they have been
used, it may result in unspecified failures.
4. Define the BPX.DAEMON FACILITY class profile if it is not already defined:

RDEFINE FACILITY BPX.DAEMON UACC(NONE)

5. The user ID of the IBM HTTP web server must have UPDATE access to the BPX.DAEMON FACILITY
class profile, where web-server-user-ID is the user ID of the web server started task.

PERMIT BPX.DAEMON CLASS(FACILITY) ID(web-server-user-ID) ACC(UPDATE)

6. Define the BPX.SERVER FACILITY class profile if it is not already defined:

RDEFINE FACILITY BPX.SERVER UACC(NONE)

7. The user ID of the IBM HTTP web server must have UPDATE access to the BPX.SERVER FACILITY class
profile, where web-server-user-ID is the user ID of the web server started task.

PERMIT BPX.SERVER CLASS(FACILITY) ID(web-server-user-ID) ACC(UPDATE)

8. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

9. Start the web server, as described in IBM HTTP Server Powered by Apache (http://
publibz.boulder.ibm.com/epubs/pdf/dpr1cg00.pdf).

Chapter 34. IBM CL/SuperSession for z/OS
IBM CL/SuperSession for z/OS, V2.1 provides efficient management of VTAM® sessions for mainframe
applications.
You can use IBM MFA to log in to IBM CL/SuperSession for z/OS, V2.1 in the following ways:
• In-band using a passphrase or password. It is recommended that you configure IBM CL/SuperSession
for z/OS, V2.1 to use passphrases if you are using RSA SecurID tokens that require the user to enter a
PIN and a tokencode.
• Via IBM MFA Out-of-Band with a cache token credential.
• You can configure IBM CL/SuperSession for z/OS, V2.1 to use PassTickets to authenticate to
downstream applications after a successful IBM MFA authentication to IBM CL/SuperSession for z/OS,
V2.1. In this case, in addition to the configuration required for IBM CL/SuperSession for z/OS, you must
also configure IBM MFA for PassTickets as described in Chapter 35, “Using IBM MFA with PassTickets,”
on page 203.
See IBM CL/SuperSession for z/OS Version 2 Release 1 for configuration information and other product
documentation.

Chapter 35. Using IBM MFA with PassTickets
The RACF PassTicket is a one-time-only password that is generated by a requesting product or function.
It is an alternative to the RACF password and password phrase that removes the need to send RACF
passwords and password phrases across the network in clear text.

Before you begin


You must have already configured an application to use PassTickets. Every RACF PassTicket must be
generated for the specific application that authenticates using the PassTicket. When an authenticating
application performs a SAF RACROUTE REQUEST=VERIFY request using the PassTicket, it must perform
one of the following actions:
• Explicitly specify the APPL= parameter to provide an application-determined application name to be
used during PassTicket validation.
• Omit the APPL= parameter, which causes a RACF-derived application name to be used during
PassTicket validation, as documented in the z/OS Security Server RACF Messages and Codes in the
section Determining PTKTDATA profile names.
If the application name used to generate the PassTicket does not match the application name used during
RACROUTE REQUEST=VERIFY processing, the PassTicket will fail validation when IBM MFA calls the
R_GenSec service to check whether it is valid. In this case, the PassTicket is treated as an IBM MFA credential.
Note: You should not assume that the VTAM Application ID (APPLID) value used to connect to an
application will also be used as the RACF application name. The RACF application name is determined
solely by the authenticating application. An application may choose to use the VTAM APPLID as the RACF
application name, but it does not have to do so.

About this task


If you are using a "strong" factor such as TOTP, IBM MFA with SecurID, or Certificate Authentication for
a user, you can also specify PassTickets. (There is no practical benefit to specifying PassTickets alone
because IBM MFA would not be involved.)
You can configure IBM MFA to allow the use of a PassTicket only after a recent successful IBM MFA
authentication. A successful IBM MFA authentication can occur in-band by using IBM MFA credentials to
log on to any application, or out-of-band by authenticating using IBM MFA credentials to obtain a CTC. The
time at which the successful IBM MFA authentication occurs is saved in the user's AZFPTKT1 tag data.
Note: An unsuccessful IBM MFA authentication attempt by the user, either in-band or out-of-band, will
cause the IBM MFA PassTicket integration to clear its record of the user's last successful IBM MFA
authentication time. This prevents the user from successfully authenticating with a PassTicket until the
user completes another successful IBM MFA authentication.
In both cases, IBM MFA then calls R_GenSec with the user ID, the 8-character PassTicket, and the
application name to evaluate the PassTicket.
Important: Make sure that you tell the application users when to log on with their PassTicket, and
specifically whether they must first log on with their IBM MFA credentials.

Procedure
1. Use RDEFINE to define an MFADEF class profile named FACTOR.AZFPTKT1.

RDEF MFADEF FACTOR.AZFPTKT1

2. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

3. Verify the change. For example:

RLIST MFADEF FACTOR.AZFPTKT1

4. Use RDEFINE to create a FACILITY class profile named IRR.RFACTOR.MFADEF.AZFPTKT1.

RDEF FACILITY IRR.RFACTOR.MFADEF.AZFPTKT1

5. Refresh the FACILITY class:

SETROPTS RACLIST(FACILITY) REFRESH

6. Verify the change. For example:

RLIST FACILITY IRR.RFACTOR.MFADEF.AZFPTKT1

7. Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFPTKT1
profile. Allow the access shown in Table 57 on page 204:

Table 57. Required levels of permission

Permission | Access
READ | Able to view configuration options, but may not update, create, or delete parameters.
UPDATE, CONTROL, ALTER | Able to create, update, delete, and view configuration options.

For example:

PERMIT IRR.RFACTOR.MFADEF.AZFPTKT1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
SETROPTS RACLIST(FACILITY) REFRESH

8. To allow IBM MFA to accept all PassTickets passed on a RACROUTE REQUEST=VERIFY, you must
create a PTKTDATA class IRRPTAUTH.** profile and allow the user ID of the IBM MFA services
started task AZF#IN00 READ access to the profile.
In addition, because RACF always uses the most specific profile that matches a specified
IRRPTAUTH.<appl>.<tuser> profile value when performing authentication checks, you must also
permit IBM MFA READ access to any additional specific (or less generic) PTKTDATA class
IRRPTAUTH.<appl>.<tuser> profiles that have been defined.
Note: This step assumes that you have previously issued the following command and then defined
the required profiles:

SETROPTS CLASSACT(PTKTDATA) GENCMD(PTKTDATA) GENERIC(PTKTDATA) RACLIST(PTKTDATA)

For example, assume that the following PTKTDATA class profiles exist:
• IRRPTAUTH.<appl3>.<tusera>
• IRRPTAUTH.*.<tuserb>
• IRRPTAUTH.<appl1>.*
• IRRPTAUTH.<appl2>.*
To be able to accept all PassTickets passed on a RACROUTE REQUEST=VERIFY, IBM MFA requires
READ access to the following PTKTDATA class profiles:
• IRRPTAUTH.**
• IRRPTAUTH.<appl3>.<tusera>
• IRRPTAUTH.*.<tuserb>
• IRRPTAUTH.<appl1>.*
• IRRPTAUTH.<appl2>.*

9. Execute AZFEXEC and choose AZFPTKT1.
10. Choose from the following options:
• Whether to require a successful IBM MFA logon prior to the PassTicket being evaluated.
– If Y, the most recent IBM MFA authentication for the user must have occurred within the
PassTicket evaluation window number of seconds. If the most recent IBM MFA logon is inside
this window, IBM MFA calls R_GenSec. If the most recent IBM MFA logon is outside this window,
the authentication is processed as an IBM MFA authentication and might therefore fail.
– If N, IBM MFA calls R_GenSec without first requiring an IBM MFA logon.
• PassTicket evaluation window, as a number of seconds. This is the length of time in seconds that
PassTickets may be used to authenticate after a successful IBM MFA authentication. Valid entries
are integer values between 30 and 86400 (24 hours), inclusive. The default is 600 (10 minutes).
– If "Require MFA Logon prior to PassTicket Evaluation" is set to Y, the most recent IBM MFA
authentication for the user must have occurred within the PassTicket evaluation window.
– If "Require MFA Logon prior to PassTicket Evaluation" is set to N, the PassTicket evaluation
window setting is ignored.
• Trace level used for tracing events within the AZFPTKT1 plug-in. Valid values are 0 through 3,
where the higher number increases the level of verbosity. The default is zero.
11. Save the configuration, even if you did not make any changes, to complete the configuration process.
12. Activate users for PassTickets:

ALU [Login ID] MFA(FACTOR(AZFPTKT1) ACTIVE TAGS(WINDOW:numseconds MFAFIRST:Y|N))

Where:
• [Login ID] is the z/OS user name.
• ACTIVE activates the AZFPTKT1 authenticator for the user ID.
• WINDOW sets the evaluation window, as a number of seconds.
• MFAFIRST specifies whether to require a successful IBM MFA logon prior to the PassTicket being
evaluated. The possible values are Y and N, and uppercase is required.
If you set MFAFIRST or WINDOW for a user, it overrides the default setting.
13. To return a user to the default tag settings:

ALU [Login ID] MFA(FACTOR(AZFPTKT1) DELTAGS(MFAFIRST WINDOW))
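
The MFAFIRST and WINDOW decision flow from steps 10 through 13, modelled as an added Python example (this is not IBM code; the class and method names, the epoch-second timestamps and the dictionary standing in for the AZFPTKT1 tag data are assumptions, and R_GenSec itself is not modelled, only whether IBM MFA would call it):

```python
"""Added model of the AZFPTKT1 PassTicket decision flow (not IBM's code; see lead-in)."""
from typing import Dict, Optional

# Values the manual gives for the plug-in: WINDOW 30..86400 seconds, default 600.
WINDOW_MIN, WINDOW_MAX, WINDOW_DEFAULT = 30, 86400, 600
MFAFIRST_DEFAULT = "Y"


def validate_window(window: int) -> int:
    """Reject evaluation windows outside the documented 30..86400 second range."""
    if not isinstance(window, int) or not WINDOW_MIN <= window <= WINDOW_MAX:
        raise ValueError(f"WINDOW must be an integer {WINDOW_MIN}..{WINDOW_MAX}")
    return window


def validate_mfafirst(value: str) -> str:
    """MFAFIRST must be uppercase Y or N, as the ALU TAGS syntax requires."""
    if value not in ("Y", "N"):
        raise ValueError("MFAFIRST must be Y or N (uppercase)")
    return value


class PassTicketPlugin:
    """Plug-in defaults chosen in AZFEXEC plus per-user overrides set with ALU ... TAGS(...)."""

    def __init__(self, mfafirst: str = MFAFIRST_DEFAULT, window: int = WINDOW_DEFAULT):
        self.mfafirst = validate_mfafirst(mfafirst)
        self.window = validate_window(window)
        # user -> epoch seconds of the last *successful* IBM MFA authentication
        # (stand-in for the time saved in the user's AZFPTKT1 tag data)
        self.last_mfa_success: Dict[str, int] = {}
        # user -> {"MFAFIRST": ..., "WINDOW": ...}, the ALU TAGS overrides
        self.user_tags: Dict[str, Dict[str, object]] = {}

    def set_tags(self, user: str, mfafirst: Optional[str] = None,
                 window: Optional[int] = None) -> None:
        """Model ALU [Login ID] MFA(FACTOR(AZFPTKT1) ACTIVE TAGS(WINDOW:n MFAFIRST:Y|N))."""
        tags = self.user_tags.setdefault(user, {})
        if mfafirst is not None:
            tags["MFAFIRST"] = validate_mfafirst(mfafirst)
        if window is not None:
            tags["WINDOW"] = validate_window(window)

    def delete_tags(self, user: str) -> None:
        """Model ALU [Login ID] MFA(FACTOR(AZFPTKT1) DELTAGS(MFAFIRST WINDOW))."""
        self.user_tags.pop(user, None)

    def record_mfa_attempt(self, user: str, success: bool, now: int) -> None:
        """A successful in-band or out-of-band MFA logon is timestamped; a failure clears it."""
        if success:
            self.last_mfa_success[user] = now
        else:
            self.last_mfa_success.pop(user, None)

    def evaluate(self, user: str, now: int) -> str:
        """Return 'R_GENSEC' when IBM MFA would hand the PassTicket to R_GenSec, or
        'MFA_CREDENTIAL' when it would be processed as an IBM MFA credential instead."""
        tags = self.user_tags.get(user, {})
        mfafirst = tags.get("MFAFIRST", self.mfafirst)   # user tag overrides the default
        if mfafirst == "N":
            return "R_GENSEC"            # window is ignored when MFAFIRST is N
        window = tags.get("WINDOW", self.window)
        last = self.last_mfa_success.get(user)
        if last is None or now - last > window:
            return "MFA_CREDENTIAL"      # no recent MFA logon, or outside the window
        return "R_GENSEC"
```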

Chapter 36. Bypassing IBM MFA
You might have a need to bypass IBM MFA authentication for one or more applications for all users or
specific users.

Bypassing IBM MFA for applications


You can bypass IBM MFA for specific applications and specific application users. After you bypass IBM
MFA, the application users must use their RACF password to log on.
You can bypass IBM MFA for specific applications and specific application users, allow IBM MFA access
only for specific applications and specific application users, and set a default IBM MFA bypass profile for
applications that are not otherwise allowed or bypassed.
Important: If you bypass IBM MFA for an application or application users, make sure that you tell the
application users to log on with their RACF password or a valid cache token credential (CTC).
A valid CTC can be used as the credential on any in-band authentication request, even for authentication
requests that are associated with an MFABYPASS profile.
There are three high-level scenarios for bypassing IBM MFA for specific applications or allowing IBM MFA
access for specific applications, as shown in Table 58 on page 207.

Table 58. Bypass Scenarios

Scenario 1: You know the application provides the RACF application name in the APPL=applname
parameter from a RACROUTE REQUEST=VERIFY request and you know the applname value.
Description: In this case, IBM MFA generates a profile of the name MFABYPASS.APPL.applname and tests
users' access against this profile in the MFADEF class. If the access returned is NONE, IBM MFA
authenticates the credentials as IBM MFA credentials. If the access returned is READ or better, then IBM
MFA authenticates the credentials as valid RACF credentials (password or passphrase, as appropriate). No
further profile checks are made.

Scenario 2: You know the application does not provide the RACF application name in the APPL=applname
parameter from a RACROUTE REQUEST=VERIFY request, but the authentication is performed by an
existing address space, such as STC, that is running with a defined user ID.
Description: In this case IBM MFA generates a profile of the name MFABYPASS.USERID.STCUSERID and
tests users' access against this profile in the MFADEF class. If the access returned is NONE, IBM MFA
authenticates the credentials as IBM MFA credentials. If the access returned is READ or better, then IBM
MFA authenticates the credentials as valid RACF credentials (password or passphrase, as appropriate). No
further profile checks are made.

Scenario 3: You know the application does not provide the RACF application name in the APPL=applname
parameter from a RACROUTE REQUEST=VERIFY request and the authentication is performed by an
address space, such as STC, that is not running with a defined user ID or it is taking place during
address space creation.
Description: In this case IBM MFA generates a profile of the name MFABYPASS.DEFAULT and tests users'
access against this profile in the MFADEF class. If the access returned is NONE, IBM MFA authenticates
the credentials as IBM MFA credentials. If the access returned is READ or better, then IBM MFA
authenticates the credentials as valid RACF credentials (password or passphrase, as appropriate). No
further profile checks are made.

Note: It is strongly recommended that you define profiles MFABYPASS.APPL.* and
MFABYPASS.USERID.* with an access level of UACC(NONE) and no access list to ensure that no
unintended bypasses of IBM MFA occur.

Determining relevant authentication information


You can determine the relevant information issued by an authentication request.
To find out the relevant information issued by any particular authentication request made by an IBM MFA
user, issue the operator command and then attempt an authentication:

F <MFA_STC_Job_Name>,STC SET TRACE LEVEL 2

Search the system log for entries beginning with MFAA, similar to the following:

MFAA Version=2, MFAA Length=264, Application=TESTAPP, STC UserID=TSTUSR

The IBM MFA started task’s SYSPRINT will contain lines that show the application name and user ID
values supplied explicitly and implicitly by the issuer of the RACROUTE REQUEST=VERIFY call, which you
can use to guide you in defining profiles.

Additional specificity through ACL and UACC


For all three scenarios, you can further qualify which specific application users are allowed for IBM MFA or
bypassed by using an ACL or UACC.
You can bypass IBM MFA authentication for an application if the user being authenticated has a minimum
of READ access to the profile in the MFADEF class for the application. If the user does not have a
minimum of READ access to the profile in the MFADEF class for the application, IBM MFA is required.
RACF considers ACLs first:
• If the user is on the access list (either explicitly or using the group names in which the user is a
member), return that access.
• If the user is not on the access list, return the access defined by UACC.

Bypassing IBM MFA for applications by application name


You can bypass IBM MFA for specific applications and specific application users. After you bypass IBM
MFA, the application users must use their RACF credentials to log on.

Procedure
1. The following example creates default profiles as a fallback. UACC(NONE) allows IBM MFA
authentication for all applications that are not otherwise bypassed by more specific profiles.

RDEFINE MFADEF MFABYPASS.APPL.* UACC(NONE)
RDEFINE MFADEF MFABYPASS.USERID.* UACC(NONE)
RDEFINE MFADEF MFABYPASS.DEFAULT UACC(NONE)

2. The following example bypasses IBM MFA for the MFATEST application for all users who have at least
READ access to a profile in the MFADEF class for the application.

RDEFINE MFADEF MFABYPASS.APPL.MFATEST UACC(READ)

3. The following example bypasses the MFATEST application only for user JSMITH.

RDEFINE MFADEF MFABYPASS.APPL.MFATEST UACC(NONE)
PERMIT MFABYPASS.APPL.MFATEST CLASS(MFADEF) ID(JSMITH) ACCESS(READ)

4. The following example bypasses IBM MFA for all applications, except the MFATEST application
identified with a profile in the MFADEF class with access NONE:

RDEFINE MFADEF MFABYPASS.APPL.* UACC(READ)
RDEFINE MFADEF MFABYPASS.APPL.MFATEST UACC(NONE)

5. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH
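
The profile selection of Table 58 and the ACL-then-UACC evaluation described under "Additional specificity through ACL and UACC", applied to the MFATEST and JSMITH profiles from steps 1, 3 and 4 above, as an added Python model (not IBM's code; the Profile class, the simplified generic-profile matching, and the user and application names BOB, ANNA, OTHERAPP and PAYROLL are assumptions):

```python
"""Added model of IBM MFA bypass-profile evaluation (not IBM's code; see lead-in)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RACF access levels in ascending order; READ or better means "bypass IBM MFA".
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    """One MFADEF-class profile: its UACC and an access list keyed by user or group ID."""
    name: str
    uacc: str = "NONE"
    acl: Dict[str, str] = field(default_factory=dict)


def bypass_profile_name(appl: Optional[str], stc_userid: Optional[str]) -> str:
    """Which MFABYPASS profile IBM MFA checks: the three scenarios of Table 58."""
    if appl:                       # APPL= supplied on RACROUTE REQUEST=VERIFY
        return f"MFABYPASS.APPL.{appl}"
    if stc_userid:                 # no APPL=, but issued by an address space with a user ID
        return f"MFABYPASS.USERID.{stc_userid}"
    return "MFABYPASS.DEFAULT"     # no APPL= and no defined user ID


def find_profile(profiles: List[Profile], resource: str) -> Optional[Profile]:
    """Most specific matching profile. Simplified generic matching (assumption):
    '*' matches exactly one whole qualifier, and a profile with more literal
    qualifiers is the more specific one."""
    parts = resource.split(".")
    best: Optional[Profile] = None
    best_score = -1
    for p in profiles:
        pparts = p.name.split(".")
        if len(pparts) != len(parts):
            continue
        if not all(q == "*" or q == v for q, v in zip(pparts, parts)):
            continue
        score = sum(q != "*" for q in pparts)
        if score > best_score:
            best, best_score = p, score
    return best


def effective_access(profile: Profile, user: str, groups: List[str]) -> str:
    """RACF considers the access list first (user entry, then group entries), then UACC."""
    if user in profile.acl:
        return profile.acl[user]
    via_groups = [profile.acl[g] for g in groups if g in profile.acl]
    if via_groups:
        return max(via_groups, key=ACCESS_RANK.__getitem__)
    return profile.uacc


def credential_path(profiles: List[Profile], user: str, groups: List[str],
                    appl: Optional[str] = None, stc_userid: Optional[str] = None) -> str:
    """'RACF': password or passphrase is accepted (IBM MFA is bypassed).
    'MFA': the credentials are evaluated as IBM MFA credentials."""
    profile = find_profile(profiles, bypass_profile_name(appl, stc_userid))
    if profile is None:
        # No matching profile is treated here as access NONE (assumption). The manual
        # recommends MFABYPASS.APPL.* and MFABYPASS.USERID.* with UACC(NONE) so that
        # this case never arises.
        return "MFA"
    access = effective_access(profile, user, groups)
    return "RACF" if ACCESS_RANK[access] >= ACCESS_RANK["READ"] else "MFA"


def example_jsmith_only() -> Dict[str, str]:
    """Steps 1 and 3 above: UACC(NONE) defaults, MFATEST bypassed only for JSMITH."""
    profiles = [
        Profile("MFABYPASS.APPL.*"),
        Profile("MFABYPASS.USERID.*"),
        Profile("MFABYPASS.DEFAULT"),
        Profile("MFABYPASS.APPL.MFATEST", acl={"JSMITH": "READ"}),
    ]
    return {
        "JSMITH@MFATEST": credential_path(profiles, "JSMITH", [], appl="MFATEST"),
        "BOB@MFATEST": credential_path(profiles, "BOB", [], appl="MFATEST"),
        "JSMITH@OTHERAPP": credential_path(profiles, "JSMITH", [], appl="OTHERAPP"),
        "BOB@stc:TSTUSR": credential_path(profiles, "BOB", [], stc_userid="TSTUSR"),
        "BOB@default": credential_path(profiles, "BOB", []),
    }


def example_all_except_mfatest() -> Dict[str, str]:
    """Step 4 above: bypass IBM MFA for every application except MFATEST."""
    profiles = [
        Profile("MFABYPASS.APPL.*", uacc="READ"),
        Profile("MFABYPASS.APPL.MFATEST", uacc="NONE"),
    ]
    return {
        "BOB@OTHERAPP": credential_path(profiles, "BOB", [], appl="OTHERAPP"),
        "BOB@MFATEST": credential_path(profiles, "BOB", [], appl="MFATEST"),
    }
```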

Bypassing IBM MFA for applications by ID


You can bypass IBM MFA for an application by using the user ID that submits the RACROUTE
REQUEST=VERIFY request for the application. After you bypass IBM MFA, the application users must
use their RACF password to log on.

About this task


Note: You might find it convenient to use SDSF to view the job status and determine the user ID. The
Owner column identifies the user ID. You cannot use an Owner marked as plus signs (+).

Procedure
1. The following example creates default profiles as a fallback. UACC(NONE) allows IBM MFA
authentication for all applications that are not otherwise bypassed by more specific profiles.

RDEFINE MFADEF MFABYPASS.APPL.* UACC(NONE)
RDEFINE MFADEF MFABYPASS.USERID.* UACC(NONE)
RDEFINE MFADEF MFABYPASS.DEFAULT UACC(NONE)

2. The following example bypasses IBM MFA for MFATEST for all users with READ or higher access to the
profile.

RDEFINE MFADEF MFABYPASS.USERID.MFATEST UACC(READ)

3. The following example bypasses IBM MFA for an application identified by the MFATEST user ID only for
user JSMITH.

RDEFINE MFADEF MFABYPASS.USERID.MFATEST UACC(NONE)
PERMIT MFABYPASS.USERID.MFATEST CLASS(MFADEF) ID(JSMITH) ACCESS(READ)

4. Refresh the MFADEF class:

SETROPTS RACLIST(MFADEF) REFRESH

Chapter 37. Translating IBM MFA messages and HTML
IBM MFA allows you to provide translated versions of IBM MFA messages and HTML text that are
displayed in the language specified by the web browser.

Procedure
1. Specify a customer-specific root in Customized Document Root as described in “Configure IBM MFA
web services started task” on page 41. For example, /usr/lpp/local/azfv2r2/NLS.
Note: The user ID of the web services started task must have read access to this directory tree.
2. Create an i18n subdirectory in your document root. For example, /usr/lpp/local/azfv2r2/NLS/i18n.
3. In the i18n subdirectory, create a language (for example, en or fr) or language-locale (for example,
en-US or fr-BE) translation subdirectory. For example, /usr/lpp/local/azfv2r2/NLS/i18n/fr.
4. Copy htdocs/i18n/translate.json to /usr/lpp/local/azfv2r2/NLS/i18n/fr/translate.json and edit
the strings as needed, using exactly the same key:value pair format.

{
  "IBM MFA Out of Band Interface": "IBM MFA Out of Band Interface",
  "IBM TouchToken Enrollment": "IBM TouchToken Enrollment",
  "Certificate Enrollment via Mutually-Authenticated TLS": "Certificate Enrollment via Mutually-Authenticated TLS",
  "Authentication Token": "Authentication Token",
  "Please wait, request is being processed": "Please wait, request is being processed",
  "Please input the policy name": "Please input the policy name",
  "INTERACTIVE": "Interactive",
  "Policy Name": "Policy Name",
  "Enter your SecurID passcode": "Enter your SecurID passcode",
  "Passcode": "Passcode",
  "RSA SecureID": "RSA SecureID",
  "Password Authentication": "Password Authentication",
  :
  :

5. In the i18n subdirectory, create an HTML subdirectory. For example,
/usr/lpp/local/azfv2r2/NLS/i18n/fr/html.
6. Copy the HTML pages from htdocs/html to /usr/lpp/local/azfv2r2/NLS/i18n/fr/html/
and edit as needed.
7. IBM MFA finds /usr/lpp/local/azfv2r2/NLS/i18n/fr/translate.json and
/usr/lpp/local/azfv2r2/NLS/i18n/fr/html/*.html and serves them as needed.
htdocs/i18n/translate.json is the default file if a client-specific translation file is not available.

Chapter 38. Resource profile authorization reference
Ensure that the user IDs of the started tasks and administrators who execute the panels are sufficiently
privileged.
Table 59 on page 213 summarizes the required resource profile access. The resource profiles are
described in the related and factor-specific chapters, and are summarized here for your convenience.
Important: Before you implement the access described in these profiles, review the profiles that are
already in place in your environment. Be mindful of any conflicts and potential security errors with other
interfaces that use these profiles. Adding specific profiles over generic profiles could effectively remove
access required by an existing user or application.
Do not create an access control list on MFADEF FACTOR.** and POLICY.** profiles. For example,
FACTOR.AZFSTC.

Checking and updating access to resource profiles


One way to check the current access to a resource profile is with the RLIST command:

RL <class-name> (profile-name ...) ALL

For example:

RL facility (irr.rfactor.mfadef.azfyubi1) ALL
RL csfserv (csfowh) ALL

If you need to permit access to a resource profile, use the PERMIT command:

PERMIT IRR.RFACTOR.MFADEF.AZFYUBI1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)

If you change the access to a resource profile, you must refresh the class:

SETROPTS RACLIST(FACILITY) REFRESH

Required user authorization


Note: In the table, AZFSTC is the user ID for AZF#IN00 and AZFWEB is the user ID for AZF#IN01.
Table 59. Required User Authorization

The Access column lists, in column order, the access required for the IBM MFA services started task user
ID (AZFSTC), the IBM MFA web services started task user ID (AZFWEB), and the user ID of the admin who
executes the panels; blank cells are omitted.

Resource Profile/Data Set | Class | Access
SO.TOKEN_NAME | CRYPTOZ | CONTROL | CONTROL for PKCS#11 token; CONTROL for RADIUS shared secret
USER.TOKEN_NAME | CRYPTOZ | UPDATE | UPDATE | CONTROL for PKCS#11 token; UPDATE for RADIUS shared secret
CLEARKEY.token-name | CRYPTOZ | READ | READ
CSFRNG | CSFSERV | READ | READ
CSF1SKD | CSFSERV | READ | READ
CSF1SKE | CSFSERV | READ | READ
CSF1TRC | CSFSERV | READ | READ
CSF1TRL | CSFSERV | READ | READ
CSFOWH | CSFSERV | READ | READ
CSF1GSK | CSFSERV | READ | READ
CSFIQA | CSFSERV | READ | READ
CSFRNGL | CSFSERV | READ | READ
CSF1HMG | CSFSERV | READ | READ
IRR.DIGTCERT.LISTRING | FACILITY | READ
IRR.RFACTOR.MFADEF.AZFCERT1 | FACILITY | READ | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFSTC | FACILITY | READ | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFTOTP1 | FACILITY | READ | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFSIDP1 | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFSIDP3 | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFRADP1 | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFSFNP1 | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFSIDR1 | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFYUBI1 | FACILITY | READ | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFLDAP1 | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFISAM1 | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFCKCTC | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFPASS1 | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.MFADEF.AZFPTKT1 | FACILITY | READ, UPDATE, CONTROL, ALTER
IRR.RFACTOR.USER | FACILITY | UPDATE
IRR.RFACTOR.POLICY.POLICY-NAME | FACILITY | READ
IRRPTAUTH.RACF_APPL_NAME.* | PTKTDATA | READ
IRRPTAUTH.AZFAPPL.* | PTKTDATA | UPDATE
IRRPTAUTH.PWCHANGE.APPL.AZFAPPL | PTKTDATA | UPDATE
Node secret data set | - | UPDATE

Special considerations for CHECKAUTH(YES)
Allow access to the CSFSERV resource profiles shown in Table 60 on page 215 when CHECKAUTH is YES.

Table 60. CSFSERV Resource Profiles When CHECKAUTH is YES


Resource Profile | IBM MFA Services Started Task User ID AZFSTC | Web Services STC User ID AZFWEB | TCPIP Started Task User ID
CSFDSG READ
CSFDSV READ
CSFOWH READ
CSFRNG READ READ
CSFRNGL READ READ
CSF1DVK READ
CSF1GAV READ
CSF1GKP READ
CSF1GSK READ
CSF1HMG READ READ
CSF1SKD READ READ READ
CSF1SKE READ
CSF1TRC READ
CSF1TRD READ READ READ
CSF1TRL READ READ
CSFPKI READ

IBM HTTP Server - Powered by Apache for IBM MFA


Table 61 on page 215 summarizes the required resource profile access for IBM HTTP Server - Powered by
Apache.

Table 61. Resource Profiles


Resource Profile Class Web Server User ID
BPX.DAEMON FACILITY UPDATE
BPX.SERVER FACILITY UPDATE
CLEARKEY.TOKEN_NAME CRYPTOZ READ
CSF1HMG CSFSERV READ
CSF1GSK CSFSERV READ
CSF1SKD CSFSERV READ
CSF1SKE CSFSERV READ
CSF1TRC CSFSERV READ
CSF1TRL CSFSERV READ

CSFIQA CSFSERV READ
CSFOWH CSFSERV READ
CSFRNG CSFSERV READ
CSFRNGL CSFSERV READ
IRR.DIGTCERT.LISTRING FACILITY READ (UPDATE is needed if TLS is configured for the web server)
SO.TOKEN_NAME CRYPTOZ CONTROL
USER.TOKEN_NAME CRYPTOZ UPDATE

Note: If the web server is configured with SSL/TLS, the web server user ID requires access to additional
profiles, such as CSFDSG, CSF1DVK, CSF1GKP, CSF1GAV, CSF1TRD, and CSFPKI. See IBM HTTP
Server Powered by Apache (http://publibz.boulder.ibm.com/epubs/pdf/dpr1cg00.pdf) for information on
configuring SSL/TLS for the web server.

Chapter 39. Configuring IBM MFA for high availability
In general use, the IBM MFA web services started task needs to run only on one LPAR in a sysplex.
However, you can start the IBM MFA web services started task on multiple LPARs that share the same
RACF database for high availability.

Before you begin


Before you start the IBM MFA web services started task on multiple LPARs, you must satisfy the following
prerequisites:
• Configure cache token sharing to be C or X so that the cache is shared, as described in “Configure IBM
MFA STC configuration attributes” on page 21.
• If using Certificate Authentication, the client Windows system must have the Internet option "Use HTTP
1.1" checked.
• When ordering server certificates to use with IBM MFA web services, ensure that you specify Subject
Alternate Names that cover all LPAR names that a user may enter into their browser to reach the server,
as described in “Configure an AT-TLS profile” on page 36.

Procedure
1. To start the started task, enter the following operator command:

S <STC Job Name>

For example:

S AZF#IN01

2. Start the started task on the desired LPARs in the sysplex.


3. Verify that the task started. The absence of errors in the SYSLOG indicates success.

Chapter 40. Removing all IBM MFA factors for a user
You can remove all IBM MFA factors for a user. There is no undo for this operation.

About this task


When you remove all IBM MFA factors for a user, all IBM MFA factors and tags are removed, and the users
must use their RACF credentials to log on. Before removing all factors, consider deactivating (NOACTIVE)
the factors instead to preserve the IBM MFA data.

Procedure
1. The following example removes all IBM MFA factors for a user.

ALU [Login ID] NOMFA

2. You might instead enter the following command to deactivate a user for a factor such as TOTP:

ALU [Login ID] MFA(FACTOR(AZFTOTP1) NOACTIVE)

Chapter 41. Invalidating a user's CTCs
There may be rare circumstances in which you need to invalidate the existing cache token credentials
(CTCs) for a user. For example, you may need to invalidate a user's CTCs if an unauthorized actor has
somehow gained access to the CTCs, or because you need to prevent the user from using an existing
CTC to authenticate. IBM MFA includes a system operator command to invalidate CTCs associated with
a user. This command is intended for special cases when a potential security exposure exists and is not
recommended for routine use.

About this task


Important: Before you use this operator command, be aware of the following usage considerations:
• Depending on the number of cached CTCs, it may take significant time to read all of the entries in the
cache to identify and delete any CTCs for a specific user, even if the user does not have any CTCs to
delete. While the CTCs are being searched, the IBM MFA service task will be unable to perform any
other authentication requests.
• Because of the time required, the command is intended to be used when a potential security exposure
exists, such as if a user believes a valid CTC has become compromised, and it is more important to
address the exposure than it is to complete new authentications.
• A CTC that is created after the command begins and before it completes may or may not be deleted.
Only CTCs that are created before the command begins are guaranteed to be deleted.
• The caching mode determines how the command functions:
– The command always invalidates CTCs for caching modes N and C.
– For mode X, the command invalidates CTCs only if all members are running IBM MFA version 2.2 or
later. The z/OS system or LPAR where the command is issued warns if all members cannot accept the
command or if they do not report successful completion.
• The enterprise security manager (ESM) does not pass an authentication request to IBM MFA for a
revoked user. If a user is revoked at the ESM, the IBM MFA CTCs are therefore inaccessible and are
explicitly deleted when the CTC expiration time is reached.
• You can issue the command on any z/OS system that is running IBM MFA version 2.2 or later that is part
of the cache group:
– The cache group in mode N is the system where the user obtained the CTC(s).
– The cache group in modes X and C is any system in a sysplex sharing the same cache data.

Procedure
Enter the following Modify command to invalidate a user's CTCs:

F STC_JOBNAME,CLEARCTCS USERID

where:
• STC_JOBNAME is the JOBNAME of the IBM MFA services started task.
• USERID is the user for which you want to invalidate CTCs.

Chapter 42. Modifying component trace levels
The IBM MFA services started task supports modifying trace levels on a per-component basis at runtime.

About this task


You should not set a trace level higher than 2 unless the problem can be reproduced and you receive
specific instructions from IBM support. Lower the trace level to 0 or 1 after the problem has been
reproduced and the data has been collected.
The available trace levels are shown in Table 62 on page 223:

Table 62. IBM MFA Trace Levels


Trace Level Usage
0 Only standard or unconditional message are output.
1 All output from level 0 plus major items of interest.
2 All output from level 1 plus lesser items of interest.
3 All trace information (Verbose).

Procedure
1. To change trace levels on a per-component basis, issue a Modify command of the following form:

F <STC Job Name>,<Component> SET TRACE LEVEL <Trace Level>

where <STC Job Name> represents the services started task and <Component> can be one of the
following literal values:
• STC represents general STC tracing.
• AZFSIDP1 represents the AZFSIDP1 authenticator providing support for RSA SecurID ACEv5 UDP.
• AZFSIDP3 represents the AZFSIDP3 authenticator providing support for RSA SecurID Auth API
(HTTPS).
• AZFTOTP1 represents the AZFTOTP1 authenticator providing support for TOTP.
• AZFCERT1 represents the AZFCERT1 authenticator providing support for Certificate Authentication.
• AZFPTKT1 represents the AZFPTKT1 authenticator providing support for PassTickets.
• AZFPASS1 represents the AZFPASS1 authenticator providing support for passwords.
• AZFRADP1 represents the AZFRADP1 authenticator providing support for generic RADIUS.
• AZFSFNP1 represents the AZFSFNP1 authenticator providing support for SafeNet RADIUS.
• AZFSIDR1 represents the AZFSIDR1 authenticator providing support for RSA SecurID RADIUS.
• AZFYUBI1 represents the AZFYUBI1 authenticator providing support for Yubico OTP.
• AZFISAM1 represents the AZFISAM1 authenticator providing support for IBM Security Verify Access.
• AZFLDAP1 represents the AZFLDAP1 authenticator providing support for LDAP.
For example:

F AZF#IN00,AZFSIDP1 SET TRACE LEVEL 1

2. There is also a trace level command specific to the web services started task. It is the same as the
services started task without the component qualifier:

F <Web Services STC Job Name>,SET TRACE LEVEL <Trace Level>

For example:

F AZF#IN01,SET TRACE LEVEL 1

3. Verify that the log has the expected output.

Chapter 43. Troubleshooting IBM MFA
The troubleshooting steps you perform depend on which system has caused the error.

General authentication failure troubleshooting tips


If you are unable to successfully authenticate with one or more authentication factors, start your
troubleshooting with these general purpose tips:
1. For in-band authentication, turn off compound authentication for the authentication factor. For IBM
MFA Out-of-Band authentication, set only one authentication factor to be active at a time. This step
simplifies the authentication flow and reduces the possible points of failure.
2. If all authentication factors fail, ensure that both of the IBM MFA started tasks are started.
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if
needed) have started successfully and all TCP/IP-related services such as the resolver are running and
fully initialized. See Chapter 6, “IBM MFA configuration roadmap,” on page 13 for the factor-specific
configuration requirements.
• To verify that the IBM MFA services started task started, check the SYSLOG for errors. The absence
of errors after the "AZF2110I Started console receiver" message in the SYSLOG indicates success.
• To verify that the IBM MFA web services started task started, check the SYSLOG for errors:

20190822122051.560549 AZFWEB:AZF6002I Server base init success (sts=0, rc=0, rsn=0x0)
20190822122051.560755 AZFWEB:AZF6050I Console listener task starting up
20190822122052.563303 AZFWEB:AZF6012I IBM Multi-Factor Authentication Web Services startup complete

3. The AZF#IN00 started task can fail to start with a return code of 8 or 16. A return code of 8
indicates that AZFSTCMN is not running in Key 2, as described in “Update SCHEDxx PARMLIB program
properties” on page 8. A return code of 16 means that there is another instance of AZFSTCMN running
on this LPAR and the program call linkage cannot be created. If this is not the case, take a full system
dump and submit to IBM.
4. Check the authentication factor ISPF panels for typos or missing fields.
5. Ensure that the PKCS#11 token name specified for the authentication factor exists and is correct.
6. Check the SYSLOG to verify that the authentication factors you configured started without errors. It
is expected that any authentication factors that you did not configure will show notifications in the
SYSLOG.
Consider the following sample successful SYSLOG entries for AZFSIDP1 and AZFTOTP1:

20190828151037.196497 PLUGHOST:AZF2102I Loaded authenticator (name: AZFSIDP1, entry point: 0x137C9098, status: 0x0)
20190828151037.196977 PLUGS:AZF2108I Authenticator entry point invoked: status =0x0
20190828151037.197751 PLUGHOST:Successfully retrieved system factor data:
20190828151037.199566 AZFSIDP:AZF3021I: AZFSIDP1 Initializing....
20190828151037.203474 AZFSIDP:Incoming settings blob length: 213
20190828151037.204742 AZFSIDP:AZF3054I: AZFSIDP1 Settings follow:
20190828151037.204773 AZFSIDP: Authenticator settings:
20190828151037.204791 AZFSIDP: Initial trace level: 1
20190828151037.204807 AZFSIDP: Compound mode: Enabled
20190828151037.204824 AZFSIDP: Compound separator: *
20190828151037.204841 AZFSIDP: Compound order: Password first
20190828151037.204859 AZFSIDP: SDCONF path: PATH.AZF.SDCONF.REC
20190828151037.204876 AZFSIDP: Node Secret path: PATH.AZF.NODESCRT
20190828151037.204893 AZFSIDP: SDOPTS path: PATH.AZF.SDOPTS.REC
20190828151037.227594 PLUGS:AZF2109I Authenticator initialized : entry 0x137C9098, name AZFSIDP1 (strong)
20190828151037.229049 PLUGHOST:about to load AZFTOTP1
20190828151037.229765 PLUGHOST:AZF2102I Loaded authenticator (name: AZFTOTP1, entry point: 0x138C1870, status: 0x0)
20190828151037.233076 PLUGS:AZF2108I Authenticator entry point invoked : status = 0x0
20190828151037.233189 PLUGHOST:Successfully retrieved system factor data:
20190828151037.235061 AZFTOTP:AZF4126I AZFTOTP1 settings follow:
20190828151037.235108 AZFTOTP: Authenticator settings:
20190828151037.235131 AZFTOTP: Initial trace level: 3
20190828151037.235153 AZFTOTP: Compound mode: Enabled
20190828151037.235172 AZFTOTP: Compound order: Password First
20190828151037.235192 AZFTOTP: Compound separator: :
20190828151037.235212 AZFTOTP: Default ALG: SHA512
20190828151037.235231 AZFTOTP: Default NUMDIGITS: 8
20190828151037.235247 AZFTOTP: Default PERIOD: 30
20190828151037.235264 AZFTOTP: Default WINDOW: 10
20190828151037.235281 AZFTOTP: Registration services settings:
20190828151037.235303 AZFTOTP: Initial trace level: 3
20190828151037.235328 AZFTOTP: Realm name: RS13TOTP
20190828151037.236509 AZFTOTP:AZF4001I AZFTOTP1 Authenticator init
20190828151037.236574 PLUGS:AZF2109I Authenticator initialized : entry 0x138C1870, name AZFTOTP1 (strong)
20190828151037.236971 PLUGHOST:about to load AZFPTKT1

7. Check the SYSLOG for obvious authentication errors. In the following example, the user was denied
access by the AZFLDAP1 authentication factor, possibly because of an incorrect LDAP password:

20190829112522.782214 STCMAIN:AZF2227I User USERB denied access in-band by factor AZFLDAP1

8. Turn on a higher level of component tracing, as described in Chapter 42, “Modifying component trace
levels,” on page 223. You can turn on tracing on a per-component basis, and independently for each of
the started tasks. Lower the trace level to 0 or 1 after the problem has been reproduced and the data
has been collected.

Troubleshooting RSA SecurID and RADIUS


If the entry in the SYSLOG indicates that an authentication is denied by RSA SecurID or any of the RADIUS
authentication factors, start your troubleshooting with the following steps:
1. If you changed the PKCS#11 token name or label for any of the RADIUS factors, ensure that you also
re-entered the existing shared secret on the ISPF panel.
2. Ensure that there is connectivity between the RSA SecurID or RADIUS server and the IBM MFA system.
You should be able to ping the RSA SecurID or RADIUS server from the IBM MFA system.
3. Check the SYSLOG for connection errors to the RSA SecurID or RADIUS server. In the following
example, there was a typo in the RADIUS server name and the hostname cannot be resolved:

20190829162219.118889 RADPBASE:AZF9215E Failed to resolve hostname entry: serVver.company.com
20190829162219.118907 RADPBASE:AZF9207E Failed to init RADIUS server entry (primary, sts=68306)
20190829162219.118923 RADPBASE:AZF9207E Failed to init RADIUS server entry (no valid servers specified)
20190829162219.118941 AZFSFNP:AZF9130E RADIUS initialization failed (sts=68321, p11rc=0, p11rsn=0x0)

4. Verify that the RSA SecurID or RADIUS server accepts communications from each z/OS system or
LPAR that is running the IBM MFA services started task.
5. Check the RSA SecurID or RADIUS server authentication log to see if the authentication was
successful or why it was denied.
6. Check the status of the RSA SecurID or RADIUS token or the user PIN for an account that is generating
an error. It is possible that a token is inactive, that a user PIN has expired, and so forth.
7. If you made configuration changes to the RSA SecurID AZFSIDP1 authentication factor and
authentications no longer succeed, clear the node secret from each IBM MFA client host and retry.
8. RSA SecurID disaster recovery steps are described in “Disaster recovery for IBM MFA with SecurID” on
page 59.
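The SYSLOG entries quoted in this section and the previous one share one layout: a microsecond timestamp, a component name, a colon, and usually an AZFnnnnX message identifier whose final letter is the severity (I, W, E, S) used throughout the messages chapter. The following Python script is an added example, not part of this manual or of the IBM MFA product; it parses lines of that layout and pulls out what the troubleshooting steps above tell you to look for: messages of severity E or S (such as the AZF9215E host name resolution failure), AZF2227I denials counted per user and factor, and AZF1103W TOTP replay warnings. The sample input embeds lines taken from the examples in this chapter together with constructed lines marked as such in the code; that AZF1103W is logged in the same layout is an assumption, as are the regular expressions, which are built from the message texts shown on these pages.

```python
import re
from collections import Counter
from datetime import datetime

# One SYSLOG record as shown in this chapter:
#   <yyyymmddhhmmss.micros> <COMPONENT>:<text>
# where <text> usually begins with an AZFnnnnX message id; X is the severity
# letter (I, W, E, S) described in the messages chapter.
LINE_RE = re.compile(
    r"^(?P<ts>\d{14}\.\d{6})\s+(?P<comp>[A-Z0-9]+):\s*"
    r"(?:(?P<msgid>AZF\d{4}[IWES]):?\s*)?(?P<text>.*)$"
)
# AZF2227I text, as in the troubleshooting example above.
DENIED_RE = re.compile(r"User (?P<user>\S+) denied access (?P<band>\S+) by factor (?P<factor>\S+)")
SEVERITY = {"I": "info", "W": "warning", "E": "error", "S": "severe"}


def parse_line(line):
    """Split one SYSLOG line into its fields, or return None if it is not an IBM MFA record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y%m%d%H%M%S.%f"),
        "component": m["comp"],
        "msgid": m["msgid"],
        "severity": SEVERITY[m["msgid"][-1]] if m["msgid"] else None,
        "text": m["text"],
    }


def triage(lines):
    """Collect what the troubleshooting steps look for: errors, denials per user/factor, TOTP replays."""
    report = {"errors": [], "denied": Counter(), "replays": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        if rec["severity"] in ("error", "severe"):
            report["errors"].append((rec["msgid"], rec["component"], rec["text"]))
        if rec["msgid"] == "AZF2227I":
            d = DENIED_RE.search(rec["text"])
            if d:
                report["denied"][(d["user"], d["factor"])] += 1
        if rec["msgid"] == "AZF1103W":           # TOTP REPLAY DENIED: a reused one-time passcode
            report["replays"] += 1
    return report


def repeated_denials(report, threshold=2):
    """(user, factor) pairs denied at least `threshold` times, most frequent first."""
    return [key for key, n in report["denied"].most_common() if n >= threshold]


SAMPLE_SYSLOG = [
    # Lines taken from the examples in this chapter
    "20190822122051.560549 AZFWEB:AZF6002I Server base init success (sts=0, rc=0, rsn=0x0)",
    "20190828151037.196497 PLUGHOST:AZF2102I Loaded authenticator (name: AZFSIDP1, entry point: 0x137C9098, status: 0x0)",
    "20190828151037.197751 PLUGHOST:Successfully retrieved system factor data:",
    "20190829112522.782214 STCMAIN:AZF2227I User USERB denied access in-band by factor AZFLDAP1",
    "20190829162219.118889 RADPBASE:AZF9215E Failed to resolve hostname entry: serVver.company.com",
    "20190829162219.118907 RADPBASE:AZF9207E Failed to init RADIUS server entry (primary, sts=68306)",
    "20190829162219.118941 AZFSFNP:AZF9130E RADIUS initialization failed (sts=68321, p11rc=0, p11rsn=0x0)",
    # Constructed lines (not from the manual) in the same layout
    "20190829112540.000001 STCMAIN:AZF2227I User USERB denied access in-band by factor AZFLDAP1",
    "20190829112601.000002 AZFTOTP:AZF1103W TOTP REPLAY DENIED",
    "this line is not an IBM MFA SYSLOG record",
]

if __name__ == "__main__":
    result = triage(SAMPLE_SYSLOG)
    for msgid, comp, text in result["errors"]:
        print(f"ERROR {msgid} {comp}: {text}")
    for (user, factor), n in result["denied"].items():
        print(f"DENIED {user} by {factor}: {n} time(s)")
    print(f"TOTP replays: {result['replays']}, unparsed lines: {result['unparsed']}")
```

Run against a SYSLOG extract, the error list points at the RADIUS or SecurID initialization step that failed, while repeated AZF2227I entries for one user and factor separate a mistyped LDAP password from a factor that is misconfigured for everyone.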

Troubleshooting IBM MFA Certificate Authentication


If the user receives a "There was an error connecting to the server." error when attempting to log
in with Certificate Authentication, ensure that Enable out of band services and Enable certificate
authentication are both enabled, as described in “Configure IBM MFA web services started task” on page
41.

Troubleshooting TOTP and generic TOTP


Begin your TOTP troubleshooting with the following steps:
1. For TOTP, if your web services server certificate was not issued by a well-known CA, do not instruct
users to visit the web services server start page until they have a Configuration Profile installed that
allows them to establish TLS connections with the web services server. If users accept the web
services server certificate in Mobile Safari as an SSL exception, the IBM TouchToken for iOS application
still cannot trust the CA that issued the certificate. Users will be able to view the enrollment launch
URL, but will not be able to complete enrollment.
Note: The iOS operating system has certificate requirements that are not always satisfied by self-signed
certificates. If you are attempting to use a self-signed certificate with the IBM TouchToken for iOS
application and cannot successfully authenticate, it may be because iOS does not accept the certificate.
This is true even if you successfully create a Configuration Profile for the self-signed certificate.
2. If the user receives a "There was an error connecting to the server." error when attempting to log in,
ensure that Enable out of band services and Enable TOTP services are both enabled, as described in
“Configure IBM MFA web services started task” on page 41.
3. If the user is unable to enroll their device for generic TOTP, the most likely cause is that the user forgot
to enter the displayed TOTP code on the web page and click Generic TOTP Enrollment.
Ensure that the user performs these steps:
a. Instruct the user to open the generic TOTP start page in a desktop web browser and log in with their
z/OS user name and password: https://hostname:6789/AZFTOTP1/genericStart
A page that contains the AuthURL and the encoded QR code is displayed.
b. Instruct the user to point their device at the generated QR code and scan it with the application.
The application displays the TOTP code.
c. Instruct the user to enter this TOTP code on the web page and click Generic TOTP Enrollment. The
user may have to scroll to see this control, depending on the size of their browser window.

Troubleshooting AT-TLS
Be aware that the Policy Agent (PAGENT) task often writes task-initialization messages (including success
or failure when interpreting and loading TTLSRule definitions) to a log stream that is separate from the
location used for TCP socket behavior messages. (Socket behavior messages include confirmation that
rules are firing when expected, and details of the TLS negotiation process for specific peer connections.)
The default location for PAGENT task-level log messages is /tmp/pagent.log. You can change this
location with the -L parameter passed to the PAGENT program in the PAGENT job JCL. Some installations
route these messages to the z/OS UNIX syslog.
Socket behavior log messages are always written to the z/OS UNIX syslog. If syslogd is not running,
or is not configured to route TCP daemon messages to an alternative file location, they will go to the
operator log. If you do not see AT-TLS messages in the operator log, inspect the syslogd configuration
(usually /etc/syslog.conf) and look for a directive that routes TCPIP daemon messages to a specific
file. These logs often contain data sufficient for diagnosing TLS negotiation errors, or at least pointing to
the next indicated step toward success without proceeding to a packet trace. IBM recommends using
syslogd to collect these messages in a separate z/OS UNIX file because this makes them easier to
consume and make available for support.

The user receives an "Error processing MFA request" error


There are several possible causes of this error:
• The authentication methods configured for the user must match the policy. The policy is not satisfiable
if the user is not configured for all of the authentication methods required by the policy.
• There must be no leading or trailing spaces in the IBM MFA configuration. For example, if an extraneous
space exists in the Radius Primary Server field, IBM MFA will not be able to resolve the host name or IP
address.

Browser shows incorrect or stale data


If your web browser shows incorrect or stale data, refresh the browser window. The browser cache might
be out-of-sync with the IBM MFA server.

Helpful information to provide when requesting support


When requesting support or opening a PMR for IBM MFA, it is most helpful if you:
• Provide a detailed problem description.
• Turn on the highest level of component tracing, as described in Chapter 42, “Modifying component trace
levels,” on page 223. You can turn on tracing on a per-component basis, and independently for each of
the started tasks. Lower the trace level to 0 or 1 after the problem has been reproduced and the data
has been collected.
• Provide the SYSLOG for both started tasks.
• Indicate which external security manager (for example, RACF) is being used.
• Provide the system dump (SVC dump), if one was generated by a failure.
• Provide details on the type and version of the external authentication server, if there is a communication
or authentication issue involving it.
• Indicate which client browser and OS are being used, and their levels, if the problem involves a problem
with IBM MFA Out-of-Band authentication or registration.
• Provide the browser HTTP ARchive format (HAR) file data for the failing scenario if the problem involves
a problem with IBM MFA Out-of-Band authentication or registration and can be reproduced. The steps
to produce a HAR file are browser specific.
• For RADIUS authentication, provide the RADIUS server authentication log, if available.
• For IBM Verify Gateway for RADIUS, also provide both the Windows Event log and the trace-file
specified in the IbmRadiusConfig.json file.

Chapter 44. Using a specific TCP/IP stack
If you require IBM MFA to have affinity with the TCP/IP stack of your choice, establish affinity using
BPXTCAFF.

About this task


A program can associate a socket with a specifically named transport. This is called transport affinity.
If you require IBM MFA to have affinity with the TCP/IP stack of your choice, establish affinity using
BPXTCAFF. (See z/OS UNIX System Services Planning for a description of BPXTCAFF.)
The BPXTCAFF program must run prior to the programs that initialize the IBM MFA address spaces. Both
started tasks must use the same transport.
Note: You copied AZF#IN00 and AZF#IN01 to the PROCLIB from which you run started tasks in “Copy
SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01)” on page 7.

Procedure
1. Edit AZF#IN00 and uncomment the job step that invokes BPXTCAFF before AZFSTCMN. Specify the
desired transport with the PARM= keyword, which must be 1 to 8 uppercase characters.

//STEP0 EXEC PGM=BPXTCAFF,
// PARM=TCPIP2
//AZF130 EXEC PGM=AZFSTCMN,

2. If you configured the web services configuration attributes as described in Chapter 10, “Configuring
IBM MFA web services configuration attributes,” on page 35, edit AZF#IN01 and uncomment the job
step that invokes BPXTCAFF before AZFSTCWS. Specify the same transport you used in Step “1” on
page 229.

//STEP0 EXEC PGM=BPXTCAFF,
// PARM=TCPIP2
//AZF130 EXEC PGM=AZFSTCWS,

3. Save the changes.


4. Ensure that the AT-TLS profile you create in “Configure an AT-TLS profile” on page 36 reflects this
TCP/IP stack.
5. Restart the edited tasks, as described in “Start the IBM MFA services started task” on page 55 and
“Start the IBM MFA web services started task” on page 44, respectively.

Chapter 45. Migrating from Version 1 Release 3 to
Version 2 Release 0
If you are using Version 1 Release 3 of IBM MFA, you might need to perform several steps to migrate to
Version 2 Release 0.

Procedure
1. Check all of the ISPF panels to ensure you are satisfied with the default settings of the new features.
2. Add the load library to the link list.
a) Add the following line to your SYS1.PARMLIB(PROGxx) member:

HLQ.SAZFLOAD,

where HLQ is the high-level qualifier (HLQ) used where you installed IBM MFA.
b) Update your system link list dynamically.
c) In your existing AZF#IN00 and AZF#IN01 started task procedures, remove the STEPLIB DD
statement for HLQ.SAZFLOAD.

Chapter 46. Migrating from Version 1 Release 2 to
Version 1 Release 3
If you are using Version 1 Release 2 of IBM MFA, you might need to perform several steps to migrate to
Version 1 Release 3.

About this task


In support of Strict PCI Compliance Mode, Version 1 Release 3 of IBM MFA no longer requires a password
in the IBM MFA Out-of-Band web user interface. However, if your local security policy requires a password
to access the IBM MFA Out-of-Band web user interface, you can configure the AZFPASS1 factor and add it
to the appropriate policies and users.
Although you can use the RACF commands for this purpose, the bulk provisioning feature is more efficient
if you have a large number of policies or users. This section assumes that you prefer to use the bulk
provisioning feature. See Chapter 28, “Configuring bulk provisioning users for IBM MFA,” on page 183 for
a description of the bulk provisioning feature.
Note: If for site-specific reasons you need to revert from Version 1 Release 3 to Version 1 Release 2, be
aware that the SHA-1 hash algorithm is not supported by AZFTOTP1 in Version 1 Release 2. Consider the
following requirements:
• If you have set SHA-1 to be the default algorithm, specify a different default hash algorithm from the
Version 1 Release 3 AZFTOTP1 panel, as described in “Configure AZFTOTP1” on page 70.
• If you have set SHA-1 for a user, use the ALTUSER or ALU command to specify a different hash
algorithm, as described in “Configure a TOTP profile for users” on page 76.

Procedure
1. Use the RALTER command to add the AZFPASS1 factor to the needed policies. For example:

RALTER MFADEF POLICY.POLICY-NAME MFPOLICY(ADDFACTORS(AZFPASS1))

2. Configure IBM MFA Password Authentication as described in Chapter 25, “Configuring IBM MFA
Password Authentication,” on page 169.
3. Create an input file to azfbulk of the following form:

USERA YOUR-POLICY-NAME AZFPASS1
USERB YOUR-POLICY-NAME AZFPASS1
USERC YOUR-POLICY-NAME AZFPASS1
USERD YOUR-POLICY-NAME AZFPASS1
USERE YOUR-POLICY-NAME AZFPASS1

4. Add the /usr/lpp/IBM/azfv1r3/bin/ directory to your PATH.

export PATH=/usr/lpp/IBM/azfv1r3/bin:${PATH}

5. Run the azfbulk program without the COMMIT parameter:

azfbulk input-file

Note: You need to have UPDATE access to the system security manager FACILITY class profile
IRR.RFACTOR.USER to update the user factor data. Use the PERMIT command to grant UPDATE
access to the profile. If the FACILITY class has been RACLISTed, refresh the class for the change to
become effective.
If provisioning AZFCERT1, the user running azfbulk needs read access to the CSFSERV profiles
CSFOWH and CSF1TRD.

6. Check the resulting azfprov1.sh and azfprov2.sh files.

7. Correct any errors in your input file and re-run azfbulk. Repeat as needed.
8. When you are satisfied with the azfprov1.sh and azfprov2.sh scripts, run the azfbulk program
with the COMMIT parameter.

azfbulk input-file COMMIT

9. Run the azfprov1.sh shell script.

sh azfprov1.sh

10. Verify sample provisioned users in RACF with the LU command.

LU [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
AUTHENTICATION POLICIES =
SIDPPASS
FACTOR = AZFSIDP1
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user
FACTOR = AZFPASS1
STATUS = INACTIVE

11. Run the azfprov2.sh shell script.

sh azfprov2.sh

12. Verify sample user factor data with the LU command.

LU [Login ID] MFA

MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
AUTHENTICATION POLICIES =
SIDPPASS
FACTOR = AZFSIDP1
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user
FACTOR = AZFPASS1
STATUS = ACTIVE
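A mistake in the step 3 input file only becomes visible once azfbulk has generated azfprov1.sh and azfprov2.sh, so it pays to check the file before the first run in step 5. The following Python validator is an added example, not part of this manual or of the azfbulk tool. It assumes the three-field layout shown in step 3 (user ID, policy name, factor name), the RACF user ID rules (1 to 8 characters from A-Z, 0-9, @, #, $, not starting with a digit), the authenticator names listed in Chapter 42, and a 20-character limit on MFA policy names; that blank lines carry no entry is also an assumption. The sample file embeds the manual's lines from step 3 plus constructed faulty lines.

```python
import re
import sys

# Authenticator (factor) names listed in Chapter 42 of this manual.
KNOWN_FACTORS = {
    "AZFSIDP1", "AZFSIDP3", "AZFTOTP1", "AZFCERT1", "AZFPTKT1", "AZFPASS1",
    "AZFRADP1", "AZFSFNP1", "AZFSIDR1", "AZFYUBI1", "AZFISAM1", "AZFLDAP1",
}
# RACF user ID: 1-8 characters from A-Z, 0-9, @, #, $ (first character not a digit).
USERID_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")
# Assumption: MFA policy names are at most 20 characters.
MAX_POLICY_LEN = 20


def validate_bulk_input(text):
    """Check an azfbulk input file; return [(line_number, problem), ...] (empty list = clean)."""
    problems = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:                      # assumption: a blank line carries no entry
            continue
        fields = line.split()
        if len(fields) != 3:
            problems.append((lineno, f"expected 3 fields (userid policy factor), found {len(fields)}"))
            continue
        userid, policy, factor = fields
        if not USERID_RE.match(userid):
            problems.append((lineno, f"user ID {userid!r} is not a valid upper-case RACF user ID"))
        if len(policy) > MAX_POLICY_LEN:
            problems.append((lineno, f"policy name {policy!r} exceeds {MAX_POLICY_LEN} characters"))
        if factor not in KNOWN_FACTORS:
            problems.append((lineno, f"factor {factor!r} is not a known IBM MFA authenticator"))
        key = (userid, factor)
        if key in seen:                   # the same user/factor pair listed twice
            problems.append((lineno, f"duplicate entry for user {userid} and factor {factor}"))
        seen.add(key)
    return problems


# Constructed sample: the manual's entries plus four deliberately faulty lines (4-7).
SAMPLE_INPUT = """\
USERA YOUR-POLICY-NAME AZFPASS1
USERB YOUR-POLICY-NAME AZFPASS1
USERC YOUR-POLICY-NAME AZFPASS1
userd YOUR-POLICY-NAME AZFPASS1
USERE YOUR-POLICY-NAME AZFPASS
USERE YOUR-POLICY-NAME
USERA YOUR-POLICY-NAME AZFPASS1
"""

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_azfbulk_input.py input-file
    # With no argument the embedded SAMPLE_INPUT is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INPUT
    found = validate_bulk_input(text)
    for lineno, problem in found:
        print(f"line {lineno}: {problem}")
    sys.exit(1 if found else 0)
```

A non-zero exit code makes the check usable as a gate in the shell session before `azfbulk input-file` is run; a clean file yields an empty list and exit code 0.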

Chapter 47. Multi-Factor Authentication messages

This topic explains the messages that IBM MFA issues to the terminal or console.

Messages with AZF message numbers


This section describes messages issued with IBM MFA message numbers.
A letter following the message number indicates the severity of the message:
I   Information.
W   Warning.
E   Error.
S   Severe.
AZF1010E Supported tags: SIDUSERID AZF1102I AZFTOTP1 USER IS SUSPENDED -
NOTIFY ADMINISTRATOR
Explanation:
Invalid tag name specified. Supported tag names are Explanation:
SIDUSERID. The user account is suspended.

User response User response


Retry with valid tag. Notify your system administrator of the error.
AZF1011E SIDUSERID length must be <= 50 AZF1103I TOTP PASSCODE REJECTED
Explanation: Explanation:
SIDUSERID must be fewer than 50 characters long. This is an informational message generated as part of
IBM MFA processing.
User response
User response
Retry with valid length.
No response is required.
AZF1100E TOTP PROVISIONING ERROR -
NOTIFY ADMINISTRATOR AZF1103W TOTP REPLAY DENIED
Explanation: Explanation:
Your account is not correctly configured for TOTP. Your TOTP OTP token cannot be reused. This message
indicates that someone attempted to reuse the OTP
User response token.

Notify your system administrator of the error.


User response
AZF1101E TOTP CRYPTO ERROR - NOTIFY Notify your system administrator of the error.
ADMINISTRATOR
AZF1104I TOTP PASSCODE REJECTED
Explanation:
Your account is not correctly configured for TOTP. Explanation:
This is an informational message generated as part of
User response IBM MFA processing.

Notify your system administrator of the error.

© Copyright IBM Corp. 2016, 2022 235


User response User response
No response is required. Specify a valid number of seconds.
AZF1110I Various Messages AZF1300E Valid tag names are REGSTATE,
SUBJECT, and ISSUER
Explanation
Explanation
This is a multiple-purpose message for configuration
issues. You specified an invalid tag name.

User response User response


Refer to the message text, and see the related chapter Specify valid tag names, as described in “Approve user
for configuration information. certificates” on page 89.
AZF1112I Valid REGSTATE changes: unset to AZF1301I Certificate validation succeeded
OPEN; REVIEW to APPROVED
Explanation
Explanation
This is an informational message.
You specified an invalid tag name.
User response
User response
No response is required.
Specify valid tag names, as described in “Approve user
AZF1302E Certificate validation failed
certificates” on page 89.
AZF1200E Supported tags: MFAFIRST, Explanation
WINDOW
The certificate validation failed. The certificate must
Explanation:
be valid. The root CA certificate of the client certificate
You can set only the MFAFIRST and WINDOW tags
chain must be present as a CERTAUTH in the z/OS
when you configure PassTickets, as described in
server keyring. The user certificate must match the
Chapter 35, “Using IBM MFA with PassTickets,” on
Subject DN and Issuer DN of the root CA certificate.
page 203.

User response
User response
Import the root CA certificate, as described in “Import
Specify only the valid tags.
root CA certificate of client certificate chain” on page
AZF1201E Valid MFAFIRST values are Y and 82.
N
AZF1303E Your AZFCERT1 factor data is
Explanation: improperly configured, or missing
The possible MFAFIRST values are Y and N and tag data required for enrollment or
uppercase is required, as described in Chapter 35, certificate authentication
“Using IBM MFA with PassTickets,” on page 203.
Explanation
User response
Your AZFCERT1 factor data is improperly configured.
Specify only Y or N.
AZF1202E Valid WINDOW values are 30 to User response
86400 Configure Certificate Authentication as described
Explanation: in Chapter 15, “Configuring IBM MFA certificate
The possible evaluation WINDOWS values are 30 to authentication,” on page 81. Configure user tag data
86400, in seconds, as described in Chapter 35, “Using as described in “Approve user certificates” on page 89.
IBM MFA with PassTickets,” on page 203. AZF2100I AZF main task started

236  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization


Explanation
The main task started. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2101I Initialized recovery routine
Explanation
The recovery routine was initialized. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2102I Loaded authenticator
Explanation
The authenticator was loaded. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2103I Initialized PC routine
Explanation
The PC routine was initialized. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2104I Started web server
Explanation
The web server started.
User response
No response is required.

AZF2105I Authentication request (PC)
Explanation
This message contains the PC of the authentication request. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2106I Tag validation request
Explanation
Tag validation request. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2107I Web request
Explanation
The web services server received a request.
User response
No response is required.

AZF2108I Authenticator entry point invoked
Explanation
The authenticator entry point was invoked. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2109I Authenticator initialized
Explanation
The authenticator is initialized. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2110I Started console receiver
Explanation
The console receiver started. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2111I Console received stop request

Chapter 47. Multi-Factor Authentication messages  237


Explanation
The console received a stop request. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2112I Console received modify command
Explanation
The console received a modify command. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2113I Console command action
Explanation
The console received a command action. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2114E Unrecognized command
Explanation
The user entered an unrecognized command.
User response
Correct the command and retry.

AZF2115I Authenticator command
Explanation
An authenticator command was entered. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2116E Command processing failed
Explanation
The user entered an invalid command.
User response
Correct the command and retry.

AZF2117E Invalid trace level specified (valid levels are 0-3)
Explanation
You specified an invalid trace level.
User response
Valid trace levels are 0-3. See Chapter 42, “Modifying component trace levels,” on page 223 for additional information.

AZF2118I AZF main task startup complete
Explanation
The main task startup is complete. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2119I Strict PCI compliant mode is enabled
Explanation
IBM MFA supports the Payment Card Industry Data Security Standard (PCI DSS) standard through the Enable Strict PCI Compliance Mode setting. It is recommended that you do not enable this setting unless you are fully aware of the ramifications.
This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2120I Auth continuation requested (network)
Explanation
The authentication continuation was requested at network. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2121I Auth continuation requested (PC)
Explanation
The authentication continuation was requested at PC. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2122I AuthTxn Socket timeout
Explanation
The authentication request timed out. This could be caused by load conditions.
User response
No response is required.

AZF2123I Auth continued (network)
Explanation
The authentication continues at network. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2124I Auth continued (PC)
Explanation
The authentication continues at PC. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2130I AuthTxn pruned from SocketTable
Explanation
An auth transaction was pruned, typically because a timeout occurred. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2131I AuthTxn pruned from PCTable
Explanation
An auth transaction was pruned, typically because a timeout occurred. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2132I WorkElement pruned
Explanation
A work element was pruned, typically because a timeout occurred. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2133E Entered purgeRequest
Explanation
A request was pruned, typically because a timeout occurred.
User response
No response is required.

AZF2134I Invoked sweep of expired Cache Token Credentials
Explanation
This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2201I In-band auth success
Explanation
The authentication is successful. This is an informational message generated as part of IBM MFA processing.



User response
No response is required.

AZF2202W In-band auth failed
Explanation
The authentication request failed.
User response
Correct your credentials and retry the authentication request.

AZF2203E Auth eval failed (missing authenticator)
Explanation
The authentication evaluation failed.
User response
Contact IBM support.

AZF2204E Auth eval failed (error from authenticator)
Explanation
Authentication evaluation failed.
User response
Contact IBM support.

AZF2205E Auth eval failed (R_Factor error)
Explanation
Authentication evaluation failed.
User response
Contact IBM support.

AZF2207E Auth eval failed (User MFA parse)
Explanation
Authentication evaluation failed.
User response
Contact IBM support.

AZF2208E Auth eval failed (socket read)
Explanation
Authentication evaluation failed.
User response
Contact IBM support.

AZF2209E Auth eval failed (user has no active factors)
Explanation
The factor may have been deleted from the user after the authentication started, but before the server processed it.
User response
Make sure that the authentication factors are present.

AZF2210S Authenticator returned an invalid code
Explanation
Authenticator returned an invalid code.
User response
Contact IBM support.

AZF2211E Auth preparation failed, cannot evaluate
Explanation
The factor may have been deleted from the user after the authentication started, but before the server processed it.
User response
Make sure that the authentication factors are present.

AZF2212E Return from safVerify ENVIR=CREATE = %d, racfReturn = %d, racfReason = %d, ACEE = 0x%p
Explanation
This message contains the return code from safVerify.
User response
Contact IBM support.

AZF2213E Return from safVerify ENVIR=DELETE = %d, racfReturn = %d, racfReason = %d, ACEE = 0x%p
Explanation
This message contains the return code from safVerify.
User response
Contact IBM support.

AZF2214E A user with multiple active Strong factors cannot authenticate in-band
Explanation
You must create a multi-factor authentication policy if you activate a user for two or more strong factors.
User response
Activate the user for IBM MFA Out-of-Band, as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF2215E The specified factor does not support out-of-band authentication
Explanation
The specified factor supports in-band only. For example, PassTicket AZFPTKT1.
User response
Activate the user for in-band authentication.

AZF2216E Factor data or plugin not found for specified out-of-band factor
Explanation
If you apply a policy to a user, the user must have all the factors defined in the policy, and those factors must be active for the user.
User response
Activate the user for IBM MFA Out-of-Band, as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF2217E Out-of-band factor inactive for user
Explanation
If you apply a policy to a user, the user must have all the factors defined in the policy, and those factors must be active for the user.
User response
Activate the user for IBM MFA Out-of-Band, as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF2218E The user has an active factor that does not support in-band auth
Explanation
The specified factor supports IBM MFA Out-of-Band only. For example, Certificate Authentication.
User response
Activate the user for IBM MFA Out-of-Band, as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF2219E Your account cannot login in-band
Explanation
Your account has a policy attached and you must log in via IBM MFA Out-of-Band only.
User response
Log in via IBM MFA Out-of-Band, as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF2221I Out-of-band factor auth success
Explanation
The authentication was successful.
User response
No response is required.

AZF2222W Out-of-band factor auth failed
Explanation
The authentication was unsuccessful.
User response
Log in via IBM MFA Out-of-Band, as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.



AZF2223I Out-of-band factor auth continuation requested (NMI)
Explanation
"Need more information" messages indicate that additional information is needed after a successful authentication, such as the next token in next token mode. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2225I Out-of-band factor auth continued (NMI)
Explanation
"Need more information" messages indicate that additional information is needed after a successful authentication, such as the next token in next token mode. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2226I User %s authenticated in-band with factor %s
Explanation
The in-band authentication was successful.
User response
No response is required.

AZF2227I User %s denied access in-band by factor %s
Explanation
The in-band authentication was unsuccessful.
User response
Verify whether the user requires IBM MFA Out-of-Band, as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF2228I AUTHENTICATION SUCCESSFUL
Explanation
The user was successfully authenticated.
User response
No response is required.

AZF2229W AUTHENTICATION FAILED
Explanation
The user authentication failed.
User response
Verify the user credentials and retry the operation.

AZF2301I Tag validation: valid
Explanation
The tag validation is valid. This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2302W Tag validation: not-valid
Explanation
The tags defined in the ALU command are not valid.
User response
Correct the tags defined in the ALU command.

AZF2303E Tag eval failed (missing authenticator)
Explanation
The tag evaluation failed.
User response
Contact IBM support.

AZF2304E Tag eval failed (error from authenticator)
Explanation
Tag evaluation failed.
User response
Contact IBM support.

AZF2305E Tag eval failed (R_Factor error)
Explanation
Tag evaluation failed.
User response
Contact IBM support.

AZF2306E Tag eval failed (TMFA parse)
Explanation
Tag evaluation failed.
User response
Contact IBM support.

AZF2307E Tag eval failed (User MFA parse)
Explanation
Tag evaluation failed.
User response
Contact IBM support.

AZF2308E Tag eval: Unexpected MFAR function code
Explanation
An internal error occurred.
User response
Contact IBM support.

AZF2309E Tag validation init failed in STC
Explanation
An internal error occurred.
User response
Examine the preceding messages in the log for additional details. Contact IBM support.

AZF2310E Tag validation detected duplicate tag names
Explanation
You entered duplicate tags.
User response
Correct the tags and re-enter.

AZF2401S Failed to initialize recovery routine
Explanation
The recovery routine initialization failed.
User response
Contact IBM support.

AZF2402S Failed to initialize PC routine
Explanation
The PC routine failed to initialize.
User response
There are two significant return codes:
• return code = 8 An instance of the STC is already running. The started task exits. Check for other instances of the started task.
• return code = 16 The STC is not running in Key 2. The started task exits. Ensure the load library you are running from is APF-authorized and the Program Properties Table has been correctly updated.

AZF2403E Failed to load authenticator
Explanation
The authenticator failed to load.
User response
Contact IBM support.

AZF2404E Failed to start web server
Explanation
The web server failed to start.
User response
Configure the web services started task, as described in Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.

AZF2405E Authenticator initialize failed
Explanation
The authenticator failed to initialize.
User response
Contact IBM support.



AZF2406E Error from R_factor
Explanation
Error from R_factor.
User response
Contact IBM support.

AZF2407S Error from SELECTX
Explanation
Error from SELECTX.
User response
Contact IBM support.

AZF2408I Authenticator not defined (MFADEF profile not defined)
Explanation
A supported plug-in is not enabled.
User response
No response is required.

AZF2409S No authenticators were initialized
Explanation
No authenticators were initialized.
User response
Factor profiles must be defined, settings created, and IBM MFA authorized to access the factor profiles before IBM MFA can successfully initialize them. This message may occur when the proper setup has been performed, dynamic instance names are enabled, and the security manager does not support RACROUTE REQUEST=EXTRACT for class MFADEF profiles. When the RACROUTE request is not supported, you must disable dynamic instance names in the STC settings, as described in “Configure IBM MFA STC configuration attributes” on page 21, and IBM MFA will use a fixed list of factor instance names during initialization.

AZF2411S STC Settings could not be loaded from RACF
Explanation
The STC settings could not be determined.
User response
Configure the STC as described in “Configure IBM MFA STC configuration attributes” on page 21.

AZF2415E Error initializing Out-of-band backend services
Explanation
The IBM MFA Out-of-Band services could not be initialized.
User response
See any preceding error messages for additional context for this error.

AZF2416S No Multi-Factor authenticators were initialized
Explanation
No strong factors were initialized.
User response
Contact IBM support.

AZF2419E Program installation error (<reason>)
Explanation
The possible reasons for this message are as follows:
• Not APF authorized
• getProgramProperty failed, rc=N
• Program Property has wrong KEY
• Program Property must have NOSWAP option
• Program Property must have CANCEL option
User response
Refer to and complete the system programming steps described in Chapter 4, “System programming steps,” on page 7.

AZF2420W Factor instance name is not valid
Explanation
A security manager profile has been defined with a factor instance name that exceeds 20 characters. The profile will be ignored.
User response
Delete the invalid profile.

AZF2421I Using security manager <name>
Explanation
This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2430E Socket registration error
Explanation
An internal error prevented the plug-in from registering a network socket.
User response
Contact IBM support.

AZF2431W Socket registration warning
Explanation
An internal error prevented the plug-in from registering a network socket.
User response
Contact IBM support.

AZF2501S Entered recovery routine
Explanation
Informational message for the recovery routine.
User response
Capture output information and contact IBM support.

AZF2502S Out of memory
Explanation
This is a general memory error.
User response
Increase the region size for the started task and restart the IBM MFA server. If the problem persists, contact IBM support.

AZF2503S Internal structure integrity
Explanation
There is an issue with the internal structure of IBM MFA.
User response
Contact IBM support.

AZF2504S Hashtable write error
Explanation
There is an issue with the internal structure of IBM MFA.
User response
Contact IBM support.

AZF2505S Hashtable remove error (item not present)
Explanation
There is an issue with the internal structure of IBM MFA.
User response
Contact IBM support.

AZF2506S Unexpected route
Explanation
There is an issue with the internal structure of IBM MFA.
User response
Contact IBM support.

AZF2601S Started task not running in Key 2
Explanation
This message is displayed with AZF2402S.
User response
See AZF2402S.

AZF2601E No factors are active for the specified User ID



Explanation
If you apply a policy to a user, the user must have all the factors defined in the policy, and those factors must be active.
User response
Configure the user as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF2603I User %s authenticated to factor %s
Explanation
The authentication was successful.
User response
No response is required.

AZF2604I User %s denied by factor %s
Explanation
The authentication was unsuccessful.
User response
Verify whether the user requires IBM MFA Out-of-Band, as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF2606E Failed to listen on loopback address
Explanation
A return code of 1115 indicates that the port is already in use by another application.
User response
Assign either the application or the IBM MFA web services started task a different port number.

AZF2607I Listening on loopback address
Explanation
This is an informational message generated as part of IBM MFA processing.
User response
No response is required.

AZF2608E Cannot respond without internal txnid
Explanation
An internal error occurred that prevented the plug-in from processing the transaction.
User response
Contact IBM support.

AZF2609E Failed to generate CTC
Explanation
An internal error occurred that prevented the plug-in from generating a CTC.
User response
Contact IBM support.

AZF2610E Policy %s contains unusable factor %s
Explanation
Your factor data is improperly configured.
User response
Correct or clear the factor data for the affected user.

AZF3001E Error communicating with RSA Server
Explanation
Unable to send or receive messages to the RSA Authentication Manager and its replicas.
User response
Ensure that the RSA Authentication Manager is running and is reachable from the z/OS system. For example, try pinging the Authentication Manager from the z/OS system. If there are firewalls present, ensure the rules do not block traffic. If using VIPA (Virtual IP Address), make any necessary network configuration changes.

AZF3002W User must provide next tokencode
Explanation
After n number of failed login attempts followed by a successful login, where n is determined by your local RSA Authentication Manager security policy, the user may be prompted to also enter the next displayed token code for extra security. By successfully entering the next token code, the RSA Authentication Manager is able to verify that the user has possession of the assigned token.
Next token code mode requires the user to enter the next token code (or passcode) that is displayed. That is, the user must enter two successive codes to log in. If the user does not enter the next displayed token code or passcode, the login fails.
Note: Not all login applications indicate when the RSA SecurID "next token" mode is in effect. Because the number of unsuccessful login attempts that trigger "next token" mode can vary, the user may not know that the next token is also required.
User response
1. Wait for the token code you just used to change. If you are using a hardware token with a PINpad or a soft token, wait for the passcode you just used to change.
2. Get the 6- to 8-digit token code (or passcode) displayed by the SecurID token.
3. Enter the token code (or passcode) where prompted.
4. Press Enter.

AZF3003W User must create new PIN (user generated only)
Explanation
The RSA Authentication Manager is in "new PIN required" mode. The user must enter a new user-generated PIN.
Note: Not all login applications indicate when the RSA SecurID "new PIN required" mode is in effect. The user may not know that a new PIN is required.
User response
The user should follow the locally established rules for creating a valid PIN, including the number of characters, the reuse policy, and so forth. The PIN typically must be between four and eight characters. After the user enters and confirms the new PIN, the user must log in again.

AZF3004W User must create new PIN (system generated only)
Explanation
The RSA Authentication Manager is in "new PIN required" mode and is set to require a system-generated PIN. The user must enter the system-generated PIN that is displayed.
Note: Not all login applications display the new system-generated PIN. The user may not know that this specific system-generated PIN is required.
User response
The user must enter and confirm the new system-generated PIN. The user must then log in again.

AZF3005W User must create new PIN (user or system generated)
Explanation
The RSA Authentication Manager is in "new PIN required" mode. The user must enter either a new user-generated or system-generated PIN.
Note: Not all login applications indicate when the RSA SecurID "new PIN required" mode is in effect. The user may not know that a new PIN is required, or see the system-generated PIN.
User response
The user should either use the system-generated PIN or follow the locally established rules for creating a valid PIN, including the number of characters, the reuse policy, and so forth. The PIN typically must be between four and eight characters.
The user must enter and confirm the new PIN. The user must then log in again.

AZF3006W New PIN rejected
Explanation
The new PIN the user entered was rejected.
User response
The user must follow the locally established rules for creating a valid PIN, including the number of characters, the reuse policy, and so forth. The PIN typically must be between four and eight characters.

AZF3007I New PIN canceled
Explanation
The new PIN operation was canceled.
User response
No response is required.

AZF3008I New PIN accepted



Explanation
The new PIN the user entered was accepted.
User response
Because the user changed the PIN, the user must log in again. The user should wait for the token code (or passcode) displayed by the SecurID token to change.

AZF3012I Authentication successful
Explanation
The user was successfully authenticated.
User response
No response is required.

AZF3013W Authentication successful (next tokencode)
Explanation
After n number of failed login attempts followed by a successful login, where n is determined by your local RSA Authentication Manager security policy, the user was prompted to also enter the next displayed token code for extra security. By successfully entering the next token code, the RSA Authentication Manager is able to verify that the user has possession of the assigned token.
Next token code mode requires the user to enter the next token code (or passcode) that is displayed. That is, the user must enter two successive codes to log in. If the user does not enter the next displayed token code or passcode, the login fails.
Note: Not all login applications indicate when the RSA SecurID "next token" mode is in effect. Because the number of unsuccessful login attempts that trigger "next token" mode can vary, the user may not know that the next token is also required.
User response
1. Wait for the token code to change. If using a hardware token with a PINpad or a soft token, wait for the passcode to change.
2. Get the 6- to 8-digit token code (or passcode) displayed by the SecurID token.
3. Enter the token code (or passcode) where prompted.
4. Press Enter.

AZF3014W Authentication denied
Explanation
The RSA Authentication Manager has denied the authentication request.
User response
Verify the user credentials and retry the operation.

AZF3015E Tag validation error - Invalid tag name
Explanation
Invalid tag name specified in ALTUSER command. Supported tag names are SIDUSERID.
User response
Retry with valid tag.

AZF3016E Tag validation error - Invalid tag value
Explanation
Invalid tag value specified in ALTUSER command. SIDUSERID must be fewer than 50 characters long.
User response
Retry with valid tag.

AZF3017I Need new node secret
Explanation
No node secret was found for this system. A new node secret will be created automatically after the first successful authentication.
User response
No response is required.

AZF3018S Failed to read SDCONF file
Explanation
Unable to read the SDCONF.REC file specified.
User response
Make sure that a valid SDCONF.REC file has been transferred to the z/OS system in binary mode, and that it is present in the location specified in the AZFEXEC. It must be readable by the AZF started task user.

AZF3019I Successfully parsed SDCONF file
Explanation
The AZF started task successfully parsed the SDCONF.REC file specified.
User response
No response is required.

AZF3020S Failed to parse SDCONF file
Explanation
Unable to parse the SDCONF.REC file specified.
User response
Make sure that a valid SDCONF.REC file has been transferred to the z/OS system in binary mode, that it is present in the location specified in the AZFEXEC, and that it is readable by the AZF started task user.

AZF3021I AZFSIDP1 Initializing
Explanation
The AZFSIDP1 profile is initializing.
User response
No response is required.

AZF3022E New PIN protocol states mismatch, access denied
Explanation
Internal error during new PIN processing.
User response
Retry authentication.

AZF3023I Canceling authentication transaction
Explanation
The user canceled the authentication transaction.
User response
No response is required.

AZF3024E Internal error, bad plugin data
Explanation
An internal error occurred while processing the authentication.
User response
Restart the AZF started task.

AZF3025E Internal error, bad authTxn data
Explanation
An internal error occurred while processing the authentication.
User response
Restart the AZF started task.

AZF3026I Node secret was cleared
Explanation
The RSA node secret was cleared as described in “Clear the node secret” on page 59 using a command such as the following:

/F <STC Job Name>,AZFSIDP1 CLEAR NODE SECRET

The RSA node secret is a shared secret known to IBM MFA and the RSA Authentication Manager. If this secret must be established (or re-established), your RSA Authentication Manager administrator will request that the node secret be cleared from each z/OS client host.
User response
No response is required.

AZF3027W Potential node secret mismatch with server
Explanation
There is a potential node secret mismatch with the RSA Authentication Manager.
User response
Clear the node secret for this agent host in Authentication Manager, and issue the AZFSIDP1 CLEAR NODE SECRET console command to the AZF started task:

/F <STC Job Name>,AZFSIDP1 CLEAR NODE SECRET

AZF3028S Failed to read SDOPTS file
Explanation
Unable to read the SDOPTS.REC file specified.



User response
Make sure that a valid SDOPTS.REC file has been transferred to the z/OS system in binary mode, and that it is present in the location specified in the AZFEXEC. It must be readable by the AZF started task user.

AZF3029I Successfully parsed SDOPTS file
Explanation
The AZF started task successfully parsed the SDOPTS.REC file specified.
User response
No response is required.

AZF3030S Failed to parse SDOPTS file
Explanation
Unable to parse the SDOPTS.REC file specified.
User response
Make sure that a valid SDOPTS.REC file has been transferred to the z/OS system in binary mode, that it is present in the location specified in the AZFEXEC, and that it is readable by the AZF started task user.

AZF3031S Unexpected transition from SEND_INIT
Explanation
Internal error.
User response
Contact IBM support.

AZF3032S Time packet synchronization failed
Explanation
Internal error.
User response
Contact IBM support.

AZF3033S No SDCONF.REC file specified in settings
Explanation
No SDCONF.REC file specified in settings.
User response
See “Configure SecurID parameters” on page 54.

AZF3034S No Node Secret file specified in settings
Explanation
No Node Secret file specified in settings.
User response
See “Configure SecurID parameters” on page 54.

AZF3035S AZFSIDP1 failed to initialize
Explanation
Internal error.
User response
Contact IBM support.

AZF3036S Failed to initialize Node Secret
Explanation
The Node Secret was not initialized.
User response
Make sure the Node Secret file is specified in settings. See “Configure SecurID parameters” on page 54.

AZF3037E Settings required by AZFSIDP1 are missing
Explanation
Settings required by AZFSIDP1 are missing. One of the settings was not set correctly in the configuration.
User response
Configure IBM MFA for SecurID, as described in “Additional system programming steps for SecurID” on page 52.

AZF3038E Internal error, missing plugin state
Explanation
An internal error occurred that prevented the plug-in from processing the transaction.
User response
Contact IBM support.

AZF3039E Failed to build txn-specific state
Explanation
An internal error occurred that prevented the plug-in from processing the transaction.
User response
Contact IBM support.

AZF3040E Internal error, missing txn-specific state
Explanation
An internal error occurred that prevented the plug-in from processing the transaction.
User response
Contact IBM support.

AZF3041E Failed to restart network flow in response to a timeout
Explanation
The plug-in was unable to communicate with the RSA Authentication Manager server.
User response
Check your network configuration, and ensure there is a viable network path between the host machine and the RSA Authentication Manager. Ensure that the RSA Authentication Manager is properly configured and available.

AZF3042E Denying access due to a socket error
Explanation
An internal error occurred that prevented the plug-in from processing the transaction.
User response
Contact IBM support.

AZF3043E Failed to get network data or sender info
Explanation
An internal error occurred that prevented the plug-in from correctly reading network data.
User response
Contact IBM support.

AZF3044E CheckResponse returned FALSE
Explanation
The response from the Authentication Manager was not correctly formatted. Refer to the message for more details.
User response
Ensure that the Authentication Manager is correctly configured, and that the node secret state is the same in both the plug-in and on the Authentication Manager.

AZF3045E Internal error, state mismatch
Explanation
An internal error occurred that prevented the plug-in from processing the transaction. Refer to the messages for more details.
User response
Contact IBM support.

AZF3046E Failed to retry a network send
Explanation
The plug-in was unable to communicate with the Authentication Manager. Refer to the message for more details.
User response
Check your network configuration, and ensure there is a viable network path between the host machine and the Authentication Manager. Ensure that the Authentication Manager is properly configured and available.

AZF3047E AZFSIDP1 statistics unavailable
Explanation
Statistics are available only if at least one authentication request has been processed.
User response
Perform at least one authentication before requesting statistics.

AZF3048E Suspect or invalid credential syntax

Chapter 47. Multi-Factor Authentication messages  251


Explanation
An internal error occurred that caused the plug-in to create an invalid authentication request.

User response
Contact IBM support.

AZF3049E Unable to register transaction socket

Explanation
An internal error prevented the plug-in from creating a new network socket.

User response
Contact IBM support.

AZF3050I No node secret found for this system

Explanation
No node secret was found for this system. A new node secret will be created automatically after the first successful authentication.

User response
No response is required.

AZF3051S Unable to determine local IP Address, no SDOPTS override present

Explanation
The AZFSIDP1 factor cannot determine the IP address of the local system and is unable to read the IP address from the SDOPTS.REC file. In certain situations, such as a multi-homed LPAR, or a VIPA, it is possible that the host IP address that is auto-detected by the AZFSIDP1 plug-in does not match the IP address actually used for outgoing traffic. In such cases, use the CLIENT_IP override to manually specify the IP address that AZFSIDP1 should use.

User response
Make sure that a valid SDOPTS.REC file has been transferred to the z/OS system in binary mode, and that it is present in the location specified in the AZFEXEC. It must be readable by the AZF started task user.

AZF3053E Compound auth mode requires Passphrase input

Explanation
The user must authenticate in-band with a combination of a SecurID token, and a passphrase or password.

User response
Instruct the user to enter their SecurID token, the required separator, and their passphrase or password in the password field.

AZF3054I AZFSIDP1 settings follow

Explanation
The AZFSIDP1 factor-wide settings are printed when the AZFSIDP1 factor is initialized during AZF started task startup, and are preceded by this message.

User response
No response is required.

AZF3059I Invalid compound credential without PWFALLBACK; denying access

Explanation
The required AZFSIDP1 compound separator is missing or invalid and the user is not configured for PWFALLBACK.

User response
Specify a valid compound separator, as described in “Configure IBM MFA Compound In-Band” on page 56.

AZF3209E Error communicating with server

Explanation
The IBM MFA server cannot establish a connection to the authentication server.

User response
Verify the authentication method settings.

AZF3219E No TLS active on connection

Explanation
The IBM MFA server cannot establish a connection to the authentication server.

User response
Verify the authentication method settings.

AZF3239I Invalid compound credential without PWFALLBACK; denying access

Explanation
The required AZFSIDP3 compound separator is missing or invalid and the user is not configured for PWFALLBACK.

User response
Specify a valid compound separator, as described in “Configure IBM MFA Compound In-Band” on page 65.

AZF4001I AZFTOTP1 Authenticator init

Explanation
The AZFTOTP1 plug-in is initializing.

User response
No response is required.

AZF4002I AZFTOTP1 Authenticator deactivated

Explanation
The AZFTOTP1 plug-in is stopped.

User response
No response is required.

AZF4003I AZFTOTP1 Entry point

Explanation
This progress message is intended for use by support in the event of a problem.

User response
No response is required.

AZF4004E AZFTOTP1 Authenticator initialization failed

Explanation
The AZFTOTP1 plug-in could not initialize.

User response
Contact IBM support.

AZF4100E TOTP AuthTransactions cannot be canceled or continued

Explanation
This message indicates incorrect message routing inside the AZF started task and is not seen in normal circumstances.

User response
Shut down and restart the AZF started task.

AZF4101S Structure integrity check failed

Explanation
This message indicates memory corruption inside the AZF started task.

User response
Shut down and restart the AZF started task.

AZF4102I Starting TOTP auth processing

Explanation
This is an informational message that AZFTOTP1 authentication is starting.

User response
No response is required.

AZF4104I Finished TOTP auth processing

Explanation
This is an informational message that AZFTOTP1 authentication is finished.

User response
No response is required.

AZF4105E Failed to create TOTP User object

Explanation
The AZFTOTP1 factor data for a particular user ID is invalid.

User response
Correct or clear the AZFTOTP1 factor data for the affected user.

AZF4107I TOTP Passcode Rejected

Explanation
The TOTP passcode the user entered was rejected, most likely because the passcode was entered incorrectly or was outside of the Window skew interval, as described in “Configure a TOTP profile for users” on page 76.

User response
The user should wait for the TOTP passcode to change and try again.

AZF4108W TOTP Replay prevention

Explanation
The AZFTOTP1 plug-in prevented a previously-used TOTP passcode from being reused.

User response
Ensure that the passcode reuse was a user error and not the result of a replay attack.

AZF4109E Error evaluating TOTP User object changes

Explanation
An ALTUSER command to change AZFTOTP1 factor data resulted in an error.

User response
See additional log messages or the ALTUSER command output for details.

AZF4110E TOTP User object validation failed

Explanation
The AZFTOTP1 factor data for a particular user ID is invalid.

User response
Clear and re-provision the AZFTOTP1 factor data for the affected user, as described in “Re-registering a user for TOTP” on page 79.

AZF4111E TOTP User object has invalid REGSTATE

Explanation
When you register a user for TOTP, you set the registration state to OPEN. (Case is sensitive.) TOTP then changes the registration state to PROVISIONED when a TOTP account is created for the user on the iOS device.

User response
Specify a valid registration state.

AZF4112E TOTP User object is missing KEYLABEL

Explanation
When TOTP changes the registration state to PROVISIONED, a keylabel is created automatically. This message can occur if you deactivated the user for TOTP and cleared all tags for that user.

User response
Re-register the user as described in “Re-registering a user for TOTP” on page 79.

AZF4113E TOTP User object has invalid ALG

Explanation
When you configure a user for TOTP, you can set the digest algorithm used to generate the one-time password. Valid options include SHA256, SHA384, and SHA512. (Case is sensitive.) This overrides the default settings.

User response
Set a valid digest algorithm, as described in “Configure a TOTP profile for users” on page 76.

AZF4114E TOTP User object has invalid NUMDIGITS

Explanation
When you configure a user for TOTP, you can set the number of digits used to generate the one-time password. Valid options are 6 - 8 digits. This overrides the default settings.

User response
Set a valid number of digits, as described in “Configure a TOTP profile for users” on page 76.

AZF4115E TOTP User object has invalid PERIOD

Explanation
When you configure a user for TOTP, you can set the number of seconds an interval lasts. This number determines how long a one-time password is active

before the next one-time password generates. Valid values are 15 seconds, 30 seconds, and 60 seconds. This overrides the default settings.

User response
Set a valid period, as described in “Configure a TOTP profile for users” on page 76.

AZF4116E Error validating TOTP passcode

Explanation
A user’s TOTP passcode could not be validated due to an underlying library error. This message will include the relevant PKCS#11 return and reason codes, if applicable.

User response
See the PKCS#11 return and reason codes.

AZF4117I TOTP Passcode Accepted

Explanation
The TOTP passcode the user entered was accepted.

User response
No response is required.

AZF4118W User's tags are now invalid; verify AZFTOTP1 is INACTIVE

Explanation
You specified an invalid tag name.

User response
Set AZFTOTP1 to INACTIVE for the user until you specify valid tag names, as described in “Configure a TOTP profile for users” on page 76.

AZF4120I Defaulting TOTP algorithm

Explanation
When you configure a user for TOTP, you can set the digest algorithm used to generate the one-time password. Valid options include SHA256, SHA384, and SHA512. (Case is sensitive.) This overrides the default settings. If you do not set the digest algorithm, the default setting is used.

User response
No response is required.

AZF4121I Defaulting TOTP digits

Explanation
When you configure a user for TOTP, you can set the number of digits used to generate the one-time password. If you do not set the number of digits, the default setting is used.

User response
No response is required.

AZF4122I Defaulting TOTP period

Explanation
When you configure a user for TOTP, you can set the number of seconds an interval lasts. This number determines how long a one-time password is active before the next one-time password generates. If you do not set the period, the default setting is used.

User response
No response is required.

AZF4123I Defaulting TOTP window

Explanation
When you configure a user for TOTP, you can set the window skew interval. If you do not set the window, the default setting is used.

User response
No response is required.

AZF4124E AZFTOTP1 factor-wide settings are missing or invalid

Explanation
The AZFTOTP1 factor-wide settings are missing or invalid.

User response
Configure the AZFTOTP1 factor-wide settings, as described in “Configure AZFTOTP1” on page 70.

AZF4125W Failed to update user's CVALUE, replay protection inop

Explanation
After validating a user’s TOTP passcode, AZFTOTP1 failed to update the user’s factor data to indicate their

latest CVALUE. This value is updated to prevent a passcode from being reused by an attacker.

User response
Verify the AZF started task's permissions to the FACTOR.AZFTOTP1 profile.

AZF4126I AZFTOTP1 settings follow

Explanation
The AZFTOTP1 factor-wide settings are printed when the AZFTOTP1 factor is initialized during AZF started task startup, and are preceded by this message.

User response
No response is required.

AZF4127E Failed to read AZFTOTP1 settings

Explanation
AZFTOTP1 settings could not be retrieved from RACF.

User response
Verify the AZF started task's permissions to the FACTOR.AZFTOTP1 profile.

AZF4128W Runtime settings were not changed

Explanation
If it is determined during REFRESH command processing that incoming AZFTOTP1 settings are invalid, those settings will not be applied.

User response
Correct the invalid settings.

AZF4129E AZFTOTP1 failed to read AZFSTC settings

Explanation
The STC settings could not be determined.

User response
Configure the STC as described in “Configure IBM MFA STC configuration attributes” on page 21.

AZF4131I Validated TOTP User

Explanation
The user was validated.

User response
No response is required.

AZF4132I Matched TOTP counter value

Explanation
This is an informational message.

User response
No response is required.

AZF4140E PKCS#11 token name is missing from AZFTOTP1 settings

Explanation
The PKCS#11 token name is missing from the AZFTOTP1 factor-wide settings.

User response
Configure the AZFTOTP1 factor-wide settings, as described in “Configure AZFTOTP1” on page 70.

AZF4141E Failed to get PKCS#11 environment info

Explanation
The PKCS#11 environment could not be obtained.

User response
Configure the PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

AZF4142E The named PKCS#11 token was not accessible

Explanation
The PKCS#11 token name specified in the AZFTOTP1 factor-wide settings is not accessible.

User response
Configure the AZFTOTP1 factor-wide settings, as described in “Configure AZFTOTP1” on page 70.

AZF4143I Description of accessible PKCS#11 environment follows:

Explanation
This is an informational message generated as part of normal processing.

User response
No response is required.

AZF4144E A user's TOTP key object was not found

Explanation
When TOTP changes the registration state to PROVISIONED, a keylabel is created automatically. This message can occur if you deactivated the user for TOTP and cleared all tags for that user.

User response
Re-register the user, as described in “Re-registering a user for TOTP” on page 79.

AZF4145E Multiple TOTP key objects were found for the same KEYLABEL

Explanation
When TOTP changes the registration state to PROVISIONED, a keylabel is created automatically.

User response
Re-register the user, as described in “Re-registering a user for TOTP” on page 79.

AZF4146W Failed to delete a key object from the PKCS#11 token

Explanation
A user’s factor data contained a label tag value, and multiple PKCS#11 key records were returned for the specified label value.

User response
Clear the user’s factor data, return them to REGSTATE:OPEN state, and instruct them to re-enroll their IBM TouchToken for iOS account, as described in “Re-registering a user for TOTP” on page 79.

AZF4147I Deleted tags include KEYLABEL

Explanation
When TOTP changes the registration state to PROVISIONED, a keylabel is created automatically. This message can occur if you deactivated the user for TOTP and cleared all tags for that user.

User response
Re-register the user, as described in “Re-registering a user for TOTP” on page 79.

AZF4150W Tag eval failed to translate a local status to PC return/reason pair

Explanation
The local error cannot be translated to be more meaningful to ALTUSER.

User response
Check your inputs to ALTUSER to make sure you specified tags and values as documented.

AZF4160I Suspending TOTP user for consecutive failures

Explanation
The user has exceeded the revoke count that you configured.

User response
The user is unable to authenticate with TOTP until you reset them to REGSTATE:PROVISIONED.

AZF4161E Failed to update TOTP user data; brute-force protection inoperative

Explanation
The revoke count could not be configured.

User response
Ensure that the IBM MFA services started task is started. Configure the revoke count, as described in “Configure AZFTOTP1” on page 70.

AZF5001I IBM TouchToken Registration Web Services

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5002I Server base init success

Explanation
The web services server is successfully initializing.

User response
No response is required.

AZF5003E Server base init error

Explanation
The web services server did not successfully initialize.

User response
Contact IBM support.

AZF5004S Failed to initialize the services shared context

Explanation
Fatal error on startup, possibly due to missing or invalid AZFTOTP1 settings.

User response
Configure TOTP as described in “Configure AZFTOTP1” on page 70.

AZF5006S AZFTOTP1 or AZFSTC settings could not be read; Cannot start Registration Services

Explanation
The AZFTOTP1 or STC web services server settings are missing or invalid.

User response
Configure the started task settings, as described in “Configure IBM MFA web services started task” on page 41. Configure the AZFTOTP1 factor-wide web services server settings, as described in “Configure AZFTOTP1” on page 70.

AZF5007S A required parameter is missing from the AZFSTC settings, or PKCS#11 init failed

Explanation
An AZFSTC factor-wide server setting is missing or is invalid, or the PKCS#11 initialization failed.

User response
Configure PKCS#11 as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31. Configure the AZFSTC settings, as described in “Configure IBM MFA STC configuration attributes” on page 21.

AZF5008S Failed to initialize one or more web services

Explanation
Fatal error on startup, possibly due to missing or invalid AZFTOTP1 settings.

User response
Configure TOTP as described in “Configure AZFTOTP1” on page 70.

AZF5009I AZFTOTP1 settings follow:

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5010E Web services hostname is missing from AZFSTC settings

Explanation
This message is obsolete.

User response
No response is required.

AZF5011E Server-auth TLS port number is missing from AZFSTC settings

Explanation
The server authentication port setting is missing.

User response
Configure the server authentication port, as described in “Configure IBM MFA web services started task” on page 41.

AZF5012E PKCS#11 token name is missing from AZFSTC settings

Explanation
The PKCS#11 token name is missing.

User response
Enter the PKCS#11 token name, as described in “Configure AZFTOTP1” on page 70.

AZF5014I Will declare the following Realm name to clients

Explanation
AZFTOTP1 will use this realm name for your web services server. This is an arbitrary name of your choosing.

User response
No response is required.

AZF5015I web services server using trace level

Explanation
The web services server is using the trace level. Valid values are 0 through 3, where the higher number increases the level of verbosity.

User response
No response is required.

AZF5020E The enrollCheck service saw a request with zero content length

Explanation
A request was made to a valid registration web server URL, but the body of the request was invalid because it was empty. Either a connection to a valid client was dropped by the network infrastructure, or an unexpected client is issuing requests to the web services server.

User response
Make sure that the user's Apple iOS device has network connectivity to the web services server, as described in “Configure AZFTOTP1” on page 70.

AZF5021E Received an enrollCheck request that was malformed or missing parameters

Explanation
A request was made to a valid registration web server URL, but the body of the request was invalid because it was empty. Either a connection to a valid client was dropped by the network infrastructure, or an unexpected client is issuing requests to the web services server.

User response
Make sure that the user's Apple iOS device has network connectivity to the web services server, as described in “Configure AZFTOTP1” on page 70.

AZF5022I Results of safVerify

Explanation
This informational message will be followed by return and reason codes associated with an underlying RACROUTE REQUEST=VERIFY call.

User response
No response is required.

AZF5023E Enrollment check returning Not Authorized

Explanation
A client contacted the web services server to determine whether a user may enroll a new account, but the client provided an invalid combination of User ID and Password or Passphrase.

User response
Instruct users to open the web services server start page using Mobile Safari on their iOS device and log in with their z/OS user name and password.

AZF5024E Enrollment check responding with following error

Explanation
A client contacted the web services server to determine whether a user may enroll a new TouchToken Account, and the web services server is responding as described.

User response
See the accompanying error for more information.

AZF5025I Enrollment check responding success

Explanation
A client contacted the web services server to determine whether a user may enroll a new account, and the web services server is responding that the user in question may proceed with enrollment.

User response
No response is required.

AZF5026I Found existing invitation

Explanation
A client contacted the web services server to retrieve TOTP token details, and the server located a preexisting internal structure describing a partial token for the given user.

User response
No response is required.

AZF5027I Created new invitation

Explanation
A client contacted the web services server to retrieve TOTP token details, and the server created a new internal structure describing a partial token for the given user.

User response
No response is required.

AZF5028E Failed to retrieve AZFTOTP user object

Explanation
A client contacted the web services server to determine whether a user may enroll a new account, and the web services server failed to locate valid AZFTOTP1 configuration for that user.

User response
Configure the user account, as described in “Configure a TOTP profile for users” on page 76.

AZF5029I Invite code

Explanation
This is an internal progress message to aid support in the event that a problem requires diagnosis.

User response
No response is required.

AZF5031I Generated candidate keylabel

Explanation
This message displays the label to be applied to the PKCS#11 key record for a user’s newly-enrolled account.

User response
No response is required.

AZF5032E Base64 encoding failed

Explanation
This is unlikely to occur unless there is an out of memory issue. If the task is still up and emitting this message, restart it.

User response
Restart the task.

AZF5033E Invitation not found

Explanation
A client tried to retrieve an account specification from the server, but specified an account identifier that did not match any specification pending output in the server. Something other than the IBM TouchToken for iOS application may be issuing requests to the server URL space.

User response
Determine which application is trying to connect to the web services server.

AZF5034I Retrieved an invitation and will promote it

Explanation
This is a progress message to aid support in the event of a problem.

User response
No response is required.

AZF5035E Invitation in invalid state will be destroyed; user must restart enrollment

Explanation
A previous error caused an account specification to become unusable, so it will not be used.

User response
The user attempting to enroll a new IBM TouchToken for iOS account should restart the enrollment process in the application.

AZF5036E Invitation promotion failed

Explanation
The server failed to infuse an IBM TouchToken for iOS account specification with required data.

User response
See other errors in the log.

AZF5037E JSON encoding failed

Explanation
Unlikely to occur unless out of memory.

User response
If the task is still up and emitting this message, restart it.

AZF5038I Tokenspec retrieval responding success

Explanation
Progress message to aid support in the event of a problem.

User response
No response is required.

AZF5040I Entered preflight

Explanation
Progress message to aid support in the event of a problem.

User response
No response is required.

AZF5041E Preflight account metadata not found

Explanation
A client attempted to contact the preflight service URL space, but provided no valid short-lived account identifier. An internal error has occurred, a network error has occurred, or a client other than the IBM TouchToken for iOS application may be contacting the registration server.

User response
Contact IBM support.

AZF5042E Preflight saw invalid account metadata

Explanation
A client attempted to contact the preflight service URL space, but provided no valid short-lived account identifier. An internal error has occurred, a network error has occurred, or a client other than the IBM TouchToken for iOS application may be contacting the registration server.

User response
Contact IBM support.

AZF5043E Preflight failed to match the provided token code

Explanation
The TOTP value provided by the client did not match any of the allowed values, possibly due to clock skew between the client application and the server.

User response
Consider increasing the default Window value in the AZFTOTP1 factor, then instruct the affected user to re-attempt IBM TouchToken for iOS account enrollment.

AZF5043I If using a short PERIOD value, try increasing WINDOW to reduce clock skew effects

Explanation
Token Period is the time (in seconds) between changes in value for the token. This number determines how long a one-time password is active before the next one-time password generates. The Window skew interval considers any possible synchronization delay between the server and the client that generates the one-time password. If Token Period and Window are both short, the user may not have sufficient time to enter the passcode.

User response
Increase the Window value if needed.
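The PERIOD, WINDOW and CVALUE behaviour that the TOTP messages above describe (AZF4107I, AZF4108W, AZF4113E through AZF4115E, AZF4125W and AZF5043I), as an added Python example that is not IBM MFA or Rocket code: an RFC 6238 validator with the ALG, NUMDIGITS and PERIOD choices listed on this page, a skew window, a last-accepted-counter replay check, and the arithmetic behind the AZF5043I advice. Modelling the Window as a count of periods on either side of the current one, CVALUE as the last accepted counter, and the test secret are all assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Digest algorithms the ALG tag accepts (the page notes the names are case-sensitive).
ALGORITHMS = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}
VALID_DIGITS = range(6, 9)      # NUMDIGITS: 6 - 8 digits
VALID_PERIODS = (15, 30, 60)    # PERIOD: seconds per interval


@dataclass
class TotpProfile:
    """Per-user TOTP settings modelled on the ALG, NUMDIGITS and PERIOD tags.

    'window' models the Window skew interval as the number of periods tolerated
    on either side of the current one; 'cvalue' models the CVALUE replay marker
    as the last accepted counter. Both representations are assumptions, not the
    IBM MFA definitions, which the page does not give.
    """
    secret: bytes                  # constructed test secret, never a real seed
    alg: str = "SHA256"
    digits: int = 6
    period: int = 30
    window: int = 1
    cvalue: Optional[int] = None   # None until the first successful validation

    def __post_init__(self) -> None:
        # The same invalid values that AZF4113E, AZF4114E and AZF4115E report.
        if self.alg not in ALGORITHMS:
            raise ValueError("invalid ALG: %s" % self.alg)
        if self.digits not in VALID_DIGITS:
            raise ValueError("invalid NUMDIGITS: %d" % self.digits)
        if self.period not in VALID_PERIODS:
            raise ValueError("invalid PERIOD: %d" % self.period)


def hotp(secret: bytes, counter: int, alg: str, digits: int) -> str:
    """RFC 4226 HOTP with the SHA-2 variants of RFC 6238: HMAC over the 8-byte
    big-endian counter, dynamic truncation, then the low 'digits' decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[alg]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def counter_at(timestamp: int, period: int) -> int:
    """The TOTP counter is the number of whole periods since the epoch."""
    return timestamp // period


def generate(profile: TotpProfile, timestamp: int) -> str:
    """The passcode the user's authenticator app shows at 'timestamp'."""
    return hotp(profile.secret, counter_at(timestamp, profile.period), profile.alg, profile.digits)


def verify(profile: TotpProfile, passcode: str, timestamp: int) -> str:
    """Validate a passcode and name the outcome the messages above distinguish.

    ACCEPTED: matched a counter inside the skew window and newer than CVALUE.
    REPLAY:   matched, but not newer than CVALUE, so it was already used once.
    REJECTED: no counter inside the window produces this passcode.
    """
    if len(passcode) != profile.digits or not passcode.isdigit():
        return "REJECTED"
    now = counter_at(timestamp, profile.period)
    matched = None
    for counter in range(now - profile.window, now + profile.window + 1):
        expected = hotp(profile.secret, counter, profile.alg, profile.digits)
        # Constant-time comparison, so timing does not reveal how many digits matched.
        if hmac.compare_digest(expected, passcode):
            matched = counter
            break
    if matched is None:
        return "REJECTED"
    if profile.cvalue is not None and matched <= profile.cvalue:
        return "REPLAY"
    # Persisting the new CVALUE is the step AZF4125W reports as failed; without it
    # the next check could not tell a replayed passcode from a fresh one.
    profile.cvalue = matched
    return "ACCEPTED"


def seconds_to_enter(period: int, window: int, skew: int) -> int:
    """Seconds a user has from the moment a passcode appears on the client until
    the server stops accepting it, when the server clock runs 'skew' seconds
    ahead of the client: the window extends it, the skew eats into it."""
    return max(0, (window + 1) * period - skew)


if __name__ == "__main__":
    profile = TotpProfile(secret=b"constructed-test-secret", alg="SHA256", digits=6, period=30)
    now = 1_700_000_000
    code = generate(profile, now)
    print("first use:", verify(profile, code, now))                                # ACCEPTED
    print("second use:", verify(profile, code, now + 10))                          # REPLAY
    print("stale code:", verify(profile, generate(profile, now - 120), now))       # REJECTED
    print("PERIOD=15 WINDOW=0 with 10 s skew leaves", seconds_to_enter(15, 0, 10), "s")
```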
AZF5044I Preflight will commit and activate AZFTOTP1

Explanation
A user has completed IBM TouchToken for iOS account enrollment and should begin using this account to access MFA-protected systems that use the same RACF database as the server.

User response
No response is required.

AZF5046E Failed to convert user secret to session HMAC key (rc=, rsn=)

Explanation
The hash message authentication code (HMAC) key could not be created.

User response
Configure the PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

AZF5050I Console listener task starting up

Explanation
The console listener task is starting up. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5051I Stop command received

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5052I Modify command received

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5053E Modify command was not recognized

Explanation
The Modify command was not recognized.

User response
See Chapter 42, “Modifying component trace levels,” on page 223 for the format of the Modify command.

AZF5054E Invalid trace level specified (valid levels are 0-3)

Explanation
You specified an invalid trace level.

User response
Enter a valid trace level.

AZF5055E Modify command processing failed

Explanation
The Modify command processing failed.

User response
See Chapter 42, “Modifying component trace levels,” on page 223 for the format of the Modify command.

AZF5056I Modify command action

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5101S Structure integrity check failed

Explanation
A serious internal error has occurred.

User response
Restart the web services server.

AZF5105E Failed to create AZFTOTP User object

Explanation
A user’s AZFTOTP1 factor data was not present, or contained values that prevented the creation of a validated user object.

User response
Clear the user’s AZFTOTP1 factor data and set their REGSTATE tag to OPEN, as described in “Re-registering a user for TOTP” on page 79.

AZF5107I TOTP Passcode Rejected

Explanation
The TOTP passcode the user entered was rejected, most likely because the passcode was entered incorrectly or was outside of the Window skew interval, as described in “Configure a TOTP profile for users” on page 76.

User response
The user should wait for the TOTP passcode to change and try again.

AZF5108W TOTP Replay prevention

Explanation
The AZFTOTP1 plug-in prevented a previously-used TOTP passcode from being reused.

User response
Ensure that the passcode reuse was a user error and not the result of a replay attack.

AZF5110E TOTP User object validation failed

Explanation
A user’s AZFTOTP1 factor data contained values that prevented the creation of a validated user object.

User response
Clear the user’s AZFTOTP1 factor data and set their REGSTATE tag to OPEN, as described in “Re-registering a user for TOTP” on page 79.

AZF5111E TOTP User object has invalid REGSTATE

Explanation
When you register a user for TOTP, you set the registration state to OPEN. (Case is sensitive.) TOTP then changes the registration state to PROVISIONED when a TOTP account is created for the user on the iOS device.

User response
Specify a valid registration state.

AZF5112E TOTP User object is missing KEYLABEL

Explanation
When TOTP changes the registration state to PROVISIONED, a keylabel is created automatically. This message can occur if you deactivated the user for TOTP and cleared all tags for that user.

User response
Re-register the user as described in “Re-registering a user for TOTP” on page 79.

AZF5113E TOTP User object has invalid ALG

Explanation
When you configure a user for TOTP, you can set the digest algorithm used to generate the one-time password. Valid options include SHA256, SHA384, and SHA512. (Case is sensitive.) This overrides the default settings.

User response
Set a valid digest algorithm, as described in “Configure a TOTP profile for users” on page 76.

AZF5116E Error validating TOTP passcode

Explanation
A client accessed the preflight service, but the server was unable to verify whether the supplied TOTP passcode was matched by one of the allowed values. This indicates a configuration problem or a serious error in an underlying service.

User response
Check the AZFTOTP1 configuration, restart the server, and contact IBM support if the problem persists.

AZF5117I TOTP Passcode Accepted

Explanation
The TOTP passcode the user entered was accepted.

User response
No response is required.

AZF5120I Defaulting TOTP algorithm

Explanation
When you configure a user for TOTP, you can set the digest algorithm used to generate the one-time password. Valid options include SHA256, SHA384, and SHA512. (Case is sensitive.) This overrides the default settings. If you do not set the digest algorithm, the default setting is used.

User response
No response is required.

AZF5121I Defaulting TOTP digits

Explanation
When you configure a user for TOTP, you can set the number of digits used to generate the one-time password. If you do not set the number of digits, the default setting is used.

User response
No response is required.

AZF5122I Defaulting TOTP period

Explanation
When you configure a user for TOTP, you can set the number of seconds an interval lasts. This number determines how long a one-time password is active before the next one-time password generates. If you do not set the period, the default setting is used.

User response
No response is required.

AZF5123I Defaulting TOTP window

Explanation
When you configure a user for TOTP, you can set the window skew interval. If you do not set the window, the default setting is used.

User response
No response is required.

AZF5124E AZFTOTP1 factor-wide settings are missing or invalid

Explanation
The AZFTOTP1 factor-wide settings are missing or invalid.

User response
Configure the AZFTOTP1 factor-wide settings, as described in “Configure AZFTOTP1” on page 70.

AZF5125W Failed to update user's CVALUE, replay protection inop

Explanation
The web services server invoked the R_factor callable service to modify the user’s AZFTOTP1 factor data, but was unable to update the CVALUE tag value. The next TOTP passcode check for this user account will therefore be unable to accurately determine whether the supplied value, if otherwise matching an allowed value, represents a passcode replay event.

User response
Check the AZFTOTP1 configuration, restart the server, and contact IBM support if the problem persists.

AZF5141E Failed to get PKCS#11 environment info

Explanation
This is a serious error that will prevent the web services server from functioning.

User response
Check the AZFTOTP1 configuration, the permissions of the web services server started-task user, and restart the web services server.

AZF5142E The named PKCS#11 token was not accessible

Explanation
The named PKCS#11 token is not accessible.

User response
Check the token name configured in the web services started task settings.

AZF5143I Description of accessible PKCS#11 environment follows:

Explanation
Subsequent messages in the log describe which PKCS#11 tokens were accessible by the registration server.

User response
See the following messages in the log for a description of which PKCS#11 tokens were accessible by the web services server. If the displayed list does not contain the configured PKCS#11 token name, the web services server will not function.

AZF5144E A required PKCS#11 key object was not found

Explanation
A user’s factor data contained a label tag value, but a PKCS#11 key record with that label was not found. The PKCS#11 token name in the settings may have recently been changed to an invalid value.

User response
Configure the PKCS#11 token name in the web services started task settings.

AZF5145E Multiple TOTP key objects were found for the same label

Explanation
A user’s factor data contained a label tag value, and multiple PKCS#11 key records were returned for the specified label value.

User response
Clear the user’s factor data, return them to REGSTATE:OPEN state, and instruct them to re-enroll their IBM TouchToken for iOS account, as described in “Re-registering a user for TOTP” on page 79.

AZF5146W Failed to delete a key object from the PKCS#11 token

Explanation
A user’s factor data contained a label tag value, and multiple PKCS#11 key records were returned for the specified label value.

User response
Clear the user’s factor data, return them to REGSTATE:OPEN state, and instruct them to re-enroll their IBM TouchToken for iOS account, as described in “Re-registering a user for TOTP” on page 79.

AZF5150I Attempting to create PKCS#11 token

Explanation
You can provide a valid token name and IBM MFA will create it if it does not already exist.

User response
No response is required.

AZF5151I Created PKCS#11 token successfully

Explanation
You can provide a valid token name and IBM MFA will create it if it does not already exist.

User response
No response is required.

AZF5152E Failed to create PKCS#11 token

Explanation
You can provide a valid token name and IBM MFA will create it if it does not already exist.

User response
Enter a valid PKCS#11 token name.

AZF5153E Failed to generate random bytes

Explanation
The PKCS#11 token was deleted after the task successfully started.

User response
Configure a PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

AZF5154E Failed to create a PKCS#11 HMAC key from raw bytes

Explanation
The hash message authentication code (HMAC) key could not be created.

User response
Configure the PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

AZF5155E Error checking token code

Explanation
The PKCS#11 AES key could not be created.

User response
Configure the PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

AZF5156I Created PKCS#11 AES key successfully

Explanation
The PKCS#11 AES key was created. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5157I Found PKCS#11 token

Explanation
The PKCS#11 token was found. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5158I Found PKCS#11 AES key

Explanation
The PKCS#11 AES key was found. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5160E Failed to commit a user's AZFTOTP1 factor data

Explanation
TOTP was unable to commit the user's factor data.

User response
Contact IBM support.

AZF5161I Committed AZFTOTP1 user factor data, and set ACTIVE

Explanation
TOTP committed the user's factor data and set the factor to active. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF5161E Service unavailable

Explanation
You might have entered an invalid user ID on the IBM MFA Out-of-Band login page.

User response
Verify the user ID and retry.

AZF5170E Required data was missing from the request

Explanation
The user is not correctly configured for TOTP.

User response
See “Configure a TOTP profile for users” on page 76 for the steps to follow to register a user. See “Re-registering a user for TOTP” on page 79 for the steps to follow to re-register a user.

AZF5171E Authentication failed

Explanation
The AZFTOTP1 factor must be marked NOACTIVE for registration. The web services server does a RACROUTE REQUEST=VERIFY to check the user's password. If AZFTOTP1 is active at the time the password check occurs, it will fail.

User response
See “Configure a TOTP profile for users” on page 76 for the steps to follow to register a user. See “Re-registering a user for TOTP” on page 79 for the steps to follow to re-register a user.

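The per-user TOTP settings that AZF5120I through AZF5123I describe (algorithm, digits, period and window, each falling back to a factor-wide default when unset) and the replay check that AZF5125W says becomes inoperative when CVALUE cannot be stored, as an added example verifier that is not IBM MFA's code. The default values, the record layout and the reading of CVALUE as the last accepted time-step are assumptions made for this example; the page does not state them.

```python
"""Added example (not IBM MFA code): an RFC 6238 TOTP verifier with the per-user
settings AZF5120I-AZF5123I describe and the replay check AZF5125W refers to."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Factor-wide defaults used when a user's record leaves a value unset.
# Constructed for this example; the product's real defaults are not stated
# in the message text.
DEFAULTS = {"algorithm": "SHA256", "digits": 8, "period": 30, "window": 1}

# Algorithm names are case-sensitive, as AZF5120I notes.
ALGORITHMS = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}


@dataclass
class TotpRecord:
    """One user's TOTP factor data (assumed shape, not the real AZFTOTP1 tag layout)."""
    secret: bytes
    algorithm: Optional[str] = None
    digits: Optional[int] = None
    period: Optional[int] = None
    window: Optional[int] = None
    # Last accepted time-step.  Stands in for the CVALUE tag; that CVALUE is
    # exactly this counter is an assumption made here.
    cvalue: Optional[int] = None
    # False simulates the AZF5125W condition: the factor-data update that
    # stores CVALUE fails, so the counter never advances.
    cvalue_writable: bool = True

    def setting(self, name: str):
        """Per-user value if set, otherwise the factor-wide default (the AZF512xI case)."""
        value = getattr(self, name)
        return DEFAULTS[name] if value is None else value


def totp_code(secret: bytes, step: int, algorithm: str, digits: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 8-byte big-endian time-step."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported TOTP algorithm {algorithm!r} (case is sensitive)")
    mac = hmac.new(secret, struct.pack(">Q", step), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(record: TotpRecord, supplied: str, now: int) -> str:
    """Check `supplied` against every time-step within +/- window of `now`.

    Returns:
      "OK"             matched and the replay counter was advanced
      "REPLAY"         matched a step at or before the last accepted one
      "OK_REPLAY_INOP" matched, but the counter could not be stored; this is
                       the state AZF5125W warns about, since the next check
                       for this user cannot tell a replay from a fresh code
      "BAD_CODE"       no step in the window produces this value
    """
    algorithm, digits = record.setting("algorithm"), record.setting("digits")
    period, window = record.setting("period"), record.setting("window")
    current = now // period
    for step in range(current - window, current + window + 1):
        expected = totp_code(record.secret, step, algorithm, digits)
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            continue
        if record.cvalue is not None and step <= record.cvalue:
            return "REPLAY"
        if not record.cvalue_writable:
            return "OK_REPLAY_INOP"
        record.cvalue = step
        return "OK"
    return "BAD_CODE"


if __name__ == "__main__":
    # Constructed demo: one user on the defaults, a first login, then the same code again.
    rec = TotpRecord(secret=b"12345678901234567890123456789012")
    code = totp_code(rec.secret, 1111111109 // 30, "SHA256", 8)
    print(verify(rec, code, 1111111109))   # OK
    print(verify(rec, code, 1111111109))   # REPLAY
```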
AZF5172E An internal error prevented the server from verifying user eligibility

Explanation
An internal error occurred.

User response
Contact IBM support.

AZF5173E The specified User ID is not currently eligible for TouchToken Account enrollment

Explanation
The specified user ID cannot currently be enrolled due to a configuration error.

User response
See “Configure a TOTP profile for users” on page 76 for the steps to follow to register a user. See “Re-registering a user for TOTP” on page 79 for the steps to follow to re-register a user.

AZF5174E Existing AZFTOTP1 factor data for the specified User ID failed validation

Explanation
The specified user ID failed validation, possibly due to a configuration error.

User response
See “Configure a TOTP profile for users” on page 76 for the steps to follow to register a user. See “Re-registering a user for TOTP” on page 79 for the steps to follow to re-register a user.

AZF5175I The specified User ID has already enrolled a TouchToken Account; existing Account details must be cleared by a RACF administrator before a new Account may be enrolled

Explanation
The user attempted to create a TOTP account and one already exists.

User response
You typically do not need to re-register a user for TOTP. If you do need to do so, follow the steps described in “Re-registering a user for TOTP” on page 79.

AZF5176E The specified User ID is eligible for TouchToken enrollment, but an internal server error prevented enrollment from proceeding

Explanation
An internal server error prevented the user account from being enrolled.

User response
Contact IBM support.

AZF5177E An internal server error prevented enrollment of your new TouchToken Account

Explanation
An internal server error prevented the user account from being enrolled.

User response
Contact IBM support.

AZF5178E The token code sent to the server was invalid or out of range, retry enrollment and contact an administrator if this problem persists

Explanation
The token code provided by the user is invalid, possibly due to a configuration error.

User response
See “Configure a TOTP profile for users” on page 76 for the steps to follow to register a user. See “Re-registering a user for TOTP” on page 79 for the steps to follow to re-register a user.

AZF6001I IBM Multi-Factor Authentication Web Services

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6002I Server base init success

Explanation
The web services server is successfully initializing.

User response
No response is required.

AZF6003E Server base init error

Explanation
The server did not successfully initialize.

User response
Contact IBM support.

AZF6004S Failed to initialize the services shared context

Explanation
Fatal error on startup, possibly due to missing or invalid settings.

User response
Configure IBM MFA web services, as described in Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.

AZF6006S AZFTOTP1 token registration services disabled

Explanation
The AZFTOTP1 factor-wide web services server settings are missing or invalid.

User response
Configure the AZFTOTP1 factor-wide web services server settings, as described in “Configure AZFTOTP1” on page 70.

AZF6007S A required parameter is missing from the settings, or PKCS#11 init failed

Explanation
A factor-wide setting is missing or is invalid, or the PKCS#11 initialization failed.

User response
Configure PKCS#11 as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31. Configure the started task settings, as described in “Configure IBM MFA web services started task” on page 41.

AZF6008S Failed to initialize one or more web services

Explanation
Fatal error on startup, possibly due to missing or invalid settings.

User response
Configure the started task settings, as described in “Configure IBM MFA web services started task” on page 41.

AZF6009I Settings follow:

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6010E Failed to read AZF settings

Explanation
The web service settings are missing.

User response
Configure web services as described in Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.

AZF6011E No web services are enabled in the AZF settings; shutting down

Explanation
The web service settings are missing.

User response
Configure web services as described in Chapter 10, “Configuring IBM MFA web services configuration attributes,” on page 35.

AZF6012I IBM Multi-Factor Authentication Web Services startup complete

Explanation
The main web services task startup is complete. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6012E PKCS#11 token name is missing from AZFSTC settings

Explanation
The PKCS#11 token name is missing.

User response
Enter the PKCS#11 token name, as described in “Configure AZFTOTP1” on page 70.

AZF6015I web services server using trace level

Explanation
The web services server is using the trace level. Valid values are 0 through 3, where the higher number increases the level of verbosity.

User response
No response is required.

AZF6020E Failed to initialize OOBSvcsClient

Explanation
The IBM MFA Out-of-Band services failed to initialize.

User response
Make sure that IBM MFA Out-of-Band is configured as described in Chapter 11, “Configuring IBM MFA Out-of-Band authentication,” on page 45.

AZF6024E One or more required files in the document root are not accessible

Explanation
The document root for the IBM MFA web services started task contains required files. One or more of these required files is not available.

User response
Configure the document root as described in Table 9 on page 41.

AZF6025E Web services task closing IPC connection due to error

Explanation
This message is issued by the IBM MFA web services started task (AZF#IN01) whenever there is an error condition on the socket connection to the IBM MFA services started task (AZF#IN00).

User response
You can disregard spurious instances of this message. Multiple instances of this message likely indicate that AT-TLS is misconfigured. In that case, ensure that AT-TLS is configured as described in “Configure an AT-TLS profile” on page 36.

Note: The Server Port Number is referred to in related log messages as "IPC Services Port."

AZF6026E Program installation error (<reason>)

Explanation
The possible reasons for this message are as follows:
• Not APF authorized

User response
Refer to and complete the system programming steps described in Chapter 4, “System programming steps,” on page 7.

AZF6030I Console listener task starting up

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6031I Stop command received

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6032I Modify command received

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6033E Modify command was not recognized

Explanation
The Modify command was not recognized.

User response
Use the server configuration settings to set the trace level.

AZF6034E Invalid trace level specified (valid levels are 0-3)

Explanation
You specified an invalid trace level.

User response
Enter a valid trace level.

AZF6035E Modify command processing failed

Explanation
The Modify command processing failed.

User response
Correct the format of the Modify command.

AZF6036I Modify command action

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6037I Using security manager <name>

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6050I Console listener task starting up

Explanation
The console listener task is starting up. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6051I Stop command received

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6052I Modify command received

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6053E Modify command was not recognized

Explanation
The Modify command was not recognized.

User response
See Chapter 42, “Modifying component trace levels,” on page 223 for the format of the Modify command.

AZF6054E Invalid trace level specified (valid levels are 0-3)

Explanation
You specified an invalid trace level.

User response
Enter a valid trace level.

AZF6055E Modify command processing failed

Explanation
The Modify command processing failed.

User response
See Chapter 42, “Modifying component trace levels,” on page 223 for the format of the Modify command.

AZF6056I Modify command action

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6141E Failed to get PKCS#11 environment info

Explanation
This is a serious error that will prevent the web services server from functioning.

User response
Check the web services started task configuration, the permissions of the web services server started-task user, and restart the web services server.

AZF6142E The named PKCS#11 token was not accessible

Explanation
The named PKCS#11 token is not accessible.

User response
Check the token name configured in the web services started task settings.

AZF6143I Description of accessible PKCS#11 environment follows:

Explanation
Subsequent messages in the log describe which PKCS#11 tokens were accessible by the registration server.

User response
See the following messages in the log for a description of which PKCS#11 tokens were accessible by the web services server. If the displayed list does not contain the configured PKCS#11 token name, the web services server will not function.

AZF6144E A required PKCS#11 key object was not found

Explanation
A user’s factor data contained a label tag value, but a PKCS#11 key record with that label was not found. The PKCS#11 token name in the settings may have recently been changed to an invalid value.

User response
Configure the PKCS#11 token name in the web services started task settings.

AZF6145E Multiple PKCS#11 key objects were found for the same label

Explanation
A user’s factor data contained a label tag value, and multiple PKCS#11 key records were returned for the specified label value.

User response
Check the configured key label in the associated factor.

AZF6146W Failed to delete a key object from the PKCS#11 token

Explanation
A user’s factor data contained a label tag value, and multiple PKCS#11 key records were returned for the specified label value.

User response
Clear the user's factor data for the affected factor. For TOTP, clear the user's factor data for the affected factor, return them to REGSTATE:OPEN state, and instruct them to re-enroll their IBM TouchToken for iOS account, as described in “Re-registering a user for TOTP” on page 79.

AZF6150I Attempting to create PKCS#11 token

Explanation
You can provide a valid token name and IBM MFA will create it if it does not already exist.

User response
No response is required.

AZF6151I Created PKCS#11 token successfully

Explanation
You can provide a valid token name and IBM MFA will create it if it does not already exist.

User response
No response is required.

AZF6152E Failed to create PKCS#11 token

Explanation
You can provide a valid token name and IBM MFA will create it if it does not already exist. The token name you specify with AZFEXEC must match the token name you have configured in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

User response
Configure the PKCS#11 token as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31 and enter the valid PKCS#11 token name.

AZF6153E Failed to generate random bytes

Explanation
The PKCS#11 token was deleted after the task successfully started.

User response
Configure a PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

AZF6154E Failed to create a PKCS#11 HMAC key

Explanation
The hash message authentication code (HMAC) key could not be created.

User response
Configure the PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

AZF6155E Failed to create a PKCS#11 AES key

Explanation
The PKCS#11 AES key could not be created.

User response
Configure the PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

AZF6156I Created PKCS#11 AES key successfully

Explanation
The PKCS#11 AES key was created. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6157I Found PKCS#11 token

Explanation
The PKCS#11 token was found. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6158I Found PKCS#11 AES key

Explanation
The PKCS#11 AES key was found. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6160E SAF error while authenticating user

Explanation
IBM MFA was unable to authenticate the user.

User response
Contact IBM support.

AZF6161E Service unavailable

Explanation
You might have entered an invalid user ID on the IBM MFA Out-of-Band login page.

User response
Verify the user ID and retry.

AZF6162E Failed to authentication user via PAM

Explanation
You might have entered an invalid user ID on the IBM MFA Out-of-Band login page.

User response
Verify the user ID and retry.

AZF6165I Yubikey enrollment services initialized

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF6166W Yubikey enrollment services init failed

Explanation
AZFYUBI1 plug-in could not initialize.

User response
Contact IBM support.

AZF6170E No factors are active for the specified User ID

Explanation
If you apply a policy to a user, the user must have all the factors defined in the policy, and those factors must be active.

User response
Configure the user as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF6171E Session expired or otherwise not found

Explanation
The user exceeded the amount of time allowed to satisfy all authentication factors.

User response
The user must begin the logon process again.

AZF6172E The specified policy name is invalid

Explanation
The policy name associated with the user ID is invalid.

User response
Specify the policy name as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF6173E Failed to create a Cache Token Credential

Explanation
A cache token credential is created every time a user successfully logs on with IBM MFA Out-of-Band. IBM MFA Out-of-Band could not create the cache token credential.

User response
Make sure you have configured IBM MFA Out-of-Band as described in Chapter 11, “Configuring IBM MFA Out-of-Band authentication,” on page 45.

AZF6174E No policies are bound to the specified user or session

Explanation
A policy name is not associated with the user ID.

User response
Associate a policy name with the user ID as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF6175I None of the user's policies are satisfiable

Explanation
If you apply a policy to a user, the user must have all the factors defined in the policy, and those factors must be active.

User response
Configure the user as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF6176E An internal error occurred

Explanation
An internal server error prevented the user account from authenticating.

User response
Contact IBM support.

AZF6177E Your account is not provisioned for MFA

Explanation
The user account is not provisioned for IBM MFA Out-of-Band.

User response
Configure the user as described in “Activate and deactivate users for IBM MFA Out-of-Band authentication” on page 50.

AZF6180E Mutual Authentication port must be different from Server Authentication port

Explanation
The mutual authentication port you configure must be different from the server authentication port.

User response
Configure the IBM MFA web services started task, as described in “Configure IBM MFA web services started task” on page 41.

AZF7001E Internal error, bad plugin data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF7002E Internal error, bad authTxn data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF7003E Internal error, missing plugin state

Explanation
An internal error occurred while initializing the plug-in.

User response
Contact IBM support.

AZF7004E Logon window not specified

Explanation
The PassTicket evaluation window is not specified.

User response
Set the PassTicket evaluation window, as described in Chapter 35, “Using IBM MFA with PassTickets,” on page 203.

AZF7005I Result of PassTicket eval

Explanation
The PassTicket evaluation result is shown.

User response
No response is required.

AZF7006E Invalid tag name

Explanation
You specified an invalid tag name. The possible tags are WINDOW and MFAFIRST.

User response
Specify valid tag names, as described in Chapter 35, “Using IBM MFA with PassTickets,” on page 203.

AZF7007E Invalid tag value

Explanation
You specified an invalid tag value. The possible tag values are WINDOW numseconds and MFAFIRST Y|N.

User response
Specify valid tag values, as described in Chapter 35, “Using IBM MFA with PassTickets,” on page 203.

AZF7008I AZFPTKT1 Initializing

Explanation
The AZFPTKT1 plug-in is initializing.

User response
No response is required.

AZF7009E Bad settings data

Explanation
An internal error occurred while initializing the plug-in.

User response
Contact IBM support.

AZF7010I Txn is not a candidate for PassTicket eval

Explanation
The PassTicket is not 8 characters.

User response
No response is required.

AZF7011I Txn is a candidate for PassTicket eval

Explanation
The PassTicket is 8 characters.

User response
No response is required.

AZF7012I Applying user-specific eval policy

Explanation
The user-specific settings are different than the defaults.

User response
No response is required.

AZF7013I Policy prevented PassTicket eval

Explanation
The policy may require a successful IBM MFA logon prior to the PassTicket being evaluated, or the evaluation window may have been exceeded.

User response
Satisfy the policy requirements.

AZF7014E Failed to read AZFPTKT1 settings

Explanation
AZFPTKT1 settings could not be retrieved from RACF.

User response
Verify the AZF started task's permissions to the FACTOR.AZFPTKT1 profile.

AZF7015W Runtime settings were not changed

Explanation
If it is determined during REFRESH command processing that incoming AZFPTKT1 settings are invalid, those settings will not be applied.

User response
Correct the invalid settings.

AZF7016I AZFPTKT1 settings follow

Explanation
The AZFPTKT1 factor-wide settings are printed when the AZFPTKT1 factor is initialized during AZF started task startup, and are preceded by this message.

User response
No response is required.

AZF8001E Internal error, bad plugin data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF8002E Internal error, bad authTxn data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF8003E Internal error, missing plugin state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF8004E Invalid AZFCERT1 settings data

Explanation
An internal error occurred while initializing the plug-in.

User response
Contact IBM support.

AZF8005I AZFCERT1 Initializing

Explanation
The AZFCERT1 plug-in is initializing.

User response
No response is required.

AZF8006I Result of certificate evaluation

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF8007E Invalid tag name

Explanation
You specified an invalid tag name.

User response
Enter a valid AZFCERT1 tag name, as described in “Approve user certificates” on page 89.

AZF8008E Failed to read AZFCERT1 settings

Explanation
AZFCERT1 settings could not be retrieved from RACF.

User response
Verify the AZF started task's permissions to the FACTOR.AZFCERT1 profile.

AZF8009W Runtime settings were not changed

Explanation
If it is determined during REFRESH command processing that incoming AZFCERT1 settings are invalid, those settings will not be applied.

User response
Correct the invalid settings.

AZF8010I AZFCERT1 settings follow

Explanation
The AZFCERT1 factor-wide settings are printed when the AZFCERT1 factor is initialized during AZF started task startup, and are preceded by this message.

User response
No response is required.

AZF8020I Authenticator initialized

Explanation
The authenticator is initialized. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF8021E Authenticator init failed

Explanation
AZFCERT1 plug-in could not initialize.

User response
Contact IBM support.

AZF8022I Authenticator teardown invoked

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF8023E Unsupported API invoked

Explanation
An internal error occurred.

User response
Contact IBM support.

AZF8030E A Base64 decode operation failed

Explanation
This is unlikely to occur unless there is an out of memory issue. If the task is still up and emitting this message, restart it.

User response
Restart the task.

AZF8031E Failed to create AZFCERT1 User object

Explanation
A user’s AZFCERT1 factor data was not present, or contained values that prevented the creation of a validated user object.

User response
Clear the user’s AZFCERT1 factor data and set their REGSTATE tag to OPEN, as described in “Approve user certificates” on page 89.

AZF8032E Error evaluating AZFCERT1 User object changes

Explanation
An ALTUSER command to change AZFCERT1 factor data resulted in an error.

User response
See additional log messages or the ALTUSER command output for details.

AZF8033E Tag eval failed to translate local status to PC rc/reason pair

Explanation
The local error cannot be translated to be more meaningful to ALTUSER.

User response
Check your inputs to ALTUSER to make sure you specified tags and values as documented.

AZF9001I factor-name Authenticator initialized

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9002I factor-name Authenticator deactivated

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9004E factor-name Authenticator init failed

Explanation
The plug-in could not initialize.

User response
Contact IBM support.

AZF9005E Internal error, bad plugin data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF9006E Internal error, bad authTxn data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF9007E Internal error, missing plugin state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9008E Failed to build txn-specific state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9009E Internal error, missing txn-specific state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9010E Error communicating with RADIUS Server

Explanation
Unable to send or receive messages to the RADIUS server and its replicas.

User response
Ensure that the RADIUS server is running and is reachable from the z/OS system. For example, try pinging the RADIUS server from the z/OS system. If there are firewalls present, ensure the rules do not block traffic. If using VIPA (Virtual IP Address), make any necessary network configuration changes.

AZF9011E Failed to send RADIUS packet

Explanation
This is a socket error. This is typically followed by a retry, or a "could not evaluate" error. Additional errors will follow. Returns BPX return and reason codes.

User response
Verify connectivity between the RADIUS server and IBM MFA.

AZF9012E Denying access due to a socket error

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9013E Failed to get network data or sender info

Explanation
An internal error occurred that prevented the plug-in from correctly reading network data.

User response
Contact IBM support.

AZF9015I Canceling authentication in flight

Explanation
This is an informational message generated as part of IBM MFA processing.

278  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization


User response
No response is required.

AZF9017I Retrying RADIUS communication

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9016E Unable to retry sending RADIUS packet

Explanation
No RADIUS servers are available, or the specified number of retries has been reached.

User response
Add additional RADIUS servers or increase the number of retries. Verify connectivity to the RADIUS servers.

AZF9018I factor-name Initializing

Explanation
The factor-name plug-in is initializing.

User response
No response is required.

AZF9020E Tag validation error - Invalid tag name

Explanation
An invalid tag name was specified in the ALTUSER command.

User response
Retry with a valid tag name.

AZF9021E Tag validation error - Invalid tag value

Explanation
An invalid tag value was specified in the ALTUSER command.

User response
Retry with a valid tag value.

AZF9124E AZFRADP1 factor-wide settings are missing or invalid

Explanation
The AZFRADP1 factor-wide settings are missing or invalid.

User response
Configure the AZFRADP1 factor-wide settings, as described in Chapter 16, “Configuring IBM MFA for generic RADIUS,” on page 91.

AZF9126I AZFRADP1 settings follow

Explanation
The AZFRADP1 factor-wide settings are printed when the AZFRADP1 factor is initialized during AZF started task startup, and are preceded by this message.

User response
No response is required.

AZF9129E AZFRADP1 failed to read AZFSTC settings

Explanation
The STC settings could not be determined.

User response
Configure the STC as described in “Configure IBM MFA STC configuration attributes” on page 21.

AZF9130E RADIUS initialization failed

Explanation
The RADIUS plug-in could not initialize.

User response
Contact IBM support.

AZF9131E Session initialization failed

Explanation
The attempt to use the RADIUS factor was unsuccessful because the factor was not initialized successfully.

User response
Contact IBM support.
Chapter 47. Multi-Factor Authentication messages  279
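The RADIUS messages in this chapter (AZF9011E and AZF9016E above; AZF9132E, AZF9133E, AZF9204E, AZF9205E and AZF9214E below) all concern one exchange: the AZFRADP1 factor builds a PAP Access-Request, the server answers, and the reply is only trusted if its Response Authenticator was computed with the same shared secret. The following is an added example, not code from this manual or from IBM MFA, showing that exchange as RFC 2865 specifies it. The server is a constructed stand-in and the credentials are sample values; a secret mismatch does not yield a reject but an unverifiable reply, which is the "could not evaluate" outcome the messages describe.

```python
"""Added example (not part of this manual): a RADIUS PAP Access-Request and
its Access-Accept/Access-Reject answer, built and checked the way RFC 2865
specifies, so that the shared-secret mismatch behind AZF9133E/AZF9214E can
be seen. The server is a constructed stand-in, not a real RADIUS server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def pap_obfuscate(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 and XOR each
    16-byte block with MD5(secret + previous block), the first 'previous
    block' being the Request Authenticator. Reversible by anyone holding the
    secret; it is not a password hash."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_deobfuscate(cipher, secret, authenticator):
    """Server-side inverse of pap_obfuscate; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, user, password, secret, authenticator=None):
    """Client side. Returns (packet, request_authenticator); the client keeps
    the authenticator to validate the reply."""
    auth = authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, pap_obfuscate(password, secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, ident, request_auth, secret):
    """Client side. False means the reply cannot be trusted: wrong identifier,
    bad length, or an authenticator computed with a different secret."""
    if len(packet) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def radius_server(packet, secret, users):
    """Constructed stand-in for the RADIUS server: PAP check, authenticated reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = pap_deobfuscate(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(attrs.get(ATTR_USER_NAME)) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def authenticate(user, password, client_secret, server_secret, users, ident=7):
    """One round trip. With mismatched secrets the reply fails validation,
    which is the "could not evaluate" case rather than a REJECT."""
    packet, auth = build_access_request(ident, user, password, client_secret)
    reply = radius_server(packet, server_secret, users)
    if not verify_response(reply, ident, auth, client_secret):
        return "COULD NOT EVALUATE"
    return "ACCEPT" if reply[0] == ACCESS_ACCEPT else "REJECT"


if __name__ == "__main__":
    sample_users = {b"user1": b"123456"}  # constructed sample credentials
    print(authenticate(b"user1", b"123456", b"s3cret", b"s3cret", sample_users))
    print(authenticate(b"user1", b"123456", b"s3cret", b"other", sample_users))
```

Two points the messages rely on are visible here: PAP protects the password only with MD5 keyed by the shared secret, which is why the manual has the RADIUS traffic go over a network path you control, and the client cannot tell a wrong secret from a hostile reply, so the correct outcome is to refuse to evaluate rather than to deny or accept.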


AZF9132E RADIUS packet preparation failed

Explanation
RADIUS packet preparation failed.

User response
Verify that the PKCS#11 token name still exists and that the started task still has access to the profile that protects the token.

AZF9133E Failed to receive or validate RADIUS response

Explanation
An unexpected response was received from the RADIUS server. This could be the result of a protocol error, or there could be a mismatch in the shared secret. IBM MFA supports Password Authentication Protocol (PAP) only.

User response
Verify the shared secret. Verify that the RADIUS server supports Password Authentication Protocol (PAP).

AZF9134I Invalid compound credential without PWFALLBACK; denying access

Explanation
The required compound separator is missing or invalid and the user is not configured for PWFALLBACK.

User response
Specify a valid compound separator.

AZF9200E Failed to access PKCS#11 token

Explanation
The PKCS#11 token name specified in the web services started task settings is not accessible.

User response
Configure the web services started task settings, as described in “Configure IBM MFA web services started task” on page 41.

AZF9201I Accessible PKCS#11 environment description follows:

Explanation
This is an informational message generated as part of normal processing.

User response
No response is required.

AZF9202E Required PKCS#11 token key not found

Explanation
The PKCS#11 token key is not found.

User response
Check the token name configured in the web services started task settings.

AZF9203E Failed to create PKCS#11 token AES key

Explanation
The PKCS#11 AES key could not be created.

User response
Configure the PKCS#11 token, as described in Chapter 9, “Configuring a PKCS#11 token,” on page 31.

AZF9204E Settings do not contain shared secret ciphertext

Explanation
The shared secret (a case-sensitive password) is used by the RADIUS server to recognize the IBM MFA RADIUS client. The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or the RADIUS replica servers.

User response
Configure the shared secret for the authentication factor.

AZF9205E Failed to decrypt the shared secret

Explanation
The shared secret (a case-sensitive password) is used by the RADIUS server to recognize the IBM MFA RADIUS client. The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or the RADIUS replica servers.


User response
Configure the shared secret for the authentication factor.

AZF9206E One or more required RADIUS settings is missing

Explanation
Settings required by RADIUS are missing. One of the settings was not set correctly in the configuration.

User response
Configure the RADIUS authentication factor.

AZF9207E Failed to initialize RADIUS server entry

Explanation
This message follows AZF9215E, and additional server-specific messages follow. One possible reason for this error is that the RADIUS server entry address cannot be resolved.

User response
Verify connectivity to the RADIUS servers.

AZF9208E Failed to connect to TCP server

Explanation
The generic RADIUS factor failed to connect to the TCP server. Generic RADIUS supports both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).

User response
Configure the generic RADIUS factor, as described in “Configure generic RADIUS” on page 93.

AZF9209E Failed to get UDP peer socket

Explanation
The generic RADIUS factor failed to get the UDP peer socket. Generic RADIUS supports both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).

User response
Configure the generic RADIUS factor, as described in “Configure generic RADIUS” on page 93.

AZF9211E Failed to get local hostname

Explanation
There is a problem obtaining the local host name and its IP address.

User response
Verify that TCP/IP is started before IBM MFA.

AZF9212E Failed to get local address

Explanation
The local IP address could not be obtained.

User response
Start the started tasks after TCP/IP, AT-TLS, and ICSF have started successfully and all TCP/IP-related services, such as the resolver, are running.

AZF9213E Failed to send complete RADIUS packet

Explanation
This is a socket error. It is typically followed by a retry, or by a "could not evaluate" error, and additional errors follow. The message includes the BPX return and reason codes.

User response
Verify connectivity between the RADIUS server and IBM MFA. Ensure that the IBM MFA server has a valid local host IP address. Check the IBM MFA server log file and verify that the AZF9216I Resolved local IP address message displays the correct local host IP address.

AZF9214E Error validating received RADIUS packet

Explanation
An unexpected response was received from the RADIUS server. This could be the result of a protocol error, or there could be a mismatch in the shared secret. IBM MFA supports Password Authentication Protocol (PAP) only.

User response
Verify the shared secret. Verify that the RADIUS server supports Password Authentication Protocol (PAP).

AZF9215E Failed to resolve hostname entry


Explanation
The hostname for the RADIUS server cannot be resolved. The hostname must be sufficiently qualified for it to be resolved.

User response
Configure the RADIUS server hostname.

AZF9301I AZFISAM1 Authenticator initialized

Explanation
The authenticator is initialized. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9302I AZFISAM1 Authenticator deactivated

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9304E AZFISAM1 Authenticator init failed

Explanation
The AZFISAM1 plug-in could not initialize.

User response
Contact IBM support.

AZF9305E Internal error, bad plugin data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF9306E Internal error, bad authTxn data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF9307E Internal error, bad authTxn data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF9308E Failed to build txn-specific state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9309E Internal error, missing txn-specific state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9310E Error communicating with HTTP server

Explanation
IBM MFA is unable to send messages to, or receive messages from, the HTTP server.

User response
Ensure that the HTTP server is running and is reachable from the z/OS system. For example, try pinging the HTTP server from the z/OS system. If there are firewalls present, ensure that the rules do not block the traffic. If using VIPA (Virtual IP Address), make any necessary network configuration changes.

AZF9311E Failed to send HTTP request


Explanation
IBM MFA is unable to send messages to, or receive messages from, the HTTP server.

User response
Ensure that the HTTP server is running and is reachable from the z/OS system. For example, try pinging the HTTP server from the z/OS system. If there are firewalls present, ensure that the rules do not block the traffic. If using VIPA (Virtual IP Address), make any necessary network configuration changes.

AZF9312E Denying access due to a socket error

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9313E Failed to get network data or sender info

Explanation
An internal error occurred that prevented the plug-in from correctly reading network data.

User response
Contact IBM support.

AZF9314E HTTP response validation failed

Explanation
An invalid HTTP response was received from the remote server.

User response
Set trace level 3 in the AZFISAM1 plug-in and repeat the failing operation. Ensure that the AZFISAM1 settings configuration contains the correct Access Token URL and One-time Passcode Validation URL. Check for errors on the remote server.

AZF9315I Canceling authentication in flight

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9316E Failed to interpret HTTP response (denying access)

Explanation
An unsupported response was received from the remote server, and the user was not authenticated.

User response
Set trace level 3 for the AZFISAM1 factor and retry the failing operation. Ensure that the AZFISAM1 settings configuration contains the correct Access Token URL and One-time Passcode Validation URL. Check for errors on the remote server.

AZF9320E Tag validation error - Invalid tag name

Explanation
An invalid tag name was specified in the ALTUSER command.

User response
Retry with a valid tag name.

AZF9321E Tag validation error - Invalid tag value

Explanation
An invalid tag value was specified in the ALTUSER command.

User response
Retry with a valid tag value.

AZF9324E AZFISAM1 settings are missing or invalid

Explanation
The AZFISAM1 factor-wide settings are missing or invalid.

User response
Configure the AZFISAM1 factor-wide settings.

AZF9326I AZFISAM1 settings follow


Explanation
The AZFISAM1 factor-wide settings are printed when the AZFISAM1 factor is initialized during AZF started task startup, and are preceded by this message.

User response
No response is required.

AZF9329E AZFISAM1 failed to read AZFSTC settings

Explanation
The STC settings could not be determined.

User response
Configure the STC settings.

AZF9330E HTTP client initialization failed

Explanation
The AZFISAM1 factor failed to initialize an HTTP client context, and will be unable to authenticate users.

User response
Set trace level 3 in the AZFISAM1 settings and restart the AZF#IN00 started task to view any additional error context. Check the AZFISAM1 settings to ensure that valid URLs are specified for the Access Token URL and the One-time Passcode Validation URL.

AZF9330I AZFISAM1 Initializing

Explanation
The AZFISAM1 plug-in is initializing.

User response
No response is required.

AZF9331E HTTP session initialization failed

Explanation
The attempt to use the AZFISAM1 factor was unsuccessful because the factor was not initialized successfully.

User response
Contact IBM support.

AZF9332E HTTP session failed to stage request

Explanation
The AZFISAM1 factor attempted to build an Access Token request or a One-time Password Validation request, but was unable to do so completely.

User response
Set trace level 3 for the AZFISAM1 factor and retry the failing operation. Check the AZFISAM1 settings to ensure that valid PKCS#11 Token Name, Key Label, Client Id, and Authentication Context values are specified. If the task log indicates an error reading the Client Secret, ensure that the Client Secret is set.

AZF9335E failed to parse Access token URL setting

Explanation
The Access Token URL in the AZFISAM1 factor settings cannot be parsed.

User response
Verify the AZFISAM1 factor settings.

AZF9336E failed to parse OTP validation URL setting

Explanation
The One-time Passcode Validation URL in the AZFISAM1 factor settings cannot be parsed.

User response
Verify the AZFISAM1 factor settings.

AZF9340E Missing or unsupported ISAM AUTHMECH setting

Explanation
The Authentication Context in the AZFISAM1 factor settings cannot be parsed.

User response
Verify the AZFISAM1 factor settings.

AZF9341E Failed to access PKCS#11 token

Explanation
The PKCS#11 token name specified in the web services started task settings is not accessible.


User response
Verify the web services started task settings.

AZF9342I Accessible PKCS#11 environment description follows:

Explanation
This is an informational message generated as part of normal processing.

User response
No response is required.

AZF9343E Required PKCS#11 token key not found

Explanation
The PKCS#11 token key is not found.

User response
Check the token name configured in the web services started task settings.

AZF9344E Failed to create PKCS#11 token AES key

Explanation
The PKCS#11 AES key could not be created.

User response
Configure the PKCS#11 token.

AZF9345E Settings do not contain client secret ciphertext

Explanation
The Client Secret setting is not configured.

User response
Configure the Client Secret setting on the AZFISAM1 factor panel.

AZF9346E Failed to decrypt the client secret

Explanation
The Client Secret setting is not configured or does not match that of the client.

User response
Verify the Client Secret setting on the AZFISAM1 factor panel.

AZF9351E ACCESS DENIED

Explanation
This is a general authentication failure error.

User response
See the SYSLOG for additional errors.

AZF9353I ISAM AUTHENTICATION SUCCESSFUL

Explanation
The user was successfully authenticated.

User response
No response is required.

AZF9360E Supported tags: ISAMUSERID, AUTHMECH

Explanation
You specified an invalid tag name.

User response
Retry with a valid tag name.

AZF9361E ISAMUSERID length must be <= 128

Explanation
ISAMUSERID must be 128 characters or fewer.

User response
Retry with a valid length.

AZF9365I Suspending ISAM user for consecutive failures

Explanation
The user consecutively failed to provide a valid token code. The suspension threshold limits the number of consecutive failures that are allowed. If the user fails more than this number of times, their SUSPENDED tag is set to YES.


User response
Reactivate the user for IBM Security Verify Access.

AZF9366E Failed to update ISAM user data; brute-force protection inoperative

Explanation
The Suspension Threshold count could not be updated. Until this is corrected, consecutive failures are not counted for the user and the user is not suspended.

User response
Ensure that the IBM MFA services started task is started. Configure the Suspension Threshold count for the user.

AZF9367I Rejecting ISAM login for suspended user

Explanation
The user consecutively failed to provide a valid token code. The suspension threshold limits the number of consecutive failures that are allowed. If the user fails more than this number of times, their SUSPENDED tag is set to YES.

User response
Reactivate the user for IBM Security Verify Access if appropriate.

AZF9368I Invalid compound credential without PWFALLBACK; denying access

Explanation
The required AZFRADP1 compound separator is missing or invalid and the user is not configured for PWFALLBACK.

User response
Specify a valid compound separator.

AZF9370I AZFISAM1 USER IS SUSPENDED - NOTIFY ADMINISTRATOR

Explanation
The user account is suspended.

User response
Notify your system administrator of the error.

AZF9501I AZFYUBI1 Authenticator initialized

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9502I AZFYUBI1 Authenticator deactivated

Explanation
The AZFYUBI1 plug-in is stopped.

User response
No response is required.

AZF9503I AZFYUBI1 Authenticator deactivated

Explanation
This progress message is intended for use by support in the event of a problem.

User response
No response is required.

AZF9504E AZFYUBI1 Authenticator init failed

Explanation
The AZFYUBI1 plug-in could not initialize.

User response
Contact IBM support.

AZF9505E Internal error, bad plugin data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF9506E Internal error, bad authTxn data

Explanation
An internal error occurred while processing the authentication.


User response
Restart the AZF started task.

AZF9507E Internal error, missing plugin state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9508E Failed to build txn-specific state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9509E Internal error, missing txn-specific state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9511E AZFYUBI1 AuthTransactions cannot be canceled or continued

Explanation
This message indicates incorrect message routing inside the AZF started task and is not seen in normal circumstances.

User response
Shut down and restart the AZF started task.

AZF9512E Failed to create AZFYUBI1 User object

Explanation
The AZFYUBI1 factor data for a particular user ID is invalid.

User response
Correct or clear the AZFYUBI1 factor data for the affected user.

AZF9513E Error validating Yubico OTP

Explanation
A user's OTP passcode could not be validated due to an underlying library error. This message includes the relevant PKCS#11 return and reason codes, if applicable.

User response
See the PKCS#11 return and reason codes.

AZF9514I Yubico OTP accepted

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9515E Yubico OTP replay detected

Explanation
The AZFYUBI1 plug-in prevented a previously used OTP passcode from being reused.

User response
Ensure that the passcode reuse was a user error and not the result of a replay attack.

AZF9520E Tag validation error - Invalid tag name

Explanation
An invalid tag name was specified in the ALTUSER command.

User response
Retry with a valid tag name.

AZF9521E Tag validation error - Invalid tag value

Explanation
An invalid tag value was specified in the ALTUSER command.

User response
Retry with a valid tag value.
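AZF9513E, AZF9514I and AZF9515E above are the three outcomes of validating one Yubico OTP: a library error, an accepted passcode, and a replayed one. The following is an added example, not code from this manual or from IBM MFA, showing what a validator checks once the OTP body has been decrypted: the modhex encoding of the OTP string, the CRC-16 that rejects a body decrypted with the wrong key, and the use/session counter comparison that detects a replay. The AES-128 decryption itself (which on z/OS goes through the PKCS#11 token, as AZF9513E's PKCS#11 return codes indicate) is assumed to have been done already; build_token() constructs the decrypted 16-byte block a YubiKey would have produced, so the example runs offline on sample data.

```python
"""Added example (not part of this manual): integrity and replay checks on a
Yubico OTP. AES decryption of the body is assumed done; build_token() makes
the decrypted block that a YubiKey would have encrypted."""
import struct

MODHEX = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-independent hex alphabet
CRC_OK_RESIDUE = 0xF0B8      # CRC register value left by an intact block


def modhex_decode(text):
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    return bytes(MODHEX.index(text[i]) << 4 | MODHEX.index(text[i + 1])
                 for i in range(0, len(text), 2))


def modhex_encode(data):
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def split_otp(otp):
    """44-character OTP: 12-character public ID (identifies the key, not
    secret) followed by 32 modhex characters, the AES-encrypted 16-byte body."""
    if len(otp) != 44:
        raise ValueError("OTP must be 44 characters")
    return otp[:12], modhex_decode(otp[12:])


def yubico_crc16(data):
    """CRC-16, polynomial 0x8408 (0x1021 reflected), initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def parse_token(block):
    """Decrypted body layout: uid[6] useCtr(LE16) tstampLo(LE16) tstampHi(8)
    sessionCtr(8) rnd(LE16) crc(LE16). The CRC is checked first, so a body
    decrypted with the wrong key (random bytes) is rejected here."""
    if len(block) != 16 or yubico_crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("CRC check failed")
    use_ctr, ts_lo, ts_hi, session_ctr, _rnd, _crc = struct.unpack("<HHBBHH", block[6:])
    return {"uid": block[:6],
            "use_ctr": use_ctr & 0x7FFF,      # top bit is a flag, not part of the count
            "session_ctr": session_ctr,
            "timestamp": ts_hi << 16 | ts_lo}


def build_token(uid, use_ctr, session_ctr, timestamp=0x123456, rnd=0x4242):
    """Constructed sample block: CRC over the first 14 bytes, complemented,
    appended little-endian (the same scheme as PPP FCS-16)."""
    body = uid + struct.pack("<HHBBH", use_ctr, timestamp & 0xFFFF,
                             timestamp >> 16, session_ctr, rnd)
    return body + struct.pack("<H", ~yubico_crc16(body) & 0xFFFF)


class ReplayGuard:
    """Per-user state: the last accepted (use counter, session counter). The
    use counter increments on power-up and the session counter on each press,
    so a genuine OTP is always strictly later than the last accepted one."""

    def __init__(self, uid):
        self.uid = uid
        self.last = (-1, -1)

    def check(self, block):
        try:
            token = parse_token(block)
        except ValueError:
            return "INVALID"                  # body fails integrity check
        if token["uid"] != self.uid:
            return "WRONG KEY"                # body belongs to another YubiKey
        position = (token["use_ctr"], token["session_ctr"])
        if position <= self.last:
            return "REPLAY"                   # AZF9515E
        self.last = position
        return "ACCEPTED"                     # AZF9514I
```

The state that makes the replay check work is the per-user counter pair, which is why the user's AZFYUBI1 factor data must be writable by the started task and why AZF9555E only lets an administrator reset REGSTATE rather than edit that data by hand.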


AZF9524E AZFYUBI1 settings are missing or invalid

Explanation
The AZFYUBI1 factor-wide settings are missing or invalid.

User response
Configure the AZFYUBI1 factor-wide settings.

AZF9526I AZFYUBI1 settings follow

Explanation
The AZFYUBI1 factor-wide settings are printed when the AZFYUBI1 factor is initialized during AZF started task startup, and are preceded by this message.

User response
No response is required.

AZF9530E AZFYUBI1 User secret missing

Explanation
The user's AZFYUBI1 settings are missing or invalid.

User response
Configure the user's AZFYUBI1 settings.

AZF9530I AZFYUBI1 Initializing

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9531E AZFYUBI1 User secret decode error

Explanation
The user's AZFYUBI1 settings are invalid.

User response
Configure the user's AZFYUBI1 settings.

AZF9541E Failed to access PKCS#11 token

Explanation
The PKCS#11 token name specified in the web services started task settings is not accessible.

User response
Configure the web services started task settings.

AZF9542I Description of accessible PKCS#11 environment follows:

Explanation
This is an informational message generated as part of normal processing.

User response
No response is required.

AZF9543E Required PKCS#11 token key not found

Explanation
The PKCS#11 token key is not found.

User response
Check the token name configured in the web services started task settings.

AZF9544E Failed to create PKCS#11 token AES key

Explanation
The PKCS#11 AES key could not be created.

User response
Configure the PKCS#11 token.

AZF9546E Failed to decrypt sensitive AZFYUBI data

Explanation
The user ID under which the operation runs does not have sufficient access to a required CSFSERV or CRYPTOZ resource profile.

User response
Perform the steps described in Chapter 9, “Configuring a PKCS#11 token,” on page 31 and, if appropriate, Chapter 28, “Configuring bulk provisioning users for IBM MFA,” on page 183, for the required CSFSERV and CRYPTOZ class resources. Check the system log for ICH408I messages that describe the needed profile


access. For CRYPTOZ class resources, the ICH408I message is issued only if a matching resource profile exists that specifies UACC(NONE).

AZF9547E Failed to encrypt sensitive AZFYUBI data

Explanation
The user ID under which the operation runs does not have sufficient access to a required CSFSERV or CRYPTOZ resource profile.

User response
Perform the steps described in Chapter 9, “Configuring a PKCS#11 token,” on page 31 and, if appropriate, Chapter 28, “Configuring bulk provisioning users for IBM MFA,” on page 183, for the required CSFSERV and CRYPTOZ class resources. Check the system log for ICH408I messages that describe the needed profile access. For CRYPTOZ class resources, the ICH408I message is issued only if a matching resource profile exists that specifies UACC(NONE).

AZF9551E ACCESS DENIED

Explanation
The authentication failed.

User response
Check the system log for additional reasons for the failure.

AZF9553I YUBICO OTP AUTHENTICATION SUCCESS

Explanation
The user was successfully authenticated.

User response
No response is required.

AZF9554E REGSTATE is the only editable tag

Explanation
The AZFYUBI factor data for a user is generated from the .csv data for the YubiKey token, and you cannot change it.

User response
If you need to change the AZFYUBI1 factor data for a user, set the REGSTATE to OPEN and have the user re-enroll their YubiKey.

AZF9555E ALTUSER may only set REGSTATE to OPEN

Explanation
The AZFYUBI factor data for a user is generated from the .csv data for the YubiKey token, and you cannot change it.

User response
If you need to change the confirmed AZFYUBI1 factor data for a user, set the REGSTATE to OPEN and have the user re-enroll their YubiKey.

AZF9706E One or more required LDAP client settings is missing

Explanation
Settings required by LDAP are missing. One of the settings was not set correctly in the configuration.

User response
Configure the LDAP authentication factor.

AZF9707E Failed to address at least one configured LDAP server

Explanation
Settings required by LDAP are missing. At least one LDAP server must be set correctly in the configuration.

User response
Configure the LDAP authentication factor.

AZF9708E Failed to connect to LDAP server

Explanation
Settings required by LDAP are missing. At least one configured LDAP server must be reachable.

User response
Configure the LDAP authentication factor.

AZF9710E Failed to make LDAP client session

Explanation
Settings required by LDAP are missing or are incorrect. At least one configured LDAP server must be reachable.


User response
Configure the LDAP authentication factor.

AZF9713E Failed to send complete LDAP request

Explanation
At least one LDAP server must be correctly configured and reachable.

User response
Configure the LDAP authentication factor.

AZF9714E Session attempts exhausted

Explanation
The session attempts were exhausted within the configured timeout setting. At least one LDAP server must be correctly configured and available.

User response
Configure the LDAP authentication factor.

AZF9801I AZFLDAP1 Authenticator initialized

Explanation
The authenticator is initialized. This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9802I AZFLDAP1 Authenticator deactivated

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9803I AZFLDAP1 Entry point

Explanation
This progress message is intended for use by support in the event of a problem.

User response
No response is required.

AZF9804E AZFLDAP1 Authenticator init failed

Explanation
The AZFLDAP1 plug-in could not initialize.

User response
Contact IBM support.

AZF9805E Internal error, bad plugin data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF9806E Internal error, bad authTxn data

Explanation
An internal error occurred while processing the authentication.

User response
Restart the AZF started task.

AZF9807E Internal error, missing plugin state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Restart the AZF started task.

AZF9808E Failed to build txn-specific state

Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9809E Internal error, missing txn-specific state


Explanation
An internal error occurred that prevented the plug-in from processing the transaction.

User response
Contact IBM support.

AZF9810E Failed to create AZFLDAP1 User object

Explanation
A user's AZFLDAP1 factor data was not present, or contained values that prevented the creation of a validated user object.

User response
Verify the user's AZFLDAP1 configuration.

AZF9811E Failed to stage LDAP bind request

Explanation
The AZFLDAP1 factor attempted to build an LDAP simple bind request packet, but was unable to do so completely.

User response
Set trace level 3 in the AZFLDAP1 factor and retry the failing operation. Check the AZFLDAP1 user factor data of the user ID, and ensure that the value in the DN tag is a valid DN string.

AZF9812E Error communicating with LDAP server

Explanation
IBM MFA is unable to send messages to, or receive messages from, the LDAP server.

User response
Ensure that the LDAP server is running and is reachable from the z/OS system. For example, try pinging the LDAP server from the z/OS system.

AZF9813E Error receiving or parsing BER response

Explanation
The AZFLDAP1 factor issued a simple bind request to the remote LDAP server, and received no response or an invalid response.

User response
Set trace level 3 in the AZFLDAP1 factor and retry the failing operation. Check the AZFLDAP1 settings and ensure that all specified Server Host Name and Server Port entries are valid and point to LDAP servers. Check for errors on the LDAP server.

AZF9814I Canceling auth transaction

Explanation
This is an informational message generated as part of IBM MFA processing.

User response
No response is required.

AZF9815E Failed to retry bind attempt

Explanation
The AZFLDAP1 factor issued a simple bind request to a remote LDAP server, and the request timed out. Upon attempting to retry the request against another server, no additional servers were available or the AZFLDAP1 factor failed to open a connection to the next server.

User response
Set trace level 3 in the AZFLDAP1 factor and retry the failing operation. Check the AZFLDAP1 settings and ensure that all specified Server Host Name and Server Port entries are valid and point to LDAP servers.

AZF9816I Retrying bind request

Explanation
The AZFLDAP1 factor retried a simple bind request to a remote LDAP server.

User response
This is an informational message and no response is required.

AZF9817E Failed to stage LDAP unbind request

Explanation
The AZFLDAP1 factor issued a simple bind request, the server responded, and user authentication succeeded or failed based on the server's response. The AZFLDAP1 factor then attempted to issue a standard unbind request, but was unable to do so completely.

User response
Set trace level 3 in the AZFLDAP1 factor and retry the failing operation.
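AZF9811E, AZF9813E and AZF9817E above describe the three wire-level steps of the AZFLDAP1 factor: encoding a BindRequest with the user's DN, decoding the BER BindResponse, and encoding the UnbindRequest. The following is an added example, not code from this manual or from IBM MFA, that performs those steps against a constructed stand-in for the remote LDAP server, so the round trip runs offline. The DN and password are sample values; the stand-in answers resultCode 0 or 49 (invalidCredentials) and the parser rejects a truncated or mismatched response the way AZF9813E implies.

```python
"""Added example (not part of this manual): BER encoding of the LDAP simple
bind described by AZF9811E/AZF9813E/AZF9817E, with a constructed stand-in
server. Only the single-byte tags LDAP uses are handled."""

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, UNBIND_REQUEST = 0x60, 0x61, 0x42   # [APPLICATION 0/1/2]
SIMPLE_AUTH = 0x80            # AuthenticationChoice: simple [0] OCTET STRING
SUCCESS, INVALID_CREDENTIALS = 0, 49


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n):
    """Non-negative INTEGER, minimal two's complement (leading 0x00 if needed)."""
    return tlv(INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def build_bind_request(msgid, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    The password is sent in clear inside the BER, hence the AT-TLS requirement."""
    op = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_int(msgid) + tlv(BIND_REQUEST, op))


def build_unbind_request(msgid):
    return tlv(SEQUENCE, ber_int(msgid) + tlv(UNBIND_REQUEST, b""))


def read_tlv(data, i=0):
    """Returns (tag, body, next_index); ValueError if the buffer is truncated
    or the length field is malformed (the AZF9813E situation)."""
    if i + 2 > len(data):
        raise ValueError("truncated")
    tag, first = data[i], data[i + 1]
    i += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or i + n > len(data):
            raise ValueError("bad length")
        length = int.from_bytes(data[i:i + n], "big")
        i += n
    if i + length > len(data):
        raise ValueError("truncated")
    return tag, data[i:i + length], i + length


def read_children(body):
    out, i = [], 0
    while i < len(body):
        tag, val, i = read_tlv(body, i)
        out.append((tag, val))
    return out


def parse_bind_response(packet, expected_msgid):
    """Returns (resultCode, diagnosticMessage); rejects anything that is not a
    well-formed BindResponse for the messageID the client sent."""
    tag, body, end = read_tlv(packet)
    if tag != SEQUENCE or end != len(packet):
        raise ValueError("not a single LDAPMessage")
    kids = read_children(body)
    if len(kids) < 2 or kids[0][0] != INTEGER or kids[1][0] != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    if int.from_bytes(kids[0][1], "big") != expected_msgid:
        raise ValueError("messageID mismatch")
    result = read_children(kids[1][1])
    if len(result) < 3 or result[0][0] != ENUMERATED:
        raise ValueError("malformed LDAPResult")
    return int.from_bytes(result[0][1], "big"), result[2][1].decode()


def ldap_server(packet, directory):
    """Constructed stand-in for the remote server: checks a simple bind
    against a DN -> password dict and answers with an LDAPResult."""
    _, body, _ = read_tlv(packet)
    (_, msgid_raw), (op_tag, op_body) = read_children(body)[:2]
    if op_tag != BIND_REQUEST:
        raise ValueError("only BindRequest is supported here")
    _version, name, auth = read_children(op_body)[:3]
    ok = auth[0] == SIMPLE_AUTH and directory.get(name[1].decode()) == auth[1].decode()
    code = SUCCESS if ok else INVALID_CREDENTIALS
    result = (tlv(ENUMERATED, bytes([code])) + tlv(OCTET_STRING, b"")
              + tlv(OCTET_STRING, b"" if ok else b"invalid credentials"))
    return tlv(SEQUENCE, tlv(INTEGER, msgid_raw) + tlv(BIND_RESPONSE, result))


def simple_bind(dn, password, directory, msgid=1):
    """Client round trip; returns the resultCode (0 success, 49 invalid credentials)."""
    reply = ldap_server(build_bind_request(msgid, dn, password), directory)
    return parse_bind_response(reply, msgid)[0]


def response_is_valid(packet, msgid):
    try:
        parse_bind_response(packet, msgid)
        return True
    except ValueError:
        return False
```

Note that the only per-user input to the request is the DN string from the user's DN tag; a DN that is not a valid LDAPDN cannot be encoded into the name field, which is what AZF9811E and the DN check in its user response refer to.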


AZF9820E Tag validation error - Invalid tag name

Explanation
An invalid tag name was specified in the ALTUSER command.

User response
Retry with a valid tag name.

AZF9821E Tag validation error - Invalid tag value

Explanation
An invalid tag value was specified in the ALTUSER command.

User response
Retry with a valid tag value.

AZF9824E AZFLDAP1 settings are missing or invalid

Explanation
The AZFLDAP1 factor-wide settings are missing or invalid.

User response
Configure the AZFLDAP1 factor-wide settings.

AZF9826I AZFLDAP1 settings follow

Explanation
The AZFLDAP1 factor-wide settings are printed when the AZFLDAP1 factor is initialized during AZF started task startup, and are preceded by this message.

User response
No response is required.

AZF9830I factor-name Initializing

Explanation
The factor-name plug-in is initializing.

User response
No response is required.

AZF9831I Invalid compound credential without PWFALLBACK; denying access

Explanation
The required AZFLDAP1 compound separator is missing or invalid and the user is not configured for PWFALLBACK.

User response
Specify a valid compound separator, as described in “Configure IBM MFA Compound In-Band” on page 135.

AZF9830E Connection reinitialization failed

Explanation
None of the configured LDAP servers could be reached on the network, or the maximum number of allowed retries was exceeded. The related authentication attempt fails with Could Not Evaluate.

User response
Ensure that the configured LDAP servers are available and reachable.

AZF9851E ACCESS DENIED

Explanation
The authentication failed.

User response
Check the system log for additional reasons for the failure.

AZF9853I LDAP AUTHENTICATION SUCCESSFUL

Explanation
The user was successfully authenticated.

User response
No response is required.

AZF9854E DN is the only supported tag

Explanation
An invalid tag name was specified. DN is the only supported tag.


User response
Retry with a valid tag name.

AZF9855E Invalid tag value

Explanation
An invalid tag value was specified in the ALTUSER command. You need the fully qualified distinguished name (DN) of each user you want to authenticate. Note that the DN for each user is enclosed in single quotation marks, for example:

ALU [Login ID] MFA(FACTOR(AZFLDAP1) ACTIVE PWFALLBACK TAGS('DN:CN=J User,OU=Users,OU=Company Offices,DC=companyname,DC=com'))

User response
Retry with a valid tag value.

AZFC001I MFA cache change. Name: Old=cache-name New=cache-name Mode: Old=mode-type New=mode-type

Explanation
Possible mode values are Sing (N), Mult (X), and CF (C), as described in “Configure IBM MFA STC configuration attributes” on page 21.

User response
No response is required.

AZFC002I Error in service macro function RC=xx RSN=xxxxxxxx

Explanation
There was an error in the service. The message identifies the XCF service macro that was issued and the general function, such as CREATE or CONNECT, being performed.

User response
There are several potential causes of this error. Examine the macro and function for context. Some errors may be caused by an incorrect configuration setup, such as not setting up the structure for XCF Note Pad Services. Some errors may be caused by an environmental issue, such as a system in the sysplex failing. Some errors may be internal errors. Contact IBM support.

AZFC003I Unexpected function on IXCSRVR request: function-value

Explanation
This is an internal error. The request function value was received from another system, and is not one of the expected values.

User response
Contact IBM support.

AZFC004E Notepad used for MFA cache is too small. Name=notepad-name

Explanation
The number of IBM MFA cache entries is too small.

User response
Increase the number of cache entries, as described in Table 6 on page 21. The allowed value is a number in the range 1024 - 1048576.

AZFC005I IXCSRVR task for MFA terminated and will be restarted.

Explanation
The IBM MFA cache task terminated and will be restarted.

User response
No response is required.

AZFW001I Name of MFA Domain

Explanation
The MFADomain cookie name.

User response
No response is required.

AZFW002I Number of seconds an MFA token is valid

Explanation
The number of seconds a token is valid.

User response
No response is required.

AZFW003I Name of PKCS#11 Token

Explanation
The name of the PKCS#11 token.

User response
No response is required.

AZFW004I Name of PKCS#11 Key Label

Explanation
The name of the PKCS#11 key label.

Chapter 47. Multi-Factor Authentication messages  293


User response AZFW201S Return for PKCS11 decrypt = code,
rc = rc, reason= reason
No response is required.
Explanation:
AZFW005I Name of Cookie Path The most likely cause of this message is that ICSF has
Explanation: not been configured for PKCS#11, or the web server
The name of the cookie path. does not have the appropriate RACF authorities in the
CRYPTOZ class. The return and reason codes are those
returned by ICSF.
User response
No response is required. User response
AZFW101E Invalid MFADomain - too long Configure PKCS#11 or the CRYPTOZ class.
Explanation: AZFW202S Return for PKCS11 enable = code,
The MFADomain cookieName has a limit of 32 rc = rc, reason= reason
characters and defaults to MFAToken.
Explanation:
The most likely cause of this message is that ICSF has
User response not been configured for PKCS#11, or the web server
Correct the MFADomain cookieName. does not have the appropriate RACF authorities in the
CRYPTOZ class. The return and reason codes are those
AZFW102E Invalid MFAExpireSeconds returned by ICSF.
Explanation:
MFAExpireSeconds is the number of seconds for which User response
the IBM MFA authentication is valid. Possible values
are 0-86400, inclusive. Configure PKCS#11 or the CRYPTOZ class.
AZFW203S Return for PKCS11 encrypt = code,
User response rc = rc, reason= reason
Correct the MFAExpireSeconds value. Explanation:
The most likely cause of this message is that ICSF has
AZFW103E Invalid MFAPKCS#11TokenName - not been configured for PKCS#11, or the web server
too long does not have the appropriate RACF authorities in the
Explanation: CRYPTOZ class. The return and reason codes are those
MFAPKCS#11TokenName PKCS#11 token name has a returned by ICSF.
limit of 32 characters.
User response
User response Configure PKCS#11 or the CRYPTOZ class.
Correct the MFAPKCS#11TokenName PKCS#11 token AZFW301I Return for PKCS11 decrypt = code,
name. rc = rc, reason= reason
AZFW104E Invalid MFAKeyLabel - too long
Explanation: Explanation
MFAKeyLabel PKCS#11 key label has a limit of 32 The most likely cause of this message is that ICSF has
characters. not been configured for PKCS#11, or the web server
does not have the appropriate RACF authorities in the
CRYPTOZ class. The return and reason codes are those
User response returned by ICSF.
Correct the MFAKeyLabel PKCS#11 key label. This message is output only if you have the
AZFW105E Invalid MFAPath - too long appropriate LogLevel value set in your httpd.conf file.
The values are debug for V8.5.5.x and trace1 for V9.0.
Explanation:
MFAPath has a limit of 255 characters.
User response
User response Configure PKCS#11 or the CRYPTOZ class.

Correct the MFAPath.

294  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization


AZFW302I Return for PKCS11 enable = code, AZFW303I Return for PKCS11 encrypt = code,
rc = rc, reason= reason rc = rc, reason= reason

Explanation Explanation
The most likely cause of this message is that ICSF has The most likely cause of this message is that ICSF has
not been configured for PKCS#11, or the web server not been configured for PKCS#11, or the web server
does not have the appropriate RACF authorities in the does not have the appropriate RACF authorities in the
CRYPTOZ class. The return and reason codes are those CRYPTOZ class. The return and reason codes are those
returned by ICSF. returned by ICSF.
This message is output only if you have the This message is output only if you have the
appropriate LogLevel value set in your httpd.conf file. appropriate LogLevel value set in your httpd.conf file.
The values are debug for V8.5.5.x and trace1 for V9.0. The values are debug for V8.5.5.x and trace1 for V9.0.

User response User response


Configure PKCS#11 or the CRYPTOZ class. Configure PKCS#11 or the CRYPTOZ class.

Chapter 47. Multi-Factor Authentication messages  295


296  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization
Appendix A. AT-TLS policy example

The following example shows a sample AT-TLS policy. This policy is included for information purposes
only, and will require modification for your environment. See SYS1.SAZFSAMP(AZFTTLSX) for sample
AT-TLS rule definitions for IBM MFA.

TTLSRule AZFSrvAuthRule
{
LocalAddr ALL
RemoteAddr ALL
LocalPortRange ?serverAuthPort?
Direction Inbound
Priority 255
TTLSGroupActionRef AZFGroupAction1
TTLSEnvironmentActionRef AZFEnvAction1
TTLSConnectionActionRef AZFConnAction1
}

TTLSRule AZFMutAuthRule
{
LocalAddr ALL
RemoteAddr ALL
LocalPortRange ?mutualAuthPort?
Direction Inbound
Priority 255
TTLSGroupActionRef AZFGroupAction1
TTLSEnvironmentActionRef AZFEnvActionMutual
TTLSConnectionActionRef AZFConnActionMutual
}

TTLSRule AZFClientRule
{
Jobname AZF*
LocalAddr ALL
RemoteAddr ALL
RemotePortRange ?outboundPort?
Direction Outbound
Priority 255
TTLSEnvironmentActionRef eActAZFClient
TTLSGroupActionRef AZFGroupAction1
TTLSConnectionActionRef AZFConnAction1
}

TTLSKeyringParms AZFKeyringParms
{
Keyring ?keyringName?
}

TTLSKeyringParms AZFClientKeyringParms
{
Keyring ?clientRingName?
}

TTLSGroupAction AZFGroupAction1
{
TTLSEnabled On
Trace 255
}

TTLSEnvironmentAction AZFEnvAction1
{
HandshakeRole Server
EnvironmentUserInstance 0
TTLSEnvironmentAdvancedParmsRef AZFEnvAdvServer
TTLSKeyringParmsRef AZFKeyringParms
Trace 255
}

TTLSEnvironmentAction AZFEnvActionMutual
{
HandshakeRole ServerWithClientAuth
EnvironmentUserInstance 0
TTLSEnvironmentAdvancedParmsRef AZFEnvAdvMutual
TTLSKeyringParmsRef AZFKeyringParms
Trace 255
}

TTLSEnvironmentAction eActAZFClient
{
HandshakeRole Client
EnvironmentUserInstance 1
TTLSKeyringParmsRef AZFClientKeyringParms
Trace 255
TTLSEnvironmentAdvancedParmsRef eAdvAZFClient
}

TTLSConnectionAction AZFConnAction1
{
TTLSCipherParmsRef AZFCipherParms
TTLSConnectionAdvancedParmsRef AZFConnAdvParms1
CtraceClearText Off
Trace 255
}

TTLSConnectionAction AZFConnActionMutual
{
TTLSCipherParmsRef AZFCipherParms
TTLSConnectionAdvancedParmsRef AZFConnAdvParmsMutual
CtraceClearText Off
Trace 255
}

TTLSEnvironmentAdvancedParms AZFEnvAdvServer
{
ClientAuthType PassThru
ApplicationControlled Off
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
TLSv1.2 On
TLSv1.3 On
}

TTLSEnvironmentAdvancedParms AZFEnvAdvMutual
{
ClientAuthType Required
ApplicationControlled Off
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
TLSv1.2 On
TLSv1.3 On
}

TTLSEnvironmentAdvancedParms eAdvAZFClient
{
ApplicationControlled Off
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
TLSv1.2 On
TLSv1.3 On
}

TTLSConnectionAdvancedParms AZFConnAdvParms1
{
ApplicationControlled Off
SecondaryMap Off
}

TTLSConnectionAdvancedParms AZFConnAdvParmsMutual
{
HandshakeTimeout 120
ApplicationControlled Off
SecondaryMap Off
}

TTLSCipherParms AZFCipherParms
{
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
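The policy above is only as safe as the settings that survive local modification. The following linter is an added example, not part of the IBM manual or of the SYS1.SAZFSAMP(AZFTTLSX) sample: it parses the block syntax the policy uses and reports a TTLSEnvironmentAdvancedParms block that leaves SSLv2, SSLv3, TLSv1 or TLSv1.1 On (or does not set TLSv1.2 or TLSv1.3 On explicitly) and a TTLSCipherParms block whose V3CipherSuites entries are not ECDHE suites. It assumes the named cipher form shown above rather than hex cipher codes, and handles only the flat one-level blocks the policy uses. The two policy fragments embedded below are constructed for the demo; WEAK_POLICY is the kind of setting the linter is meant to catch, and HARDENED_POLICY mirrors AZFEnvAdvServer and AZFCipherParms.

```python
"""Lint an AT-TLS policy for legacy protocol versions and non-ECDHE cipher suites.

Added example; not part of the IBM manual or of the SYS1.SAZFSAMP(AZFTTLSX)
sample. It reads the block syntax used in the policy above (a statement and
label, then key/value lines between braces). Both policy fragments below are
constructed for the demo.
"""
from typing import List, Optional, Tuple

Block = Tuple[str, str, List[Tuple[str, str]]]   # (statement, label, [(key, value), ...])

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def parse_policy(text: str) -> List[Block]:
    """Parse 'Statement Label { key value ... }' blocks; '#' starts a comment.

    Key/value pairs are kept in order because V3CipherSuites repeats.
    Nested blocks do not occur in the policy above and are not handled.
    """
    blocks: List[Block] = []
    current: Optional[Block] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":
            continue
        if line == "}":
            if current is None:
                raise ValueError("'}' without an open block")
            blocks.append(current)
            current = None
            continue
        if line.endswith("{"):                       # 'Statement Label {' on one line
            line = line[:-1].strip()
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if current is None:
            current = (key, value, [])               # statement header
        else:
            current[2].append((key, value))
    if current is not None:
        raise ValueError(f"unterminated block {current[0]} {current[1]}")
    return blocks


def lint_policy(text: str) -> List[str]:
    """Return findings; an empty list means no weak setting was found."""
    findings: List[str] = []
    for stmt, label, pairs in parse_policy(text):
        where = f"{stmt} {label}"
        if stmt == "TTLSEnvironmentAdvancedParms":
            settings = {key: value.lower() for key, value in pairs}
            for proto in LEGACY_PROTOCOLS:
                if settings.get(proto) == "on":
                    findings.append(f"{where}: {proto} is On")
            if not any(settings.get(proto) == "on" for proto in MODERN_PROTOCOLS):
                findings.append(f"{where}: neither TLSv1.2 nor TLSv1.3 is explicitly On")
        elif stmt == "TTLSCipherParms":
            for key, value in pairs:
                if key == "V3CipherSuites" and not value.startswith("TLS_ECDHE_"):
                    findings.append(f"{where}: {value} does not use ECDHE key exchange")
    return findings


# Constructed weak fragment: TLS 1.0/1.1 left on and a static-RSA cipher suite.
WEAK_POLICY = """
TTLSEnvironmentAdvancedParms LegacyEnvAdv
{
  ClientAuthType PassThru
  SSLv3 Off
  TLSv1 On
  TLSv1.1 On
  TLSv1.2 On
}
TTLSCipherParms LegacyCipherParms
{
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
"""

# Constructed hardened fragment, mirroring AZFEnvAdvServer and AZFCipherParms above.
HARDENED_POLICY = """
TTLSEnvironmentAdvancedParms AZFEnvAdvServer
{
  ClientAuthType PassThru
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
  TLSv1.3 On
}
TTLSCipherParms AZFCipherParms
{
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(policy) or ["OK"])
```

To check a real policy, read the policy file into a string and pass it to lint_policy; the TLSv1.2/TLSv1.3 rule is deliberately strict and requires the versions to be set On in the block rather than relying on defaults.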

Appendix B. IBM MFA SMF Record type 83 subtype 7 records

This section describes the IBM MFA system management facilities (SMF) Record type 83 subtype 7
records.
As described in RACF Audit Record For Data Sets, Record type 83 is a RACF processing record. For
complete information about Record type 83 records, see Record type 83: Security events.

Record type 83 subtype 7 security section

Table 63. Record type 83 subtype 7 security section

Offsets
Dec (Hex)  Name      Length  Format  Description
0 (0)      SMF83LNK  4       Binary  Value used to link several SMF 83 records to a single event.
4 (4)      SMF83DES  2       Binary  Descriptor flags. Bit, meaning when set:
                                     0     The event is a violation
                                     1     User is not defined to RACF
                                     2     Reserved
                                     3     The event is a warning
                                     4     Record contains a version, release, and modification level number (see SMF83VRM)
                                     5     The caller of the R_auditx service indicated always log
                                     6-15  Reserved
6 (6)      SMF83EVT  1       Binary  Event code. Possible values are as follows:
                                     01  in-band
                                     02  out-of-band
                                     03  get CTC
7 (7)      SMF83EVQ  1       Binary  Event code qualifier. Possible values are as follows:
                                     00  Success
                                     01  Out-of-band token issued
                                     08  invalid credential
                                     09  could not evaluate
                                     10  expired credential
                                     11  new credential not valid
                                     12  re-authenticate
                                     13  bypassed (in-band only)
8 (8)      SMF83USR  8       EBCDIC  Identifier of the user associated with this event (job name is used if the user is not defined to RACF).
16 (10)    SMF83GRP  8       EBCDIC  Group to which the user was connected (step name is used if the user is not defined to RACF).
24 (18)    SMF83REL  2       Binary  Reserved
26 (1A)    SMF83CNT  2       Binary  Reserved
28 (1C)    SMF83ATH  1       Binary  Authorities used for processing commands or accessing resources. Bits 0-7: Reserved
29 (1D)    SMF83REA  1       Binary  Reason for logging. These flags indicate the reason RACF produced the SMF record. Bit, meaning when set:
                                     0  SETROPTS AUDIT(class) changes to this class of profile are being audited.
                                     1  User being audited
                                     2  SPECIAL users being audited
                                     3  Access to the resource is being audited because of the AUDIT option (specified when the profile was created or altered by a RACF command), a logging request from the RACROUTE REQUEST=AUTH exit routine, or because the operator granted access during failsoft processing.
                                     4  RACROUTE REQUEST=VERIFY or initACEE failure.
                                     5  This command is always audited
                                     6  Violation detected in command and CMDVIOL is in effect
                                     7  Access to entity being audited because of GLOBALAUDIT option.
30 (1E)    SMF83TLV  1       Binary  Terminal level number of foreground user (zero if not available).
31 (1F)    SMF83ERR  1       Binary  Command processing error flag. Bit, meaning when set:
                                     0    Command had error and RACF could not back out some changes
                                     1    No profile updates were made because of error in RACF processing
                                     2-7  Reserved
32 (20)    SMF83TRM  8       EBCDIC  Terminal ID of foreground user (zero if not available).
40 (28)    SMF83JBN  8       EBCDIC  Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
48 (30)    SMF83RST  4       Binary  Time, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
52 (34)    SMF83RSD  4       Packed  Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
56 (38)    SMF83UID  8       EBCDIC  User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
64 (40)    SMF83VER  1       Binary  Version indicator. 8 = Version 1, Release 8 or later. As of RACF 1.8.1, SMF83VRM is used instead.
65 (41)    SMF83RE2  1       Binary  Additional reasons for logging. Bit, meaning when set:
                                     0  Security level control for auditing
                                     1  Auditing by LOGOPTIONS
                                     2  Class being audited because of SETROPTS SECLABELAUDIT
                                     3  Class being audited because of SETROPTS COMPATMODE
                                     4  Audited because of SETROPTS APPLAUDIT
                                     5  Audited because user not defined to z/OS UNIX
                                     6  Audited because user does not have appropriate authority for z/OS UNIX
                                     7  Reserved
66 (42)    SMF83VRM  4       EBCDIC  FMID for RACF
70 (46)    SMF83SEC  8       EBCDIC  Security label of the user.
78 (4E)    SMF83AU2  1       Binary  Authority used (continued). Bit, meaning when set:
                                     0    z/OS UNIX superuser
                                     1    z/OS UNIX system function
                                     2-7  Reserved
79 (4F)    SMF83RSV  1       Binary  Reserved (the next field begins at offset 80).
80 (50)    SMF83US2  8       EBCDIC  Identifier of the address space user associated with this event.
88 (58)    SMF83GR2  8       EBCDIC  Group to which the address space user was connected.

Table 64. RACF SMF record relocate section format

Offsets
Dec (Hex)  Name      Length    Format  Description
0 (0)      SMF83TP2  2         Binary  Data type. See Table 65 on page 304.
2 (2)      SMF83DL2  2         Binary  Length of data that follows.
4 (4)      SMF83DA2  variable  EBCDIC  Data

Table 65. RACF SMF type 83 subtype 2 and above relocates

Data type (SMF83TP2)  Max data length (SMF83DL2)  Format  Audited by event code                   Description
Dec  Hex              Dec  Hex
1    1                255  FF                      EBCDIC  All subtype 2 and above                 Subject's distinguished name from the current ACEE
2    2                255  FF                      EBCDIC  All subtype 2 and above                 Issuer's distinguished name from the current ACEE
3    3                246  F6                      EBCDIC  All subtype 2 and above                 Resource name
4    4                8    8                       EBCDIC  All subtype 2 and above                 Class name
5    5                246  F6                      EBCDIC  All subtype 2 and above                 Profile name
6    6                7    7                       EBCDIC  All subtype 2 and above                 FMID of the product requesting event logging
7    7                255  FF                      EBCDIC  All subtype 2 and above                 Name of the product requesting event logging
8    8                255  FF                      EBCDIC  All subtype 2 and above                 Log string
9    9                8    8                       Binary  All subtype 2 and above                 Link value
10   A                510  1FE                     EBCDIC  All subtype 2 and above                 Authenticated user name
11   B                255  FF                      EBCDIC  All subtype 2 and above                 Authenticated user registry name
12   C                128  80                      EBCDIC  All subtype 2 and above                 Authenticated user host name
13   D                16   10                      EBCDIC  All subtype 2 and above                 Authenticated user authentication mechanism object identifier (OID)
14   E                246  F6                      UTF-8   All, except 68, 71, 79, 81, 82, and 85  Authenticated distributed identity user name
15   F                255  FF                      UTF-8   All, except 68, 71, 79, 81, 82, and 85  Authenticated distributed identity user registry
100  64               8    8                       EBCDIC  Subtype 7                               User ID
101  65               20   14                      EBCDIC  Subtype 7                               Factor name
102  66               255  FF                      EBCDIC  Subtype 7                               Policy name
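The layouts in Tables 63 to 65 are enough to turn a subtype 7 record into a detection-ready event (who, which factor, which policy, and whether the attempt was a violation). The decoder below is an added example, not IBM code. It assumes the caller has already used the SMF 83 record header, which this page does not document, to locate the security section, and that the relocate section immediately follows it; the sample record is constructed for the demo and its RACF FMID value is hypothetical. EBCDIC fields are decoded with code page 037.

```python
"""Decode the IBM MFA SMF type 83 subtype 7 security section and its relocates.

Added example, not IBM code. Offsets follow Tables 63 to 65 above. The caller
is assumed to have located the security section via the SMF 83 header (not
documented on this page); the relocate section is assumed to follow it
directly. The sample record is constructed for the demo.
"""
import struct
from typing import Dict, List, Tuple

EBCDIC = "cp037"
SECURITY_SECTION_LEN = 96          # SMF83GR2 starts at offset 88 and is 8 bytes long

EVENT_CODES = {1: "in-band", 2: "out-of-band", 3: "get CTC"}
EVENT_QUALIFIERS = {
    0: "success", 1: "out-of-band token issued", 8: "invalid credential",
    9: "could not evaluate", 10: "expired credential",
    11: "new credential not valid", 12: "re-authenticate", 13: "bypassed (in-band only)",
}
# EBCDIC relocates of interest: product identification plus the subtype 7 triplet.
RELOCATE_NAMES = {6: "product_fmid", 7: "product_name", 8: "log_string",
                  100: "user_id", 101: "factor_name", 102: "policy_name"}


def _text(field: bytes) -> str:
    """Decode an EBCDIC field; blank-padded or zero-filled fields come back empty."""
    return field.decode(EBCDIC).rstrip(" \x00")


def parse_security_section(section: bytes) -> Dict[str, object]:
    """Map the fixed-layout security section (Table 63) to named values."""
    if len(section) < SECURITY_SECTION_LEN:
        raise ValueError("security section is truncated")
    link, flags = struct.unpack(">IH", section[0:6])
    evt, evq = section[6], section[7]
    return {
        "link": link,
        # Descriptor flags count bits from the high-order end: bit 0 is 0x8000.
        "violation": bool(flags & 0x8000),
        "user_not_defined": bool(flags & 0x4000),
        "warning": bool(flags & 0x1000),
        "has_vrm": bool(flags & 0x0800),
        "event": EVENT_CODES.get(evt, f"unknown({evt})"),
        "qualifier": EVENT_QUALIFIERS.get(evq, f"unknown({evq})"),
        "user": _text(section[8:16]),
        "group": _text(section[16:24]),
        "terminal": _text(section[32:40]),
        "jobname": _text(section[40:48]),
        "racf_fmid": _text(section[66:70]),
        "seclabel": _text(section[70:78]),
        "as_user": _text(section[80:88]),
        "as_group": _text(section[88:96]),
    }


def parse_relocates(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the variable relocate section (Table 64): SMF83TP2, SMF83DL2, SMF83DA2."""
    items: List[Tuple[int, bytes]] = []
    pos = 0
    while pos + 4 <= len(data):
        rtype, rlen = struct.unpack(">HH", data[pos:pos + 4])
        if pos + 4 + rlen > len(data):
            raise ValueError(f"relocate type {rtype} runs past the end of the record")
        items.append((rtype, data[pos + 4:pos + 4 + rlen]))
        pos += 4 + rlen
    if pos != len(data):
        raise ValueError("trailing bytes after the last relocate")
    return items


def decode_mfa_event(record: bytes) -> Dict[str, object]:
    """Combine the security section with the subtype 7 relocates (types 100-102)."""
    event = parse_security_section(record[:SECURITY_SECTION_LEN])
    for rtype, payload in parse_relocates(record[SECURITY_SECTION_LEN:]):
        name = RELOCATE_NAMES.get(rtype)
        if name is not None:               # type 9 (link value) is binary and skipped here
            event[name] = _text(payload)
    return event


def _relocate(rtype: int, text: str) -> bytes:
    payload = text.encode(EBCDIC)
    return struct.pack(">HH", rtype, len(payload)) + payload


def build_sample_record() -> bytes:
    """Constructed sample: an in-band attempt by JSMITH rejected as invalid credential."""
    sec = bytearray(SECURITY_SECTION_LEN)
    struct.pack_into(">IH", sec, 0, 0x42, 0x8800)        # link; bits 0 (violation) and 4 (VRM)
    sec[6], sec[7] = 1, 8                                 # in-band; invalid credential
    sec[8:16] = "JSMITH".ljust(8).encode(EBCDIC)
    sec[16:24] = "SYS1".ljust(8).encode(EBCDIC)
    sec[32:40] = "TCP00012".encode(EBCDIC)
    sec[40:48] = "JSMITH".ljust(8).encode(EBCDIC)
    sec[66:70] = "HRF7".encode(EBCDIC)                    # hypothetical RACF FMID value
    return bytes(sec) + (_relocate(100, "JSMITH") + _relocate(101, "AZFSIDP1")
                         + _relocate(102, "PASSSIDP"))


if __name__ == "__main__":
    for key, value in decode_mfa_event(build_sample_record()).items():
        print(f"{key:17} {value}")
```

The relocate walker refuses a length that runs past the record rather than silently truncating, which matters when records are fed in from a dump whose boundaries are not trusted.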

Audit records for successful IBM MFA authentications


The creation of audit records for unsuccessful IBM MFA authentications cannot be controlled and will
unconditionally occur. However, you can selectively control the creation of audit records for successful
IBM MFA authentications by defining the following class MFADEF AUDIT profiles, as appropriate, with
AUDIT(SUCCESSES) specified for the profile:

Table 66. MFADEF AUDIT profiles
Profile Description
AUDIT.RACROUTE.<userid> RACROUTE authentication using a password or passphrase.
AUDIT.WEB.<userid> IBM MFA web server authentication.
AUDIT.IDT.<userid> RACROUTE authentication using an identity token.
AUDIT.GETCTC.<userid> Callable service R_factor function GetCTC authentication

You can define a generic resource, such as AUDIT.RACROUTE.* or AUDIT.WEB.A*, to enable audit record
creation for successful IBM MFA authentications. If multiple AUDIT profiles exist that are a match for the
request resource name, then standard RACF rules determine which profile is used.
To stop audit record creation for successful authentications, delete or alter the MFADEF AUDIT profile
with AUDIT(FAILURES) specified. After any addition, modification, or deletion of the MFADEF AUDIT
profiles, perform an IPL or issue a SETROPTS RACLIST(MFADEF) REFRESH command to make the
change effective.

Appendix C. IBM MFA web API request/response formats
This section describes the IBM MFA web API.

General information
• All requests must be received by the IBM MFA web server through a secure TLS connection.
• Requests to the mutual authentication port must provide a valid client certificate when the secure TLS
connection is established.
• The contents of JSON objects sent and received for some IBM MFA requests are dependent on the
installation-specific IBM MFA policy definition that is used for the request. To see installation-specific
examples, you can enable web browser tracing of network requests, perform an IBM MFA web
authentication using the installation-specific IBM MFA policy, and then view the JSON objects that
were sent and received for the authentication based on that policy.
• All JSON objects are encoded in UTF-8. However, the encoding of specific request and prompt field
values may be further constrained to ISO-646, which is a proper single-byte subset of UTF-8.
• The URL path specification that follows the port value in the URL is case sensitive and must be specified
as shown.
• Percent encoding values are not supported in the URL path specification.
• The following HTTP status response codes apply to all service requests:
– 200 – “Request completed”
– 400 – “Bad request”
– 403 – “Forbidden”
– 404 – “Not found”
– 405 – “Method Not Allowed”
– 413 – “Payload Too Large”
– 500 – “Internal server error”

Type and Attribute Values

Table 67 on page 307 contains the common type and attribute values for the IBM MFA web API JSON
request and response objects.

Table 67. Type and Attribute Values

Types
  O  object
  A  array
  S  string
  I  integer

Attributes
  O  optional
  C  conditional on a key value
  Z  code set restricted based on serverCharset



apiInfo – API information service
The API information service returns a JSON document that describes the server and the service classes,
services, and service versions that are supported for application use as an intended external interface.

apiInfo request
Table 68. apiInfo request
Method: GET
URL: https://host:port/apiInfo
Version: HTTP/1.1
Headers required: none
Body: none

apiInfo successful response

Table 69. apiInfo successful response
Status: 200 – Normal completion
Headers returned: Content-Type:application/json
Body: JSON apiInfoResponse object

apiInfo JSON response objects

Note: See Table 67 on page 307 for the type and attribute values for the IBM MFA web API JSON
request and response objects.

Table 70. apiInfo JSON response objects

Key Name         Type  Attr  Description
apiInfoResponse object
  serverProduct  S           The IBM MFA web server product name. This is for diagnostic use and should be used for reporting purposes only.
  serverBuild    S           The IBM MFA web server build version. This is for diagnostic use and should be used for reporting purposes only.
  apiVersions    O           A list of named apiClassResponse objects.
  serverCharset  S           The character set that object keys with the Z attribute must be encoded in. The defined values are UTF-8 and ISO-646, which is a proper single-byte subset of UTF-8.
apiClassResponse object
  <apiClass>     O           A named apiClassResponse object containing a list of named apiServiceResponse objects.
apiServiceResponse object
  <apiService>   AI          A named apiService with an array of the supported integer API versions for the service.

apiInfo request/response examples


API information query
Request

https://host:port/apiInfo/

Response

{
  "serverProduct": "AZF",
  "serverBuild": "2.2.0",
  "serverCharset": "ISO-646",
  "apiVersions": {
    "auth": {
      "policyPrompt": [2],
      "policyAuth": [2],
      "checkCTC": [2]
    }
  }
}

policyPrompt – Policy information prompt service


The policy information prompt service returns a JSON document that describes the text and fields to use
when prompting an end-user for a specified policy. It identifies the factors in the policy, and for each
factor describes the output text, prompt fields, and field names associated with the prompt fields in a
subsequent initial policyAuth service request. The request URL must specify a defined IBM MFA policy
name.
Important: The policy name in the URL is not case sensitive.

policyPrompt Request
Table 71. policyPrompt request
Method: GET
URL: https://host:port/policyPrompt/policy_name
Version: HTTP/1.1
Headers required: none
Body: none

policyPrompt successful response


Table 72. policyPrompt successful response
Status: 200 – Normal completion
Headers returned: Content-Type:application/json
Body: JSON policyPromptResponse object

policyPrompt JSON response objects
Note: See Table 67 on page 307 for the type and attribute values for the IBM MFA web API JSON
request and response objects.

Table 73. policyPrompt JSON response objects

Key Name             Type  Attr  Description
policyPromptResponse object
  resptype           I           Deprecated – not intended for application use.
  type               S           The response type. The possible values are as follows:
                                 prompt  Prompting information has been returned.
                                 error   Prompting information can not be returned.
  When type is “prompt”:
  payload            O     C     A policyPromptPolicyResponse object.
  When type is “error”:
  rc                 I     C     Request return code.
  rsn                I     C     Request reason code.
  sts                I           Deprecated – not intended for application use.
  output             A           Deprecated – not intended for application use.
policyPromptPolicyResponse object
  policyName         S           The name of the policy being described. This will match the policy name specified in the request URL. The length is from 1 to 20 characters.
  policyFactors      AO          An array of policyPromptFactorResponse objects, one for each factor defined in the policy.
  submitURL          S           The URL to use when performing a subsequent policyAuth service request based on the policyPrompt response.
policyPromptFactorResponse object
  factorName         S           The name of the factor being described. The length is from 1 to 20 characters. This is the value to use in a factorResponse object for this factor when performing a subsequent policyAuth service request.
  factorDescription  S           A short description of the factor. The length is from 1 to 128 characters.
  promptSpec         O           A promptFactorFieldsResponse object which describes the text and prompt fields for the factor.

Shared policyPrompt and policyAuth JSON response objects


Note: See Table 67 on page 307 for the type and attribute values for the IBM MFA web API JSON
request and response objects.

Table 74. Shared policyPrompt and policyAuth JSON response objects

Key Name         Type  Attr  Description
promptFactorFieldsResponse object
  factorName     S           Deprecated – not intended for application use. When composing a factorResponse object, use the factorName value specified in the policyPromptFactorResponse object to identify the factor the response object is for.
  promptType     S           The type of prompt to perform. The possible values are as follows:
                             submitURL    No prompt data is required for this factor. The digital certificate associated with the secure TLS connection is used to perform the authentication.
                             Interactive  The prompt fields must be returned to perform the authentication for this factor.
  promptHeading  S           Text to use as a heading for the prompt fields for the factor. The length is from 1 to 512 characters. This may be a response string generated by an external server which can contain formatting control characters such as a new-line. Because the text can originate outside IBM MFA, a client should display it as plain text and not interpret it as markup.
  promptFields   AO          An array of promptFactorFieldResponse objects for the factor.
promptFactorFieldResponse object
  fieldLabel     S           Text to use as a label for the field. The length is from 1 to 64 characters.
  fieldType      S           The field type. The possible values are as follows:
                             textField        Text entered by the user in the prompt field should appear as clear text.
                             secureTextField  Text entered by the user in the prompt field should appear masked.
  fieldName      S           The value to use in a factorResponseFieldRequest object for this factor when performing a subsequent policyAuth service request.
  maxLength      I           The maximum character length of the prompt field.
  isOptional     I     O     The possible values are as follows:
                             0  Data in the field is required.
                             1  Data in the field is optional.
                             The default if the key name is not specified is 0, data in the field is required.

policyPromptResponse return/reason codes


Table 75. policyPromptResponse return/reason codes
Rc Rsn Description
40 2 Some factors in the policy are not usable or no
factors are defined in the policy.
40 5 The policy does not exist.
48 n An internal error occurred. The reason codes are
not documented.

Request/Response examples
Example – Single factor policy with prompt type submitURL
Request

https://host:port/policyPrompt/CERTONLY/

Response

{
  "resptype": 10,
  "type": "prompt",
  "payload": {
    "policyName": "CERTONLY",
    "policyFactors": [
      {
        "factorName": "AZFCERT1",
        "factorDescription": "Certificate-based Authentication",
        "promptSpec": {
          "factorName": "AZFCERT1",
          "promptType": "submitURL",
          "promptHeading": "Policy Authentication will require mutual TLS authentication with your enrolled certificate."
        }
      }
    ],
    "submitURL": "https://host:port/policyAuth/"
  }
}

Example – Single factor policy with prompt type Interactive


Request

https://host:port/policyPrompt/SIDPONLY/

Response

{
  "resptype": 10,
  "type": "prompt",
  "payload": {
    "policyName": "SIDPONLY",
    "policyFactors": [
      {
        "factorName": "AZFSIDP1",
        "factorDescription": "RSA SecurID",
        "promptSpec": {
          "factorName": "AZFSIDP1",
          "promptType": "Interactive",
          "promptHeading": "Enter your SecurID passcode",
          "promptFields": [
            {
              "fieldLabel": "Passcode",
              "fieldType": "secureTextField",
              "fieldName": "passCode",
              "maxLength": 16
            }
          ]
        }
      }
    ],
    "submitURL": "https://host:port/policyAuth/"
  }
}

Example – Two factor policy


Request

https://host:port/policyPrompt/passsidp/

Response

{
  "resptype": 10,
  "type": "prompt",
  "payload": {
    "policyName": "PASSSIDP",
    "policyFactors": [
      {
        "factorName": "AZFPASS1",
        "factorDescription": "Password Authentication",
        "promptSpec": {
          "factorName": "AZFPASS1",
          "promptType": "Interactive",
          "promptHeading": "To authenticate, enter your SAF password or passphrase. If you want to change it, also enter and confirm a valid replacement.",
          "promptFields": [
            {
              "fieldLabel": "Password",
              "fieldType": "secureTextField",
              "fieldName": "password",
              "maxLength": 100
            },
            {
              "fieldLabel": "New Password",
              "fieldType": "secureTextField",
              "fieldName": "newPassword",
              "maxLength": 100
            },
            {
              "fieldLabel": "Confirm New Password",
              "fieldType": "secureTextField",
              "fieldName": "newPass2",
              "maxLength": 100
            }
          ]
        }
      },
      {
        "factorName": "AZFSIDP1",
        "factorDescription": "RSA SecurID",
        "promptSpec": {
          "factorName": "AZFSIDP1",
          "promptType": "Interactive",
          "promptHeading": "Enter your SecurID passcode",
          "promptFields": [
            {
              "fieldLabel": "Passcode",
              "fieldType": "secureTextField",
              "fieldName": "passCode",
              "maxLength": 16
            }
          ]
        }
      }
    ],
    "submitURL": "https://host:port/policyAuth/"
  }
}

Example – Invalid policy


Request

https://host:port/policyPrompt/INVALIDPOLICY/

Response

{
  "resptype": 4,
  "type": "error",
  "sts": 1200054,
  "rc": 40,
  "rsn": 5,
  "output": [
    {
      "outputType": 1,
      "msg": "Error processing specified policy name."
    }
  ]
}

policyAuth – Policy authentication service


The policy authentication service submits user credentials for authentication and returns a JSON document
that describes the result of the authentication. The request body is a JSON document containing the
credential information, in the format described by the policyPrompt service response. The request format
also depends on whether it is the initial authentication request or a continuation of an authentication
request that asked for additional information.

policyAuth Request
Table 76. policyAuth request
Method: POST
URL: https://host:port/policyAuth/
Version: HTTP/1.1
Headers required:
Content-length:<length>
Content-Type: Either application/json or text/plain may be specified. You must specify text/plain when
using Javascript fetch().
Body: JSON policyAuthRequest object to start an authentication request or a JSON policyAuthContinue
request object to continue a “needs more information” policyAuth response.

policyAuth successful response


Table 77. policyAuth successful response
Status: 200 – Normal completion
Headers returned:
• Content-Length:<length>
• Content-Type:application/json

Body: JSON policyAuthResponse object

policyAuth JSON request objects


Note: See Table 67 on page 307 for the type and attribute values for the IBM MFA web API JSON
request and response objects.

Table 78. policyAuth JSON request objects

Key Name            Type  Attr  Description
policyAuthRequest object
  userid            S     Z     The userid to use for the request.
  apiVersion        I           The request format. Specify a value of 2.
  policyName        S     Z     The policyName value returned in a policyPromptPayload object.
  factors           AO          An array of policyAuthFactorRequest objects.
policyAuthContinue object
  resumeID          S           The resumeID returned in a preceding policyAuthResponse response that required more information to complete.
  apiVersion        I           The request format. Specify a value of 2.
  factors           AO          An array of policyAuthFactorRequest objects.
policyAuthFactorRequest object
  factorName        S           The factorName of a factor returned by a policyPrompt or a policyAuth request. Use the factorName value of the policyPromptFactorResponse object, not the deprecated factorName inside promptSpec.
  credentialObject  O     O     Required when the factor's promptType is Interactive; must be omitted when the promptType is submitURL.
policyAuthFactorCredential object
  <fieldName>       S           Field value: the user input in response to the promptFields of the promptSpec object.

policyAuth JSON response objects


Note: See Table 67 on page 307 for the type and attribute values for the IBM MFA web API JSON
request and response objects.

Table 79. policyAuth JSON response objects

Key Name     Type  Attr  Description
policyAuthResponse object
  type       S           The response type. The possible values are as follows:
                         ctc    Authentication completed for all factors and an
                                authentication token has been generated.
                                Note: Receiving an authentication token should not be
                                treated as a “successful authentication”, as an
                                authentication token will be returned for an
                                unsuccessful authentication when PCI mode is enabled.
                                The “Check cached token validity” service must be used
                                to determine if the returned authentication token is
                                valid or not.
                         nmi    Authentication for one or more factors needs additional
                                information to complete.
                         error  Authentication failed for one or more factors in the
                                policy.
  When type is “ctc”:
  ctc        S           A generated authentication token which can be used as an
                         authentication credential.
  factors    AO    C     An array of policyAuthFactorResponse objects.
  When type is “nmi”:
  resumeID   S           A generated identifier to use on a subsequent policy
                         authentication request, containing the value returned in a
                         policyPromptPayload object.
  factors    AO          An array of policyAuthFactorResponse objects.
  When type is “error”:
  rc         I           Request return code.
  rsn        I           Request reason code.
  factors    AO    C     An array of policyAuthFactorResponse objects.
policyAuthFactorResponse object
  factorName S           The factor which generated the object.
  When type is “nmi”:
  promptSpec O     C     A promptFactorFields object (described in policyPrompt) which
                         describes the text and prompt fields for the additional
                         information required by the factor.
  When type is “error” or “ctc” (optional):
  rc         I     C     Factor return code.
  rsn        I     C     Factor reason code.
  msg        S     C     Factor completion message.

policyAuthResponse return/reason codes


Table 80. policyAuthResponse return/reason codes

Rc  Rsn  Description
40  0    The user is not defined to the security manager.
40  1    The user has no active policies.
40  5    The user is not authorized for the specified policy.
44  0    The authentication failed for one or more factors in the policy.
48  n    An internal error occurred. The reason codes are not documented.

policyAuthFactorResponse return/reason codes


Table 81. policyAuthFactorResponse return/reason codes

Rc  Rsn  Description
0   N/A  The supplied credential was successfully authenticated.
8   0    The supplied credential was not successfully authenticated.
8   1    The supplied credential could not be authenticated.

Request/Response Examples

Completed authentication request

Request

https://host:port/policyAuth/

{
  "apiVersion": 2,
  "userid": "testuser",
  "policyName": "SIDPONLY",
  "factors": [
    {
      "factorName": "AZFSIDP1",
      "credentialObject": {
        "passCode": "156816837473"
      }
    }
  ]
}

Response

{
  "type": "ctc",
  "ctc": "td36ZsMq"
}

Unsuccessful authentication request

Request

https://host:port/policyAuth/

{
  "apiVersion": 2,
  "userid": "testuser",
  "policyName": "SIDPONLY",
  "factors": [
    {
      "factorName": "AZFSIDP1",
      "credentialObject": {
        "passCode": "156816837473"
      }
    }
  ]
}

Response

{
  "type": "error",
  "rc": 44,
  "rsn": 0,
  "factors": [
    {
      "factorName": "AZFSIDP1",
      "rc": 8,
      "rsn": 0,
      "msg": "AZF1006E: ACCESS DENIED"
    }
  ]
}

Needs more information authentication request

Request

https://host:port/policyAuth/

{
  "apiVersion": 2,
  "userid": "testuser",
  "policyName": "SIDPONLY",
  "factors": [
    {
      "factorName": "AZFSIDP1",
      "credentialObject": {
        "passCode": "156816837473"
      }
    }
  ]
}

Response

{
  "type": "nmi",
  "resumeID": "yUoPzqnEir2QdLk7Nvo+5O12_7EK2Kl",
  "factors": [
    {
      "factorName": "AZFSIDP1",
      "promptSpec": {
        "promptType": "Interactive",
        "promptHeading": "AZF1001I: ENTER NEXT TOKENCODE",
        "promptFields": [
          {
            "fieldLabel": "Next Token Code",
            "fieldType": "secureTextField",
            "fieldName": "passCode",
            "maxLength": 16
          }
        ]
      }
    }
  ]
}

Return more information authentication request

Request

https://host:port/policyAuth/

{
  "apiVersion": 2,
  "resumeID": "yUoPzqnEir2QdLk7Nvo+5O12_7EK2Kl",
  "factors": [
    {
      "factorName": "AZFSIDP1",
      "credentialObject": {
        "passCode": "156816005719"
      }
    }
  ]
}

Response

{
  "type": "ctc",
  "ctc": "td36ZsMq"
}



checkCTC – Check cached token validity service
The check cached token validity service returns a JSON document that indicates if the MFA generated
authentication token specified in the request is currently valid for the userid that is specified in the
request.

checkCTC Request

Table 82. checkCTC request
Method: POST
URL: https://host:port/checkCTC/
Version: HTTP/1.1
Headers required:
• Content-Length:<length>
• Content-Type: Either application/json or text/plain may be specified. You must specify text/plain when
  using JavaScript fetch().
Body: JSON checkTokenRequest object

checkCTC successful response


Table 83. checkCTC successful response
Status: 200 – Normal completion
Headers returned: Content-Type:application/json
Body: JSON checkTokenResponse object

checkCTC JSON request objects


Note: See Table 67 on page 307 for the type and attribute values for the IBM MFA web API JSON
request and response objects.

Table 84. checkCTC JSON request objects

Key Name      Type  Attr  Description
checkTokenRequest object
  Userid      S     Z     The userid to use for the request.
  apiVersion  I           The request format. Specify a value of 2.
  Ctc         S     Z     The MFA generated token to check for validity.

checkCTC JSON response objects


Note: See Table 67 on page 307 for the type and attribute values for the IBM MFA web API JSON
request and response objects.



Table 85. checkCTC JSON response objects

Key Name  Type  Attr  Description
checkTokenResponse object
  rc      I           Request return code.
  rsn     I           Request reason code.

checkCTC request return/reason codes


Table 86. checkCTC request return/reason codes

Rc  Rsn  Description
0   N/A  The authentication was successful for the token.
44  0    The authentication was not successful for the token.
48  n    An internal error occurred. The reason codes are not documented.

Request/Response examples

Successful verification

Request

https://host:port/checkCTC/

{
  "userid": "TESTUSER",
  "apiVersion": 2,
  "ctc": "ABCDEFGH"
}

Response

{
  "rc": 0,
  "rsn": 0
}

Unsuccessful verification

Request

https://host:port/checkCTC/

{
  "userid": "",
  "apiVersion": 2,
  "ctc": "ABCDEFGH"
}

Response

{
  "rc": 44,
  "rsn": 0
}
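The policyAuth exchange above (initial request, “nmi” continuation with resumeID, “ctc” result) followed by the checkCTC validation that the Note in Table 79 requires, as an added client-side example that is not IBM's code. The transport callable, the PolicyAuthClient class and the fake_mfa_server that replays the manual's sample messages offline are assumptions constructed for illustration.

```python
from typing import Callable, Dict, List


class PolicyAuthError(Exception):
    """policyAuth/checkCTC returned type "error" or an unexpected response."""


def factor_requests(credentials: Dict[str, Dict[str, str]]) -> List[dict]:
    """Build policyAuthFactorRequest objects from factorName -> credentialObject."""
    return [{"factorName": n, "credentialObject": c} for n, c in credentials.items()]


def answer_prompt(prompt_spec: dict, answers: Dict[str, str]) -> Dict[str, str]:
    """Build a policyAuthFactorCredential from a promptSpec, honouring maxLength."""
    cred = {}
    for field in prompt_spec["promptFields"]:
        value = answers[field["fieldName"]]  # answers are keyed by fieldName
        if len(value) > field["maxLength"]:
            raise ValueError(f"{field['fieldName']}: exceeds maxLength")
        cred[field["fieldName"]] = value
    return cred


class PolicyAuthClient:
    # transport (hypothetical): (service URL, JSON request body) -> parsed JSON response
    def __init__(self, base_url: str, transport: Callable[[str, dict], dict],
                 max_rounds: int = 5):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.max_rounds = max_rounds  # bound on "nmi" continuation rounds

    def authenticate(self, userid, policy_name, credentials, prompt_handler) -> str:
        """Drive policyAuth until it returns a CTC; prompt_handler(factorName,
        promptSpec) -> credentialObject answers each factor of an "nmi" response."""
        body = {"apiVersion": 2, "userid": userid, "policyName": policy_name,
                "factors": factor_requests(credentials)}
        for _ in range(self.max_rounds):
            resp = self.transport(self.base_url + "/policyAuth/", body)
            kind = resp.get("type")
            if kind == "ctc":
                return resp["ctc"]
            if kind == "error":
                detail = "; ".join(
                    f"{f['factorName']} rc={f.get('rc')} rsn={f.get('rsn')} {f.get('msg', '')}"
                    for f in resp.get("factors", []))
                raise PolicyAuthError(f"rc={resp['rc']} rsn={resp['rsn']} [{detail}]")
            if kind != "nmi":
                raise PolicyAuthError(f"unexpected response type {kind!r}")
            # nmi: answer every factor's promptSpec, then send a policyAuthContinue
            # object (resumeID replaces userid/policyName).
            more = {f["factorName"]: prompt_handler(f["factorName"], f["promptSpec"])
                    for f in resp["factors"]}
            body = {"apiVersion": 2, "resumeID": resp["resumeID"],
                    "factors": factor_requests(more)}
        raise PolicyAuthError("gave up after too many nmi rounds")

    def check_ctc(self, userid: str, ctc: str) -> bool:
        """checkCTC: rc 0 = token valid, rc 44 = not valid, rc 48 = internal error."""
        resp = self.transport(self.base_url + "/checkCTC/",
                              {"userid": userid, "apiVersion": 2, "ctc": ctc})
        if resp["rc"] == 0:
            return True
        if resp["rc"] == 44:
            return False
        raise PolicyAuthError(f"checkCTC rc={resp['rc']} rsn={resp.get('rsn')}")

    def login(self, userid, policy_name, credentials, prompt_handler) -> bool:
        """A CTC only means all factors completed; in PCI mode one is returned
        even for a failed authentication, so always confirm it with checkCTC."""
        ctc = self.authenticate(userid, policy_name, credentials, prompt_handler)
        return self.check_ctc(userid, ctc)


# Constructed stand-in for the IBM MFA server (not IBM code). It replays the
# manual's example exchanges: the first passcode gets a "next tokencode" prompt,
# the second completes, and checkCTC accepts only that userid/token pair.
RESUME_ID = "yUoPzqnEir2QdLk7Nvo+5O12_7EK2Kl"
ACCESS_DENIED = {"type": "error", "rc": 44, "rsn": 0, "factors": [
    {"factorName": "AZFSIDP1", "rc": 8, "rsn": 0, "msg": "AZF1006E: ACCESS DENIED"}]}
NEXT_TOKENCODE = {"type": "nmi", "resumeID": RESUME_ID, "factors": [{
    "factorName": "AZFSIDP1", "promptSpec": {
        "promptType": "Interactive", "promptHeading": "AZF1001I: ENTER NEXT TOKENCODE",
        "promptFields": [{"fieldLabel": "Next Token Code", "fieldType": "secureTextField",
                          "fieldName": "passCode", "maxLength": 16}]}}]}


def fake_mfa_server(url: str, body: dict) -> dict:
    if url.endswith("/policyAuth/"):
        code = body["factors"][0]["credentialObject"].get("passCode")
        if "resumeID" in body:
            done = body["resumeID"] == RESUME_ID and code == "156816005719"
            return {"type": "ctc", "ctc": "td36ZsMq"} if done else ACCESS_DENIED
        first = body.get("policyName") == "SIDPONLY" and code == "156816837473"
        return NEXT_TOKENCODE if first else ACCESS_DENIED
    if url.endswith("/checkCTC/"):
        ok = body["userid"] == "testuser" and body["ctc"] == "td36ZsMq"
        return {"rc": 0 if ok else 44, "rsn": 0}
    raise ValueError(f"unknown service {url}")


def demo() -> bool:
    """Run the manual's nmi -> continue -> ctc sequence, then validate the CTC."""
    client = PolicyAuthClient("https://host:port", fake_mfa_server)

    def handler(_factor_name: str, spec: dict) -> Dict[str, str]:
        return answer_prompt(spec, {"passCode": "156816005719"})

    return client.login("testuser", "SIDPONLY",
                        {"AZFSIDP1": {"passCode": "156816837473"}}, handler)
```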



Appendix D. Accessibility

Accessible publications for this product are offered through https://www.ibm.com/docs/en/zos.


If you experience difficulty with the accessibility of any z/OS information, send a detailed message to the
IBM Support Portal at https://www.ibm.com/mysupport/s/?language=en_US, or use the following mailing
address:
IBM Corporation
Attention: MHVRCFS Reader Comments
Department H6MA, Building 707
2455 South Road
Poughkeepsie, NY 12601-5400
United States

Accessibility features

Accessibility features help users who have physical disabilities such as restricted mobility or limited vision
use software products successfully. The accessibility features in z/OS can help users do the following
tasks:
• Run assistive technology such as screen readers and screen magnifier software.
• Operate specific or equivalent features by using the keyboard.
• Customize display attributes such as color, contrast, and font size.

Consult assistive technologies


Assistive technology products such as screen readers function with the user interfaces found in z/OS.
Consult the product information for the specific assistive technology product that is used to access z/OS
interfaces.

Keyboard navigation of the user interface


You can access z/OS user interfaces with TSO/E or ISPF. The following information describes how to use
TSO/E and ISPF, including the use of keyboard shortcuts and function keys (PF keys). Each guide includes
the default settings for the PF keys.
• z/OS TSO/E Primer
• z/OS TSO/E User's Guide
• z/OS ISPF User's Guide Vol I

Dotted decimal syntax diagrams


Syntax diagrams are provided in dotted decimal format for users who access IBM Knowledge Center with
a screen reader. In dotted decimal format, each syntax element is written on a separate line. If two or
more syntax elements are always present together (or always absent together), they can appear on the
same line because they are considered a single compound syntax element.
Each line starts with a dotted decimal number; for example, 3 or 3.1 or 3.1.1. To hear these numbers
correctly, make sure that the screen reader is set to read out punctuation. All the syntax elements that
have the same dotted decimal number (for example, all the syntax elements that have the number 3.1)
are mutually exclusive alternatives. If you hear the lines 3.1 USERID and 3.1 SYSTEMID, your syntax
can include either USERID or SYSTEMID, but not both.



The dotted decimal numbering level denotes the level of nesting. For example, if a syntax element with
dotted decimal number 3 is followed by a series of syntax elements with dotted decimal number 3.1, all
the syntax elements numbered 3.1 are subordinate to the syntax element numbered 3.
Certain words and symbols are used next to the dotted decimal numbers to add information about the
syntax elements. Occasionally, these words and symbols might occur at the beginning of the element
itself. For ease of identification, if the word or symbol is a part of the syntax element, it is preceded by
the backslash (\) character. The * symbol is placed next to a dotted decimal number to indicate that the
syntax element repeats. For example, syntax element *FILE with dotted decimal number 3 is given the
format 3 \* FILE. Format 3* FILE indicates that syntax element FILE repeats. Format 3* \* FILE
indicates that syntax element * FILE repeats.
Characters such as commas, which are used to separate a string of syntax elements, are shown in the
syntax just before the items they separate. These characters can appear on the same line as each item,
or on a separate line with the same dotted decimal number as the relevant items. The line can also show
another symbol to provide information about the syntax elements. For example, the lines 5.1*, 5.1
LASTRUN, and 5.1 DELETE mean that if you use more than one of the LASTRUN and DELETE syntax
elements, the elements must be separated by a comma. If no separator is given, assume that you use a
blank to separate each syntax element.
If a syntax element is preceded by the % symbol, it indicates a reference that is defined elsewhere. The
string that follows the % symbol is the name of a syntax fragment rather than a literal. For example, the
line 2.1 %OP1 means that you must refer to separate syntax fragment OP1.
The following symbols are used next to the dotted decimal numbers.
? indicates an optional syntax element
The question mark (?) symbol indicates an optional syntax element. A dotted decimal number
followed by the question mark symbol (?) indicates that all the syntax elements with a corresponding
dotted decimal number, and any subordinate syntax elements, are optional. If there is only one
syntax element with a dotted decimal number, the ? symbol is displayed on the same line as the
syntax element, (for example 5? NOTIFY). If there is more than one syntax element with a dotted
decimal number, the ? symbol is displayed on a line by itself, followed by the syntax elements that
are optional. For example, if you hear the lines 5 ?, 5 NOTIFY, and 5 UPDATE, you know that the
syntax elements NOTIFY and UPDATE are optional. That is, you can choose one or none of them.
The ? symbol is equivalent to a bypass line in a railroad diagram.
! indicates a default syntax element
The exclamation mark (!) symbol indicates a default syntax element. A dotted decimal number
followed by the ! symbol and a syntax element indicate that the syntax element is the default option
for all syntax elements that share the same dotted decimal number. Only one of the syntax elements
that share the dotted decimal number can specify the ! symbol. For example, if you hear the lines
2? FILE, 2.1! (KEEP), and 2.1 (DELETE), you know that (KEEP) is the default option for
the FILE keyword. In the example, if you include the FILE keyword, but do not specify an option,
the default option KEEP is applied. A default option also applies to the next higher dotted decimal
number. In this example, if the FILE keyword is omitted, the default FILE(KEEP) is used. However,
if you hear the lines 2? FILE, 2.1, 2.1.1! (KEEP), and 2.1.1 (DELETE), the default option
KEEP applies only to the next higher dotted decimal number, 2.1 (which does not have an associated
keyword), and does not apply to 2? FILE. Nothing is used if the keyword FILE is omitted.
* indicates an optional syntax element that is repeatable
The asterisk or glyph (*) symbol indicates a syntax element that can be repeated zero or more times.
A dotted decimal number followed by the * symbol indicates that this syntax element can be used
zero or more times; that is, it is optional and can be repeated. For example, if you hear the line 5.1*
data area, you know that you can include one data area, more than one data area, or no data area.
If you hear the lines 3* , 3 HOST, 3 STATE, you know that you can include HOST, STATE, both
together, or nothing.
Notes:
1. If a dotted decimal number has an asterisk (*) next to it and there is only one item with that dotted
decimal number, you can repeat that same item more than once.



2. If a dotted decimal number has an asterisk next to it and several items have that dotted decimal
number, you can use more than one item from the list, but you cannot use the items more than
once each. In the previous example, you can write HOST STATE, but you cannot write HOST HOST.
3. The * symbol is equivalent to a loopback line in a railroad syntax diagram.
+ indicates a syntax element that must be included
The plus (+) symbol indicates a syntax element that must be included at least once. A dotted decimal
number followed by the + symbol indicates that the syntax element must be included one or more
times. That is, it must be included at least once and can be repeated. For example, if you hear the
line 6.1+ data area, you must include at least one data area. If you hear the lines 2+, 2 HOST,
and 2 STATE, you know that you must include HOST, STATE, or both. Similar to the * symbol, the
+ symbol can repeat a particular item if it is the only item with that dotted decimal number. The +
symbol, like the * symbol, is equivalent to a loopback line in a railroad syntax diagram.

Notices
This information was developed for products and services offered in the U.S.A. or elsewhere.
IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available in
your area. Any reference to an IBM product, program, or service is not intended to state or imply that
only that IBM product, program, or service may be used. Any functionally equivalent product, program, or
service that does not infringe any IBM intellectual property right may be used instead. However, it is the
user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not give you any license to these patents. You can
send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual
Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein; these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in
any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of
the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the
exchange of information between independently created programs and other programs (including this
one) and (ii) the mutual use of the information which has been exchanged, should contact:

Site Counsel
IBM Corporation
2455 South Road
Poughkeepsie, NY 12601-5400
USA



Such information may be available, subject to appropriate terms and conditions, including in some cases,
payment of a fee.
The licensed program described in this information and all licensed material available for it are provided
by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or
any equivalent agreement between us.
Information concerning non-IBM products was obtained from the suppliers of those products, their
published announcements or other publicly available sources. IBM has not tested those products and
cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without
notice, and represent goals and objectives only.
If you are viewing this information softcopy, the photographs and color illustrations may not appear.
COPYRIGHT LICENSE:
This information might contain sample application programs in source language, which illustrate
programming techniques on various operating platforms. You may copy, modify, and distribute these
sample programs in any form without payment to IBM, for the purposes of developing, using, marketing
or distributing application programs conforming to the application programming interface for the
operating platform for which the sample programs are written. These examples have not been thoroughly
tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function
of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not
be liable for any damages arising out of your use of the sample programs.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and service names might
be trademarks of IBM or other companies. A current list of IBM trademarks is available at https://
www.ibm.com/legal/copytrade.
UNIX is a registered trademark of The Open Group in the United States and other countries.



Index

A authorize access (continued)


IRR.RFACTOR.MFADEF.FACTOR_NAME suffix profile 176
accept certificates shared secret 92, 103, 112
Certificate Authentication 89 authorize load library 7
accessibility AZF messages 235
contact IBM 323 AZF started task
features 323 define user 9, 35
activate and deactivate users AZFCKCTC
AZFCKCTC 165 activate and deactivate users 165
Certificate Authentication 88 AZFRADP1
generic RADIUS 98 configure 93
IBM MFA Compound In-Band 56, 65, 75, 97, 107, 127, AZFSFNP1
135, 142, 164 configure 104
IBM MFA for ELF 167 AZFSIDR1
IBM MFA Out-of-Band 50 configure 113
IBM MFA Password Authentication 171 AZFTOTP1 settings
IBM Security Verify Access 128, 130 configure registration server 70
LDAP 137
multiple instance 179
RSA SecurID RADIUS 118
B
SafeNet RADIUS 109 bulk provision users
SecurID 58 IBM MFA 183
SecurID Authentication API 67 bypass applications 207
TOTP 79 bypass applications by name 208
activate MFADEF class 11 bypass applications for MFA 209
additional check CTC system programming steps 161 bypass IBM MFA
additional generic RADIUS system programming steps 93 additional specificity through ACL and UACC 208
additional multiple instance system programming steps 177 by application name 208
additional RSA SecurID RADIUS system programming steps by ID 209
113 determine authentication information 208
additional SafeNet RADIUS system programming steps 104 Bypass IBM MFA 207
additional SecurID Authentication API system programming
steps 62
additional SecurID system programming steps 52 C
administrative steps
CAC card
certificate authentication 81, 169
configure certificate authentication 81
IBM MFA for TOTP 69
cache token sharing
IBM Security Verify Access 121
changing 26
LDAP 131
configure 25
RACF 9
certificate authentication
Yubico OTP 139
configure 81, 169
allocate node secret data set 53
Certificate authentication
allocate SDCONF.REC data set 52
administrative steps 81
assistive technologies 323
configure AT-TLS profile 83
AT-TLS policy
define factors in FACILITY class 81
example 297
define factors in MFADEF class 81
AT-TLS profile
import client certificate 82
configure for certificate authentication 83
system programming steps 82
configure for TOTP 36
Certificate Authentication
import client certificate 82
accept certificates 89
authorize access
activate and deactivate users 88
IRR.RFACTOR.MFADEF.AZFCKCTC profile 160
administration and operation steps 88
IRR.RFACTOR.MFADEF.AZFRADP1 profile 92
configure panel 85
IRR.RFACTOR.MFADEF.AZFSFNP1 profile 103
Certificate authentication administrative steps
IRR.RFACTOR.MFADEF.AZFSIDP1 profile 52
authorize access to IRR.RFACTOR.MFADEF.AZFCERT1
IRR.RFACTOR.MFADEF.AZFSIDP3 profile 62
profile 82
IRR.RFACTOR.MFADEF.AZFSIDR1 profile 112

Index  329
Certificate authentication administrative steps (continued) define factors (continued)
authorize access to IRR.RFACTOR.MFADEF.AZFPASS1 IBM MFA Out-of-Band 49
profile 11, 170 multiple instance 176
check CTC password authentication 169, 170
additional system programming steps 161 RSA RADIUS 112
administration and operation steps 165 SafeNet RADIUS 102
configure 161 SecurID 51
configure check CTC 159 SecurID Authentication API 61
RACF administration steps for check CTC 160 started task 10, 11
clear shared RADIUS secret 99 define generic RADIUS factors in MFADEF class 91, 175
clear shared SafeNet RADIUS secret 110 define IBM MFA Password Authentication parameters 170
configure define profile in STARTED class 10, 36
IBM Verify Gateway for RADIUS 153, 155, 157, 158 define RSA RADIUS factors in MFADEF class 111
configure account define SafeNet RADIUS factors in MFADEF class 102
IBM Security Verify 151 define SecurID Authentication API factors in MFADEF class
configure authentication factors 61
IBM Security Verify 153 define SecurID Authentication API parameters 63
configure client define SecurID factors in MFADEF class 51
IBM Security Verify 152 define SecurID parameters 54
Configure IBM MFA 13 define user for AZF started task 9, 35
Configure IBM MFA certificate authentication 81, 169 disaster recovery
Configure IBM MFA for check CTC 159 SecurID 59
Configure IBM MFA for ELF 167
Configure IBM MFA for generic RADIUS 91, 158
Configure IBM MFA for LDAP 131
E
Configure IBM MFA for RSA RADIUS 111 ELF
Configure IBM MFA for RSA SecurID Authentication API 61, configure for IBM MFA 167
62 enable mixed-case passwords 12
Configure IBM MFA for SafeNet RADIUS 101 Examples for IBM MFA 3
Configure IBM MFA for SecurID 51
Configure IBM MFA for TOTP 69
Configure IBM MFA for Yubico OTP 139, 151 F
Configure IBM MFA out-of-band authentication 45
FACILITY class
Configure IBM MFA STC panel 21, 35
define factor for IBM Security Verify Access 121
Configure IBM Security Verify Access 121
define factor for LDAP 131
contact
define factor for Yubico OTP 139
z/OS 323
define factors for certificate authentication 81
copy SAZFEXEC(AZFEXEC) 7
define factors for check CTC 160
copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01) 7
define factors for generic RADIUS 91
copy sdconf.rec 53
define factors for IBM MFA 40
create csv file
define factors for IBM MFA for TOTP 69
Yubico OTP 144, 148
define factors for IBM MFA Out-of-Band 49
csfserv resource profiles
define factors for multiple instance 176
configure 29
define factors for password authentication 170
CTCs
define factors for RSA RADIUS 112
invalidating user 221
define factors for SafeNet RADIUS 102
customize AZFEXEC 7
define factors for SecurID 51
customize IBM MFA
define factors for SecurID Authentication API 61
overview 5
define factors for started task 11
system programming steps 7

D G
Generic RADIUS
define check CTC factors in MFADEF class 160
activate and deactivate users 98
define factor
additional system programming steps 93
IBM Security Verify Access 121
administration and operation steps 98
LDAP 131
configure for IBM MFA 91, 158
Yubico OTP 139
RACF administration steps 91
define factors
generic TOTP
certificate authentication 81
configure user profile 78
check CTC 160
generic RADIUS 91
IBM MFA 40
IBM MFA for TOTP 69

330  IBM MFA: IBM Z Multi-Factor Authentication Installation and Customization


H IBM Security Verify Access (continued)
define factor in MFADEF class 121
High availability system programming steps 122
configureIBM MFA for 217 IBM Security Verify Access administrative steps
authorize access to profile 122
IBM Verify Gateway for RADIUS
I configure 153, 155, 157, 158
IBM HTTP Server -Powered by Apache ingest .csv file
configure 198 Yubico OTP 145
configure PKCS#11 tokens 195 IRR.DIGTCERT.LISTRING profile
configure subrequests 198 authorize access 41
IBM MFA IRR.RFACTOR.MFADEF.AZFCERT1 profile
bulk provision users 183 authorize access 82
changine cache token sharing 26 IRR.RFACTOR.MFADEF.AZFCKCTC profile
configuration roadmap 13 authorize access 160
configure AZFRADP1 93 IRR.RFACTOR.MFADEF.AZFPASS1 profile
configure AZFSIDR1 113 authorize access 11, 170
configure AZSFNP1 104 IRR.RFACTOR.MFADEF.AZFRADP1 profile
configure cache token sharing 25 authorize access 92
configure check CTC 161 IRR.RFACTOR.MFADEF.AZFSFNP1 profile
configure for high availability 217 authorize access 103
configure multiple instance 177 IRR.RFACTOR.MFADEF.AZFSIDP1 profile
configure PCI mode 27 authorize access 52
configure started tasks 21 IRR.RFACTOR.MFADEF.AZFSIDP3 profile
define factors in FACILITY class 40 authorize access 62
resource profile authorization reference 213 IRR.RFACTOR.MFADEF.AZFSIDR1 profile
IBM MFA bypass authorize access 112
applications 207 IRR.RFACTOR.MFADEF.AZFTOTP1 profile
PassTickets 203 authorize access 70
IBM MFA Compound In-Band IRR.RFACTOR.MFADEF.FACTOR_NAMEsuffix profile
activate and deactivate users 56, 65, 75, 97, 107, 127, authorize access 176
135, 142, 164 IRR.RFACTOR.POLICY profile
RSA SecurID RADIUS 116 authorize access 50
IBM MFA for ELF IRR.RFACTOR.USER profile
activate and deactivate users 167 authorize access 41
IBM MFA for TOTP
administration and operation steps 76 K
administrative steps 69
configure user profile 76, 193 keyboard
define factors in FACILITY class 69 navigation 323
define factors in MFADEF class 69 PF keys 323
system programming steps 70 shortcut keys 323
IBM MFA Out-of-Band
activate and deactivate users 50
configure web services 41, 47, 85
L
define factors in FACILITY class 49 LDAP
IBM MFA Out-of-Band administrative steps activate and deactivate users 137
authorize access to IRR.RFACTOR.POLICY profile 50 administration and operation steps 137
IBM MFA Password Authentication administrative steps 131
activate and deactivate users 171 configure 131, 132
administration and operation steps 170 define factor in FACILITY class 131
define parameters 170 define factor in MFADEF class 131
IBM MFA SMF records 301 system programming steps 132
IBM OpenSSH 201 LDAP administrative steps
IBM Security Verify authorize access to profile 132
configure account 151 link list
configure authentication factors 153 add SAZFLOAD 8
configure client 152 load library
IBM Security Verify Access authorize 7
activate and deactivate users 128, 130
administration and operation steps 128
administrative steps 121 M
configure 121, 122
MFADEF class
define factor in FACILITY class 121

Index  331
MFADEF class (continued)
  activate 11
  define factor for IBM Security Verify Access 121
  define factor for LDAP 131
  define factor for Yubico OTP 139
  define factors for certificate authentication 81
  define factors for check CTC 160
  define factors for generic RADIUS 91, 175
  define factors for IBM MFA for TOTP 69
  define factors for password authentication 169
  define factors for RSA RADIUS 111
  define factors for SafeNet RADIUS 102
  define factors for SecurID 51, 61
  define factors for started task 10
migrating versions 231, 233
mixed-case passwords
  enable for RACF 12
modify trace levels 223
multi-factor authentication policies
  apply to users 47
  create 47
Multiple factors
  configuring 175
multiple instance
  configure 177
Multiple instance
  activate and deactivate users 179
  additional system programming steps 177
  administration and operation steps 179
multiple instance authentication policies
  apply to users 180
  create 180
Multiple instances
  RACF administration steps 175

N
navigation
  keyboard 323
node secret
  clear for SecurID 59
node secret data set
  allocate 53
Notices 327

O
out-of-band authentication
  configure 45

P
parameters
  define for IBM MFA Password Authentication 170
  define for SecurID 54
  define for SecurID Authentication API 63
PassTickets
  bypass IBM MFA 203
password authentication
  administrative steps 169
Password authentication
  define factors in FACILITY class 170
  define factors in MFADEF class 169
Password fallback
  configuring 173
passwords
  changing user 187, 189
  resetting user 191
PCI mode
  configure 27
PIV card
  configure certificate authentication 81
PKCS#11 tokens
  configure for IBM HTTP Server - Powered by Apache 195
  configure for TOTP 31
preparing for IBM MFA 1
printing statistics 59
profile
  authorize access 122, 132, 140

R
RACF
  enable mixed-case passwords 12
RACF administration steps for check CTC 160
RACF administration steps for generic RADIUS 91
RACF administration steps for multiple instances 175
RACF administration steps for RSA SecurID Authentication API 61
RACF administration steps for RSA SecurID RADIUS 111
RACF administration steps for SafeNet RADIUS 102
RACF administration steps for SecurID 51
RACF administrative steps
  activate MFADEF class 11
  authorize access 52, 62, 92, 103, 112, 160, 176
  define check CTC factors in FACILITY class 160
  define check CTC factors in MFADEF class 160
  define entry in STARTED class 10, 36
  define generic RADIUS factors in FACILITY class 91
  define multiple instance factors in FACILITY class 176
  define Radius factors in MFADEF class 91, 111, 175
  define RSA RADIUS factors in FACILITY class 112
  define SafeNet RADIUS factors in FACILITY class 102
  define SafeNet RADIUS factors in MFADEF class 102
  define SecurID Authentication API factors in FACILITY class 61
  define SecurID Authentication API factors in MFADEF class 61
  define SecurID factors in FACILITY class 51
  define SecurID factors in MFADEF class 51
  define user for AZF started task 9, 35
Radius
  clear shared secret 119
RADIUS
  additional system programming steps 104
  administration and operation steps 118
  clear shared secret 99
  configure SafeNet 101
  RACF administration steps for SafeNet 102
RADIUS shared secret
  clear 99
re-register users
  TOTP 79
remove factors 219
removing IBM MFA
  factors 219
Resource profile

Resource profile (continued)
  authorization reference for IBM MFA 213
resource profile for shared secret
  authorize access 92, 103, 112
RSA RADIUS
  additional system programming steps 113
  configure for SecurID 111
RSA SecurID Authentication API
  configure 61, 62
  RACF administration steps 61
RSA SecurID RADIUS
  activate and deactivate users 118
  IBM MFA Compound In-Band 116
  RACF administration steps 111

S
SafeNet RADIUS
  activate and deactivate users 109
  administration and operation steps 109
  clear shared secret 110
SafeNet RADIUS shared secret
  clear 110
SCHEDxx PARMLIB
  update 8
sdconf.rec
  copy for SecurID 53
SDCONF.REC data set
  allocate for SecurID 52
sdopts.rec file 53
SecurID
  activate and deactivate users 58
  additional system programming steps 52, 62
  administration and operation steps 58
  allocate node secret data set 53
  allocate SDCONF.REC data set 52
  clear node secret 59
  configure 51
  copy sdconf.rec 53
  define parameters 54
  printing statistics 59
  RACF administration steps 51
  sdopts.rec file 53
SecurID Authentication API
  activate and deactivate users 67
  administration and operation steps 67
  define parameters 63
SecurID disaster recovery 59
self-enroll tokens
  Yubico OTP 145, 146
sending comments to IBM xv
services
  start started task 55, 64, 74, 87, 95, 106, 115, 126, 134, 141, 163, 177
set WLM service class 8
shared secret
  clear for Radius 119
shortcut keys 323
STARTED class
  define entry 10, 36
started task
  define factors in FACILITY class 11
  define factors in MFADEF class 10
  start for services 55, 64, 74, 87, 95, 106, 115, 126, 134, 141, 163, 177
started tasks
  configure 21
statistics
  printing for SecurID 59
STC panel
  configure 21, 35
subrequests
  configure for IBM HTTP Server - Powered by Apache 198
summary of changes xvii
system programming steps
  add SAZFLOAD link list 8
  authorize load library 7
  certificate authentication 82
  copy SAZFEXEC(AZFEXEC) 7
  copy SAZFSAMP(AZF#IN00) 7
  customize AZFEXEC 7
  IBM MFA for TOTP 70
  IBM Security Verify Access 122
  LDAP 132
  set WLM service class 8
  update SCHEDxx PARMLIB 8
  Yubico OTP 140

T
tcp/ip stacks
  affinity 229
TOTP
  activate and deactivate users 79
  configure 69
  configure AT-TLS profile 36
  configure PKCS#11 tokens 31
  re-register user 79
TOTP administrative steps
  authorize access to IRR.DIGTCERT.LISTRING profile 41
  authorize access to IRR.RFACTOR.MFADEF.AZFTOTP1 profile 70
  authorize access to IRR.RFACTOR.USER profile 41
trace levels
  modify 223
trademarks 328
translation
  configure 211
Troubleshooting 225

U
update SCHEDxx PARMLIB 8
user interface
  ISPF 323
  TSO/E 323
user profile
  configure for generic TOTP 78
  configure for IBM MFA for TOTP 76, 193

V
versions
  migrating 231, 233

W
web services
  configure 41, 47, 85
  start started task 44
web services server
  configure 70
WLM service class
  set 8

Y
Yubico OTP
  administration and operation steps 144
  administrative steps 139
  configure 139, 140, 151
  create csv file 144, 148
  define factor in FACILITY class 139
  define factor in MFADEF class 139
  ingest a .csv file 145
  self-enroll tokens 145, 146
  system programming steps 140
Yubico OTP administrative steps
  authorize access to profile 140

IBM®

Product Number: 5655-MA1

SC27-8447-41
