IBM Z Multi-Factor Authentication 2.2 enhances authentication modes and support to strengthen enterprise security

IBM United States Software Announcement 222-004
January 18, 2022

Table of contents
OverviewOverviewTechnical informationTechnical information
Key requirementsKey requirementsOrdering informationOrdering information
Planned availability datePlanned availability dateTerms and conditionsTerms and conditions
Statement of general directionStatement of general directionPricesPrices
Program numberProgram numberOrder nowOrder now
PublicationsPublicationsRegional availabilityRegional availability


At a glance

Top rule

IBM Z® Multi-factor Authentication (MFA) 2.2 includes the following enhancements:

  • Pluggable Authentication Modules (PAM) for use with Linux® on Z architecture. With these modules, administrators of supported Linux distributions can configure PAM-compatible Linux applications to require users to satisfy an MFA policy before access to the application is granted.
  • Administrators on IBM® z/OS® are now able to configure multiple instances of select MFA Factors. This can offer superior flexibility when a single z/OS External Security Manager (ESM) database supports disparate tenant user communities. 1
  • Support for RSA SecurID authentication via the RSA REST API (z/OS and Linux).
  • Documentation and formal support for customer use of Policy Authentication web interfaces that were previously internal and undocumented (z/OS and Linux).
  • An IBM Z MFA configuration option to request that browser clients receiving cache token credentials mask the display of such credentials, in combination with new served resources to honor this setting in the IBM Z MFA user interfaces for web-based policy authentication (z/OS and Linux).
  • The addition of a "console modify" command to force the invalidation of all cache token credentials currently in the IBM Z MFA cache for a given user ID (z/OS only).
  • A web-based ESM password reset feature for users who have forgotten their ESM password but who are able to successfully authenticate to an IBM Z MFA Policy (z/OS only).

1 For example, suppose a large multinational corporation operates subdivisions in Europe and Asia. Its z/OS mainframe operations have been consolidated under a single security team. The European division maintains a Remote Authentication Dial-In User Service (RADIUS) server to support hard tokens from one third-party authentication vendor. Because of the parent company's merger and acquisition history, the Asian division maintains a separate RADIUS server to support soft tokens from a different third-party authentication vendor. With IBM Z MFA 2.2, the mainframe security team simply configures two separate instances of the AZFRADP1 factor: AZFRADP1#EU and AZFRADP1#ASIA, each pointing to different RADIUS server IP addresses.



Back to topBack to top

Overview

Top rule

IBM Z MFA 2.2 can raise the level of assurance of your mission-critical systems with a flexible and tightly integrated multi-factor authentication solution. The IBM Z MFA and IBM z/OS Security Server RACF® programs help to create a layered defense by requiring select z/OS users to authenticate with multiple factors, including the following:

  • Something they know, such as a password or security question
  • Something they have, such as an ID badge or cryptographic token device
  • Something they are, represented by a fingerprint or other biometric attribute

Password technology, now more than 50 years old, has proven to be susceptible to theft, which poses business risk through a wide range of hacking techniques. The majority of users who sign on to z/OS are performing tasks that are critical to the success of their business. These include accessing personally identifiable information, managing money, working with intellectual property, sharing information with subcontractors or business partners, and managing systems with privileged status. Unwanted access to any of these users’ accounts could be detrimental to a business. In addition to strengthening protection, deployment of IBM Z MFA can enable businesses to satisfy a number of regulatory requirements that require support beyond password and password phrase technology. When users access IBM Z-hosted applications, IBM Z MFA 2.2 should be used to authenticate those users.

All versions of IBM Z MFA secure user logons to z/OS, using parts that run on z/OS. IBM Z MFA 2.1 introduced protection for user logons to z/VM®. IBM Z MFA 2.2 can protect Linux on Z Architecture applications that support the PAM framework, using PAM modules that run on Linux.

IBM Z MFA 2.2 supports many authentication types and integration features. A partial list of supported features and integrations is included in the table below. The use of italics indicates features new in version 2.2. Authentication types evaluated directly within IBM Z MFA without the use of an external network service are denoted with two asterisks.**

Authentication type or integration feature z/OS z/VM and Linux on Z
Multiple instances for select authentication types, enabling, for example, two or more generic RADIUS configurations to be used simultaneously Yes No
RFA SecurID via HTTPS REST API Yes Yes
RSA SecurID via RADIUS Password Authentication Protocol (PAP) Yes Yes
RSA SecurID via ACEv5 UDP protocol Yes Yes
Time-based one-time passwords (TOTPs)** Yes Yes
Generic RADIUS PAP via User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) Yes Yes
Yubico Yubikey tokens using the Yubico OTP algorithm** Yes Yes
PassTicket support Yes No
Certificate-based authentication including Personal Identity Verification/Common Access Card (PIV/CAC) and other smart cards** Yes Yes
OTPs generated by the IBM Security® Access Manager (ISAM) pick-up OTP capability Yes Yes
The capability to obtain a secure credential from IBM Z MFA on one system or sysplex and use the credential to access applications inside and outside the sysplex boundary Yes No
The capability to protect z/OS applications that use IBM HTTP Server, powered by Apache, now including 31-bit applications and applications that use subrequests Yes No
The capability to accept authentication requests from ESMs running on z/VM No Yes
The capability to run multiple instances of the multi-factor authentication Web services started task in a sysplex Yes No
The capability to configure multi-factor authentication to operate in a strict Payment card industry (PCI)-compliant mode Yes Yes
Integration through a System Authorization Facility (SAF) API that enables IBM Express Logon Facility to work with multi-factor authentication Yes No
Compound out-of-band authentication, which enables the specification of more than one authentication factor in the authentication process Yes Yes
Compound in-band authentication, which requires the user to supply a RACF credential (password or passphrase) in conjunction with a valid MFA credential Yes No
RACF Identity Tokens (JavaScript Object Notation [JSON] Web Token support) in which a set of authentication API calls can be linked together to appear as a single authentication transaction Yes No
Self-service SAF password or passphrase change for both MFA users and non-MFA users Yes No
MFA-internal passwords, protected by PBKDF2, for use within an MFA policy or during self-service enrollment No Yes
Self-service MFA-internal password change for MFA users only No Yes


Back to topBack to top

Key requirements

Top rule

  • z/OS: z/OS Security Server RACF, or other compatible ESM
  • Linux on Z architecture: Red Hat® Enterprise Linux (RHEL) minimum version or SUSE Linux Enterprise Server (SLES) minimum version
  • z/VM: z/VM 7.1 RACF or other compatible ESM

Depending on the factor being used, the following might be additional requirements:

  • Minimum RSA Authentication Manager server version for RSA REST API, or later, for RSA SecurID via RSA REST API
  • Any supported version of RSA Authentication Manager server for RSA SecurID integrations via ACEv5 or RADIUS UDP protocols
  • SafeNet Authentication Service 3.5.4, or later
  • A web browser that is capable of initiating TLS 1.2 sessions and operating with local smart card drivers if smart cards are employed
  • A RADIUS server configured for PAP with shared secrets for generic RADIUS
  • An on-premises IBM Security Access Manager 9.0.6 instance, or access to a Security Verify instance if using this support
  • A Lightweight Directory Access Protocol (LDAP) server
  • Tokens compatible with either IBM Z MFA supported factors or ISAM


Back to topBack to top

Planned availability date

Top rule

January 21, 2022

Availability within a country is subject to local legal requirements.



Back to topBack to top

Accessibility by people with disabilities

Top rule

A US Section 508 Accessibility Compliance Report containing details on accessibility compliance can be found on the Product accessibility information website.



Back to topBack to top

Statement of general direction

Top rule

As of April 30, 2023, IBM plans to discontinue support of the IBM TouchToken App for iOS devices. Clients should consider using the IBM Verify app for iOS.

Statements by IBM regarding its plans, directions, and intent are subject to change or withdrawal without notice at the sole discretion of IBM. Information regarding potential future products is intended to outline general product direction and should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for IBM products remain at the sole discretion of IBM.



Back to topBack to top

Program number

Top rule

Program number VRM Program name
5655-MA1 2.2 IBM Z Multi-Factor Authentication
5655-MA2 1.1.0 IBM Z Multi-Factor Authentication S&S

IBM Z Multi-Factor Authentication

Program number Subscription and Support program number
5655-MA1 5655-MA2


Back to topBack to top

Offering Information

Top rule

Product information is available on the IBM Offering Information website.



Back to topBack to top

Business Partner information

Top rule

If you are an IBM Business Partner acquiring IBM products or services directly from IBM, you may link directly to Business Partner information for this announcement.

BP Attachment for Announcement Letter 222-004


Back to topBack to top

Publications

Top rule

The product documentation includes the following publications:

Title Order number
IBM Z Multi-Factor Authentication Program Directory GI13-5220-01
IBM Z Multi-Factor Authentication Installation and Customization SC27-8447-41
IBM Z Multi-Factor Authentication User's Guide SC27-8448-41
IBM Z Multi-Factor Authentication for z/VM and Linux on Z SC27-4938-41

Access to the IBM Z MFA documentation in HTML and PDF formats is available on the IBM z/OS documentation web page.



Back to topBack to top

Services

Top rule

IBM Systems Lab Services

Systems Lab Services offers infrastructure services to help build hybrid cloud and enterprise IT solutions. From servers to storage systems and software, Systems Lab Services can help deploy the building blocks of a next-generation IT infrastructure to empower a client's business. Systems Lab Services consultants can perform infrastructure services for clients online or onsite, offering deep technical expertise, valuable tools, and successful methodologies. Systems Lab Services is designed to help clients solve business challenges, gain new skills, and apply best practices.

Systems Lab Services offers a wide range of infrastructure services for IBM Power® servers, IBM Storage systems, IBM Z, and IBM LinuxONE. Systems Lab Services has a global presence and can deploy experienced consultants online or onsite around the world.

For assistance, contact Systems Lab Services at ibmsls@us.ibm.com.

To learn more, see the IBM Systems Lab Services website.

IBM Consulting

As transformation continues across every industry, businesses need a single partner to map their enterprise-wide business strategy and technology infrastructure. IBM Consulting is the business acceleration partner to help cocreate change across an organization. IBM specialists can help businesses succeed through finding collaborative ways of working that forge connections across people, technologies, and partner ecosystems. IBM Consulting brings together the business expertise and an ecosystem of technologies that help solve some of the biggest problems faced by organizations. With methods that get results faster, an integrated approach that is grounded in an open and flexible hybrid cloud architecture, and incorporating technology from IBM Research® and IBM Watson® AI, IBM Consulting enables businesses to lead change with confidence and deliver continuous improvement across a business and its bottom line.

For additional information, see the IBM Consulting website.

IBM Technology Support Services (TSS)

Get preventive maintenance, onsite and remote support and gain actionable insights into critical business applications and IT systems. Speed developer innovation with support for over 240 open-source packages. Leverage powerful IBM analytics and AI-enabled tools to enable client teams to manage IT problems before they become emergencies.

TSS offers extensive IT maintenance and support services that cover more than one niche of a client’s environment. TSS covers products from IBM and OEMs, including servers, storage, network, appliances, and software, to help clients ensure high availability across their data center and hybrid cloud environment.

For details on available services, see the Technology support for hybrid cloud environments website.

IBM TechU

Improve your knowledge in hybrid cloud and AI solutions. TechU provides the most recent content so that you can learn, engage, and increase your skills with IBM Technology specialists.

A one-year, renewable digital TechU membership provides access to IBM Systems online education to help address your technical enablement needs for existing and new projects.

Submit questions or comments to techuid@us.ibm.com.

For additional details, see the IBM TechU website.

IBM Expert Labs

Expert Labs can help clients accelerate their projects and optimize value by leveraging their deep technical skills and knowledge. With more than 20 years of industry experience, these specialists know how to overcome the biggest challenges to deliver business results that can have an immediate impact.

Expert Labs' deep alignment with IBM product development allows for a strategic advantage as they are often the first in line to get access to new products, features, and early visibility into roadmaps. This connection with the development enables them to deliver First of a Kind implementations to address unique needs or expand a client's business with a flexible approach that works best for their organization.

For additional information, see the IBM Expert Labs website.

IBM Security Expert Labs

With extensive consultative expertise on IBM Security software solutions, Security Expert Labs helps clients and partners modernize the security of their applications, data, and workforce. With an extensive portfolio of consulting and learning services, Expert Labs provides project-based and premier support service subscriptions.

These services can help clients deploy and integrate IBM Security software, extend their team resources, and help guide and accelerate successful hybrid cloud solutions, including critical strategies such as zero trust. Remote and on-premises software deployment assistance is available for IBM Cloud Pak® for Security, IBM Security QRadar®/QRoC, IBM Security SOAR/Resilient®, IBM i2®, IBM Security Verify, IBM Security Guardium®, and IBM Security MaaS360®.

For more information, contact Security Expert Labs at sel@us.ibm.com.

For additional information, see the IBM Security Expert Labs website.



Back to topBack to top

Technical information

Top rule

Specified operating environment

Hardware requirements

A currently supported IBM Z server.

Software requirements

IBM Z MFA requires the following:

  • z/OS 2.2 Security Server RACF 2.2, or later, with PTFs for MFA support. See RACF Multi-Factor Authentication Support for details.
  • z/VM 7.1 RACF, or later, with PTFs for MFA support.
  • For generic RADIUS support, access to an external server that supports the RADIUS PAP protocol.
  • For SafeNet support, access to an external Gemalto SafeNet Authentication Service server.
  • For RSA SecurID exploitation, access to an external RSA Authentication Manager 8.1 server.
  • For ISAM exploitation, access to an ISAM server.
  • For Security Verify exploitation, valid Security Verify provisioned users.

Such information is provided subject to the following terms. IT system security involves protecting systems and information through prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated, or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service, or security measure can be completely effective in preventing improper use or access. IBM systems, products, and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products, or services to be most effective.

Important: IBM does not warrant that any systems, products, or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Limitations

Authentication requests using IBM Z MFA are expected to be slower than non-IBM Z MFA authentication requests. At the very least, IBM Z MFA authentication will incur extra path length when calling Multi-Factor Authentication Services. Depending on the factor type, there might be additional considerations such as network calls to external authentication servers. Non-IBM Z MFA authentication requests should have little to no noticeable performance degradation.

See the Terms and conditions section of this announcement or the License Information document that is available on the IBM Software License Agreement website.

IBM Support

IBM Support is your gateway to technical support tools and resources that are designed to help you save time and simplify support. IBM Support can help you find answers to questions, download fixes, troubleshoot, submit and track problem cases, and build skills. Learn and stay informed about the transformation of IBM Support, including new tools, new processes, and new capabilities, by going to the IBM Support Insider.

Additional IBM support

IBM Garage™

IBM Garage is a framework for accelerating digital transformation. It helps you generate innovative ideas and equips you with the practices, technologies, and expertise to turn those ideas into business value in weeks. When you work with IBM Garage you bring pain points into focus. You empower your team to take manageable risks, adopt leading technologies, speed up solution development, and measure the value of everything you do. IBM Garage has experts and services to address a broad array of use cases, including capabilities for business transformation, hybrid cloud, analytics and AI, infrastructure systems, security, and more. For more information, see the IBM Garage website.

IBM Z Washington System Center (WSC)

IBM Z Washington Systems Center (WSC): WSC, a team with deep technical expertise, provides technical assistance. WSC teams can help position, design, and implement solutions, and support critical situations that contribute to IBM Z, IBM LinuxONE, and Linux on IBM Z software, hardware, and services. For installation and technical support, provided by local Technical Specialists, contact the WSC at ilin@us.ibm.com.

For additional information, see the Washington System Center - IBM Z website.

Planning information

Packaging

The IBM Z MFA product package is distributed with the following:

Title Order number
IBM Z Multi-Factor Authentication Program Directory GII3-5220-01
IBM Z Multi-Factor Authentication Installation and Customization SC27-8447-41
IBM Z Multi-Factor Authentication User's Guide SC27-8448-41
IBM Z Multi-Factor Authentication for z/VM and Linux on Z SC27-4938-41

Direct client support

For technical support or assistance, contact your IBM representative or go to the IBM Support website.

Security, auditability, and control

The IBM Z MFA product is closely integrated with z/OS Security Server RACF and centralizes authentication factor information in the RACF database. IBM Z MFA relies on the RACF Security Administrator to identify which users are subject to requiring IBM Z MFA policy. IBM Z MFA relies on the integrity, security, and auditability features and functions of z/OS and the IBM Z platform hardware.

The client is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.



Back to topBack to top

Ordering information

Top rule

Consult your IBM representative.

The programs in this announcement all have Value Unit-Based pricing.

Program number Program name Value Unit exhibit
5655-MA1 IBM Z Multi-Factor Authentication VUE040

For each IBM Z IPLA program with Value Unit pricing, the quantity of that program needed to satisfy applicable IBM terms and conditions is referred to as the required license capacity. Your required license capacity is based upon the following factors:

  • The IBM Z IPLA program you select
  • The applicable Value Unit Exhibit
  • The applicable terms


Value Unit exhibit VUE040

Cumulative Blocks of UserID Range Value Units per Block of UserID
1 to 10 1.00 VU/Blocks of 500 UserIDs
11 to 30 0.50 VU/Blocks of 500 UserIDs
31 to 100 0.30 VU/Blocks of 500 UserIDs
101 to 300 0.20 VU/Blocks of 500 UserIDs
301 to 1000 0.15 VU/Blocks of 500 UserIDs
1001 to 2000 0.10 VU/Blocks of 500 UserIDs
2001 + 0.05 VU/Blocks of 500 UserIDs


Ordering z/OS through the internet

Shopz provides an easy way to plan and order your z/OS ServerPac or CBPDO. It will analyze your current installation, determine the correct product migration, and present your new configuration based on z/OS. Additional products can also be added to your order (including determination of whether all product requisites are satisfied). For more details and availability, go to the Shopz website.

Charge metric

The charge metrics for these licensed products can be found in the following License Information documents:

Program identifier License Information document title License Information document number
5655-MA1 IBM Z Multi-Factor Authentication Release 2.2 L-MZAI-C4XQ46
5655-MA2 IBM Z Multi-Factor Authentication S&S 1.1.0 L-MZAI-C4XQ46

Select your language of choice and scroll down to the Charge Metrics section. Follow-on releases, if any, may have updated terms. See the License Information documents website for more information.

Basic license

To order, specify the program product number and the appropriate license or charge option. Also, specify the desired distribution medium. To suppress shipment of media, select the license-only option in CFSW.

Program name: IBM Z Multi-Factor Authentication

Program PID: 5655-MA1

Entitlement identifier Description License option/Pricing metric
S018G0T IBM Z Multi-Factor Authentication Basic OTC, per Value Unit
  IBM Z Multi-Factor Authentication MultiVersion Measurement NC

Orderable supply ID Language
S018FP2 US English

Subscription and support PID: 5655-MA2

Entitlement identifier Description License option/Pricing metric
S018G0V IBM Z Multi-Factor Authentication S&S Basic MSC, per Value Unit
  IBM Z Multi-Factor Authentication S&S No charge, decline SW S&S
  IBM Z Multi-Factor Authentication S&S MultiVersion Measurement S&S NC
Orderable supply ID Language Distribution medium
S018FNZ US English Paper

Subscription and Support

To receive voice technical support via telephone and future releases and versions at no additional charge, Subscription and Support must be ordered. The capacity of Subscription and Support (Value Units) must be the same as the capacity ordered for the product licenses.

To order, specify the Subscription and Support program number (PID) referenced above and the appropriate license or charge option.

IBM is also providing Subscription and Support for these products via a separately purchased offering under the terms of the IBM International Agreement for Acquisition of Software Maintenance. This offering:

  • Includes and extends the support services provided in the base support to include technical support via telephone.
  • Entitles you to future releases and versions, at no additional charge. Note that you are not entitled to new products.

When Subscription and Support is ordered, the charges will automatically renew annually unless cancelled by you.

The combined effect of the IPLA license and the Agreement for Acquisition of Software Maintenance gives you rights and support services comparable to those under the traditional ICA S/390® and System z® license or its equivalent. To ensure that you continue to enjoy the level of support you are used to in the ICA business model, you must order both the license for the program and the support for the selected programs at the same Value Unit quantities.

Customized Offerings

Product deliverables are shipped only through CBPDO and ServerPac. These customized offerings are offered for internet delivery. For more details on Internet delivery, go to the Help section on the Shopz website.

IBM recommends internet delivery. However, if you still require physical media, you can choose DVD.

Many products can be ordered in ServerPac the month following their availability in CBPDO. z/OS can be ordered through CBPDO and ServerPac on the planned availability date. Many products will also be orderable in a Product ServerPac without also having to order the z/OS operating system or subsystem.

Shopz and CFSW will determine the eligibility based on product requisite checking. For more details on the Product ServerPac, go to the Help section on the Shopz website.

Production of software product orders will begin on the planned availability date.

  • CBPDO shipments will begin within 3 business days after the planned availability date.
  • ServerPac, shipments will begin within 3-4 weeks after the planned product availability date due to additional customization and data input verification.



Back to topBack to top

Terms and conditions

Top rule

The information provided in this announcement letter is for reference and convenience purposes only. The terms and conditions that govern any transaction with IBM are contained in the applicable contract documents such as the IBM International Program License Agreement, IBM International Passport Advantage® Agreement, and the IBM Agreement for Acquisition of Software Maintenance.

Licensing

IBM International Program License Agreement including the License Information document and Proof of Entitlement (PoE) govern your use of the program. PoEs are required for all authorized use.

This software license includes Software Subscription and Support (also referred to as Software Maintenance).

Software Maintenance

The following agreement applies for Software Subscription and Support (Software Maintenance) and does not require client signatures:

  • IBM Agreement for Acquisition of Software Maintenance (Z125-6011)

These programs are licensed under the IBM Program License Agreement (IPLA) and the associated Agreement for Acquisition of Software Maintenance, which provide for support with ongoing access to releases and versions of the program. These programs have a one-time license charge for use of the program and an annual renewable charge for the enhanced support that includes telephone assistance (voice support for defects during normal business hours), as well as access to updates, releases, and versions of the program as long as support is in effect.

License Information number

The following License Information documents apply to the offerings in this announcement:

Program identifier License Information document title License Information document number
5655-MA1 IBM Z Multi-Factor Authentication Release 2.2 L-MZAI-C4XQ46
5655-MA2 IBM Z Multi-Factor Authentication S&S 1.1.0 L-MZAI-C4XQ46

Follow-on releases, if any, may have updated terms. See the License Information documents website for more information.


Migration from IBM MFA V1.x

If you are planning to migrate to IBM MFA 2.2 from a version prior to 2.0, contact your IBM representative for the appropriate course of action.

Limited warranty applies

Yes

Limited warranty

IBM warrants that when the program is used in the specified operating environment, it will conform to its specifications. The warranty applies only to the unmodified portion of the program. IBM does not warrant uninterrupted or error-free operation of the program or that IBM will correct all program defects. You are responsible for the results obtained from the use of the program.

IBM provides you with access to IBM databases containing information on known program defects, defect corrections, restrictions, and bypasses at no additional charge. For further information, see the IBM Support Guide.

IBM will maintain this information for at least one year after the original licensee acquires the program (warranty period).

Program technical support

Enhanced support

Technical support of a program product version or release will be available for a minimum of five years from the planned availability date, as long as your Software Subscription and Support is in effect.

This technical support allows you to obtain assistance (by telephone or electronic means) from IBM for product-specific, task-oriented questions regarding the installation and operation of the program product. Software Subscription and Support also provides you with access to updates (modifications or fixes), releases, and versions of the program. You will be notified, through an announcement letter, of discontinuance of support with 12 months' notice.

If you require additional technical support from IBM, including an extension of support beyond the discontinuance date, contact your IBM representative or IBM Business Partner. This extension may be available for a fee.

For additional information on the IBM Software Support Lifecycle Policies, see the Standard and enhanced IBM software support lifecycle policies website.

Money-back guarantee

If for any reason you are dissatisfied with the program and you are the original licensee, you may obtain a refund of the amount you paid for it, if within 30 days of your invoice date you return the program and its PoE to the party from whom you obtained it. If you downloaded the program, you may contact the party from whom you acquired it for instructions on how to obtain the refund.

For clarification, note that for programs acquired under any of IBM's On/Off Capacity on Demand (On/Off CoD) software offerings, this term does not apply since these offerings apply to programs already acquired and in use by you.

Volume orders (IVO)

No

Passport Advantage applies

No

Software Subscription and Support applies

Yes. During the Software Subscription and Support period, for the unmodified portion of a program, and to the extent problems can be recreated in the specified operating environment, IBM will provide the following:

  • Defect correction information, a restriction, or a bypass.
  • Program updates: Periodic releases of collections of code corrections, fixes, functional enhancements and new versions and releases to the program and documentation.
  • Technical assistance: A reasonable amount of remote assistance by telephone or electronically to address suspected program defects. Technical assistance is available from the IBM support center in the organization's geography.

Additional details regarding Technical Assistance, which includes IBM contact information, are provided in the IBM Support Guide.

Software Subscription and Support does not include assistance for:

  • The design and development of applications.
  • Your use of programs in other than their specified operating environment.
  • Failures caused by products for which IBM is not responsible under the IBM Agreement for Acquisition of Software Maintenance.

Software Subscription and Support is provided only if the program is within its support timeframe as specified in the Software Support Lifecycle policy for the program.

Yes. All distributed software licenses include Software Subscription and Support (also referred to as Software Maintenance) for a period of 12 months from the date of acquisition, providing a streamlined way to acquire IBM software and assure technical support coverage for all licenses. Extending coverage for a total of three years from date of acquisition may be elected.

While your Software Subscription and Support is in effect, IBM provides you assistance for your routine, short duration installation and usage (how-to) questions, and code-related questions. IBM provides assistance by telephone and, if available, electronic access, only to your information systems (IS) technical support personnel during the normal business hours (published prime shift hours) of your IBM support center. (This assistance is not available to your end users.) IBM provides Severity 1 assistance 24 hours a day, every day of the year. For additional details, go to the IBM Support Handbooks page.

Software Subscription and Support does not include assistance for the design and development of applications, your use of programs in other than their specified operating environment, or failures caused by products for which IBM is not responsible under this agreement.

IBM Operational Support Services - SoftwareXcel

No

Variable charges apply

No

Educational allowance available

Yes. A 15% education allowance applies to qualified education institution clients.

Multi-Version Measurement

Multi-Version Measurement (MVM) replaces the previously announced Migration Grace Period time limit of six months and allows unlimited time for clients to run more than one eligible version of a software program. Clients may run multiple versions of a program simultaneously for an unlimited duration during a program version upgrade. Clients may also choose to run multiple versions of a program simultaneously for an unlimited duration in a production environment. MVM does not extend support dates for programs withdrawn from service.

For more information about MVM, including requirements for qualification, see the MVM web page. For a list of eligible programs, see the IPLA Execution-Based web page.

Sub-capacity utilization determination

Sub-capacity utilization is determined based on the utilization of an eligible operating system and machine, for example, z/OS running in z/Architecture® (64 bit) mode on an IBM Z, or equivalent, server.



Back to topBack to top

Statement of good security practices

Top rule

IT system security involves protecting systems and information through intrusion prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, or misappropriated or can result in misuse of your systems to attack others. Without a comprehensive approach to security, no IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a regulatory compliant, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products, or services to be most effective.

Important: IBM does not warrant that any systems, products, or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.



Back to topBack to top

Prices

Top rule

Program name: IBM Z Multi-Factor Authentication

Program PID: 5655-MA1

Entitlement identifier Description License option/Pricing metric
S018G0T IBM Z Multi-Factor Authentication Basic OTC, per Value Unit
  IBM Z Multi-Factor Authentication MultiVersion Measurement NC

Subscription and Support PID: 5655-MA2

Entitlement identifier Description License option/Pricing metric
S018G0V IBM Z Multi-Factor Authentication S&S Basic ASC, per Value Unit
  IBM Z Multi-Factor Authentication No charge, decline SW S&S
  IBM Z Multi-Factor Authentication MultiVersion Measurement S&S NC

IBM Global Financing

IBM Global Financing offers competitive financing to credit-qualified clients to assist them in acquiring IT solutions. Offerings include financing for IT acquisition, including hardware, software, and services, from both IBM and other manufacturers or vendors. Offerings (for all client segments: small, medium, and large enterprise), rates, terms, and availability can vary by country. Contact your local IBM Global Financing organization or go to the IBM Global Financing website for more information.

IBM Global Financing offerings are provided through IBM Credit LLC in the United States, and other IBM subsidiaries and divisions worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment type, and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension, or withdrawal without notice.

Financing from IBM Global Financing helps you preserve cash and credit lines, enables more technology acquisition within current budget limits, can help accelerate implementation of economically attractive new technologies, offers payment and term flexibility, and can help match project costs to projected benefits. Financing is available worldwide for credit-qualified clients.



Back to topBack to top

Order now

Top rule

To order, contact the IBM Digital Sales Center, your local IBM representative, or your IBM Business Partner. To identify your local IBM representative or IBM Business Partner, call 800-IBM-4YOU (426-4968). For more information, contact the IBM Digital Sales Center.

Phone: 800-IBM-CALL (426-2255)

Fax: 800-2IBM-FAX (242-6329)

For IBM representative: askibm@ca.ibm.com

For IBM Business Partner: pwcs@us.ibm.com



IBM Digital Sales Offices
1177 S Belt Line Rd
Coppell, TX 75019-4642, US

The IBM Digital Sales Center, our national direct marketing organization, can add your name to the mailing list for catalogs of IBM products.


Note: Shipments will begin after the planned availability date.



Back to topBack to top

Regional availability

Top rule

American Samoa, Guam, Marshall Islands, Federated States of Micronesia, Northern Mariana Islands, Palau, Puerto Rico, United States, and US Virgin Islands

Trademarks

IBM Garage is a trademark of IBM Corporation in the United States, other countries, or both.

IBM Z, IBM, z/OS, RACF, z/VM, IBM Security, Passport Advantage, z/Architecture, Power, IBM Research, IBM Watson, IBM Cloud Pak, QRadar, Resilient, i2, Guardium, MaaS360, S/390 and System z are registered trademarks of IBM Corporation in the United States, other countries, or both.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.

Red Hat is a registered trademark of Red Hat Inc. in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Terms of use

IBM products and services which are announced and available in your country can be ordered under the applicable standard agreements, terms, conditions, and prices in effect at the time. IBM reserves the right to modify or withdraw this announcement at any time without notice. This announcement is provided for your information only. Additional terms of use are located at

Terms of use

For the most current information regarding IBM products, consult your IBM representative or reseller, or go to the IBM worldwide contacts page

IBM United States