Implementing IBM Cloud Identity Verify with IBM Z Multi-Factor Authentication
PhilPeters 120000CQMH Visits (607)
IBM Cloud Identity is a cloud based iden
Cloud Identity Server
To set up our server, we accessed the IBM Cloud provisioning portal for Cloud Identity Free Edition, available at URL http
We started configuring our new site by selecting the person icon on the far right and clicking on switch to admin. We then clicked on the 3 line hamburger icon in the upper left and selected Configuration. With the API Access tab selected and API Clients highlighted we clicked on the Add API Client button.
We then filled in a name for the client and selected the following APIs:
After the API client was saved, values for Client ID and Client Secret were generated. These values were needed when setting up our IbmR
While still in the API Access section, we selected Allowed Domains and clicked on the Add Domain button. We added a domain of the format http
We left the Configuration section by clicking on the hamburger icon, selecting Security and then selecting the Authentication Factors tab. Scrolling down to the IBM Verify Authentication section we changed the value for User Presence from On to Off and confirmed that the value for Fingerprint was set to On. This enforces that fingerprint authentication is needed when using IBM Verify.
The Hamburger icon button was then used to go to Users and Groups. With the Users tab selected, we clicked on Add. The Identity Source of Cloud Directory was selected. A new User name was entered and information for this user (Given name, Surname, Email and Mobile number) was filled in. A country code was not required to be entered in this field, but our understanding is that it is needed for the function to work, so we added +1 on the front of the number for the United States. The Enabled and Email New Account settings were left in the On position. When the new user was created, the owner received an email at the address specified. We refer to this new user id as a CIV user in this document and the configuration that the owner had to do will be described later.
IBM Verify Gateway for RADIUS
On our Windows server, we used Firefox to logon to the following URL and download the IBM Verify Gateway for RADIUS app: http
Note: Our first attempt at downloading failed and we found that prerequisites mentioned in the documentation for the app had to be downloaded before we could successfully download the app.
We installed the app on the Windows server in C:\Program Files\IBM\IbmRadius and put in place a file called IbmR
"client-id":"<value from API Client above>",
"address": "<ip address of our z2 system>",
"address": "<ip address of our z4 system>",
We added IBM Radius to the list of tasks on our Windows server by going into Task Manager>File>Run new task and pointing to C:\Program File
In Task Manager>More details>Services we right clicked on ibmradius and selected Open Services
This opened Services (Local) where we right clicked on IBM RADIUS Service and selected Properties
In here we set the Startup type to Automatic so that it would start on its own. Service status had been set to stopped so we clicked on start.
We then configured a rule in our firewall via Administrative Tools>Windows Firewall with Advanced Security>New Rule
A Rule Type of Program was selected and we specified the path to the location of our ibmRadius.exe file
Continuing through the Rule Wizard, we chose to allow the connection, to have the rule apply for Domain, Private and Public, and we gave the rule a name of ibmradius.
IBM Z Multi-Factor Authentication configuration
On our z/OS system, we issued the following RACF commands:
===> RDEF MFADEF FACTOR.AZFRADP1 UACC(NONE) OWNER(<MFA Owner>)
===> RDEF FACILITY IRR.
===> PE IRR.
===> SETR RACLIST(FACILITY MFADEF) REFRESH
We then invoked the MFA panels by executing the command AZFEXEC and went into option 4 for Generic Radius where we filled in the following values:
PKCS#11 Token Name . . . . . . . AZFTOTP.TOKEN
Key Label . . . . . . . . . . . . AZFSTC
Primary Server Host Name. . . . <ip of our windows server running Radius Gateway>
Primary Server Port . . . . . . . 2812
Secondary Server Host Name. . .
Secondary Server Port . . . . . . 0
Tertiary Server Host Name . . .
Tertiary Server Port. . . . . . . 0
Number of Retries . . . . . . . . 3
Timeout . . . . . . . . . . . . . 10
Shared Secret . . . . . . . . . <shared secret>
Connection type . . . . . . . . . 1 1. UDP 2. TCP
Enable Compound In-band Authentication. . N
Compound In-band Credential Order . . . . 1 1. MFA Credential First
2. RACF Credential First
Compound In-band Factor Separator . . . . : Default :
Initial Trace Level . . . . . . . . . . . 3
To pick up this change we stopped and started the MFA started tasks AZF#IN00 and AZF#IN01 on each system where they were running. (AZF#IN00 on Z2 and Z4, AZF#IN01 on Z2)
We modified an existing z/OS userid to use MFA Generic Radius and associated it with a CIV ID by issuing the RACF command:
===> ALU <z/OS USERID> MFA(
Where <CIVID> is the user we created on the Cloud Identity server previously.
Enrolling a device for a new CIV User
When a user was created on the Cloud Identity server, the owner of the new id received an email at the address specified within the new CIV user information. The email contained a link to the server http
Within IBM verify app, we selected Add device.
We were then presented with instructions for downloading the IBM Verify app on our device and we followed these to install IBM Verify on an iPad.
After installing IBM Verify on the iPad, we returned to the Cloud Identity server and chose Next: Connect your account and were then presented with a QR code and followed the instructions to connect the app on our device to our account.
From within the IBM Verify app on the iPad, we touched the squares icon in the upper left and pointed the iPad's camera at the QR code. We were presented with the options: Use Touch ID or No, Thanks. We selected Use Touch ID and performed a finger scan to complete the setup. Returning to the Cloud Identity server, we selected Next: Verify your device which caused a notification to be sent to our device which required us to select the checkmark and scan our finger on the iPad before telling us that it had been verified.
Logging on to z/OS
We logged on to the z4 system with the z/OS userid associated with CIV. The password for the CIV ID was entered (rather than the password for the z/OS ID). The following message was received on the z/OS screen:
ICH70008I IBM MFA Message:
Enter OTP 0984:
The Mobile number listed for the CIV ID received the following text:
Your passcode is:
It expires in 5 minutes
We entered 372446 in the z/OS password field and then received:
ICH70008I IBM MFA Message:
AZF1903I: RADIUS AUTHENTICATION SUCCESSFUL
We were successfully logged on to z/OS, confirming that our MFA set up using CIV with an auth-method of pass
We then logged onto Z2 with our z/OS ID and again provided the password for the CIV ID. This time we received the following message on the z/OS screen:
ICH70008I IBM MFA Message:
A push notification has been sent to your device :MFA iPad (iPad):. Please refresh your IBM Verify application if you did not receive it.
On the Verify app on the iPad, we received the following message:
Do you approve this request from Z2?
IBM Cloud Identity
Verify with Touch ID
We selected the checkmark, performed a finger scan and received a request verified message. We then returned to the z/OS logon screen, hit enter to clear the message, hit enter again and we were successfully logged on to z/OS. Once again this confirmed that MFA using CIV was working; this time using an auth-method of pass
Along the way we ran into issues. Some have already been mentioned and others are documented here.
When first trying to enroll our device with IBM Verify, the iPad would not capture a picture of the QR code. It turned out that the screen was zoomed in to a level where the entire QR code was not visible. Reducing the image on the screen corrected this.
After capturing a picture of the QR code, we received an error message saying the JSON data supplied was invalid. IBM Verify had been installed on the iPad previously for generic TouchToken. After going to the app store and updating our version of IBM Verify we were able to scan the QR code without encountering the error.
This implementation included setting up products and tools that we had never used before and took some time to research (and contribute to) documentation, ask questions and experiment with settings. The result is a new, cutting-edge way to access our z/OS environment using multi-factor authentication. The hope is that our efforts make this type of implementation easier for other z/OS clients.