Today, the most common way for users to access z/OS® systems is the use of passwords or password phrases. Because passwords are simple, they present a relatively easy point of attack. For a system that relies on passwords to be secure, it must enforce password controls and provide user education. Common problems with simple passwords are that users tend to choose common passwords, write their passwords down, or unintentionally install malware that logs keystrokes, including passwords.
A more secure option is for systems to require multiple authentication factors to verify the user's identity.
What is Multi-Factor Authentication?
A multi-factor authentication system requires that multiple authentication factors be presented during logon to verify a user's identity. Each authentication factor must be from a separate category of credential types:
Something you know: A password or security question
Something you have: An ID badge or cryptographic token device
Something you are: Fingerprint or other biometric data
By requiring multiple authentication factors, a user's account cannot be compromised when only one of their factors is discovered.
Users could log on with the following methods:
IBM MFA with SecurID
In the simplest terms, for IBM MFA with SecurID, the RSA Authentication Manager determines whether the user's credentials are valid and, if so, returns success to RACF. RACF then resumes control and completes the authentication and authorization process as usual.
IBM MFA with SecurID requires:
"Something you have." (The hardware or software RSA SecurID token.)
"Two things you know." (An RSA SecurID Personal Identification Number (PIN), and something you know.)
IBM TouchToken
For IBM MFA with IBM TouchToken, you use the IBM TouchToken for iOS application on supported Apple devices to generate a hashed, timed one-time password (OTP), and then use this password together with your z/OS user name to log on to the z/OS system.
The OTP generated by the IBM TouchToken for iOS application must match the OTP generated by the IBM TouchToken component on the z/OS server. OTPs are regenerated at regular intervals.
IBM TouchToken requires:
"Something you have." (The Apple Touch ID device, with the provisioned IBM TouchToken for iOS application.)
"Something you are." (Your fingerprint.)
IBM MFA Certificate Authentication
IBM MFA Certificate Authentication is a general-purpose certificate authentication method that includes Common Access Card (CAC) and Personal Identity Verification (PIV) cards. Certificate authentication uses the client identity certificate to authenticate the user.
IBM MFA Certificate Authentication requires:
"Something you have." (The approved certificate, typically from a PIV or CAC card or other smart card.)
"Something you know." (The Personal Identification Number (PIN).)
How does z/OS TDS LDAP work with MFA?
z/OS TDS LDAP provides an SDBM interface to RACF so that RACF profiles can be managed remotely over the LDAP protocol. SDBM supports:
Authentication as RACF users
Adding, modifying, and deleting RACF users, groups, and general resources
  Users - ALTUSER, ADDUSER, and DELUSER RACF commands
  Groups - ALTGROUP, ADDGROUP, and DELGROUP RACF commands
  General resources - RALTER, RDEFINE, and RDELETE RACF commands
In V2R3, LDAP adds MFA support for SDBM. It includes three parts:
1. Allow customers to present MFA credentials to RACF through an LDAP simple bind.
2. Allow RACF administrators to alter/search/compare MFA data in a user profile through SDBM.
3. Allow RACF administrators to add/alter/search/compare MFA policy data in a resource profile through SDBM.
The new MFA fields are mapped to the LDAP attributes “racfMFAFactor”, “racfMFAFactorStatus”, “racfMFAFactorTags”, “racfMFAPWFallback”, “racfMFAPolicy”, “racfMfpolicyFactors”, “racfMfpolicyTokentimeout” and “racfMfpolicyReuse” in the schema.
The search operation will show MFA attributes such as:
racfMFAPWFallback=PWFALLBACK
racfMFAFactor=FACTOR01
racfMFAFactor=FACTOR02
racfMFAFactorStatus=FACTOR01:ACTIVE
racfMFAFactorStatus=FACTOR02:NOACTIVE
racfMFAFactorTags=FACTOR01:TAG1:ABC
racfMFAFactorTags=FACTOR01:TAG2:123
racfMFAFactorTags=FACTOR02:TAG1:DEF
racfMFAFactorTags=FACTOR02:TAG2:789
racfMFAPolicy=POL01
racfMFAPolicy=POL02
An MFA-related modify operation is converted to an ALTUSER RACF command, such as “altuser user01 MFA(FACTOR(<factor-name>) TAGS(...) ACTIVE PWFALLBACK ADDPOLICY(...))”. The add operation is not supported because RACF doesn't provide a corresponding ADDUSER RACF command. The factor name portion indicates which factor is being manipulated; only one factor can be manipulated in one RACF ALTUSER command. The conversions are listed below:
LDAP modify operation                              RACF command
+racfMFAFactor=factorname                          MFA(FACTOR(factorname))
-racfMFAFactor=factorname                          MFA(DELFACTOR(factorname))
-racfMFAFactor                                     NOMFA
+racfMFAFactorStatus=factorname:ACTIVE             MFA(FACTOR(factorname) ACTIVE)
+racfMFAFactorStatus=factorname:NOACTIVE           MFA(FACTOR(factorname) NOACTIVE)
+racfMFAFactorTags=factorname:tagname:tagvalue     MFA(FACTOR(factorname) TAGS(tagname:tagvalue))
-racfMFAFactorTags=factorname:tagname              MFA(FACTOR(factorname) DELTAGS(tagname))
-racfMFAFactorTags=factorname:                     MFA(FACTOR(factorname) NOTAGS)
+racfMFAPWFallback=PWFALLBACK                      MFA(PWFALLBACK)
+racfMFAPWFallback=NOPWFALLBACK                    MFA(NOPWFALLBACK)
+racfMFAPolicy=policyname                          MFA(ADDPOLICY(policyname))
-racfMFAPolicy=policyname                          MFA(DELPOLICY(policyname))
-racfMFAPolicy                                     MFA(DELPOLICY(*))
An MFA policy-related add/modify operation is converted to an RDEFINE/RALTER RACF command, such as “rdefine/ralter MFADEF POLICY.POL01 MFPOLICY(FACTORS(FACTOR01 FACTOR02) TOKENTIMEOUT(60) REUSE(YES))”. The conversions are listed below:
LDAP modify operation                  RACF command
+racfMfpolicyFactors=factorname        MFPOLICY(FACTORS(factorname))
-racfMfpolicyFactors                   MFPOLICY(NOFACTORS)
+racfMfpolicyTokenTimeout=seconds      MFPOLICY(TOKENTIMEOUT(seconds))
+racfMfpolicyReuse=YES|NO              MFPOLICY(REUSE(YES|NO))
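The two conversion tables above, worked through as a small converter. This is an added example, not code from the z/OS LDAP server: it turns one z/OS ldapmodify +/- line (the non-LDIF input format used later on this page) into the ALTUSER or RALTER command SDBM would issue, and rejects operations the tables don't define. The function names and the _parse helper are the example's own.

```python
"""Map z/OS ldapmodify MFA operations (+attr=value adds, -attr=value deletes)
to the RACF command that the SDBM backend issues, per the conversion tables.
Illustrative code, not part of the z/OS LDAP server."""
import re

# One ldapmodify line: op (+ or -), attribute name, optional "=value".
LINE = re.compile(r"^(?P<op>[+-])(?P<attr>[A-Za-z]+)(?:=(?P<val>.*))?$")


def _parse(line):
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a +/- modify line: {line!r}")
    return m["op"], m["attr"].lower(), m["val"]


def user_mfa_command(userid, line):
    """ALTUSER command for one MFA attribute change on a user profile."""
    op, attr, val = _parse(line)
    parts = val.split(":") if val else []      # factorname[:tag[:value]]
    if attr == "racfmfafactor":
        kw = (f"MFA(FACTOR({val}))" if op == "+"
              else f"MFA(DELFACTOR({val}))" if val else "NOMFA")
    elif attr == "racfmfafactorstatus" and op == "+":
        kw = f"MFA(FACTOR({parts[0]}) {parts[1].upper()})"   # ACTIVE|NOACTIVE
    elif attr == "racfmfafactortags" and op == "+":
        kw = f"MFA(FACTOR({parts[0]}) TAGS({parts[1]}:{parts[2]}))"
    elif attr == "racfmfafactortags":                        # delete forms
        kw = (f"MFA(FACTOR({parts[0]}) DELTAGS({parts[1]}))"
              if len(parts) > 1 and parts[1] else f"MFA(FACTOR({parts[0]}) NOTAGS)")
    elif attr == "racfmfapwfallback" and op == "+":
        kw = f"MFA({val.upper()})"                           # [NO]PWFALLBACK
    elif attr == "racfmfapolicy":
        kw = (f"MFA(ADDPOLICY({val}))" if op == "+"
              else f"MFA(DELPOLICY({val or '*'}))")
    else:
        raise ValueError(f"unsupported MFA modify: {line!r}")
    return f"ALTUSER {userid.upper()} {kw}"


def policy_mfa_command(policy, line):
    """RALTER command for one MFPOLICY attribute change on an MFADEF profile."""
    op, attr, val = _parse(line)
    if attr == "racfmfpolicyfactors":
        kw = f"MFPOLICY(FACTORS({val}))" if op == "+" else "MFPOLICY(NOFACTORS)"
    elif attr == "racfmfpolicytokentimeout" and op == "+":
        kw = f"MFPOLICY(TOKENTIMEOUT({int(val)}))"           # must be numeric
    elif attr == "racfmfpolicyreuse" and op == "+":
        kw = f"MFPOLICY(REUSE({val.upper()}))"
    else:
        raise ValueError(f"unsupported MFPOLICY modify: {line!r}")
    return f"RALTER MFADEF POLICY.{policy.upper()} {kw}"
```

Feeding it the activation line from the session below gives ALTUSER DREW2 MFA(FACTOR(FACTOR05) ACTIVE), and a plain (non +/-) replace of a user MFA attribute raises, matching the tables.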
Operate MFA fields with LDAP
ldapsearch -D "racfid=drew2,profiletype=user,cn=myracf" -w xxxx -s sub -b "racfid=drew2,profiletype=user,cn=myracf" "objectclass=*"
racfid=DREW2,profiletype=USER,cn=myracf
racfid=DREW2
racfauthorizationdate=04/11/17
racfowner=RACFID=SUIMGUP,PROFILETYPE=USER,CN=MYRACF
racfpasswordinterval=180
racfpasswordchangedate=11/22/18
racfprogrammername=SPECIAL USER
racfdefaultgroup=RACFID=DCEMVS,PROFILETYPE=GROUP,CN=MYRACF
racflastaccess=11/23/18/01:20:44
racflogondays=SUNDAY
racflogondays=MONDAY
racflogondays=TUESDAY
racflogondays=WEDNESDAY
racflogondays=THURSDAY
racflogondays=FRIDAY
racflogondays=SATURDAY
racflogontime=ANYTIME
racfconnectgroupname=RACFID=DCEMVS,PROFILETYPE=GROUP,CN=MYRACF
racfhavepasswordenvelope=NO
racfhavepassphraseenvelope=NO
racfmfapwfallback=NOPWFALLBACK
racfmfafactor=FACTOR05
racfmfafactor=FACTOR02
racfmfafactorstatus=FACTOR05:NOACTIVE
racfmfafactorstatus=FACTOR02:ACTIVE
racfattributes=SPECIAL
racfattributes=PASSWORD
objectclass=TOP
objectclass=RACFBASECOMMON
objectclass=RACFUSER
ldapmodify -D "racfid=drew2,profiletype=user,cn=myracf" -w xxxx
racfid=drew2,profiletype=user,cn=myracf
+racfmfafactorstatus=factor05:active

modifying entry racfid=drew2,profiletype=user,cn=myracf

ldapsearch -D "racfid=drew2,profiletype=user,cn=myracf" -w xxxx -s sub -b "racfid=drew2,profiletype=user,cn=myracf" "objectclass=*"
racfid=DREW2,profiletype=USER,cn=myracf
racfid=DREW2
racfauthorizationdate=04/11/17
racfowner=RACFID=SUIMGUP,PROFILETYPE=USER,CN=MYRACF
racfpasswordinterval=180
racfpasswordchangedate=11/22/18
racfprogrammername=SPECIAL USER
racfdefaultgroup=RACFID=DCEMVS,PROFILETYPE=GROUP,CN=MYRACF
racflastaccess=11/23/18/01:26:22
racflogondays=SUNDAY
racflogondays=MONDAY
racflogondays=TUESDAY
racflogondays=WEDNESDAY
racflogondays=THURSDAY
racflogondays=FRIDAY
racflogondays=SATURDAY
racflogontime=ANYTIME
racfconnectgroupname=RACFID=DCEMVS,PROFILETYPE=GROUP,CN=MYRACF
racfhavepasswordenvelope=NO
racfhavepassphraseenvelope=NO
racfmfapwfallback=NOPWFALLBACK
racfmfafactor=FACTOR05
racfmfafactor=FACTOR02
racfmfafactorstatus=FACTOR05:ACTIVE
racfmfafactorstatus=FACTOR02:ACTIVE
racfattributes=SPECIAL
racfattributes=PASSWORD
objectclass=TOP
objectclass=RACFBASECOMMON
objectclass=RACFUSER
Operate MFA Policies with LDAP
ldapsearch -D cn=admin -w xxxx -s sub -b "profilename=POLICY.POLICY03,profiletype=MFADEF,cn=myracf" "objectclass=*"
profilename=POLICY.POLICY03,profiletype=MFADEF,cn=myracf
profilename=POLICY.POLICY03
racfauthorizationdate=12/15/16
racfowner=RACFID=SUIMGUP,PROFILETYPE=USER,CN=MYRACF
racflastreferencedate=12/15/16
racflastchangedate=12/15/16
racfalteraccesscount=0
racfcontrolaccesscount=0
racfupdateaccesscount=0
racfreadaccesscount=0
racfuacc=NONE
racfresourceaudit=FAILURES(READ)
racflevel=0
racfmfpolicytokentimeout=460
racfmfpolicyreuse=YES
objectclass=TOP
objectclass=RACFRESOURCE
objectclass=EXTENSIBLEOBJECT
ldapmodify -D cn=admin -w xxxx
dn: profilename=policy.policy03,profiletype=MFADEF,cn=myracf
changetype: modify
replace: racfmfpolicytokentimeout
racfmfpolicytokentimeout: 240
-

ldapsearch -D cn=admin -w xxxx -s sub -b "profilename=POLICY.POLICY03,profiletype=MFADEF,cn=myracf" "objectclass=*"
profilename=POLICY.POLICY03,profiletype=MFADEF,cn=myracf
profilename=POLICY.POLICY03
racfauthorizationdate=12/15/16
racfowner=RACFID=SUIMGUP,PROFILETYPE=USER,CN=MYRACF
racflastreferencedate=12/15/16
racflastchangedate=12/15/16
racfalteraccesscount=0
racfcontrolaccesscount=0
racfupdateaccesscount=0
racfreadaccesscount=0
racfuacc=NONE
racfresourceaudit=FAILURES(READ)
racflevel=0
racfmfpolicytokentimeout=240
racfmfpolicyreuse=YES
objectclass=TOP
objectclass=RACFRESOURCE
objectclass=EXTENSIBLEOBJECT