How to: Configure passphrase and MFA support in the OMEGAMON 3270 Classic interface

In addition to using a regular password, you can also log on securely to the OMEGAMON 3270 Classic interface using a password phrase (passphrase) and multi-factor authentication (MFA). Some configuration steps are necessary to enable passphrase and MFA support for the OMEGAMON 3270 Classic interface. This topic explains how to perform this task using either Configuration Manager or PARMGEN.

Before you begin

A traditional mainframe password is eight bytes or less, while a passphrase is from nine to 100 bytes. MFA is an authentication method that typically requires a six-digit volatile numeric token that is paired with a password or passphrase value. A user ID must be set up in the security system to use a passphrase.
Note: Your security administrator must set up the user ID to use a passphrase. For RACF, use the PHRASE operand with the ADDUSER or ALTUSER command. For a security product other than RACF, refer to the documentation for that product for guidance on the equivalent actions.

On a 3270 screen, depending on the screen width, entering a long passphrase value into a field might require multiple lines. For example, if the screen width is 80 bytes, an input field would require multiple lines to support a value longer than 80 bytes. For a wider screen size, you can support a longer value on a single line, up to the available screen width.

On the OMEGAMON 3270 Classic interface logon screen, by default, the password fields support passwords that are eight bytes or less. Optionally, you can configure your product to support passphrase and MFA values for the OMEGAMON 3270 Classic interface; multiple settings are available. When passphrase support is enabled, configuration parameters are used to specify the SAF security class and SAF application ID to use for the OMEGAMON 3270 Classic interface.
Important: When passphrase support is enabled, OMEGAMON implements the SAF interface for external security without the use of security exits. For more information, see OMEGAMON® 3270 Classic interface security.

About this task

To use passphrase values and MFA for the OMEGAMON 3270 Classic interface, you must configure your product to enable passphrase support. Multiple passphrase configuration options are available that affect the length of the passphrase that is supported on a single line and the layout of the logon screen.
Note: It is recommended that you review the available configuration options, especially if you use programs to automate the logon process to the OMEGAMON 3270 Classic interface that rely on static placement of keywords and input fields.
Passphrase support for the OMEGAMON 3270 Classic interface is provided for the following products, listed with the respective product code:
  • OMEGAMON for CICS (C2)
  • OMEGAMON for Db2 Performance Expert (D2)
  • OMEGAMON for IMS (I2)
  • OMEGAMON for z/OS (M2)
  • IBM Z OMEGAMON Monitor for z/OS (M2)
Passphrase enablement and configuration are controlled by the parameter Kpp_CLASSIC_PASSPHRASE. When passphrase support is enabled, the SAF security class is defined by Kpp_CLASSIC_SECCLASS and the SAF application ID is defined by Kpp_CLASSIC_SAFAPPL. In each parameter name, pp is C2, D2, I2, or M2, depending on the supported product.
The following configuration options are available for passphrase support:
Kpp_CLASSIC_PASSPHRASE
This parameter specifies the passphrase support setting for the OMEGAMON 3270 Classic interface.
Note: In the following figures, a ruler is shown on the screen. The ruler is included in the documentation for illustrative purposes only and is not displayed in the product.
PARTIAL
Passphrase support is enabled with the PASSWORD and NEW PASSWORD fields each consisting of a single line. The minimum length of each of these fields is 34 bytes, and the maximum length (which can be up to 100 bytes) depends on the screen width. With this setting, the fields are aligned in the center of the screen, as shown in the following figure:
                                                                             
                                                                             
>                             Copyright 1980-2022                            
>                    IBM Corporation. All rights reserved.                   
>                       Use permissible by license only.                     
>                                                                            
                                                                             
                                                                             
                           ENTER USERID ==>                                  
                               PASSWORD ==>                                  
                                  GROUP ==>                                  
                           NEW PASSWORD ==>                                  
                                                                             
                           Press F3 to exit logon                            
                                                                             
                                                                             
|...+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8
12345678901234567890123456789012345678901234567890123456789012345678901234567890
Note: Passphrase support for the OMEGAMON 3270 Classic interface is introduced with APAR OA57133 (PTF UA98944). With the PARTIAL setting, the input field labels and placement are compatible with the screen layout before passphrase support was introduced.
MAX62
Passphrase support is enabled with the PASSWORD and NEW PASSWORD fields each consisting of a single line. The minimum length of each of these fields is 62 bytes, and the maximum length (which can be up to 100 bytes) depends on the screen width. With this setting, the fields are aligned at the left of the screen, as shown in the following figure:
                                                                                
                                                                                
>                             Copyright 1980-2022                               
>                    IBM Corporation. All rights reserved.                      
>                       Use permissible by license only.                        
>                                                                               
                                                                                
                                                                                
ENTER USERID ==>                                                                
    PASSWORD ==>                                                                
       GROUP ==>                                                                
NEW PASSWORD ==>                                                                
                                                                                
                           Press F3 to exit logon                               
                                                                                
                                                                                
|...+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8
12345678901234567890123456789012345678901234567890123456789012345678901234567890
FULL
Passphrase support is enabled with the PASSWORD and NEW PASSWORD fields each consisting of two lines. The value in the second line is concatenated onto the end of the value in the first line. The length of the first line is 34 bytes and the length of the second line is 66 bytes, allowing the maximum passphrase value of 100 bytes to be entered. With this setting, the fields are aligned in the center of the screen, as shown in the following figure:
                                                                                
                                                                                
>                             Copyright 1980-2022                               
>                    IBM Corporation. All rights reserved.                      
>                       Use permissible by license only.                        
>                                                                               
                                                                                
                                                                                
                           ENTER USERID ==>                                     
                               PASSWORD ==>                                     
                                                                                
                                  GROUP ==>                                     
                           NEW PASSWORD ==>                                     
                                                                                
                                                                                
                           Press F3 to exit logon                               
                                                                                
                                                                                
|...+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8
12345678901234567890123456789012345678901234567890123456789012345678901234567890
NO or NONE
Passphrase support is not enabled. The lengths of the PASSWORD and NEW PASSWORD fields are eight bytes each. With this setting, if you have external security defined using a security exit, the fields are aligned in the center of the screen, as shown in the following figure:
                                                                                
                                                                                
>                             Copyright 1980-2020                               
>                    IBM Corporation. All rights reserved.                      
>                       Use permissible by license only.                        
>                                                                               
                                                                                
                                                                                
                           ENTER USERID ==>                                     
                               PASSWORD ==>                                     
                                  GROUP ==>                                     
                           NEW PASSWORD ==>                                     
                                                                                
                           Press F3 to exit logon                               
                                                                                
                                                                                
|...+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8
12345678901234567890123456789012345678901234567890123456789012345678901234567890
Note: If you do not have external security defined, none of the fields for credentials appear on the logon screen.
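
For programs that automate the logon and rely on static field placement (see the note under "About this task"), the following added example, which is not IBM-supplied code, locates the input fields by their labels and infers the layout from label placement. The sample screens are constructed from the figures above; the function names are hypothetical.

```python
import re

# Labels as shown on the logon screens above; NEW PASSWORD is listed before
# PASSWORD so the longer label is matched first.
LABEL_RE = re.compile(r"(ENTER USERID|NEW PASSWORD|PASSWORD|GROUP) ==>")

def locate_fields(rows):
    """Return {label: (row, first_col, last_col)}, all 1-based."""
    found = {}
    for row_no, text in enumerate(rows, start=1):
        m = LABEL_RE.search(text)
        if m:
            found[m.group(1)] = (row_no, m.start() + 1, m.end())
    return found

def classify_layout(rows):
    """Infer the logon layout from label placement only."""
    f = locate_fields(rows)
    if "PASSWORD" not in f:
        return "no credential fields"        # no external security defined
    if f["GROUP"][0] - f["PASSWORD"][0] == 2:
        return "FULL"                        # continuation line under PASSWORD
    if f["ENTER USERID"][1] == 1:
        return "MAX62"                       # labels start in column 1
    return "PARTIAL or NO/NONE"              # same centered single-line layout

def sample_screen(indent, two_line):
    """Constructed 80-column rows modelled on the figures above."""
    rows = [""] * 8                          # banner area, content not needed
    for label in ("ENTER USERID", "PASSWORD", "GROUP", "NEW PASSWORD"):
        rows.append(" " * indent + (label + " ==>").rjust(16))
        if two_line and "PASSWORD" in label:
            rows.append("")                  # second input line of the field
    rows += ["", "Press F3 to exit logon".center(80)]
    return [r.ljust(80) for r in rows]

if __name__ == "__main__":
    for name, args in (("centered", (27, False)), ("left", (0, False)),
                       ("two-line", (27, True))):
        screen = sample_screen(*args)
        print(name, classify_layout(screen), locate_fields(screen))
```

Because PARTIAL keeps the label placement of the pre-passphrase screen, label positions alone cannot tell PARTIAL from NO or NONE; only the field length differs.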

Use the following procedure to enable passphrase and MFA support for your OMEGAMON 3270 Classic interface. If you do not want to use passphrase or MFA when logging on to the OMEGAMON 3270 Classic interface, no configuration changes are needed.

Procedure

To enable passphrase support for your OMEGAMON 3270 Classic interface, perform the following steps for each of your supported OMEGAMON products. Use either of the following methods:

  • Using Configuration Manager:
    1. In RTEDEF(Kpp$PARM) or RTEDEF(Kpp$lpar), add the following parameters:
      • Kpp_CLASSIC_PASSPHRASE set to value PARTIAL, MAX62, or FULL
      • Kpp_CLASSIC_SECCLASS set to the OMEGAMON SAF security class
      • Kpp_CLASSIC_SAFAPPL set to the OMEGAMON SAF application ID
    2. Run the GENERATE action.
    Recycle the OMEGAMON Classic started task for the configuration changes to take effect. See the product-specific documentation for more information.
    Note: For more information about changing parameter values after you have completed configuration of the runtime environment using Configuration Manager, see Creating or updating a runtime environment.
  • Using PARMGEN:
    1. In WCONFIG(#rtename), add the following parameters:
      • Kpp_CLASSIC_PASSPHRASE set to value PARTIAL, MAX62, or FULL
      • Kpp_CLASSIC_SECCLASS set to the OMEGAMON SAF security class
      • Kpp_CLASSIC_SAFAPPL set to the OMEGAMON SAF application ID
    2. Submit the $PARSE job to refresh the profile.
    Recycle the OMEGAMON Classic started task for the configuration changes to take effect. See the product-specific documentation for more information.
    Note: For more information about changing parameter values after you have completed configuration of the runtime environment using PARMGEN, see Scenario RTE03: Changing parameters in an RTE.
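
A pre-deployment check for the parameters added in step 1, as an added example that is not part of the product or its documentation: it flags a product whose Kpp_CLASSIC_PASSPHRASE enables passphrase support without both SAF parameters, and values outside the documented settings. It assumes member lines of the form "NAME value" (value optionally in double quotes) with comment lines starting with "*"; the sample member and its class and application ID values are constructed placeholders.

```python
import re

ENABLED = {"PARTIAL", "MAX62", "FULL"}       # settings that enable passphrases
DISABLED = {"NO", "NONE"}
PRODUCTS = {"C2", "D2", "I2", "M2"}          # product codes listed in this topic
PARAM_RE = re.compile(
    r"^K([A-Z0-9]{2})_CLASSIC_(PASSPHRASE|SECCLASS|SAFAPPL)\s+(\S.*)$")

def parse_member(text):
    """Collect {pp: {suffix: value}} (assumed 'NAME value' line format)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        m = PARAM_RE.match(line)
        if m:
            pp, suffix, value = m.groups()
            params.setdefault(pp, {})[suffix] = value.strip().strip('"')
    return params

def lint(text):
    """Return findings for passphrase settings that are incomplete or unknown."""
    findings = []
    for pp, p in sorted(parse_member(text).items()):
        mode = p.get("PASSPHRASE", "").upper()
        if pp not in PRODUCTS:
            findings.append(f"K{pp}: product code not in the supported list")
        if mode in ENABLED:
            for suffix in ("SECCLASS", "SAFAPPL"):
                if not p.get(suffix):
                    findings.append(
                        f"K{pp}_CLASSIC_{suffix} missing while passphrase is {mode}")
        elif mode and mode not in DISABLED:
            findings.append(f"K{pp}_CLASSIC_PASSPHRASE has unknown value {mode!r}")
    return findings

# Constructed sample member; class and application ID are placeholders.
SAMPLE = '''* constructed sample, not a real runtime environment
KM2_CLASSIC_PASSPHRASE   FULL
KM2_CLASSIC_SECCLASS     "EXAMPLECLS"
KM2_CLASSIC_SAFAPPL      "EXAMPLEAPP"
KC2_CLASSIC_PASSPHRASE   MAX62
KC2_CLASSIC_SECCLASS     "EXAMPLECLS"
KI2_CLASSIC_PASSPHRASE   MAX64
KD2_CLASSIC_PASSPHRASE   NONE
'''

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```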