Configuring multifactor authentication for UMS

UMS supports multifactor authentication with the Unified Management Server 1.1 (UI78605) or later release. To improve security by using multifactor authentication, enable the Zowe Single Sign-On (SSO) provided by the Zowe API Mediation Layer. Zowe SSO leverages an access token to communicate with the z/OS® services that are accessible through the Zowe API Mediation Layer.

Before you begin

The UMS multifactor authentication requires IBM® Z Multi-Factor Authentication and z/OSMF version 2.4 or later.

The Zowe API Mediation Layer must be enabled within the Zowe instance.env file by including GATEWAY in the LAUNCH_COMPONENT_GROUPS parameter list. For details, see the Zowe documentation for component configuration.

Restriction: UMS multifactor authentication is not compatible with the IMS Administration Foundation feature. You must use the default authentication (STANDARD_JWT) method. For details of authentication types, see Table 1.

About this task

Before implementing UMS multifactor authentication, configure IBM Z Multi-Factor Authentication for new and existing users. To configure multifactor authentication for UMS, complete the following tasks:

Procedure

  1. Shut down Zowe.
    1. Stop ZSS cross-memory server.
      /p <job_name>

      If Zowe defaults have been chosen, <job_name> should be replaced with ZWESISTC.

    2. Stop Zowe server.
      /p <job_name>

      If Zowe defaults have been chosen, <job_name> should be replaced with ZWESVSTC.

  2. Apply the IBM APAR PH39582 required for z/OSMF.
  3. Ensure that all users have access to z/OSMF.
    For RACF, the user must be connected to either the IZUUSER or the IZUADMIN group. For other ESMs, refer to the z/OSMF documentation for your specific ESM.
  4. To enable Zowe API Mediation Layer in UMS, configure the authType parameter.
    1. By using the <system_admin_id> user ID, open the PARMLIB member IZPUMSPM that is located at RUNHLQ.IZP.PARMLIB(IZPUMSPM).
    2. Edit the authType parameter to MFA_JWT. The default value for the authType parameter is STANDARD_JWT.
    3. Confirm the apimlHost and apimlPort parameter values are consistent with the Zowe instance.env file. The host and port parameters in the Zowe instance.env file are ZOWE_EXPLORER_HOST and GATEWAY_PORT.
    4. Run the IZP_UMS_VARDIR/bin/install/izp-update-for-apiml.sh script.
    Note: To disable Zowe API Mediation Layer in UMS, configure the authType parameter to STANDARD_JWT and run the IZP_UMS_VARDIR/bin/install/izp-update-for-apiml.sh script.
  5. Configure Zowe for multifactor authentication by adding gateway, SSO token name, SSO certificate, and SSO token label. For details, see Zowe documentation.
  6. Update RACF® to use PassTickets for MFA users by running the following command:
    ALU ums_user_id MFA(FACTOR(AZFPTKT1) ACTIVE NOTAGS)

    For details, see Using IBM MFA with PassTickets.

  7. To RDEFINE resources in PTKTDATA and permit access to Db2 for evaluating PassTickets, refer to the following links:
  8. Permit access to the IBM Z Multi-Factor Authentication started task to verify Db2 PassTickets. Run the following command:
    PERMIT IRRPTAUTH.<applname>.* CLASS(PTKTDATA) -
    ID(<MFA STC user>) ACCESS(READ)

    For details, see Using IBM MFA with PassTickets.

    Notes:
    • To find the Db2 PassTicket <applname>, run the -DIS DDF Db2 command.
    • For a data sharing group, the Db2 PassTicket <applname> is the IPNAME or GENERICLU.
    • For a standalone Db2 subsystem, the Db2 PassTicket <applname> is the IPNAME or LUNAME.
  9. When configuring a second authentication factor for the user (AZFPTKT1), the Zowe started task (STC_USER) needs access to the PTKTDATA class. Run the following command:
    PERMIT IRRPTAUTH.<applname>.* CLASS(PTKTDATA) -
    ID(<Zowe STC User>) ACCESS(UPDATE)
    Note: To find the Db2 PassTicket <applname>, run the -DIS DDF Db2 command.
  10. Refresh the profile by running the following command:
    SETROPTS RACLIST(PTKTDATA) REFRESH
  11. Start Zowe.
    1. Go to System Display and Search Facility (SDSF) in 3270.
    2. Start ZSS cross-memory server.
      /s <job_name>,reusasid=yes
      If Zowe defaults have been chosen, <job_name> should be replaced with ZWESISTC. You must specify reusasid=yes after <job_name>.
    3. Start Zowe server.
      /s <job_name>,instance='<zowe_instance>'

      If Zowe defaults have been chosen, <job_name> should be replaced with ZWESVSTC. Replace <zowe_instance> with the absolute path of your Zowe instance directory.
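Step 4 requires the authType, apimlHost, and apimlPort values in IZPUMSPM to agree with the Zowe instance.env settings, and the prerequisite above requires GATEWAY in LAUNCH_COMPONENT_GROUPS whenever the API Mediation Layer is used. The following script, an added example that is not part of IBM's UMS or Zowe code, performs that consistency check before Zowe is restarted. It assumes that the PARMLIB member uses key=value lines (the real member layout may differ; adjust parse_kv accordingly); the host, port, and group values shown are constructed samples.

```python
"""Check UMS API ML settings (IZPUMSPM) against the Zowe instance.env.

Added example, not IBM's or Zowe's code. The key=value layout assumed
for the IZPUMSPM PARMLIB member is an assumption; the instance.env
variables ZOWE_EXPLORER_HOST, GATEWAY_PORT and LAUNCH_COMPONENT_GROUPS
are the ones named in the procedure above.
"""

# Constructed sample of a Zowe instance.env (values are examples only).
INSTANCE_ENV = """\
# Zowe instance.env (constructed sample)
ZOWE_EXPLORER_HOST=zowe.example.com
GATEWAY_PORT=7554
LAUNCH_COMPONENT_GROUPS=DESKTOP,GATEWAY
"""

# Constructed sample of RUNHLQ.IZP.PARMLIB(IZPUMSPM); key=value layout assumed.
IZPUMSPM = """\
# IZPUMSPM (constructed sample, key=value layout assumed)
authType=MFA_JWT
apimlHost=zowe.example.com
apimlPort=7554
"""

# Authentication types named in the procedure (see Table 1 in the original page).
VALID_AUTH_TYPES = {"STANDARD_JWT", "MFA_JWT"}


def parse_kv(text):
    """Parse key=value lines; '#' starts a comment, quotes around values are dropped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg


def check_ums_apiml(parmlib_text, instance_env_text):
    """Return a list of problems; an empty list means the two files agree."""
    ums = parse_kv(parmlib_text)
    env = parse_kv(instance_env_text)
    problems = []

    # The procedure states STANDARD_JWT as the default when authType is absent.
    auth_type = ums.get("authType", "STANDARD_JWT")
    if auth_type not in VALID_AUTH_TYPES:
        problems.append(f"authType={auth_type!r} is not one of {sorted(VALID_AUTH_TYPES)}")
        return problems

    if auth_type != "MFA_JWT":
        # API ML is not used by UMS; the apiml* values do not matter.
        return problems

    # Prerequisite: the gateway component group must be launched by Zowe.
    groups = {g.strip().upper() for g in env.get("LAUNCH_COMPONENT_GROUPS", "").split(",") if g.strip()}
    if "GATEWAY" not in groups:
        problems.append("LAUNCH_COMPONENT_GROUPS in instance.env does not include GATEWAY")

    # Step 4.3: host and port must match the gateway the Zowe instance actually exposes.
    ums_host = ums.get("apimlHost", "").lower()
    env_host = env.get("ZOWE_EXPLORER_HOST", "").lower()
    if not ums_host or ums_host != env_host:
        problems.append(f"apimlHost={ums_host!r} does not match ZOWE_EXPLORER_HOST={env_host!r}")

    ums_port = ums.get("apimlPort", "")
    env_port = env.get("GATEWAY_PORT", "")
    if not ums_port.isdigit() or ums_port != env_port:
        problems.append(f"apimlPort={ums_port!r} does not match GATEWAY_PORT={env_port!r}")

    return problems


if __name__ == "__main__":
    for problem in check_ums_apiml(IZPUMSPM, INSTANCE_ENV) or ["IZPUMSPM and instance.env are consistent"]:
        print(problem)
```

Run it against copies of the real member and instance.env before executing izp-update-for-apiml.sh; any reported mismatch means UMS would point at a gateway host or port that Zowe does not serve, or that the gateway is not launched at all.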