UMS supports multifactor authentication with the Unified Management Server 1.1 (UI78605) or later release.
To improve security by using multifactor authentication, enable the Zowe Single Sign-On (SSO) provided by the Zowe API Mediation Layer. Zowe SSO uses an access token to communicate with the z/OS® services that are accessible through the Zowe API Mediation Layer.
Before you begin
The UMS multifactor authentication requires IBM® Z Multi-Factor Authentication and z/OSMF version 2.4 or later. The Zowe API Mediation Layer must be enabled within the Zowe instance.env file by including GATEWAY in the LAUNCH_COMPONENT_GROUPS parameter list. For details, see the Zowe documentation for component configuration.
Restriction: UMS multifactor authentication is not compatible with the IMS Administration Foundation feature. With that feature, you must use the default authentication method (STANDARD_JWT). For details of authentication types, see Table 1.
About this task
Before implementing UMS multifactor authentication, configure IBM Z Multi-Factor Authentication for new and existing users. To configure multifactor authentication for UMS, complete the following tasks:
Procedure
- Shut down Zowe.
  - Stop the ZSS cross-memory server:
    /p <job_name>
    If Zowe defaults have been chosen, replace job_name with ZWESISTC.
  - Stop the Zowe server:
    /p <job_name>
    If Zowe defaults have been chosen, replace job_name with ZWESVSTC.
- Apply the IBM APAR PH39582 required for z/OSMF.
- All users must have access to z/OSMF. For RACF, the user must be connected to either the IZUUSER or the IZUADMIN group. For other ESMs, refer to the z/OSMF documentation for your specific ESM.
- To enable Zowe API Mediation Layer in UMS, configure the authType parameter.
  - By using the <system_admin_id> user ID, open the PARMLIB member IZPUMSPM that is located at RUNHLQ.IZP.PARMLIB(IZPUMSPM).
  - Edit the authType parameter to MFA_JWT. The default value for the authType parameter is STANDARD_JWT.
  - Confirm that the apimlHost and apimlPort parameter values are consistent with the Zowe instance.env file. The corresponding host and port parameters in the Zowe instance.env file are ZOWE_EXPLORER_HOST and GATEWAY_PORT.
  - Run the IZP_UMS_VARDIR/bin/install/izp-update-for-apiml.sh script.
    Note: To disable Zowe API Mediation Layer in UMS, set the authType parameter to STANDARD_JWT and run the IZP_UMS_VARDIR/bin/install/izp-update-for-apiml.sh script again.
- Configure Zowe for multifactor authentication by adding the gateway, SSO token name, SSO certificate, and SSO token label. For details, see the Zowe documentation.
- Update RACF® to use PassTickets for MFA users by running the following commands:
  - To RDEFINE resources in PTKTDATA and permit access to Db2 for evaluating PassTickets, refer to the following links:
  - Permit access to the IBM Z Multi-Factor Authentication started task to verify Db2 PassTickets. Run the following command:
    PERMIT IRRPTAUTH.<applname>.* CLASS(PTKTDATA) -
      ID(<MFA STC user>) ACCESS(READ)
    For details, see Using IBM MFA with PassTickets.
    Notes:
    - To find the Db2 PassTicket <applname>, run the -DIS DDF Db2 command.
    - For a data sharing group, the Db2 PassTicket <applname> is the IPNAME or GENERICLU.
    - For a standalone Db2 subsystem, the Db2 PassTicket <applname> is the IPNAME or LUNAME.
  - When configuring a second authentication factor for the user (AZFPTKT1), the Zowe started task (STC_USER) needs access to the PTKTDATA class. Run the following command:
    PERMIT IRRPTAUTH.<applname>.* CLASS(PTKTDATA) -
      ID(<Zowe STC User>) ACCESS(UPDATE)
    Note: To find the Db2 PassTicket <applname>, run the -DIS DDF Db2 command.
  - Refresh the profile by running the following command:
    SETROPTS RACLIST(PTKTDATA) REFRESH
- Start Zowe.
  - Go to System Display and Search Facility (SDSF) in 3270.
  - Start the ZSS cross-memory server:
    /s <job_name>,reusasid=yes
    If Zowe defaults have been chosen, replace <job_name> with ZWESISTC. You must specify reusasid=yes after <job_name>.
  - Start the Zowe server:
    /s <job_name>,instance='<zowe_instance>'
    If Zowe defaults have been chosen, replace <job_name> with ZWESVSTC. Replace <zowe_instance> with the absolute path of your Zowe instance directory.
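The authType step above (set MFA_JWT, keep apimlHost and apimlPort consistent with ZOWE_EXPLORER_HOST and GATEWAY_PORT in instance.env) is the one most easily checked by a script before izp-update-for-apiml.sh is run, and a silent host or port mismatch is the usual reason the gateway login fails afterwards. The following z/OS UNIX shell script is an added example and is not IBM's or Zowe's code. It assumes the IZPUMSPM member can be read as simple key=value lines (the real member layout may differ; adjust get_param if so); the host name, port and file contents are constructed samples, and the Zowe instance.env keys are the ones named on this page.

```shell
#!/bin/sh
# Added example (not IBM's or Zowe's code): cross-check the UMS IZPUMSPM
# settings against the Zowe instance.env before running izp-update-for-apiml.sh.
# Assumption: IZPUMSPM is parsed here as key=value lines; the actual member
# format may differ, so adapt get_param to your copy of the member.

# Print the value of key $2 in file $1 (first match), with quotes/blanks removed.
get_param() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | head -n 1 | tr -d "'\"" | tr -d '[:space:]'
}

# Return 0 when authType is MFA_JWT and apimlHost/apimlPort equal
# ZOWE_EXPLORER_HOST/GATEWAY_PORT; otherwise report each mismatch and return 1.
check_apiml_config() {
  parm="$1"; env="$2"; rc=0
  auth=$(get_param "$parm" authType)
  host=$(get_param "$parm" apimlHost)
  port=$(get_param "$parm" apimlPort)
  zhost=$(get_param "$env" ZOWE_EXPLORER_HOST)
  zport=$(get_param "$env" GATEWAY_PORT)
  if [ "$auth" != "MFA_JWT" ]; then
    echo "authType is '$auth' (expected MFA_JWT)"; rc=1
  fi
  if [ "$host" != "$zhost" ]; then
    echo "apimlHost '$host' does not match ZOWE_EXPLORER_HOST '$zhost'"; rc=1
  fi
  if [ "$port" != "$zport" ]; then
    echo "apimlPort '$port' does not match GATEWAY_PORT '$zport'"; rc=1
  fi
  return $rc
}

# Constructed sample files (placeholder host name and port, not a real system).
write_samples() {
  cat > "$1/IZPUMSPM" <<'EOF'
authType=MFA_JWT
apimlHost=zowe.example.internal
apimlPort=7554
EOF
  cat > "$1/instance.env" <<'EOF'
ZOWE_EXPLORER_HOST=zowe.example.internal
GATEWAY_PORT=7554
LAUNCH_COMPONENT_GROUPS=DESKTOP,GATEWAY
EOF
  # A deliberately inconsistent member: default authType and a wrong port.
  cat > "$1/IZPUMSPM.bad" <<'EOF'
authType=STANDARD_JWT
apimlHost=zowe.example.internal
apimlPort=7555
EOF
}

SAMPLE_DIR="${TMPDIR:-/tmp}/izp-apiml-check.$$"
mkdir -p "$SAMPLE_DIR"
write_samples "$SAMPLE_DIR"

# Consistent member: no output, exit status 0.
if check_apiml_config "$SAMPLE_DIR/IZPUMSPM" "$SAMPLE_DIR/instance.env"; then
  echo "IZPUMSPM matches instance.env: safe to run izp-update-for-apiml.sh"
fi
# Inconsistent member: one line per mismatch, exit status 1.
if ! check_apiml_config "$SAMPLE_DIR/IZPUMSPM.bad" "$SAMPLE_DIR/instance.env"; then
  echo "Fix IZPUMSPM before running izp-update-for-apiml.sh"
fi
# Sample files are left in $SAMPLE_DIR for inspection.
```

On a live system, copy the member to a z/OS UNIX file first (for example with cp "//'RUNHLQ.IZP.PARMLIB(IZPUMSPM)'" /tmp/IZPUMSPM, substituting your RUNHLQ) and point check_apiml_config at that file and at the instance.env of the Zowe instance directory you pass on the /s command; the script only reads both files and changes nothing.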