Configuring multifactor authentication for UMS

To improve security by using multifactor authentication, enable the Zowe Single Sign-On (SSO) that the Zowe API Mediation Layer provides. Zowe SSO uses an access token to communicate with the z/OS® services that are accessible through the Zowe API Mediation Layer. To enable Zowe SSO for Unified Management Server, configure the logins from the UMS server and the Zowe components to the Db2 or IMS subsystems and the subsystem tools services over TCP/IP so that they use PassTicket-based authentication.

Before you begin

The UMS multifactor authentication requires IBM® Z Multi-Factor Authentication and z/OSMF version 2.4 or later.

The Zowe API Mediation Layer gateway must be enabled in the Zowe YAML file by setting components.gateway.enabled: true. For details, see the Zowe documentation for component configuration.

About this task

Before implementing UMS multifactor authentication, configure IBM Z Multi-Factor Authentication for new and existing users. To configure multifactor authentication for UMS, complete the following tasks.
Note: If you plan to use Zowe SSO and not MFA, steps 6 and 8 are not required.

Procedure

  1. Shut down Zowe.
    1. Stop Zowe cross-memory server.
      /p <job_name>

      If Zowe defaults have been chosen, <job_name> should be replaced with ZWESISTC.

    2. Stop Zowe server.
      /p <job_name>

      If Zowe defaults have been chosen, <job_name> should be replaced with ZWESLSTC.

  2. Apply IBM APAR PH39582, which is required for z/OSMF.
  3. Ensure that all UMS users have access to z/OSMF.
    For RACF, the user must be connected to either the IZUUSER or the IZUADMIN group. For other ESMs, refer to the z/OSMF documentation for your specific ESM.
  4. To enable the Zowe API Mediation Layer in UMS, configure the authType parameter.
    1. By using the <system_admin_id> user ID, open the PARMLIB(ZWEYAML) member.
    2. Set the components.izp.server.authType parameter to MFA_JWT. The default value of the authType parameter is STANDARD_JWT.
      Note: MFA_JWT is only supported if API Mediation Layer Gateway is enabled. The components.gateway.enabled value must be true in the zowe.yaml file.
  5. Configure Zowe for Single-Sign-On (SSO) and Multi-Factor Authentication (MFA). For details, see Zowe SSO overview, Zowe gateway component configuration, and Zowe App Server configuration for MFA.
  6. Update RACF® to use PassTickets for each MFA user by running the following command:
    ALU <ums_user_id> MFA(FACTOR(AZFPTKT1) ACTIVE NOTAGS)

    Where <ums_user_id> is a UMS user ID for which MFA login is configured. For details, see Using IBM MFA with PassTickets.

  7. RDEFINE the resources in the PTKTDATA class and permit access to the subsystem or subsystem tool services.
  8. Permit the IBM Z Multi-Factor Authentication started task to verify PassTickets. Run the following command:
    PERMIT IRRPTAUTH.<applname>.* CLASS(PTKTDATA) -
    ID(<MFA_STC_user>) ACCESS(READ)

    For details, see Using IBM MFA with PassTickets.

    Note: The order of evaluation to find the <applname> for Db2 subsystems is as follows:
    1. IPNAME
    2. GENERICLU (after the NETID)
    3. LUNAME (after the NETID)

    UMS uses the first of these fields that is defined (that is, whose value is not NONE).

    For data sharing groups, one of GENERICLU or IPNAME should be defined, and it should be the same across all members in that group.

    For IMS Connect services <applname>, refer to Enabling IMS Connect to receive RACF PassTickets. For IMS Tools TCP server <applname>, refer to Enabling IMS Tools TCP server to receive RACF PassTickets.

  9. The Zowe started task user (<Zowe_STC_user>) needs UPDATE access to the PassTicket resources in the PTKTDATA class. Run the following command:
    PERMIT IRRPTAUTH.<applname>.* CLASS(PTKTDATA) -
    ID(<Zowe_STC_user>) ACCESS(UPDATE)
  10. Refresh the profile by running the following command:
    SETROPTS RACLIST(PTKTDATA) REFRESH
  11. Start Zowe.
    1. Go to System Display and Search Facility (SDSF) in 3270.
    2. Start Zowe cross-memory server.
      /S <job_name>,REUSASID=YES
      If Zowe defaults have been chosen, <job_name> should be replaced with ZWESISTC. You must specify REUSASID=YES after <job_name>.
    3. Start Zowe server.
      /S <job_name>,JOBNAME=ZWE1SV

      If Zowe defaults have been chosen, <job_name> should be replaced with ZWESLSTC.
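Steps 7 through 10 are easier to get right when the <applname> choice and the resulting RACF commands are produced mechanically for every subsystem. The following Python script is an added example for this page; it is not part of UMS, Zowe, or IBM Z Multi-Factor Authentication. It applies the evaluation order from step 8 (IPNAME, then GENERICLU, then LUNAME, skipping values of NONE and keeping only the LU portion after the NETID), checks that every member of a data sharing group resolves to the same <applname>, and prints the PTKTDATA commands from steps 8 through 10. The Db2 member values and the started-task user IDs are constructed; the RDEFINE of the IRRPTAUTH profile with UACC(NONE) before the PERMITs is an assumption about the standard RACF PassTicket setup, and the SSIGNON key profile for the <applname> itself is not shown here (it is defined as described in the IBM MFA PassTicket documentation referenced above).

```python
"""Resolve the PTKTDATA <applname> for Db2 subsystems and emit the RACF
commands from steps 8 through 10 of the UMS MFA procedure.

Example code added to this page; not part of UMS, Zowe or IBM MFA.
All subsystem values and user IDs below are constructed.
"""

from dataclasses import dataclass
from typing import Iterable, List, Optional

NONE = "NONE"  # Db2 reports an undefined IPNAME/GENERICLU/LUNAME as NONE


@dataclass(frozen=True)
class Db2Member:
    ssid: str
    ipname: str = NONE
    genericlu: str = NONE  # may be reported as NETID.GENERICLU
    luname: str = NONE     # may be reported as NETID.LUNAME


def resolve_applname(m: Db2Member) -> Optional[str]:
    """Order of evaluation from step 8: IPNAME, then GENERICLU, then LUNAME.
    The first field whose value is not NONE wins.  For the two LU fields
    only the part after the NETID qualifier is used."""
    if m.ipname != NONE:
        return m.ipname
    for lu in (m.genericlu, m.luname):
        if lu != NONE:
            return lu.split(".", 1)[-1]  # strip a leading "NETID." if present
    return None


def group_applname(members: Iterable[Db2Member]) -> str:
    """For a data sharing group every member must resolve to the same
    applname (the procedure requires one GENERICLU or IPNAME shared by all
    members).  Raise ValueError on an unresolvable member or a mismatch."""
    names = {m.ssid: resolve_applname(m) for m in members}
    missing = [ssid for ssid, name in names.items() if name is None]
    if missing:
        raise ValueError(f"no IPNAME/GENERICLU/LUNAME for members {missing}")
    distinct = set(names.values())
    if len(distinct) != 1:
        raise ValueError(f"applname differs across members: {names}")
    return distinct.pop()


def racf_commands(applname: str, mfa_stc_user: str, zowe_stc_user: str) -> List[str]:
    """RACF commands for one applname: the MFA started task gets READ, the
    Zowe started task gets UPDATE, then the class is refreshed (steps 8-10).
    The RDEFINE with UACC(NONE) is the assumed standard way to create the
    IRRPTAUTH profile that the PERMITs need; the SSIGNON key profile for the
    applname itself is not part of this example."""
    profile = f"IRRPTAUTH.{applname}.*"
    return [
        f"RDEFINE PTKTDATA {profile} UACC(NONE)",
        f"PERMIT {profile} CLASS(PTKTDATA) ID({mfa_stc_user}) ACCESS(READ)",
        f"PERMIT {profile} CLASS(PTKTDATA) ID({zowe_stc_user}) ACCESS(UPDATE)",
        "SETROPTS RACLIST(PTKTDATA) REFRESH",
    ]


if __name__ == "__main__":
    # Constructed sample: a two-member data sharing group that shares a
    # GENERICLU, so both members resolve to applname DB2GRP.
    group = [
        Db2Member("DB2A", genericlu="USIBMSY.DB2GRP", luname="USIBMSY.DB2ALU"),
        Db2Member("DB2B", genericlu="USIBMSY.DB2GRP", luname="USIBMSY.DB2BLU"),
    ]
    # Started-task user IDs are assumed; substitute your MFA and Zowe STC users.
    for cmd in racf_commands(group_applname(group), "MFASTC", "ZWESVUSR"):
        print(cmd)
```

Run the script once per Db2 data sharing group (or stand-alone subsystem) and review the printed commands before issuing them; a ValueError means the members disagree on GENERICLU or IPNAME and the Db2 definitions must be corrected first, because a PassTicket generated for one applname is not accepted by a member that evaluates to a different one.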