Activate and deactivate users for IBM MFA SecurID Authentication API

You use the ALTUSER or ALU command to activate users for IBM® MFA with SecurID Authentication API.

Before you begin

Before you can activate users for IBM MFA, you must first create accounts for the users in RSA Authentication Manager and assign RSA tokens.

When you activate a user for IBM Multi-Factor Authentication for z/OS®, that user is no longer able to use the z/OS password to log in. Therefore, the user must first have a valid token and credentials for RSA Authentication Manager.

To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the NOACTIVE keyword to deactivate the authenticator for the user ID.

Procedure

  1. Enter the following command to activate a user for IBM MFA:
    ALU [Login ID] MFA(FACTOR(AZFSIDP3)
        ACTIVE TAGS(SIDUSERID:[RSA User ID]))    
    Where:
    • [Login ID] is the z/OS user name.
    • ACTIVE activates the AZFSIDP3 authenticator for the user ID.
    • [RSA User ID] is the associated RSA user ID. The SIDUSERID tag identifies the RSA user ID to use when IBM MFA sends an authentication request for this user to the RSA server:
      • If the security manager user ID matches the RSA server user ID, you can either specify the RSA server user ID in the SIDUSERID tag, or omit it and the security manager user ID is used by default.
      • If the security manager user ID does not match the RSA server user ID, you must specify the RSA server user ID in the SIDUSERID tag.
  2. If needed, enter the following command to defer activating a user for IBM MFA:
    ALU [Login ID] MFA(FACTOR(AZFSIDP3)
        TAGS(SIDUSERID:[RSA User ID]))
    Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the AZFSIDP3 authenticator for the user ID:
    ALU [Login ID] MFA(FACTOR(AZFSIDP3) ACTIVE)
  3. Enter the following command to display IBM MFA information for a user profile:
    LISTUSER [Login ID] MFA
    The command displays output similar to the following:
    MULTIFACTOR AUTHENTICATION INFORMATION:      
    ---------------------------------------      
      PASSWORD FALLBACK IS NOT ALLOWED           
      FACTOR = AZFSIDP3                          
        STATUS = ACTIVE                          
        FACTOR TAGS =                            
          SIDUSERID:user
  4. If needed, enter the following command to deactivate a user for IBM MFA:
    ALU [Login ID] MFA(FACTOR(AZFSIDP3)
        NOACTIVE TAGS(SIDUSERID:[RSA User ID]))
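
Because an activated user can no longer log in with the z/OS password, it is worth checking the LISTUSER output from step 3 after every change. The following is an added example, not IBM code: a Python check over captured LISTUSER text. It assumes the output layout shown in step 3; the function names, the INACTIVE status wording, and the sample user IDs are assumptions made for illustration.

```python
import re

# Output copied from step 3 of this page.
SAMPLE_ACTIVE = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
  PASSWORD FALLBACK IS NOT ALLOWED
  FACTOR = AZFSIDP3
    STATUS = ACTIVE
    FACTOR TAGS =
      SIDUSERID:user
"""
# Constructed sample (assumed wording) for a user whose activation was deferred.
SAMPLE_DEFERRED = SAMPLE_ACTIVE.replace("STATUS = ACTIVE", "STATUS = INACTIVE")


def parse_listuser_mfa(text):
    """Parse the MFA section into {'fallback_blocked': bool, 'factors': {...}}."""
    info = {"fallback_blocked": False, "factors": {}}
    factor, in_tags = None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "PASSWORD FALLBACK IS NOT ALLOWED":
            info["fallback_blocked"] = True
        elif m := re.fullmatch(r"FACTOR\s*=\s*(\S+)", line):
            factor = info["factors"].setdefault(m.group(1), {"status": None, "tags": {}})
            in_tags = False  # a new factor section ends the previous tag list
        elif factor and (m := re.fullmatch(r"STATUS\s*=\s*(\S+)", line)):
            factor["status"] = m.group(1)
        elif factor and re.fullmatch(r"FACTOR TAGS\s*=", line):
            in_tags = True
        elif in_tags and ":" in line:
            name, value = line.split(":", 1)
            factor["tags"][name.strip()] = value.strip()
    return info


def check_securid(text, zos_userid, rsa_userid):
    """Return findings for the AZFSIDP3 factor; an empty list means it looks as intended."""
    info = parse_listuser_mfa(text)
    factor = info["factors"].get("AZFSIDP3")
    if factor is None:
        return ["AZFSIDP3 is not defined for this user"]
    findings = []
    if factor["status"] != "ACTIVE":
        findings.append("AZFSIDP3 is not active")
    if not info["fallback_blocked"]:
        findings.append("password fallback is not reported as disallowed")
    # Per the page, an omitted SIDUSERID tag means the z/OS user ID is sent to RSA.
    if factor["tags"].get("SIDUSERID", zos_userid) != rsa_userid:
        findings.append("SIDUSERID does not map to the expected RSA user ID")
    return findings
```

An empty list from check_securid means the factor is active and maps to the expected RSA user ID; any finding is a reason to review the profile before the user next logs in.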