Summary of changes
Changes made to IBM® MFA for Version 2 Release 2.
New
The following information is new.
- Version 2.2 September 2023 refresh
  - IBM MFA obtains and caches the IP address of authentication servers, such as a RADIUS server, when the IBM MFA started task starts. You can use the DNSREFRESH console command to refresh the IP addresses without having to restart the IBM MFA started task, as described in Refreshing server IP addresses.
  - The AZFTOTP1 Suspension Threshold limits the number of times a user consecutively fails to provide a valid TOTP code. In this release, Suspension Threshold is enabled by default, with a default setting of 100, as described in Configure AZFTOTP1. If a previous setting exists, the existing value is maintained.
  - The AZF9221E and AZF9135E error messages are added in this release.
- Version 2.2 September 2022 refresh
  - When configuring bulk provisioning for users, the azfprov1.sh script invokes azfbulkcmd.sh, which allows you to make any needed customizations if you are using an ESM other than RACF. No changes to azfbulkcmd.sh are required if you are using RACF. This change is described in Configuring bulk provisioning users for IBM MFA.
  - Configuring bulk provisioning users for IBM MFA also makes clear that you need to have UPDATE access to the system security manager FACILITY class profile IRR.RFACTOR.USER to update the user factor data.
  - Using IBM MFA with PassTickets is updated with additional information about how the application performs a SAF RACROUTE REQUEST=VERIFY request.
- Version 2.2
  - Configuring multiple instances of a factor is added in this release.
  - The RSA SecurID Authentication API authentication factor is added in this release, as described in Configuring IBM MFA for RSA SecurID Authentication API.
  - Auto approval of user's enrolled certificates is added in this release, as described in Configure Certificate Authentication and Approve user certificates.
  - The ability to reset a user's password is added in this release, as described in Resetting a user password.
  - Enable Client Token Display is added to the IBM MFA web services started task settings, as described in Configure IBM MFA web services started task.
  - Enable Dynamic Instance Names is added in this release, as described in Configure IBM MFA STC configuration attributes.
- Version 2.1 April 2021 refresh
  - The description of Use Single-key Encryption in Configure AZFTOTP1 is updated to clarify that if disabled, a new TKDS object is created to hold the TOTP secret for each new enrolling user.
- Version 2.1 March 2021 refresh
  - Configuring IBM HTTP Server - Powered by Apache for IBM MFA is updated to clarify that only one PKCS#11 token is required and what access is needed.
  - Special considerations for sub-requests is added.
  - Configuring CSFSERV Resource Profiles is updated to say that adding specific profiles over generic profiles could effectively remove access required by an existing user or application, and to review the profiles that are already in place in your environment.
  - Configure an AT-TLS profile is updated with additional context in the certificate steps.
  - Changing the caching mode C entries is added.
- Version 2.1 January 2021 refresh
  - IBM MFA configuration roadmap is updated with Table 2 to assist with configuration planning.
  - Set the WLM service class is added to describe setting the MVS workload management (WLM) service class.
  - AZF6025E is added.