Activate and deactivate users check CTC

You use the ALTUSER or ALU command to activate users for AZFCKCTC.

Procedure

  1. Enter the following command to activate a user for AZFCKCTC:
    Important: If you activate a user for AZFCKCTC, the user cannot be associated with a policy name or have any other active authentication factors.
    ALU [Login ID] MFA(FACTOR(AZFCKCTC)
        ACTIVE TAGS(ALTUSERID:[User ID]))    
    Where:
    • [Login ID] is the z/OS® user name.
    • ACTIVE activates the AZFCKCTC authenticator for the user ID.
    • ALTUSERID is the user name of the user on the CTC source. The user name on the CTC destination and CTC source does not need to be the same.
  2. Tell users they must use the IBM® MFA Out-of-Band web server login page on the CTC source to get a CTC, where the hostname and port specify the IBM MFA CTC source, and policy-name is the policy the user must use. You may want to have the user bookmark this URL.
    https://server-host:port/mfa/policy-name

    The user is then presented with IBM MFA Out-of-Band web page for the configured authentication factors.

    If the IBM MFA Out-of-Band authentication is successful, the user then uses the resulting CTC to log on in-band to an application on the CTC destination.

    Tip: To prevent confusion, ensure that you tell users to use the CTC as their password on the destination system.
  3. If needed, enter the following command to defer activating a user for AZFCKCTC:
     ALU [Login ID] MFA(FACTOR(AZFCKCTC)
         TAGS(ALTUSERID:[User ID]))    
    Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the AZFCKCTC authenticator for the user ID:
    ALU <USERID> MFA(FACTOR(AZFCKCTC) ACTIVE)
  4. Enter the following command to display IBM MFA information for a user profile:
    LISTUSER [Login ID] MFA
    MULTIFACTOR AUTHENTICATION INFORMATION:      
    ---------------------------------------      
      PASSWORD FALLBACK IS NOT ALLOWED           
      FACTOR = AZFCKCTC                          
        STATUS = ACTIVE                          
        FACTOR TAGS =                            
          ALTUSERID:user
  5. If needed, enter the following command to deactivate a user for AZFCKCTC:
     ALU [Login ID] MFA(FACTOR(AZFCKCTC)
        NOACTIVE)