Activate and deactivate users check CTC
You use the ALTUSER or ALU command to activate users for AZFCKCTC.
Procedure
-
Enter the following command to activate a user for AZFCKCTC:
Important: If you activate a user for AZFCKCTC, the user cannot be associated with a policy name or have any other active authentication factors.
ALU [Login ID] MFA(FACTOR(AZFCKCTC) ACTIVE TAGS(ALTUSERID:[User ID]))
Where:- [Login ID] is the z/OS® user name.
- ACTIVE activates the AZFCKCTC authenticator for the user ID.
- ALTUSERID is the user name of the user on the CTC source. The user name on the CTC destination and CTC source does not need to be the same.
-
Tell users they must use the IBM® MFA Out-of-Band web server login page on
the CTC source to get a CTC, where the hostname and port specify the IBM MFA CTC source, and policy-name is the policy the user must
use. You may want to have the user bookmark this URL.
https://server-host:port/mfa/policy-name
The user is then presented with IBM MFA Out-of-Band web page for the configured authentication factors.
If the IBM MFA Out-of-Band authentication is successful, the user then uses the resulting CTC to log on in-band to an application on the CTC destination.
Tip: To prevent confusion, ensure that you tell users to use the CTC as their password on the destination system. -
If needed, enter the following command to defer activating a user for AZFCKCTC:
ALU [Login ID] MFA(FACTOR(AZFCKCTC) TAGS(ALTUSERID:[User ID]))
Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the AZFCKCTC authenticator for the user ID:ALU <USERID> MFA(FACTOR(AZFCKCTC) ACTIVE)
-
Enter the following command to display IBM MFA
information for a user profile:
LISTUSER [Login ID] MFA
MULTIFACTOR AUTHENTICATION INFORMATION: --------------------------------------- PASSWORD FALLBACK IS NOT ALLOWED FACTOR = AZFCKCTC STATUS = ACTIVE FACTOR TAGS = ALTUSERID:user
-
If needed, enter the following command to deactivate a user for AZFCKCTC:
ALU [Login ID] MFA(FACTOR(AZFCKCTC) NOACTIVE)