Changing a user password with an identity token
As of z/OS® V2R4, RACF® supports identity tokens implemented through the JSON Web Token (JWT) assertion mechanism. You should enable identity token support whenever possible because it greatly improves the end-user logon flow for applications that support identity tokens, such as TSO/E, when the current credential has expired.
Before you begin
About this task
Some IBM® MFA in-band login scenarios, particularly compound in-band authentication combined with a password change, require an authentication that spans multiple RACROUTE calls. In this case, state information must be carried between the calls so that IBM MFA and RACF perform the appropriate action for each state. You can use identity tokens to change a RACF password, change a PIN, or change both during an in-band logon to TSO.
- The user is configured for AZFLDAP1 with compound in-band authentication, and their RACF password has expired. For this example, further assume that you have configured their account to require their RACF credential first.
- The user enters their current RACF password, the separator character, and their LDAP password.
- If authentication succeeds, the user receives the following message:
ICH70008I IBM MFA Message: AZF9853I LDAP AUTHENTICATION SUCCESS
- The user presses Enter to continue.
- The user is then prompted to change their RACF password.
Procedure
SETROPTS RACLIST(IDTDATA) CLASSACT(IDTDATA)