IBM® MFA for ELF allows IBM MFA in-band authentication from Express® Logon Feature (ELF). IBM MFA for ELF uses the AZFCERT1 factor and returns a cache token credential if the authentication is successful.
Before you begin
IBM MFA for ELF requires a functioning Express® Logon Feature (ELF) configuration that uses an ELF script and EXPRESSLOGONMFA to delegate the authentication decision to IBM MFA. IBM MFA performs the authentication and, if successful, returns a cache token credential.
Important: The EXPRESSLOGONMFA statement requires you to configure AT-TLS, as described in the EXPRESSLOGONMFA statement description.
See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for information about EXPRESSLOGONMFA support in the TN3270E Telnet Server.
Tip: You perform all of the same IBM MFA configuration steps as for Certificate Authentication, and the user must register their certificate as for that factor. The functional difference is that the user does not use the IBM MFA Out-of-Band web page to log in, and instead follows the ELF login procedure. ELF uses the IBM MFA cache token credential to log the user in without user action.
Procedure
- Perform the RACF® administration steps for Certificate Authentication, as described in Additional RACF administration steps for certificate authentication.
- Import the root CA certificate of the client certificate chain, as described in Import root CA certificate of client certificate chain.
- Configure Certificate Authentication, as described in Configure Certificate Authentication.
- Configure a policy with the AZFCERT1 factor for the user, or use an existing policy with only that factor configured.
  The Default Policy Name configured in Configure IBM MFA STC configuration attributes applies as follows:
  - If the user has only one policy attached, IBM MFA attempts to use it. This policy must have only one factor, AZFCERT1.
  - If the user has more than one policy attached, one of them must be the default policy. IBM MFA attempts to use the default policy.
  - If a default policy is not configured and the user has more than one policy assigned, IBM MFA fails the request.
- Activate the users for Certificate Authentication, as described in Activate and deactivate users for Certificate Authentication.
- Instruct the users to enroll their certificates, as described in IBM Z® Multi-Factor Authentication User's Guide.
  Important: The user must register the same certificate used in their ELF configuration.
- Approve the user certificates, as described in Approve user certificates.
- When requested by ELF, IBM MFA for ELF authenticates the user certificate and returns a cache token credential if successful.
  Note: If ELF is configured with EXPRESSLOGONMFA FALLBACK and both of the following conditions occur, RACF fails the login attempt:
  - The IBM MFA services started task is not running.
  - The user is not configured for IBM MFA password fallback.
- ELF uses the cache token credential to log the user in without user action.
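The policy-selection rules in the policy step and the EXPRESSLOGONMFA FALLBACK note above can be checked before users attempt an ELF logon. The following Python pre-flight check is an added example, not IBM's code and not part of the IBM MFA product: the Policy class, the policy names, and the second factor name OTHERFACTOR are constructed for illustration, and treating a configured default policy that is not attached to the user as a failure is an assumption drawn from the wording "one of them must be the default policy".

```python
# Added example (not IBM's code): a small pre-flight check that models the
# policy-selection rules for IBM MFA for ELF as stated on this page, so an
# administrator can see which policy IBM MFA would attempt for a user and
# whether that policy qualifies (a single AZFCERT1 factor) before anyone logs on.
from dataclasses import dataclass

ELF_FACTOR = "AZFCERT1"


@dataclass(frozen=True)
class Policy:
    name: str
    factors: tuple  # factor names configured in the policy, e.g. ("AZFCERT1",)


def select_policy(attached, default_policy_name):
    """Pick the policy IBM MFA would attempt, following the rules on the page.

    Returns (policy, reason); policy is None when the request would fail.
    """
    if len(attached) == 0:
        # Assumption: a user with no policy cannot be authenticated by IBM MFA.
        return None, "no policy attached"
    if len(attached) == 1:
        return attached[0], "only policy attached"
    if default_policy_name is None:
        return None, "multiple policies attached and no default policy configured"
    for policy in attached:
        if policy.name == default_policy_name:
            return policy, "default policy"
    # Assumption: the page says one attached policy "must be the default policy",
    # so a default that is not attached to the user is treated as a failure.
    return None, "default policy is not attached to the user"


def elf_policy_check(attached, default_policy_name):
    """Return (policy_name, reason); policy_name is None if ELF logon would fail.

    The chosen policy must contain exactly one factor, AZFCERT1.
    """
    policy, reason = select_policy(attached, default_policy_name)
    if policy is None:
        return None, reason
    if policy.factors != (ELF_FACTOR,):
        return None, f"policy {policy.name} must have only one factor, {ELF_FACTOR}"
    return policy.name, reason


def fallback_note_applies(fallback_configured, mfa_stc_running, password_fallback_user):
    """True when the Note in the last step says RACF fails the logon:
    EXPRESSLOGONMFA FALLBACK is configured, the IBM MFA started task is not
    running, and the user is not configured for password fallback.
    Other combinations are not described by the note, so they return False.
    """
    return fallback_configured and not mfa_stc_running and not password_fallback_user


if __name__ == "__main__":
    # Constructed sample policies; names and the second factor are placeholders.
    cert_only = Policy("ELFCERT", (ELF_FACTOR,))
    other = Policy("OTHERPOL", ("OTHERFACTOR",))
    for attached, default in [
        ([cert_only], None),
        ([cert_only, other], "ELFCERT"),
        ([cert_only, other], None),
        ([other], None),
    ]:
        print([p.name for p in attached], default, "->", elf_policy_check(attached, default))
```

Run it as a script to print the outcome for each constructed combination; a None policy name in the result means the user would not be logged on through ELF with that configuration, and the reason string says which rule was not met.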