Configure IBM MFA for ELF

IBM® MFA for ELF allows IBM MFA in-band authentication from Express® Logon Feature (ELF). IBM MFA for ELF uses the AZFCERT1 factor and returns a cache token credential if the authentication is successful.

Before you begin

IBM MFA for ELF requires a functioning Express® Logon Feature (ELF) configuration that uses an ELF script and EXPRESSLOGONMFA to delegate the authentication decision to IBM MFA. IBM MFA performs the authentication and, if successful, IBM MFA returns a cache token credential.
Important: The EXPRESSLOGONMFA statement requires you to configure AT-TLS, as described in the EXPRESSLOGONMFA statement description.

See z/OS Communications Server: IP Configuration Guide and z/OS Communications Server: IP Configuration Reference for information about EXPRESSLOGONMFA support in the TN3270E Telnet Server.

Tip: You perform all of the same IBM MFA configuration steps as for Certificate Authentication, and the user must register their certificate as for that factor. The functional difference is that the user does not use the IBM MFA Out-of-Band web page to log in, and instead follows the ELF login procedure. ELF uses the IBM MFA cache token credential to log the user in without user action.

Procedure

  1. Perform the RACF® administration steps for Certificate Authentication, as described in Additional RACF administration steps for certificate authentication.
  2. Import the root CA certificate of the client certificate chain, as described in Import root CA certificate of client certificate chain.
  3. Configure Certificate Authentication, as described in Configure Certificate Authentication.
  4. Configure a policy with the AZFCERT1 factor for the user, or use an existing policy with only that factor configured.
    The Default Policy Name configured in Configure IBM MFA STC configuration attributes applies as follows:
    • If the user has only one policy attached, IBM MFA attempts to use it. This policy must have only one factor, AZFCERT1.
    • If the user has more than one policy attached, one of them must be the default policy. IBM MFA attempts to use the default policy.
    • If a default policy is not configured and the user has more than one policy assigned, IBM MFA fails the request.
  5. Activate the users for Certificate Authentication as described in Activate and deactivate users for Certificate Authentication.
  6. Instruct the users to enroll their certificates, as described in IBM Z® Multi-Factor Authentication User's Guide.
    Important: The user must register the same certificate used in their ELF configuration.
  7. Approve the user certificates, as described in Approve user certificates.
  8. When requested by ELF, IBM MFA for ELF authenticates the user certificate and returns a cache token credential if successful.
    Note: If ELF is configured with EXPRESSLOGONMFA FALLBACK, and the following conditions occur:
    • The IBM MFA services started task is not running.
    • The user is not configured for IBM MFA password fallback.
    then RACF fails the login attempt.
  9. ELF uses the cache token credential to log the user in without user action.