To use IBM® MFA Out-of-Band you must use the RDEFINE command to define policies for multiple instance factors, and the ALU command to apply the policies to one or more users.
Before you begin
Important: If you apply a policy to a user, the user must have all the factors defined in the policy, and those factors must be active for the user. RACF® does not prevent you from applying a policy to a user who does not have all the required factors defined. Applying such a policy prevents that user from authenticating with IBM MFA Out-of-Band.
Procedure
1. Enter the following command to create a multi-factor authentication policy:
   RDEF MFADEF POLICY.POLICY-NAME MFPOLICY(FACTOR(FACTOR-NAME<suffix>) TOKENTIMEOUT(num-of-seconds) REUSE(Y|N))
   Where:
   - POLICY-NAME is a name of your choice between 1 and 20 characters. The allowed characters are A-Z and 0-9. You might find it convenient to give the policy a descriptive name, such as CERTSIDPTOTP or CERTONLY.
   - FACTOR-NAME<suffix> is a space-separated list of factor names combined with your chosen suffix. The allowed factor names are as follows:
     - AZFRADP1
     - AZFSIDP1
     - AZFSIDP3
     - AZFSIDR1
     - AZFSFNP1
     - AZFLDAP1
     - AZFISAM1
     - AZFCKCTC
   - TOKENTIMEOUT sets the length of time (in seconds) the IBM MFA Out-of-Band token is valid once generated. The value can be between 1 and 86,400 (the number of seconds in a day). The default is 300 seconds (5 minutes).
   - REUSE determines whether the IBM MFA Out-of-Band token can be reused by an application. Possible values are Y or N. The default is N.
2. Repeat step 1 as needed.
3. Refresh the MFADEF class:
   SETROPTS RACLIST(MFADEF) REFRESH
4. Enter the following command to display information about a specific policy:
   RLIST MFADEF POLICY.POLICY-NAME MFPOLICY
5. Enter the following command to display information about all IBM MFA factors and policies:
6. Enter the following command to apply the policy to a user:
   ALU <USERID> MFA(ADDPOLICY(POLICY-NAME))
7. Repeat step 6 as needed. If you apply multiple policies to a user, instruct the user which policy to use.
8. Enter the following command to display IBM MFA information for a user profile, including any applied policies:
   MULTIFACTOR AUTHENTICATION INFORMATION:
   ---------------------------------------
   PASSWORD FALLBACK IS NOT ALLOWED
   AUTHENTICATION POLICIES =
   TOTPONLY
   FACTOR = AZFSIDP1<suffix>
   STATUS = ACTIVE
   FACTOR TAGS =
   SIDUSERID:user
9. If needed, enter the following command to remove a policy from a user:
   ALU <USERID> MFA(DELPOLICY(POLICY-NAME))
10. If needed, enter the following commands to delete a policy and refresh the MFADEF class:
   RDEL MFADEF POLICY.POLICY-NAME
   SETROPTS RACLIST(MFADEF) REFRESH
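The following Python script is an added example and is not part of the IBM documentation or of RACF itself. It does two things an administrator running this procedure would want checked off-host before issuing the commands: it validates the RDEF MFADEF operands against the constraints stated above (POLICY-NAME of 1 to 20 characters from A-Z and 0-9, allowed factor names, TOKENTIMEOUT of 1 to 86,400, REUSE of Y or N) and builds the command string, and it parses the MULTIFACTOR AUTHENTICATION INFORMATION block of a user's LU output (in the layout shown in step 8) to report any policy factor the user lacks or that is not ACTIVE, the situation the Important note warns about. The factor suffix "01" and the sample LU output are constructed for the example; the script only checks that each factor starts with an allowed factor name and does not validate the suffix itself, which is an assumption.

```python
import re

# Factor names the page lists as allowed inside MFPOLICY(FACTOR(...)).
ALLOWED_FACTORS = ("AZFRADP1", "AZFSIDP1", "AZFSIDP3", "AZFSIDR1",
                   "AZFSFNP1", "AZFLDAP1", "AZFISAM1", "AZFCKCTC")

SAMPLE_SUFFIX = "01"  # constructed sample suffix, not a value from the page

# Constructed sample of the LU output block shown in step 8, with the sample suffix.
SAMPLE_LU_OUTPUT = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
AUTHENTICATION POLICIES =
TOTPONLY
FACTOR = AZFSIDP101
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user
"""


def policy_errors(policy_name, factors, token_timeout=300, reuse="N"):
    """Return a list of constraint violations (empty when the operands are valid).

    The constraints are the ones the page states: POLICY-NAME is 1-20 characters
    from A-Z and 0-9, each factor is an allowed factor name plus your suffix,
    TOKENTIMEOUT is 1-86400 seconds, REUSE is Y or N. The suffix is not checked
    beyond requiring the allowed prefix (an assumption made here).
    """
    errors = []
    if not re.fullmatch(r"[A-Z0-9]{1,20}", policy_name):
        errors.append(f"POLICY-NAME {policy_name!r}: must be 1-20 characters from A-Z, 0-9")
    if not factors:
        errors.append("FACTOR: at least one factor name is required")
    for f in factors:
        if not any(f.startswith(base) for base in ALLOWED_FACTORS):
            errors.append(f"FACTOR {f!r}: must start with one of {', '.join(ALLOWED_FACTORS)}")
    if not 1 <= token_timeout <= 86400:
        errors.append(f"TOKENTIMEOUT {token_timeout}: must be between 1 and 86400 seconds")
    if reuse not in ("Y", "N"):
        errors.append(f"REUSE {reuse!r}: must be Y or N")
    return errors


def build_rdef(policy_name, factors, token_timeout=300, reuse="N"):
    """Build the RDEF MFADEF command from validated operands; raise ValueError otherwise."""
    errors = policy_errors(policy_name, factors, token_timeout, reuse)
    if errors:
        raise ValueError("; ".join(errors))
    return (f"RDEF MFADEF POLICY.{policy_name} MFPOLICY(FACTOR({' '.join(factors)}) "
            f"TOKENTIMEOUT({token_timeout}) REUSE({reuse}))")


def parse_mfa_section(lu_output):
    """Parse the MULTIFACTOR AUTHENTICATION INFORMATION block of LU output, in the
    layout the page shows, into the applied policy names and each factor's STATUS."""
    policies, factors = [], {}
    in_policies, current = False, None
    for raw in lu_output.splitlines():
        line = raw.strip()
        if line.startswith("AUTHENTICATION POLICIES"):
            in_policies = True            # policy names follow, one per line
        elif line.startswith("FACTOR ="):
            in_policies = False           # first factor ends the policy list
            current = line.split("=", 1)[1].strip()
            factors[current] = None       # filled in by the STATUS line that follows
        elif line.startswith("STATUS =") and current:
            factors[current] = line.split("=", 1)[1].strip()
        elif in_policies and line:
            policies.append(line)
    return {"policies": policies, "factors": factors}


def missing_factors(policy_factors, lu_output):
    """Factors a policy requires that the user lacks or that are not ACTIVE.

    A non-empty result means the user could not authenticate with that policy,
    which is what the Important note warns about; run this before ALU ADDPOLICY.
    """
    have = parse_mfa_section(lu_output)["factors"]
    return [f for f in policy_factors if have.get(f) != "ACTIVE"]


if __name__ == "__main__":
    totp = [f"AZFSIDP1{SAMPLE_SUFFIX}"]
    print(build_rdef("TOTPONLY", totp))
    print(parse_mfa_section(SAMPLE_LU_OUTPUT))
    print("missing for TOTPONLY:", missing_factors(totp, SAMPLE_LU_OUTPUT))
    print("missing for CERTSIDPTOTP:",
          missing_factors([f"AZFCKCTC{SAMPLE_SUFFIX}", f"AZFSIDP1{SAMPLE_SUFFIX}"], SAMPLE_LU_OUTPUT))
```

Because the policy's factor list is not visible in the LU output, pass the same factor list you used in the RDEF command to missing_factors; a policy whose factors are all ACTIVE for the user returns an empty list, while the CERTSIDPTOTP check on the sample output reports the certificate factor as missing.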