Configure IBM MFA Compound In-Band

Configure IBM® MFA Compound In-Band authentication only if you require the user to authenticate in-band with a combination of an LDAP password, and a RACF® passphrase or password.

About this task

Important: When you enable IBM MFA Compound In-Band, it is enabled for all users that are active for the AZFLDAP1 factor.

If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to change a password using in-band authentication. IBM recommends that you use identity tokens to change passwords. See Changing a user password with an identity token for information about using identity tokens.

The z/OS application must support passphrases. IBM MFA Compound In-Band does not support applications that are limited to an 8-character password. This is required because IBM MFA Compound In-Band concatenates the LDAP password with the RACF passphrase or password, separated by a valid separator, and stores the result in the passphrase field.

Important: Unexpected results can occur if the user's LDAP password includes the separator character you choose.


  1. Execute AZFEXEC.
  2. Choose AZFLDAP1.
  3. On the AZFLDAP1 factor attributes panel, configure the following attributes:
    • Set Enable Compound In-band Authentication to Y.
    • Choose whether you want the IBM MFA credential to be entered before or after the RACF credential. The IBM MFA credential first is the default.

      For IBM MFA credential first, IBM MFA searches from left to right for the separator character. For RACF credential first, IBM MFA searches from right to left for the separator character.

      Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See
    • Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default. Possible values are shown in Table 1. (FTP cannot use the forward slash (/) or the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character restrictions.)
      Note: Encodings are shown for code page IBM-1047.
      Table 1. Valid Separator Characters
      Character Name Character Hexadecimal (for reference)
      Plus sign + 4e
      Less than sign < 4c
      Equal sign = 7e
      Greater than sign > 6e
      Ampersand & 50
      Straight single quotation mark ' 7d
      Left parenthesis ( 4d
      Right parenthesis ) 5d
      Comma , 6b
      Underscore _ 6d
      Hyphen - 60
      Period . 4b
      Slash right / 61
      Colon : 7a
      Semicolon ; 5e
      Question mark ? 6f
      Percent % 6c
      Asterisk * 7f
      Double quotation mark " 5c
      Vertical bar | 4f
  4. Save the changes.
  5. Restart the IBM MFA AZF#IN00 services started task.
  6. Instruct the user to enter their LDAP password, the required separator, and their RACF passphrase or password in the password field, based on the credential order you selected. For example:
    LDAP password:passphrase