TSO/E with Challenge-Response and compound in-band authentication

In SafeNet Challenge-Response mode, you are presented with a challenge in your TSO/E session. You provide this challenge to the MobilePASS application, which in turn generates a passcode. You then use the generated passcode to log on to TSO/E. Your administrator must have configured your account for IBM® MFA Compound In-Band.

Consult Table 1 to determine which login option matches your specific configuration and then follow the steps.
Important: If your RACF® password has expired and you are using TSO/E, you are prompted during the compound in-band login session to change your RACF password. However, after attempting to change your password, the IBM MFA credentials are then replayed, which causes the password change operation to fail. In this case, begin a new TSO/E session, log in with your existing password and IBM MFA credentials, and then use the -New Password option on the panel to change your RACF password.

This alternate logon flow is not needed if your administrator has configured your account for identity tokens. Identity tokens are configured on your behalf, and are not something you directly use.

Table 1. TSO/E Logon Options for SafeNet Challenge-Response with Compound In-Band
PIN Passphrase Accepted? You enter...
No PIN Yes
  1. Enter any single alphabetic character in the TSO/E Password field and press Enter.
  2. Copy the challenge, paste it in MobilePASS, and generate a passcode.
  3. Enter the MobilePASS passcode in the TSO/E Password field, followed by the separator, followed by your passphrase or password.1
Server-side User Select Yes
  1. Enter any single alphabetic character in the TSO/E Password field and press Enter.
  2. Copy the challenge, paste it in MobilePASS, and generate a passcode.
  3. Enter the PIN followed by the MobilePASS passcode in the TSO/E Password field, followed by the separator, followed by your passphrase or password.1
User-selected PIN Yes
  1. Enter any single alphabetic character in the TSO/E Password field and press Enter.
  2. Copy the challenge, paste it in MobilePASS, and generate a passcode.
  3. Enter the passcode in the TSO/E Password field, followed by the separator, followed by your passphrase or password.1
New PIN required Yes
  1. Enter any single alphabetic character in the TSO/E Password field and press Enter.
  2. Copy the challenge, paste it in MobilePASS, and generate a passcode.
  3. Enter the PIN followed by the passcode in the TSO/E Password field, followed by the separator, followed by your passphrase or password.1 (The PIN is not needed in User-selected PIN mode.)
  4. Respond to the prompts to enter a new PIN.
Notes®:
  • 1Your security administrator can reverse the order in which you enter the credentials, so that you enter your passphrase or password first, followed by the separator. Consult your security administrator for guidance.