You use the ALTUSER or ALU command to activate
users for IBM® MFA with SecurID.
Before you begin
Before you can activate users for IBM MFA, you
must first create accounts for the users in RSA Authentication Manager and assign RSA tokens.
When you activate a user for IBM Multi-Factor Authentication for z/OS®, that user is no longer able to use the z/OS password to log in. Therefore, the user must first have a valid token and credentials for RSA Authentication Manager.
To defer activation to a later time, omit the
ACTIVE keyword from the ALTUSER command, or supply the NOACTIVE keyword to deactivate the
authenticator for the user ID.
Procedure
-
Enter the following command to activate a user for IBM MFA:
ALU [Login ID] MFA(FACTOR(AZFSIDP1)
ACTIVE TAGS(SIDUSERID:[RSA User ID]))
Where:
- [Login ID] is the z/OS user name.
-
ACTIVE activates the AZFSIDP1 authenticator for the user ID.
- RSA User ID is the associated RSA user ID. The SIDUSERID tag identifies the
RSA user ID to use when an authentication request for this user is sent
to the RSA server by IBM MFA:
- If the security manager user ID matches the RSA server user ID,
you can either specify the RSA server user ID in the SIDUSERID
tag, or omit it and the security manager user ID is used by
default.
- If the security manager user ID does not match the RSA server
user ID, you must specify the RSA server user ID in the
SIDUSERID tag.
-
If needed, enter the following command to defer activating a user for IBM MFA:
ALU [Login ID] MFA(FACTOR(AZFSIDP1)
TAGS(SIDUSERID:[RSA User ID]))
Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFSIDP1 authenticator for the user
ID:
ALU <USERID> MFA(FACTOR(AZFSIDP1) ACTIVE)
-
Enter the following command to display IBM MFA
information for a user profile:
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFSIDP1
STATUS = ACTIVE
FACTOR TAGS =
SIDUSERID:user
-
If needed, enter the following command to deactivate a user for IBM MFA:
ALU [Login ID] MFA(FACTOR(AZFSIDP1)
NOACTIVE TAGS(SIDUSERID:[RSA User ID]))