Start the IBM MFA services started task

The IBM® MFA services started task supports authentication of users and validation of tags specified in the RACF® ALTUSER command at runtime.

Before you begin

You must configure at least one of the following strong authentication factors before you start the IBM MFA services started task:
  • RSA SecurID ACEv5 UDP AZFSIDP1
  • RSA SecurID Auth API (HTTPS) AZFSIDP3
  • TOTP AZFTOTP1
  • Certificate AZFCERT1
  • Generic RADIUS AZFRADP1
  • Safenet RADIUS AZFSFNP1
  • SecurID RADIUS AZFSIDR1
  • Yubico OTP AZFYUBI1
  • IBM Security Verify Access AZFISAM1
  • LDAP AZFLDAP1
  • Check CTC AZFCKCTC
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if needed) have started successfully and all TCP/IP-related services such as the resolver are running and fully initialized. See IBM MFA configuration roadmap for the factor-specific configuration requirements.

Start the IBM MFA started tasks before applications that use IBM MFA.

If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in Configuring Password Fallback will be able to log on with their z/OS password or passphrase.

About this task

In Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01), you copied the AZF#IN00 member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

Procedure

  1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See IBM MFA configuration roadmap for information about which authentication factors require AT-TLS.
  2. To start the started task if it is stopped, enter the following operator command:
    S <STC Job Name>
    For example:
    S AZF#IN00
  3. Start the started task on every z/OS instance sharing the RACF database where users log on.
  4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver" message in the SYSLOG indicates success.
    Note: If you have configured multiple instances of a factor as described in Configuring multiple instances of a factor, each factor instance is identified and logged separately in the IBM MFA started task’s SYSPRINT.