Next Steps: Configure IBM MFA Compound In-Band

After you are able to successfully log in using TOTP in-band, the next step is to require in-band authentication with a combination of a TOTP token and a passphrase or password.

About this task

Important: When you enable IBM® MFA Compound In-Band, it is enabled for all users that are active for the AZFTOTP1 factor.

If both IBM MFA Compound In-Band and TSO pre-prompt are enabled, users may not be able to change a password using in-band authentication. IBM recommends that you use identity tokens to change passwords. See Changing a user password with an identity token for information about using identity tokens.

The z/OS application must support passphrases. IBM MFA Compound In-Band does not support applications that are limited to an 8-character password. This is required because IBM MFA Compound In-Band concatenates the OTP token and the passphrase or password, separated by a valid separator character, and stores the result in the passphrase field.

Procedure

  1. Execute AZFEXEC.
  2. Choose AZFTOTP1.
  3. On the AZFTOTP1 factor attributes panel, configure the following attributes:
    • Set Enable Compound In-band Authentication to Y.
    • Choose whether you want the IBM MFA credential to be entered before or after the RACF credential. The IBM MFA credential first is the default.

      For IBM MFA credential first, IBM MFA searches from left to right for the separator character. For RACF credential first, IBM MFA searches from right to left for the separator character.

      Note: This feature requires APAR OA54920 for RACF, which is available on z/OS V2R2 and later. (See http://www-01.ibm.com/support/docview.wss?uid=isg1OA54920.)
    • Change the Compound In-band Factor Separator field if needed. It is set to a colon (:) by default. Possible values are shown in Table 1. (FTP cannot use the forward slash (/) or the colon (:). HTTP cannot use the forward slash (/). Other applications may have other character restrictions.)
      Note: Encodings are shown for code page IBM-1047.
      Table 1. Valid Separator Characters
      Character Name                  Character   Hexadecimal (for reference)
      Plus sign                       +           4e
      Less than sign                  <           4c
      Equal sign                      =           7e
      Greater than sign               >           6e
      Ampersand                       &           50
      Straight single quotation mark  '           7d
      Left parenthesis                (           4d
      Right parenthesis               )           5d
      Comma                           ,           6b
      Underscore                      _           6d
      Hyphen                          -           60
      Period                          .           4b
      Slash right                     /           61
      Colon                           :           7a
      Semicolon                       ;           5e
      Question mark                   ?           6f
      Percent                         %           6c
      Asterisk                        *           7f
      Double quotation mark           "           5c
      Vertical bar                    |           4f
  4. Save the changes.
  5. Restart the IBM MFA AZF#IN00 services started task.
  6. Instruct the user to enter their OTP token, the required separator, and their passphrase or password in the password field, in the credential order you selected. For example, with IBM MFA credential first and the default colon separator:
    OTP token:passphrase
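The following is an added example, not IBM's code, that shows how the compound credential described in this procedure is assembled and split back into its two parts. It applies the search-direction rule from step 3 (left to right for IBM MFA credential first, right to left for RACF credential first), the separator set from Table 1, the FTP and HTTP separator restrictions, and the reason an 8-character password field cannot hold the compound value. The function names, the application table, and the sample credentials are constructed for illustration. Because a TOTP token consists only of digits, a separator character can never occur inside the token, so the first separator (IBM MFA first) or the last separator (RACF first) always borders the token and the passphrase itself may contain the separator.

```python
# Added example (not IBM's code): assembling and splitting an IBM MFA Compound
# In-Band credential. Function names and sample values are constructed.

# The Character column of Table 1 (20 separator characters).
VALID_SEPARATORS = set("+<=>&'(),_-./:;?%*\"|")

# Per-application restrictions stated in the procedure text.
APP_RESTRICTED_SEPARATORS = {
    "FTP": {"/", ":"},
    "HTTP": {"/"},
}


def check_separator(sep, application=None):
    """Return True if `sep` is one of the Table 1 characters and is not
    restricted for the named application (constructed helper)."""
    if len(sep) != 1 or sep not in VALID_SEPARATORS:
        return False
    if application and sep in APP_RESTRICTED_SEPARATORS.get(application, set()):
        return False
    return True


def build_compound_credential(otp_token, passphrase, separator=":", mfa_first=True):
    """Concatenate the two credentials in the configured order.  The result is
    what the user types into the password/passphrase field."""
    if not otp_token.isdigit():
        raise ValueError("a TOTP token is digits only")
    if not check_separator(separator):
        raise ValueError(f"invalid separator {separator!r}")
    if mfa_first:
        return otp_token + separator + passphrase
    return passphrase + separator + otp_token


def split_compound_credential(value, separator=":", mfa_first=True):
    """Split the compound value into (otp_token, passphrase).

    IBM MFA credential first: search left to right, so the FIRST separator
    splits the fields.  RACF credential first: search right to left, so the
    LAST separator splits the fields.  Either way the passphrase may contain
    the separator because the digits-only token cannot."""
    if not check_separator(separator):
        raise ValueError(f"invalid separator {separator!r}")
    idx = value.find(separator) if mfa_first else value.rfind(separator)
    if idx < 0:
        raise ValueError("separator not found in compound credential")
    left, right = value[:idx], value[idx + 1:]
    return (left, right) if mfa_first else (right, left)


def fits_8_char_password_field(otp_token, passphrase, separator=":"):
    """An application limited to 8-character passwords cannot hold the
    compound value: a 6-digit token plus separator already uses 7 characters."""
    return len(otp_token) + len(separator) + len(passphrase) <= 8


if __name__ == "__main__":
    # Constructed sample: a passphrase that itself contains the colon separator.
    token, phrase = "123456", "my:pass"
    for mfa_first in (True, False):
        compound = build_compound_credential(token, phrase, ":", mfa_first)
        print(f"{'MFA first ' if mfa_first else 'RACF first'}: {compound!r} ->",
              split_compound_credential(compound, ":", mfa_first))
    print("FTP may use ':' :", check_separator(":", "FTP"))
    print("fits 8-char field:", fits_8_char_password_field(token, "pw"))
```

Running the block shows that the same passphrase round-trips under both credential orders only because the search direction is tied to the order; splitting `my:pass:123456` left to right would instead yield `my` and `pass:123456`. It also shows that a 6-digit token, a separator, and even a 2-character password already need 9 characters, which is why the application must accept passphrases.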