Start the IBM MFA services started task

The IBM® MFA services started task supports authentication of users and validation of tags specified in the RACF® ALTUSER command at runtime.

Before you begin

During the initial setup of IBM MFA, you do not need to start the started task until you have defined all factors and created the settings.

You must configure at least one of the following strong authentication factors before you start the IBM MFA services started task:
  • RSA SecurID ACEv5 UDP AZFSIDP1
  • RSA SecurID Auth API (HTTPS) AZFSIDP3
  • TOTP AZFTOTP1
  • Certificate AZFCERT1
  • Generic RADIUS AZFRADP1
  • Safenet RADIUS AZFSFNP1
  • SecurID RADIUS AZFSIDR1
  • Yubico OTP AZFYUBI1
  • IBM Security Verify Access AZFISAM1
  • LDAP AZFLDAP1
  • Check CTC AZFCKCTC
  • OpenID Connect AZFOIDC1 (SSO)
Important: Start the IBM MFA started tasks after TCP/IP, PAGENT (for AT-TLS, if needed), and ICSF (if needed) have started successfully and all TCP/IP-related services such as the resolver are running and fully initialized. See IBM MFA configuration roadmap for the factor-specific configuration requirements.

Start the IBM MFA started tasks before applications that use IBM MFA.

If a user who has been activated for IBM MFA attempts to log on to an application and the IBM MFA started tasks are not started, the logon fails. Only users with PWFALLBACK enabled as described in Configuring Password Fallback will be able to log on with their z/OS password or passphrase.

About this task

In Copy SAZFSAMP(AZF#IN00) and SAZFSAMP(AZF#IN01), you copied the AZF#IN00 member of the SAZFSAMP data set to the PROCLIB from which you run started tasks.

The IBM MFA services started task connects to a system LX. IBM recommends that you start AZF#IN00 with REUSASID=YES on the start command. If this is not done, the address space that the started task runs in will become non-reusable when IBM MFA terminates.

Procedure

  1. Start TCP/IP, AT-TLS (if needed), ICSF, and all TCP/IP-related services such as the resolver. See IBM MFA configuration roadmap for information about which authentication factors require AT-TLS.
  2. To start the started task if it is stopped, enter the following operator command:
    S <STC Job Name>
    For example:
    S AZF#IN00
  3. Start the started task on every z/OS instance sharing the RACF database where users log on.
  4. Verify that the task started. The absence of errors after the "AZF2110I Started console receiver" message in the SYSLOG indicates success.
    Note: If you have configured multiple instances of a factor as described in Configuring multiple instances of a factor, each factor instance is identified and logged separately in the IBM MFA started task’s SYSPRINT.
  5. Restart the started task after you define any new factors and create settings, and after you change the settings for existing factors.
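
The check in step 4, as an added example that is not part of the IBM documentation: a Python script that scans a SYSLOG extract for AZF2110I and lists any AZF error messages logged after it. It assumes that IBM MFA error messages carry an E or S severity suffix in the usual z/OS style; the sample lines and the AZF0000E message ID are constructed for illustration.

```python
import re

# Assumption: IBM MFA messages are "AZF" + 4 digits + a one-letter severity.
AZF_MSG = re.compile(r"\b(AZF\d{4})([A-Z])\b")
READY_ID = "AZF2110I"            # "Started console receiver", from step 4
ERROR_SEVERITIES = {"E", "S"}    # assumption: suffixes treated as errors


def check_startup(syslog_lines):
    """Return (started, errors) for the most recent start in the extract.

    started: True if AZF2110I was seen at least once.
    errors:  AZF error lines logged after the last AZF2110I.
    """
    started = False
    errors = []
    for line in syslog_lines:
        match = AZF_MSG.search(line)
        if not match:
            continue
        msg_id = match.group(1) + match.group(2)
        if msg_id == READY_ID:
            # A restart (step 5) opens a new window to check.
            started = True
            errors = []
        elif started and match.group(2) in ERROR_SEVERITIES:
            errors.append(line.strip())
    return started, errors


# Constructed sample input, not real SYSLOG output.
SAMPLE_CLEAN = [
    "S AZF#IN00",
    "AZF2110I Started console receiver",
]
SAMPLE_FAILED = [
    "S AZF#IN00",
    "AZF2110I Started console receiver",
    "AZF0000E constructed placeholder error text",
]

if __name__ == "__main__":
    for name, lines in (("clean", SAMPLE_CLEAN), ("failed", SAMPLE_FAILED)):
        started, errors = check_startup(lines)
        verdict = "OK" if started and not errors else "CHECK SYSPRINT"
        print(f"{name}: started={started} errors={len(errors)} -> {verdict}")
        for err in errors:
            print("   ", err)
```

Run it against the SYSLOG of every z/OS instance named in step 3, because each instance starts its own copy of the task.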