The RACF PassTicket is a one-time-only password that is generated by a requesting product
or function. It is an alternative to the RACF password and password phrase that removes the need to
send RACF passwords and password phrases across the network in clear text.
Before you begin
You must have already configured an application to use PassTickets.
About this task
If you are using a "strong" factor such as IBM TouchToken, IBM MFA with SecurID, or IBM MFA Certificate Authentication for a user, you can also specify PassTickets. (There is no practical benefit to specifying PassTickets alone, because IBM MFA would not be involved.) You can configure IBM MFA to allow the use of a PassTicket only after a successful IBM MFA logon, or to use only the PassTicket and not an IBM MFA logon.
In both cases, IBM MFA then calls R_GenSec with the user ID, the 8-character PassTicket, and the application name to evaluate the PassTicket.
Important: Make sure that you tell the application users when to log on with their PassTicket, and specifically whether they must first log on with their IBM MFA credentials.
Procedure
- Use RDEFINE to define an MFADEF class profile named FACTOR.AZFPTKT1:
RDEF MFADEF FACTOR.AZFPTKT1
- Refresh the MFADEF class:
SETROPTS RACLIST(MFADEF) REFRESH
- Verify the change. For example:
RLIST MFADEF FACTOR.AZFPTKT1
- Use RDEFINE to create a FACILITY class profile named IRR.RFACTOR.MFADEF.AZFPTKT1:
RDEF FACILITY IRR.RFACTOR.MFADEF.AZFPTKT1
- Refresh the FACILITY class:
SETROPTS RACLIST(FACILITY) REFRESH
- Verify the change. For example:
RLIST FACILITY IRR.RFACTOR.MFADEF.AZFPTKT1
- Authorize the administrators who execute the panels to the IRR.RFACTOR.MFADEF.AZFPTKT1 profile. Allow the access shown in Table 1:
Table 1. Required levels of permission
| Permission | Access |
| READ | Able to view configuration options, but may not update, create, or delete parameters. |
| UPDATE, CONTROL, ALTER | Able to create, update, delete, and view configuration options. |
For example:
PERMIT IRR.RFACTOR.MFADEF.AZFPTKT1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
SETROPTS RACLIST(FACILITY) REFRESH
- Allow the user ID of the IBM MFA services started task AZF#IN00 READ access to the PTKTDATA IRRPTAUTH.RACF_APPLICATION_NAME.USERID profile. The recommended approach is to use PTKTDATA IRRPTAUTH.RACF_APPLICATION_NAME.* for the user ID. The example assumes that you have previously RACLISTed and activated the PTKTDATA class and added the profile.
For example:
PERMIT IRRPTAUTH.RACF_APPLICATION_NAME.* ACCESS(READ) CLASS(PTKTDATA) ID(user-id)
SETROPTS RACLIST(PTKTDATA) REFRESH
- Execute AZFEXEC and choose AZFPTKT1.
- Choose from the following options:
- Activate users for PassTickets:
ALU LOGIN ID MFA(FACTOR(AZFPTKT1) ACTIVE TAGS(WINDOW:numseconds MFAFIRST:Y|N))
Where:
- LOGIN ID is the z/OS user name.
- ACTIVE activates the AZFPTKT1 authenticator for the user ID.
- WINDOW sets the evaluation window, as a number of seconds.
- MFAFIRST specifies whether to require a successful IBM MFA logon before the PassTicket is evaluated. The possible values are Y and N, and uppercase is required.
If you set MFAFIRST or WINDOW for a user, the user-level tag overrides the default setting for that user.
- To return a user to the default tag settings:
ALU LOGIN ID MFA(FACTOR(AZFPTKT1) DELTAGS(MFAFIRST WINDOW))
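The whole procedure above as one REXX exec that issues the RACF commands in order and stops at the first non-zero return code, so that a failed RDEFINE or PERMIT is not silently followed by the SETROPTS refresh that would hide it. This is an added example, not IBM's code and not part of the original page. MYAPP (the RACF application name), MFAADMIN, USER01, and the 300-second window are constructed placeholders; AZF#IN00 and the profile names are the ones the procedure uses. The interactive AZFEXEC panel step is not scripted.

```rexx
/* REXX -- added example, not IBM's code: run the PassTicket factor   */
/* configuration steps in order, stopping at the first failure.       */
/* Constructed placeholder values (replace with your own):            */
/*   MYAPP    - the RACF application name already configured for      */
/*              PassTickets (RACF_APPLICATION_NAME in the procedure)  */
/*   MFAADMIN - an administrator who executes the AZFPTKT1 panels     */
/*   USER01   - the user being activated for PassTickets              */
/* AZF#IN00 is the IBM MFA services started task user ID.             */
address TSO

appl     = 'MYAPP'
admin    = 'MFAADMIN'
user     = 'USER01'
window   = 300    /* evaluation window in seconds (constructed value)  */
mfafirst = 'Y'    /* Y: require an IBM MFA logon before the PassTicket */

/* 1. MFADEF class profile for the factor, then refresh and verify     */
call issue "RDEF MFADEF FACTOR.AZFPTKT1"
call issue "SETROPTS RACLIST(MFADEF) REFRESH"
call issue "RLIST MFADEF FACTOR.AZFPTKT1"

/* 2. FACILITY class profile that guards the AZFPTKT1 panels          */
call issue "RDEF FACILITY IRR.RFACTOR.MFADEF.AZFPTKT1"
call issue "SETROPTS RACLIST(FACILITY) REFRESH"
call issue "RLIST FACILITY IRR.RFACTOR.MFADEF.AZFPTKT1"

/* 3. Administrator access. ALTER lets the admin create, update and    */
/*    delete parameters; READ alone only allows viewing (Table 1).     */
call issue "PERMIT IRR.RFACTOR.MFADEF.AZFPTKT1 CLASS(FACILITY)" ,
           "ID("admin") ACCESS(ALTER)"
call issue "SETROPTS RACLIST(FACILITY) REFRESH"

/* 4. Let the IBM MFA started task evaluate PassTickets for the        */
/*    application. Assumes PTKTDATA is active and RACLISTed and the    */
/*    IRRPTAUTH profile already exists, as the procedure requires.     */
call issue "PERMIT IRRPTAUTH."appl".* CLASS(PTKTDATA)" ,
           "ID(AZF#IN00) ACCESS(READ)"
call issue "SETROPTS RACLIST(PTKTDATA) REFRESH"

/* 5. The AZFEXEC / AZFPTKT1 panel step is interactive; run it by hand. */

/* 6. Activate the user with explicit tags, which override the factor  */
/*    defaults for this user only.                                     */
call issue "ALU" user "MFA(FACTOR(AZFPTKT1) ACTIVE" ,
           "TAGS(WINDOW:"window" MFAFIRST:"mfafirst"))"
exit 0

/* Issue one RACF command; stop the exec on a non-zero return code.    */
issue: procedure
  parse arg cmd
  say '>' cmd
  cmd
  if rc <> 0 then do
     say 'Command failed with RC=' rc '- stopping.'
     exit rc
  end
return
```

To revert USER01 to the factor defaults afterwards, issue the ALU ... DELTAGS(MFAFIRST WINDOW) form from the last step; the exec deliberately does not include it, since it undoes step 6.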