Support for Multi-Factor Authentication using RACF

CICS® Transaction Server for z/OS® provides support for Multi-Factor Authentication (MFA) using RACF®.

If you are an RACF user, see Multi-Factor Authentication for z/OS in z/OS Security Server RACF Security Administrator's Guide for an overview of MFA and the prerequisite for this feature.

If you are using other security products, see the documentation of your ESM for details of support and prerequisites.

The following information shows how to implement MFA in CICS, based on the example of RACF and IBM® Multi-Factor Authentication for z/OS.

CICS supports in-band MFA tokens. If you use z/OS Out-of-Band authentication, you can generate a one-time-use token, which CICS also supports.

MFA tokens are supported on the following session-based logon interfaces:
Table 1. Session-based logon interfaces that support MFA

| Interface | CICS level requirement |
| --- | --- |
| CICS Explorer® | CICS TS V5.4 with APAR PI87691 or later |
| CESN and CESL | CICS TS V4.2 with APAR PI21865; CICS TS V5.1 with APAR PI21866; CICS TS V5.2 with APAR PI21866; CICS TS V5.3 or later |
| CPSM WUI | |
| User-written sign-on programs using EXEC CICS SIGNON | |

MFA tokens are not supported on stateless requests that cache credentials.

Depending on their length, MFA tokens should be entered in the phrase or password field.

For more information, see IBM Multi-Factor Authentication for z/OS User's Guide.