TN3270E Telnet server Express Logon Feature support for Multi-Factor Authentication

z/OS® V2R3 Communications Server, with APAR PI85185, RACF® APAR OA53002, and IBM® MFA for z/OS APARs PI86470 and PI93341, extends the TN3270 Telnet server Express Logon Feature (ELF) to support IBM Multi-Factor Authentication (MFA) for z/OS. With this support, TN3270 clients get the same single sign-on behavior that the PassTicket-based ELF already offers, but through an MFA token that is issued by a SAF-compliant external security manager such as IBM Security Server RACF. When the new EXPRESSLOGONMFA parameter is coded in the TN3270E Telnet server profile, ELF authenticates clients by presenting their X.509 client certificate to MFA. If no MFA token is available for the user, authentication fails by default. ELF can be configured to revert to PassTicket authentication in certain cases where MFA authentication is unsuccessful.
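As an added illustration, not taken from this page or from IBM's documentation, the following TN3270E Telnet server profile fragment shows where EXPRESSLOGONMFA sits relative to the TLS and client-certificate settings that ELF depends on. The port number, the key ring name, and the choice of a native SECUREPORT (rather than an AT-TLS TTLSPORT) are assumptions; the keyword that enables the PassTicket fallback is not shown because the page does not give it.

```text
TELNETPARMS
  SECUREPORT 992            ; TLS-protected Telnet port (port number is an assumed value)
  KEYRING SAF TN3270RING    ; SAF key ring holding the server certificate (ring name is an assumed value)
  CLIENTAUTH SAFCERT        ; client must present an X.509 certificate that maps to a SAF user ID
  EXPRESSLOGONMFA           ; ELF authenticates the mapped user ID with an MFA token instead of a PassTicket
ENDTELNETPARMS
```

With this fragment, a client that connects on the secure port and presents a certificate that RACF cannot map to a user ID with an MFA policy is rejected, which is the default behavior the text describes.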

Dependencies:
  • IBM Security Server RACF APAR OA53002
  • IBM Multi-Factor Authentication for z/OS APARs PI86470 and PI93341
To enable TN3270E Telnet server Express Logon Feature support for Multi-Factor Authentication, perform the tasks in Table 1.

Table 1. TN3270E Telnet server Express Logon Feature support for Multi-Factor Authentication

Task/Procedure | Reference
Define MFA policies for the appropriate client user IDs. | z/OS Security Server RACF Security Administrator's Guide
Enable Express Logon MFA support in the TN3270E Telnet server. |