Configuring RACF for IBM MFA

There are a number of steps to be completed in order to begin using IBM® Multi-Factor Authentication for z/OS® with RACF®. IBM MFA should be installed as described in the IBM Multi-Factor Authentication for z/OS Installation and Customization. Then, perform the following steps to configure RACF for MFA:

  1. Define the factor to RACF:

    An IBM MFA factor is defined by creating an MFADEF class profile with the name FACTOR.factor-name. Supported authentication factors are listed in the IBM Multi-Factor Authentication for z/OS product documentation. Note that a single factor name may enforce multiple authentication factors during logon.

    For example, to define the RSA SecurID factor supported by IBM MFA:
    RDEFINE MFADEF FACTOR.AZFSIDP1
  2. Assign the factor to users:
    MFA factor data can be added to a RACF user ID with the MFA keyword of the ALTUSER command. The factor must be defined in the MFADEF class before this step can be completed. The sub-keywords of MFA are:
    FACTOR/DELFACTOR
    Use the FACTOR keyword to identify the name of the factor that is being added or modified.

    Use the DELFACTOR keyword to delete a factor from a user profile.

    ACTIVE/NOACTIVE
    Use the ACTIVE keyword to activate a factor for use during logon.

    Use the NOACTIVE keyword to disable a factor and revert to password checking.

    TAGS/DELTAGS/NOTAGS
    Use the TAGS keyword to assign configuration data that is specific to the factor. The data is specified in name:value format. The IBM Multi-Factor Authentication for z/OS product documentation contains information on supported tags. IBM MFA is called to validate the data. The MFA started task must be available when assigning tags, or the ALTUSER command fails.

    Use the DELTAGS keyword to delete specific tags.

    Use the NOTAGS keyword to delete all tags for the specified factor.

    PWFALLBACK/NOPWFALLBACK
    Use the PWFALLBACK keyword to allow the user to log on with a RACF password or password phrase whenever multi-factor authentication cannot be performed (for example, the MFA started task is down). PWFALLBACK is not factor-specific; it applies to the user as a whole.

    Use NOPWFALLBACK to require the user to always authenticate using MFA.

    ADDPOLICY/DELPOLICY
    Use the ADDPOLICY keyword to add policies to the user's list of MFA authentication policies, where policy-name is the name of an MFA policy profile defined in the MFADEF class.

    Use the DELPOLICY keyword to delete the specified policies from the user's list of MFA policies.

    NOMFA
    Use the NOMFA keyword to remove all MFA data from a user's profile.

    See the z/OS Security Server RACF Command Language Reference for more information on the MFA keywords.

    Example:

    To require a user to authenticate with RSA SecurID, but allow the user to log on with their RACF password when MFA is unavailable:
    ALTUSER SLJAXON MFA(FACTOR(AZFSIDP1) ACTIVE PWFALLBACK
                      TAGS(SIDUSERID:SamLJ))
  3. Activate MFA checking:
    When setup is complete, activate the MFADEF class.
    SETROPTS CLASSACT(MFADEF)

    When this is completed, RACF will call IBM Multi-Factor Authentication for z/OS to perform user authentication for any user who has an active MFA factor.

    MFA checking can be disabled for all users by deactivating the MFADEF class:
    SETROPTS NOCLASSACT(MFADEF)
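    The three steps above as one ordered, checked command plan, written in Python as an added illustration (not IBM's or RACF's code): it enforces the ordering the text requires (RDEFINE before ALTUSER, SETROPTS CLASSACT last), checks the name:value shape of TAGS, and flags NOPWFALLBACK users who cannot log on while the MFA started task is down. Factor AZFSIDP1, user SLJAXON and tag SIDUSERID:SamLJ are the page's own example values; the factor-name pattern, the blank separation of multiple tags and the user JDOE are assumptions or constructed.

```python
import re

# Assumption: factor names are 1-8 uppercase alphanumerics, like AZFSIDP1.
FACTOR_RE = re.compile(r"^[A-Z0-9]{1,8}$")


def define_factor(defined, factor):
    """Step 1: RDEFINE the MFADEF profile FACTOR.factor-name and remember it."""
    if not FACTOR_RE.match(factor):
        raise ValueError(f"bad factor name {factor!r}")
    defined.add(factor)
    return f"RDEFINE MFADEF FACTOR.{factor}"


def assign_factor(defined, userid, factor, tags, pwfallback=True, active=True):
    """Step 2: ALTUSER userid MFA(...). Refuses a factor not yet in MFADEF,
    because RACF rejects the ALTUSER in that case."""
    if factor not in defined:
        raise ValueError(f"FACTOR.{factor} not defined in MFADEF; RDEFINE it first")
    for name, value in tags.items():
        # TAGS are name:value pairs; IBM MFA itself validates the values,
        # so the MFA started task must be up when this command runs.
        if not name or not value or ":" in name:
            raise ValueError(f"tag must be name:value, got {name!r}:{value!r}")
    parts = [f"FACTOR({factor})",
             "ACTIVE" if active else "NOACTIVE",
             "PWFALLBACK" if pwfallback else "NOPWFALLBACK"]
    if tags:
        # Assumption: multiple tags are blank-separated inside TAGS().
        parts.append("TAGS(" + " ".join(f"{n}:{v}" for n, v in tags.items()) + ")")
    return f"ALTUSER {userid} MFA({' '.join(parts)})"


def build_rollout(factor, assignments):
    """Return the ordered command list: define, assign, then activate the class.
    assignments: list of (userid, tags, pwfallback)."""
    defined = set()
    cmds = [define_factor(defined, factor)]
    for userid, tags, pwfallback in assignments:
        cmds.append(assign_factor(defined, userid, factor, tags, pwfallback))
    # Step 3 goes last: once MFADEF is active, every user with an active
    # factor is routed to IBM MFA for authentication.
    cmds.append("SETROPTS CLASSACT(MFADEF)")
    return cmds


def users_without_fallback(assignments):
    """Users who cannot log on at all while the MFA started task is unavailable."""
    return [u for u, _, pwfallback in assignments if not pwfallback]


if __name__ == "__main__":
    plan = [("SLJAXON", {"SIDUSERID": "SamLJ"}, True)]  # the page's example user
    print("\n".join(build_rollout("AZFSIDP1", plan)))
```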