Configuring RACF for IBM MFA
There are a number of steps to be completed in order to begin using IBM® Multi-Factor Authentication for z/OS® with RACF®. IBM MFA should be installed as described in the IBM Multi-Factor Authentication for z/OS Installation and Customization. Then, perform the following steps to configure RACF for MFA:
- Define the factor to RACF:
An IBM MFA factor is defined by creating an MFADEF class profile with the name FACTOR.factor-name. Supported authentication factors are listed in the IBM Multi-Factor Authentication for z/OS product documentation. Note that a single factor name may enforce multiple authentication factors during logon.
For example, to define the RSA SecurID factor supported by IBM MFA:
RDEFINE MFADEF FACTOR.AZFSIDP1
- Assign the factor to users:
MFA factor data can be added to a RACF user ID with the MFA keyword of the ALTUSER command. The factor must be defined in the MFADEF class before this step can be completed. The sub-keywords of MFA are:
- FACTOR/DELFACTOR
- Use the FACTOR keyword to identify the name of the factor that is being added or modified.
Use the DELFACTOR keyword to delete a factor from a user profile.
- ACTIVE/NOACTIVE
- Use the ACTIVE keyword to activate a factor for use during logon.
Use the NOACTIVE keyword to disable a factor and revert to password checking.
- TAGS/DELTAGS/NOTAGS
- Use the TAGS keyword to assign configuration data that is specific to the factor. The data is specified in name:value format. The IBM Multi-Factor Authentication for z/OS product documentation contains information on supported tags. IBM MFA is called to validate the data. The MFA started task must be available when assigning tags, or the ALTUSER command fails.
Use the DELTAGS keyword to delete specific tags.
Use the NOTAGS keyword to delete all tags for the specified factor.
- PWFALLBACK/NOPWFALLBACK
- Use the PWFALLBACK keyword to allow the user to log on with a RACF password or password phrase whenever the ability to perform multi-factor authentication is not available (for example, the MFA started task is down). PWFALLBACK is not factor-specific.
Use NOPWFALLBACK to require the user to always authenticate using MFA.
- ADDPOLICY/DELPOLICY
- Use the ADDPOLICY keyword to add to the user's list of MFA authentication policies, where policy-name is the name of the MFA policy profile defined in the MFADEF class.
Use the DELPOLICY keyword to delete the specified policies from the user's list of MFA policies.
- NOMFA
- Use the NOMFA keyword to remove all MFA data from a user's profile.
See the z/OS Security Server RACF Command Language Reference for more information on the MFA keywords.
Example:
To require a user to authenticate with RSA SecurID, but allow the user to log on with their RACF password when MFA is unavailable:
ALTUSER SLJAXON MFA(FACTOR(AZFSIDP1) ACTIVE PWFALLBACK TAGS(SIDUSERID:SamLJ))
- Activate MFA checking:
When setup is complete, activate the MFADEF class.
SETROPTS CLASSACT(MFADEF)
When this is completed, RACF will call IBM Multi-Factor Authentication for z/OS to perform user authentication for any user who has an active MFA factor.
MFA checking can be disabled for all users by deactivating the MFADEF class:
SETROPTS NOCLASSACT(MFADEF)
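The three steps above combined into one batch TSO job, as an added example that is not from the IBM documentation. The JOB card values, the second user ID SYSPRG1 and its SIDUSERID value are placeholders; RLIST and LISTUSER with the MFA keyword are used only to read the definitions back so that the job output records the resulting configuration.

```jcl
//RACFMFA  JOB (ACCT),'CONFIGURE MFA',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the IBM documentation: the RACF commands
//* from this page run as a single batch TSO job (IKJEFT01) so that
//* the whole sequence and every RACF response land in SYSTSPRT.
//* JOB parameters, the user ID SYSPRG1 and its SIDUSERID value are
//* placeholders to be replaced with site values.
//*
//* Step 1  RDEFINE creates the factor profile; RLIST reads it back.
//* Step 2  ALTUSER attaches the factor to two users:
//*         SLJAXON may fall back to a password when MFA is down,
//*         SYSPRG1 (privileged) must always authenticate with MFA.
//*         The IBM MFA started task must be up, because the TAGS
//*         values are validated by IBM MFA or the ALTUSER fails.
//*         LISTUSER ... MFA shows the factor data now on the profile.
//* Step 3  SETROPTS CLASSACT(MFADEF) switches MFA checking on; from
//*         then on RACF calls IBM MFA for every user with an active
//*         factor. SETROPTS NOCLASSACT(MFADEF) reverses this.
//*
//TSOCMD   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD   SYSOUT=*
//SYSTSIN  DD   *
  RDEFINE MFADEF FACTOR.AZFSIDP1
  RLIST MFADEF FACTOR.AZFSIDP1
  ALTUSER SLJAXON MFA(FACTOR(AZFSIDP1) ACTIVE PWFALLBACK +
    TAGS(SIDUSERID:SamLJ))
  ALTUSER SYSPRG1 MFA(FACTOR(AZFSIDP1) ACTIVE NOPWFALLBACK +
    TAGS(SIDUSERID:SYSPRG1))
  LISTUSER SLJAXON MFA
  LISTUSER SYSPRG1 MFA
  SETROPTS CLASSACT(MFADEF)
/*
```

Review SYSTSPRT before relying on the change: a non-zero return code on either ALTUSER usually means the MFA started task was not available to validate the tags.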