IBM Support

Does Connect:Direct z/OS 5.2 Support MFA (Multi-Factor Authentication)?

Question & Answer


Question

Does Connect:Direct z/OS 5.2 Support MFA (Multi-Factor Authentication)?

Answer

Connect:Direct does not support MFA (multi-factor authentication). If MFA is activated in the Security product (RACF, ACF2, TSS), Connect:Direct must be identified as an application that does not perform MFA processing.

APAR PI76113 / PTF UI44819 was the first SPE written to support this. It added the APPLID parameter to the Stage 2 Security exit; the parameter defaulted to CONDIR but could be changed to any 1- to 8-character application name chosen by the customer. Because the exit then passed APPL= on its RACROUTE calls unconditionally, every customer, whether using MFA or not, was required to define the corresponding profile definitions and access privileges in their Security product.

PTF UI44819 was later marked PE (PTF in error) because z/OS environments that did not intend to use MFA were nevertheless forced to update their Security product to support the APPLID parameter. The fixing APAR PI91530 / PTF UI53187 changed the default of the APPLID parameter in the Stage 2 Security exit to NOMFA. With NOMFA, DGASECUR omits APPL= on its RACROUTE calls, so no APPL or MFA bypass profile definitions and access privileges need to be defined in your Security product when MFA is not in use.

If MFA is activated in the Security product (RACF, ACF2, TSS), Connect:Direct must be identified as an application that does not perform MFA processing by doing the following:


    (1) Install PTF UI53187.

    (2) After installing this PTF, the Stage-2 Security Exit source must be modified to change the APPLID parameter from NOMFA to the chosen application name, such as CONDIR or any other 1- to 8-character name. Make any other local modifications to the Stage-2 Security Exit source and reassemble.

    (3) The Security product must be updated to define the application name used in the Stage 2 Security exit and to add an MFA bypass profile for it. In RACF the APPL and MFADEF classes must be active and RACLISTed for these profiles to take effect. The following is an example of how the RACF Security product is updated to define the application name and the bypass profile:


      RDEFINE APPL applname OWNER(secadmin) UACC(NONE)
      RDEFINE MFADEF MFABYPASS.APPL.applname OWNER(secadmin) UACC(NONE)
      SETROPTS RACLIST(APPL) REFRESH
      SETROPTS RACLIST(MFADEF) REFRESH

      where 'applname' is the selected application name, such as CONDIR, and 'secadmin' is the ID of the security administrator.

    (4) Once the above profiles are defined, the user IDs that will SIGNON to Connect:Direct for API functions and/or for Process execution must be permitted READ access to both profiles. Once the exit passes APPL= on its RACROUTE calls, a user without READ access to the APPL profile will fail SIGNON, so grant the access before activating the reassembled exit. The following is an example of how the RACF Security product is updated to grant READ access to each user that performs SIGNON functions or executes Processes:
      PERMIT applname CLASS(APPL) ID(userid) ACCESS(READ)
      PERMIT MFABYPASS.APPL.applname CLASS(MFADEF) ID(userid) ACCESS(READ)
      where 'applname' is the selected application name defined above and 'userid' is the ID of an individual C:D z/OS user. Issue SETROPTS RACLIST(APPL) REFRESH and SETROPTS RACLIST(MFADEF) REFRESH again after the PERMIT commands so the new access list is in effect.
Note: the commands above are for RACF. If you use ACF2 or TSS, consult that product's documentation for the equivalent application and MFA bypass definitions.
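The following batch TSO job pulls steps (3) and (4) together as one unit of work. It is an added example, not from the IBM page or the Connect:Direct product, and it makes these assumptions: the APPLID in the reassembled Stage-2 exit is CONDIR, the APPL and MFADEF classes are already active and RACLISTed, the security administrator ID is SECADMIN, and the Connect:Direct users are collected in a hypothetical RACF group CDUSERS (the user IDs CDUSER1 and CDUSER2 are placeholders). Permitting a group rather than individual IDs keeps the access list to two entries, and the RLIST commands at the end let you confirm the result in SYSTSPRT.

```jcl
//CDMFABYP JOB (ACCT),'CD MFA BYPASS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example (not IBM's): define the Connect:Direct APPLID CONDIR
//* to RACF and exempt it from IBM MFA processing. Assumes APPL and
//* MFADEF are already active and RACLISTed; if not, run
//*   SETROPTS CLASSACT(APPL) RACLIST(APPL)
//*   SETROPTS CLASSACT(MFADEF) RACLIST(MFADEF)
//* beforehand. SECADMIN, CDUSERS, CDUSER1 and CDUSER2 are placeholders.
//*
//* Order matters: create the group, define both profiles with
//* UACC(NONE), grant the group READ, then refresh each RACLISTed class
//* once so no signon lands between a profile definition and its PERMIT.
//*
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP CDUSERS SUPGROUP(SYS1) OWNER(SECADMIN) -
           DATA('CONNECT:DIRECT SIGNON AND PROCESS USERS')
  CONNECT CDUSER1 GROUP(CDUSERS)
  CONNECT CDUSER2 GROUP(CDUSERS)
  RDEFINE APPL CONDIR OWNER(SECADMIN) UACC(NONE) -
          DATA('CONNECT:DIRECT APPLID - NO MFA PROCESSING')
  RDEFINE MFADEF MFABYPASS.APPL.CONDIR OWNER(SECADMIN) UACC(NONE)
  PERMIT CONDIR CLASS(APPL) ID(CDUSERS) ACCESS(READ)
  PERMIT MFABYPASS.APPL.CONDIR CLASS(MFADEF) ID(CDUSERS) ACCESS(READ)
  SETROPTS RACLIST(APPL) REFRESH
  SETROPTS RACLIST(MFADEF) REFRESH
  RLIST APPL CONDIR AUTHUSER
  RLIST MFADEF MFABYPASS.APPL.CONDIR AUTHUSER
/*
```

In the RLIST output, check that each profile shows UACC NONE and that the access list contains only CDUSERS with READ; any other entry, or a non-NONE UACC, would let IDs outside the Connect:Direct population use the MFA exemption. Adding a user later is then a single CONNECT to CDUSERS with no further PERMIT or REFRESH.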

If MFA is not activated in the Security product and you have PTF UI53187 installed, keep the APPLID parameter at its default of NOMFA and reassemble the Stage-2 Security Exit. No APPL or MFADEF profiles are needed in this case.

Product: IBM Sterling Connect:Direct for z/OS (SSFGBN)
Platform: z/OS
Version: 5.2

Document Information

Modified date:
17 December 2019

UID

swg22012723