IBM Support

IBM Security zSecure support for IBM Multi-Factor Authentication for z/OS (APAR numbers OA49576, OA50009, OA50011, OA50012, OA50284)

News


Abstract

To enable future support for IBM Multi-Factor Authentication (MFA) for z/OS, some basic enhancements have been provided in IBM Security zSecure suite Versions 2.2.0, 2.1.1, and 2.1.0.

MFA support is intended to simplify administration by helping to enforce authentication policy, providing alert notifications, and reporting on authentication audit events and compliance. IBM Security zSecure capabilities help prevent privileged user threats, simplify administration, automate auditing, and reduce operational risk.

Content

Documentation updates
The current basic enhancements for MFA have resulted in several documentation updates for the following zSecure publications:

  • IBM Security zSecure Admin and Audit for RACF User Reference Manual
  • IBM Security zSecure CARLa Command Reference
  • IBM Security zSecure Command Verifier User Guide
  • IBM Security zSecure Messages Guide


See the attached PDF file for the documentation updates:
zSecure_MFA.pdfzSecure_MFA.pdf

Note: Referenced topics that have not changed are not included in this document. You can find them in the publication that the chapter applies to.

RACF-Offline
Using zSecure RACF-Offline, you can issue RACF commands against an offline or inactive RACF database. With the introduction of IBM Multi-Factor Authentication for z/OS (MFA) services, several RACF commands interact with the MFA server. Based on the information provided by these RACF commands, the MFA server might update information that is related to the affected user. When issuing RACF commands in the offline environment, such interaction is undesirable and might lead to consistency errors. For this reason, the following functions are currently not supported in the RACF-Offline environment:
  • Adding, removing, or changing MFA information in a USER profile.
  • Deleting users that have MFA information.

MFA-related updates for QRadar SIEM
The MFA-related SMF records for QRadar SIEM did not result in zSecure documentation updates.
The following fields pertaining to SMF Type 80 records were made available to QRadar:
authenticatorSpecifies the authentication method that was used for a successful authentication.
compCodeSpecifies the job or step completion code of an authentication request.

Migration
The following aids are available to assist in planning for and applying all relevant maintenance at once:
  • A technote from the RACF team about support for multi-factor authentication in conjunction with the new IBM Multi-factor Authentication for z/OS product.
  • If you have RACF-Offline and you install the RACF PTF for MFA, then the RACF-Offline PTF for MFA will automatically be installed as well, because the RACF PTFs provide ++ VER statements in the version control program System Modification Program Extended (SMP/E) specifications.
  • To pick up additonal recommended maintenance, it is good practice to regularly run REPORT MISSINGFIX for the following category that has been defined: IBM.Function.Multi-FactorAuthentication (MFA/K).

[{"Product":{"code":"SSPQTM","label":"IBM Security zSecure Admin"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"--","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"2.1;2.1.1;2.2","Edition":""},{"Product":{"code":"SSRM9V","label":"IBM Security zSecure Command Verifier"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""},{"Product":{"code":"SSATXH","label":"IBM Security zSecure suite"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""},{"Product":{"code":"SSRQ8D","label":"IBM Security zSecure Audit for RACF"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""},{"Product":{"code":"SSDR89","label":"IBM Security zSecure Adapters for QRadar SIEM"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""}]

Document Information

Modified date:
16 June 2018

UID

swg21976903