VM66338: RACF/VM ENABLEMENT FOR IBM Z MULTIFACTOR AUTHENTICATION

Obtain the fix for this APAR.

APAR status

• Closed as new function.

Error description

• This APAR implements new function in RACF/VM to provide support
  for IBM Z Multifactor Authentication.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All z/VM administrators with the RACF for    *
  *                 z/VM feature installed.                      *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  ****************************************************************
  * RECOMMENDATION: APPLY PTF                                    *
  ****************************************************************
  Enable support in RACF for multifactor authentication with the
  IBM Z Multifactor Authentication product.
  

Problem conclusion

Temporary fix

Comments

• The RACF Security Server for z/VM 7.1 will provide support to
  communicate with the IBM Z Multifactor Authentication product
  with the PTF from this APAR. This will allow human users of
  z/VM to access their userids by providing factors instead of,
  or in addition to, traditional passwords or password phrases.
  
  IBM Z Multifactor Authentication is a separate product and is
  required to use this support.  A security administrator must
  use the Linux-based IBM Z MFA server and not the IBM z/OS
  version to enable MFA support for z/VM. Please refer to the
  IBM Z Multifactor Authentication Program Directory (5655-MA1)
  for more information on installing and configuring IBM Z MFA,
  including minimum distribution and package levels for supported
  Linux on Z releases.
  
  RACF for z/VM has been enabled to create, modify, audit, and
  delete the MFA configuration for a z/VM userid. When a z/VM
  userid is enabled for MFA, the IBM Z MFA server becomes the
  Policy Decision Point (PDP) for authentication. Human users
  must authenticate to IBM Z MFA in advance of the z/VM logon;
  they will receive a derived credential of configurable
  complexity after successful completion. This credential can
  then be entered on the z/VM LOGON screen, via CP LOGON, or
  through any other interface one might expect for access to a
  z/VM system. RACF for z/VM verifies the validity of the derived
  credential with the Multifactor Authentication Server and
  either allows or denies access; RACF remains the Policy
  Enforcement Point (PEP) for the z/VM authentication flow and
  follows the audit, user revocation and expiration
  configuration.
  
  MFA-enabled users may be granted Password Fallback authority,
  in which case they may choose to authenticate directly to z/VM
  using their traditional RACF for z/VM password or password
  phrase. This is an auditable event, additionally, the z/VM
  System Operator is notified. MFA is enabled on a per-user
  basis; there is no technical requirement to enable every user
  for MFA. This is important for technical users or service
  virtual machines (which should not necessarily have passwords).
  
  This support is enabled for z/VM 7.1 RACF and future releases.
  It is recommended that all members in a mixed-level Single
  System Image cluster be updated to z/VM 7.1, with CP APAR
  VM66324, before enabling MFA. While the RACF database may be
  shared between earlier and later releases of z/VM, validation
  of the derived credential will not occur when logging onto a
  system missing the required support.
  
  The output of RACFDBU and RACFADU has been updated to include
  the protected user status, MFA configuration and various MFA
  related audit events.
  
  The following publications have been updated:
  
  RACF Security Server Command Language Reference (SC24-6306-02)
  - Update ADDUSER, ALTUSER, LISTUSER commands
  
  RACF Security Server Macros and Interfaces (SC24-6309-01)
  - SMF record definitions
  - User Basic Data Record
  
  RACF Security Server Messages and Codes (GC24-6310-02)
  - Add various new MFA related messages
  - Update ICH408I to include MFA decisions
  
  RACF Security Server Security Administrator's Guide
  (GC24-6310-02)
  - Add new chapter about MFA administration and configuration
  
  Security Server RACROUTE Macro Reference (SC24-6324-01)
  - Update RACROUTE macro definition with AUTH=NOMFA options
  
  NOTE:
  APAR VM66338 hits part IRRTEMP2, but the RACF database templates
  are NOT updated.  Although message VMFSRV1220W is received when
  applying VM66338, running the RACFCONV utility is not necessary
  when RACF database template version HRF77A0 00000194.00000022 is
  already active.
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UV99363

Modules/Macros

• ICHCAD01 ICHCAU00 ICHCCU00 ICHCCU01 ICHCLU00 ICHCOP05 ICHCTV00
  ICHPRCVT ICHRAU00 ICHRAU02 ICHRAU05 ICHRIN00 ICHRIXP  ICHSEC00
  IHAACEE  IRRADUX1 IRRADU01 IRRADU10 IRRADU20 IRRCAU0P IRRCCU0P
  IRRDBU03 IRRENV00 IRRENV11 IRRHIST0 IRRMPP00 IRRMXPW0 IRRPRIPL
  IRRRDF09 IRRRIN09 IRRRIN17 IRRTEMP2 IRRXTR01 RACDBULD RACDBUTB
  RACINIT  RACROUTE RPIBLLNK RPIBLOBJ RPIMFA   RPIMLGN  RPISTART
  SYS1
  

Fix information

• Fixed component name

  RACF/VM SUPPORT

• Fixed component ID

  576700201

Applicable component levels

• R710 PSY UV99363

     UP20/05/19 P 2101

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.