A fix is available
APAR status
Closed as new function.
Error description
This APAR implements new function in RACF/VM to provide support for IBM Z Multifactor Authentication.
Local fix
Problem summary
USERS AFFECTED: All z/VM administrators with the RACF for z/VM feature installed.
PROBLEM DESCRIPTION:
RECOMMENDATION: APPLY PTF
Enable support in RACF for multifactor authentication with the IBM Z Multifactor Authentication product.
Problem conclusion
Temporary fix
Comments
The RACF Security Server for z/VM 7.1 will provide support to communicate with the IBM Z Multifactor Authentication product with the PTF from this APAR. This will allow human users of z/VM to access their userids by providing factors instead of, or in addition to, traditional passwords or password phrases.

IBM Z Multifactor Authentication is a separate product and is required to use this support. A security administrator must use the Linux-based IBM Z MFA server and not the IBM z/OS version to enable MFA support for z/VM. Please refer to the IBM Z Multifactor Authentication Program Directory (5655-MA1) for more information on installing and configuring IBM Z MFA, including minimum distribution and package levels for supported Linux on Z releases.

RACF for z/VM has been enabled to create, modify, audit, and delete the MFA configuration for a z/VM userid. When a z/VM userid is enabled for MFA, the IBM Z MFA server becomes the Policy Decision Point (PDP) for authentication. Human users must authenticate to IBM Z MFA in advance of the z/VM logon; after successful completion they receive a derived credential of configurable complexity. This credential can then be entered on the z/VM LOGON screen, via CP LOGON, or through any other interface one might expect for access to a z/VM system. RACF for z/VM verifies the validity of the derived credential with the Multifactor Authentication Server and either allows or denies access; RACF remains the Policy Enforcement Point (PEP) for the z/VM authentication flow and follows the audit, user revocation and expiration configuration.

MFA-enabled users may be granted Password Fallback authority, in which case they may choose to authenticate directly to z/VM using their traditional RACF for z/VM password or password phrase. This is an auditable event; additionally, the z/VM System Operator is notified.

MFA is enabled on a per-user basis; there is no technical requirement to enable every user for MFA. This is important for technical users or service virtual machines (which should not necessarily have passwords).

This support is enabled for z/VM 7.1 RACF and future releases. It is recommended that all members in a mixed-level Single System Image cluster be updated to z/VM 7.1, with CP APAR VM66324, before enabling MFA. While the RACF database may be shared between earlier and later releases of z/VM, validation of the derived credential will not occur when logging onto a system missing the required support.

The output of RACFDBU and RACFADU has been updated to include the protected user status, MFA configuration and various MFA related audit events.

The following publications have been updated:
- RACF Security Server Command Language Reference (SC24-6306-02): update ADDUSER, ALTUSER, LISTUSER commands
- RACF Security Server Macros and Interfaces (SC24-6309-01): SMF record definitions; User Basic Data Record
- RACF Security Server Messages and Codes (GC24-6310-02): add various new MFA related messages; update ICH408I to include MFA decisions
- RACF Security Server Security Administrator's Guide (GC24-6310-02): add new chapter about MFA administration and configuration
- Security Server RACROUTE Macro Reference (SC24-6324-01): update RACROUTE macro definition with AUTH=NOMFA options

NOTE: APAR VM66338 hits part IRRTEMP2, but the RACF database templates are NOT updated. Although message VMFSRV1220W is received when applying VM66338, running the RACFCONV utility is not necessary when RACF database template version HRF77A0 00000194.00000022 is already active.
APAR Information
APAR number
VM66338
Reported component name
RACF/VM SUPPORT
Reported component ID
576700201
Reported release
710
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2019-11-04
Closed date
2020-05-13
Last modified date
2021-06-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UV99363
Modules/Macros
ICHCAD01 ICHCAU00 ICHCCU00 ICHCCU01 ICHCLU00 ICHCOP05 ICHCTV00 ICHPRCVT ICHRAU00 ICHRAU02 ICHRAU05 ICHRIN00 ICHRIXP ICHSEC00 IHAACEE IRRADUX1 IRRADU01 IRRADU10 IRRADU20 IRRCAU0P IRRCCU0P IRRDBU03 IRRENV00 IRRENV11 IRRHIST0 IRRMPP00 IRRMXPW0 IRRPRIPL IRRRDF09 IRRRIN09 IRRRIN17 IRRTEMP2 IRRXTR01 RACDBULD RACDBUTB RACINIT RACROUTE RPIBLLNK RPIBLOBJ RPIMFA RPIMLGN RPISTART SYS1
SC24630602 | SC24630901 | GC24631002 | SC24631101 | SC24632401 |
Fix information
Fixed component name
RACF/VM SUPPORT
Fixed component ID
576700201
Applicable component levels
R710 PSY UV99363
UP20/05/19 P 2101
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
30 June 2021