IBM Support

VM66338: RACF/VM ENABLEMENT FOR IBM Z MULTIFACTOR AUTHENTICATION

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • This APAR implements new function in RACF/VM to provide support
    for IBM Z Multifactor Authentication.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All z/VM administrators with the RACF for    *
    *                 z/VM feature installed.                      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    Enable support in RACF for multifactor authentication with the
    IBM Z Multifactor Authentication product.
    

Problem conclusion

Temporary fix

Comments

  • The RACF Security Server for z/VM 7.1 will provide support to
    communicate with the IBM Z Multifactor Authentication product
    with the PTF from this APAR. This will allow human users of
    z/VM to access their userids by providing factors instead of,
    or in addition to, traditional passwords or password phrases.
    
    IBM Z Multifactor Authentication is a separate product and is
    required to use this support.  A security administrator must
    use the Linux-based IBM Z MFA server and not the IBM z/OS
    version to enable MFA support for z/VM. Please refer to the
    IBM Z Multifactor Authentication Program Directory (5655-MA1)
    for more information on installing and configuring IBM Z MFA,
    including minimum distribution and package levels for supported
    Linux on Z releases.
    
    RACF for z/VM has been enabled to create, modify, audit, and
    delete the MFA configuration for a z/VM userid. When a z/VM
    userid is enabled for MFA, the IBM Z MFA server becomes the
    Policy Decision Point (PDP) for authentication. Human users
    must authenticate to IBM Z MFA in advance of the z/VM logon;
    they will receive a derived credential of configurable
    complexity after successful completion. This credential can
    then be entered on the z/VM LOGON screen, via CP LOGON, or
    through any other interface one might expect for access to a
    z/VM system. RACF for z/VM verifies the validity of the derived
    credential with the Multifactor Authentication Server and
    either allows or denies access; RACF remains the Policy
    Enforcement Point (PEP) for the z/VM authentication flow and
    follows the audit, user revocation and expiration
    configuration.
    
    MFA-enabled users may be granted Password Fallback authority,
    in which case they may choose to authenticate directly to z/VM
    using their traditional RACF for z/VM password or password
    phrase. This is an auditable event, additionally, the z/VM
    System Operator is notified. MFA is enabled on a per-user
    basis; there is no technical requirement to enable every user
    for MFA. This is important for technical users or service
    virtual machines (which should not necessarily have passwords).
    
    This support is enabled for z/VM 7.1 RACF and future releases.
    It is recommended that all members in a mixed-level Single
    System Image cluster be updated to z/VM 7.1, with CP APAR
    VM66324, before enabling MFA. While the RACF database may be
    shared between earlier and later releases of z/VM, validation
    of the derived credential will not occur when logging onto a
    system missing the required support.
    
    The output of RACFDBU and RACFADU has been updated to include
    the protected user status, MFA configuration and various MFA
    related audit events.
    
    The following publications have been updated:
    
    RACF Security Server Command Language Reference (SC24-6306-02)
    - Update ADDUSER, ALTUSER, LISTUSER commands
    
    RACF Security Server Macros and Interfaces (SC24-6309-01)
    - SMF record definitions
    - User Basic Data Record
    
    RACF Security Server Messages and Codes (GC24-6310-02)
    - Add various new MFA related messages
    - Update ICH408I to include MFA decisions
    
    RACF Security Server Security Administrator's Guide
    (GC24-6310-02)
    - Add new chapter about MFA administration and configuration
    
    Security Server RACROUTE Macro Reference (SC24-6324-01)
    - Update RACROUTE macro definition with AUTH=NOMFA options
    
    NOTE:
    APAR VM66338 hits part IRRTEMP2, but the RACF database templates
    are NOT updated.  Although message VMFSRV1220W is received when
    applying VM66338, running the RACFCONV utility is not necessary
    when RACF database template version HRF77A0 00000194.00000022 is
    already active.
    

APAR Information

  • APAR number

    VM66338

  • Reported component name

    RACF/VM SUPPORT

  • Reported component ID

    576700201

  • Reported release

    710

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2019-11-04

  • Closed date

    2020-05-13

  • Last modified date

    2021-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UV99363

Modules/Macros

  • ICHCAD01 ICHCAU00 ICHCCU00 ICHCCU01 ICHCLU00 ICHCOP05 ICHCTV00
    ICHPRCVT ICHRAU00 ICHRAU02 ICHRAU05 ICHRIN00 ICHRIXP  ICHSEC00
    IHAACEE  IRRADUX1 IRRADU01 IRRADU10 IRRADU20 IRRCAU0P IRRCCU0P
    IRRDBU03 IRRENV00 IRRENV11 IRRHIST0 IRRMPP00 IRRMXPW0 IRRPRIPL
    IRRRDF09 IRRRIN09 IRRRIN17 IRRTEMP2 IRRXTR01 RACDBULD RACDBUTB
    RACINIT  RACROUTE RPIBLLNK RPIBLOBJ RPIMFA   RPIMLGN  RPISTART
    SYS1
    

Publications Referenced
SC24630602SC24630901GC24631002SC24631101SC24632401

Fix information

  • Fixed component name

    RACF/VM SUPPORT

  • Fixed component ID

    576700201

Applicable component levels

  • R710 PSY UV99363

       UP20/05/19 P 2101

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SG27N"},"Platform":[{"code":"PF054","label":"z/OS"}],"Version":"710"}]

Document Information

Modified date:
30 June 2021