Top Secret MFA Configuration Questions
Article ID: 138552

Products

Top Secret
Top Secret - LDAP

Issue/Introduction

1. Can multiple RSA servers be specified (i.e. a primary and 3 backups)?

2. Is there anything special needed to use an SSL link to the RSA server instead of clear text?

3. What happens if a user is subject to Two Factor Authentication (2FA), the TSSMFA server is unavailable, and 'NOT' fall back to password is set?

4. What happens if a user has access to the appropriate TSSMFA rule but does not have an MFA segment on their userid?

5. What if a user has a 2FA segment on their userid but does not have access to any of the 2FA rules?

Environment

Release: 16.0

Component: CA Top Secret for z/OS

Resolution

1. Can multiple RSA servers be specified (i.e. a primary and 3 backups)?

1A) No, only one server can be specified.

2. Is there anything special needed to use an SSL link to the RSA server instead of clear text?

2A) No. AAM picks up the RSA server address from the SDCONF.REC file (the RSA configuration file generated in the RSA Security Console).

3. What happens if a user is subject to Two Factor Authentication (2FA), the TSSMFA server is unavailable, and 'NOT' fall back to password is set?

3A) The user logon will fail.

4. What happens if a user has access to the appropriate TSSMFA rule but does not have an MFA segment on their userid?

4A) For RSA (factor=CAAAMRSA), the MFA segment is not actually required. An MFA segment is needed only when the RSA userid differs from the TSS userid, because the segment performs the userid mapping. If the TSS userid is different from the RSA userid and there is no MFA segment, the logon will fail.

5. What if a user has a 2FA segment on their userid but does not have access to any of the 2FA rules?

5A) For RSA (factor=CAAAMRSA), it depends on the value set for MFACTIVE (part of the MFA segment).

    - If MFACTIVE(FACILITY) is set and the user has no permit, the logon uses password processing, not 2FA.

    - If MFACTIVE(YES) is set, no permit is needed; the logon proceeds as 2FA.
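The logon outcomes described in questions 3, 4 and 5 combine into one decision: first whether the RSA factor applies at all (segment, MFACTIVE value, TSSMFA permit, userid match), then whether an unavailable server fails the logon or falls back to password. The model below is an added example written for this article; it is not code from the article or from the Top Secret product. Field names, outcome labels and the sample userids are constructed. Two points are assumptions rather than statements from the article: a user with neither an MFA segment nor a TSSMFA permit is treated as password processing, and the fall-back-to-password setting being on is taken to mean the logon completes with password processing. An audit helper lists which sample users would complete a logon without the RSA factor, which is the question a reviewer usually wants answered.

```python
from dataclasses import dataclass
from typing import List, Optional

# Outcome labels for this model (constructed for the example, not Top Secret messages).
FAIL = "FAIL"            # logon is rejected
PASSWORD = "PASSWORD"    # logon uses ordinary password processing
TWO_FACTOR = "2FA"       # logon is authenticated by the RSA factor (CAAAMRSA)


@dataclass
class LogonContext:
    """One user's MFA-relevant state (constructed field names, not TSS keywords)."""
    tss_userid: str
    rsa_userid: str               # identity the RSA server knows the user by
    has_mfa_segment: bool         # MFA segment present on the TSS userid
    mfactive: Optional[str]       # "YES" or "FACILITY" when a segment exists
    has_tssmfa_permit: bool       # user is permitted to a TSSMFA rule
    server_available: bool        # TSSMFA/RSA server reachable at logon time
    fallback_to_password: bool    # the "fall back to password" setting


def authentication_mode(ctx: LogonContext) -> str:
    """Decide whether this logon is subject to 2FA (questions 4 and 5)."""
    if not ctx.has_mfa_segment:
        if not ctx.has_tssmfa_permit:
            # Assumption (not stated in the article): with neither a segment
            # nor a permit, nothing selects the RSA factor, so password applies.
            return PASSWORD
        # Q4: without a segment there is no userid mapping, so the TSS userid
        # must already be the RSA userid; otherwise the logon fails.
        return TWO_FACTOR if ctx.tss_userid == ctx.rsa_userid else FAIL
    if ctx.mfactive == "YES":
        # Q5: MFACTIVE(YES) needs no permit; 2FA always applies.
        return TWO_FACTOR
    if ctx.mfactive == "FACILITY":
        # Q5: MFACTIVE(FACILITY) applies 2FA only where a TSSMFA permit exists.
        return TWO_FACTOR if ctx.has_tssmfa_permit else PASSWORD
    raise ValueError(f"unsupported MFACTIVE value: {ctx.mfactive!r}")


def logon_outcome(ctx: LogonContext) -> str:
    """Combine the mode decision with server availability (question 3)."""
    mode = authentication_mode(ctx)
    if mode != TWO_FACTOR:
        return mode
    if not ctx.server_available:
        # Q3: a 2FA user cannot log on while the server is down unless the
        # fall-back-to-password setting is on (assumed to mean password logon).
        return PASSWORD if ctx.fallback_to_password else FAIL
    return TWO_FACTOR


def password_only_logons(contexts: List[LogonContext]) -> List[str]:
    """Audit helper: userids whose logon would complete without the RSA factor."""
    return sorted(c.tss_userid for c in contexts if logon_outcome(c) == PASSWORD)


# Constructed sample users, one per case discussed in the article.
SAMPLE_USERS = [
    LogonContext("USER01", "USER01", False, None, True, True, False),        # Q4: ids match -> 2FA
    LogonContext("USER02", "RSA02", False, None, True, True, False),         # Q4: ids differ -> FAIL
    LogonContext("USER03", "RSA03", True, "FACILITY", False, True, False),   # Q5: no permit -> PASSWORD
    LogonContext("USER04", "RSA04", True, "YES", False, True, False),        # Q5: YES -> 2FA
    LogonContext("USER05", "RSA05", True, "YES", False, False, False),       # Q3: server down -> FAIL
    LogonContext("USER06", "RSA06", True, "YES", False, False, True),        # Q3: fallback on -> PASSWORD
]

if __name__ == "__main__":
    for ctx in SAMPLE_USERS:
        print(f"{ctx.tss_userid}: {logon_outcome(ctx)}")
    print("password-only logons:", password_only_logons(SAMPLE_USERS))
```

The useful output for a reviewer is the last line: any userid listed there is one whose logon can complete with a password alone, either because MFACTIVE(FACILITY) is set without a permit or because the fall-back setting covers a server outage.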