search cancel

IBM MFA Security Profile Documentation Assistance With Top Secret

book

Article ID: 187422

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

An issue using IBM Multi Factor Authentication is occurring in which the shared secret used to validate the security certificate is invalidated after an IPL. IBM has requested certain documentation from RACF. Since the issue is occuring on both RACF and Top Secret LPARs, what is the Top Secret equivalent for the IBM request below?

"Please capture a raw copy of the current security profile. I don't see that you said which ESM the system of interest is running (we would like to know which it is). Assuming it is RACF, please run utility IRRUT200 with a control statement of "INDEX FORMAT", and search the generated output for the string "-FACTOR.AZFSFNP1". You should find an index entry for the base and MFA segment for the factor which you should record. Then print off the block(s) containing the two segments. If the RBA is 000000106100 you can use the IDCAMS control statement "PRINT INDA(<racf.database>) SKIP(X'106') COUNT(1)" to print the record containing the profile. If it is not RACF you will need to get assistance from Broadcom to collect the raw data."

 

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

There's no equivalent doc from a Top Secret perspective. The share secret issue in this case (running IBM MFA) is purely an IBM thing - regardless of it running under Top Secret. There is no base record for any IBM factors on the Top Secret security file. The only factor data we would have would be at the user level as an MFA segment. To get that info (MFA tag data), you would simple issue TSS LIST(acid) DATA(MFA). Other then that - that's it.

Outside of generating a PKCS#11 token on the TSS side, most of the server setup (along with shared secret) is performed by the IBM exec called AZFEXEC.

If the server "shared secret" value is changed, it needs to be re-configured with new value and redo PKCS#11 token command; then perform the AZFEXEC steps again.

IBM MFA and SafeNet RADIUS Implementation Steps Under Top Secret:

1. Configure IBM MFA for SafeNet factor: AZFSFNP1
      a. Refer to IBM Multi-Factor Authentication for z/OS Installation and Customization, Chapter: Configuring IBM MFA for SafeNet RADIUS.
      b. For PKCS#11 token setup, the Top Secret command would be:
      TSS P11TOKEN TOKENADD LABLCTKN(AZFSFNP1)

Additional Information