IBM MFA Security Profile Documentation Assistance With Top Secret

Article ID: 187422

Products

Top Secret

Issue/Introduction

An issue using IBM Multi Factor Authentication is occurring in which the shared secret used to validate the security certificate is invalidated after an IPL. IBM has requested certain documentation from RACF. Since the issue is occurring on both RACF and Top Secret LPARs, what is the Top Secret equivalent for the IBM request below?

"Please capture a raw copy of the current security profile. I don't see that you said which ESM the system of interest is running (we would like to know which it is). Assuming it is RACF, please run utility IRRUT200 with a control statement of "INDEX FORMAT", and search the generated output for the string "-FACTOR.AZFSFNP1". You should find an index entry for the base and MFA segment for the factor which you should record. Then print off the block(s) containing the two segments. If the RBA is 000000106100 you can use the IDCAMS control statement "PRINT INDA(<racf.database>) SKIP(X'106') COUNT(1)" to print the record containing the profile. If it is not RACF you will need to get assistance from Broadcom to collect the raw data."

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

There is no equivalent documentation from a Top Secret perspective. The shared secret issue in this case (running IBM MFA) is purely an IBM matter, regardless of whether it runs under Top Secret. There is no base record for any IBM factors on the Top Secret security file. The only factor data Top Secret holds is at the user level, as an MFA segment. To list that information (the MFA tag data), simply issue TSS LIST(acid) DATA(MFA). Other than that, there is nothing further to collect on the Top Secret side.

Outside of generating a PKCS#11 token on the TSS side, most of the server setup (along with shared secret) is performed by the IBM exec called AZFEXEC.

If the server "shared secret" value is changed, it needs to be re-configured with the new value and the PKCS#11 token command redone; then perform the AZFEXEC steps again.

IBM MFA and SafeNet RADIUS Implementation Steps Under Top Secret:

1. Configure IBM MFA for the SafeNet factor: AZFSFNP1
      a. Refer to IBM Multi-Factor Authentication for z/OS Installation and Customization, Chapter: Configuring IBM MFA for SafeNet RADIUS.
      b. For PKCS#11 token setup, the Top Secret command would be:
         TSS P11TOKEN TOKENADD LABLCTKN(AZFSFNP1)
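
The two Top Secret commands referenced in this article (TSS LIST(acid) DATA(MFA) to capture the user-level MFA segment data, and TSS P11TOKEN TOKENADD to create the PKCS#11 token for the factor) can be run from a batch job so the output can be saved and attached to the vendor case rather than read off a TSO screen. The following JCL is an added example and is not from the article or from Broadcom; it assumes the job card, the ACID names USER01 and USER02, and the use of the TSO batch processor IKJEFT01 are acceptable at your site, and that the submitting ACID has the authority to issue these commands.

```jcl
//TSSMFA   JOB (ACCT),'MFA SEGMENT LIST',CLASS=A,MSGCLASS=X
//* Added example (not from the article): issue Top Secret commands
//* under the TSO batch processor and keep the listing in the job
//* output for the support case.
//* Assumptions: job card, ACID names and the need for the TOKENADD
//* step are site-specific placeholders.
//*
//* Step 1: list the MFA segment (MFA tag data) for each affected ACID.
//* This is the only factor data Top Secret holds for IBM MFA.
//LISTMFA  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  TSS LIST(USER01) DATA(MFA)
  TSS LIST(USER02) DATA(MFA)
/*
//*
//* Step 2 (only when the shared secret has been changed): recreate the
//* PKCS#11 token for the SafeNet factor, then rerun the IBM AZFEXEC
//* steps as described above.
//P11TOKEN EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  TSS P11TOKEN TOKENADD LABLCTKN(AZFSFNP1)
/*
```

Run only the LISTMFA step when gathering data for IBM; the P11TOKEN step belongs to the re-configuration described in the Resolution and should be submitted only after the new shared secret has been set.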

Additional Information