Release : 16.0
Component : CA Top Secret for z/OS
1. Can more than 1 factor be active on the same LPAR - RADIUS_OTP and RADIUS_PASSWORD?
Answer:
Since a user can have multiple factors, more than one factor can be defined on the same LPAR. However, although multiple factors can be assigned to a user, only one factor can be active at any given time.
This restriction will be lifted in the future with IBM's Out-of-Band (OOB) support for multiple factors being active within a policy pertaining to a user. An enhancement is being made to Top Secret to support IBM's Out-of-Band (OOB).
This will allow the Top Secret control option MFACTIVE(YES|FACILITY) to be set for one or more factors for a user.
Example:
    TSS LIST(RACHAEL) DATA(MFA)
    ACCESSORID = RACHAEL    NAME = RACHAEL E. KOT
    ----------- SEGMENT MFA
        FACTOR   = RADIUS_PASSWORD
        MFACTIVE = YES
        TAGS     = RADIUSNAME:kotpa01
        FACTOR   = CAAAMRSA
        MFACTIVE = FACILITY
        TAGS     = RSANAME:kotpa01
    TSS0300I LIST FUNCTION SUCCESSFUL
Note: During logon, TSS uses the first active factor in the list of MFA factors.
With IBM MFA Out-of-Band, one or more factors will be used if the IBM MFA Out-of-Band policy calls for it.
2. Will every LPAR need to have MFASTC running on it or just 1 per SYSPLEX? We DO NOT share TSS databases.
Answer:
MFASTC started task is needed for each LPAR.
3. What are all those RADIUS types and what are the differences? RADIUS_RSA, RADIUS_SAFENET, RADIUS_GENERIC, RADIUS_DEFENDER, RADIUS_OTP, RADIUS_PASSWORD
Answer:
The factor name provides a clue to its functional usage:
• Use the factor RADIUS_RSA when the server is running the RADIUS protocol with RSA as its client authentication method.
• Use the factor RADIUS_PASSWORD when the server is running the RADIUS protocol with some token processing as its client authentication method, in conjunction with supplying the Top Secret PASSWORD as one of the MFA factors. The user's credentials would then be a password plus a token code.
• RADIUS_GENERIC would be used for any type of RADIUS method.
• And so forth...
4. How to list MFACTIVE, MFACTOR and MFADATA on the ACID? These do not come up on TSS LIST() DATA(ALL)
Answer:
    TSS LIST(acid) DATA(MFA)
which is documented in the Top Secret documentation. Sample output:
    ----------- SEGMENT MFA
        PWFALLBACK = YES
        FACTOR     = AZFSIDP1
        MFACTIVE   = NO
        TAGS       = SIDUSERID:KOTPA77
        FACTOR     = CAAAMRSA
        MFACTIVE   = YES
        TAGS       = RSANAME:KOTPA77
        FACTOR     = CAPAM_PIVCAC0
        MFACTIVE   = YES
        TAGS       = PAMNAME:CN=PIVKey EE228562B324B7438D6E995360323E2C
        FACTOR     = RADIUS_RSA
        MFACTIVE   = NO
        TAGS       = RADIUSNAME:KOTPA77
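As an added example (not part of this article or of the Top Secret product), the following Python parses a captured TSS LIST(acid) DATA(MFA) listing of the shape shown above and reports which factor TSS will apply at logon, using the rule from question 1 that the first active factor in the list wins. The sample listing is constructed for this example; the ACID, factor names and tag values in it are placeholders modelled on the output above, and MFACTIVE=FACILITY is treated as active, as question 1 allows.

```python
import re

# Constructed sample, modelled on the TSS LIST(acid) DATA(MFA) listing in question 4.
SAMPLE_LISTING = """\
ACCESSORID = KOTPA77   NAME = SAMPLE USER
----------- SEGMENT MFA
   PWFALLBACK = YES
   FACTOR     = AZFSIDP1
   MFACTIVE   = NO
   TAGS       = SIDUSERID:KOTPA77
   FACTOR     = CAAAMRSA
   MFACTIVE   = YES
   TAGS       = RSANAME:KOTPA77
   FACTOR     = RADIUS_RSA
   MFACTIVE   = NO
   TAGS       = RADIUSNAME:KOTPA77
TSS0300I LIST FUNCTION SUCCESSFUL
"""

KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")  # "KEY = value", value may contain '='

def parse_mfa_segment(listing):
    """Return (pwfallback, factors); factors keep the order TSS printed them."""
    pwfallback, factors, in_segment = None, [], False
    for line in listing.splitlines():
        if line.startswith("-----------"):           # segment header line
            in_segment = "SEGMENT MFA" in line
            continue
        m = KEY_VALUE.match(line) if in_segment else None
        if m is None:                                # outside the segment, or a TSS message
            continue
        key, value = m.group(1).upper(), m.group(2)
        if key == "PWFALLBACK":
            pwfallback = value.upper() == "YES"
        elif key == "FACTOR":                        # each FACTOR line starts a new entry
            factors.append({"factor": value, "mfactive": "NO", "tags": []})
        elif key == "MFACTIVE" and factors:
            factors[-1]["mfactive"] = value.upper()
        elif key == "TAGS" and factors:
            factors[-1]["tags"].append(value)
    return pwfallback, factors

def logon_factor(listing):
    """First factor with MFACTIVE=YES or FACILITY: the one TSS applies at logon."""
    for f in parse_mfa_segment(listing)[1]:
        if f["mfactive"] in ("YES", "FACILITY"):
            return f["factor"]
    return None                                       # no active factor for this ACID
```

Running the parser over saved listings for many ACIDs is a quick way to audit which users actually have an active factor and which still fall back to a password.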
5. Can multiple factors be added to a user ID? Can those be added to a profile and used with a % as a mask for the user ID?
Answer:
See answer to question 1.