search cancel

Setting up Mainframe Advanced Authentication for Top Secret questions.

book

Article ID: 190767

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

We are working on Advanced Authentication setup using Radius (Symantec SVIP soft tokens). We were able to follow documentation and successfully setup RADIUS_OTP type of credential. The goal however is to go with multi-factor authentication where users need to enter a password followed by a pin (or if entered without a pin a push should be generated). When we tried using RADIUS_PASSWORD credential type we are getting RADIUS SERVER UNAVAILABLE TSS messages during logon. Task MFASTC has an error message in it that might be related: 'java.lang.NumberFormatException: For input string: "" '

We also have some additional questions:
- Can more than 1 factor be active on the same LPAR - RADIUS_OTP and RADIUS_PASSWORD?
-
Will every LPAR need to have MFASTC running on it or just 1 per SYSPLEX? We DO NOT share TSS databases.
-
What are all those radius types and what are differences? RADIUS_RSA, RADIUS_SAFENET, RADIUS_GENERIC, RADIUS_DEFENDER, RADIUS_OTP,RADIUS_PASSWORD
-
How to list MFACTIVE, MFACTOR and MFADATA on the ACID? These do not come up on TSS LIST(<id>) DATA(ALL)
-
Can multiple factors be added to user ID? Can those be added to a profile and used with a % as a mask for userID.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

1. Can more than 1 factor be active on the same LPAR - RADIUS_OTP and RADIUS_PASSWORD?
Answer:
Since there can have multiple factor per user, there can be more than 1 factor be active on the same LPAR. Although there can assign multiple factors to a user, only one factor can be active at any given time.

This restriction will be lifted in the future due to IBM's Out-of-Band (OOB) support for multiple factors (being active) within a policy pertaining to a user. An enhancement is being made to Top Secret to support IBM's Out-of-Band (OOB).

This will allow Top Secret control option MFACTIVE(YES|FACILITY) to be set for one or more factors for a user.

example:
TSS LIST(RACHAEL) DATA(MFA)

ACCESSORID = RACHAEL NAME = RACHAEL E. KOT
----------- SEGMENT MFA
FACTOR = RADIUS_PASSWORD
MFACTIVE = YES
TAGS = RADIUSNAME:kotpa01
FACTOR = CAAAMRSA
MFACTIVE = FACILITY
TAGS = RSANAME:kotpa01

TSS0300I LIST FUNCTION SUCCESSFUL

Note: During logon time, TSS will use the first one active in the list of MFA factors.
With IIBM MFA Out-Of-Band , one or more factors will be used if the IBM MFA Out-Of-Band  Policy calls for it.



2. Will every LPAR need to have MFASTC running on it or just 1 per SYSPLEX? We DO NOT share TSS databases.
Answer:
MFASTC started task is needed for each LPAR.

3. What are all those radius types and what are differences? RADIUS_RSA, RADIUS_SAFENET, RADIUS_GENERIC, RADIUS_DEFENDER, RADIUS_OTP,RADIUS_PASSWORD
Answer:
The factor name provides a clue on its functional usage:
• Use the factor RADIUS_RSA when the server is running RADIUS protocol, with RSA as it's client authentication method.
• Use the factor RADIUS_PASSWORD when the server is running RADIUS protocol, with some token processing as it's client authentication method; in conjunction with supplying the Top Secret PASSWORD as one of the MFA factors. So the user's credentials would be a password plus a token code.
• GENERIC would be used for any time of RADIUS method.
• And so forth...


4. How to list MFACTIVE, MFACTOR and MFADATA on the ACID? These do not come up on TSS LIST() DATA(ALL)
Answer:
TSS LIST(acid) DATA(MFA)

which is documented here.

----------- SEGMENT MFA
PWFALLBACK = YES
FACTOR = AZFSIDP1
MFACTIVE = NO
TAGS = SIDUSERID:KOTPA77
FACTOR = CAAAMRSA
MFACTIVE = YES
TAGS = RSANAME:KOTPA77
FACTOR = CAPAM_PIVCAC0
MFACTIVE = YES
TAGS = PAMNAME:CN=PIVKey EE228562B324B7438D6E995360323E2C
FACTOR = RADIUS_RSA
MFACTIVE = NO
TAGS = RADIUSNAME:KOTPA77



5. Can multiple factors be added to user ID? Can those be added to a profile and used with a % as a mask for userID.
Answer:
See answer to question 1.