Multi Factor Authentication using PKI in Top Secret


Article ID: 217768


Updated On:

Products

Top Secret ACF2

Issue/Introduction

MFA is currently implemented for Top Secret (TSS) using RADIUS calls to an RSA server.

We are investigating replacing the RADIUS/RSA solution with a PKI solution that verifies the user's second factor from their smart card or PKI file (the same credential on a different medium: an X.509 certificate).

The desired logon process would be something like the following:

1. The user enters userid/password.

2. TSS AAM (Advanced Authentication Mainframe) calls the PKI server to obtain the user's X.509 certificate.

3. The user enters their PKI password to unlock and verify the certificate (to access the VPN today, the PKI file is specified and requires a password to "unlock" the certificate; the same process is desired for PKI-based 2FA).
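The certificate check behind steps 2 and 3, as an added example written against the openssl CLI; this is not Top Secret, AAM or IBM code. A password-protected PKCS#12 file stands in for the smart card or PKI file, a locally generated test CA stands in for the trust anchor the PKI server would publish, and the userid USER01, the passphrase Secret1 and the file names are constructed for the example. The verifier unlocks the container with the passphrase, checks that the certificate chains to the CA, checks that the certificate subject is bound to the userid entered in step 1, and makes the holder prove possession of the private key by signing a fresh nonce.

```shell
#!/bin/sh
# Added example, not vendor code: a PKI second factor checked with the
# openssl CLI. All names, passphrases and the CA are constructed test data.

# Build a throwaway CA and one user credential under directory $1.
setup_test_pki() {
  dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Test Issuing CA" \
    -days 1 -out "$dir/ca.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/user.key" 2>/dev/null
  openssl req -new -key "$dir/user.key" -subj "/CN=USER01" \
    -out "$dir/user.csr" 2>/dev/null
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/user.pem" 2>/dev/null
  # The PKCS#12 passphrase plays the role of the "unlock" password in step 3.
  openssl pkcs12 -export -in "$dir/user.pem" -inkey "$dir/user.key" \
    -passout pass:Secret1 -out "$dir/user.p12" 2>/dev/null
}

# verify_pki_factor P12 PASSPHRASE CAFILE USERID
# Prints OK and returns 0 only if all four checks pass; otherwise prints the
# failing check and returns 1.
verify_pki_factor() {
  p12="$1"; pass="$2"; ca="$3"; userid="$4"
  work=$(mktemp -d) || return 1
  # 1. Unlock: a wrong passphrase cannot open the container, so the factor
  #    fails here before any certificate is looked at.
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
       -out "$work/cert.pem" 2>/dev/null; then
    echo "FAIL: cannot unlock credential"; rm -rf "$work"; return 1
  fi
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
    -out "$work/key.pem" 2>/dev/null
  # 2. Chain: the certificate must chain to the CA we trust.
  if ! openssl verify -CAfile "$ca" "$work/cert.pem" >/dev/null 2>&1; then
    echo "FAIL: certificate does not chain to trusted CA"; rm -rf "$work"; return 1
  fi
  # 3. Binding: the subject CN must match the userid entered in step 1.
  subj=$(openssl x509 -in "$work/cert.pem" -noout -subject -nameopt RFC2253)
  subj=${subj#subject=}
  case ",$subj," in
    *",CN=$userid,"*) ;;
    *) echo "FAIL: subject '$subj' is not bound to $userid"; rm -rf "$work"; return 1 ;;
  esac
  # 4. Possession: sign a fresh nonce with the private key and verify it with
  #    the certificate's public key, so a copied certificate alone is not enough.
  openssl rand -out "$work/nonce.bin" 32 2>/dev/null
  openssl x509 -in "$work/cert.pem" -pubkey -noout > "$work/pub.pem"
  if ! openssl dgst -sha256 -sign "$work/key.pem" -out "$work/nonce.sig" \
         "$work/nonce.bin" 2>/dev/null ||
     ! openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/nonce.sig" \
         "$work/nonce.bin" >/dev/null 2>&1; then
    echo "FAIL: proof of possession failed"; rm -rf "$work"; return 1
  fi
  rm -rf "$work"
  echo OK
}

# Stand-alone demo: build the test PKI, then try the right and a wrong passphrase.
demo() {
  d=$(mktemp -d)
  setup_test_pki "$d"
  verify_pki_factor "$d/user.p12" Secret1 "$d/ca.pem" USER01
  verify_pki_factor "$d/user.p12" wrongpw "$d/ca.pem" USER01 || true
  rm -rf "$d"
}
demo
```

The proof-of-possession step is what makes this a second factor rather than a lookup: without it, anyone who has obtained the public certificate (which is not secret) could satisfy the check. On a real smart card the signing happens on the card and the key never leaves it, which is the property the PKCS#12 file only approximates. The example also omits revocation checking (CRL or OCSP against the issuing CA), which a production verifier must add.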

 

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

There are two supported ways to use a PIV (smart card) credential as a factor with Top Secret.

1) The AAM CAPAM_PIVCACn factor. This option requires the CA PAM product (CA Privileged Access Manager) to store and verify the PIV credential; AAM calls PAM for the verification.

2) IBM's out-of-band factors. This option requires the IBM MFA server product (IBM's counterpart to AAM). The user authenticates to the IBM MFA server out of band with the PIV credential, optionally together with the mainframe password, and receives a cache token credential (an 8-byte token) that is then entered in the mainframe password field at logon.

Summary: To implement MFA with PIV, you need either the CA PAM product to store and verify the PIV credential (used through AAM), or IBM's MFA server for out-of-band PIV factor support. Neither option has TSS itself validate the X.509 certificate; the certificate check is done by PAM or by the IBM MFA server.