IBM MFA factor AZFTOTP1 enrollment failing in ACF2

Article ID: 221331

Products

CA ACF2 - z/OS, CA ACF2, CA ACF2 - MISC

Issue/Introduction

The IBM MFA Factor AZFTOTP1 enrollment URL gives this error:

AZF5177E An internal server error prevented enrollment of your new TouchToken Account.

The AZF#IN01 log shows:

AZFTOTP:Failed to set user factor data (sts=0,safrc=8,racfrc=12,racfrsn=0x4)
AZFTOTPWEB:AZF5160E Failed to commit a user's AZFTOTP1 factor data (ABCDE, safrc=8, racfrc=12, racfrsn=0x4)

Environment

Release : 16.0

Component :

Resolution

The logonid of the IBM MFA out-of-band Web Services started task, AZFWEB, needs the SECURITY privilege to update the TAGS fields in PROFILE(USER),DIV(MFA) records for all factors, including AZFTOTP1, AZFCERT1 and AZFYUBI.

Modify the AZFWEB started task logonid as shown below:

ACF
SET LID
CHANGE AZFWEB SECURITY

There is an option to scope the SECURITY privilege as described in the IBM MFA Web services Started Task ID documentation.
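To confirm that failures in saved AZF#IN01 output carry the same return-code signature as the excerpt in this article, and to list the users whose enrollment failed, a small triage script can help. This is an added example, not code from IBM or Broadcom; the line layout is assumed from the two excerpt lines, and the function names and the lines marked as constructed are illustrative.

```python
import re

# Return-code triple shown in this article's AZF#IN01 excerpt.
SIGNATURE = {"safrc": 8, "racfrc": 12, "racfrsn": 0x4}

# Assumed layout, taken from the two excerpt lines: COMPONENT:[MSGID ]text (fields)
LINE_RE = re.compile(
    r"(?P<component>AZF\w+):(?:(?P<msgid>AZF\d{4}[A-Z])\s+)?"
    r"(?P<text>.*?)\s*\((?P<fields>[^()]*)\)\s*$"
)

def parse_line(line):
    """Return component, message ID, user and numeric codes, or None if no match."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = {"component": m["component"], "msgid": m["msgid"], "user": None, "codes": {}}
    for field in (f.strip() for f in m["fields"].split(",")):
        if "=" in field:
            key, value = field.split("=", 1)
            try:
                rec["codes"][key.strip()] = int(value.strip(), 0)  # accepts 12 and 0x4
            except ValueError:
                continue  # non-numeric value: ignore rather than guess
        elif field:
            rec["user"] = field  # bare token, e.g. the user ID in AZF5160E
    return rec

def signature_hits(lines):
    """Records whose codes contain every name/value pair in SIGNATURE."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and all(rec["codes"].get(k) == v for k, v in SIGNATURE.items()):
            hits.append(rec)
    return hits

def affected_users(hits):
    """User IDs named in AZF5160E commit failures among the hits."""
    return sorted({h["user"] for h in hits if h["msgid"] == "AZF5160E" and h["user"]})

SAMPLE_LOG = [
    "AZFTOTP:Failed to set user factor data (sts=0,safrc=8,racfrc=12,racfrsn=0x4)",
    "AZFTOTPWEB:AZF5160E Failed to commit a user's AZFTOTP1 factor data (ABCDE, safrc=8, racfrc=12, racfrsn=0x4)",
    # Constructed lines: a different code triple and unrelated text; neither may match.
    "AZFTOTPWEB:AZF5160E Failed to commit a user's AZFTOTP1 factor data (USER2, safrc=4, racfrc=0, racfrsn=0x0)",
    "constructed line with no AZF component or fields",
]

if __name__ == "__main__":
    hits = signature_hits(SAMPLE_LOG)
    print(len(hits), "matching lines; users:", affected_users(hits))
```

Run it against the log before and after granting the privilege: new AZF5160E entries with this signature after the change indicate the update did not take effect for the AZFWEB logonid.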


Additional Information

PTF SO13978 is required for out-of-band support.