When using TPX there are Passticket issues with IBM MFA and CA AAM

book

Article ID: 223125

calendar_today

Updated On:

Products

CA TPX - Session Management CA ACF2 CA Advanced Authentication Mainframe

Issue/Introduction

TPX Passticket validation fails for application session initiation, when IBM MFA / CA AAM is activated. 

Checking for PassTicket use in the SEVPOST exit doesn't always work.
CA AAM users with the RADIUS_RSA factor can't use PassTickets.

Cause

When the user is an IBM MFA user with an active factor, flag SXPPSTKT is not set in the SEVPOST Exit parameter list even though a PassTicket is successfully used for signon.

Environment

Release :  5.4
                16.0
                 2.0

Component : CA TPX    for  Z/OS
                      CA ACF2 for Z/OS
                      CA AAM  for Z/OS

Resolution

To circumvent change the RADIUS_RSA factor to NOACTIVE for the user or stop the CA AAM started task and give the user's Logonid FALLBACK.

To Fix the problem, apply ACF2 PTF LU01453.