ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Does Top Secret Propagate IBM MFA TAGS REGSTATE With CPF?

book

Article ID: 237301

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

Two LPARs are running in a sysplex: system A and system B. Each LPAR has its own Top Secret security file that is kept in sync with CPF (Command Propagation Facility). IBM MFA (Multi Factor Authentication) has been installed using PIV cards for out-of-band (AZFCERT1). 

- The POLICY and MFACTOR are added to the user's ACID and show up on the ACID on both system A and system B.

- The user then enrolls via the IBM RSA registration website on system A.

- At this point TSS LIST(acid) DATA(MFA) shows TAGS REGSTATE:REVIEW on System A where the enrollment took place. But on System B TSS LIST(acid) DATA(MFA) still shows TAGS REGSTATE:OPEN. For example:

TSS LIST(acid) DATA(MFA) on system A shows:                  
 ACCESSORID = acid    NAME       = name
 -----------  SEGMENT MFA                  
 FACTOR     = AZFCERT1
 MFACTIVE   = YES                          
 TAGS       = REGSTATE:REVIEW


TSS LIST(acid) DATA(MFA) on system B shows:                  
 ACCESSORID = acid    NAME       = name
 -----------  SEGMENT MFA                  
 FACTOR     = AZFCERT1
 MFACTIVE   = YES                          
 TAGS       = REGSTATE:OPEN

- On system A, an administrator then issues

TSS REPLACE(acid) MFACTOR(AZFCERT1) MFADATA(REGSTATE:APPROVED)  MFACTIVE(YES)

which approves and changes the ACID on system A to TAGS = REGSTATE:APPROVED. But on System B TAGS = remains REGSTATE:OPEN.  The original REGSTATE tag seemed to propagate to System B but not any updates after that, including the approval, so when trying to use MFA on system B, it fails to get a token. Does CPF replicate the IBM MFA user definitions from one LPAR to another?

Environment

Release : 16.0

Component : Advanced Authentication Mainframe

Resolution

The user registers their certificate (certificate enrollment, or CE) pointing to a single LPAR. This is the LPAR where the MFA data changes from REGSTATE:OPEN to REGSTATE:REVIEW, but only on the LPAR that the user performs the enrollment. CPF is not involved in this process, so this does not get CPF'd to other systems. 

You can't change the state directly from OPEN to APPROVED, it must be in REVIEW state first and the REVIEW state is not done via a command. The modification of the REGSTATE from OPEN to REVIEW is performed automatically during the CE process and not by TSS commands. This happens during the extract. Once the tag data is set to REGSTATE:REVIEW after successful CE, then and only then, you can use a TSS command to change it to APPROVED. For example:

TSS REPLACE(acid) MFACTOR(AZFCERT1) MFADATA(REGSTATE:APPROVED)  

You can use the TARGET(=) on the TSS REPLACE command above to limit the command to only execute on the local system.