
zMFA setup in ACF2 for access to PKCS#11 token


Article ID: 242508


Products

ACF2 - z/OS ACF2 ACF2 - MISC

Issue/Introduction

When IBM z/MFA is installed for the first time on an LPAR that runs ACF2, the AZF#IN00 started task fails after configuration. It issues the following message and then ends:

AZF2405E Authenticator initialize failed : AZFRADP1

IBM reviewed the output and asked that the PKCS#11 token be configured as described in their documentation: https://www.ibm.com/docs/en/zma/2.1.0?topic=customization-configuring-pkcs11-token

What are the steps required for an ACF2 environment based on this documentation?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The IBM documentation is written for RACF. Starting from step 3, the ACF2 equivalents are given below. Each RACF profile of the form SO.token-name, USER.token-name or CLEARKEY.token-name in the CRYPTOZ class becomes an entry for token-name in the ACF2 resource rule set whose $KEY is SO, USER or CLEARKEY under type CRY; RECKEY adds the entry and recompiles the rule set. There is no CONTROL keyword in an ACF2 rule entry: ACF2 validates a SAF CONTROL request as SERVICE(DELETE), which is why the CONTROL steps below use SERVICE(DELETE).

3. Create the PKCS#11 token (RACDCERT ADDTOKEN in the IBM documentation).

In ACF2 the token is created either through ICSF or with the ACF P11TOKEN subcommand:

P11TOKEN ADD TOKEN(token-name)

Steps 4 to 7 have no ACF2 equivalent. Instead, the resource rules for the CRYPTOZ class must be made resident by adding the type to the GSO INFODIR record as R-RCRY and refreshing it.
CRY is the default type code for the CRYPTOZ resource class in the GSO CLASMAP record. If CLASMAP maps CRYPTOZ to a different type code on your system (SHOW CLASMAP displays the current mapping), replace CRY with that code in every command that follows.

SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RCRY) ADD
F ACF2,REFRESH(INFODIR)

8. Give the user ID of the web services started task CONTROL access to the profile that protects the token, where AZFWEB is the user ID of the web services started task.

SET RESOURCE(CRY)
RECKEY SO ADD(token-name UID(uid for AZFWEB) SERVICE(DELETE) ALLOW)

9. Give the user ID of the administrator who executes the panels CONTROL access to the profile that protects the token

SET RESOURCE(CRY)
RECKEY SO ADD(token-name UID(uid for Admin) SERVICE(DELETE) ALLOW)

10. Give the user ID of the IBM MFA services started task UPDATE access to the profile that protects the token, where AZFSTC is the user ID of the IBM MFA services started task.

SET RESOURCE(CRY)
RECKEY USER ADD(token-name UID(uid for AZFSTC) SERVICE(UPDATE) ALLOW)

11. Give the user ID of the web services started task UPDATE access to the profile that protects the token, where AZFWEB is the user ID of the web services started task.

SET RESOURCE(CRY)
RECKEY USER ADD(token-name UID(uid for AZFWEB) SERVICE(UPDATE) ALLOW)

12. Give the user ID of the administrator who executes the panels UPDATE access to the profile that protects the token.

SET RESOURCE(CRY)
RECKEY USER ADD(token-name UID(uid for Admin) SERVICE(UPDATE) ALLOW)

Step 13 does not have an ACF2 equivalent.

14. Give the user ID of the administrator who executes the panels READ access to the CLEARKEY profile for the token.

SET RESOURCE(CRY)
RECKEY CLEARKEY ADD(token-name UID(uid for Admin) SERVICE(READ) ALLOW)

15. Give the user ID of the IBM MFA services started task READ access to the CLEARKEY profile for the token, where AZFSTC is the user ID of the IBM MFA services started task.

SET RESOURCE(CRY)
RECKEY CLEARKEY ADD(token-name UID(uid for AZFSTC) SERVICE(READ) ALLOW)

16. Refresh the profile for the CRYPTOZ class, so that the changes take effect:

F ACF2,REBUILD(CRY)
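The whole procedure above collected into one batch job, as an added example that is not taken from this article or from IBM's documentation. The job card, the token name MFATOKEN and the UID masks STCAZFWEB, STCAZFSTC and MFAADMIN are assumptions to be replaced with your own values; the rule entries are the ones from steps 8 to 15. Comments are kept outside the SYSTSIN stream because a line beginning with // or /* would end the in-stream data.

```jcl
//ACFMFA   JOB (ACCT),'ZMFA CRYPTOZ SETUP',CLASS=A,MSGCLASS=X
//*
//* Assumed names, replace before use:
//*   MFATOKEN   PKCS#11 token name
//*   STCAZFWEB  UID mask of the AZFWEB web services started task
//*   STCAZFSTC  UID mask of the AZFSTC IBM MFA services started task
//*   MFAADMIN   UID mask of the administrator who runs the panels
//* Step 3: create the token, then steps 4-7 (INFODIR) and 8-15 (rules).
//* Issue F ACF2,REFRESH(INFODIR) and F ACF2,REBUILD(CRY) from the
//* console after the job ends (operator commands, not ACF subcommands).
//*
//ACFCMDS  EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 ACF
 P11TOKEN ADD TOKEN(MFATOKEN)
 SET CONTROL(GSO)
 CHANGE INFODIR TYPES(R-RCRY) ADD
 SET RESOURCE(CRY)
 RECKEY SO ADD(MFATOKEN UID(STCAZFWEB) SERVICE(DELETE) ALLOW)
 RECKEY SO ADD(MFATOKEN UID(MFAADMIN) SERVICE(DELETE) ALLOW)
 RECKEY USER ADD(MFATOKEN UID(STCAZFSTC) SERVICE(UPDATE) ALLOW)
 RECKEY USER ADD(MFATOKEN UID(STCAZFWEB) SERVICE(UPDATE) ALLOW)
 RECKEY USER ADD(MFATOKEN UID(MFAADMIN) SERVICE(UPDATE) ALLOW)
 RECKEY CLEARKEY ADD(MFATOKEN UID(MFAADMIN) SERVICE(READ) ALLOW)
 RECKEY CLEARKEY ADD(MFATOKEN UID(STCAZFSTC) SERVICE(READ) ALLOW)
 END
/*
```

Before submitting, check the existing GSO records: under SET CONTROL(GSO), LIST INFODIR shows whether R-RCRY is already resident (in which case the CHANGE is not needed), and SHOW CLASMAP confirms that CRYPTOZ maps to CRY. After the job, issue F ACF2,REFRESH(INFODIR) and then F ACF2,REBUILD(CRY) so the new GSO setting and the CRY rules take effect. Grant nothing beyond these entries until AZF#IN00 has been restarted and ACFRPTRV has been checked; if the report shows READ violations against SO or USER for one of these logonids, add only the matching entry, for example RECKEY SO ADD(MFATOKEN UID(STCAZFWEB) SERVICE(READ) ALLOW), and issue F ACF2,REBUILD(CRY) again.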

Additional Information

It has been reported that READ access to the SO and USER resources (READ entries for the token in the SO and USER rule sets) may also be required. This is not stated in the IBM documentation referenced above. A likely reason is that the SERVICE keyword of an ACF2 rule entry lists only the services that entry covers, so an entry with SERVICE(DELETE) or SERVICE(UPDATE) does not by itself satisfy a READ request, whereas RACF CONTROL and UPDATE access imply READ. To confirm before granting anything, run the ACFRPTRV resource violation report against the SMF data that was active when the violation occurred and look for violations of type CRY with key SO or USER and service READ for the AZFSTC, AZFWEB or administrator logonids; add READ entries only for the logonids and resources that the report shows.