Assistance or best practices needed to roll out pass tickets and eventually MFA with TPX.

Release : 5.4

z/OS 

1. Make sure you are current on all TPX maintenance

2)   Security Action/Message Table (SAMT) Updates (LU10629)

The sample SAMTs for ACF2 Top Secret , RACF, and SAF in hlq.CB0VDATV(ADMIN1) have been updated to change the default message #DFLTMSG) action from A (allow) to R (reject).

This change mitigates the potential security risk that is caused by new messages from an External Security System (ESM) during TPX signon.

New return codes and message IDs have also been added to the sample SAMT tables. These return codes and message IDs are related to generic signon credentials and multi-factor authentication messages that are generated from different ESMs. These additions maintain currency with new ESM codes and messages that may affect customers.

The following return codes and message IDs have been added for ACF2

:

The following return codes and message IDs have been added for 

Top Secret

:

The following return codes and message IDs have been added for RACF:

The following return codes and message IDs have been added for SAF:

3)Make sure panel Panel TEN1003 is updated to support passcode entry. For more information on sign-on panels, see Password Verification.

You must add security messages to the Security Access Message Table (SAMT) for MFA/AAM support. See Security messages to add to TPX

 SAMT when employing MFA/AAM for more information.

Apply the following PTFs for MFA/AAM support:

• RO93703 (Base)
• RO93704 (English Panel TEN1003)
• R093702 (Uppercase Panel TUP1003)

For more information, see the Knowledge Base article How to set up 

TPX with Multi-Factor Authentication (MFA) and Advanced Authentication Mainframe (AAM) Support.

4) LOCK/UNLOCK Reverification Enhancement

TPX supports using the LOCK/UNLOCK function for users who sign on with a password, passphrase, or Multi-Factor Authentication and Advanced Authentication Mainframe (MFA/AAM) code.

Panel TEN1023 is modified to accept a passcode (password, passphrase, or MFA/AAM code) to unlock the terminal. For more information on using panel TEN1023 for LOCK/UNLOCK, see Lock and Unlock Your Terminal.

Users who sign in without a passcode or with a Pass Ticket must use a lock word to lock and unlock the terminal.

Apply the following PTFs for the LOCK/UNLOCK enhancement:

• RO94337 (Base)
• RO94338 (English panels)

If you use the TPX  user signon and signoff exit TPXUSNSF has been enhanced with the addition of call point 52. Call point 52 is for users who log into TPX  with a password, passphrase, or pass code. Existing call point 48 is for users who log into TPX with a lock word. For more information, see Signon and Signoff Exit.

This enhancement is necessary because the LOCK/UNLOCK code structure was modified to work with a greater than 8-character password such as a passphrase or an RSA token.

5) Set up PassTickets for all of your applications before implementing MFA.

                        https://knowledge.broadcom.com/external/article?articleId=9672

6) Create the ACL for auto signon to the application in your ACL library

    From TPXOPER reload the ACL  - RELOAD ACL=aclname

    Add the ACL name to the Startup ACL:     ________ in the session either at the profile

    Level or User Level or even at the application level(for all users).