Within CA TPX, session signon using MFA fails for application without passticket.
Article ID: 73106
TPX - Session ManagementVman Session Management for z/OS
For an application (TSO) that is not set up for pass ticket, selecting the session for this application fails after signing on to CA TPX with multi-factor authentication (MFA) pin and token: IKJ56708I INVALID CURRENT PASSWORD IKJ56703A REENTER THIS OPERAND -
Also no ACL, using G command to start session. Signon works with a simple password as it always has, but not when using passcode (pin and token).
CA TPX for z/OS
Within Profile Maintenance, the Application Session Options for this TSO session had specified: Session data: &userid/&pswd
Including &pswd within Session data or an ACL will not work for an application that is not enabled to use pass tickets when the user has signed on to TPX using multi-factor authentication.
By definition in this scenario, the MFA passcode entered to sign on to CA TPX is no longer valid for a subsequent application signon.
Remove &pswd from session data for MFA users, at user or profile level.
NOTE >>>Users will be required to enter passcode on TSO logon panel - password, new token, PIN, etc.
The recommended solution is to enable pass tickets for applications.
With pass ticket enabled for an application, existing SessionData (user level) or Session data (profile level) that uses &userid/&pswd will then be valid for all users, multi-factor and non-multi-factor.
It is advisable to implement pass tickets successfully prior to enabling multi-factor authentication (CA AAM or IBM-MFA).
Note that SAMT must match the SMRT Security System.
For TSO, verify that PASSPHRASE(ON) is set within IKJTSOxx in LOGON section.