z/OS user IDs and Multi-Factor Authentication (MFA)

IBM Multi-Factor Authentication for z/OS allows z/OS security administrators to enhance SAF authentication, by requiring identified users to use multiple authentication factors (for example, both a password and a cryptographic token) to sign on to a z/OS system. IBM MFA also provides support for time-based one time password generation technologies such as RSA SecureId.

For the most part, IBM MQ is unaware of how users have "logged on" to the CICS or batch systems that are driving IBM MQ work, the signed on user ID credential is associated with the z/OS task or address space and IBM MQ uses this for checking authorization to resources. User IDs enabled for MFA can be used for authorization to IBM MQ resources and authentication through pass tickets used with the CICS and IMS bridges.

Important: Special considerations apply however, when using applications, such as the IBM MQ Explorer, which pass a user ID and password credentials on an MQCONNX API call with the MQCSP_AUTH_USER_ID_AND_PWD option. IBM MQ has no facility to pass an additional credential on this API request.

Limitations and potential workarounds are described in the following text.


IBM MQ Explorer

The IBM MQ Explorer cannot be used to log on to a z/OS system with a userid for which MFA is enabled because there is no facility for passing a second authentication factor from the IBM MQ Explorer to z/OS.

Additionally, there are two different mechanisms used by the IBM MQ Explorer to re-use a user ID and password credential, that need special attention when one time use passwords are in effect:
  1. IBM MQ Explorer has the capability to store passwords in an obfuscated format on the local machine for login at a later time. This capability must be disabled by having explorer prompt for a password each time a connection is made to the z/OS queue manager.To do this, use the following procedure:
    1. Select Queue Managers.
    2. From the list displayed, choose the queue manager you require and right click that queue manager.
    3. Select Connection Details from the menu list that appears.
    4. Select Properties from the next menu list and choose the Userid tab.

      Ensure that you select the prompt for password radio button.

  2. Various operations in the IBM MQ Explorer, such as browsing messages on queues, testing subscriptions, and so on, start a new thread which authenticates to IBM MQ using the credential first used at logon. Since the password credential cannot be re-used, we cannot use these operations.

There are two possible workarounds at the MFA configuration level for these issues:

  • Use the application ID exclusion of MFA to exclude the IBM MQ tasks from MFA processing altogether. To do this, issue the following commands:
    1. RDEFINE MFADEF MFABYPASS.USERID.chinuser
      where chinuser is the channel initiator address space level user Id (associated with the channel initiator through the STC class) 
    2. PERMIT MFABYPASS.USERID.chinuser CLASS MFADEF ACCESS(READ) ID(explorer user)

    For more information on this approach, see Bypassing IBM MFA for applications.

  • Use Out-of-band support on MFA, which was introduced with IBM MFA 1.2. With this approach, you pre-authenticate to the IBM MFA web server, and in addition to your user ID and password, specify additional authentication as determined through the policy. IBM MFA server generates a cache token credential that you then specify on the IBM MQ Explorer authentication dialogue. The security administrator can allow this credential to be replayed for a reasonable period of time, so enabling normal IBM MQ Explorer use.

For more information on this approach see Introduction to IBM MFA.

Parent topic: Set up security on z/OS