IBM Multi-Factor Authentication for z/OS, V1.3 expands authentication options for creating a layered defense

IBM Europe Software Announcement ZP17-0546
October 3, 2017

Table of contents

  • Overview
  • Key prerequisites
  • Planned availability date
  • Description
  • Program number
  • Publications
  • Technical information
  • Ordering information
  • Terms and conditions
  • Prices
  • Announcement countries


(Corrected on November 7, 2017)

The "Publications" section was revised.



At a glance

IBM® Multi-Factor Authentication for z/OS® raises the level of assurance of your mission-critical systems with a flexible and tightly integrated multi-factor authentication solution. The Multi-Factor Authentication for z/OS product and z/OS Security Server RACF® help to create a layered defense by requiring selected IBM z/OS users to authenticate with multiple authentication factors:

  • Something they know: A password or security question
  • Something they have: An ID badge or cryptographic token device
  • Something they are: Such as a fingerprint or other biometric

Multi-Factor Authentication for z/OS, V1.3 supports many token types:

  • RSA SecurID hard and soft tokens
  • IBM TouchToken app for Time-based One-time Passwords (TOTP)
  • PassTicket support and application-level granularity
  • Smart card certificate-based authentication, including Personal Identity Verification/Common Access Cards (PIV/CAC)
  • Generic RADIUS support
  • SafeNet RADIUS support
  • RSA SecurID RADIUS support
  • Generic TOTP support

Multi-Factor Authentication for z/OS also supports:

  • Running multiple instances of the Multi-Factor Authentication Web Services started task in a sysplex
  • The ability to configure Multi-Factor Authentication to operate in a strict PCI-compliant mode
  • New integration through a new SAF API that enables Express® Logon Facility to work with Multi-Factor Authentication
  • Compound authentication, which allows the specification of more than one authentication factor in the authentication process


Overview

Multi-Factor Authentication for z/OS, V1.3 (IBM MFA) is enhanced with new functionality and support.

New RADIUS-based factors

In addition to the existing RSA SecurID support, IBM TouchToken support, and Personal Identity Verification and Common Access Card support, IBM now includes support for three new RADIUS-based factors:

  • A generic RADIUS factor that enables interoperability with generic RADIUS servers
  • A SafeNet RADIUS factor that is designed to operate with Gemalto SafeNet Authentication Service servers
  • An RSA SecurID RADIUS factor that is optimized to communicate with RSA Authentication Manager servers using the RADIUS protocol

The support for generic RADIUS and Gemalto SafeNet is available for Multi-Factor Authentication for z/OS, V1.2 with the PTF for APAR PI82734.

Generic TOTP support

The time-based, one-time password factor has been enhanced to support more generic TOTP token applications. This introduces support for standard-compliant TOTP third-party applications that run on Android and Microsoft™ Windows™ devices.
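The generic TOTP factor consumes codes generated under RFC 6238, which the following added Python example implements for both the authenticator and the verifier side; it is not IBM's code and does not show IBM MFA's internal implementation. The base32 secret format, the ±1 time-step window and the per-user replay guard are assumptions about a typical deployment; the secret value is the RFC 6238 Appendix B test vector.

```python
"""
TOTP (RFC 6238) generation and verification as used by a generic TOTP factor:
a standards-compliant authenticator app and the verifier share a secret and
derive a short code from the current 30-second time step.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed for this example: the RFC 6238 Appendix B test secret
# ("12345678901234567890") as an authenticator app would receive it, base32-encoded.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 shared secret; apps commonly strip padding and spaces."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a zero-padded code of `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_accepted_step: Optional[int] = None, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> Optional[int]:
    """Verifier-side check. Returns the matching time step on success and None
    on any failure (bad format, no match inside the window, or replay). A single
    failure value keeps the caller from leaking which check failed."""
    cleaned = candidate.replace(" ", "")
    if len(cleaned) != digits or not cleaned.isdigit():
        return None
    current = unix_time // step
    matched = None
    # Check every step in the window without breaking early, so response timing
    # does not reveal which step (if any) matched.
    for delta in range(-window, window + 1):
        candidate_step = current + delta
        if hmac.compare_digest(hotp(secret, candidate_step, digits, algo), cleaned):
            matched = candidate_step
    if matched is None:
        return None
    # Replay guard (assumed policy): each time step is accepted at most once per user,
    # so the caller must persist the returned step as last_accepted_step.
    if last_accepted_step is not None and matched <= last_accepted_step:
        return None
    return matched


if __name__ == "__main__":
    secret = decode_base32_secret(EXAMPLE_SECRET_B32)
    print(totp(secret, 59, digits=8))  # RFC 6238 vector: 94287082
```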

Compound In-band Authentication support

In some cases, it may be desirable to authenticate with both an IBM MFA credential and a RACF password. If this support is activated, the user enters their token code and their RACF password or password phrase into the password phrase field of applications.

The support for Compound In-band Authentication is available for Multi-Factor Authentication for z/OS, V1.2 with the PTF for APAR PI86469.

IBM MFA Express Logon Facility support

New integration has been provided, through a new SAF API, that enables Express Logon Facility users to interface with the IBM MFA smart card support. This enhancement requires the presence of a user's smart card when authenticating. It prevents RACF user ID-only authentication attempts.

The support for Express Logon Facility is available with the PTF for APAR PI86470.

High-Availability IBM MFA Web Services support

IBM MFA now supports running multiple instances of the IBM MFA Web Services started task in a sysplex. Thus if an LPAR running IBM MFA Web Services has to be rebooted or is otherwise out of service for planned maintenance, users can continue to preauthenticate with IBM MFA Web Services on one of the remaining instances running within the sysplex. Additionally, this eliminates the need to explicitly configure the host name of the LPAR for IBM MFA Web Services and IBM TouchToken registration.

The support for High-Availability IBM MFA Web Services is available with the PTF for APAR PI82735.

Bulk provisioning support

IBM MFA now includes scripts that enable a large number of users to be easily provisioned. In particular, this simplifies provisioning PIV/CAC users who can be provisioned and enabled immediately, eliminating the self-service provisioning step available in IBM MFA V1.2. Note that the self-service provisioning capability is still available for sites that are unable to use the new bulk provisioning capability.

Strict PCI compliance support

IBM MFA now includes the ability to configure IBM MFA to operate in a strict PCI-compliant mode. When this mode is activated, messages that "leak" information are not returned and the out-of-band preauthentication process always requires entry of all factor credential data before returning any information about the preauthentication attempt.


Key prerequisites

  • z/OS Security Server RACF
  • RSA Authentication Manager 8.1 for RSA SecurID exploitation
  • SafeNet Authentication Service 3.5.4, or later


Planned availability date

November 17, 2017

Availability of programs with encryption algorithm in France is subject to French government approval.


Description

Configuring RACF for IBM MFA

z/OS Security Server RACF supports integration with IBM MFA, which provides for a higher level of authentication assurance for z/OS applications.

In order to begin using IBM MFA with z/OS Security Server RACF, a number of configuration steps must be completed. IBM MFA should be installed as described in the IBM MFA product publications. Similarly, install the IBM RACF PTFs that provide the infrastructure services used by IBM MFA. The supported authentication factors must be defined, and RACF users must be altered to add IBM MFA data with the RACF ALTUSER command.

An IBM MFA factor is defined to RACF by creating a profile in the MFADEF class with the name FACTOR.. Supported authentication factors are named in the IBM MFA product documentation.

IBM MFA factor data can be added to z/OS users by using the ALTUSER command to alter their respective RACF user profiles. This helps the z/OS security administrator plan the phasing in of multi-factor authentication on their z/OS systems.

When a user has an active IBM MFA factor and attempts to log on, RACF will call IBM MFA to evaluate the credentials during the user authentication process.

Accessibility by people with disabilities

A US Section 508 Voluntary Product Accessibility Template (VPAT), containing details about accessibility compliance, can be found on the Product accessibility information website.


Reference information

For information about the IBM Z family servers, see the following announcements:

  • Hardware Announcement ZG17-0017, dated July 17, 2017 (IBM z14)
  • Hardware Announcement ZG15-0001, dated January 14, 2015 (IBM z13®)
  • Hardware Announcement ZG15-0001, dated January 14, 2015 (IBM z13s™)
  • Hardware Announcement ZG12-0262, dated August 28, 2012 (IBM zEnterprise® EC12)
  • Hardware Announcement ZG13-0195, dated July 23, 2013 (IBM zEnterprise BC12)

For information about the latest z/OS announcement, see Software Announcement ZP17-0316, dated July 17, 2017.


Program number

Program number   VRM     Program name
5655-162         1.3.0   IBM Multi-Factor Authentication for z/OS
5655-163         1.1.0   IBM Multi-Factor Authentication for z/OS S&S

Product identification number

Multi-Factor Authentication for z/OS

Program PID number Subscription and Support PID number
5655-162 5655-163


Education support

Here is a partial list of courses that are currently available and planned for z/OS education:

Course code Course title Course type
ESC8G z/OS 2.3 Review and Migration Classroom
ESCS8G z/OS 2.3 Review Digital
ESE0G Blockchain on z Systems® Classroom
ES05 Introduction to z/OS Environment Classroom
ES10 Fundamental System Skills for z/OS Classroom
ES15 z/OS Facilities Classroom
ES27 z/OS System Operators Classroom
ES41 z/OS Installation Using ServerPac Classroom
ES54 Basic z/OS Tuning Using the Workload Manager (WLM) Classroom
ES19 Basics of z/OS RACF Administration Classroom
OP05 Introducing z/OS UNIX® System Services Classroom
ES90 Advanced Parallel Sysplex® Operations and Recovery Classroom
ES42 Parallel Sysplex Implementation Workshop Classroom
ESB1 z/OS Management Facility Implementation and Use Classroom
ES52 z/OS REXX Programming Workshop Classroom

IBM training provides education to support many IBM offerings. Descriptions of courses for IT professionals and managers can be found on the IBM Training and Skills website.

Contact your IBM representative for course information.


Offering Information

Product information is available on the IBM Offering Information website.


Publications

The product documentation includes these publications:

Title Order number
IBM Multi-Factor Authentication for z/OS Program Directory V1.3.0 GI13-4316-30
IBM Multi-Factor Authentication for z/OS Installation and Customization SC27-8447-30
IBM Multi-Factor Authentication for z/OS User's Guide SC27-8448-30

IBM Knowledge Center provides access to the IBM MFA documentation in HTML format at the z/OS Welcome Page.

z/OS Internet Library provides access to the IBM MFA documentation in PDF format at the z/OS Internet Library website.


Services

Global Technology Services

Contact your IBM representative for the list of selected services available in your country, either as standard or customized offerings, for the efficient installation, implementation, or integration of this product.


Technical information

Specified operating environment

Hardware requirements

IBM MFA requires one of the following Z family servers:

  • IBM z14
  • IBM z13
  • IBM z13s
  • IBM zEnterprise EC12 (zEC12)
  • IBM zEnterprise BC12 (zBC12)

Software requirements

IBM MFA requires:

  • z/OS V2.1 Security Server RACF 2.1, or later, with PTFs for APAR OA53002
  • For generic RADIUS support, access to an external server that supports the RADIUS PAP protocol
  • For SafeNet support, access to an external Gemalto SafeNet Authentication Service server
  • For RSA SecurID exploitation, access to an external RSA Authentication Manager 8.1 server

Limitations

Authentication requests using IBM MFA are expected to be slower than non-IBM MFA authentication requests. At the very least, IBM MFA authentication will incur extra path length when calling Multi-factor Authentication Services. Depending on the factor type, there may be additional considerations such as network calls to external authentication servers. Non-IBM MFA authentication requests should have little to no noticeable performance degradation.

See the Terms and conditions section of this announcement or the License Information document that is available on the IBM Software License Agreement website.

Planning information

Packaging

The IBM MFA product package is distributed with the following:

  • IBM Multi-Factor Authentication for z/OS Installation and Customization (SC27-8447-05)
  • IBM z/OS User's Guide (SC27-8448-05)

Security, auditability, and control

The IBM MFA product is closely integrated with z/OS Security Server RACF and centralizes authentication factor information in the RACF database. IBM MFA relies on the RACF Security Administrator to identify which users are subject to IBM MFA policy. IBM MFA relies on the integrity, security, and auditability features and functions of z/OS and the Z platform hardware.

The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.


Ordering information

Consult your IBM representative.

The programs in this announcement all have Value Unit-Based pricing.

Program number Program name Value Unit exhibit
5655-162 IBM Multi-Factor Authentication for z/OS VUE023

For each z Systems IPLA program with Value Unit pricing, the quantity of that program needed to satisfy applicable IBM terms and conditions is referred to as the required license capacity. Your required license capacity is based upon the following factors:

  • The z Systems IPLA program you select.
  • The applicable Value Unit Exhibit.
  • The applicable terms.
  • Whether your current mainframes are full capacity or sub-capacity.


Ordering z/OS through the internet

Shopz provides an easy way to plan and order your z/OS ServerPac or CBPDO. It will analyze your current installation, determine the correct product migration, and present your new configuration based on z/OS. Additional products can also be added to your order (including determination of whether all product requisites are satisfied). For more details and availability, go to the Shopz website.

Charge metric

Pricing metric description

Program name                                   Program number   Pricing metric
IBM Multi-Factor Authentication for z/OS       5655-162         Per Value Unit
IBM Multi-Factor Authentication for z/OS S&S   5655-163         Per Value Unit


User Value Unit (UVU)

UVU is a unit of measure by which the program can be licensed. UVU Proofs of Entitlement (PoEs) are based on the number and type of users for the given program. Licensee must obtain sufficient entitlements for the number of UVUs required for licensee's environment as specified in the program-specific table. The UVU entitlements are specific to the program and type of user and may not be exchanged, interchanged, or aggregated with UVU entitlements of another program or type of user. Refer to the program-specific UVU table.

Basic license

To order, specify the program product number and the appropriate license or charge option. Also, specify the desired distribution medium. To suppress shipment of media, select the license-only option in CFSW.

Program name: IBM Multi-Factor Authentication for z/OS

Program PID: 5655-162

Entitlement identifier Description License option/Pricing metric
S017ZB1 IBM Multi-Factor Authentication for z/OS Basic OTC, per Value Unit
  IBM Multi-Factor Authentication for z/OS MultiVersion Measurement NC
Orderable supply ID Language Distribution medium
S017V1K US English 3590 Tape

Subscription and Support PID: 5655-163

Entitlement identifier Description License option/Pricing metric
S017ZB2 IBM Multi-Factor Authentication for z/OS S&S Basic MSC, per Value Unit
  IBM Multi-Factor Authentication for z/OS S&S No charge, decline SW S&S
  IBM Multi-Factor Authentication for z/OS S&S MultiVersion Measurement S&S NC
Orderable supply ID Language Distribution medium
S017V1G US English Paper

Subscription and Support

To receive voice technical support via telephone and future releases and versions at no additional charge, Subscription and Support must be ordered. The capacity of Subscription and Support (Value Units) must be the same as the capacity ordered for the product licenses.

To order, specify the Subscription and Support program number (PID) referenced above and the appropriate license or charge option.

IBM is also providing Subscription and Support for these products via a separately purchased offering under the terms of the IBM International Agreement for Acquisition of Software Maintenance. This offering:

  • Includes and extends the support services provided in the base support to include technical support via telephone.
  • Entitles you to future releases and versions, at no additional charge. Note that you are not entitled to new products.

When Subscription and Support is ordered, the charges will automatically renew annually unless cancelled by you.

The combined effect of the IPLA license and the Agreement for Acquisition of Software Maintenance gives you rights and support services comparable to those under the traditional ICA S/390® and System z® license or its equivalent. To ensure that you continue to enjoy the level of support you are used to in the ICA business model, you must order both the license for the program and the support for the selected programs at the same Value Unit quantities.

Customized offerings

Product deliverables are shipped only through CBPDO, ServerPac, SystemPac, FunctionPac, and ProductPac®.

All of these customized offerings are offered for internet delivery in countries where Shopz product ordering is available. Internet delivery reduces software delivery time and allows you to install software without the need to handle tapes. For more details on internet delivery, go to the Help section on the Shopz website.

You choose the delivery method when you order the software. IBM recommends internet delivery. In addition to internet and DVD, the supported tape delivery options include:

  • 3590
  • 3592

Most products can be ordered in ServerPac, SystemPac, FunctionPac, and ProductPac the month following their availability in CBPDO. z/OS can be ordered through CBPDO, ServerPac, and SystemPac at general availability. Many products will also be orderable in a Product ServerPac without also having to order the z/OS operating system or subsystem. Shopz and CFSW will determine the eligibility based on product requisite checking. For more details on the product ServerPac, go to the Help section on the Shopz website.

For additional information about the Product ServerPac option, refer to Software Announcement ZP12-0358, dated July 7, 2012.

Production of software product orders will begin on the planned general availability date.

  • CBPDO shipments will begin one week after general availability.
  • ServerPac, SystemPac, FunctionPac, and ProductPac shipments will begin four weeks after general availability due to additional customization, and data input verification.


Terms and conditions

The information provided in this announcement letter is for reference and convenience purposes only. The terms and conditions that govern any transaction with IBM are contained in the applicable contract documents such as the IBM International Program License Agreement, IBM International Passport Advantage® Agreement, and IBM Agreement for Acquisition of Software Maintenance.

Licensing

IBM International Program License Agreement including the License Information document and Proof of Entitlement (PoE) govern your use of the program. PoEs are required for all authorized use.

This software license includes Software Subscription and Support (also referred to as Software Maintenance).

Agreement for Acquisition of Software Maintenance

The following agreement applies for Software Subscription and Support (Software Maintenance) and does not require customer signatures:

  • IBM Agreement for Acquisition of Software Maintenance (Z125-6011)

These programs are licensed under the IBM Program License Agreement (IPLA) and the associated Agreement for Acquisition of Software Maintenance, which provide for support with ongoing access to releases and versions of the program. These programs have a one-time license charge for use of the program and an annual renewable charge for the enhanced support that includes telephone assistance (voice support for defects during normal business hours), as well as access to updates, releases, and versions of the program as long as support is in effect.

License Information number

GI13-4317-00

See the License Information documents page on the IBM Software License Agreement website for more information.

Limited warranty applies

Yes

Limited warranty

IBM warrants that when the program is used in the specified operating environment, it will conform to its specifications. The warranty applies only to the unmodified portion of the program. IBM does not warrant uninterrupted or error-free operation of the program or that IBM will correct all program defects. You are responsible for the results obtained from the use of the program.

IBM provides you with access to IBM databases containing information on known program defects, defect corrections, restrictions, and bypasses at no additional charge. For further information, see the IBM Software Support Handbook.

IBM will maintain this information for at least one year after the original licensee acquires the program (warranty period).

Program technical support

Technical support of a program product version or release will be available for a minimum of two years from the general availability date, as long as your Software Subscription and Support (also referred to as Software Maintenance) is in effect.

This technical support allows you to obtain assistance (by telephone or electronic means) from IBM for product-specific, task-oriented questions regarding the installation and operation of the program product. Software Subscription and Support (Software Maintenance) also provides you with access to versions, releases, and updates (CD releases, Long Term Support Releases or fixes) of the program. You will be notified, through an announcement letter, of discontinuance of support with six months' notice. If you require additional technical support from IBM, including an extension of support beyond the discontinuance date, contact your IBM representative or IBM Business Partner. This extension may be available for a fee.

For additional information on the IBM Software Support Lifecycle Policy, see the IBM Software Support Lifecycle Policy website.

Money-back guarantee

If for any reason you are dissatisfied with the program and you are the original licensee, you may obtain a refund of the amount you paid for it, if within 30 days of your invoice date you return the program and its PoE to the party from whom you obtained it. If you downloaded the program, you may contact the party from whom you acquired it for instructions on how to obtain the refund.

For clarification, note that for programs acquired under any of IBM's On/Off Capacity on Demand (On/Off CoD) software offerings, this term does not apply since these offerings apply to programs already acquired and in use by you.

Volume orders (IVO)

No

Passport Advantage applies

No

Software Subscription and Support applies

Yes. During the Software Subscription and Support period, for the unmodified portion of a program, and to the extent problems can be recreated in the specified operating environment, IBM will provide the following:

  • Defect correction information, a restriction, or a bypass.
  • Program updates: Periodic releases of collections of code corrections, fixes, functional enhancements, and new versions and releases to the program and documentation.
  • Technical assistance: A reasonable amount of remote assistance by telephone or electronically to address suspected program defects. Technical assistance is available from the IBM support center in the organization's geography.

Additional details regarding Technical Assistance, which includes IBM contact information, are provided in the IBM Software Support Handbook.

Software Subscription and Support does not include assistance for:

  • The design and development of applications.
  • Your use of programs in other than their specified operating environment.
  • Failures caused by products for which IBM is not responsible under the IBM Agreement for Acquisition of Software Maintenance.

Software Subscription and Support is provided only if the program is within its support timeframe as specified in the Software Support Lifecycle policy for the program.

Yes. All distributed software licenses include Software Subscription and Support (also referred to as Software Maintenance) for a period of 12 months from the date of acquisition, providing a streamlined way to acquire IBM software and assure technical support coverage for all licenses. Extending coverage for a total of three years from date of acquisition may be elected.

While your Software Subscription and Support is in effect, IBM provides you assistance for your routine, short-duration installation and usage (how-to) questions, and code-related questions. IBM provides assistance by telephone and, if available, electronic access, only to your information systems (IS) technical support personnel during the normal business hours (published prime shift hours) of your IBM support center. (This assistance is not available to your end users.) IBM provides Severity 1 assistance 24 hours a day, every day of the year. For additional details, go to the IBM Support Handbooks page.

Software Subscription and Support does not include assistance for the design and development of applications, your use of programs in other than their specified operating environment, or failures caused by products for which IBM is not responsible under this agreement.

For more information about the Passport Advantage® Agreement, go to the Passport Advantage and Passport Advantage Express website.

IBM Operational Support Services - Support Line

No

Variable charges apply

No

Educational allowance available

Yes. When ordering through the program number process, a 15% education allowance applies to qualified education institution customers.

Education Software Allowance Program applies when ordering through the program number process.

ESAP available

Yes, to qualified customers

Multi-Version Measurement

Multi-Version Measurement (MVM) replaces the previously announced Migration Grace Period time limit of six months and allows unlimited time for clients to run more than one eligible version of a software program. Clients may run multiple versions of a program simultaneously for an unlimited duration during a program version upgrade. Clients may also choose to run multiple versions of a program simultaneously for an unlimited duration in a production environment. MVM does not extend support dates for programs withdrawn from service.

For more information about MVM, including requirements for qualification, see the MVM web page. For a list of eligible programs, see the IPLA Execution-Based web page.


Statement of good security practices

IT system security involves protecting systems and information through intrusion prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, or misappropriated or can result in misuse of your systems to attack others. Without a comprehensive approach to security, no IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a regulatory compliant, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products, or services to be most effective.

Important: IBM does not warrant that any systems, products, or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.


Prices

For all local charges, contact your IBM representative.

IBM Global Financing

IBM Global Financing offers competitive financing to credit-qualified customers to assist them in acquiring IT solutions. Offerings include financing for IT acquisition, including hardware, software, and services, from both IBM and other manufacturers or vendors. Offerings (for all customer segments: small, medium, and large enterprise), rates, terms, and availability can vary by country. Contact your local IBM Global Financing organization or go to the IBM Global Financing website for more information.

IBM Global Financing offerings are provided through IBM Credit LLC in the United States, and other IBM subsidiaries and divisions worldwide to qualified commercial and government customers. Rates are based on a customer's credit rating, financing terms, offering type, equipment type, and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension, or withdrawal without notice.

Financing from IBM Global Financing helps you preserve cash and credit lines, enables more technology acquisition within current budget limits, can help accelerate implementation of economically attractive new technologies, offers payment and term flexibility, and can help match project costs to projected benefits. Financing is available worldwide for credit-qualified customers.


Announcement countries

All European, Middle Eastern, and African countries, except Islamic Republic of Iran, Sudan, and Syrian Arab Republic.

Trademarks

IBM z13s is a trademark of IBM Corporation in the United States, other countries, or both.

IBM, z/OS, RACF, Express, Global Technology Services, z Systems, Parallel Sysplex, Passport Advantage, IBM z13, zEnterprise, IBM z, S/390, System z and ProductPac are registered trademarks of IBM Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Terms of use

IBM products and services which are announced and available in your country can be ordered under the applicable standard agreements, terms, conditions, and prices in effect at the time. IBM reserves the right to modify or withdraw this announcement at any time without notice. This announcement is provided for your information only. Reference to other products in this announcement does not necessarily imply those products are announced, or intend to be announced, in your country. Additional terms of use are located on

Terms of use

For the most current information regarding IBM products, consult your IBM representative or reseller, or visit the IBM worldwide contacts page