IBM Support

IBM Security zSecure support for IBM Multi-Factor Authentication for z/OS (APAR numbers OA49576, OA50009, OA50011, OA50012, OA50284)



To enable future support for IBM Multi-Factor Authentication (MFA) for z/OS, some basic enhancements have been provided in IBM Security zSecure suite Versions 2.2.0, 2.1.1, and 2.1.0.

MFA support is intended to simplify administration by helping to enforce authentication policy, providing alert notifications, and reporting on authentication audit events and compliance. IBM Security zSecure capabilities help prevent privileged user threats, simplify administration, automate auditing, and reduce operational risk.


Documentation updates
The current basic enhancements for MFA have resulted in several documentation updates for the following zSecure publications:

  • IBM Security zSecure Admin and Audit for RACF User Reference Manual
  • IBM Security zSecure CARLa Command Reference
  • IBM Security zSecure Command Verifier User Guide
  • IBM Security zSecure Messages Guide

See the attached PDF file for the documentation updates:

Note: Referenced topics that have not changed are not included in this document. You can find them in the publication that the chapter applies to.

Using zSecure RACF-Offline, you can issue RACF commands against an offline or inactive RACF database. With the introduction of IBM Multi-Factor Authentication for z/OS (MFA) services, several RACF commands interact with the MFA server. Based on the information provided by these RACF commands, the MFA server might update information that is related to the affected user. When issuing RACF commands in the offline environment, such interaction is undesirable and might lead to consistency errors. For this reason, the following functions are currently not supported in the RACF-Offline environment:
  • Adding, removing, or changing MFA information in a USER profile.
  • Deleting users that have MFA information.

MFA-related updates for QRadar SIEM
The MFA-related SMF records for QRadar SIEM did not result in zSecure documentation updates.
The following fields pertaining to SMF Type 80 records were made available to QRadar:
authenticator Specifies the authentication method that was used for a successful authentication.
compCode Specifies the job or step completion code of an authentication request.

The following aids are available to assist in planning for and applying all relevant maintenance at once:
  • A technote from the RACF team about support for multi-factor authentication in conjunction with the new IBM Multi-factor Authentication for z/OS product.
  • If you have RACF-Offline and you install the RACF PTF for MFA, then the RACF-Offline PTF for MFA will automatically be installed as well, because the RACF PTFs provide ++ VER statements in the version control program System Modification Program Extended (SMP/E) specifications.
  • To pick up additonal recommended maintenance, it is good practice to regularly run REPORT MISSINGFIX for the following category that has been defined: IBM.Function.Multi-FactorAuthentication (MFA/K).

Related information

MFA works with RACF Security Server infrastructure to c
IBM Security zSecure suite V2.2.0 documentation
IBM Security zSecure suite V2.1.1 documentation
IBM Security zSecure suite V2.1.0 documentation
OA48359: New function - Multi-Factor Authentication sup
OA49576: Installation Support for RACF offline (5655T01
OA50009: zSecure Admin/Audit (5655T0100)
OA50011: Command Verifier Base Parser (5655T0700)
OA50012: Command Verifier Policy Routines (5655T07CV)
OA50284: ACF2

Cross reference information
Segment Product Component Platform Version Edition
Security IBM Security zSecure Command Verifier
Security IBM Security zSecure suite
Security IBM Security zSecure Audit for RACF
Security IBM Security zSecure Adapters for QRadar SIEM

Document information

More support for: IBM Security zSecure Admin

Software version: 2.1, 2.1.1, 2.2

Operating system(s): z/OS

Reference #: 1976903

Modified date: 03 May 2016