IBM Multi-Factor Authentication for z/OS works with RACF Security Server infrastructure to create a layered defense

IBM United States Software Announcement 216-069
February 16, 2016


At a glance

IBM® Multi-Factor Authentication for z/OS® raises the level of assurance of your mission-critical systems with a flexible and tightly integrated multi-factor authentication solution. The Multi-Factor Authentication for z/OS product and z/OS Security Server RACF® help to create a layered defense by requiring selected IBM z/OS users to authenticate with multiple authentication factors:

  • Something they know: A password or security question
  • Something they have: An ID badge or cryptographic token device


Overview

The most common method for authenticating users to IBM z/OS systems is the use of passwords or password phrases. Unfortunately, passwords can be compromised or shared, which can increase the risk of compromised data. Users may inadvertently pick common passwords or write them down, which can lead to a compromised password and hence to compromise of the data the user has access to.

Clients are looking for ways to reduce risk and close some of the potential ways that a user’s credentials can be compromised, which can help raise the authentication assurance level of their z/OS systems by requiring additional authentication factors for users.

Multi-Factor Authentication for z/OS helps to fill this need and can help raise the assurance level of users authenticating to z/OS applications. Multi-Factor Authentication for z/OS helps security administrators enforce a policy that requires authentication with multiple factors during the logon process.

This new product is designed to provide support for authenticating with different factors and to centralize the specific knowledge of how to handle an authentication factor within the Multi-Factor Authentication product.

Multi-Factor Authentication is designed to work with IBM z/OS Security Server RACF to centralize the information of valid factors within RACF. The Security Administrator defines which authentication factors are valid for a given z/OS instance and controls, at the level of individual z/OS user IDs, which users are required to use stronger authentication. The z/OS Security Server RACF enablement for Multi-Factor Authentication for z/OS consists of updates to the RACF database, RACF commands, callable services, logon processing, and RACF utilities.

Multi-Factor Authentication for z/OS and the RACF enablement infrastructure are planned to support the following third-party authentication systems for different user populations:

  • RSA® SecurID® Tokens, including hardware-based or software-based tokens

With the Multi-Factor Authentication for z/OS solution, RACF administrators can store authentication data used by Multi-Factor Authentication in the RACF database, define and alter MFA data in RACF with RACF commands, and unload nonsensitive MFA fields in the RACF database with the DBUNLOAD utility.

The design of this integrated solution is intended to help clients accelerate deployment, simplify management with existing infrastructure, and be able to more simply achieve regulatory compliance and reduce risk to critical applications and data.



Key prerequisites
  • z/OS Security Server RACF with PTF for APAR OA48359, when available
  • RSA Authentication Manager 8.1 for RSA SecurID exploitation


Planned availability date

March 25, 2016



Description

Configuring RACF for MFA

z/OS Security Server RACF supports integration with Multi-Factor Authentication for z/OS, which provides for a higher level of authentication assurance for z/OS applications.

In order to begin using Multi-Factor Authentication with z/OS Security Server RACF, a number of configuration steps must be completed. Multi-Factor Authentication for z/OS should be installed as described in the Multi-Factor Authentication for z/OS product publications. Similarly, install the IBM RACF PTFs that provide the infrastructure services used by Multi-Factor Authentication for z/OS. The supported authentication factors must be defined and RACF users must be altered to add MFA data with the RACF ALTUSER command.

An MFA factor is defined to RACF by creating a profile in the MFADEF class with the name FACTOR.<FactorName>. Supported authentication factors are named in the Multi-Factor Authentication for z/OS product documentation.

MFA factor data can be added to z/OS users by using the ALTUSER command to alter their respective RACF user profiles. This helps the z/OS security administrator plan the phasing in of multi-factor authentication on their z/OS systems.

When a user has an active MFA factor and attempts to log on, RACF will call Multi-Factor Authentication for z/OS to evaluate the credentials during the user authentication process.



Statements of general direction

IBM Multi-Factor Authentication for z/OS support for PIV/CAC Cards and IBM TouchToken Authentication Factors Tokens

IBM intends to provide support for additional authentication factors that users can use to authenticate to z/OS. These factors will include Personal Identity Verification (PIV)/Common Access Cards (CAC) that are commonly used in the Public Sector to authenticate for access to information systems. IBM also intends to introduce the IBM TouchToken authentication factor, which is a Timed One Time use Password (TOTP) generator that enables strong authentication for users that carry iOS devices.

IBM Security zSecure™ support for IBM Multi-Factor Authentication for z/OS

In the future, IBM plans to enhance the IBM Security zSecure suite to support IBM Multi-Factor Authentication for z/OS. This support is intended to simplify administration by helping to enforce authentication policy, providing alert notifications, and reporting on authentication audit events and compliance. IBM Security zSecure capabilities help prevent privileged user threats, simplify administration, automate auditing, and reduce operational risk.

IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remain at our sole discretion.



Reference information

For information about the IBM z Systems™ servers, refer to the following announcements:

  • IBM z13™ Hardware Announcement 115-001, dated January 14, 2015
  • IBM z13s Hardware Announcement 116-002, dated February 16, 2016
  • IBM zEnterprise® EC12 Hardware Announcement 113-119, dated July 23, 2013
  • IBM zEnterprise BC12 Hardware Announcement 113-121, dated July 23, 2013
  • IBM zEnterprise 196 Hardware Announcement 111-121, dated July 12, 2011
  • IBM zEnterprise 114 Hardware Announcement 111-136, dated July 12, 2011
  • IBM z/OS V2.2 Software Announcement 215-267, dated July 28, 2015
  • IBM z/OS V2.1 Software Announcement 213-292, dated July 23, 2013



Program number

| Program number | VRM | Program name |
|---|---|---|
| 5655-162 | 1.1.0 | IBM Multi-Factor Authentication for z/OS |
| 5655-163 | 1.1.0 | IBM Multi-Factor Authentication for z/OS S&S |

Product identification number

Multi-Factor Authentication for z/OS

| Program PID number | Subscription and Support PID number |
|---|---|
| 5655-162 | 5655-163 |


Education support

IBM training provides education to support many IBM offerings. Descriptions of courses for IT professionals and managers can be found on the IBM authorized training website.

Call IBM training at 800-IBM-TEACH (426-8322) for catalogs, schedules, and enrollments.

Here is a partial list of classroom courses that are currently available and planned for z/OS education:

  • z/OS V2.2 Review and Migration (ESC7G)
  • Introduction to z/OS Environment (ES05G)
  • Fundamental System Skills for z/OS (ES10G)
  • z/OS Facilities (ES15G)
  • z/OS System Operators (ES27G)
  • z/OS Installation Using ServerPac (ES41G)
  • Basics of z/OS RACF Administration (ES19G)
  • z/OS Management Facility Implementation and Use (ESB1G)


Offering Information

Product information is available on the IBM Offering Information website.



Business Partner information

If you are a Direct Reseller - System Reseller acquiring products from IBM, you may link directly to Business Partner information for this announcement. A PartnerWorld® ID and password are required (use IBM ID).

BP Attachment for Announcement Letter 216-069


Publications

The product documentation includes these publications:

| Title | Order number |
|---|---|
| IBM Multi-Factor Authentication for z/OS Program Directory V1.1.0 | GI13-4316-00 |
| IBM Multi-Factor Authentication for z/OS Installation and Customization | SC27-8447-00 |
| IBM Multi-Factor Authentication for z/OS User's Guide | SC27-8448-00 |

IBM Knowledge Center provides access to the IBM Multi-Factor Authentication documentation in HTML format at the z/OS Welcome page, effective March 25, 2016.

IBM Publications Center provides access to the IBM Multi-Factor Authentication documentation in PDF format at the IBM Publications Center website, effective March 25, 2016.



Services

Software Services

IBM Software Services has the breadth, depth, and reach to manage your services needs. You can leverage the deep technical skills of our lab-based, software services team and the business consulting, project management, and infrastructure expertise of our IBM Global Services team. Also, we extend our IBM Software Services reach through IBM Business Partners to provide an extensive portfolio of capabilities. Together, we provide the global reach, intellectual capital, industry insight, and technology leadership to support a wide range of critical business needs.

To learn more about IBM Software Services or to contact a Software Services sales specialist, go to the IBM Software Services website.



Technical information

Specified operating environment

Hardware requirements

IBM Multi-Factor Authentication for z/OS requires one of the following IBM z Systems servers:

  • z13™
  • z13s
  • zEnterprise EC12
  • zEnterprise BC12
  • zEnterprise 196
  • zEnterprise 114

Software requirements

IBM Multi-Factor Authentication for z/OS requires:

  • z/OS V2.1 with z/OS Security Server with PTFs for APAR OA48359 or z/OS V2.2 with z/OS Security Server with PTFs for APAR OA48359
  • RSA Authentication Manager 8.1

The program's specifications and specified operating environment information may be found in documentation accompanying the program, if available, such as a readme file, or other information published by IBM, such as an announcement letter. Documentation and other program content may be supplied only in the English language.

Limitations

Authentication requests using MFA are expected to be slower than non-MFA authentication requests. At the very least, MFA authentication will incur extra path length when calling Multi-factor Authentication Services. Depending on the factor type, there may be additional considerations such as network calls to external authentication servers. Non-MFA authentication requests should have little to no noticeable performance degradation.

Refer to Usage restrictions in the Terms and conditions section of this announcement, or to the License Information document that is available on the IBM Software License Agreement website.

Planning information

Packaging

The IBM Multi-Factor Authentication for z/OS product package is distributed with the following:

  • IBM Multi-Factor Authentication for z/OS Installation and Customization (SC27844700)
  • IBM z/OS User's Guide (SC27844800)

Direct customer support

For technical support or assistance, contact your IBM representative or go to the IBM Support Portal website.

Security, auditability, and control

The Multi-Factor Authentication for z/OS product is closely integrated with z/OS Security Server RACF and centralizes authentication factor information in the RACF database. Multi-Factor Authentication for z/OS relies on the RACF Security Administrator to identify which users are subject to MFA policy. Multi-Factor Authentication for z/OS relies on the integrity, security, and auditability features and functions of z/OS and the z Systems™ hardware.

The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.



Ordering information

The program in this announcement has Value Unit-Based pricing.

| Program number | Program name | Value Unit exhibit |
|---|---|---|
| 5655-162 | IBM Multi-Factor Authentication for z/OS | VUE023 |

For each z Systems IPLA program with Value Unit pricing, the quantity of that program needed to satisfy applicable IBM terms and conditions is referred to as the required license capacity. Your required license capacity is based upon the following factors:

  • The z Systems IPLA program you select
  • The applicable Value Unit Exhibit
  • The applicable terms
  • Whether your current mainframes are full capacity or sub-capacity

Value Unit Exhibit VUE023

Value Units based on users are determined by the following table:

| Usage Level, cumulative | Minimum users | Maximum users | Value Units/1,000 users | Value Units breakover points (trunchion) | Value Units to users |
|---|---|---|---|---|---|
| 1 | 1 | 5,000 | 1,000 | 5,000 | 1.00 |
| 2 | 5,001 | 15,000 | 500 | 10,000 | 0.50 |
| 3 | 15,001 | 50,000 | 300 | 20,500 | 0.30 |
| 4 | 50,001 | 150,000 | 200 | 40,500 | 0.20 |
| 5 | 150,001 | 500,000 | 150 | 93,000 | 0.15 |
| 6 | 500,001 | 1,000,000 | 100 | 143,000 | 0.10 |
| 7 | 1,000,001 | | 50 | | 0.05 |

Charge metric

Pricing Metric Description

| Program name | Program number | Pricing metric description |
|---|---|---|
| IBM Multi-Factor Authentication for z/OS | 5655-162 | Per Value Unit |
| IBM Multi-Factor Authentication for z/OS S&S | 5655-163 | Per Value Unit |


User Value Unit (UVU)

UVU is a unit of measure by which the program can be licensed. UVU Proofs of Entitlement (PoEs) are based on the number and type of users for the given program. Licensee must obtain sufficient entitlements for the number of UVUs required for licensee's environment as specified in the program specific table. The UVU entitlements are specific to the program and type of user and may not be exchanged, interchanged, or aggregated with UVU entitlements of another program or type of user. Refer to the program specific UVU table.

Basic license

To order, specify the program product number and the appropriate license or charge option. Also, specify the desired distribution medium. To suppress shipment of media, select the license-only option in CFSW.

Program name: IBM Multi-Factor Authentication for z/OS

Program PID: 5655-162

| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S017ZB1 | IBM Multi-Factor Authentication for z/OS | Basic OTC, per Value Unit |

| Orderable supply ID | Language | Distribution medium |
|---|---|---|
| S017V1K | US English | 3590 Tape |

Subscription and support PID: 5655-163

| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S017ZB2 | IBM Multi-Factor Authentication for z/OS S&S | Basic ASC, Per Value Unit |
| | | No charge, decline SW S&S |

| Orderable supply ID | Language | Distribution medium |
|---|---|---|
| S017V1G | US English | Paper |

Subscription and Support

To receive voice technical support via telephone and future releases and versions at no additional charge, Subscription and Support must be ordered. The capacity of Subscription and Support (Value Units) must be the same as the capacity ordered for the product licenses.

To order, specify the Subscription and Support program number (PID) referenced above and the appropriate license or charge option.

IBM is also providing Subscription and Support for these products via a separately purchased offering under the terms of the IBM International Agreement for Acquisition of Software Maintenance. This offering:

  • Includes and extends the support services provided in the base support to include technical support via telephone.
  • Entitles you to future releases and versions, at no additional charge. Note that you are not entitled to new products.

When Subscription and Support is ordered, the charges will automatically renew annually unless cancelled by you.

The combined effect of the IPLA license and the Agreement for Acquisition of Software Maintenance gives you rights and support services comparable to those under the traditional ICA S/390® and System z® license or its equivalent. To ensure that you continue to enjoy the level of support you are used to in the ICA business model, you must order both the license for the program and the support for the selected programs at the same Value Unit quantities.

Customized Offerings

Product deliverables are shipped only through CBPDO and ServerPac. These customized offerings are offered for Internet delivery in countries where Shopz product ordering is available. Internet delivery reduces software delivery time and allows you to install software without the need to handle tapes. For more details on Internet delivery, go to the Help section on the Shopz website.

You choose the delivery method when you order the software. IBM recommends Internet delivery. In addition to Internet and DVD, the supported tape delivery options include:

  • 3590
  • 3592

Most products can be ordered in ServerPac the month following their availability in CBPDO. z/OS can be ordered through CBPDO and ServerPac at general availability. Many products will also be orderable in a Product ServerPac without also having to order the z/OS operating system or subsystem.

Shopz and CFSW will determine the eligibility based on product requisite checking. For more details on the product ServerPac, go to the Help section on the Shopz website.

For additional information about the Product ServerPac option, refer to Software Announcement 212-272, dated July 7, 2012.

Production of software product orders will begin on the planned general availability date.

  • CBPDO shipments will begin one week after general availability.
  • ServerPac shipments will begin two weeks after general availability.



Terms and conditions

The information provided in this announcement letter is for reference and convenience purposes only. The terms and conditions that govern any transaction with IBM are contained in the applicable contract documents such as the IBM International Program License Agreement, IBM International Passport Advantage® Agreement, and the IBM Agreement for Acquisition of Software Maintenance.

Licensing

IBM International Program License Agreement including the License Information document and Proof of Entitlement (PoE) govern your use of the program. PoEs are required for all authorized use.

This software license includes Software Subscription and Support (also referred to as Software Maintenance).

Agreement for Acquisition of Software Maintenance

The following agreement applies for Software Subscription and Support (Software Maintenance) and does not require customer signatures:

  • IBM Agreement for Acquisition of Software Maintenance (Z125-6011)

These programs are licensed under the IBM Program License Agreement (IPLA) and the associated Agreement for Acquisition of Software Maintenance, which provide for support with ongoing access to releases and versions of the program. These programs have a one-time license charge for use of the program and an annual renewable charge for the enhanced support that includes telephone assistance (voice support for defects during normal business hours), as well as access to updates, releases, and versions of the program as long as support is in effect.

License Information number

GI13-4317-00

The program's License Information will be available for review on the License Information documents website.

Limited warranty applies

Yes

Limited warranty

IBM warrants that when the program is used in the specified operating environment, it will conform to its specifications. The warranty applies only to the unmodified portion of the program. IBM does not warrant uninterrupted or error-free operation of the program or that IBM will correct all program defects. You are responsible for the results obtained from the use of the program.

IBM provides you with access to IBM databases containing information on known program defects, defect corrections, restrictions, and bypasses at no additional charge. For further information, see the IBM Software Support Handbook.

IBM will maintain this information for at least one year after the original licensee acquires the program (warranty period).

Program support

Enhanced support, called Subscription and Support, includes telephone assistance, as well as access to updates, releases, and versions of the program as long as support is in effect. You will be notified of discontinuance of support with 12 months' notice.

Money-back guarantee

If for any reason you are dissatisfied with the program and you are the original licensee, you may obtain a refund of the amount you paid for it, if within 30 days of your invoice date you return the program and its PoE to the party from whom you obtained it. If you downloaded the program, you may contact the party from whom you acquired it for instructions on how to obtain the refund.

For clarification, note that for programs acquired under any of IBM's On/Off Capacity on Demand (On/Off CoD) software offerings, this term does not apply since these offerings apply to programs already acquired and in use by you.

Volume orders (IVO)

No

Passport Advantage applies

No

Software Subscription and Support applies

Yes. During the S&S period, for the unmodified portion of a program, and to the extent problems can be recreated in the specified operating environment, IBM will provide the following:

  • Defect correction information, a restriction, or a bypass.
  • Program updates: Periodic releases of collections of code corrections, fixes, functional enhancements and new versions and releases to the program and documentation.
  • Technical assistance: A reasonable amount of remote assistance by telephone or electronically to address suspected program defects. Technical assistance is available from the IBM support center in the organization's geography.

Additional details regarding Technical Assistance, that includes IBM contact information, are provided in the IBM Software Support Handbook.

S&S does not include assistance for:

  • The design and development of applications
  • Organization's use of program in other than their specified operating environment, or
  • Failures caused by products for which IBM is not responsible under the IBM Agreement for Acquisition of Software Maintenance.

S&S is provided only if the program is within its support timeframe as specified in the Software Support Lifecycle policy for the program.

Yes. All distributed software licenses include Software Subscription and Support (also referred to as Software Maintenance) for a period of 12 months from the date of acquisition, providing a streamlined way to acquire IBM software and assure technical support coverage for all licenses. Extending coverage for a total of three years from date of acquisition may be elected.

While your Software Subscription and Support is in effect, IBM provides you assistance for your routine, short duration installation and usage (how-to) questions, and code-related questions. IBM provides assistance by telephone and, if available, electronic access, only to your information systems (IS) technical support personnel during the normal business hours (published prime shift hours) of your IBM support center. (This assistance is not available to your end users.) IBM provides Severity 1 assistance 24 hours a day, every day of the year. For additional details, go to the IBM Support Handbooks page.

Software Subscription and Support does not include assistance for the design and development of applications, your use of programs in other than their specified operating environment, or failures caused by products for which IBM is not responsible under this agreement.

For more information about the Passport Advantage® Agreement, go to the Passport Advantage and Passport Advantage Express® website.

Variable charges apply

No

Educational allowance available

Yes. A 15% education allowance applies to qualified education institution customers.



Statement of good security practices

IT system security involves protecting systems and information through prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, or misappropriated or can result in misuse of your systems to attack others. Without a comprehensive approach to security, no IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products, or services to be most effective.

Important: IBM does not warrant that any systems, products, or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.



Prices

For additional information and current prices, contact your local IBM representative.

Information on charges is available on the IBM Support Portal website.

Choose the option entitled Purchase/upgrade tools.

Program name: IBM Multi-Factor Authentication for z/OS

Program PID: 5655-162

| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S017ZB1 | IBM Multi-Factor Authentication for z/OS | Basic OTC, Per Value Unit |

Subscription and Support PID: 5655-163

| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S017ZB2 | SW Subscription and Support Reseller One Year | Basic ASC, Per Value Unit |
| | | No charge, decline SW S&S |

IBM Global Financing

IBM Global Financing offers competitive financing to credit-qualified customers to assist them in acquiring IT solutions. Offerings include financing for IT acquisition, including hardware, software, and services, from both IBM and other manufacturers or vendors. Offerings (for all customer segments: small, medium, and large enterprise), rates, terms, and availability can vary by country. Contact your local IBM Global Financing organization or go to the IBM Global Financing website for more information.

IBM Global Financing offerings are provided through IBM Credit LLC in the United States, and other IBM subsidiaries and divisions worldwide to qualified commercial and government customers. Rates are based on a customer's credit rating, financing terms, offering type, equipment type, and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension, or withdrawal without notice.

Financing from IBM Global Financing helps you preserve cash and credit lines, enables more technology acquisition within current budget limits, permits accelerated implementation of economically attractive new technologies, offers payment and term flexibility, and can help match project costs to projected benefits. Financing is available worldwide for credit-qualified customers.



Order now

To order, contact your Americas Call Centers, local IBM representative, or your IBM Business Partner. To identify your local IBM representative or IBM Business Partner call 800-IBM-4YOU (426-4968). For more information, contact the Americas Call Centers.

Phone: 800-IBM-CALL (426-2255)

Fax: 800-2IBM-FAX (242-6329)

For IBM representative: callserv@ca.ibm.com

For IBM Business Partner: pwcs@us.ibm.com

Mail:
IBM Teleweb Customer Support
ibm.com® Sales Execution Center, Americas North
3500 Steeles Ave. East, Tower 3/4
Markham, Ontario
Canada L3R 2Z1
Reference:
LE001

The Americas Call Centers, our national direct marketing organization, can add your name to the mailing list for catalogs of IBM products.


Note: Shipments will begin after the planned availability date.
Trademarks

z Systems, zSecure, IBM z Systems, IBM z13 and z13 are trademarks of IBM Corporation in the United States, other countries, or both.

IBM, z/OS, RACF, PartnerWorld, Passport Advantage, zEnterprise, S/390, System z, Express and ibm.com are registered trademarks of IBM Corporation in the United States, other countries, or both.

RSA and SecurID are registered trademarks of EMC Corporation in the United States and/or other countries.

Other company, product, and service names may be trademarks or service marks of others.

Terms of use

IBM products and services which are announced and available in your country can be ordered under the applicable standard agreements, terms, conditions, and prices in effect at the time. IBM reserves the right to modify or withdraw this announcement at any time without notice. This announcement is provided for your information only. Additional terms of use are located at

Terms of use

For the most current information regarding IBM products, consult your IBM representative or reseller, or visit the IBM worldwide contacts page

http://www.ibm.com/planetwide/us/
