Other posts on MFA:
- Multi Factor Authentication (MFA): Planning.
- MFA: installation and configuration
- MFA: Configuring a userid
- MFA: displaying information
- MFA: configuring Timed One Time Password (TOTP)
- MFA: Using a password
- MFA: configuring a policy for out of band authentication
- MFA: configuring Yubikey
- MFA: setting up Linux as an authenticator to generate a TOTP password
- MFA: messages
I've put all of the RACF statements to configure the MFA parameters for a userid in a file. You can then cut and paste, or delete the ones you do not need.
The job to create the userid USERJ
//IBMUSERU JOB 1,MSGCLASS=H,RESTART=S1
//* Job to set up userid, configure all attributes and give policy
// JCLLIB ORDER=COLIN.MFA.JCL4
// EXPORT SYMLIST=(*)
// INCLUDE MEMBER=PARMS
// SET USERID=AZFUSER
// SET POLICY1=OOBTOTP
// SET POLICY2=OOBTOUS
// SET POLICY3=OOBTOUS
// SET POLICY4=OOBTOUS
// SET RSAUSER='??????'
// SET RADUSER='??????'
// SET ALTUSER='??????'
// SET WINDOW='??????'
//*
//* DEFINE THE STUFF NEEDED FOR STC
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *,SYMBOLS=(JCLONLY)
// INCLUDE MEMBER=USERTSO
// INCLUDE MEMBER=USERAZF
// INCLUDE MEMBER=USERPOL
Define a TSO userid member USERTSO
This deletes and defines the userid specified in the USERID variable in the JCL. If you already have a userid then you do not need to use this member.
DELUSER &USERID
ADDUSER &USERID DFLTGRP(TEST) OWNER(SYS1) -
NAME('MFA TEST') PASSWORD(PASSW0RD)
ALU &USERID TSO( -
...
*ALU &USERID PASSWORD(PASSW0RD) NOEXPIRED
PERMIT ACCT# CLASS(ACCTNUM) ID(&USERID) ACCESS(READ)
Define the MFA parameters, member USERAZF
This member has one definition active – the rest are commented out. I find it easier to comment out/remove stuff than type in lots of data.
// DD *,SYMBOLS=JCLONLY
ALU &USERID MFA(FACTOR(AZFYUBI1) NOACTIVE NOPWFALLBACK NOTAGS)
ALU &USERID MFA(FACTOR(AZFYUBI1) TAGS(REGSTATE:OPEN))
* ALU &USERID MFA(FACTOR(AZFYUBI1) ACTIVE )
* ALU &USERID MFA(FACTOR(AZFPASS1) ACTIVE )
....
Define the policies for the userid, member USERPOL
// DD *,SYMBOLS=JCLONLY
ALU &USERID MFA(ADDPOLICY(&POLICY1))
ALU &USERID MFA(ADDPOLICY(&POLICY2))
ALU &USERID MFA(ADDPOLICY(&POLICY3))
ALU &USERID MFA(ADDPOLICY(&POLICY4))
LU &USERID MFA
Registering a userid
With some policies you have to enter parameters to register the userid, for example userid, password and TOTP.
I found if the password had expired I could not register. I had to logon (to TSO), change my password, then register.
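As an added example (not the author's members above), here is the same configuration collapsed into one self-contained job, with the password check, the factor lifecycle, the policy and the verification display in the order they are needed. The userid MFATEST1 and the password value are assumptions; the factor and policy names are the ones used in the members above. The comments in the SYSTSIN stream use the TSO `/* */` form with a leading blank so they are not taken as the end of the instream data.

```jcl
//MFAUSER  JOB 1,MSGCLASS=H
//* Added example: configure and check MFA for one userid in a
//* single job.  Userid and password are assumed values.
//S1       EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Make sure the password is not expired before registering,     */
 /* otherwise registration fails until the user logs on to TSO    */
 /* and changes it.                                               */
 ALU MFATEST1 PASSWORD(CHANGEME) NOEXPIRED
 /* Step 1: define the factor inactive, with no password fallback. */
 /* NOPWFALLBACK means the password alone is never accepted, even  */
 /* if the MFA server is unavailable; PWFALLBACK would allow a     */
 /* password-only logon and so weakens the control.                */
 ALU MFATEST1 MFA(FACTOR(AZFYUBI1) NOACTIVE NOPWFALLBACK NOTAGS)
 /* Step 2: open registration for the factor.                      */
 ALU MFATEST1 MFA(FACTOR(AZFYUBI1) TAGS(REGSTATE:OPEN))
 /* Step 3: activate the factor once the device has been registered. */
 ALU MFATEST1 MFA(FACTOR(AZFYUBI1) ACTIVE)
 /* Step 4: attach the out-of-band policy.                         */
 ALU MFATEST1 MFA(ADDPOLICY(OOBTOTP))
 /* Step 5: display the MFA segment to verify the result.         */
 LU MFATEST1 MFA
/*
```

Run the job once with steps 1 and 2 to open registration, register the device, then run steps 3 to 5; the final LU output should show the factor active and the policy attached.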