Other posts on MFA:
- Multi Factor Authentication (MFA): Planning.
- MFA: installation and configuration
- MFA: Configuring a userid
- MFA: displaying information
- MFA: configuring Timed One Time Password (TOTP)
- MFA: Using a password
- MFA configuring a policy for out of band authentication
- MFA: configuring Yubikey
- MFA: setting up Linux as an authenticator to generate a TOTP password
- MFA: messages
What is a Timed One Time Password?
You can have a hardware dongle, or an authenticator app on your phone (or other device), configured with a secret key that is shared with the server. You ask the dongle or app to generate a temporary code, which is valid for a short period, typically 30 seconds or one minute. The short validity period makes it hard for someone who sees or captures the code to reuse it to get access to your system. (RFC 6238 calls this a Time-based One-Time Password; the algorithm is HMAC over the current time step, truncated to a few digits.)
In theory the application that takes the secret and generates a code should be simple to implement, but not all of the MFA parameters work with all authenticator applications; for example some applications only support SHA-1 and do not support SHA256. You need to configure MFA and the userid to use parameters which work with your choice of authenticator app.
The AZFEXEC configuration tool allows you to specify the digest algorithm:
- SHA-1, SHA256, SHA384 or SHA512
You can configure a user to use any of these. Some authenticator applications only support SHA-1, so a user configured for SHA256 will never get a matching code from such an app.
If you get it wrong, you can reset the userid, add the correct tags, and get the user to reactivate the userid.
Follow the documentation
The documentation is pretty good.
I defined the resources
// DD *,SYMBOLS=JCLONLY
RLIST MFADEF FACTOR.AZFTOTP1
RLIST FACILITY IRR.RFACTOR.MFADEF.AZFTOTP1
RLIST FACILITY IRR.RFACTOR.USER
RDEF MFADEF FACTOR.AZFTOTP1 OWNER(&OWNER)
RDEF FACILITY IRR.RFACTOR.MFADEF.AZFTOTP1 OWNER(&OWNER)
RDEF FACILITY IRR.RFACTOR.USER UACC(NONE)
SETROPTS RACLIST(MFADEF) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
and
// DD *,SYMBOLS=JCLONLY
PERMIT IRR.RFACTOR.MFADEF.AZFTOTP1 ACCESS(ALTER) CLASS(FACILITY) -
ID(&ADMIN)
PERMIT IRR.RFACTOR.MFADEF.AZFTOTP1 ACCESS(READ) CLASS(FACILITY) -
ID(&STC)
PERMIT IRR.RFACTOR.USER ACCESS(UPDATE) CLASS(FACILITY) ID(&STC)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(&STC) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(MFADEF) REFRESH
RLIST FACILITY IRR.RFACTOR.MFADEF.AZFTOTP1 ALL
RLIST FACILITY IRR.RFACTOR.USER ALL
RLIST MFADEF FACTOR.AZFTOTP1 MFA ALL
I followed the documentation section "Additional system programming steps for TOTP" and used AZFEXEC to configure AZFTOTP1.
I used the following values
- PKCS#11 Token Name: MFATOKEN
- Key Label: I let it default to what was used previously
- Use Single-key Encryption: I let it default to Y
- REALM: I used MYREALM. Once you have MFA configured you may wish to revisit this
- Initial Trace Level: default
- Digest Algorithm: 2 (SHA256). Some authenticator apps do not support all algorithms. You can change this on a per user basis
- Token Code Length: 1 (6 Digit). Some authenticator apps only support a length of 6
- Token Period: 2 (30 seconds). Some authenticator apps only support 30 seconds
- Window: 1 (default). This is how many periods either side of the current one a code is still accepted for, to allow for clock skew between the authenticator and z/OS
- Compound In-band Authentication: this is to use more than one factor to logon (the TOTP code plus the RACF password). During initial set up and testing I set this to N. Once this worked, I set it to Y
- Credential Order: 1 (TOTP code first, then password). I logged on with 123456:PASSW0RD
- Factor Separator: I used the default, the ":" between 123456 and PASSW0RD in the line above
- Suspension Threshold: 10. The default is "0"
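The parameters above (digest algorithm, code length, period, window, credential order and separator) are exactly the knobs in RFC 6238, and a mismatch in any of them between z/OS and the authenticator app produces codes that never match. The following is an added example, not IBM MFA code, that implements TOTP with those parameters in plain Python, verifies a code within a window to allow for clock skew, and splits a compound credential such as 123456:PASSW0RD. The seeds are the RFC 6238 Appendix B test vectors; the otpauth:// URI is the generic provisioning format used by authenticator QR codes, assumed here because the page does not show what IBM MFA encodes in its QR code.

```python
# Added example (not IBM MFA code): RFC 6238 TOTP with the parameters AZFEXEC
# exposes (digest, digits, period, window), plus the compound-credential split.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 6238 Appendix B test seeds (ASCII), one per digest. Constructed inputs.
SEED_SHA1 = b"12345678901234567890"
SEED_SHA256 = b"12345678901234567890123456789012"
SEED_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, period: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(unix_time) // period, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: float, period: int = 30,
                digits: int = 6, algo: str = "sha1", window: int = 1) -> bool:
    """Accept the code for the current step or any step within +/- window.
    window=1 with period=30 tolerates roughly 30 s of clock skew either way."""
    step = int(unix_time) // period
    return any(
        hmac.compare_digest(hotp(secret, step + d, digits, algo), code)
        for d in range(-window, window + 1)
    )


def split_compound(credential: str, order: int = 1, separator: str = ":") -> tuple:
    """Compound in-band credential -> (totp_code, password).
    order 1: <totp><sep><password>; order 2: <password><sep><totp>.
    Split at the separator adjacent to the code, so a password that itself
    contains the separator still parses."""
    if order == 1:
        code, _, password = credential.partition(separator)
    else:
        password, _, code = credential.rpartition(separator)
    return code, password


def otpauth_uri(secret: bytes, account: str, issuer: str, algo: str = "sha256",
                digits: int = 6, period: int = 30) -> str:
    """Generic otpauth:// provisioning URI (assumed QR-code content; the page does
    not show what IBM MFA encodes). Apps that ignore the algorithm/digits/period
    parameters silently fall back to SHA-1, 6 digits, 30 s, which is the mismatch
    the text warns about."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm={algo.upper()}"
            f"&digits={digits}&period={period}")


if __name__ == "__main__":
    now = time.time()
    for algo, seed in (("sha1", SEED_SHA1), ("sha256", SEED_SHA256), ("sha512", SEED_SHA512)):
        print(algo, totp(seed, now, algo=algo))
    # Same secret, different digest: the codes differ, so a user configured for
    # SHA256 on z/OS but enrolled in a SHA-1-only app never authenticates.
    print("sha1 vs sha256 from one seed:",
          totp(SEED_SHA1, now, algo="sha1"), totp(SEED_SHA1, now, algo="sha256"))
    code, pw = split_compound("123456:PASSW0RD", order=1, separator=":")
    print("compound split ->", code, pw)
    print(otpauth_uri(SEED_SHA256, "TOTPUSER", "MYREALM"))
```

Run it once with `algo="sha1"` and once with `algo="sha256"` against the same seed and compare with what the app shows: if only the SHA-1 value matches, the app is ignoring the digest parameter and the user must be configured for SHA-1 on z/OS.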
Start the IBM MFA services started task
As part of the base MFA configuration I had already done the steps in Start the IBM MFA services started task.
Restart the MFA started tasks.
Task AZF#IN00 now produces message
AZF2109I Authenticator initialized : entry 0x206E40A8, name AZFTOTP1 (strong).
Restart the MFA web server task (AZF#IN01).
Configure a user
I used
// DD *,SYMBOLS=JCLONLY
* RESET THE MFA ATTRIBUTES
ALU &TOTPUSER MFA(NOPWFALLBACK)
ALU &TOTPUSER MFA(FACTOR(AZFTOTP1) NOACTIVE )
ALU &TOTPUSER MFA(FACTOR(AZFTOTP1) NOTAGS )
ALU &TOTPUSER MFA(DELPOLICY( OOBCERT ) )
ALU &TOTPUSER MFA(DELPOLICY( OOBTOTP ) )
* ACTIVATE THE FACTOR AND OPEN IT FOR REGISTRATION
ALU &TOTPUSER MFA(FACTOR(AZFTOTP1) ACTIVE TAGS(REGSTATE:OPEN))
LU &TOTPUSER MFA
The LU output has the following. The PASSWORD FALLBACK line is worth checking: with PWFALLBACK the user can fall back to logging on with just the RACF password when IBM MFA is unavailable, so specify NOPWFALLBACK once the factor is working unless you need that fallback.
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS ALLOWED
FACTOR = AZFTOTP1
STATUS = ACTIVE
FACTOR TAGS =
REGSTATE:OPEN
Activate the user
Use the web site https://xx.xx.xx.xx:6793/AZFTOTP1/genericStart to start the activation. This prompts for your userid and password. If they are correct and the userid has been configured correctly (factor active, tag REGSTATE:OPEN) it will display a QR code.
Use your authenticator app to add an account by scanning the QR code. If successful, the app will generate a code. Enter this code in the web page to complete the activation. The QR code carries the shared TOTP secret, so treat it as a credential: do not screenshot, print or e-mail it, and enrol only over a trusted connection.
Initial set up and testing
During initial testing, with Compound In-band Authentication set to N, you can log on, for example to TSO, by entering just the 6 digit code as the password. Once this is working you can use the AZFEXEC panels to configure AZFTOTP1 to enable Compound In-band Authentication, where you will need the One Time Password plus your (TSO) password. Credential Order specifies whether you want the format 123456:passw0rd or passw0rd:123456.
For TSO to take the TOTP and password together, TSO needs to be configured to support passwords longer than 8 characters (password phrase support). The IKJTSOxx member needs
LOGON PASSPHRASE(ON)
For those applications which do not accept long passwords you will need to set up an Out of Band policy.
Define a simple Out of Band policy for just the TOTP
// DD *,SYMBOLS=JCLONLY
RDEL MFADEF POLICY.OOBTOTP
RDEF MFADEF POLICY.OOBTOTP OWNER(&OWNER) -
MFPOLICY(FACTOR(AZFTOTP1) TOKENTIMEOUT(60) REUSE(N))
SETROPTS RACLIST(MFADEF) REFRESH
RLIST MFADEF POLICY.OOBTOTP MFPOLICY
RDELETE FACILITY IRR.RFACTOR.POLICY.OOBTOTP
RDEF FACILITY IRR.RFACTOR.POLICY.OOBTOTP UACC(READ) -
OWNER(&OWNER)
SETROPTS RACLIST(FACILITY) REFRESH