Multifactor Authentication (VMA with RSA)


Page 1:

Multifactor Authentication

Page 2:

RSA ez/Token

A two-factor RSA SecurID authentication solution.

Allow users to authenticate using RSA SecurID tokens to the zSeries Server or any other application currently using RACF authentication.

©2018 Vanguard Integrity Professionals, Inc.

Page 3:

Introduction to Vanguard VTAM Multifactor Authentication

Problem: Integrating multifactor products into the logon process of applications like Session Managers can be cumbersome when using One-Time Passwords (OTPs). Replay of an OTP is not allowed, and it is cumbersome for the end user to enter one over and over again for multiple logons.

VMA provides a front-end portal to integrate multifactor logon to z/OS and then allows RACF USERID and PASSWORD combinations to be used after validation by a multifactor product.

[Figure: "Token Enabled User Logs on to VMA Portal". Flow diagram with the labels: session authentication, VMA session (user ID, password, token), user logs on to VMA, VMA logon processing, IAMEZSTC, VIPMANN, RACF password processing, Vanguard Session Manager, HOST 2 to HOST 6 logon (user ID, password), fail login.]

Supported Features

• VTAM Logon Portal

• Multi-Vendor support: RSA, DUO, PINGID, OAUTH etc.

• Multiple technologies supported (Hard and Soft Tokens)

• LU2 (SNA over TCP/IP) and LU0 type terminals

1. Log on to the VMA Portal with multifactor.

2. Continue to the follow-on APPLID (TSO, Session MGR, etc.).

3. Now use “ONLY” USERID and password.

4. Log on to the next application.

5. Use USERID and password.

TOKEN PROVIDERS SUPPORTED

• YubiKey

• OAUTH

• HOTP

• TOTP

• RSA SecurID

• SafeSign

• ActivIdentity

• DUO Trusted Access

• PING Identity

Page 4:

RSA SecurID

The RSA SecurID® solution is the world’s leading two-factor user authentication system, relied on by thousands of organizations worldwide to protect valuable network resources.

RSA SecurID® two-factor authentication is based on:

One: Something you know (a password or PIN)

Two: Something you have (an authenticator)

This provides a much more reliable level of user authentication than reusable passwords.

www.rsasecurity.com

Page 5:

RSA SecurID Solution

Secure Mobile & Remote Access Solutions

• Industry’s leading authentication technology

• 20 million users

• Broadest choices of authentication form factors

• Scales to support millions of users

• Provides investment protection through integration with 300 leading applications

Page 6:

And now the boring stuff

• Installation

• Team Requirements

• Hardware Requirements

• Product Requirements

• ETC

Page 7:

Installation Team

• IBM z/OS Systems Programmer

• IBM RACF® Administrator

• RSA account Manager

Page 8:

Installation Steps

• Add maintenance

• Collect information

- RSA information

- User selection

- Job selection

- Audit Requirements

• Setup IAMEZTSV

• Setup Vanguard RSA Agent Host

Page 9:

Set IAMEZTSV

• The Identity and Access Manager Server runs as a persistent started task named IAMEZTSV. The IAMEZTSV started task is a service provider for Vanguard ez/PivCard, Vanguard ez/SignOn, Vanguard ez/Token, Vanguard Tokenless Authentication, Revoke Resume Notification (RRN) and Password Synchronization. This started task can support multiple LPARs sharing the same RACF database.

Page 10:

VIPTOKEN Member Customization

• SECURID parameters in the VIPTOKEN member

• SECURID=Y

• SECURID_REQUIRED_RACF_PSWD=Y

• SECURID_PSWD_DELIM=/

• SECURID_TIMEOUT=5

• SECURID_AUTH_CLASS=FACILITY

• SECURID_IRRSXT00_EXIT=Y

• SECURID_EXCLUDE_LOG=Y|N

• SECURID_CSDATA_FLDNAME=

• SECURID_AGENT_LIST=I=nnn.nnn.nnn.nnn:ddddd

• SECURID_EXCL_JNAME=jobname1

• SECURID_INCL_JNAME=jobname1

• SECURID_TRACE=racf_userid_mask

• SYSOUT=H

• ENFORCE_VMA=Y

Page 11:

What to Exclude or Include

• INCLUDE/EXCLUDE List

• SECURID_INCL_JNAME=job-name

• SECURID_INCL_JNAME=job-name

- ALLTSOF (covers all TSO sessions)

Note: Exclude is processed first.

Page 12:

Who is Using RSA

• Define the Users to be Authenticated through RSA Security

• Read access to SECURID.ENABLE

• User Defined Class Profiles

• SECURID.ENABLE

• Optional:

- SECURID.SUCCESSFUL.LOGON

- SECURID.FAILED.LOGON

- SECURID.EXCLUDED.LOGON

Page 13:

ALIAS Processing (Optional)

• Vanguard ez/Token supports the use of alias user IDs (defined in RACF) so that a RACF user ID can be mapped to a user identity defined in RSA Security Manager.

• This feature requires that Custom Fields in RACF be enabled.

Page 14:

Set Up Vanguard FASTEXIT (Optional)

• Recommended for task IDs or other IDs which will never be under MULTIFACTOR control

• i.e. STCs

• Provides for the quickest processing of these users in RACINIT processing.

Page 15:

VMA Optional

• VIPTOKEN

- ENFORCE_VMA=Y

• VTAM Session Management Exit

- ISTEXCAA

• VMAASCSO WARN OR ENFORCE

• VMAAMFA STC

• VMAOPTS

- TIME and duration of Authentication

- WTO message options

Page 16:

Live Demo?

Questions?

Thank You