Transcript of: Multifactor Authentication (VMA with RSA).pdf
Multifactor Authentication
RSA ez/Token
A two-factor RSA SecurID authentication solution.
Allow users to authenticate using RSA SecurID tokens to
the zSeries Server or any other application currently using
RACF authentication.
©2018 Vanguard Integrity Professionals, Inc.
Introduction to Vanguard VTAM Multifactor
Authentication
Problem: Integrating multifactor products into the
logon process of tools like session managers can be
cumbersome when One Time Passwords (OTPs) are used.
Replay of an OTP is not allowed, so it is cumbersome for
the end user to enter a fresh OTP over and over again for
multiple logons.
VMA provides a front-end portal that integrates
multifactor logon to z/OS and then allows RACF
USERID and PASSWORD combinations to be used
after validation by a multifactor product.
[Diagram: VMA logon processing. A token-enabled user logs on to the VMA portal with USER ID, PASSWORD and TOKEN. Session authentication checks the token (TOKEN SUCCESSFUL) and RACF z/OS password processing checks the password (PASSWORD SUCCESSFUL). The Vanguard Session Manager (IAMEZSTC, VIPMANN) then passes the user on to HOST 2 through HOST 6 logons using USER ID and PASSWORD only; a failed check ends in FAIL LOGIN.]
Supported Features
• VTAM Logon Portal
• Multi-Vendor support: RSA, DUO, PINGID, OAUTH etc.
• Multiple technologies supported (Hard and Soft Tokens)
• LU2 (SNA over TCP/IP) and LU0 type terminals
1. Logon to VMA Portal Multifactor
2. Continue to follow on APPLID (TSO, Session MGR etc.)
3. Now use “ONLY” USERID and Password
4. Logon to Next APP.
5. USE USERID and Password
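The five steps above, worked through as an added example that is not Vanguard's code: a small model of the VMA pattern in which a one-time password is checked once at the portal (with a replayed OTP rejected), the user's SecurID enablement is looked up (standing in for READ access to SECURID.ENABLE), and follow-on host logons within the validated window accept only USERID and PASSWORD. The time step, window length, user names, secrets and passwords are all constructed for the example, and HOTP/TOTP is used as the token algorithm because its computation is public.

```python
"""Added example (not Vanguard's code): models the VMA portal flow.
The token is validated once at the portal, a replay of the same OTP is
rejected, and follow-on logons inside the validated window accept only
USERID and PASSWORD. All names and values below are constructed."""
import hashlib
import hmac
import struct

OTP_STEP = 30          # assumed TOTP time step in seconds
VMA_WINDOW = 5 * 60    # assumed validity window of a portal authentication


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = OTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now) // step)


class VmaPortal:
    def __init__(self, enabled_users, secrets, passwords):
        # Users with (simulated) READ access to SECURID.ENABLE are under control.
        self.enabled_users = set(enabled_users)
        self.secrets = secrets        # userid -> token seed (constructed)
        self.passwords = passwords    # userid -> RACF password (constructed)
        self.last_counter = {}        # userid -> last accepted OTP counter
        self.validated = {}           # userid -> time the token was accepted

    def portal_logon(self, userid, password, token, now):
        """Step 1: logon to the VMA portal with USERID, PASSWORD and TOKEN."""
        if self.passwords.get(userid) != password:
            return "FAIL LOGIN"
        if userid not in self.enabled_users:
            return "EXCLUDED"         # not SecurID-enabled: RACF password only
        counter = int(now) // OTP_STEP
        if self.last_counter.get(userid, -1) >= counter:
            return "FAIL LOGIN"       # OTP for this time step already consumed
        expected = hotp(self.secrets[userid], counter).encode()
        if not hmac.compare_digest(expected, token.encode()):
            return "FAIL LOGIN"
        self.last_counter[userid] = counter
        self.validated[userid] = now
        return "TOKEN SUCCESSFUL"

    def host_logon(self, userid, password, now, enforce_vma=True):
        """Steps 2-5: follow-on APPLID logons with USERID and PASSWORD only."""
        if self.passwords.get(userid) != password:
            return "FAIL LOGIN"
        if userid not in self.enabled_users:
            return "PASSWORD SUCCESSFUL"
        validated_at = self.validated.get(userid)
        if enforce_vma and (validated_at is None or now - validated_at > VMA_WINDOW):
            return "FAIL LOGIN"       # ENFORCE_VMA=Y: no current portal authentication
        return "PASSWORD SUCCESSFUL"


def demo(now=1_700_000_000):
    """Run the flow once and return the outcome of each step."""
    secret = b"12345678901234567890"   # constructed seed
    portal = VmaPortal(["USER1"], {"USER1": secret}, {"USER1": "pw1", "USER2": "pw2"})
    token = totp(secret, now)
    return {
        "portal": portal.portal_logon("USER1", "pw1", token, now),
        "replay": portal.portal_logon("USER1", "pw1", token, now + 1),
        "host2": portal.host_logon("USER1", "pw1", now + 60),
        "expired": portal.host_logon("USER1", "pw1", now + VMA_WINDOW + 1),
        "no_mfa": VmaPortal(["USER1"], {"USER1": secret}, {"USER1": "pw1"})
                  .host_logon("USER1", "pw1", now),
        "not_enabled": portal.host_logon("USER2", "pw2", now),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:12s} {result}")
```

The replay check keys on the OTP time step rather than the code value, so a code presented twice inside one step is refused even though it is still arithmetically valid; the window check is what lets the later password-only logons succeed without a second token.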
TOKEN PROVIDERS SUPPORTED
YubiKey
OAUTH
HOTP
TOTP
RSA SecurID
SafeSign
ActivIdentity
DUO Trusted Access
PING Identity
RSA SecurID
The RSA SecurID® solution is the world’s leading two-factor
user authentication system, relied on by thousands of
organizations worldwide to protect valuable network resources.
RSA SecurID® two-factor authentication is based on:
One: Something you know (a password or PIN)
Two: Something you have (an authenticator)
This provides a much more reliable level of user authentication than reusable passwords.
www.rsasecurity.com
RSA SecurID Solution
Secure Mobile & Remote Access Solutions
• Industry’s leading authentication technology
• 20 million users
• Broadest choices of authentication form factors
• Scales to support millions of users
• Provides investment protection through integration with 300 leading applications
And now the boring stuff
• Installation
• Team Requirements
• Hardware Requirements
• Product Requirements
• ETC
Installation Team
• IBM z/OS Systems Programmer
• IBM RACF® Administrator
• RSA account Manager
Installation Steps
• Add maintenance
• Collect information
- RSA information
- User selection
- Job selection
- Audit Requirements
• Setup IAMEZTSV
• Setup Vanguard RSA Agent Host
Set IAMEZTSV
• The Identity and Access Manager Server runs as a persistent started
task named IAMEZTSV. The IAMEZTSV started task is a service
provider for Vanguard ez/PivCard, Vanguard ez/SignOn, Vanguard
ez/Token, Vanguard Tokenless Authentication, Revoke Resume
Notification (RRN) and Password Synchronization. This started task
can support multiple LPARs sharing the same RACF database.
VIPTOKEN Member Customization
• SECURID parameters in the VIPTOKEN member
• SECURID=Y
• SECURID_REQUIRED_RACF_PSWD=Y
• SECURID_PSWD_DELIM=/
• SECURID_TIMEOUT=5
• SECURID_AUTH_CLASS=FACILITY
• SECURID_IRRSXT00_EXIT=Y
• SECURID_EXCLUDE_LOG=Y|N
• SECURID_CSDATA_FLDNAME=
• SECURID_AGENT_LIST=I=nnn.nnn.nnn.nnn:ddddd
• SECURID_EXCL_JNAME=jobname1
• SECURID_INCL_JNAME=jobname1
• SECURID_TRACE=racf_userid_mask
• SYSOUT=H
• ENFORCE_VMA=Y
What to Exclude or Include
• INCLUDE/EXCLUDE List
• SECURID_EXCL_JNAME=job-name
• SECURID_INCL_JNAME=job-name
- ALLTSOF (covers all TSO sessions)
Note: Exclude is processed first.
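The exclude-first rule, as an added example that is not Vanguard's code: a small evaluator for the SECURID_EXCL_JNAME and SECURID_INCL_JNAME lists. The ALLTSOF value covers every TSO session as the deck states; the `*` wildcard in job-name masks and the treatment of jobs on neither list are assumptions made for the example.

```python
"""Added example (not Vanguard's code): decide whether a logon under a given
job name is under SecurID control, checking the exclude list before the
include list. Wildcard masks ('*', '?') and the default for jobs on neither
list are assumptions."""
from fnmatch import fnmatchcase

ALLTSOF = "ALLTSOF"   # special include/exclude value covering all TSO sessions


def _matches(jobname, is_tso, masks):
    """True when the job name (or its TSO-ness) matches any mask in the list."""
    for mask in masks:
        if mask == ALLTSOF:
            if is_tso:
                return True
        elif fnmatchcase(jobname, mask):
            return True
    return False


def under_securid_control(jobname, is_tso, excl_jnames, incl_jnames):
    """Return True when a logon under this job name must present a token."""
    if _matches(jobname, is_tso, excl_jnames):
        return False          # exclude list wins: evaluated first, never prompts
    if _matches(jobname, is_tso, incl_jnames):
        return True
    return False              # assumption: jobs on neither list are not controlled


if __name__ == "__main__":
    excl = ["BATCH*"]                 # constructed sample lists
    incl = [ALLTSOF, "CICS*"]
    for job, tso in [("TSOUSER1", True), ("BATCHJ1", False),
                     ("CICSPROD", False), ("BATCHTS", True), ("PAYROLL", False)]:
        print(job, under_securid_control(job, tso, excl, incl))
```

The case worth noticing is a TSO session whose job name also matches an exclude mask: because the exclude list is evaluated first it is not prompted for a token even though ALLTSOF is on the include list.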
Who is Using RSA
• Define the Users to be Authenticated through RSA Security
• Read access to SECURID.ENABLE
• User Defined Class Profiles
• SECURID.ENABLE
• Optional:
- SECURID.SUCCESSFUL.LOGON
- SECURID.FAILED.LOGON
- SECURID.EXCLUDED.LOGON
ALIAS Processing (Optional)
• Vanguard ez/Token supports the use of alias user IDs (defined in
RACF) so that a RACF user ID can be mapped to a user identity
defined in RSA Security Manager.
• This feature requires Custom Fields in RACF to be enabled
Set Up Vanguard FASTEXIT (Optional)
• Recommended for task IDs or other IDs which will never be under
MULTIFACTOR control
• e.g. started tasks (STCs)
• Provides the quickest processing of these users in RACINIT
processing.
VMA Optional
• VIPTOKEN
- ENFORCE_VMA=Y
• VTAM Session Management Exit
- ISTEXCAA
• VMAASCSO WARN OR ENFORCE
• VMAAMFA STC
• VMAOPTS
- TIME and duration of Authentication
- WTO message options
Live Demo?
Questions?
Thank You