Verify MFA-readiness for IBM Db2 Administration Foundation

By Jørn Thyssen posted Wed December 04, 2024 06:07 AM

In this blog we outline a few simple checks to verify that your system is configured correctly for using MFA with IBM Db2 Administration Foundation.

If any of the checks fail, your system is not ready for MFA with Db2 Administration Foundation. Please see https://www.ibm.com/docs/en/umsfz/1.2.0?topic=references-configuring-multifactor-authentication-ums for more details.

Verify passticket configuration for Db2 for z/OS

Determine the Db2 for z/OS passticket application name

Issue Db2 command -DISPLAY DDF
Make a note of: 

  • LUNAME and GENERICLU from message DSNL083I
  • IPNAME from message DSNL084I

The application name is:

  • IPNAME if present
  • otherwise GENERICLU if present
  • otherwise the second part of LUNAME 

If it is a data sharing group the IPNAME or GENERICLU must be the same across all members.

In the example below the passticket application name is "RS01IDS2": 

DSNL080I  !I9A2 DSNLTDDF DISPLAY DDF REPORT FOLLOWS:
DSNL081I STATUS=STARTD
DSNL082I LOCATION           LUNAME            GENERICLU         WLB
DSNL083I RS01IDS2           -NONE             -NONE             DFLT
DSNL084I TCPPORT=3900  SECPORT=3903  RESPORT=3901  IPNAME=RS01IDS2
DSNL085I IPADDR=::x.x.x.x
DSNL086I SQL    DOMAIN=-NONE
DSNL086I RESYNC DOMAIN=x.rocketsoftware.com
DSNL087I ALIAS              PORT  SECPORT STATUS WLB
DSNL088I IDS2ALIAS          3904  3905    STATIC DFLT
DSNL089I MEMBER IPADDR=::y.y.y.y
DSNL105I CURRENT DDF OPTIONS ARE:
DSNL106I PKGREL = COMMIT
DSNL099I DSNLTDDF DISPLAY DDF REPORT COMPLETE

Verify RACF passticket resources

Issue RACF command:
rlist PTKTDATA <application name> all SSIGNON

This resource must be defined and there must be a SSIGNON section.

Issue RACF command:
rlist PTKTDATA IRRPTAUTH.<application name>.* all

Users that generate passtickets need UPDATE permission and users that validate passtickets must have READ permission.
In general, only started task users need access and no access is required for regular users. 

Thus the resource must be defined and the following users must have the following permissions:

  • Db2 STC user must have (at least) READ
  • MFA STC user must have READ
  • Zowe/UMS STC user must have UPDATE
  • SQL Tuning Service STC user must have UPDATE 
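The two checks above (deriving the passticket application name from -DISPLAY DDF, then listing the PTKTDATA profiles for it) can be scripted so the same rule is applied on every member. The following Python is an added example, not part of this post or of any IBM product; the DDF report it parses is a constructed sample modelled on the one shown above, and it assumes LUNAME is displayed in NETID.LUNAME form so that "the second part" is the text after the period.

```python
import re

# Constructed sample of -DISPLAY DDF output, modelled on the report above
# (not captured from a real system; names and ports are placeholders).
SAMPLE_DDF_REPORT = """\
DSNL080I  !I9A2 DSNLTDDF DISPLAY DDF REPORT FOLLOWS:
DSNL081I STATUS=STARTD
DSNL082I LOCATION           LUNAME            GENERICLU         WLB
DSNL083I RS01IDS2           -NONE             -NONE             DFLT
DSNL084I TCPPORT=3900  SECPORT=3903  RESPORT=3901  IPNAME=RS01IDS2
DSNL099I DSNLTDDF DISPLAY DDF REPORT COMPLETE
"""

def parse_ddf_report(report):
    """Extract LUNAME and GENERICLU (DSNL083I) and IPNAME (DSNL084I).
    A displayed value of -NONE is treated as absent (None)."""
    fields = {"LUNAME": None, "GENERICLU": None, "IPNAME": None}
    for line in report.splitlines():
        if line.startswith("DSNL083I"):
            # DSNL083I <LOCATION> <LUNAME> <GENERICLU> <WLB>
            parts = line.split()
            if len(parts) >= 4:
                fields["LUNAME"] = parts[2]
                fields["GENERICLU"] = parts[3]
        elif line.startswith("DSNL084I"):
            m = re.search(r"\bIPNAME=(\S+)", line)
            if m:
                fields["IPNAME"] = m.group(1)
    return {k: (None if v in (None, "-NONE") else v) for k, v in fields.items()}

def passticket_application_name(fields):
    """Rule from the post: IPNAME if present, otherwise GENERICLU,
    otherwise the second part of LUNAME."""
    if fields["IPNAME"]:
        return fields["IPNAME"]
    if fields["GENERICLU"]:
        return fields["GENERICLU"]
    if fields["LUNAME"]:
        # Assumes NETID.LUNAME form; the LU part follows the period.
        return fields["LUNAME"].split(".")[-1]
    return None

def racf_check_commands(app_name):
    """The two RLIST commands from the post, ready to issue in TSO."""
    return [
        f"RLIST PTKTDATA {app_name} ALL SSIGNON",
        f"RLIST PTKTDATA IRRPTAUTH.{app_name}.* ALL",
    ]
```

For a data sharing group, run `parse_ddf_report` on each member's report and confirm `passticket_application_name` returns the same value for all of them.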

If everything is configured correctly up to this point, you can go ahead and configure UMS and Zowe for MFA and single sign-on; see step 4 here: https://www.ibm.com/docs/en/umsfz/1.2.0?topic=references-configuring-multifactor-authentication-ums

Then go ahead and test all features for non-MFA users.

Verify passticket configuration for IBM MFA

Verify that passtickets are allowed as a factor for IBM MFA

Issue RACF command:
RLIST MFADEF FACTOR.AZFPTKT1

This resource must be defined.
If it is not defined, see more details here: https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-using-mfa-passtickets.

Verify that passtickets are an allowed factor for the IBM MFA users

Issue RACF command:
LU <MFA user> MFA

In the "MULTIFACTOR AUTHENTICATION INFORMATION" section you should see passtickets listed as an allowed factor:

FACTOR = AZFPTKT1
  STATUS = ACTIVE
  FACTOR TAGS =
     ...

If AZFPTKT1 is listed, this user is able to use Db2 Administration Foundation.

If AZFPTKT1 is not listed, please see more details and instructions here https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-using-mfa-passtickets.

#IBMChampion #db2z/os #Security
