Original Message:
Sent: Fri July 04, 2025 08:24 AM
From: Hideyuki Yahagi
Subject: IBM i 7.6 MFA implementation
I finally got around to trying MFA on IBM i 7.6 and am reporting back. I would appreciate it if you could point out any errors or misunderstandings in the content.
1. First, make a plan.
- Consider whether enhanced security through MFA is necessary for your business. In many cases, increased security will result in reduced usability.
- There are a great many techniques for strengthening IBM i (and other server/client) security. Consider which techniques to apply and evaluate in what order and in what way, depending on your company's security policy.
- IBM also offers a number of security-related software products and services.
- Security ToolKit for IBM i (SECTOOLS) : This tool has been provided as standard since the AS/400. It is *strongly* recommended that the menu option 60 (Configure System Security command) not be executed.
- IBM i Security Quick Check : The article is available at "IBM Offers Free Security Check for IBM i." Unfortunately, it did not work in the DBCS (Japanese) environment, so I do not know the details. (Reported to IBM in 2021.)
- IBM PowerSC : "SC" stands for security and compliance. The latest PowerSC runs on the IBM i and does not require any other OS or partition.
- If MFA is determined to be necessary for IBM i, consider whether to use IBM i 7.6 MFA, PowerSC MFA, or other methods such as ISV solutions.
- IBM i 7.6 standard MFA considerations.
- MFA on IBM i 7.6 requires a Power10 server and an OS release upgrade.
- IBM i 7.6 MFA does not support two-step authentication. Therefore, it is not an authentication process using email or SMS, such as is used by many social networking services and by Box.
2. Preparation for TOTP implementation
- Read the Redbook "IBM i 7.6 Features and Functionality" carefully.
- The configuration work on the IBM i side requires changing the system value QPWDLVL from 0/1 to 2, performing an IPL, preparing for TOTP (making sure individual user passwords have been moved to level 4), and then changing QPWDLVL again from 2 to 4 and performing another IPL.
- Among the IBM-supplied Q* user profiles, change the password for those used interactively, such as QSECOFR, QSYSOPR, and QPGMR. If the QSECOFR password is cleared and you can no longer sign on, you will need to initialize it using the "Resetting the QSECOFR user profile password and TOTP key" procedure.
- Since low-level passwords are cleared when QPWDLVL is set to 4, a SAVSECDTA backup should be taken in advance; a SAVSECDTA taken when QPWDLVL was 0 could be restored with QPWDLVL at 2.
- The sign-on screen is now in English after setting QPWDLVL to 4. For MFA, change QDSIGNON3. Note that the source file is QSYS/QAWTSSRC, which is different from the previous one. (ref: https://www.ibm.com/docs/en/i/7.6.0?topic=display-file-source-signon-screen)
- There are relatively many preparatory items on the client side. Migration to Level 4 passwords, generation of TOTP keys on the IBM i, installation and configuration of the TOTP client, and an update of Access Client Solutions to 1.1.9.8 are required.
- Client-side software that supports TOTP includes the following. I have confirmed the operation with Authy (Android) and Google Authenticator (Chrome extension) myself.
- Download and install ACS 1.1.9.8 (2025-04-01) or later from the IBM website.
- Create a TOTP Setup Guide and update the existing Operation and Operating Procedures Manual.
3. Apply TOTP.
- Below is an example of the procedure for applying TOTP for a user.
- Example of "Hard Way - CL Command and 5250 Green Screen"
- Administrator: Verify that the password level is 4.
- User: Ensure that client software supporting TOTP is installed on the smartphone or Windows and that the ACS is 1.1.9.8 or later.
- User: Execute the command CHGTOTPKEY TOTPKEY(*GEN) and save the displayed screen by copy and paste, etc.
- Administrator: Execute the command CHGUSRPRF USRPRF(user name) AUTHMTH(*TOTP).
- User: Verify that the additional factor (TOTP) appears in the ACS sign-on window or 5250 sign-on screen and that the user can sign on by entering the 6-digit number displayed in the client software into the additional factor.
- Example of "Easy Way - IBM Navigator for i"
- (Same as CL/5250)
- (Same as CL/5250)
- Access http://(IP address of your IBM i):2002/Navigator/ from a web browser. (It is unclear how to switch languages in Navigator, so it is not clear if the terms are translated correctly.)
- Sign on with your user ID and password from the "Welcome" screen.
- Click on System.
- Click on "My Work" in the left pane and select "My MFA" -> "Manage My MFA Key" from the pull-down menu.
- On the "Manage My MFA Key" screen, select "Generate and save an MFA key and recovery key for this user profile" and click "Next".
- The "Validate MFA Key and Save Recovery Key" screen appears. When using a Windows TOTP application such as Google Authenticator, set the MFA key shown in "1. Saved MFA Key" on the screen in the TOTP application. When using a smartphone TOTP application like Authy, read the QR code displayed on the Navigator screen with the TOTP application.
- (Same as CL/5250)
- (Same as CL/5250)
The following is a list of points that I noticed when I configured TOTP.
- Since there is no two-step authentication by SMS or e-mail, there is more work on the client side.
- In the "System Admin Steps" section of "3.3.2 System Admin Role in configuring MFA" in the aforementioned RedBook, "Enable TLS for the system network servers" is listed, but MFA can be used without configuring TLS. IBM seems to want to apply TLS to all possible communications, but not all users need the strongest security.
- The Redbook calls IBM Navigator for i the "Easy Way," but I believe that CL and 5250 are more practical in many cases.
- Many tasks can be automated with CL commands. For example, the CHGUSRPRF command can be used to change passwords to level 4 in one go. Also, a user could execute CHGTOTPKEY TOTPKEY(*GEN) from the 5250 screen menu, followed by CHGUSRPRF USRPRF(the user) AUTHMTH(*TOTP) in a CL program that adopts authority, and configure MFA at the user's convenience.
- It is risky to open Navigator to users if permissions are not fully controlled.
- Additional considerations were necessary when using the system in a Japanese environment (code page 290). For example, when setting the password to level 4 with the CHGUSRPRF command, English lowercase letters did not seem to be set correctly unless CHGJOB CCSID(5035) was executed beforehand. Also, the 5250 sign-on screen was in English, and the source had to be changed and recreated.
I am not a security specialist, so if you can point out anything inappropriate, that would be helpful to those considering MFA for IBM i 7.6.
------------------------------
Hideyuki Yahagi
Technical Advisor
iS Technoport, Tokyo
Original Message:
Sent: Sun April 20, 2025 02:59 AM
From: Rohit Chauhan
Subject: IBM i 7.6 MFA implementation
Hello @Hideyuki Yahagi,
Absolutely, I agree with you regarding the considerations on the user side, along with the system side, that need to be kept in mind before implementing MFA. One of the primary enhancements in the IBM i 7.6 release is the ability to leverage Multi-factor Authentication (MFA) natively for a user profile. We do have a new draft version of the Redbook on IBM i 7.6 in which all the new functions and features are elaborated, including Multi-factor Authentication.
Please take a look here: IBM i 7.6 Features and Functions
------------------------------
Rohit Chauhan
Senior Technical Specialist
Norway
Original Message:
Sent: Fri April 11, 2025 09:06 AM
From: Hideyuki Yahagi
Subject: IBM i 7.6 MFA implementation
I have read the IBM documentation on MFA, and it seems to lack a client-side implementation. MFA on IBM i works out of the box, but the hardware and software for this functionality on the client need to be considered.
For example, to sign on with TOTP, the "client generator application" must share an MFA key with IBM i and have the ability to generate a 6-digit TOTP. For this reason, it is necessary to install and configure Authy for smartphones, Google/Microsoft Authenticator for Windows, or other well-known ones.
In addition, there may be the following considerations.
- To use TOTP, the system value QSECURITY must be at least 40 and QPWDLVL must be 4. Most users are running QSECURITY at 40 or above, and the transition from 30 to 40 should pose almost no problem. However, changing QPWDLVL to 4 is not that easy, and the plan should be based on the procedures presented by IBM.
- The MFA (TOTP) mechanism is tightly integrated into IBM i, which may limit the implementation of MFA. In the MFA system commonly used on websites, authentication is performed with a user ID and password, and an e-mail or SMS with a six-digit number is sent to the user to log in. If there were an API on IBM i to generate 6-digit MFA tokens, combined with the QIBM_QSY_AUTH exit program, this might be possible.
I am a layman in MFA and may have a wrong understanding of IBM i MFA as well. I'm hoping that IBM (or an MFA specialist) can provide us with a document that specifically describes the entire use case.
------------------------------
Hideyuki Yahagi
Technical Advisor, iS Technoport
Tokyo, Japan
------------------------------
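The TOTP mechanism discussed throughout this thread (a shared MFA key, a 6-digit code from a client generator such as Authy or Google Authenticator, a QR code shown by Navigator) is the RFC 6238 construction over RFC 4226 HOTP. The following is an added example, not code from this thread or from IBM: it shows how a client derives the code from the shared key, how a verifier checks it with a small clock-skew window, and what an otpauth:// provisioning URI (the content of a TOTP QR code) carries. It assumes the defaults used by Google Authenticator (HMAC-SHA1, 6 digits, 30-second step); the thread does not confirm that IBM i 7.6 uses exactly these parameters, and the key bytes are the RFC 6238 reference test secret, not a key generated by CHGTOTPKEY on a real system.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP as a client app and a verifier would compute it.

Added illustration, not IBM i code. Assumes the Google Authenticator defaults
(HMAC-SHA1, 6 digits, 30 s step). The 20-byte key is the RFC 4226/6238 reference
test secret, not a key generated by CHGTOTPKEY on a real IBM i.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6

# Constructed sample key: the RFC 4226/6238 reference secret (ASCII "1234567890" twice).
SAMPLE_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value, sign bit dropped
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(at_time) // step)


def verify_totp(key: bytes, presented: str, at_time: float, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` adjacent steps to
    tolerate clock skew between the phone and the server. Uses a constant-time compare
    and never short-circuits, so timing does not reveal which step (if any) matched."""
    if len(presented) != DIGITS or not presented.isdigit():
        return False
    counter = int(at_time) // STEP_SECONDS
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), presented):
            matched = True
    return matched


def base32_secret(key: bytes) -> str:
    """The key as unpadded Base32, the form a user types into a TOTP app manually."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def otpauth_uri(issuer: str, account: str, key: bytes) -> str:
    """What a provisioning QR code encodes (the Key URI format used by Google Authenticator)."""
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    return (f"otpauth://totp/{label}?secret={base32_secret(key)}"
            f"&issuer={quote(issuer, safe='')}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # Hypothetical issuer/account names for the demonstration only.
    now = time.time()
    print("provisioning URI:", otpauth_uri("IBMi-EXAMPLE", "JSMITH", SAMPLE_KEY))
    code = totp(SAMPLE_KEY, now)
    print("current code:", code, "verifies:", verify_totp(SAMPLE_KEY, code, now))
```

Two points for a practitioner: a code is only as secret as the shared key, so the screen saved during CHGTOTPKEY TOTPKEY(*GEN) (or the Navigator QR code) must be treated like a password, and the verifier's acceptance window is what makes phone clock drift tolerable; widening it beyond one step on either side trades away part of the protection.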