IBM Z Security - Group home

For z/VM and Linux for z: more factors and improved security. IBM Z MFA 2.2 is available!


Most mainframe owners are very concerned about the security of their system. Are they still using userids and passwords to sign on to mainframe applications? If they are, then they aren’t as concerned about security as they might say. Multi-factor authentication is the way to mitigate the risk of stolen passwords. And the latest IBM Z MFA 2.2 is now available. It can protect applications on z/OS, z/VM and Linux for z. This blog will focus on z/VM and Linux for z. 
MFA 2.2 introduces new factors and usability improvements across z/VM and Linux for z. These are in addition to the dozens of factors already included within this offering.

New Factors

MFA 2.2 introduces two new factors. One that exploits the RSA REST API,  and the second is the introduction of Pluggable Access Manager (PAM) modules for Linux for z that are MFA enabled.


Recent RSA Authentication Manager servers (8.2 or later) support an HTTPS API called the SecurID Authentication API. This provides a superior ease of configuration vs. RSA-proprietary ACEv5 UDP protocol that’s leveraged for the existing z MFA factor:  AZFSIDP1. From a crypto perspective, this offers strong and industry-standard security for user credentials. For new customers that already use RSA SecurID, IBM recommends they start with this new factor that exploits the HTTPS REST API: AZFSIDP3.  

PAM for Linux for z

You can now protect Linux applications (like ssh) through the use of a PAM that is MFA enabled. RPMs that include this PAM are available for SLES or RHEL for Z.  It uses MFA web services to present an in-band authentication flow to PAM-enabled applications for Linux. It is enabled on a per-application basis by editing the PAM configuration and requires User ID synchronization between:
•       Linux User IDs (on the client where the application is calling PAM)
•       MFA User IDs (on the Linux server where MFA is running)

Usability Improvement

Masking or hiding a credential is now available for the web interface. When a user successfully satisfies an MFA policy via the out-of-band web interface, MFA issues a derived credential. This ”cache token credential” (CTC) was previously displayed in cleartext to the web browser user. Several customers complained about the clear value of this CTC. CTC masking, when enabled in STC settings, changes the end-user display so that the CTC value is initially hidden (but easily copied or revealed if requested. 


All of these functions and new operations are intended to get MFA widely deployed across all businesses. Make sure that your business is truly a security expert by deploying IBM z MFA 2.2.​ Documentation can be found here