On July 23, 2019, IBM z/OS V2.4 and IBM Security zSecure V2.4 were announced. These announcements reference support for JSON Web Tokens (JWT) in connection with IBM Z Multi-Factor Authentication (MFA; V2 has been available since May 2019) logon flows. z/OS Security Server RACF has provided new function updates[1] for z/OS V2.2 and V2.3 for these Identity Tokens. This article looks at the rapid developments of the last few years around multi-factor authentication on IBM Z.
Background
Password security is as much a function of user education (e.g., do not use the same password on a strongly protected work account as on a favorite personal gaming website of unknown protection, so that a compromise of the latter password does not expose the security of the work system) as of technical controls that make it harder for an attacker to run a brute-force attack (e.g., longer passwords, stronger encryption, enforcing better password quality through rules, allowing more different characters in a password, and controlling the security of the security database itself).
It is therefore not a surprise that password technology has proven susceptible to theft, and thus to business risk, via a wide range of hacking techniques. As unwanted access to user accounts can result in lost revenue, shattered customer confidence and costly compliance penalties, a stronger authentication method has become something for organizations and businesses to consider.
A multi-factor authentication system requires that multiple authentication factors be presented during logon to verify a user's identity. Each authentication factor must be from a separate category of credential types:
- Something they know, such as a password or the answer to a security question
- Something they have, such as an ID badge or a cryptographic token device
- Something they are: a biometric attribute such as a fingerprint
By requiring multiple authentication factors, a user's account cannot be compromised even if one of their factors is discovered.
Mainframes continue to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. The IBM z14 enables the ultimate data protection of pervasive encryption, while being open and connected in the cloud to speed innovation at lower cost.
z/OS V2R4 is designed to provide policy-based encryption options that take full advantage of the improvements in the z14 platform and can help clients protect their critical business data. The encryption capabilities and policies apply both to data at rest and to data in flight.
Resource Access Control Facility (RACF) is the foundational IBM package for protecting IBM Z. When an access check occurs in a resource manager (that is, a program that must make an access decision about the use of certain resources) the application programming interface (API) known as the System Authorization Facility (SAF) is called. If the system is protected by RACF, then SAF will forward the question to that External Security Manager (ESM) and return the answer (allowed/protection undefined/denied).
IBM Z Multi-Factor Authentication (IBM Z MFA) helps security administrators enforce a policy that requires authentication with multiple factors during the logon process. It is designed to work with IBM z/OS Security Server RACF to centralize the information of valid factors within RACF to help clients create a layered defense, accelerate deployment, simplify management with existing infrastructure, and be able to more simply achieve regulatory compliance and reduce risk to critical applications and data.
IBM Security zSecure suite builds on the security support in IBM Z, z/OS, and RACF to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. Most of the products run on the z/OS operating system. The zSecure for z/OS release numbers follow those of z/OS. For complete support of a z/OS release, you generally need the same release of zSecure. IBM Security zSecure furthermore helps protect various mainframe sub-systems, including Db2, CICS, IMS, and MQ.
IBM Security zSecure Admin boosts productivity for RACF administrators. While it usually generates RACF commands to make updates, the CKGRACF component can also directly update the RACF database; for example, to set a password back to a user-defined default password in case of a lost password (so that the administrator does not know it). IBM Security zSecure Audit helps review the security of the system in various ways, e.g., by formatting event log records from the System Management Facilities (SMF) and by displaying global RACF security settings (SETROPTS configurations). The Access Monitor component of zSecure Admin can also see security events that are not being logged and summarize all access requests. The RACF Offline component of zSecure Admin allows making updates to a RACF database that is not active, so that the effective security changes of a reorganization of the security rules can be analyzed against the Access Monitor data before the changes are activated.
IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands. IBM Security zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment. IBM Security zSecure Visual provides a user interface for RACF administration from Windows. IBM Security zSecure Alert is a real-time monitor for security events. The IBM Security zSecure Adapters for SIEM send enriched SMF information to security information and event management (SIEM) solutions such as IBM QRadar SIEM. With the exception of zSecure CICS Toolkit, updates for multi-factor authentication have been provided to all zSecure for z/OS components.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for QRadar SIEM is called the CARLa Auditing and Reporting Language (CARLa).
Multi-factor authentication developments on IBM Z
Mainframe support for multi-factor authentication was introduced with the IBM Multi-Factor Authentication for z/OS V1.1 (5655-162) product in the first quarter of 2016. This was enhanced in rapid iterations until the current IBM Z Multi-Factor Authentication V2.0 (5655-MA1).
The iterations can perhaps most easily be seen from the RACF technote documents for RACF Multi-Factor Authentication support[2] and for RACF Identity Token (IDT) support[1]. The introduction in the first quarter of 2016 was followed by IBM Touch Token support in the second quarter, out-of-band authentication in the fourth quarter, compound authentication a year later, enhanced compound authentication in the second quarter of 2018, and support for Identity Tokens in the second quarter of this year. (There is of course a lot more that can be said about the MFA product and its functional integrations.)
The most recent support level, Identity Tokens, which carry various claims that contain authentication state information, allows z/OS applications and RACF to link together multiple authentication API calls, providing a framework for better integration between applications and MFA.
Support in IBM Security zSecure
The original MFA announcement contained the following statement of direction: "In the future, IBM plans to enhance the IBM Security zSecure suite to support IBM Multi-Factor Authentication for z/OS. This support is intended to simplify administration by helping to enforce authentication policy, providing alert notifications, and reporting on authentication audit events and compliance. IBM Security zSecure capabilities help prevent privileged user threats, simplify administration, automate auditing, and reduce operational risk."
The first toleration fix went out in the first quarter of 2016, and this was rapidly followed by new function in the second quarter, and more function in following releases.
zSecure V2.4 provides the following:
- Profile display functions in zSecure Admin and zSecure Audit to select on and show the available MFA information
- Profile display functions in zSecure Visual to select on, show, and modify MFA data
- Display of SETROPTS settings in menu options AU.S and RA.S to show what MFA support is available
- Formatting of SMF record type 83 subtype 7 (MFA events) for zSecure Audit, zSecure Alert, and zSecure Adapters for SIEM as well as annotating the authentication method used with other relevant security events
- The Access Monitor component of zSecure Admin also shows the authentication method used
- zSecure Command Verifier supports relevant RACF command keywords and allows definition of policy profiles to protect them
- The RACF Offline component of zSecure Admin prevents invocation of MFA during offline work
- The CARLa Auditing and Reporting Language (CARLa) has relevant fields in the ACCESS, RACF, SMF, and SYSTEM report types
To easily find which users use MFA, an XF primary command can be used in the RA.U (RACF Administration - Users) interactive display.
The XF (exclude-and-find) primary command limits the records shown to those that match the search argument.
The search string is "M" and the search is limited to the "MF" column on the display.
This column shows "M" in the first position when a user has at least one active MFA factor (and does not have the PROTECTED attribute, which would prevent logging on).
This column shows "F" in the second position if the user is allowed to fall back to using a password or pass phrase when the MFA server cannot be reached.
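The following Python model, added here as an illustration and not zSecure's own code, derives the two-position MF column from a user's MFA state exactly as described above and then applies an exclude-and-find style filter to a set of constructed sample user records. The record layout, the factor names and the sample user IDs are assumptions for the example; the edge case it shows is that a PROTECTED user with active factors does not get the "M", and a user with only the fallback "F" is not selected by a search for "M".

```python
"""Model of the MF column in the zSecure RA.U user display (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List


@dataclass
class RacfUser:
    """Constructed stand-in for the user attributes the display is built from."""
    userid: str
    active_factors: List[str] = field(default_factory=list)  # assumed factor names
    protected: bool = False          # PROTECTED attribute: the user cannot log on
    fallback_allowed: bool = False   # may fall back to a password or pass phrase


def mf_column(user: RacfUser) -> str:
    """Return the two-position MF column value for one user.

    Position 1 is 'M' when the user has at least one active MFA factor and
    does not have the PROTECTED attribute; position 2 is 'F' when the user
    may fall back to a password/pass phrase if the MFA server is unreachable.
    """
    first = "M" if user.active_factors and not user.protected else " "
    second = "F" if user.fallback_allowed else " "
    return first + second


def exclude_and_find(users: Iterable[RacfUser], search: str,
                     column: Callable[[RacfUser], str] = mf_column) -> List[RacfUser]:
    """Keep only the records whose column value contains the search string.

    This mirrors the effect of the XF primary command limited to one column:
    every record that does not match the search argument is excluded.
    """
    return [u for u in users if search in column(u)]


# Constructed sample data covering the normal and edge cases.
SAMPLE_USERS = [
    RacfUser("ALICE", active_factors=["TOTP"], fallback_allowed=True),   # "MF"
    RacfUser("BOB", active_factors=["TOTP"]),                            # "M "
    RacfUser("CAROL"),                                                   # "  "
    RacfUser("DAVE", active_factors=["TOTP"], protected=True),           # "  "
    RacfUser("ERIN", fallback_allowed=True),                             # " F"
]


def mfa_userids(users: Iterable[RacfUser] = SAMPLE_USERS) -> List[str]:
    """User IDs selected by searching the MF column for 'M'."""
    return [u.userid for u in exclude_and_find(users, "M")]


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u.userid:<8}MF={mf_column(u)!r}")
    print("Users with an active MFA factor:", mfa_userids())
```

Running the block lists ALICE and BOB only: DAVE has an active factor but is PROTECTED, and ERIN's "F" alone does not match a search for "M".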
Maintenance
A fix category IBM.Function.Multi-FactorAuthentication (MFA/K) exists, and it is recommended to run REPORT MISSINGFIX for this category regularly to pick up additional recommended maintenance.
At the time of writing, the most recent zSecure APAR is OA57892, which allows zSecure releases below V2.4 to work with the RACF database template updates for Identity Token support (which are available as maintenance for z/OS V2.2 and V2.3). You can look here for details.
If you have any questions, please post them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.
[1] You can download the Identity Token information from ftp://ftp.software.ibm.com/s390/zos/racf/pdf/oa55926.pdf
[2] You can download the Multi-Factor Authentication information from ftp://ftp.software.ibm.com/s390/zos/racf/pdf/oa48359.pdf
Edit: zSecure Manager for RACF z/VM 2.5.1 now provides MFA support on z/VM.