IBM Security Z Security

  • 1.  How to display MFA data from RACF database

    IBM Champion
    Posted Fri January 19, 2024 09:41 AM

    MFA stores information in the RACF database under CLASS(MFADEF) FACTOR.AZFSTC. I can see it if I browse the RACF database.

    How do I display it?
    tso rlist MFADEF FACTOR.AZFSTC MFA MFPOLICY 

    does not display it

    ISPF panel ICHP28 and option for MFPPOLICY (but no MFA!) does not display it.

    In the RACF database it looks like (in hex)

        c        MFA        MFADEF  -FACTOR.AZFSTC Ø  Ò{"stcInitialTraceLevel":0,"cache
    0000800000001DCC44444010DCCCCC446CCCEDD4CECEEC0800EC7AA8C98A889E9888D8A8977F6788888
    000030030002C46100000060461456000613369B1962332001D0F23395939133913535553FA0BF31385

    It is not dumped with PGM=IRRDBU00 

    Does anyone have any comments on how I can display this?

    Colin



    ------------------------------
    Colin Paice
    ------------------------------
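
Added example (not part of the original post): the two hex rows in the dump above hold the high and low nibble of each byte, so they can be zipped back into raw bytes and decoded as EBCDIC to read the class, the profile name and the start of the JSON settings. Code page 037 is an assumption, and the function names are illustrative.

```python
import re

# The two hex rows exactly as posted (ISPF HEX ON "vertical" format):
# row 1 holds the high nibble of each byte, row 2 the low nibble.
HI = "0000800000001DCC44444010DCCCCC446CCCEDD4CECEEC0800EC7AA8C98A889E9888D8A8977F6788888"
LO = "000030030002C46100000060461456000613369B1962332001D0F23395939133913535553FA0BF31385"


def decode_vertical_hex(hi_row: str, lo_row: str) -> bytes:
    """Rebuild the raw bytes from a vertical-hex display."""
    hi_row, lo_row = hi_row.strip(), lo_row.strip()
    if len(hi_row) != len(lo_row):
        raise ValueError("nibble rows differ in length; the copy is misaligned")
    # Interleave high/low nibbles; fromhex rejects anything that is not hex.
    return bytes.fromhex("".join(h + l for h, l in zip(hi_row, lo_row)))


def readable_runs(data: bytes, min_len: int = 4, codepage: str = "cp037"):
    """Decode EBCDIC and return runs of printable ASCII-range characters."""
    text = data.decode(codepage)  # assumption: the data is in code page 037
    return re.findall(r"[\x20-\x7e]{%d,}" % min_len, text)


if __name__ == "__main__":
    raw = decode_vertical_hex(HI, LO)
    for run in readable_runs(raw):
        print(repr(run))
```
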


  • 2.  RE: How to display MFA data from RACF database

    Posted Mon January 22, 2024 04:23 AM

    Hi Colin

    The only method I'm aware of to access all MFA-related information in the RACF database is to use the (64-bit only) RACF callable service, IRRSFA64 (see: https://www.ibm.com/docs/en/zos/3.1.0?topic=descriptions-r-factor-irrsfa64-authentication-factor-service).



    ------------------------------
    Andrew Mattingly
    ------------------------------



  • 3.  RE: How to display MFA data from RACF database

    IBM Champion
    Posted Tue January 23, 2024 03:34 AM

    Andrew,
    Thanks for this information... I was only curious, so this sounds like too much work!
    Rob,
    I don't have zSecure because I run on an ADCD system and do not get this product.

    Colin



    ------------------------------
    Colin Paice
    ------------------------------



  • 4.  RE: How to display MFA data from RACF database

    IBM Champion
    Posted Wed January 24, 2024 01:50 PM

    The documentation says I need to bind with IRRSAF64 stub, but I cannot find this stub in sys1.csslib (where the other stubs are available). Is it available anywhere?



    ------------------------------
    Colin Paice
    ------------------------------



  • 5.  RE: How to display MFA data from RACF database

    Posted Thu January 25, 2024 01:43 AM

    Hi Colin,

    I think your problem is a spelling mistake - the entry point is IRRSFA64, not IFFSAF64 (i.e. SFA, not SAF), and the IRRSFA64 stub is present in SYS1.CSSLIB, going back to z/OS 2.4 (and probably 2.3, but I've moved on :))

    I can provide some sample code (in C), which calls IRRSFA64, if that would be helpful.

    Kind regards

    Andrew.



    ------------------------------
    Andrew Mattingly
    ------------------------------



  • 6.  RE: How to display MFA data from RACF database

    IBM Champion
    Posted Sat January 27, 2024 10:14 AM

    Hi Andrew,

    Thanks for pointing out my spelling mistake... it all works now.

    I'm writing a blog on using the RACF callable services. I think it would be good to use the comx/comy structures when calling a service, but I cannot see how to pass it, for example irrsfa64(comy). Is this possible? I've tried lots of things but it passes the address of comy, instead of comy. Is it possible to use this?

    I am having to use

    IRRSFA64( workarea, // WORKAREA 
                 pALET1  , // ALET 
                 pSAF_RC, // SAF RC 

    instead.

    Colin



    ------------------------------
    Colin Paice
    ------------------------------



  • 7.  RE: How to display MFA data from RACF database

    IBM Champion
    Posted Mon January 22, 2024 04:28 AM
    Edited by Rob van Hoboken Mon January 22, 2024 04:33 AM

    zSecure users will be happy to see a slew of MFA fields and integration in the user details display and general resource segment data

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 8.  RE: How to display MFA data from RACF database

    Posted Mon January 22, 2024 09:26 AM
    Edited by Sander De Graaf Mon January 22, 2024 09:27 AM

    I encountered this profile last Friday; the MFA 2.3 documentation says to create this profile. I wondered what kind of "factor" it was, because the profile starts with "FACTOR." Reading now that it has "hidden" data; I hope that it's the settings from AZFEXEC; or else where would that be stored?

    The fields that Rob talks about will unfortunately not help for this particular profile, but are very useful.

    ------------------------------
    Sander De Graaf
    ------------------------------



  • 9.  RE: How to display MFA data from RACF database

    Posted Wed January 31, 2024 08:41 PM

    Hi Sander,

    The data associated with the FACTOR.AZFSTC profile is indeed for the "STC" configuration as set via AZFEXEC.

    Creating a profile under the FACTOR namespace in the MFADEF class allows a sufficiently-authorized IRRSFA64 caller to:

    • associate arbitrary blobs of binary data (settings) with the profile
    • associate Factor Tag Data (string name/value pairs, in a named section) with specific User IDs

    FACTOR.AZFSTC was the first 'non-traditional' profile in the FACTOR namespace, and has been used since the initial release of the product.  It's used to hold settings data, but isn't associated with any user tags.

    Z MFA 2.3 supports new FACTOR namespace profiles: AZFMETAS, AZFFALBK, and AZFOIDC1.  Each has its purpose, and each is also somehow 'non-traditional' relative to things like AZFTOTP1, etc.

    Regards,

    -Jared



    ------------------------------
    Jared Hunter
    Strategic Architect, Security
    Rocket Software, Inc.
    ------------------------------