Getting Started with z/OS Pass (zPass): A Complete Introduction
Introduction
In the ever-evolving landscape of enterprise computing, security remains paramount. IBM’s z/OS, the cornerstone of many mission-critical applications for large organizations, has long been renowned for its robust security features. z/OS Pass (zPass), also referred to as Multi-Factor Authentication for z/OS (MFA for z/OS) in some documentation and contexts, is a relatively recent, yet crucial, addition to this security arsenal. It represents a significant step forward in protecting z/OS systems from unauthorized access by implementing a modern, standards-based approach to multi-factor authentication.
This comprehensive guide is designed to provide a complete introduction to z/OS Pass. We’ll cover everything from the fundamental concepts of MFA to the practical steps of configuring and using zPass in your z/OS environment. Whether you’re a systems programmer, security administrator, or simply someone curious about enhancing z/OS security, this article will provide you with the foundational knowledge you need.
1. Understanding Multi-Factor Authentication (MFA)
Before diving into the specifics of zPass, it’s essential to have a solid understanding of multi-factor authentication (MFA) itself.
- What is MFA? MFA is a security mechanism that requires users to provide two or more independent verification factors to gain access to a resource. This is in contrast to traditional single-factor authentication, which typically relies solely on a password.
- Why is MFA Important? Passwords, even complex ones, are vulnerable to various attacks, including phishing, brute-force attacks, and credential stuffing (using stolen credentials from other breaches). MFA significantly mitigates these risks by requiring additional, independent factors. Even if an attacker compromises one factor (e.g., a password), they still cannot gain access without possessing the other factor(s).
- Types of Authentication Factors: MFA typically leverages three categories of factors:
  - Something You Know: This is the most common factor, usually a password or PIN.
  - Something You Have: This is a physical object in the user’s possession, such as a smartphone (for one-time passwords or push notifications), a security token (hardware or software), or a smart card.
  - Something You Are: This refers to biometric factors, such as a fingerprint, facial recognition, or iris scan.
- MFA in the Enterprise: MFA is increasingly becoming a standard security practice in enterprise environments, driven by regulatory compliance requirements (e.g., PCI DSS, HIPAA, GDPR) and the growing threat landscape.
2. Introduction to z/OS Pass (MFA for z/OS)
z/OS Pass is IBM’s implementation of multi-factor authentication specifically designed for the z/OS operating system. It’s a comprehensive solution that integrates with existing z/OS security infrastructure, primarily RACF (Resource Access Control Facility), to provide a layered security approach.
- Key Features of z/OS Pass:
  - Standards-Based Authentication: zPass leverages industry-standard protocols like RADIUS (Remote Authentication Dial-In User Service) and TOTP (Time-Based One-Time Password) to ensure interoperability and flexibility.
  - Integration with RACF: zPass seamlessly integrates with RACF, the primary security manager for z/OS. This allows you to leverage existing user profiles and security policies, minimizing disruption to your existing environment.
  - Support for Various Authentication Factors: zPass supports a wide range of authentication factors, including:
    - One-Time Passwords (OTPs): Generated by authenticator apps (e.g., Google Authenticator, Microsoft Authenticator, IBM Verify) or hardware tokens.
    - Push Notifications: Sent to a registered mobile device, requiring user approval to grant access.
    - Security Keys (FIDO2/WebAuthn): Hardware security keys that provide a highly secure and phishing-resistant authentication method.
    - Certificate-Based Authentication: Using digital certificates to verify user identity.
    - PassTickets: A z/OS-specific mechanism that generates a temporary, single-use credential. zPass can be used to enhance the security of PassTicket generation.
  - Flexible Configuration Options: zPass offers granular control over authentication policies, allowing you to customize the requirements based on user roles, resource sensitivity, and risk levels.
  - Auditing and Reporting: zPass provides comprehensive auditing and reporting capabilities, allowing you to track authentication events and identify potential security threats.
  - Support for Various z/OS Interfaces: zPass can be used to protect various z/OS interfaces, including:
    - TSO/E (Time Sharing Option/Extensions): The primary interactive interface for z/OS.
    - z/OS UNIX System Services: The UNIX-like environment within z/OS.
    - CICS (Customer Information Control System): A transaction processing system.
    - IMS (Information Management System): A database and transaction management system.
    - WebSphere Application Server for z/OS: A Java application server.
    - FTP (File Transfer Protocol): For secure file transfers.
    - z/OS Management Facility (z/OSMF): A web-based interface for managing z/OS.
- How z/OS Pass Works:
  - User Initiation: A user attempts to access a z/OS resource (e.g., logs on to TSO).
  - Primary Authentication: The user provides their primary credentials (usually a user ID and password) to RACF.
  - RACF Check: RACF verifies the primary credentials.
  - zPass Trigger: If MFA is required for the user or resource, RACF triggers zPass.
  - MFA Challenge: zPass, through a configured MFA server (e.g., IBM MFA, a third-party RADIUS server), challenges the user for the additional authentication factor(s).
  - User Response: The user provides the required factor(s) (e.g., enters an OTP, approves a push notification, or uses a security key).
  - MFA Server Verification: The MFA server verifies the provided factor(s).
  - Access Granted/Denied: If the verification is successful, the MFA server informs RACF, and access is granted. If verification fails, access is denied.
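The RADIUS leg of the flow above (z/OS acting as the RADIUS client, the MFA server verifying and replying over UDP 1812), as an added example that is not code from this article or from IBM MFA. It implements the RFC 2865 Access-Request, with the user's response (e.g., an OTP) carried in the User-Password attribute under the standard obfuscation, and the Response Authenticator that the client must verify before trusting an Access-Accept. Both are keyed by the shared secret, which is the reason the secret must be strong and random; the user ID, OTP, NAS address, secret and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")                       # code, identifier, total length

def attribute(kind: int, value: bytes) -> bytes:
    """One type-length-value attribute; the length byte counts its own 2-byte header."""
    return struct.pack("BB", kind, len(value) + 2) + value

def obfuscate_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(secret: bytes, request_auth: bytes, blob: bytes) -> bytes:
    """Server-side inverse of obfuscate_password (strips the zero padding)."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs

def access_request(secret, ident, request_auth, user: str, otp: str, nas_ip: str) -> bytes:
    """What the NAS (z/OS) sends; request_auth must be 16 fresh random bytes per request."""
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, obfuscate_password(secret, request_auth, otp.encode()))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def response_authenticator(secret, code, ident, request_auth, attrs) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def access_accept(secret: bytes, request: bytes) -> bytes:
    """Server reply; its authenticator binds it to this request and to the shared secret."""
    ident, request_auth = request[1], request[4:20]
    return packet(ACCESS_ACCEPT, ident, response_authenticator(secret, ACCESS_ACCEPT, ident, request_auth, b""), b"")

def reply_is_authentic(secret: bytes, request_auth: bytes, reply: bytes) -> bool:
    """NAS-side check: a reply is trusted only if its authenticator verifies under the secret."""
    code, ident, length = HEADER.unpack(reply[:4])
    expected = response_authenticator(secret, code, ident, request_auth, reply[20:length])
    return hmac.compare_digest(expected, reply[4:20])
```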
3. Planning Your z/OS Pass Implementation
Before deploying z/OS Pass, careful planning is crucial to ensure a smooth and successful implementation. Consider the following aspects:
- Identify Target Users and Resources:
  - Which users require MFA? (e.g., system administrators, privileged users, users accessing sensitive data).
  - Which resources need to be protected by MFA? (e.g., TSO, CICS, specific datasets, applications).
  - Prioritize your rollout. Start with a small group of users and resources, then gradually expand.
- Choose Authentication Factors:
  - Consider the security requirements of your environment and the usability preferences of your users.
  - Evaluate the cost and complexity of implementing different factors.
  - Ensure that the chosen factors are supported by your chosen MFA server.
- Select an MFA Server:
  - IBM MFA: IBM provides its own MFA solution, which is tightly integrated with z/OS and RACF. This is often the recommended choice for a streamlined deployment.
  - Third-Party RADIUS Server: You can use a third-party RADIUS server that complies with the RADIUS standard. This provides flexibility but may require more configuration.
  - Azure MFA (with RADIUS Extension): If you use Azure Active Directory, you can leverage Azure MFA with a RADIUS extension to integrate with z/OS.
- Network Configuration:
  - Ensure that your z/OS system can communicate with the chosen MFA server.
  - Configure firewall rules to allow the necessary network traffic (usually UDP port 1812 for RADIUS).
- RACF Configuration:
  - You’ll need to configure RACF to enable MFA and define the authentication policies.
  - This involves creating RACF profiles and defining MFA factors for users.
- User Training and Communication:
  - Provide clear and concise training to your users on how to use the new MFA system.
  - Communicate the rollout plan and any expected changes to the user experience.
- Testing and Validation:
  - Thoroughly test your zPass implementation in a test environment before deploying it to production.
  - Verify that MFA is working correctly for all target users and resources.
  - Test fallback mechanisms in case of MFA server unavailability.
- Disaster Recovery:
  - Plan and implement a disaster recovery plan for the MFA infrastructure to ensure continuity of service.
4. Installing and Configuring z/OS Pass (IBM MFA Example)
This section provides a detailed, step-by-step guide to installing and configuring z/OS Pass using IBM MFA as the authentication server. While the specific steps may vary slightly depending on your z/OS version and configuration, this provides a general framework.
Prerequisites:
- z/OS system with RACF installed and configured.
- IBM MFA server installed and configured (refer to IBM documentation for specific installation instructions).
- Network connectivity between the z/OS system and the IBM MFA server.
- Appropriate user IDs and permissions to perform the necessary configuration tasks.
- Authenticator apps (e.g., Google Authenticator, Microsoft Authenticator, IBM Verify) installed on users’ mobile devices (if using OTPs).
Steps:
- Configure the IBM MFA Server:
  - Define Authentication Methods: Configure the authentication methods you want to use (e.g., TOTP, push notifications).
  - Create Policies: Define authentication policies that specify which authentication methods are required for different users or groups.
  - Register Users: Register users with the IBM MFA server and associate them with their chosen authentication methods. This usually involves providing the user’s z/OS user ID and enrolling their device (e.g., scanning a QR code with an authenticator app).
  - Configure RADIUS Client: Configure the z/OS system as a RADIUS client on the IBM MFA server. This involves specifying the z/OS system’s IP address and a shared secret.
- Configure RACF for zPass:
  - Enable MFA Feature: Enable the MFA feature in RACF. This is typically done using the SETROPTS command:
    SETROPTS MFA(ACTIVE)
  - Define MFA Factors: Define the MFA factors that you want to use in RACF. This involves creating profiles in the MFADEF class:
    RDEFINE MFADEF factor_name UACC(NONE)
    Replace factor_name with a descriptive name for the factor (e.g., IBM_MFA_TOTP). You may need to define multiple factors if you’re using different authentication methods.
  - Associate Factors with Users: Associate the defined MFA factors with individual users or groups using the ALU (ALTUSER) or ALTGROUP command:
    ALU userid MFA(FACTOR(factor_name) ACTIVE)
    or
    ALTGROUP groupid MFA(FACTOR(factor_name) ACTIVE)
    Replace userid or groupid with the appropriate user or group ID, and factor_name with the name of the defined MFA factor.
  - Define MFA Policies (Optional): You can create more granular MFA policies using the MFAPOLICY class. This allows you to specify different MFA requirements based on various criteria, such as:
    - Application: Require MFA for specific applications (e.g., CICS, IMS).
    - Resource: Require MFA for access to specific resources (e.g., datasets, files).
    - Time of Day: Require MFA only during certain hours.
    - Location: Require MFA based on the user’s location (e.g., IP address range).
    Example of defining an MFAPOLICY:
    RDEFINE MFAPOLICY policy_name UACC(NONE) APPL(CICS*) FACTOR(IBM_MFA_TOTP)
    This policy would require users accessing CICS applications (with names starting with “CICS”) to use the IBM_MFA_TOTP factor.
  - Configure Fallback (Optional but Recommended): Configure a fallback mechanism in case the MFA server is unavailable. This is usually done by defining a FALLBACK option for the user or group in their MFA profile. Common fallback options include:
    - NONE: No fallback is available; access is denied.
    - PASSWORD: Allow the user to fall back to password authentication.
    - RACFPASS: Allow authentication if a special SAF return code is present (can be used with custom exits).
    Consider the security implications of the fallback options. For example:
    ALU userid MFA(FACTOR(factor_name) ACTIVE FALLBACK(PASSWORD))
- Configure z/OS Applications for MFA:
  - TSO/E: TSO/E typically integrates with zPass automatically once RACF is configured. You may need to configure specific TSO/E logon procedures or exits to handle MFA challenges.
  - z/OS UNIX: The login utility in z/OS UNIX usually integrates with zPass automatically.
  - CICS: You’ll need to configure CICS to use the RACF PassTicket feature and enable MFA for PassTicket generation. This involves modifying CICS system initialization parameters and potentially writing CICS exit programs.
  - IMS: Similar to CICS, IMS requires configuration to use PassTickets and enable MFA for PassTicket generation.
  - Other Applications: Refer to the documentation for your specific applications to determine how to integrate them with zPass. Many applications use PassTickets, which can be secured with zPass.
- Configure z/OS Communications Server (for RADIUS):
  - Update your BPXPRMxx parmlib member. Add or verify a NETWORK DOMAINNAME(AF_INET) DOMAINNUMBER(2) statement, if one does not already exist.
  - Update or create a RESOLVER configuration. This will allow your z/OS system to resolve the hostname of your RADIUS server. This is usually done in a dataset allocated to the RESOLVER DD statement in your TCPIP started task.
- Test the Configuration:
  - Log on to TSO/E as a user who is configured for MFA.
  - You should be prompted for your primary credentials (user ID and password).
  - After successful primary authentication, you should be prompted for the MFA factor (e.g., enter an OTP from your authenticator app).
  - Verify that you can successfully log on after providing the correct MFA factor.
  - Test the fallback mechanism (if configured) by simulating an MFA server outage.
  - Test access to other applications (CICS, IMS, etc.) that are configured for MFA.
5. Using z/OS Pass (User Perspective)
From a user’s perspective, using z/OS Pass involves a few additional steps compared to traditional single-factor authentication:
- Initial Enrollment: The first time a user is required to use MFA, they’ll typically need to enroll their device or choose their authentication method. This usually involves:
  - Scanning a QR Code: For OTP-based authentication, the user will scan a QR code displayed on the screen with their authenticator app.
  - Entering a Secret Key: Alternatively, the user may be provided with a secret key to manually enter into their authenticator app.
  - Registering a Mobile Device: For push notifications, the user will register their mobile device with the MFA server.
  - Installing a Certificate: For certificate-based authentication, the user will install a digital certificate on their workstation.
- Subsequent Logons: After enrollment, subsequent logons will involve the following steps:
  - Enter Primary Credentials: The user enters their z/OS user ID and password.
  - Provide MFA Factor: The user is prompted to provide their MFA factor.
    - OTP: The user opens their authenticator app and enters the currently displayed OTP.
    - Push Notification: The user receives a push notification on their mobile device and taps “Approve” to grant access.
    - Security Key: The user inserts their security key into a USB port and touches the button on the key.
    - Certificate: The user’s browser or application automatically presents their digital certificate for verification.
  - Access Granted: Upon successful verification of the MFA factor, the user is granted access to the z/OS resource.
6. Advanced Configuration and Considerations
- PassTicket Enhancement: zPass can be used to strengthen the security of PassTickets. Instead of relying solely on the PassTicket generation algorithm, you can require MFA before a PassTicket is generated. This prevents attackers from generating valid PassTickets even if they compromise the PassTicket generation key.
- Custom Exits: zPass allows you to write custom exit programs to implement more complex authentication logic or integrate with non-standard authentication methods. This provides significant flexibility but requires advanced z/OS programming skills.
- Integration with Other Security Products: zPass can be integrated with other security products, such as IBM Security Verify Access (formerly IBM Security Access Manager), to provide a unified authentication experience across multiple platforms.
- Geolocation and IP Restrictions: IBM MFA and some third-party RADIUS solutions allow for IP address whitelisting/blacklisting and geolocation restrictions. These features allow for more granular control, further reducing attack vectors.
- High Availability and Scalability: For large-scale deployments, it’s crucial to ensure high availability and scalability of the MFA server. This may involve deploying multiple MFA server instances in a clustered configuration.
- Regular Expression Support in MFAPOLICY: Use regular expressions to create policies for a set of applications or users, to simplify administration.
- AZFCKRC Parameter: AZFCKRC is a parameter in IBM MFA that specifies the SAF (System Authorization Facility) return code that IBM MFA should check for to determine whether a user is authorized to bypass MFA. This is used in conjunction with custom SAF exits.
7. Troubleshooting
- Authentication Failures: If users are experiencing authentication failures, check the following:
  - RACF Configuration: Verify that RACF is correctly configured for MFA and that the user is associated with the correct MFA factors.
  - MFA Server Logs: Check the logs on the MFA server for any errors or warnings.
  - Network Connectivity: Ensure that there is network connectivity between the z/OS system and the MFA server.
  - User Device: Verify that the user’s device (e.g., smartphone, security key) is working correctly and that they are providing the correct MFA factor.
  - Time Synchronization: For TOTP-based authentication, ensure that the time on the z/OS system, the MFA server, and the user’s device is synchronized. Even small time discrepancies can cause OTP validation to fail.
- RACF Errors: Pay close attention to RACF error messages in the system log (SYSLOG). They can point to configuration errors or permission issues.
- IBM MFA Server Issues: If using IBM MFA, check its status and logs. Common problems are certificate issues, service not started, or configuration problems with authentication methods.
8. Best Practices
- Start Small: Begin with a pilot program involving a small group of users and resources before rolling out zPass to the entire organization.
- Phased Rollout: Gradually expand the scope of your zPass implementation, adding more users and resources over time.
- User Education: Provide thorough training and documentation to users on how to use zPass and the importance of MFA.
- Regular Auditing: Regularly review audit logs to monitor authentication activity and identify potential security threats.
- Policy Review: Periodically review and update your MFA policies to ensure they remain aligned with your organization’s security requirements.
- Stay Updated: Keep your z/OS system, RACF, and MFA server software up to date with the latest security patches and releases.
- Use Strong Shared Secrets: When configuring the RADIUS client (z/OS) and server, use a strong, randomly generated shared secret.
- Limit Fallback Options: Avoid using FALLBACK(PASSWORD) unless absolutely necessary. If a fallback is required, consider RACFPASS with a well-designed custom exit for better control.
Conclusion
z/OS Pass (MFA for z/OS) is a critical component of a robust security strategy for any organization relying on z/OS. By implementing multi-factor authentication, you significantly reduce the risk of unauthorized access and protect your valuable data and applications. This comprehensive guide has provided a detailed introduction to zPass, covering the fundamental concepts, planning considerations, installation and configuration steps, user experience, advanced topics, troubleshooting, and best practices. By following these guidelines, you can successfully deploy zPass and enhance the security of your z/OS environment. Remember to always consult the official IBM documentation for the most up-to-date information and specific instructions related to your z/OS version and configuration.