IBM MFA on z/OS

After publishing “Strengthening Enterprise Security with IBM Multi-Factor Authentication,” I’m excited to share part two: my hands-on experience implementing and using multi-factor authentication (MFA) on z/OS.

Before getting into the practical steps, note that most of the IBM MFA configuration work is done on the RACF (Resource Access Control Facility) side by the security administrator; what changes for the end user is mainly what is typed at logon.

IBM MFA is not enabled by default on z/OS; it must be explicitly configured to match the organization's security requirements. z/OS normally authenticates a user through RACF with a password or password phrase. IBM MFA adds further factors to that logon, such as one-time token codes, X.509 certificates, or smart cards, so that a stolen password alone is no longer enough to get in.

To get started with IBM MFA on z/OS, you’ll need to coordinate with your RACF administrator. The administrator is responsible for setting up MFA and configuring the user IDs that will use it.

In this article, I'll walk through three basic authentication methods I've tested, primarily using TN3270 terminal sessions and GUI-based applications that communicate with the mainframe.

Method 1: Using RSA SecurID Token

This method involves logging in with a one-time passcode generated by the RSA SecurID app, entered in place of your TSO password.

Steps:

  1. Coordinate with RACF Admin:
    Request MFA setup on the relevant z/OS LPAR. The admin will configure IBM MFA and the RACF policies accordingly.
  2. User ID Configuration:
    The RACF admin associates your TSO user ID with the selected MFA factor (RSA SecurID in this case). RACF will invoke IBM MFA during the logon process.
  3. Install RSA App:
    Download the RSA SecurID Software Token app on your mobile device. The admin will provide a custom import URL (or token file) that loads the token assigned to you; on the RACF side, the admin maps that token to your TSO user ID.
  4. Log In Using Token:
    Access the configured LPAR via TN3270. In place of your TSO password, enter the current passcode shown by the app. The passcode changes every 60 seconds, so type it while it is still valid.
    Example screen: (logon screen image not reproduced here)
  5. Authentication Confirmation:
    After pressing ENTER, you'll see the RACF message ICH70008I, which indicates that IBM MFA processed the authentication.

Note: The same passcode can also be used with GUI-based applications that communicate with the mainframe, wherever you would otherwise type your TSO password.

Method 2: RSA RADIUS (Token + Password Combo)

This approach combines the RSA SecurID passcode with your traditional TSO password in a single value, typed into the password field. Behind the scenes, IBM MFA verifies the token portion over the RADIUS protocol and the password portion against RACF, so both must be correct for the logon to succeed.

Password Format Options:

  • Token#:TSOpassword
  • or (depending on configuration) TSOpassword:Token#

The separator and the order are set by the RACF admin in the MFA policy, so confirm which format applies to you before your first logon.

Example:
If your passcode is 12345678 and your password is "mypassword", you would type:

12345678:mypassword

Steps:

The steps are the same as in Method 1, except that in step 4 you enter the passcode and password together instead of the passcode alone. Note that the combined value is longer than an eight-character password, so the logon field you use must accept a password phrase.
Once submitted, you'll see the same IBM MFA confirmation message on successful logon.

This method can also be used with TN3270 and GUI-based tools.

Method 3: Certificate-Based Authentication (Digital Certificates)

Certificate-based MFA is typically used for browser-based applications (HTTPS) or specific applications like z/OSMF or REST API interactions; it is not supported for TN3270 logon.

This method uses TLS client certificates (mutual TLS), which are typically stored in:

  • A browser certificate store
  • A local keystore used by an application (e.g., Java keystore) 

Steps:

  1. Request a Client Certificate:
    Ask the RACF admin for a client certificate associated with your TSO user ID.
  2. Receive Certificate + Password:
    The admin will provide a PKCS#12 (.p12 or .pfx) file and the password that protects it. Treat the file as a credential: the private key inside it is what proves your identity. Import it into a store that protects the key (your browser's certificate store, the OS keychain, or a Java keystore) and delete the .p12 file and its password once the import is complete.
  3. Import and Use the Certificate in Applications:
    You can now import and use this certificate in:
    • z/OSMF (via browser): Configure your browser to present the client certificate when accessing z/OSMF.
    • REST API tools (e.g., Postman): Import the certificate into your tool’s SSL settings.
    • Java or other language-based applications using HTTPS REST APIs: Load the certificate into your application’s keystore for secure communication.
  4. Application Integration (Java and Others):

If you're building a Java (or any other language) application that communicates with z/OS over REST APIs, you can implement X.509 client certificate authentication by configuring the application's TLS client to present the certificate during the handshake. The mainframe server (typically a z/OS HTTP server or API gateway) validates the certificate chain and maps the certificate to the RACF user ID it was registered for before allowing access. The application must verify the server's certificate as well; do not disable chain or hostname verification to get past a lab setup, since that lets anyone on the network impersonate the mainframe.

This type of MFA is also known as digital certificate or smart card certificate authentication.
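As an added example (not code from the article, from IBM, or from z/OSMF itself), here is how a Java application can present the client certificate from step 2 during the TLS handshake when calling a z/OSMF REST API, using only the JDK's java.net.http client. The host name, file paths, environment variable names and the jobs endpoint are assumptions for illustration; the X-CSRF-ZOSMF-HEADER header is the one z/OSMF requires on REST requests.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Calls a z/OSMF REST endpoint, authenticating with the X.509 client
 * certificate issued for a TSO user ID. Illustrative code added to this
 * article; host, paths, endpoint and variable names are assumptions.
 */
public class ZosmfClientCertExample {

    /** Reads a secret from the environment rather than hard-coding it in source. */
    static char[] requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value.toCharArray();
    }

    /**
     * Builds an SSLContext that (a) presents our certificate and private key from
     * the PKCS#12 file the RACF admin issued and (b) trusts only the CA that signed
     * the z/OS server certificate. No trust-all manager, no hostname-check bypass.
     */
    static SSLContext buildSslContext(String p12Path, char[] p12Password,
                                      String truststorePath, char[] truststorePassword)
            throws Exception {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            identity.load(in, p12Password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, p12Password);

        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            trust.load(in, truststorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: adjust to your environment.
        String base = "https://zosmf.example.com:443";
        String p12Path = "/home/user/user.p12";          // file issued in step 2
        String truststorePath = "/home/user/zos-ca.p12"; // CA that signed the server cert
        char[] p12Password = requireEnv("P12_PASSWORD");
        char[] truststorePassword = requireEnv("TRUSTSTORE_PASSWORD");

        SSLContext ctx;
        try {
            ctx = buildSslContext(p12Path, p12Password, truststorePath, truststorePassword);
        } finally {
            // The key material now lives in the SSLContext; wipe the passwords from memory.
            Arrays.fill(p12Password, '\0');
            Arrays.fill(truststorePassword, '\0');
        }

        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();

        // z/OSMF rejects REST requests that lack the X-CSRF-ZOSMF-HEADER header.
        HttpRequest request = HttpRequest.newBuilder(
                        URI.create(base + "/zosmf/restjobs/jobs?owner=*&prefix=*"))
                .header("X-CSRF-ZOSMF-HEADER", "true")
                .header("Accept", "application/json")
                .GET()
                .build();

        // The certificate is sent during the TLS handshake; no password or
        // Authorization header is needed. A 401 here typically means the
        // certificate is not mapped to a RACF user ID on the z/OS side.
        HttpResponse<String> response =
                client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + response.statusCode());
        System.out.println(response.body());
    }
}
```

Run it with P12_PASSWORD and TRUSTSTORE_PASSWORD set in the environment. Putting the PKCS#12 password on the command line or in source would undo much of what the certificate factor buys you, and the truststore should contain only the CA that issued the server certificate. The code deliberately does not install a trust-all TrustManager or turn off hostname verification: those shortcuts let an attacker on the path impersonate the mainframe and capture whatever the application sends.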

Conclusion

These hands-on experiences show that IBM MFA on z/OS is flexible and powerful, capable of integrating with both legacy terminal sessions and modern GUI/API-based applications. While the initial setup requires coordination with RACF administrators, once configured, it significantly strengthens access control.

Mohammad Afroz Alam is a seasoned mainframe professional. He works as a product developer at BMC Software India, Pune. He began his career as an application developer, dedicating a decade to application maintenance and enhancement before transitioning to product development.

His expertise bridges traditional mainframe technologies and modern development practices.

Outside work, he enjoys spending time with his family and is a proud father to two daughters, aged 10 and 1.
