My Hands-on Experience with IBM Multi-Factor Authentication (MFA) on z/OS
Afroz Alam, senior product developer at BMC Software, outlines three authentication methods he tested

After publishing my article “Introducing IBM MFA,” I’m now excited to share my hands-on experience with implementing and using multifactor authentication (MFA) on z/OS.
Before diving into the practical aspects, it’s important to highlight that the majority of IBM MFA configuration work happens on the Resource Access Control Facility (RACF) side.
IBM MFA is not enabled by default on z/OS; it must be explicitly configured according to the organization's security requirements. On its own, RACF authenticates a user with a password or password phrase. IBM MFA adds further factors, such as tokens, certificates or biometric inputs, and RACF calls IBM MFA during logon for the user IDs that have been set up for it.
To get started with IBM MFA on z/OS, you’ll need to coordinate with your RACF administrator, who is responsible for setting up MFA and configuring the user IDs that will use it.
In this article, I’ll walk through three basic authentication methods I’ve tested—primarily using TN3270 terminal sessions and GUI-based applications that communicate with the mainframe.
Method 1: Using RSA SecurID Token
This method involves logging in using a time-based token generated by the RSA SecurID app.
Steps:
1. Coordinate with the RACF admin:
Request MFA setup on the relevant z/OS LPAR. The admin configures IBM MFA and the corresponding RACF policies.
2. User ID configuration:
The RACF admin associates your TSO user ID with the selected MFA method (RSA SecurID in this case). From then on, RACF invokes IBM MFA during the logon process for that user ID.
3. Install the RSA app:
Download the RSA SecurID Software Token app on your mobile device. The admin provides an import URL for the software token assigned to your TSO user ID; opening it in the app loads that token.
4. Log in using the token:
Access the configured LPAR via TN3270. In the password field, in place of your TSO password, enter the tokencode currently shown by the app.
5. Authentication confirmation:
After pressing ENTER, RACF issues message ICH70008I (IBM MFA Message), which confirms that IBM MFA was used to authenticate the logon.

Note – You can also use the time-based token for GUI-based applications that communicate with the mainframe.
Method 2: RSA RADIUS (Token + Password Combo)
This approach combines the RSA SecurID tokencode with your normal TSO password in a single string, typed into the password field. Behind the scenes, IBM MFA separates the two parts and validates the token part over the RADIUS protocol.
Password format options (the order is fixed by how the admin configured your user ID, so confirm which one applies before you try):
- Token#:TSOpassword
- TSOpassword:Token#
Example:
If your token is 12345678 and your password is mypassword, then your login credential would be:
12345678:mypassword
Steps:
Same as Method 1, except that in Step 4, you enter the token and password together instead of just the token.
Once submitted, you’ll see a similar IBM MFA confirmation message upon successful login.
This method can also be used with TN3270 and GUI-based tools.
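To make the separator rule concrete, here is an added example (my own Python, not IBM MFA's code) that models the split the MFA side has to perform on the compound credential: it cuts at the separator on the token's side, so a ':' inside the RACF password or passphrase survives, and it rejects a string whose token part is not a tokencode. The all-digit, 6- or 8-character tokencode check and the sample credentials are assumptions made for the demo.

```python
"""Model of how a 'token:password' (or 'password:token') compound credential is
taken apart into its two factors.  Added example, not IBM MFA's code."""
import re

# SecurID tokencodes are numeric; 6 or 8 digits is assumed here for the demo.
TOKENCODE = re.compile(r"\d{6}|\d{8}")


def split_compound(credential: str, token_first: bool = True):
    """Return (tokencode, password) or None if the credential is malformed.

    The cut is made at the separator adjacent to the token: the first ':'
    when the token leads, the last ':' when it trails.  The RACF password or
    passphrase may itself contain ':' and must survive unchanged.
    """
    if token_first:
        token, sep, password = credential.partition(":")
    else:
        password, sep, token = credential.rpartition(":")
    if not sep or not password or not TOKENCODE.fullmatch(token):
        return None
    return token, password


def naive_split(credential: str):
    """The tempting one-liner, shown only for contrast: any second ':' makes it
    reject (or, in sloppier variants, mangle) an otherwise valid credential."""
    parts = credential.split(":")
    return (parts[0], parts[1]) if len(parts) == 2 else None


if __name__ == "__main__":
    samples = [("12345678:mypassword", True),   # configured token-first
               ("mypassword:12345678", False),  # configured password-first
               ("12345678:my:pass", True),      # ':' inside the password
               ("my:pass:12345678", False),
               ("mypassword:12345678", True),   # wrong order for the configuration
               ("1234567:mypassword", True)]    # 7 digits: not a tokencode
    for cred, first in samples:
        print(f"{cred!r:24} correct={split_compound(cred, first)}  naive={naive_split(cred)}")
```

Two of the sample rows are the cases worth remembering: typing the parts in the wrong order for your configuration fails the tokencode check instead of quietly succeeding, and a password containing ':' is only handled correctly because the cut is made from the token's side rather than by splitting on every colon.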
Method 3: Certificate-Based Authentication (Digital Certificates)
Certificate-based MFA is used for browser-based applications (HTTPS) and for specific applications such as z/OSMF or REST API clients; it is not supported for TN3270 logon.
This method uses TLS client certificates, which are typically stored in:
- A browser certificate store
- A local keystore used by an application (e.g., Java keystore)
Steps:
1. Request a client certificate:
Ask the RACF admin for a client certificate associated with your TSO user ID.
2. Receive the certificate and password:
The admin provides a PKCS#12 (.p12 or .pfx) file and the password needed to import it into your environment (browser, keystore or tool). Ask for the password to be delivered separately from the file.
3. Import and use the certificate in applications:
- z/OSMF (via browser): Configure your browser to present the client certificate when accessing z/OSMF.
- REST API tools (e.g., Postman): Import the certificate into the tool's SSL/TLS settings.
- Java or other language-based applications using HTTPS REST APIs: Load the certificate into the application's keystore so it can be presented to the server.
- Application integration (Java and others): If you are building a Java (or other) application that communicates with z/OS over REST APIs, implement X.509 client certificate authentication by configuring the application to present the certificate during the TLS handshake. The server on the mainframe side (typically a z/OS HTTP server or API gateway) validates the certificate before allowing access.
This type of MFA is also known as digital certificate or smart card certificate authentication.
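For the application-integration case, here is an added example that runs end-to-end on localhost. It is my own Python, not IBM's, z/OSMF's or the z/OS HTTP server's code, and it needs the cryptography package. The admin's hand-over is stood in for by a throwaway CA and a PKCS#12 generated in-process (constructed data; RACF's own certificate handling is not modelled), p12_to_pem does the "import" step for a PEM-based tool, and a local TLS server plays the mainframe side by requiring a client certificate that chains to the CA. The TSO user ID ALAMA1, the import password, the "Demo z/OS CA" name and the CN-to-user-ID mapping are assumptions for the demo; a real RACF associates the certificate with the user ID explicitly.

```python
# Client-certificate (mutual TLS) logon modelled end-to-end on localhost.  Added example;
# not IBM's, z/OSMF's or the z/OS HTTP server's code.  Requires the cryptography package.
import datetime as dt
import socket
import ssl
import tempfile
import threading
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

TSO_USER = "ALAMA1"          # hypothetical TSO user ID
P12_PASSWORD = b"import-me"  # hypothetical import password handed over by the admin
CA_CN = "Demo z/OS CA"       # throwaway demo CA, not RACF's own certificate authority
PEM, PKCS8 = serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8

def _cert(subject_cn, issuer_cn, signer_key, key, ca, san=None):
    """Sign a one-day certificate, with the key identifiers strict validators expect."""
    subject, issuer = (x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)]) for c in (subject_cn, issuer_cn))
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=5)).not_valid_after(now + dt.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(signer_key.public_key()),
                        critical=False))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return b.sign(signer_key, hashes.SHA256())

def make_admin_deliverable():
    """Constructed stand-in for the admin's hand-over: CA cert plus a password-protected PKCS#12."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _cert(CA_CN, CA_CN, ca_key, ca_key, ca=True)
    user_key = ec.generate_private_key(ec.SECP256R1())
    user_cert = _cert(TSO_USER, CA_CN, ca_key, user_key, ca=False)   # CN = the TSO user ID
    p12 = pkcs12.serialize_key_and_certificates(TSO_USER.encode(), user_key, user_cert, [ca_cert],
                                                serialization.BestAvailableEncryption(P12_PASSWORD))
    return ca_key, ca_cert, p12

def p12_to_pem(p12_bytes, password):
    """The 'import' step for a PEM-based tool; a wrong password raises ValueError."""
    key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    return key.private_bytes(PEM, PKCS8, serialization.NoEncryption()), cert.public_bytes(PEM)

def _serve_one(ctx, listener):
    """Mainframe side: require a client cert chaining to the CA; map its CN to a user ID (RACF simplification)."""
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]
            tls.sendall(b"READY " + cn.encode())
    except OSError:  # handshake failed: missing or untrusted client certificate
        conn.close()

def logon(port, ca_file, cert_file=None, key_file=None):
    """Client side: offer the certificate (if any); return the granted user ID or None."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            reply = tls.recv(64)
    except OSError:
        return None
    return reply[6:].decode() if reply.startswith(b"READY ") else None

def run_demo():
    """Return [user ID granted with the certificate, result of the same logon without it]."""
    ca_key, ca_cert, p12 = make_admin_deliverable()
    user_key_pem, user_cert_pem = p12_to_pem(p12, P12_PASSWORD)
    srv_key = ec.generate_private_key(ec.SECP256R1())
    srv_cert = _cert("localhost", CA_CN, ca_key, srv_key, ca=False, san="localhost")
    socket.setdefaulttimeout(10)
    with tempfile.TemporaryDirectory() as d:
        files = {"ca.pem": ca_cert.public_bytes(PEM), "user.key": user_key_pem, "user.crt": user_cert_pem,
                 "srv.key": srv_key.private_bytes(PEM, PKCS8, serialization.NoEncryption()),
                 "srv.crt": srv_cert.public_bytes(PEM)}
        p = {n: str(Path(d, n)) for n in files}
        for n, data in files.items():
            Path(p[n]).write_bytes(data)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(p["srv.crt"], p["srv.key"])
        ctx.load_verify_locations(p["ca.pem"])
        ctx.verify_mode = ssl.CERT_REQUIRED  # the control that makes the certificate a factor
        results = []
        for with_cert in (True, False):
            with socket.create_server(("127.0.0.1", 0)) as listener:
                t = threading.Thread(target=_serve_one, args=(ctx, listener))
                t.start()
                results.append(logon(listener.getsockname()[1], p["ca.pem"],
                                     p["user.crt"] if with_cert else None, p["user.key"] if with_cert else None))
                t.join()
    return results
```

Run run_demo() and it returns the user ID taken from the certificate for the first attempt and None for the second. The point to take from it is the server side: verify_mode = CERT_REQUIRED together with load_verify_locations is what turns the certificate into an authentication factor; a server that merely completes the handshake has authenticated nobody. The same structure transfers to Java, where the .p12 is loaded with KeyStore.getInstance("PKCS12") into a KeyManagerFactory and from there into an SSLContext.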
Conclusion
These hands-on experiences show that IBM MFA on z/OS is flexible and powerful, capable of integrating with both legacy terminal sessions and modern GUI/API-based applications. While the initial setup requires coordination with RACF administrators, once configured, it significantly strengthens access control.