Configuring for CICS Explorer sign-on with Multi-Factor Authentication
To support CICS Explorer® sign-on with multi-factor authentication (MFA), you must configure the WUI region to use the CMCI JVM server.
Before you begin
- You must have IBM® Multi-Factor Authentication for z/OS® or an equivalent product configured with RACF to support multi-factor authentication. If you use an alternative external security manager (ESM), see your vendor for details.
- MFA is supported by CICS Explorer Version 5.4.0.4 or later. Ensure that users install the supported CICS Explorer version before they use MFA to log in.
- MFA is supported by CICS TS V5.4 with APAR PI87691 or later. Ensure that your WUI region and CMAS are running at the same CICS level, which must be CICS TS V5.4 with APAR PI87691 or later. For information about CICS level considerations for setting up your CICSPlex® SM topology, see Designing your CICSPlex SM environment.
- Your WUI region must have been configured to enable the use of CMCI with CICSPlex SM. For more information, see Optional parameters for the WUI.
Restriction: SMSS regions do not support the CMCI JVM server, and therefore do not support MFA login from CICS Explorer.
About this task
The CMCI JVM server runs in the WUI region and handles CMCI requests.
Figure 1 illustrates the workflow of CICS Explorer sign-on authentication with an MFA token.
![This figure shows the authentication process to verify a user who performs an MFA log-in from CICS Explorer. The process is explained in the following paragraphs.](../graphics/mfa-signon-diagram-01.png)
- When a user logs on from CICS Explorer, CICS Explorer passes the user credentials to the CMCI JVM server. The user credentials can be a user ID and password, a passticket, an MFA token or a certificate.
- The CMCI JVM server validates the user credentials and generates an LTPA token.
- The CMCI JVM server replies to CICS Explorer with the response and the LTPA token.
In subsequent requests, CICS Explorer will use the LTPA token to authenticate the user.
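The exchange described above, as an added illustration rather than code from CICS, the CMCI JVM server or the LTPA implementation: a Python simulation of both sides of the sign-on. The server validates a user ID plus MFA token once, issues a signed, expiring session token in place of an LTPA token, and on later requests accepts that token alone. The user ID, the MFA code, the HMAC-signed JSON token format, the one-hour lifetime and the rule that an MFA code is accepted only once are all constructed assumptions for this example, not details taken from the page.

```python
# Added example: a simulation of the CICS Explorer / CMCI JVM server sign-on
# exchange. This is NOT CICS, Liberty or LTPA code; the token format, lifetime,
# user data and helper names are assumptions made for this illustration only.
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the ESM: one user and the MFA code it currently
# accepts. A real ESM derives the code from the user's registered factor.
VALID_MFA_CODES = {"CICSUSR1": {"482913"}}
USED_MFA_CODES = set()  # assumed: a code may be presented only once

SERVER_KEY = secrets.token_bytes(32)  # signing key known only to the server
TOKEN_LIFETIME_SECONDS = 3600         # assumed session token lifetime


def validate_credentials(user_id, mfa_code):
    """Stand-in for the ESM check: accept a valid code once, reject replays."""
    if mfa_code not in VALID_MFA_CODES.get(user_id, set()):
        return False
    if (user_id, mfa_code) in USED_MFA_CODES:
        return False
    USED_MFA_CODES.add((user_id, mfa_code))
    return True


def issue_token(user_id, now=None):
    """Build a signed, expiring session token (plays the role of the LTPA token)."""
    now = int(time.time()) if now is None else now
    claims = {"user": user_id, "exp": now + TOKEN_LIFETIME_SECONDS}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token, now=None):
    """Return the user ID if the token is intact and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None
    return claims["user"]


def sign_on(user_id, mfa_code):
    """Server side of the initial request: credentials in, session token out."""
    if not validate_credentials(user_id, mfa_code):
        return {"status": 401, "token": None}
    return {"status": 200, "token": issue_token(user_id)}


def cmci_request(token):
    """Server side of a subsequent request, authenticated by the token alone."""
    user = verify_token(token)
    if user is None:
        return {"status": 401, "user": None}
    return {"status": 200, "user": user}


def run_exchange():
    """Walk through the three messages: sign-on, follow-up request, replayed sign-on."""
    first = sign_on("CICSUSR1", "482913")      # user ID + MFA token presented
    follow_up = cmci_request(first["token"])   # only the session token presented
    replay = sign_on("CICSUSR1", "482913")     # same MFA code presented again
    return first["status"], follow_up["user"], replay["status"]


if __name__ == "__main__":
    print(run_exchange())  # (200, 'CICSUSR1', 401)
```

The replayed sign-on fails because the simulated ESM treats each MFA code as single-use; that is the general reason a server issues its own session token after a successful MFA check, so that the client never has to re-present the one-time factor on every request.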
Note: Although a JVM server is used for the transport and authentication of CMCI, most of the processing still occurs in the CICS core; therefore, do not expect increased specialty engine offload from the CMCI JVM server.
To configure CICS to support CICS Explorer sign-on with MFA, complete the following procedure.
Procedure
What to do next
You can test whether CICS Explorer users can log on successfully with an MFA token:
- Start the WUI region with an INITIAL start.
- Connect to the WUI region from CICS Explorer with a user ID and MFA token.
If you want to limit which levels of CICS Explorer can connect to the CMCI JVM server, you can define a CICS Explorer allow list to the CMCI JVM server. Follow the procedure in Defining a CICS Explorer allow list to CMCI JVM server.