Configuring for CICS Explorer sign-on with Multi-Factor Authentication

To support CICS Explorer® sign-on with multi-factor authentication (MFA), you must configure the WUI region to use the CMCI JVM server.

Before you begin

  • You must have IBM® Multi-Factor Authentication for z/OS® or an equivalent product configured with RACF to support multi-factor authentication. If you use an alternative external security manager (ESM), see your vendor for details.
  • MFA is supported by CICS Explorer Version 5.4.0.4 or later. Ensure that users install the supported CICS Explorer version before they use MFA to log in.
  • MFA is supported by CICS TS V5.4 with APAR PI87691 or later. Ensure that your WUI region and CMAS are running at the same CICS level, which must be CICS TS V5.4 with APAR PI87691 or later. For information about CICS level considerations for setting up your CICSPlex® SM topology, see Designing your CICSPlex SM environment.
  • Your WUI region must have been configured to enable the use of CMCI with CICSPlex SM. For more information, see Optional parameters for the WUI.
Restriction: SMSS regions do not support the CMCI JVM server, and therefore do not support MFA login from CICS Explorer.

About this task

The CMCI JVM server runs in the WUI region and handles CMCI requests.

Figure 1 illustrates the workflow of CICS Explorer sign-on authentication with an MFA token.

Figure 1. CICS Explorer sign-on authentication workflow
This figure shows the authentication process to verify a user who performs an MFA log-in from CICS Explorer. The process is explained in the following paragraphs.
  1. When a user logs on from CICS Explorer, CICS Explorer passes the user credentials to the CMCI JVM server. The user credentials can be a user ID and password, a passticket, an MFA token or a certificate.
  2. The CMCI JVM server validates the user credentials and generates an LTPA token.
  3. The CMCI JVM server replies to CICS Explorer with the response and the LTPA token.

In subsequent requests, CICS Explorer uses the LTPA token to authenticate the user instead of resending the original credentials.

Note: Although a JVM server is used for the transport and authentication of CMCI, most of the processing still occurs in the CICS core; therefore, do not expect increased specialty engine offload from the CMCI JVM server.

To configure CICS to support CICS Explorer sign-on with MFA, complete the following procedure.

Procedure

  1. Configure the CMCI JVM server.
  2. Enable CICS Explorer users to authenticate through the CMCI JVM server.
    You must give CICS Explorer users access to authenticate with the CMCI JVM server, including the authority to use CMCI.
    1. Take a copy of the CLIST EYU$CMCI in SEYUSAMP.
    2. Update the copy with your WUI region userid, applid and a list of groups or userids of CICS Explorer users.
    3. Run the CLIST.
  3. For the WUI region, set the feature toggle to use the CMCI JVM server in place of the existing CMCI.
    To do so, add the following line to the feature toggle file of the WUI region:
    com.ibm.cics.cmci.jvmserver=true

    For detailed instructions, see Specifying feature toggles.

What to do next

You can test whether CICS Explorer users can log on successfully with an MFA token:
  1. Start the WUI region with an INITIAL start.
  2. Connect to the WUI region from CICS Explorer with a userid and MFA token.

If you want to limit which levels of CICS Explorer can connect to the CMCI JVM server, you can define a CICS Explorer allow list to the CMCI JVM server. Follow the procedure in Defining a CICS Explorer allow list to CMCI JVM server.