Configuring IBM MFA cache token sharing

If you have a coupling facility (CF) configured, you can optionally share the IBM MFA cache using the CF and cross system coupling facility (XCF) Note Pad Services. This section describes the configuration options.

Choosing a caching mode

IBM MFA provides three caching options for sharing IBM MFA CTC tokens in the sysplex:
Caching mode N
The cache is not shared between systems. This is the default.
Caching mode C
The token cache is shared using the coupling facility. This provides the maximum sharing level:
  • Cached tokens persist across failures of an instance of IBM MFA or a sharing system.
  • Validation of a token does not require interaction with other sharing systems.
  • All systems get the same result when validating a cached token.
  • Performance is not affected by the number of cached tokens, the number of sharing systems, or the responsiveness of sharing systems.
  • The token name space (assuming mixed case passwords are enabled) is 62**8.
Caching mode X
The token cache is shared using cross system coupling facility (XCF) server messaging. This meets basic sharing requirements.
  • Cached tokens persist until an instance of IBM MFA or a sharing system fails.
  • Validation of a token generated on a remote IBM MFA instance requires an exchange of messages with the remote IBM MFA instance the first time the token is used. A valid remote token is then cached locally on the validating IBM MFA instance.
  • All systems might not get the same result when validating a cached token after a remote instance of IBM MFA has failed or if a messaging timeout occurs.
  • Performance might be affected by the number of cached tokens, the number of sharing systems, and the responsiveness of the sharing systems.
  • The token name space (assuming mixed case passwords are enabled) is 62**7.
Deciding between caching modes X and C

Consider the following typical use cases when deciding which caching mode to employ:

  • In a basic sysplex, caching mode X might meet your needs.
  • In a minimal parallel sysplex, you may choose either caching mode, but you will probably find that X meets your needs and is easier to implement.
  • In a true parallel sysplex, you may choose either caching mode, but you will probably find that the benefits of C are substantial.

XCF note pad

An XCF note pad is shared storage that can be accessed by programs throughout the sysplex. See z/OS MVS Setting Up a Sysplex for complete information on XCF Note Pad Services.

Determining if Note Pad Services are in use

You can use the following command to determine if Note Pad Services are currently in use:
D XCF,NOTEPAD

Note pad structure sizes

See z/OS MVS Setting Up a Sysplex for complete information on XCF Note Pad Services. In particular, see the section "Determining the sizes of the XCF note pad structures".

Note pad structure names

As described in z/OS MVS Programming: Sysplex Services Guide, the structure names for coupling facility structures to be used for XCF note pads can be of the following forms:
  • IXCNP_SYSXCFxx
  • IXCNP_ownerxx
where xx is the EBCDIC representation of a hexadecimal number in the range X'00' to X'FF', and owner is derived from the note pad name. To explicitly control the MFA CTC cache location preference or attributes, you can define an owner-specific note pad structure for MFA using the name IXCNP_AZFxx, where xx is any two characters, such as 00.

Duplexed cache

A duplexed structure will generally provide greater availability, because the second copy makes it more resilient to failure than a simplex structure, which has only one copy. However, a simplex structure will generally provide faster note request response times than a duplexed structure. Duplexing preferences are described in z/OS MVS Programming: Sysplex Services Guide.

If you want the MFA CTC cache to be duplexed you must either:
  • Define all of the XCF default note pad structures, named IXCNP_SYSXCFxx, as duplexed.
  • Or, define all owner-specific note pad structures for MFA (IXCNP_AZFxx) as duplexed.
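As an added example (not part of the IBM MFA documentation or product), the following IXCMIAPU job defines the owner-specific note pad structure for MFA described under "Note pad structure names" and makes it duplexed as described under "Duplexed cache". The job card, the policy name CFRMPOL1, the coupling facility names CF01 and CF02, and the SIZE and INITSIZE values are assumptions; the structure name IXCNP_AZF00 follows the IXCNP_AZFxx form given above.

```jcl
//CFRMPOL  JOB (ACCT),'MFA NOTEPAD CFRM',CLASS=A,MSGCLASS=X
//* Added example: define an owner-specific XCF note pad structure
//* for IBM MFA (IXCNP_AZF00) as a duplexed CFRM structure.
//* Placeholders: policy name CFRMPOL1, CF names CF01/CF02, and the
//* SIZE/INITSIZE values. Size the structure using the section
//* "Determining the sizes of the XCF note pad structures" in
//* z/OS MVS Setting Up a Sysplex before using this in production.
//* DUPLEX(ENABLED) requires at least two CFs in PREFLIST so that a
//* second copy of the structure can be maintained.
//STEP1    EXEC PGM=IXCMIAPU
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DATA TYPE(CFRM) REPORT(YES)
  DEFINE POLICY NAME(CFRMPOL1) REPLACE(YES)
    STRUCTURE NAME(IXCNP_AZF00)
              SIZE(32768)
              INITSIZE(16384)
              PREFLIST(CF01,CF02)
              DUPLEX(ENABLED)
/*
```

After the job completes, the policy is activated with SETXCF START,POLICY,TYPE=CFRM,POLNAME=CFRMPOL1; with caching mode C selected, IBM MFA then uses the IXCNP_AZF00 structure for the shared CTC token cache instead of the default IXCNP_SYSXCFxx structures.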