Multi-Factor Authentication (single use token) prevents transfer from SYSVIEW options for DB2

Document ID : KB000115339
Last Modified Date : 12/10/2018
Issue:
In a production environment using multi-factor authentication with single-use tokens, after you log on to SYSVIEW via the VTAM or TSO interface and then select a function from the DB2 screen, you get the following error message.
"DB20006E+Agent BTSTDB1S1111R20 request START failed - XNet reason 00000121 User ID verify error"
I believe this is because SYSVIEW is saving the password that was used to log on to SYSVIEW, so that it can use it to log on to SYSVIEW for DB2.
That will not work because it is a single use token.
The second concern is how the password value is protected within SYSVIEW. If this value is a password, it would be a security concern if it could be retrieved from storage in SYSVIEW.
Resolution:
SYSVIEW does not store passwords, or in this case single use tokens.
For the DB2 connectivity, we call an authorized service to generate a single-use passticket that is used to log on to the DB2 XNET agent.
The service generates the passticket using only the user's logon ID and the application name (APPL) being logged on to.
The single use token is not used as input to generating a passticket.
The passticket is apparently being generated successfully, otherwise the user would have seen a 'DB20043E Passticket generation failed.' message in SYSVIEW.
I don't know much about MFA, but I did find some information at: 
http://www.redbooks.ibm.com/redpapers/pdfs/redp5386.pdf 
Section 6.4 describes configuring IBM MFA to allow the use of a PassTicket only after a successful IBM MFA logon, or to use only the PassTicket and not an IBM MFA logon.
However, it is not the IBM MFA; it is a product from Vanguard Integrity Professionals called EzToken, and it does not support passtickets.

The customer reviewed the documentation a few times; the product does not support passtickets.
Passwords or tokens are not stored.