Preparation for implementation of CA Advanced Authentication Mainframe (AAM) or IBM's Multi-Factor Authentication (MFA) support

Document ID : KB000009722
Last Modified Date : 14/02/2018

CA Top Secret Technical Documentation

Topic: Preparation for implementation of CA Advanced Authentication Mainframe or IBM Multi-Factor Authentication support


Release requirement: CA Top Secret r16. Customers running CA Top Secret r15 or lower will need to upgrade to r16 across all LPARs before implementing CA Advanced Authentication Mainframe or IBM Multi-Factor Authentication. Under no circumstances should an AAM or MFA implementation project begin until all LPARs have been successfully upgraded to CA Top Secret r16.


Steps to complete before leveraging CA Advanced Authentication Mainframe (AAM) or IBM Multi-Factor Authentication (MFA):

Step 1: Implement CA Top Secret r16 including related toleration PTF RO92675 across all LPARs prior to beginning the implementation.

  • For ease of implementation, RO92675 should be ACCEPTed via SMP/E prior to moving ahead to Step 2. This will allow sites to:
    • Successfully back out RO92696 should that become necessary.
    • Prevent problems should an LPAR unexpectedly be brought into a shared environment.


ALERT: If RO92675 is not ACCEPTed, make sure it is not RESTOREd while backing off any other maintenance.


Step 2: Install PTF RO92696 to bring in support for the AAM and MFA enhancement. 

  • This enhancement implements the following product changes:
    • Internal TSS security record elements in support of AAM and MFA
    • TSS command changes to allow MFA user and Control Option administration:
      • TSS ADD/REMOVE/PERMIT/REVOKE command updates
      • TSS MODIFY MFA Control Option updates
      • TSS LIST command output to allow display of user ACID AAM and MFA data
      • TSS MODIFY STATUS command output to allow display of AAM and MFA Control Option
    • TSSCFILE record types:
      • 5203    PWFALLBACK=
      • 5204    MFACTIVE=
      • 5206    TAGS=
      • 5207    Tag data continuation

ALERT: Attempting to implement AAM or MFA in a configuration where not all recommended maintenance has been applied can result in an unstable implementation and is highly discouraged.



Step 3: Begin implementation steps for AAM and MFA
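
The three steps above amount to a gate that every LPAR must pass before AAM or MFA work starts. The following is an added example, not CA or IBM code: a small readiness check over a site-maintained inventory. The Lpar record layout and the sample LPAR names are assumptions; populate the record from your own SMP/E reports.

```python
from dataclasses import dataclass, field

TOLERATION_PTF = "RO92675"   # Step 1 toleration PTF (from the article)
SUPPORT_PTF = "RO92696"      # Step 2 AAM/MFA support PTF (from the article)
REQUIRED_RELEASE = 16        # CA Top Secret r16

@dataclass
class Lpar:
    # Hypothetical inventory record; fill it from your own SMP/E reports.
    name: str
    release: int                                  # CA Top Secret release number
    applied: set = field(default_factory=set)     # PTFs applied
    accepted: set = field(default_factory=set)    # PTFs ACCEPTed

def next_step(lpars):
    """Return (step, findings): the step the site is ready for, and why."""
    findings = []
    for lp in lpars:
        if lp.release < REQUIRED_RELEASE:
            findings.append(f"{lp.name}: at r{lp.release}, upgrade to r16")
        elif TOLERATION_PTF not in lp.applied:
            findings.append(f"{lp.name}: {TOLERATION_PTF} not applied")
    if findings:
        return 1, findings   # Step 1 is incomplete on at least one LPAR
    for lp in lpars:
        # Not a blocker, but the article's ALERT applies to these LPARs.
        if TOLERATION_PTF not in lp.accepted:
            findings.append(f"{lp.name}: {TOLERATION_PTF} not ACCEPTed; "
                            "do not RESTORE it when backing off maintenance")
    missing = [lp.name for lp in lpars if SUPPORT_PTF not in lp.applied]
    if missing:
        findings.append(f"{SUPPORT_PTF} still to install on: {', '.join(missing)}")
        return 2, findings
    return 3, findings

# Constructed sample inventory (not real systems).
SAMPLE = [
    Lpar("LPARA", 16, {"RO92675", "RO92696"}, {"RO92675"}),
    Lpar("LPARB", 16, {"RO92675"}, set()),
    Lpar("LPARC", 15),
]

if __name__ == "__main__":
    step, notes = next_step(SAMPLE)
    print(f"Ready for step {step}")
    for note in notes:
        print(" -", note)
```

A single LPAR below r16 or without RO92675 holds the whole site at Step 1, which matches the article's rule that the prerequisites apply across all LPARs.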