Within CA TPX, session signon using MFA fails for application without passticket.

Document ID : KB000073106
Last Modified Date : 05/04/2018
Issue:
For an application (TSO) that is not set up for pass tickets, selecting the session for this application fails after signing on to CA TPX with a multi-factor authentication (MFA) PIN and token:
IKJ56708I INVALID CURRENT PASSWORD 
IKJ56703A REENTER THIS OPERAND - 


There is also no ACL in use; the session is started with the G command.
Signon works with a simple password as it always has, but not when using a passcode (PIN and token).
Environment:
CA TPX for z/OS
Cause:
Within Profile Maintenance, the Application Session Options for this TSO session specified: Session data: &userid/&pswd

Including &pswd in Session data or in an ACL does not work for an application that is not enabled to use pass tickets when the user has signed on to TPX using multi-factor authentication.

By definition in this scenario, the MFA passcode entered to sign on to CA TPX is a one-time value and is no longer valid for a subsequent application signon, so substituting it for &pswd is rejected by the application.
Resolution:
Remove &pswd from session data for MFA users, at user or profile level.
  • NOTE: Users will then be required to enter their passcode on the TSO logon panel (password, new token, PIN, etc.).
The recommended solution is to enable pass tickets for applications. 
  • With pass ticket enabled for an application, existing SessionData (user level) or Session data (profile level) that uses &userid/&pswd will then be valid for all users, multi-factor and non-multi-factor. 
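The following is an added audit helper, not part of this knowledge document or of CA TPX itself. It applies the rule above to a list of session definitions: an entry is flagged when its Session data substitutes &pswd and the target application is not pass-ticket enabled, because MFA users will fail at that application's signon. The record layout (level, name, app, session_data, passticket) and the sample entries are constructed assumptions for this example; TPX does not export definitions in this form, and case-insensitive matching of the &variable names is also an assumption.

```python
import re

# Matches TPX-style substitution variables such as &userid and &pswd.
VAR_RE = re.compile(r"&(\w+)")

# Constructed sample "export" of Application Session Options.
# The field names and the passticket flag are assumptions for this example.
SAMPLE_ENTRIES = [
    {"level": "profile", "name": "TSOPROF",  "app": "TSO",  "session_data": "&userid/&pswd", "passticket": False},
    {"level": "user",    "name": "USER01",   "app": "TSO",  "session_data": "&userid",       "passticket": False},
    {"level": "profile", "name": "CICSPROF", "app": "CICS", "session_data": "&userid/&pswd", "passticket": True},
    {"level": "user",    "name": "USER02",   "app": "IMS",  "session_data": "&USERID/&PSWD", "passticket": False},
]


def variables(session_data):
    """Return the set of substitution variable names used in a Session data string (lower-cased)."""
    return {name.lower() for name in VAR_RE.findall(session_data)}


def mfa_signon_risk(entry):
    """Return None if MFA users can sign on through this session, otherwise a reason string."""
    if "pswd" not in variables(entry["session_data"]):
        return None  # nothing is replayed, the application prompts for credentials itself
    if entry["passticket"]:
        return None  # with pass tickets, &pswd is valid for MFA and non-MFA users alike
    return "&pswd is replayed to an application without pass tickets; the MFA passcode is already consumed"


def audit(entries):
    """List (level, name, app, reason) for every entry that would break MFA signon."""
    findings = []
    for entry in entries:
        reason = mfa_signon_risk(entry)
        if reason:
            findings.append((entry["level"], entry["name"], entry["app"], reason))
    return findings


if __name__ == "__main__":
    for level, name, app, reason in audit(SAMPLE_ENTRIES):
        print(f"{level}:{name} -> {app}: {reason}")
```

For each flagged entry the two fixes from the Resolution apply: either enable pass tickets for the application (the recommended fix, which makes the existing &userid/&pswd valid again) or remove &pswd from that entry's Session data so MFA users are prompted by the application.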
Additional Information:
  • It is advisable to implement pass tickets successfully prior to enabling multi-factor authentication (CA AAM or IBM-MFA).
  • Note that SAMT must match the SMRT Security System.
  • For TSO, verify that PASSPHRASE(ON) is set in the LOGON section of IKJTSOxx.