For an application (TSO) that is not set up for pass tickets, selecting the session for this application fails after signing on to CA TPX with a multi-factor authentication (MFA) PIN and token:
IKJ56708I INVALID CURRENT PASSWORD
IKJ56703A REENTER THIS OPERAND -
No ACL is in use; the session is started with the G command.
Signon works with a simple password as it always has, but not when using a passcode (PIN and token).
CA TPX for z/OS
Within Profile Maintenance, the Application Session Options for this TSO session had specified: Session data: &userid/&pswd
Including &pswd within Session data or an ACL will not work for an application that is not enabled to use pass tickets when the user has signed on to TPX using multi-factor authentication.
By definition in this scenario, the MFA passcode entered to sign on to CA TPX is no longer valid for a subsequent application signon.
Remove &pswd from session data for MFA users, at user or profile level.
The recommended solution is to enable pass tickets for applications.
- NOTE: Users will be required to enter a passcode on the TSO logon panel - password, new token, PIN, etc.
- With pass ticket enabled for an application, existing SessionData (user level) or Session data (profile level) that uses &userid/&pswd will then be valid for all users, multi-factor and non-multi-factor.
- It is advisable to implement pass tickets successfully prior to enabling multi-factor authentication (CA AAM or IBM-MFA).
- Note that SAMT must match the SMRT Security System.
- For TSO, verify that PASSPHRASE(ON) is set in the LOGON section of IKJTSOxx.