Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) allows increased diligence in verifying the identity of users who seek access to CA Endevor. Mainframe authentication capabilities are designed to prevent data breaches and address compliance requirements. Access is only granted after successfully presenting two or more pieces of evidence, or factors. Typically, this evidence consists of something that you know, something that you have, something that you are, or something that is related to your location.
This section shows examples of the steps that are required to use CA Endevor in an environment where MFA is set up for the following security products:
  • RACF®
  • CA Top Secret
  • CA ACF2
Configure MFA for CA Endevor ISPF and Batch Interfaces
If you exclusively use ISPF (classic or quick-edit) or batch interfaces, no special steps are required. CA Endevor relies on TSO, JES, or both to handle authentication.
CA Endevor Web Services, Eclipse UI, and EINE
To use CA Endevor Web Services, or any interface that is built on top of CA Endevor Web Services, extra configuration is needed. This requirement is due to the stateless nature of Web Services. Examples of interfaces that are built on top of Web Services include:
  • CA Endevor Client for CA Eclipse
  • CA Brightside Plug-in for CA Endevor
  • CA Endevor to Git integrations
For CA Endevor Interface for Natural Environment (EINE), you must change the C1DEFLTS table, because its client/server architecture is similar to that of Web Services.
Follow these steps:
  1. Enter the following value in the C1DEFLTS table TYPE=MAIN section to enable MFA support:
    MFAAPPL=ENDEVOR
    MFA support allows the Tomcat server to ask the security product for a PassTicket that is generated for CA Endevor. The PassTicket is then used to construct a JWT token. After the initial authentication, the JWT token is used to prove your identity to CA Endevor.
    In the case of CA Endevor Interface for Natural Environment, the EINE server is permitted to ask the security product for a PassTicket that is generated for CA Endevor. No JWT token is constructed, because the PassTicket itself is used to prove your identity to CA Endevor.
    Values other than ENDEVOR, blanks, or omission of the MFAAPPL parameter all mean that MFA support is turned off.
  2. Define a resource named ENDEVOR in the APPL class in your security product, and grant access to all users who should be able to access CA Endevor through:
    • CA Endevor Client for CA Eclipse
    • CA Brightside Plug-in for CA Endevor
    • CA Endevor to Git integrations
    • CA Endevor Integration for the Natural Environment
    Note the following:
    • Once the resource is defined, access to it is required even for users who do not use MFA credentials when accessing CA Endevor through these interfaces.
    • In CA ACF2, all APPL resources are protected by default, even if they are not explicitly defined.
    • All security rules that govern user access to resources managed by CA Endevor still apply. Access to the APPL resource merely allows a user to use the listed interfaces.
  3. Define a PassTicket for ENDEVOR with replay protection turned off by following the product-specific instructions later in this article.
    You have successfully configured MFA for the following interfaces:
    • CA Endevor Interface for Natural Environment (EINE)
    • CA Endevor Client for CA Eclipse
    • CA Brightside Plug-in for CA Endevor
    • CA Endevor to Git integrations
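The following is an added Python example (not part of this documentation or of CA Endevor) that reads a C1DEFLTS assembler source member and applies the rule from step 1: only MFAAPPL=ENDEVOR in the TYPE=MAIN section turns MFA support on, while a blank value, any other value, or omitting the parameter leaves it off. It assumes standard HLASM macro layout (a non-blank in column 72 continues the statement, continued text starts in column 16, an asterisk in column 1 is a comment); the sample table is constructed and OTHERPARM is a hypothetical parameter name.

```python
import re

def build_c1deflts(mfaappl=None):
    """Constructed sample table (mfaappl=None omits the parameter); OTHERPARM is hypothetical."""
    lines = ["*  Constructed C1DEFLTS source for illustration only",
             "         C1DEFLTS TYPE=MAIN,".ljust(71) + "X"]
    if mfaappl is not None:
        lines.append(("               MFAAPPL=" + mfaappl + ",").ljust(71) + "X")
    lines += ["               OTHERPARM=VALUE", "         C1DEFLTS TYPE=END", "         END"]
    return "\n".join(lines)

def logical_statements(source):
    """Join HLASM continuation lines into logical statements, dropping comment lines.
    Assumed layout: a non-blank in column 72 continues the statement, continued text
    starts in column 16, and an asterisk in column 1 marks a comment line."""
    statements, current = [], None
    for raw in source.splitlines():
        line = raw.ljust(72)
        if line.startswith("*"):
            continue
        body, continued = line[:71], line[71] != " "
        current = body.rstrip() if current is None else current + body[15:].strip()
        if not continued:
            statements.append(current)
            current = None
    return statements

def c1deflts_params(source, table_type="MAIN"):
    """Return the KEY=VALUE operands of the C1DEFLTS TYPE=<table_type> statement, or None."""
    for stmt in logical_statements(source):
        fields = stmt.split()                     # [label] opcode operands [comment]
        if "C1DEFLTS" not in fields[:2]:
            continue
        operands = "".join(fields[fields.index("C1DEFLTS") + 1:][:1])
        # split on commas outside parentheses, so KEY=(A,B) stays together
        pairs = (op.partition("=") for op in re.split(r",(?![^(]*\))", operands) if op)
        params = {k.strip().upper(): v.strip() for k, _, v in pairs}
        if params.get("TYPE", "").upper() == table_type:
            return params
    return None

def mfa_enabled(source):
    """Documented rule: only MFAAPPL=ENDEVOR turns MFA support on; a blank value,
    any other value, or omitting the parameter all mean it is off."""
    params = c1deflts_params(source, "MAIN")
    return params is not None and params.get("MFAAPPL", "").strip() == "ENDEVOR"

if __name__ == "__main__":
    print(mfa_enabled(build_c1deflts("ENDEVOR")))  # True
```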
Configure MFA using RACF, CA Top Secret, and CA ACF2
The following procedures show examples of how to set up MFA in RACF, CA Top Secret, and CA ACF2. Consult your security administrator before proceeding, as they may need to modify these processes to fit your particular environment and standards.
Configure MFA for RACF
Use the PTKTDATA resource class to define profiles that contain the encryption key that is used for generating and validating PassTickets.
Follow these steps:
  1. Define resource ENDEVOR in class APPL and give access to group NDVRGRP:
    RDEFINE APPL ENDEVOR UACC(NONE)
    PERMIT ENDEVOR CL(APPL) ACCESS(READ) ID(NDVRGRP)
    SETROPTS RACLIST(APPL) REFRESH
    A profile is added for each APPLID that receives signons with PassTickets.
  2. Confirm that the PTKTDATA class is active. If it is not, use the following commands to activate it:
    SETROPTS CLASSACT(PTKTDATA)
    SETROPTS RACLIST(PTKTDATA)
    SETROPTS GENERIC(PTKTDATA)
  3. Define a PassTicket to be used by CA Endevor, with replay protection off:
    RDEFINE PTKTDATA ENDEVOR SSIGNON(KEYMASKED(yourkey)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)
    SETROPTS RACLIST(PTKTDATA) REFRESH
    Replay protection must be turned off if you want to use MFA. Turning off replay protection affects only CA Endevor and has no impact on the security of any other applications on your system.
  4. Grant the CA Endevor STCs (the user defined in the .cfg file in Tomcat, or the Tomcat server user ID) the authority to create PassTickets:
    RDEF PTKTDATA IRRPTAUTH.ENDEVOR.* UACC(NONE)
    PERMIT IRRPTAUTH.ENDEVOR.* CL(PTKTDATA) ID(ServerUserGroup) ACCESS(UPDATE)
    SETROPTS RACLIST(PTKTDATA) REFRESH
    For more information about setting up PassTickets for RACF, see the RACF Security Administrator's Guide.
Configure MFA for CA Top Secret
  1. Ensure that the following NDT rules are implemented to define a PassTicket with replay protection set to "off" for APPL=ENDEVOR owned by TSS:
    TSS ADDTO(NDT) PSTKAPPL(ENDEVOR) SESSKEY(................) SIGNMULTI
    TSS ADD(dept) PTKTDATA(IRRPTAUT)
    Turning off replay protection for PassTickets allows CA Endevor to avoid excessive PassTicket generation. Turning off replay protection has no impact on the security of any other applications on your system.
  2. Grant users access to the newly created resource:
    TSS PER(tsscomp1) PTKTDATA(IRRPTAUTH.ENDEVOR.userid) ACCESS(READ,UPDATE)
    The resource can be permitted as in one of the following examples, where applname is the application name that is defined in the NDT and userid is the user ID:
    • PTKTDATA(IRRPTAUTH.)
    • PTKTDATA(IRRPTAUTH.ENDEVOR.)
    • PTKTDATA(IRRPTAUTH.ENDEVOR.userid)
  3. (Optional) TSS control option:
    The PTKRESCK control option causes TSS to issue security checks to ensure that the caller is authorized to the PassTicket generation service:
    F TSS,PTKRESCK(YES)
    TSS PER(serverUserId) PTKTDATA(PTKTGEN.ENDEVOR) ACCESS(UPDATE)
Configure MFA for CA ACF2
Follow these steps:
  1. ACF2 automatically protects all APPL resources. Grant access to the CA Endevor resource of type APL to CA Endevor users as follows:
    SET RESOURCE(APL)
    RECKEY ENDEVOR ADD(UID(****************USER1) ALLOW)
    F ACF2,REBUILD(APL)
  2. Define a PassTicket with replay protection off for CA Endevor:
    SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
    INSERT ENDEVOR SSKEY(1ADEF39872EA423C) MULT-USE
    F ACF2,REBUILD(PTK),CLASS(P)
    Turning off replay protection for PassTickets allows CA Endevor to avoid excessive PassTicket generation. Turning off replay protection has no impact on the security of any other applications on your system.
  3. Grant the CA Endevor STCs (the user defined in the .cfg file in Tomcat, or the Tomcat server user ID) the authority to create PassTickets:
    SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
    INSERT ENDEVOR SSKEY(1ADEF39872EA423C) MULT-USE
    F ACF2,REBUILD(PTK),CLASS(P)