This RFE is also satisfied by CICS Transaction Server for z/OS V5.5 which is GA today 14th December 2018.
This RFE is also satisfied by CICS Transaction Server for z/OS V5.5 which is announced today 2nd October 2018 and which has a planned availability date of 14th December 2018.
For more information see the CICS TS V5.5 announcement letter https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/2/897/ENUS218-352/index.html&request_locale=en
Support in Explorer to exploit PI87691 is provided in CICS Explorer 5.4.0.4 or later.
CICS TS 5.4 APAR PI87691 provides MFA support for CMCI and Explorer. Further enhancements to this will be provided by PI92676.
This is something we would like to address. The RFE is being moved into 'Planned for Future release' status. Please note:
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
I have my Explorer screen set up with 3 views open at a time, this solution would require me to input my RSA token 3 or 4 times just to get the screen to load after the initial connection. Which means that it would take 3 – 4 minutes as a new token is only available every minute. This time would also not include the additional queries that will be done to populate a large query as the Explorer doesn't load all the data at once. I don't think it is an ideal solution. I would most likely get so frustrated having to wait for 1 minute intervals for new tokens that I would abandon using the Explorer and move on to using something like Mainview or logging directly onto the regions themselves to do what I need to do.
reentering PIN etc. Ugh. No. You need to get up to speed with appropriate authentication techniques/methods (sorry for being blunt, but I need for you to "get" this message):
a) 1 of 4: Extend the credential field from 8 to 100
b) 2 of 4: Adjust initial user authentication: if 8 or less perform password authentication, if 9 or more perform phrase authentication OR if using CICS API, just use EC VERIFY PHRASE
c) 3 of 4: Do NOT store/save the user credential. Period. Never, No No. Do not pass Go. Read my lips.
d) 4 of 4: Any subsequent backend authentications should use a PassTicket and NOT replay the initial credential (which you no longer save/store). Credentials for 2FA are one time use only, and it is more than a good practice not to store/save passwords in any way, (as CICS already does not do). The security manager is the only system that should be storing such things.
a. So yes, additional setup will be required in order to generate tickets.
e) Suggest if this seems challenging/complex, you engage IBM RACF support in Poughkeepsie (Ross Cooper would be a good start)
Regards, Simon
Thanks for this! One question that we've been considering: Currently you enter the password and RSA PIN concatenated in one long string. I don't think we have the technical capability to do anything better yet, but we were wondering whether it would be better, if Explorer knows that you're using MFA somehow, to split the input so that you have the option of saving your password and only re-entering the RSA PIN each time (then we would do the concatenation before submitting).
Your thoughts, please? Helpful, unhelpful, unexpected, undesirable...?
We NEED an authentication solution that does not replay credentials. We want to authenticate our CICS sysprogs using a 2FA solution, and need CICS Explorer to authenticate with user provided credentials just once. If subsequent authentication is needed, use PassTickets.
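The flow asked for in this request and in the four steps of Simon's comment (sign on once with the one-time MFA credential, keep no copy of it, use a ticket for every later backend sign-on), as an added Python sketch that is not code from CICS, CICS Explorer or RACF. `SecurityManager`, `Session`, the 600-second window and the HMAC-based ticket are assumptions standing in for the real security manager and for PassTickets, whose actual algorithm is not reproduced here.

```python
import hashlib
import hmac
import secrets

MAX_PASSWORD_LEN = 8   # from the thread: 8 or fewer is a password, 9 or more a phrase
TICKET_WINDOW = 600    # assumed ticket lifetime in seconds (not a RACF value)

class SecurityManager:  # hypothetical stand-in for the security manager, not a RACF API
    def __init__(self, key, one_time_credentials):
        self._key = key
        self._unused = set(one_time_credentials)  # constructed (user, credential) pairs
        self._spent = set()                       # tickets already presented

    def verify_credential(self, user, credential):
        if (user, credential) not in self._unused:
            return None
        self._unused.discard((user, credential))  # MFA credential is single use
        return "password" if len(credential) <= MAX_PASSWORD_LEN else "phrase"

    def _mac(self, user, appl, nonce, now):
        msg = f"{user}|{appl}|{nonce}|{now // TICKET_WINDOW}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()
    def issue_ticket(self, user, appl, now):
        nonce = secrets.token_hex(8)              # makes each ticket unique
        return f"{nonce}.{self._mac(user, appl, nonce, now)}"

    def redeem_ticket(self, user, appl, ticket, now):
        nonce, _, mac = ticket.partition(".")
        ok = ticket not in self._spent and hmac.compare_digest(
            mac, self._mac(user, appl, nonce, now))
        self._spent.add(ticket)                   # a ticket can be presented only once
        return ok

class Session:  # front end: one sign-on, then a new ticket per backend connection
    def __init__(self, sm, user, credential):
        self.kind = sm.verify_credential(user, credential)
        if self.kind is None:
            raise PermissionError("initial authentication failed")
        self._sm, self.user = sm, user            # the credential is not retained

    def connect_backend(self, appl, now):
        ticket = self._sm.issue_ticket(self.user, appl, now)
        return self._sm.redeem_ticket(self.user, appl, ticket, now)

def demo():
    cred = "pw1234" + "492817"                    # constructed password + token code
    sm = SecurityManager(b"constructed-demo-key", {("SYSPROG1", cred)})
    s = Session(sm, "SYSPROG1", cred)
    views = [s.connect_backend(a, now=1000) for a in ("REGIONA", "REGIONB", "REGIONC")]
    return s.kind, views, sm.verify_credential("SYSPROG1", cred)
```

Three views connect from a single sign-on, while presenting the original credential a second time is rejected, which is the failure a client that stores and replays the credential would hit.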