IBM Z Software



Status Not under consideration
Created by Guest
Created on Jul 17, 2025

Kerberos Authentication for Mainframe through TN3270 Emulator

Hi Team,

We want to implement Kerberos authentication on the mainframe through a TN3270 emulator by authenticating the mainframe user through AD credentials. As of now, we have learned from case TS019815595 that the TN3270 emulator doesn't support Kerberos authentication. We are looking for an enhancement for this.

Regards,

Sandeep Rayaprolu

Idea priority High
  • Admin
    Michael Zagorski
    Sep 29, 2025

    This request is not something we would do in the zMFA product.

  • Guest
    Jul 17, 2025

    TN3270 Kerberos authentication allows users to access mainframe systems using a TN3270 terminal emulator, leveraging Kerberos for secure authentication. This method provides single sign-on capabilities and enhanced security compared to traditional password-based methods. Kerberos relies on a trusted third-party, the Key Distribution Center (KDC), to verify user identities and issue tickets for accessing protected resources.

    How it works:

    1. Client Request: The TN3270 client (terminal emulator) initiates a connection to the mainframe and requests authentication.
    2. Kerberos Authentication: The client then interacts with the Kerberos Key Distribution Center (KDC) to obtain a Ticket-Granting Ticket (TGT).
    3. Ticket Verification: The TGT is used to request a service ticket for accessing the specific TN3270 server.
    4. Session Establishment: The mainframe, after verifying the service ticket, establishes a secure session with the client.

     

    Benefits of using Kerberos for TN3270:

    Single Sign-On (SSO): Users log in once to the Kerberos realm and can access multiple TN3270 sessions without re-entering credentials.

    Enhanced Security: Kerberos uses strong cryptography and mutual authentication, making it more secure than traditional password-based methods.

    Centralized Authentication: Kerberos provides a centralized authentication system, simplifying user management and access control.

    Support for Multi-Factor Authentication (MFA): IBM's documentation shows Kerberos can be integrated with MFA solutions for added security.

     

    TN3270 and Kerberos Configuration:

    Client-side: The TN3270 client needs to be configured to use Kerberos and interact with the KDC.

    Server-side: The TN3270 server needs to be configured to trust Kerberos authentication and verify the service tickets.

    KDC Setup: The Kerberos Key Distribution Center (KDC) needs to be set up and configured with user and service principals.

     

    Example:

    A user with a Kerberos principal logs into their workstation using their password. The workstation then uses this login to obtain a TGT from the KDC. When the user starts a TN3270 session, the client uses the TGT to request a service ticket for the TN3270 server. The server verifies the ticket and allows the user to access the mainframe.
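
The ticket flow described in the comment above, as an added illustration that is not part of the original thread and not IBM code: a toy Python model of the TGT, service-ticket and server-verification steps. The principal names, the random keys and the `seal`/`unseal` cipher are constructed stand-ins (assumptions), and the authenticator that real Kerberos sends with the TGS request is omitted.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for a Kerberos encryption type; not for real use."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("not sealed with this key, or modified in transit")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed principals (hypothetical names) and random long-term keys known to the KDC.
USER, SVC = "user@EXAMPLE.COM", "tn3270/mainframe.example.com"
KEYS = {p: os.urandom(32) for p in (USER, "krbtgt", SVC)}

def issue(ticket_key, reply_key, client, service):
    """KDC: ticket sealed for the target service, session key sealed for the requester."""
    sk = os.urandom(32).hex()
    body = {"client": client, "service": service, "sk": sk, "exp": time.time() + 300}
    return seal(ticket_key, body), seal(reply_key, {"sk": sk})

def tgs_exchange(tgt, service):
    t = unseal(KEYS["krbtgt"], tgt)  # real Kerberos also checks an authenticator here
    if t["exp"] < time.time():
        raise ValueError("TGT expired")
    return issue(KEYS[service], bytes.fromhex(t["sk"]), t["client"], service)

def client_connect(client, client_key, service):
    tgt, reply = issue(KEYS["krbtgt"], KEYS[client], client, "krbtgt")  # step 2: KDC issues TGT
    tgt_sk = bytes.fromhex(unseal(client_key, reply)["sk"])
    ticket, reply = tgs_exchange(tgt, service)  # step 3: TGT exchanged for a service ticket
    svc_sk = bytes.fromhex(unseal(tgt_sk, reply)["sk"])
    return ticket, seal(svc_sk, {"client": client, "ts": time.time()})

def server_accept(service_key, service, ticket, authenticator):
    """Step 4: the server needs only its own key, never the user's password."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    fresh = t["exp"] > time.time() and abs(time.time() - a["ts"]) <= 300
    if not (fresh and t["service"] == service and a["client"] == t["client"]):
        raise ValueError("ticket or authenticator rejected")
    return t["client"]
```

The user's long-term key is used only to open the KDC's first reply; the server authenticates the user from the ticket and authenticator alone.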