Top Secret

  • 1.  CA AAM SSH or FTP Support

    Posted Mar 09, 2018 06:20 AM

    Hi,

     

    From the CA AAM and CA Top Secret documentation, we can see that CA AAM supports TSO and batch. There is no sign of FTP and SSH. Both channels use the TCP facility. Is it possible to implement them for SSH and FTP clients?

    If yes, what is the difference from TSO from an implementation point of view?

     

    Thank you,

     

    Erdem.



  • 2.  Re: CA AAM SSH or FTP Support

    Posted Mar 09, 2018 09:06 AM

    I have it working with FTP on a test LPAR. We won't implement in production unless CA adds TSS password + RADIUS passcode support.

    Currently, the RADIUS passcode completely replaces the TSS password. Setup for other facilities would be similar.

     

    Assuming you already have MFASTC set up and running...

    To get it working with FTP, we used TSS MODI MFA(RADIUS(FACILITY)). 

    The started task acid for the FTP server then needs TSS PER(stcid) IBMFAC(IRR.RFACTOR.USER) ACCESS(READ). 

    Assuming FTP is the facility name, individual user acid needs TSS PER(userid) CASECMFA(TSSMFA.RAD.FTP) ACCESS(USE).

    The user also needs this (assuming you use RADIUS_GENERIC as the factor ID):

    TSS ADD(userid) MFACTOR(RADIUS_GENERIC) MFADATA(RADIUSNAME:user-radius-ID) MFACTIVE(FACILITY)



  • 3.  Re: CA AAM SSH or FTP Support

    Broadcom Employee
    Posted Mar 09, 2018 09:07 AM

    There was some testing here, steps below. If you have any issues, please open a support case and supply:

    1. TSS LIST of ACID DATA(MFA) and DATA(ALL)

    2. MFASTC log file (the log file in MFASTC USS directory)

    3. Console dump of Top Secret

     

    FTP test

    1. Added to user the facility TCP →
    TSS ADD(acid) FACILITY(TCP)
    2. Permitted user CASECMFA resource for facility of TCP →
    TSS PERMIT(acid) CASECMFA(TSSMFA.RAD.TCP) ACCESS(USE)
    3. Enabled MFA on target LPAR (XE15) →
    TSS MODIFY MFA(RADIUS(FACILITY))

    This was the logon flow:
    1) Logged on to TSO on the sending LPAR (XE14)
    2) Entered into OMVS session from TSO 6
    3) Issued FTP command to establish connection for target LPAR (XE15)
    e.g., FTP USK215MX
    4) Entered your user ID (TSS user ID defined on LPAR XE15 – target system)
    5) Entered your MFA passcode
    6) Got successful connection