From the CA AAM and CA Top Secret documentation, we can see that CA AAM supports TSO and batch. There is no sign of FTP and SSH. Both channels are using the TCP facility. Is it possible to implement them for SSH and FTP clients?
If yes, what is the difference from TSO from an implementation point of view?
I have it working with FTP on a test LPAR. We won't implement in production unless CA adds TSS password + RADIUS passcode support.
Currently, the RADIUS passcode completely replaces the TSS password. Setup for other facilities would be similar.
Assuming you already have MFASTC set up and running...
To get it working with FTP, we used TSS MODI MFA(RADIUS(FACILITY)).
The started task acid for the FTP server then needs TSS PER(stcid) IBMFAC(IRR.RFACTOR.USER) ACCESS(READ).
Assuming FTP is the facility name, individual user acid needs TSS PER(userid) CASECMFA(TSSMFA.RAD.FTP) ACCESS(USE).
User also needs this (assuming you use RADIUS_GENERIC as factor ID):
TSS ADD(userid) MFACTOR(RADIUS_GENERIC) MFADATA(RADIUSNAME:user-radius-ID) MFACTIVE(FACILITY)
There was some testing here, steps below. If you have any issues please open a support case and supply:
1. TSS LIST of ACID DATA(MFA) and DATA(ALL)
2. MFASTC log file (the log file in MFASTC USS directory)
3. Console dump of Top Secret

1. Added to user the facility TCP → TSS ADD(acid) FACILITY(TCP)
2. Permitted user CASECMFA resource for facility of TCP → TSS PERMIT(acid) CASECMFA(TSSMFA.RAD.TCP) ACCESS(USE)
3. Enabled MFA on target LPAR (XE15) → TSS MODIFY MFA(RADIUS(FACILITY))

This was the logon flow:
1) Log onto TSO on the sending LPAR (XE14)
2) Entered into OMVS session from TSO 6
3) Issued FTP command to establish connection for target LPAR (XE15) e.g., FTP USK215MX
4) Entered your user ID (TSS user ID defined on LPAR XE15 – target system)
5) Entered your MFA passcode
6) Got successful connection