There are numerous columns related to TOTP in the user profile which appear
both in DSPUSRPRF to an outfile and by the SQL views. I do not see the
TOTP key as one of these. I'm assuming that it's some internal field, like
the password is. I have numerous LPARs. These are not simply H/A lpars.
So neither a software based replication product nor any derivation of Power
H/A apply. For example, I have
Dev
DevHA (software based replication)
ERP
ERPHA (software based replication)
Test
Dominolpar for testing
DominoProdCluster1
DominoProdCluster2
DominoProdCluster3
DominoWebCluster1
DominoWebCluster2
Archivelpar
SafeGuardedCopy
Hostlpar (will be replaced with a SAN when that P9 is upgraded)

Using IBM Security Verify Governance - Identity Manager I can change my
password on Windows and it propagates it to all those (and elsewhere).
When we create a new user we tell it which particular lpars to create it on
and the work is done. The only additional work is adding them to the right
authorization list and setting their menu options on the ERP lpar (not
*MENU objects).
I'm taking it that the TOTP setup will be a manual process each individual
user will have to do?
I guess I need to get my head around that the TOTP key is not like a
password and doesn't change all the time.
I'm assuming that the TOTP key will be handled by the software based
replication on the 2 applicable lpars (well, when they say they are ready
for 7.6).

On Thu, Apr 10, 2025 at 2:36 AM Tim Rowe <timmr@xxxxxxxxxx> wrote:

Greetings, First… MFA is not free, it's included 😊 Built into the
operating system and the user profile objects.

Question - Can the TOTP be the same for the ‘same’ profile across each
system? Yes. The first step of course is the owner of that profile
needs to set their Key in their User profile and their client authenticator
app. Since, just like the password, the TOTP key is part of the user profile
object, the code to update the profiles will update the password and TOTP
key on the same profile on the target system. Within the Navigator, there
is a feature to ‘copy’ a created user profile to a target system. You can
select one or more user profiles, and send those profiles to any number of
end point target systems. The TOTP key is included with this copy.



Thanks Tim

Tim Rowe - timmr@xxxxxxxxxx
STSM – Application Development & Systems Management
IBM i ISV Council
IBM i Development Lab, Rochester MN
507-250-1293

ACS - http://ibm.biz/IBMi_ACS
Navigator - http://ibm.biz/IBMi_Nav4i



We sync the passwords on all lpars of IBM i (and Windows, etc) with IBM
Security Verify Governance - Identity Manager. Can the TOTP match on all
LPARs also?

Dunno, it's a product question that should be asked to IBM.
I use PowerHA to sync the profile attributes between the cluster
machines, same question.
But we are at the first releases of such a system, let's see how it will
evolve in terms of API and tooling...

But I can see that somebody might not like to pass around between machines
what's basically a shared secret password from a design standpoint, that,
compared to the standard hashed user password, is reversible
cryptography, so the trust exchange between the machines should be well
designed in that case and very strict security-wise (if that would be the
case...)

