You must configure the IBM® MFA for IBM Security Verify Access settings.
- If you have not already installed the IBM Security AppX Installer, navigate to https://exchange.xforce.ibmcloud.com/hub/extension/ad8f86525d3a9c1186c1bce524edc9c3 in a browser and download and install it. Log in with an IBM ID if you have not already done so.
The IBM Security AppX Installer enables configuration of your IBM Security Verify Access appliance for use with partner applications published on the IBM Security App Exchange.
- Navigate to IBM Security Verify Access Extension for Multi-factor Authentication API in a browser. Log in with an IBM ID if you have not already done so. Follow the provided links on the page to download the software and review the documentation. Pay close attention to the documented OAuth configuration parameters for running the installer script. These parameters begin with the prefix --oauth (for example, --oauthproxy) and they define the back channel interface that is used by IBM MFA to perform OTP authentication.
- Ensure that backchannelcomplete.json complies with the following syntax:
{"username":"@USERNAME@","status":"success"}
The following syntax is also valid. (The example is wrapped for format requirements.)
{"username":"@USERNAME@","authenticationMechanismTypes":"@AUTHNMECHTYPES@",
"status":"success"}
- On the IBM MFA server, you must have already configured PKCS#11 tokens. You must have already configured an AT-TLS profile, as described in Configure an AT-TLS profile. This procedure builds upon that existing profile by defining an AT-TLS outbound rule in Step 7.
About this task
Configuration data for IBM Security Verify Access is stored in the RACF® database. The IBM Security Verify Access configuration data includes settings related to the AZFISAM1 authentication load module.
- Log in to the IBM Security Verify Access local management interface (LMI).
- Navigate to .
- Configure the authentication context in the browser.html file:
<td>
  <select name="authnctx">
    <option value="server-authnctx">Arbitrary text that describes your server</option>
  </select>
</td>
where server-authnctx must match that of the Authentication Context on the IBM MFA server.
- A pending change message is displayed at the top of the main pane. Click Click here to review the changes or apply them to the system.
- In the Deploy Pending Changes page:
  - To view the details of changes that are made to a particular module, click the link to that module.
  - To deploy the changes, click Deploy.
  - To abandon the changes, click Roll Back.
  - To close the pop-up page without any actions against the changes, click Cancel.
- Add the root CA public certificate of the IBM Security Verify Access server as a CERTAUTH in the z/OS keyring you created in Configure an AT-TLS profile.
- Configure an AT-TLS outbound rule. The rule must allow the IBM MFA services AZF#IN00 started task to negotiate the client side of a server-authentication TLS connection with the IBM Security Verify Access server. The HandshakeRole is Client. If the connection port for the IBM Security Verify Access server is not otherwise used by the IBM MFA services AZF#IN00 started task, you can scope the outbound rule to the port number.
Note: The code fragment is for example purposes only and is not complete. See SYS1.SAZFSAMP(AZFTTLSX) for sample AT-TLS rule definitions for IBM MFA.
TTLSRule AZFClientRule
{
  Jobname AZF*
  LocalAddr ALL
  RemoteAddr ALL
  RemotePortRange ?outboundPort?
  Direction Outbound
  Priority 255
  TTLSEnvironmentActionRef eActAZFClient
  TTLSGroupActionRef AZFGroupAction1
  TTLSConnectionActionRef AZFConnAction1
}
TTLSConnectionAction AZFConnAction1
{
  TTLSCipherParmsRef AZFCipherParms
  TTLSConnectionAdvancedParmsRef AZFConnAdvParms1
  CtraceClearText Off
  Trace 255
}
:
:
Callout Notes:
- The Jobname directive indicates that the rule applies only to connections made from the started task.
- The RemotePortRange indicates the port on which the IBM Security Verify Access server is listening.
- The Direction Outbound directive indicates that the rule applies to outgoing connections.
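As an added configuration check (example code written for this page, not IBM's), the following Python script parses the brace-delimited AT-TLS statement syntax shown above and verifies the properties the callout notes describe: the rule is scoped to the AZF* job name, its direction is Outbound, the remote port is a concrete value rather than the ?outboundPort? placeholder, and the referenced environment action sets HandshakeRole Client. It assumes a hypothetical TTLSEnvironmentAction named eActAZFClient, which the page references but does not show, and a constructed port value of 443.

```python
"""Lint an AT-TLS fragment for the IBM MFA outbound client rule (added
example, not IBM's code): Jobname AZF*, Direction Outbound, a concrete
RemotePortRange, and HandshakeRole Client in the environment action."""
import re

# Constructed sample: the page's rule plus a hypothetical TTLSEnvironmentAction
# named eActAZFClient, which the page references by name but does not show.
SAMPLE_POLICY = """
TTLSRule AZFClientRule
{
  Jobname AZF*
  RemotePortRange 443
  Direction Outbound
  TTLSEnvironmentActionRef eActAZFClient
  TTLSConnectionActionRef AZFConnAction1
}
TTLSEnvironmentAction eActAZFClient
{
  HandshakeRole Client
}
"""

def parse_policy(text):
    """Map (statement type, name) -> {directive: value} for each top-level
    statement; directives in nested parms blocks are flattened into it."""
    stmts, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts an AT-TLS comment
        if line in ("", "{", "}"):
            depth += {"{": 1, "}": -1}.get(line, 0)
            continue
        parts = line.split(None, 1)
        if depth == 0 and len(parts) == 2:       # header, e.g. "TTLSRule name"
            current = (parts[0], parts[1])
            stmts[current] = {}
        elif depth > 0 and len(parts) == 2 and current is not None:
            stmts[current][parts[0]] = parts[1]
    return stmts

def check_outbound_client_rule(text, rule_name="AZFClientRule"):
    """Return findings; an empty list means the rule has the documented shape."""
    stmts = parse_policy(text)
    rule = stmts.get(("TTLSRule", rule_name), {})
    env = stmts.get(("TTLSEnvironmentAction", rule.get("TTLSEnvironmentActionRef")), {})
    checks = [
        (rule.get("Jobname", "").startswith("AZF"), "Jobname should scope the rule to the AZF* started task"),
        (rule.get("Direction") == "Outbound", "Direction must be Outbound"),
        (re.fullmatch(r"\d+(-\d+)?", rule.get("RemotePortRange", "")) is not None, "RemotePortRange is missing or still a placeholder"),
        (env.get("HandshakeRole") == "Client", "referenced TTLSEnvironmentAction must set HandshakeRole Client"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it against the rule you plan to deploy before activating the policy; any finding points at a directive that does not match what this step requires.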
- Execute AZFEXEC and choose AZFISAM1.
- Provide the following:
- See Configure IBM MFA Compound In-Band for information about configuring IBM MFA Compound In-Band.
- Press F3 to save your changes and exit. If you change the PKCS#11 token name or key label values, you must re-enter the client secret value.