Configure SecurID Authentication API parameters

Execute AZFEXEC to configure the SecurID Authentication API parameters.

Before you begin

You copied the AZFEXEC member to a data set in your SYSEXEC concatenation, as described in Copy SAZFEXEC(AZFEXEC), and customized the HLQ, as described in Customize AZFEXEC.

Procedure

  1. Execute AZFEXEC.
  2. Choose AZFSIDP3.
  3. Enter the data set values:
    Table 1. AZFSIDP3 Factor Attributes
    Setting | Description
    PKCS#11 Token Name | The name of the PKCS#11 token to be used for cryptographic operations. You created this token in Configuring a PKCS#11 token.
    Key Label | The name of the key label that is used to encrypt user registration information. The PKCS#11 key label has a limit of 32 characters. The value you specify for the PKCS#11 key label is used if it already exists and is created if it does not exist.
    REST Service URL 1 | Enter the URL of the primary RSA SecurID Authentication API instance, including port and base path. The protocol must be HTTPS. For example, https://host:port/mfa/v1_1/. The hostname must be sufficiently qualified for web clients to resolve the hostname. This value must be set.
    REST Service URL 2 | Enter the URL of the secondary RSA SecurID Authentication API instance, including port and base path. The protocol must be HTTPS. For example, https://host:port/mfa/v1_1/. The hostname must be sufficiently qualified for web clients to resolve the hostname. This is required only if you have multiple servers.
    REST Service URL 3 | Enter the URL of the tertiary RSA SecurID Authentication API instance, including port and base path. The protocol must be HTTPS. For example, https://host:port/mfa/v1_1/. The hostname must be sufficiently qualified for web clients to resolve the hostname. This is required only if you have multiple servers.
    Client ID | Enter the Authentication Agent name for the IBM® MFA server you configured in the RSA Authentication Manager.
    Access Key | Enter the Access Key from the RSA Authentication Manager.
    Timeout | The amount of time the connection between IBM MFA and the RSA server can remain inactive before the session is timed out.
    Initial Trace Level | The trace level used for tracing events within the AZFSIDP3 plug-in. Valid values are 0 through 3, where a higher number increases the level of verbosity. The default is zero.
  4. Define an AT-TLS rule to handle outbound traffic to the RSA REST Service URL and port, as described in Configure an AT-TLS profile.
  5. See Configure IBM MFA Compound In-Band for information about configuring IBM MFA Compound In-Band.
  6. Save and verify the changes.
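
The constraints in Table 1 can be checked before the values are entered in the panel. The following Python script is an added example, not part of IBM MFA or of the original procedure; the function names, dictionary keys, sample host names, and the rule that a hostname without a dot counts as insufficiently qualified are assumptions.

```python
from urllib.parse import urlsplit

MAX_KEY_LABEL = 32          # PKCS#11 key label limit stated in Table 1
TRACE_LEVELS = range(0, 4)  # valid Initial Trace Level values: 0 through 3


def check_url(name, url, required):
    """Return a list of problems for one REST Service URL setting."""
    if not url:
        return [f"{name}: must be set"] if required else []
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append(f"{name}: protocol must be HTTPS")
    try:
        port = parts.port
    except ValueError:          # non-numeric or out-of-range port
        port = None
    if port is None:
        problems.append(f"{name}: explicit port is missing or invalid")
    if not parts.hostname:
        problems.append(f"{name}: hostname is missing")
    elif "." not in parts.hostname:
        # Assumption: a single-label name is treated as insufficiently qualified.
        problems.append(f"{name}: hostname is not fully qualified")
    if parts.path in ("", "/"):
        problems.append(f"{name}: base path is missing")
    return problems


def check_settings(s):
    """Validate a dict of planned values; return all problems found."""
    problems = []
    for i in (1, 2, 3):  # only URL 1 is mandatory; 2 and 3 are for extra servers
        problems += check_url(f"REST Service URL {i}", s.get(f"url{i}", ""), required=(i == 1))
    label = s.get("key_label", "")
    if len(label) > MAX_KEY_LABEL:
        problems.append(f"Key Label: {len(label)} characters exceeds the limit of {MAX_KEY_LABEL}")
    if s.get("trace_level", 0) not in TRACE_LEVELS:
        problems.append("Initial Trace Level: must be 0 through 3")
    return problems


if __name__ == "__main__":
    # Constructed sample values for this added example, not from a real deployment.
    planned = {"url1": "https://rsa1.example.com:5555/mfa/v1_1/",
               "url2": "http://rsa2:5555/", "key_label": "MFA.SECURID.KEY", "trace_level": 0}
    for problem in check_settings(planned):
        print(problem)
```

The Access Key is deliberately not part of the checked dictionary, so the secret never has to be written to a planning file.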