Configure IBM MFA web services started task
The IBM® MFA web services component includes the TOTP registration function, certificate authentication, and out-of-band authentication. You must configure the IBM MFA web services started task settings if you want to use these features.
Procedure
- Execute AZFEXEC and enter STC to configure IBM MFA web services.
- Provide the following in the web services started task section:

Table 1. Web Services Started Task

| Setting | Allowed Values | Description |
|---|---|---|
| Server Authentication Port | Valid port number | Enter the port number on which the web server is listening. The port must match the one configured for AT-TLS. This port must be configured with server authentication (HandshakeRole is Server) in the AT-TLS configuration. |
| Mutual Authentication Port | Valid port number | Enter the port number, or zero. The mutual authentication port is required only if "Enable Certificate Authentication" is set to Y. Certificate authentication requires that AT-TLS be configured for client (mutual) authentication on a dedicated port. The port must match the one configured for AT-TLS. This port must be configured with client authentication (HandshakeRole is ServerWithClientAuth, ClientAuthType is Required) in the AT-TLS configuration. |
| Document Root | Document root location | The document root for the IBM MFA web services started task. Enter the default of /usr/lpp/IBM/azfv2r2/htdocs, or your chosen value. |
| Customized Document Root | Document root location | The document root from which to serve translated messages and HTML, as described in Translating and customizing IBM MFA messages and HTML. |
| PKCS#11 Token Name | Actual PKCS#11 token name | Enter the name of the PKCS#11 token to be used for cryptographic operations. You created this token in Configuring a PKCS#11 token. Important: If the AZFTOTP1 settings do not contain a token name, the token name you specify on this panel is used when creating an AZFTOTP1 user session-object when a user registers. If you change the token name, all AZFTOTP1 user registrations will become inaccessible, and users must re-register. |
| Enable Client Token Display | Y\|N | Enter Y or N. When this setting is Y, the CTC is displayed. When this setting is N, the CTC is masked for additional security to prevent it from being observed. The default is Y. The user has the option to display a masked CTC on the IBM MFA Out-of-Band page if needed. |
| Enable Out of Band Services | Y\|N | Enter Y or N. The default is N. Set this to Y if you plan to use IBM MFA Out-of-Band as described in Configure IBM MFA web service started task for IBM MFA Out-of-Band. |
| Enable TOTP Registration Services | Y\|N | Enter Y or N. The default is N. Set this to Y if you plan to use TOTP as described in Configuring IBM MFA for TOTP. |
| Enable Certificate Authentication | Y\|N | Enter Y or N. The default is N. Set this to Y if you plan to use certificate authentication as described in Configuring IBM MFA certificate authentication. Certificate authentication requires that out-of-band services also be enabled. Therefore, if this is set to Y, "Enable Out of Band Services" must also be set to Y. |
| Enable Password Change | Y\|N | Enter Y or N. The default is Y. If set to Y, "Enable Out of Band Services" must also be set to Y. See Changing a user password with web interface for a description of this feature. |
| Enable Password Reset | Y\|N | Enter Y or N. The default is Y. If set to Y, "Enable Out of Band Services" must also be set to Y. See Resetting a user password for a description of this feature. |
| Enable YubiKey Enrollment | Y\|N | This value specifies whether the YubiKey enrollment service is enabled. Possible values are Y or N. The default is N. See Configure Yubico OTP for more information. |
| Initial Trace Level | 0 through 3 | Choose the initial trace level. Valid values are 0 through 3, where the higher number increases the level of verbosity. The default is 0. |

- Press F3 to save your changes and exit.
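Several settings in Table 1 depend on each other (certificate authentication needs a mutual authentication port and out-of-band services; password change and reset need out-of-band services; the mutual port must be dedicated). The following pre-flight check, added here as an example and not part of IBM MFA or AZFEXEC, encodes those rules so an operator can validate planned panel values before saving; the dataclass field names and the sample port numbers are this example's own assumptions.

```python
from dataclasses import dataclass

# Field names mirror the Table 1 panel settings; they are this example's
# own names, not product identifiers. Port values below are constructed.
@dataclass
class WebServicesStc:
    server_auth_port: int
    mutual_auth_port: int = 0              # 0 = no mutual-auth port configured
    pkcs11_token: str = ""
    document_root: str = "/usr/lpp/IBM/azfv2r2/htdocs"
    client_token_display: str = "Y"
    out_of_band: str = "N"                 # panel defaults from Table 1
    totp_registration: str = "N"
    certificate_auth: str = "N"
    password_change: str = "Y"
    password_reset: str = "Y"
    yubikey_enrollment: str = "N"
    trace_level: int = 0

YN_FIELDS = ("client_token_display", "out_of_band", "totp_registration",
             "certificate_auth", "password_change", "password_reset",
             "yubikey_enrollment")

def validate(cfg: WebServicesStc) -> list[str]:
    """Return the list of Table 1 constraint violations (empty if consistent)."""
    errs = []
    for name in YN_FIELDS:
        if getattr(cfg, name) not in ("Y", "N"):
            errs.append(f"{name}: must be Y or N")
    if not 1 <= cfg.server_auth_port <= 65535:
        errs.append("server_auth_port: not a valid port number")
    if cfg.mutual_auth_port != 0 and not 1 <= cfg.mutual_auth_port <= 65535:
        errs.append("mutual_auth_port: must be 0 or a valid port number")
    if cfg.mutual_auth_port and cfg.mutual_auth_port == cfg.server_auth_port:
        errs.append("mutual_auth_port: must be a dedicated port, not the server authentication port")
    if not cfg.pkcs11_token:            # assumption: treat an empty token name as an error
        errs.append("pkcs11_token: a PKCS#11 token name is required")
    if cfg.certificate_auth == "Y":
        if cfg.mutual_auth_port == 0:
            errs.append("certificate_auth: requires a mutual authentication port")
        if cfg.out_of_band != "Y":
            errs.append("certificate_auth: requires out_of_band = Y")
    for name in ("password_change", "password_reset"):
        if getattr(cfg, name) == "Y" and cfg.out_of_band != "Y":
            errs.append(f"{name}: requires out_of_band = Y")
    if cfg.trace_level not in range(4):
        errs.append("trace_level: must be 0 through 3")
    return errs
```

Note that the Table 1 defaults alone (password change and reset Y, out-of-band services N) are flagged as inconsistent, so out-of-band services must be enabled or those two features disabled.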