Approving user certificates

If you choose to have the user register their own certificates, you must approve the certificate before the user can use it to log in.

About this task

Note: This procedure requires the user to log in to the IBM® MFA server system with a user name and password, which may not be appropriate for all users. In this case, register the certificate on behalf of the user, as described in Enabling users for PIV/CAC or X.509 Certificate authentication.
You must approve the certificate that is presented by a user to be sure it is correct and approved for the specific user. The user cannot use the certificate to log in with the PIV/CAC card until you complete this process. The user can enroll only one certificate.

To approve user certificates, complete the following steps:

Procedure

  1. In the IBM MFA GUI, click the User Provisioning tab.
  2. Select an existing user.
  3. Click Check user information.
    The Policies table shows all of the policies that are assigned to the user.
  4. Click + in the Policies section.
    The All Policies table shows all of the available policies.
  5. Select a policy that has the certificate authentication method.
  6. Click Confirm.
    The Authentication Methods table shows the configured authentication methods for the policy.
  7. Select the certificate authentication method.
  8. Click Check provisioning information.
  9. You are prompted for the user-specific authentication method settings. Do not upload a certificate.
  10. Click Confirm.
    The registration state is set to OPEN.
  11. Set Active to On for the authentication method.
  12. Instruct the user to begin the IBM MFA certificate authentication logon process at the web server login page:
    https://server:port/AZFCERT1/enroll
    
    where port is the server authentication port.
  13. On the Available Authentication Policies page, instruct the user to click Open Certificate Enrollment Interface.
  14. On the Certificate AZFCERT1 Enrollment page, instruct the user to click Begin Certificate Enrollment.
  15. The user must select the certificate they want to use to log in and enter their valid PIN.
  16. If successful, the user receives a message indicating that the certificate enrollment succeeded and that they should await further instruction from the administrator.
  17. In the IBM MFA GUI, select the user again.
  18. Click Check user information.
  19. Select the certificate authentication method.
  20. Click Check provisioning information.
  21. Examine the user certificate and set the registration state to APPROVED if it is correct.
  22. Click Confirm.
  23. Set Active to On for the authentication method.
  24. Instruct the user to return to the web server login page and log in.
  25. On the Available Authentication Policies page, instruct the user to click Begin Certificate-based Authentication (not the enrollment interface used earlier).
  26. The user must select the certificate they want to use to log in and enter their valid PIN.
  27. On the Cache Token Credential page, instruct the user to copy the generated cache token credential and use it to log in to the application.