If you choose to have the user register their own certificates, you must approve the
certificate before the user can use it to log in.
About this task
You must review the certificate that a user presents to confirm that it is valid and belongs to
that specific user. The user cannot use the certificate to log in with the PIV/CAC card until you
complete this process. The user can enroll only one certificate. To approve user certificates,
complete the following steps:
Procedure
- In the IBM MFA GUI, click the User Provisioning tab.
- Select an existing user.
- Click Check user information.
  The Policies table shows all of the policies that are assigned to the user.
- Click + in the Policies section.
  The All Policies table shows all of the available policies.
- Select a policy that has the certificate authentication method.
- Click Confirm.
  The Authentication Methods table shows the configured authentication methods for the policy.
- Select the certificate authentication method.
- Click Check provisioning information.
- You are prompted for the user-specific authentication method settings. Do not upload a certificate.
- Click Confirm.
  The registration state is set to OPEN.
- Set Active to On for the authentication method.
- Instruct the user to begin the IBM MFA certificate authentication logon process at the web server login page:
  https://server:port/AZFCERT1/enroll
  where port is the server authentication port.
- On the Available Authentication Policies page, instruct the user to click Open Certificate Enrollment Interface.
- On the Certificate AZFCERT1 Enrollment page, instruct the user to click Begin Certificate Enrollment.
- The user must select the certificate they want to use to log in and enter their valid PIN.
- If successful, the user receives a message indicating that the certificate enrollment succeeded and that they should await further instruction from the administrator.
- In the IBM MFA GUI, select the user again.
- Click Check user information.
- Select the certificate authentication method.
- Click Check provisioning information.
- Examine the user certificate and set the registration state to APPROVED if it is correct.
- Click Confirm.
- Set Active to On for the authentication method.
- Instruct the user to return to the web server login page and log in.
- On the Available Authentication Policies page, instruct the user to now click Begin Certificate-based Authentication.
- The user must select the certificate they want to use to log in and enter their valid PIN.
- On the Cache Token Credential page, instruct the user to copy the generated cache token credential and use it to log in to the application.