Configure Certificate Authentication

You must configure Certificate Authentication to use this factor.

About this task

As part of the initial logon process, the user must select the certificate they want to use to log and complete Certificate Enrollment. You must either configure certificate enrollment automatic approval or approve the certificate presented by a user to be sure it is correct and approved for the specific user. The user cannot use the certificate to log on with IBM® MFA Certificate Authentication until you complete this process.

The certificate approval process you must follow is described in Approve user certificates.

You can configure Certificate Authentication to notify an administrator by email when a user enrolls a certificate.

Procedure

  1. Execute AZFEXEC and choose AZFCERT1 to configure Certificate Authentication.
  2. Provide the following:
    Table 1. AZFCERT1 Factor Attributes
    Setting Description
    SMTP Server Host Enter the host name or IP address of the Simple Mail Transfer Protocol (SMTP) server for outbound email.
    SMTP Server Port Enter the port of the SMTP server.
    SMTP User Id Enter the user ID you want to use to log in to the SMTP server.
    SMTP User Password Enter the password for the user ID you want to use to log in to the SMTP server.
    Administrator Email Address Enter the email address to be notified when a user enrolls a certificate.
    Sender Email Address Enter the email address used to send the email notification.
    Require Exact Certificate Possible values are Y or N. The default is N.

    By default, the client certificate must match the Subject DN and Issuer DN of the root CA certificate and a hash is created. This parameter addresses the use case where the user gets a new certificate and the hash does not match. If set to Y, the user certificate must match the hash as well as the Subject DN and Issuer DN of the root CA certificate.

    Enable Auto-Approval in Certificate Enrollment Service When this option is enabled, the certificate enrollment web service checks whether the ESM has already been configured to map the user-provided certificate to the SAF User ID attempting enrollment. If so, the user's REGSTATE is immediately set to APPROVED and the REVIEW state is skipped. The option values are as follows:
    • N - Never. Do not auto-approve user certificate enrollments. When a user completes self-service certificate enrollment, the user's REGSTATE tag is set to REVIEW. This is the default.
    • E - ESM. Users performing self-service certificate enrollment are required to provide a user ID. If the ESM has been configured such that the InitACEE (IRRSIA00) callable service reports that the presented certificate maps to the same user ID, then the user's REGSTATE tag is set to APPROVED. Otherwise, the REGSTATE tag is set to REVIEW.

      One way to perform this task is with the RACDCERT MAP, as described in z/OS Security Server RACF Command Language Reference.

    • A - Always. If a user completes self-service certificate enrollment, the REGSTATE tag data is set to APPROVED.

    Default: N.

    Default Application Name for Certificate Auto-Approval This value should only be specified if the ESM has been configured for certificate name filtering via DIGTNMAP profiles. This value controls the APPL-id parameter used by MFA when invoking IRRSIA00.
    Initial Trace Level The trace level used for tracing events within the AZFCERT1 plug-in. Valid values are 0 through 3, where the higher number increases the level of verbosity. The default is zero.