To use IBM® MFA Out-of-Band, you must use the RDEFINE command to define multi-factor authentication policies and the ALU command to apply the policies to one or more users.
Before you begin
Multi-factor authentication policies specify which authentication factors are required for IBM MFA Out-of-Band. The multi-factor authentication policy determines which of the active factors are actually applied. For example, if you activate TOTP (AZFTOTP1), Certificate Authentication (AZFCERT1), and IBM MFA with SecurID (AZFSIDP1) for a user, but the policy includes only AZFCERT1 and AZFSIDP1, then AZFTOTP1 is not required.
Important: If you apply a policy to a user, the user must have all the factors defined in the policy, and those factors must be active for the user. RACF® does not prevent you from applying a policy to a user who does not have all the required factors defined. Applying such a policy prevents the user from authenticating with IBM MFA Out-of-Band.
About this task
You must create a multi-factor authentication policy under the following conditions:
If you enable a user for a single factor, you can optionally create a multi-factor authentication policy for that single factor and direct the user to the IBM MFA Out-of-Band web server login page. You might want to do this for a reason described in Benefits of IBM MFA Out-of-Band Authentication.
Procedure
1. Enter the following command to create a multi-factor authentication policy:
   RDEF MFADEF POLICY.POLICY-NAME MFPOLICY(FACTOR(FACTOR-NAME)
   TOKENTIMEOUT(num-of-seconds) REUSE(Y|N))
   Where:
   - POLICY-NAME is a name of your choice between 1 and 20 characters. The allowed characters are A-Z and 0-9. You might find it convenient to give the policy a descriptive name, such as CERTSIDPTOTP or CERTONLY.
   - FACTOR-NAME is a space-separated list of factor names. The allowed factor names are as follows:
     - AZFSIDP1
     - AZFSIDP3
     - AZFTOTP1
     - AZFCERT1
     - AZFSFNP1
     - AZFRADP1
     - AZFSIDR1
     - AZFPASS1
     - AZFYUBI1
   - TOKENTIMEOUT sets the length of time (in seconds) that the IBM MFA Out-of-Band token is valid after it is generated. The value can be between 1 and 86,400 (the number of seconds in a day). The default is 300 seconds (5 minutes).
   - REUSE determines whether the IBM MFA Out-of-Band token can be reused by an application. Possible values are Y or N. The default is N.
2. Repeat step 1 as needed.
3. Refresh the MFADEF class:
   SETROPTS RACLIST(MFADEF) REFRESH
4. Enter the following command to display information about a specific policy:
   RLIST MFADEF POLICY.POLICY-NAME MFPOLICY
5. Enter the following command to display information about all IBM MFA factors and policies:
6. Enter the following command to apply the policy to a user:
   ALU <USERID> MFA(ADDPOLICY(POLICY-NAME))
7. Repeat step 6 as needed. If you apply multiple policies to a user, instruct the user which policy to use.
8. Enter the following command to display IBM MFA information for a user profile, including any applied policies:
   MULTIFACTOR AUTHENTICATION INFORMATION:
   ---------------------------------------
   PASSWORD FALLBACK IS NOT ALLOWED
   AUTHENTICATION POLICIES =
     TOTPONLY
   FACTOR = AZFSIDP1
     STATUS = INACTIVE
     FACTOR TAGS =
       SIDUSERID:user
   FACTOR = AZFTOTP1
     STATUS = ACTIVE
     FACTOR TAGS =
       REGSTATE:PROVISIONED
9. If needed, enter the following command to remove a policy from a user:
   ALU <USERID> MFA(DELPOLICY(POLICY-NAME))
10. If needed, enter the following commands to delete a policy and refresh the MFADEF class:
    RDEL MFADEF POLICY.POLICY-NAME
    SETROPTS RACLIST(MFADEF) REFRESH
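The Important note above warns that RACF does not stop you from applying a policy to a user whose factors are missing or inactive, which locks that user out of IBM MFA Out-of-Band. As an added example that is not part of the IBM documentation, the following Python helpers build the RDEF and ALU command strings from the parameter rules given in step 1, and parse the user-profile MFA output shown in step 8 to list any policy factor the user does not have ACTIVE, so that check can be made before the ALU command is issued. The sample output is the one shown on this page; the function names and the user ID USER01 are constructed for the example.

```python
"""Pre-flight helpers for the RACF IBM MFA policy procedure (added example, not IBM code).

build_rdef/build_alu produce the command strings from validated parameters;
missing_factors compares a policy's factor list with a user's LU MFA output so
the operator can see, before issuing ALU ... ADDPOLICY, whether the user could
ever satisfy the policy.
"""
import re

# Factor names the procedure lists as valid inside FACTOR(...).
ALLOWED_FACTORS = frozenset({
    "AZFSIDP1", "AZFSIDP3", "AZFTOTP1", "AZFCERT1", "AZFSFNP1",
    "AZFRADP1", "AZFSIDR1", "AZFPASS1", "AZFYUBI1",
})


def validate_policy(policy_name, factors, token_timeout=300, reuse="N"):
    """Return a list of problems with the RDEF parameters; empty means acceptable."""
    problems = []
    # POLICY-NAME: 1-20 characters from A-Z, 0-9.
    if not re.fullmatch(r"[A-Z0-9]{1,20}", policy_name):
        problems.append(f"policy name {policy_name!r} must be 1-20 characters from A-Z, 0-9")
    if not factors:
        problems.append("at least one factor name is required")
    problems.extend(f"unknown factor {f!r}" for f in factors if f not in ALLOWED_FACTORS)
    # TOKENTIMEOUT: 1 to 86400 seconds (default 300).
    if not (isinstance(token_timeout, int) and 1 <= token_timeout <= 86400):
        problems.append(f"TOKENTIMEOUT {token_timeout!r} is outside 1-86400 seconds")
    # REUSE: Y or N (default N).
    if reuse not in ("Y", "N"):
        problems.append(f"REUSE must be Y or N, got {reuse!r}")
    return problems


def build_rdef(policy_name, factors, token_timeout=300, reuse="N"):
    """Return the RDEF MFADEF command for the policy, or raise on invalid parameters."""
    problems = validate_policy(policy_name, factors, token_timeout, reuse)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"RDEF MFADEF POLICY.{policy_name} "
            f"MFPOLICY(FACTOR({' '.join(factors)}) "
            f"TOKENTIMEOUT({token_timeout}) REUSE({reuse}))")


def build_alu(userid, policy_name):
    """Return the ALU command that applies the policy to a user."""
    return f"ALU {userid} MFA(ADDPOLICY({policy_name}))"


def parse_lu_mfa(lu_output):
    """Extract applied policies and per-factor STATUS from the MFA section of LU output."""
    policies, factors = [], {}
    current_factor, in_policies = None, False
    for raw in lu_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AUTHENTICATION POLICIES"):
            in_policies = True
            rest = line.split("=", 1)[1].strip()
            if rest:
                policies.append(rest)
        elif line.startswith("FACTOR ="):
            in_policies = False
            current_factor = line.split("=", 1)[1].strip()
            factors[current_factor] = None
        elif line.startswith("STATUS =") and current_factor:
            factors[current_factor] = line.split("=", 1)[1].strip()
        elif in_policies and "=" not in line and ":" not in line:
            policies.append(line)  # continuation line carrying a policy name
    return {"policies": policies, "factors": factors}


def missing_factors(policy_factors, lu_output):
    """Factors the policy requires that the user either lacks or has not activated."""
    status = parse_lu_mfa(lu_output)["factors"]
    return [f for f in policy_factors if status.get(f) != "ACTIVE"]


# Constructed sample: the user-profile MFA section shown in step 8 of the procedure.
SAMPLE_LU_OUTPUT = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
AUTHENTICATION POLICIES =
  TOTPONLY
FACTOR = AZFSIDP1
  STATUS = INACTIVE
  FACTOR TAGS =
    SIDUSERID:user
FACTOR = AZFTOTP1
  STATUS = ACTIVE
  FACTOR TAGS =
    REGSTATE:PROVISIONED
"""

if __name__ == "__main__":
    print(build_rdef("CERTSIDPTOTP", ["AZFCERT1", "AZFSIDP1", "AZFTOTP1"], 600, "Y"))
    print(build_alu("USER01", "CERTSIDPTOTP"))
    # This user has only AZFTOTP1 ACTIVE, so CERTSIDPTOTP would lock them out.
    print(missing_factors(["AZFCERT1", "AZFSIDP1", "AZFTOTP1"], SAMPLE_LU_OUTPUT))
```

Run the user's LU output through missing_factors with the policy's factor list before applying the policy: an empty list means every required factor is ACTIVE; any name in the list is a factor the user must still have defined and activated.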