Configuring bulk provisioning users for IBM MFA
IBM® MFA provides programs and UNIX shell scripts that you can use to provision users with policies and factors. Although you can use the RACF® commands for this purpose, the bulk provisioning feature is more efficient if you have a large number of users.
Before you begin
Important:
- You need to have UPDATE access to the system security manager FACILITY class profile IRR.RFACTOR.USER to update the user factor data. Use the PERMIT command to grant UPDATE access to the profile. If the FACILITY class has been RACLISTed, refresh the class for the change to become effective.
- If the authentication factor you are provisioning requires a PKCS#11 token, ensure that you have CONTROL access to the SO.token_name profile that protects the token and UPDATE access to the USER.token_name profile that protects the token, as described in Configuring a PKCS#11 token.
- If provisioning AZFCERT1, the user running azfbulk needs READ access to the CSFSERV class profiles CSFOWH and CSF1TRD.
About this task
The azfbulk parameters are shown in Table 1. The parameter usage is as follows:
azfbulk input-file (COMMIT)
Parameter | Description |
---|---|
input-file | A user-created text file of user names, policies, authentication methods, and authentication method-specific parameters. The format of this file must be as follows: |
COMMIT | Commits the changes. You can run the azfbulk program with or without the COMMIT parameter. It is recommended that you run it the first time without COMMIT and then examine the output shell scripts. If the output shell scripts are correct, run the azfbulk program a second time and specify the COMMIT parameter. COMMIT must be in uppercase. |
Table 2 describes the authentication method parameters. The parameters are positional and you can omit trailing parameters. However, you must specify all preceding parameters.
Authentication Method | Parameters |
---|---|
AZFCERT1 | The file specification of the user certificate. The .cer (DER) and PEM formats are supported. The azfbulk program performs the certificate enrollment and approval process described in Approve user certificates on your behalf. |
AZFSIDP1, AZFSIDP3, and AZFSIDR1 | The associated RSA user ID. |
AZFRADP1 and AZFSFNP1 | The RADIUS user ID. |
AZFPTKT1 | The setting for MFAFIRST (Y or N), and the number of seconds for WINDOW. |
AZFTOTP1 | Does not accept any parameters. The user is set to REGSTATE:OPEN. |
AZFISAM1 | |
AZFLDAP1 | The user DN. |
AZFPASS1 | Does not accept any parameters. |
AZFYUBI1 | The complete string from the .csv file. |
AZFCKCTC | The user name on the CTC source system. Note: The AZFCKCTC authentication factor supports in-band authentication only. If you activate a user for AZFCKCTC, the user cannot be associated with a policy name or have any other active authentication factors. |
A sample input file is as follows:
USERA CERTONLY AZFCERT1 /u/usersa/certificates/usera.cer
USERB *NONE* AZFTOTP1
USERC *NONE* AZFRADP1 raduserc
USERD *NONE* AZFSFNP1 raduserd
USERE SIDPONLY AZFSIDP1
USERF *NONE* AZFPTKT1 Y 600
USERG *NONE* AZFSIDR1 rsauserg
USERH *NONE* AZFPASS1
USERI *NONE* AZFCKCTC USERI
USERJ *NONE* AZFCKCTC USERX
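Because a COMMIT run applies every record in the file, it is worth linting the input against the positional-parameter rules in Table 2 before the first (non-COMMIT) azfbulk run. The following script is an added example, not IBM MFA's own code or azfbulk's validation: it assumes the record layout "user policy factor [factor-specific parameters]" inferred from the sample above, treats *NONE* as "no policy", and assumes a user may appear on more than one line (one line per factor). It checks the parameter counts the page documents, the Y/N and numeric values for AZFPTKT1, and the AZFCKCTC restriction that the user may have neither a policy nor any other factor. The sample records it checks are constructed.

```python
"""Pre-flight lint for an azfbulk input file (added example, not IBM code)."""
import sys
from collections import defaultdict

# Maximum number of positional parameters each factor accepts, per Table 2.
# None means "not checked": the page lists no parameters for AZFISAM1.
MAX_PARAMS = {
    "AZFCERT1": 1,                                  # certificate file (.cer DER or PEM)
    "AZFSIDP1": 1, "AZFSIDP3": 1, "AZFSIDR1": 1,    # RSA user ID
    "AZFRADP1": 1, "AZFSFNP1": 1,                   # RADIUS user ID
    "AZFPTKT1": 2,                                  # MFAFIRST (Y|N), WINDOW seconds
    "AZFTOTP1": 0,                                  # no parameters (REGSTATE:OPEN)
    "AZFISAM1": None,
    "AZFLDAP1": 1,                                  # user DN
    "AZFPASS1": 0,                                  # no parameters
    "AZFYUBI1": 1,                                  # complete .csv string, kept whole
    "AZFCKCTC": 1,                                  # user name on the CTC source system
}

NO_POLICY = "*NONE*"   # assumption: keyword meaning "no policy", as in the sample file


def parse_record(line):
    """Split one record into (user, policy, factor, params); None if malformed."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        return None
    user, policy, factor = parts[0].upper(), parts[1], parts[2].upper()
    rest = parts[3].strip() if len(parts) == 4 else ""
    if factor == "AZFYUBI1":
        params = [rest] if rest else []   # the csv string is one opaque parameter
    else:
        params = rest.split()             # remaining fields are positional parameters
    return user, policy, factor, params


def check_factor_params(factor, params):
    """Return a list of problems with the factor-specific parameters."""
    if factor not in MAX_PARAMS:
        return [f"unknown factor {factor}"]
    errs = []
    limit = MAX_PARAMS[factor]
    if limit is not None and len(params) > limit:
        errs.append(f"{factor} accepts at most {limit} parameter(s), got {len(params)}")
    if factor == "AZFPTKT1":
        # Trailing parameters may be omitted, but those present must be valid.
        if params and params[0] not in ("Y", "N"):
            errs.append("AZFPTKT1 MFAFIRST must be Y or N")
        if len(params) > 1 and not params[1].isdigit():
            errs.append("AZFPTKT1 WINDOW must be a number of seconds")
    return errs


def lint(text):
    """Return 'line N: message' strings for every problem; an empty list means clean."""
    problems = []
    factors_by_user = defaultdict(list)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        rec = parse_record(line)
        if rec is None:
            problems.append(f"line {n}: expected 'user policy factor [params...]'")
            continue
        user, policy, factor, params = rec
        problems.extend(f"line {n}: {e}" for e in check_factor_params(factor, params))
        if factor == "AZFCKCTC" and policy != NO_POLICY:
            problems.append(f"line {n}: AZFCKCTC user {user} cannot have a policy ({policy})")
        factors_by_user[user].append((n, factor))
    # AZFCKCTC is in-band only: the user may not carry any other factor.
    for user, recs in factors_by_user.items():
        factors = {f for _, f in recs}
        if "AZFCKCTC" in factors and len(factors) > 1:
            lines = ", ".join(str(n) for n, _ in recs)
            problems.append(f"lines {lines}: {user} has AZFCKCTC together with other factors")
    return problems


# Constructed sample: the first four records are valid, the rest violate Table 2.
SAMPLE = """\
USERA CERTONLY AZFCERT1 /u/usersa/certificates/usera.cer
USERB *NONE* AZFTOTP1
USERF *NONE* AZFPTKT1 Y 600
USERI *NONE* AZFCKCTC USERI
USERK *NONE* AZFTOTP1 extra
USERL *NONE* AZFPTKT1 X 600
USERM CTCPOL AZFCKCTC USERM
USERN *NONE* AZFCKCTC USERN
USERN *NONE* AZFPASS1
"""

if __name__ == "__main__":
    # Usage: python azfbulk_lint.py input-file   (no argument checks SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = lint(text)
    print("\n".join(found) if found else "no problems found")
    sys.exit(1 if found else 0)
```

Run it against the real input file before the dry run; a non-zero exit means at least one record would have been provisioned in a way Table 2 does not allow. The check only covers what the page documents, so a clean result still leaves the generated azfprov1.sh and azfprov2.sh to be reviewed before running azfbulk with COMMIT.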
The azfbulk program creates two shell scripts, azfprov1.sh and azfprov2.sh, from the input file:
- azfprov1.sh associates the users with the policies and factors. The factors are not active. azfprov1.sh invokes azfbulkcmd.sh, which allows you to make any needed customizations if you are using an ESM other than RACF. No changes to azfbulkcmd.sh are required if you are using RACF.
- azfprov2.sh calls factor-specific utility programs to set the user factor data. azfprov2.sh commits the changes.