If you want to use certificate authentication, you must create the server truststore so
that the server trusts the client certificates. You do not need to create the server truststore for
any other authentication method. The server truststore of trusted Certificate Authority (CA)
certificates is a single file in the /etc/security/mfa/certificates directory
that contains the client PIV/CAC card issuing certificate chain in Privacy Enhanced Mail (PEM)
format.
About this task
The client certificate issuing chain, including any intermediate certificates and the root CA,
must be in PEM format.
Note: The procedure to obtain the certificate chain of the PIV/CAC card varies by the vendor and
application.
To create the truststore, complete the following steps:
Procedure
- If the certificates are not already in the PEM format, convert them. For example, if the
  certificates are currently in the Distinguished Encoding Rules (DER) format, you can use the
  openssl x509 command to convert them. The following example converts one
  intermediate certificate and the root CA certificate.
    openssl x509 -in inter_key.cer -inform der -outform pem -out inter_key.pem
    openssl x509 -in ca_key.cer -inform der -outform pem -out ca_key.pem
- Concatenate the certificate .pem files into a single file, issuing chain first and root CA last.
    cat inter_key.pem > client.pem
    cat ca_key.pem >> client.pem
- Use the secure copy (scp) command to copy the resulting file to the
  /etc/security/mfa/certificates directory on the IBM® MFA server system.
- Specify the location of the file in the Trust Store Path field of the
  IBM MFA server configuration, as described in Configuring server options.
- Optionally, edit the server configuration input file you created in Completing the server setup to include the server truststore.
    # initial trace level for MFA server
    INITIAL TRACE LEVEL=0
    # location of the P12 identity certificate for the server
    P12 LOCATION=/etc/security/mfa/certificates/secsrv.p12
    # PKCS11 token used while encrypting P12 password
    PKCS11 TOKEN NAME=azf
    # directory or PEM file containing CAs that will be trusted by the server
    CAS LOCATION=/etc/security/mfa/certificates/client.pem
    # port to use for server authentication
    SERVER AUTH PORT=6793
    # port to use for mutual authentication
    MUTUAL AUTH PORT=6794
    # port to use for ZVM Host communications
    ZVM PORT=6787
  where:
  <CAS LOCATION>
    is the truststore (client.pem in the example) you created.
- After you set the Trust Store Path field of the IBM MFA server configuration, you need to stop and restart the
  IBM MFA daemon. However, you will probably find it more
  convenient to first configure the certificate authentication method as described in Configuring PIV/CAC or X.509 Certificate authentication and then restart the IBM MFA server.