You must run the azf_webserver_config utility to complete the
IBM® MFA server setup.
About this task
Important: The azf_webserver_config utility accepts the values you
specify and does not perform additional validation. If you make typing mistakes or enter invalid
values, the IBM MFA daemon might not start.
To finish the IBM MFA server setup, complete the following
steps:
Procedure
- Log in to the IBM MFA server system by using SSH.
- Change directory (cd) to /opt/IBM/MFA/bin.
- Create an input file of the following format. A sample file is provided in
/opt/IBM/MFA/conf/azfserver_setup.conf.
# initial trace level for MFA server
INITIAL TRACE LEVEL=0
# location of the P12 identity certificate for the server
P12 LOCATION=/etc/security/certificates/secsrv.p12
# PKCS11 token used while encrypting P12 password
PKCS11 TOKEN NAME=mfazvm
# directory or PEM file containing CAs that will be trusted by the MFA server
# CAS LOCATION=/etc/security/mfa/certificates/cas
# port to use for server authentication
SERVER AUTH PORT=6793
# port to use for mutual authentication
MUTUAL AUTH PORT=6794
# port to use for ZVM Host communications
ZVM PORT=6787
where:
Important: Ensure that your firewall does not prevent access to the
SERVER AUTH PORT, MUTUAL AUTH PORT, and ZVM PORT ports.
Otherwise, the server will be listening on these ports but will not receive any connections, making
troubleshooting difficult.
One possible method to check the firewall status is with the
systemctl status firewalld command:
systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Fri 2019-12-13 12:43:29 EST; 47min ago
- Ensure that the pkcsslotd daemon is running:
# ps -ef | grep pkcsslotd
root 3441 1 0 Jan28 ? 00:00:01 pkcsslotd
- Run the following command as root.
./azf_webserver_config input-file
Enter password for P12 Identity Certificate:
Successfully configured AZF Webserver.
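
Because azf_webserver_config does not validate the input file, a check run before the final step can catch typing mistakes that would otherwise keep the IBM MFA daemon from starting. The script below is an added example, not part of IBM's documentation or tooling: the key names come from the sample file above, while the function name check_mfa_input and its rules (numeric ports within 1-65535, no port reuse, readable P12 file) are assumptions.

```shell
#!/bin/sh
# Added example: lint an azf_webserver_config input file before running the utility.
# Key names are taken from the sample file on this page; the rules themselves
# (numeric ports 1-65535, no port reuse, readable P12) are assumptions.

REQUIRED="INITIAL TRACE LEVEL|P12 LOCATION|PKCS11 TOKEN NAME|SERVER AUTH PORT|MUTUAL AUTH PORT|ZVM PORT"
OPTIONAL="CAS LOCATION"

# Body runs in a subshell "( ... )" so its variables and IFS change do not leak.
check_mfa_input() (
  file=$1; errors=0; seen=""; ports=""
  err() { echo "ERROR: $1" >&2; errors=$((errors + 1)); }
  [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; exit 1; }

  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac       # skip blank lines and comments
    key=${line%%=*}; val=${line#*=}
    case $key in *'|'*) key= ;; esac              # "|" is the list delimiter, never a key
    case "|$REQUIRED|$OPTIONAL|" in
      *"|$key|"*) seen="$seen|$key|" ;;
      *) err "unknown key or malformed line (typo?): $line"; continue ;;
    esac
    [ -n "$val" ] || { err "empty value for $key"; continue; }
    case $key in
      *PORT)
        case $val in
          *[!0-9]*|??????*) err "$key is not a valid port: $val"; continue ;;
        esac
        if [ "$val" -lt 1 ] || [ "$val" -gt 65535 ]; then err "$key out of range: $val"; fi
        case " $ports " in *" $val "*) err "$key reuses port $val" ;; esac
        ports="$ports $val" ;;
      "INITIAL TRACE LEVEL")
        case $val in *[!0-9]*) err "$key is not numeric: $val" ;; esac ;;
      "P12 LOCATION")
        [ -r "$val" ] || err "P12 file not readable: $val" ;;
    esac
  done < "$file"

  IFS='|'                                         # split REQUIRED on "|" only
  for key in $REQUIRED; do
    case $seen in *"|$key|"*) ;; *) err "missing required key: $key" ;; esac
  done
  [ "$errors" -eq 0 ]                             # exit status: 0 only if no problems
)

# Stand-alone use: sh check_mfa_input.sh input-file   (script name is hypothetical)
if [ "$#" -gt 0 ]; then check_mfa_input "$1"; fi
```

A non-zero exit status means at least one problem was reported on stderr; fix the input file before running ./azf_webserver_config input-file.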