Completing the server setup

You must run the azf_webserver_config utility to complete the IBM® MFA server setup.

About this task

Important: The azf_webserver_config utility accepts the values you specify and does not perform additional validation. If you make typing mistakes or enter invalid values, the IBM MFA daemon might not start.

To finish the IBM MFA server setup, complete the following steps:


  1. Log in to the IBM MFA server system by using SSH.
  2. Change directory (cd) to /opt/IBM/MFA/bin.
  3. Create an input file in the following format. A sample file is provided in /opt/IBM/MFA/conf/azfserver_setup.conf.
    # initial trace level for MFA server
    # location of the P12 identity certificate for the server
    P12 LOCATION=/etc/security/certificates/secsrv.p12
    # PKCS11 token used while encrypting P12 password
    PKCS11 TOKEN NAME=mfazvm
    # directory or PEM file containing CAs that will be trusted by the MFA server
    # CAS LOCATION=/etc/security/mfa/certificates/cas
    # port to use for server authentication
    # port to use for mutual authentication
    # port to use for ZVM Host communications
    ZVM PORT=6787
    • INITIAL TRACE LEVEL sets the IBM MFA server initial trace level. Valid values are 0 - 3; higher numbers produce more verbose tracing. You should generally accept the default value of 0.

      The IBM MFA server logs informational and error messages to the /var/log/MFA/mfa_latest-server-log.log file.

    • P12 LOCATION is the PKCS#12 certificate you obtained by completing the procedure in Obtaining the PKCS#12 file and certificate password.
    • PKCS11 TOKEN NAME is the PKCS#11 token you created in Configuring a PKCS#11 token.
    • CAS LOCATION: You need to specify this location only if you plan to use the PIV/CAC or X.509 Certificate method. For more information, see Creating the server truststore.
    • SERVER AUTH PORT is the port number on which you want the web server to listen.
    • MUTUAL AUTH PORT is the port number you want to use for mutual authentication.
    • ZVM PORT is the port number you want to use for ZVM host communications.
    Important: Ensure that your firewall does not prevent access to the SERVER AUTH PORT, MUTUAL AUTH PORT, and ZVM PORT ports. Otherwise, the server will be listening on these ports but will not receive any connections, making troubleshooting difficult.
    One way to check the firewall status is to run the systemctl status firewalld command:
    systemctl status firewalld
    firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Fri 2019-12-13 12:43:29 EST; 47min ago
  4. Ensure that the pkcsslotd daemon is running:
    # ps -ef | grep pkcsslotd
    root      3441     1  0 Jan28 ?        00:00:01 pkcsslotd
  5. Run the following command as root.
    ./azf_webserver_config input-file
    Enter password for P12 Identity Certificate:
    Successfully configured AZF Webserver.
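
Because azf_webserver_config accepts the input file without validating it, checking the file before step 5 catches typing mistakes before they stop the daemon from starting. The following shell function is an added example, not part of IBM MFA; it assumes KEY=VALUE lines with # comments, the key names exactly as spelled on this page, and that the three ports must differ.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for an azf_webserver_config input file.
# Assumes KEY=VALUE lines, '#' comments, and key names spelled as on this page.
check_mfa_conf() {
    local file="$1" line key val rc=0 seen=" "
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"      # drop leading whitespace
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        case $line in
            *=*) key=${line%%=*}; val=${line#*=} ;;
            *)   echo "not KEY=VALUE: $line"; rc=1; continue ;;
        esac
        case $key in
            "INITIAL TRACE LEVEL")
                case $val in
                    [0-3]) ;;
                    *) echo "$key must be 0-3: '$val'"; rc=1 ;;
                esac ;;
            "SERVER AUTH PORT"|"MUTUAL AUTH PORT"|"ZVM PORT")
                case $val in
                    ''|*[!0-9]*|??????*)
                        echo "$key is not a port number: '$val'"; rc=1 ;;
                    *)  if [ "$val" -lt 1 ] || [ "$val" -gt 65535 ]; then
                            echo "$key out of range: $val"; rc=1
                        fi
                        # assumption: each listener needs its own port
                        case $seen in
                            *" $val "*) echo "$key reuses port $val"; rc=1 ;;
                        esac
                        seen="$seen$val " ;;
                esac ;;
            "P12 LOCATION")
                [ -f "$val" ] || { echo "$key: no such file: $val"; rc=1; } ;;
            "CAS LOCATION")
                [ -e "$val" ] || { echo "$key: no such path: $val"; rc=1; } ;;
            "PKCS11 TOKEN NAME")
                [ -n "$val" ] || { echo "$key is empty"; rc=1; } ;;
            *)  echo "unknown key: '$key'"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}
# Run as a script: bash check_mfa_conf.sh input-file
[ $# -eq 0 ] || check_mfa_conf "$1"
```

The check is deliberately strict: a key with a stray trailing space or a misspelling is reported as unknown rather than guessed at.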