Installing IBM MFA server and GUI

IBM® MFA can run on any Red Hat Enterprise Linux® for IBM Z® and LinuxONE or SUSE Linux Enterprise Server on IBM Z operating system that meets the minimum requirements.

Before you begin

Important: Special considerations for SELinux
If SELinux is enabled in your environment, perform the following steps:
  1. Run the mfadb10-init.sh, mfadb20-create.sh, and mfadb30-populate.sh database scripts as described in this section.
  2. Review the process context and tags associated with the postgresql and pkcsslotd services before enabling mfa.service dependencies on the postgresql and pkcsslotd services.
  3. After you have identified the required SELinux tags, implement the sample script for your platform (/opt/IBM/MFA/db/db-selinux-rhel.sh for Red Hat Enterprise Linux or /opt/IBM/MFA/db/db-selinux-sles.sh for SUSE Linux Enterprise Server) to update the MFA SELinux settings and enable dependencies in mfa.service.

About this task

You must install the IBM MFA server and GUI on one instance of a Red Hat Enterprise Linux for IBM Z and LinuxONE or SUSE Linux Enterprise Server on IBM Z operating system.

The IBM MFA server installs the mfa.service, which has dependencies on postgresql and pkcsslotd systemd services. systemd ensures that the dependent services are running before starting IBM MFA server.

As of version 2.2.0.7 of IBM MFA, the RPM installation behavior for the server has changed for new installations. (For upgrade installations, no additional steps are required, as described in Updating IBM MFA server and GUI.) The installation phases relating to the IBM MFA database are no longer invoked directly from the server RPM installation script. Instead, the installation RPM copies the following shell scripts to the /opt/IBM/MFA/db directory:
mfadb10-init.sh
This script allocates database directories and files, and starts the postgres server process.
mfadb20-create.sh
This script creates a postgres user to own the MFA database, and creates an empty IBM MFA database, owned by that user, in the directory created by the mfadb10-init.sh script.
mfadb30-populate.sh
This script creates IBM MFA table structures inside the database that was initialized and created during previous installation phases.
mfadb-status.sh
This script uses the pg_ctl utility to check PostgreSQL status on the system, as it relates to the IBM MFA database.
mfadb-bkup.sh
This script uses the pg_dumpall utility to create a backup of the IBM MFA database contents.

Procedure

  1. Ensure that you are logged in as the root user.
  2. Enter one of the following commands depending on the platform on which you are installing:
    rpm -i mfa-server-2.2.0.latest.rhel8.s390x.rpm
    rpm -i mfa-server-2.2.0.latest.sles15.s390x.rpm
  3. Change directory to /opt/IBM/MFA/db.
  4. Review and customize the mfadb10-init.sh, mfadb20-create.sh, and mfadb30-populate.sh database scripts if needed. By default, specific changes are not required.
  5. Execute mfadb10-init.sh to allocate database directories and files, and start the postgres server process.
    # ./mfadb10-init.sh
    pg_ctl: directory "/opt/IBM/MFA/mfadb" does not exist
    pg_status:pginfo return code=| 4 |
    pg_status:pginfo text=| |
    ./mfadb10-init.sh: no active Postgres server found for /opt/IBM/MFA/mfadb
    ./mfadb10-init.sh: Going to create db directory.
    Last login: Tue Jul 11 13:57:41 EDT 2023
    waiting for server to start.... done
    server started
    Last login: Tue Jul 11 13:57:41 EDT 2023
    pg_status:pginfo return code=| 0 |
    pg_status:pginfo text=| pg_ctl: server is running (PID: 11389) /usr/bin/postgres "-D" "/opt/IBM/MFA/mfadb" |
    ./mfadb10-init.sh: postgres server running in data directory /opt/IBM/MFA/mfadb
    ./mfadb10-init.sh: MFA DB initialization complete.
  6. Execute mfadb20-create.sh.
    # ./mfadb20-create.sh
    pg_status:pginfo return code=| 0 |
    pg_status:pginfo text=| pg_ctl: server is running (PID: 11389) /usr/bin/postgres "-D" "/opt/IBM/MFA/mfadb" |
    ./mfadb20-create.sh: postgres IS running
    ./mfadb20-create.sh: MFA DB creation complete.
  7. Execute mfadb30-populate.sh.
    # ./mfadb30-populate.sh
    pg_status:pginfo return code=| 0 |
    pg_status:pginfo text=| pg_ctl: server is running (PID: 11389) /usr/bin/postgres "-D" "/opt/IBM/MFA/mfadb" |
    BEGIN
    CREATE TABLE
    CREATE TABLE
    :
    :
    ./mfadb30-populate.sh: MFA DB population complete.
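
Because the database phases are now run by hand, each one should be confirmed before the next is started. The following is an added example, not part of the IBM MFA product or its scripts: it checks a captured phase transcript using only the output format shown in steps 5 to 7. The function names (last_pg_rc, phase_ok) and the log file name are hypothetical, and the sample transcripts are constructed from the output above.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes only the output format shown above.

# Print the LAST "pg_status:pginfo return code=| N |" value found on stdin.
# mfadb10-init.sh legitimately reports 4 first (no data directory yet),
# so only the final status check of a phase is meaningful.
last_pg_rc() {
    sed -n 's/^[[:space:]]*pg_status:pginfo return code=|[[:space:]]*\([0-9][0-9]*\)[[:space:]]*|.*$/\1/p' |
        tail -n 1
}

# phase_ok MARKER: read one phase transcript on stdin; succeed only if the
# final pg_ctl status is 0 and "MFA DB <MARKER> complete." was printed.
phase_ok() {
    marker=$1
    out=$(cat)
    rc=$(printf '%s\n' "$out" | last_pg_rc)
    [ "$rc" = "0" ] || return 1
    printf '%s\n' "$out" | grep -q "MFA DB $marker complete\.\$"
}

# Constructed sample: the mfadb10-init.sh transcript from step 5.
sample_init() {
cat <<'EOF'
pg_ctl: directory "/opt/IBM/MFA/mfadb" does not exist
pg_status:pginfo return code=| 4 |
pg_status:pginfo text=| |
./mfadb10-init.sh: no active Postgres server found for /opt/IBM/MFA/mfadb
./mfadb10-init.sh: Going to create db directory.
waiting for server to start.... done
server started
pg_status:pginfo return code=| 0 |
./mfadb10-init.sh: postgres server running in data directory /opt/IBM/MFA/mfadb
./mfadb10-init.sh: MFA DB initialization complete.
EOF
}

# Constructed sample: the same transcript cut off before the server started.
sample_init_failed() { sample_init | head -n 4; }

# Intended use on a real system (script exit codes are not documented here):
#   ./mfadb10-init.sh 2>&1 | tee init.log | phase_ok initialization || exit 1
sample_init | phase_ok initialization && echo "init phase: ok"
sample_init_failed | phase_ok initialization || echo "truncated run: not ok"
```

The markers for the other two phases, as printed in steps 6 and 7, are "creation" and "population".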