Configure Yubico OTP

You must configure the Yubico OTP AZFYUBI1 settings.

Before you begin

You must have already configured PKCS#11 tokens before you configure Yubico OTP.

About this task

Configuration data for Yubico OTP is stored in the RACF® database. The Yubico OTP configuration data include settings related to the AZFYUBI1 authentication load module.


  1. Execute AZFEXEC and choose AZFYUBI1.
  2. Provide the following:
    Table 1. AZFYUBI1 Factor Attributes
    Setting Allowed Values Description
    PKCS#11 Token Name Actual PKCS#11 token name Enter the name of the PKCS#11 token to be used for cryptographic operations. You created this token in Configuring a PKCS#11 token.
    Key Label Actual PKCS#11 key label The name of the key label that is used to encrypt the client secret. The PKCS#11 key label has a limit of 32 characters. This label is created when you run the Yubico OTP bulk provisioning feature if it does not exist.
    Initial Trace Level 0 through 3 The trace level used for tracing events within the AZFYUBI1 plug-in. Valid values are 0 through 3, where the higher number increases the level of verbosity. The default is zero.
  3. See Configure IBM MFA Compound In-Band for information about configuring IBM MFA Compound In-Band.
  4. Press F3 to save your changes and exit.
  5. Set Enable YubiKey Enrollment to Y in the web services started task configuration, as described in Configure IBM MFA web services started task if you want users to be able to enroll a YubiKey on the YubiKey Enrollment page. The YubiKey Enrollment page and process is described in Ingesting the .csv configuration file.
If you change the PKCS#11 token name or key label values, all user registrations will become inaccessible, and users must re-register.