Configure SafeNet RADIUS

You must configure the AZFSFNP1 settings if you want to use SafeNet RADIUS.

Before you begin

The AZFSFNP1 authentication factor uses the PKCS#11 token to encrypt the shared secret before it is stored in RACF®, and to generate random authenticators for use inside the RADIUS packet.

You must configure a PKCS#11 token, as described in Configuring a PKCS#11 token. You need READ access to the CSF1TRC profile in the CSFSERV class.

About this task

Configuration data for SafeNet RADIUS is stored in the RACF database. The configuration data include settings related to the AZFSFNP1 authentication factor.

Procedure

  1. Execute AZFEXEC and choose AZFSFNP1.
  2. Provide the following:
    Table 1. AZFSFNP1 Factor Attributes
    Setting Allowed Values Description
    PKCS#11 Token Name Actual PKCS#11 token name Enter the name of the PKCS#11 token to be used for cryptographic operations. You created this token in Configuring a PKCS#11 token.
    Key Label Actual PKCS#11 key label The name of the key label that is used to encrypt the shared secret. The PKCS#11 key label has a limit of 32 characters. The value you specify for PKCS#11 key label is used if it already exists and is created if it does not exist.
    Primary Server Host Name Valid host name or IP address Enter the hostname or IP address for the primary SafeNet RADIUS server. The hostname must be sufficiently qualified for web clients to resolve the hostname. Must be set.
    Primary Server Port Valid port number The port number of the primary SafeNet RADIUS server. The default is 1812. Must be set.
    Secondary Server Host Name Valid host name or IP address Enter the hostname or IP address for the secondary SafeNet RADIUS server, if applicable. This is required only if you have multiple servers. The hostname must be sufficiently qualified for web clients to resolve the hostname.
    Secondary Server Port Valid port number The port number of the secondary SafeNet RADIUS server, if applicable. This is required only if you have multiple servers.
    Tertiary Server Host Name Valid host name or IP address Enter the hostname or IP address for the tertiary SafeNet RADIUS server, if applicable. This is required only if you have multiple servers. The hostname must be sufficiently qualified for web clients to resolve the hostname.
    Tertiary Server Port Valid port number The port number of the tertiary SafeNet RADIUS server, if applicable. This is required only if you have multiple servers.
    Number of Retries Integer, from 1 through 15 The number of times IBM® MFA attempts to contact the SafeNet RADIUS should the connection become inactive.
    Timeout Number of seconds, from 1 through 180 The amount of time the connection between IBM MFA and the SafeNet RADIUS can remain inactive before the session is timed out.
    Shared Secret Actual shared secret The shared secret (case-sensitive password) that is used by the SafeNet RADIUS server to recognize the IBM MFA RADIUS client. The RADIUS client uses the same shared secret when communicating with the RADIUS primary server or RADIUS replica servers.
    Important: The shared secret must be the same for all LPARs in a sysplex. Consult your SafeNet documentation for configuration information.
    Note: The shared secret is not displayed on the panel after you enter it.
    Note: When translating EBCDIC into ASCII to send to an external server the translation is performed using host code page IBM-1047 and server code page ISO-8859-1. This may have implications if you are using other code pages when specifying the host data.
    Initial Trace Level 0 through 3 Choose the initial trace level. Valid values are 0 through 3, where the higher number increases the level of verbosity. The default is 0.
  3. See Configure IBM MFA Compound In-Band for information about configuring IBM MFA Compound In-Band.
  4. Press F3 to save your changes and exit.
  5. Configure the SafeNet RADIUS server to accept communications from each z/OS system or LPAR that is running the IBM MFA services started task. Consult your SafeNet RADIUS documentation for configuration information.
If you change the PKCS#11 token name or key label values, you must re-enter the shared secret value.