The IBM® MFA PAM modules are the IBM MFA authentication mechanism. You must configure these
modules.
About this task
To edit the configuration file for the IBM MFA PAM modules, complete the following steps.
Note: Do not add preceding or trailing spaces to an entry. They can result in an "Error processing MFA request" error.
Procedure
- Use an editor of choice to edit the /etc/security/azf/pam_azf.conf file on the IBM MFA client system. The pam_azf.conf file has the following format:
# The TRUSTEDCAS directive is required. It specifies the fully-qualified
# path to file containing a concatenation of PEM-format X.509 certificates.
TRUSTEDCAS = /etc/security/mfa/certificates/server_ca.pem
# The MFA-URL directive is required. It specifies the URL of the
# MFA server. Optionally, MFA-URL2 and MFA-URL3 can be used to
# specify fallback servers.
MFA-URL = https://mfa.example.com:6793/policyAuth/
#MFA-URL2 = https://mfa2.example.com:6793/policyAuth/
#MFA-URL3 = https://mfa3.example.com:6793/policyAuth/
# When enabled, CTC-PROMPT-ONLY instructs the PAM module to only support CTC
# credentials, and disables support for policy based in-band authentication.
CTC-PROMPT-ONLY = Y
- In the TRUSTEDCAS field, specify the location of the client truststore you configured in Creating the client truststore (server_ca.pem in the example).
- In the MFA-URL field, specify the fully-qualified host name (or IP address) and port number of the IBM MFA server. If you want to replicate IBM MFA, contact IBM support.
- To require the user to log in with a cache token credential (CTC) rather than with policy-based in-band authentication, see Enabling only IBM MFA Out-of-Band login.
- Save the changes.
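As an added example (not IBM's code), the following linter checks a pam_azf.conf file for the directives shown above, the https MFA-URL form, and the leading or trailing whitespace that the Note says produces an "Error processing MFA request" error. The "NAME = value" parsing rule is an assumption drawn from the sample file; the real module's parser is not documented here.

```python
import re
from urllib.parse import urlparse

# Added example, not IBM's code. Directive names and the "NAME = value" form
# come from the sample on the page; the module's real parsing rules are assumed.
REQUIRED = {"TRUSTEDCAS", "MFA-URL"}
KNOWN = REQUIRED | {"MFA-URL2", "MFA-URL3", "CTC-PROMPT-ONLY"}
ENTRY = re.compile(r"^([A-Z0-9-]+)\s*=\s*(\S.*)$")


def lint_pam_azf(text):
    """Return (line number, message) findings; line 0 marks file-level ones."""
    findings, seen = [], {}
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are not entries
        if line != line.strip():
            # The page warns this alone yields "Error processing MFA request".
            findings.append((num, "entry has leading or trailing whitespace"))
        match = ENTRY.match(line.strip())
        if not match:
            findings.append((num, "line is not in 'NAME = value' form"))
            continue
        name, value = match.groups()
        if name not in KNOWN:
            findings.append((num, f"unknown directive {name}"))
        if name in seen:
            findings.append((num, f"{name} already set on line {seen[name]}"))
        seen[name] = num
        if name.startswith("MFA-URL"):
            url = urlparse(value)
            if url.scheme != "https" or not url.hostname:
                findings.append((num, f"{name} must be an https URL with a host"))
    for name in sorted(REQUIRED - seen.keys()):
        findings.append((0, f"required directive {name} is missing"))
    return findings


# Constructed samples: GOOD_CONF mirrors the page; BAD_CONF has a leading
# space, a trailing space and a plain-http URL.
GOOD_CONF = (
    "TRUSTEDCAS = /etc/security/mfa/certificates/server_ca.pem\n"
    "MFA-URL = https://mfa.example.com:6793/policyAuth/\n"
    "#MFA-URL2 = https://mfa2.example.com:6793/policyAuth/\n"
    "CTC-PROMPT-ONLY = Y\n"
)
BAD_CONF = (
    " TRUSTEDCAS = /etc/security/mfa/certificates/server_ca.pem\n"
    "MFA-URL = http://mfa.example.com:6793/policyAuth/ \n"
    "CTC-PROMPT-ONLY = Y\n"
)
```

Run lint_pam_azf on the contents of /etc/security/azf/pam_azf.conf before restarting the PAM-using service; an empty list means none of the checks above fired.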