Editing the IBM MFA PAM modules

The IBM® MFA PAM modules are the IBM MFA authentication mechanism. You must configure these modules.

About this task

To edit the configuration file for the IBM MFA PAM modules, complete the following steps.

Note: Do not add leading or trailing spaces to an entry. A stray space at the start or end of a line can result in an "Error processing MFA request" error.

  1. Use an editor of choice to edit the /etc/security/azf/pam_azf.conf file on the IBM MFA client system.
    The pam_azf.conf file has the following format:
    # The TRUSTEDCAS directive is required. It specifies the fully-qualified
    # path to the file containing a concatenation of PEM-format X.509 certificates
    # that the module trusts when it verifies the IBM MFA server's TLS certificate.
    TRUSTEDCAS = /etc/security/mfa/certificates/server_ca.pem
    # The MFA-URL directive is required. It specifies the URL of the
    # MFA server. Optionally, MFA-URL2 and MFA-URL3 can be used to
    # specify fallback servers.
    MFA-URL = https://mfa.example.com:6793/policyAuth/
    #MFA-URL2 = https://mfa2.example.com:6793/policyAuth/
    #MFA-URL3 = https://mfa3.example.com:6793/policyAuth/
    # When enabled, CTC-PROMPT-ONLY instructs the PAM module to only support CTC
    # credentials, and disables support for policy based in-band authentication.
  2. In the TRUSTEDCAS field, specify the location of the client truststore you configured in Creating the client truststore (server_ca.pem in the example). This file is the trust anchor for the TLS connection to the IBM MFA server, so keep it limited to the CA that issued the server certificate and make sure that only root can modify it.
    Note: If you create your own root CA certificate for testing purposes as described in Optional: Creating test root and server certificates, use that CA certificate (myCA.pem in the examples) as the truststore.
  3. In the MFA-URL field, specify the fully-qualified host name (or IP address) and port number of the IBM MFA server, keeping the https scheme and the /policyAuth/ path shown in the example; the module validates the server against TRUSTEDCAS, so a plain http URL is not usable. If you want to run replicated IBM MFA servers and point the MFA-URL2 and MFA-URL3 fallback entries at them, contact IBM support.
  4. If you want to require users to log in with a cache token credential (CTC) and not with policy based in-band authentication (the CTC-PROMPT-ONLY directive), see Enabling only IBM MFA Out-of-Band login.
  5. Save the changes.
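The following pre-flight lint is an added example, not part of the IBM MFA product or this page's original content. It checks a pam_azf.conf for the points the steps above call out: both required directives are present, no entry line starts or ends with whitespace (this example assumes that is what the Note means by preceding or trailing spaces; a carriage return left by a Windows editor counts too), the TRUSTEDCAS file exists and holds a PEM certificate, and every MFA-URL entry uses https. The sample truststore and configuration files it creates are constructed for the example; the certificate file is a header-only placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not IBM's code): a pre-flight lint for pam_azf.conf that
# checks the points the configuration steps call out before the module is
# relied on for login. Assumption: "preceding or trailing spaces" means
# whitespace at the start or end of an entry line.

# conf_value FILE DIRECTIVE: print the directive's value with surrounding
# whitespace stripped (the whitespace itself is flagged separately below).
conf_value() {
    grep "^$2[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# check_pam_azf_conf FILE: print each finding, return 0 only if clean.
check_pam_azf_conf() {
    conf=$1
    rc=0

    # 1. Whitespace at the start or end of an entry line: the page warns this
    #    produces "Error processing MFA request".
    if grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' |
            grep -q -e '^[[:space:]]' -e '[[:space:]]$'; then
        echo "FAIL: entry with leading/trailing whitespace in $conf"
        rc=1
    fi

    # 2. Both required directives must be present.
    for d in TRUSTEDCAS MFA-URL; do
        if ! grep -q "^$d[[:space:]]*=" "$conf"; then
            echo "FAIL: required directive $d is missing"
            rc=1
        fi
    done

    # 3. The truststore must exist and hold at least one PEM certificate;
    #    it is the trust anchor for the TLS connection to the MFA server.
    ca=$(conf_value "$conf" TRUSTEDCAS)
    if [ -z "$ca" ]; then
        : # already reported as missing in check 2
    elif [ ! -r "$ca" ]; then
        echo "FAIL: TRUSTEDCAS file '$ca' is missing or unreadable"
        rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "FAIL: TRUSTEDCAS file '$ca' holds no PEM certificate"
        rc=1
    fi

    # 4. Every configured server URL must use https; a plain http URL would
    #    send the authentication exchange in the clear and bypass TRUSTEDCAS.
    for d in MFA-URL MFA-URL2 MFA-URL3; do
        url=$(conf_value "$conf" "$d")
        [ -n "$url" ] || continue
        case $url in
            https://*) ;;
            *) echo "FAIL: $d does not use https: $url"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files for this example. The truststore is a header-only
# placeholder; a real server_ca.pem carries the base64 body of the CA
# certificate between these two lines.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf -- '-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n' > "$tmp/server_ca.pem"

GOOD_CONF=$tmp/pam_azf.good.conf
cat > "$GOOD_CONF" <<EOF
# Clean configuration in the format shown on this page
TRUSTEDCAS = $tmp/server_ca.pem
MFA-URL = https://mfa.example.com:6793/policyAuth/
MFA-URL2 = https://mfa2.example.com:6793/policyAuth/
EOF

# Same file with a trailing space after MFA-URL and a plain-http fallback.
BAD_CONF=$tmp/pam_azf.bad.conf
printf 'TRUSTEDCAS = %s/server_ca.pem\nMFA-URL = https://mfa.example.com:6793/policyAuth/ \nMFA-URL2 = http://mfa2.example.com:6793/policyAuth/\n' \
    "$tmp" > "$BAD_CONF"

check_pam_azf_conf "$GOOD_CONF" && echo "OK: $GOOD_CONF"
check_pam_azf_conf "$BAD_CONF" || echo "rejected: $BAD_CONF"
```

Run it as root against the real file with `check_pam_azf_conf /etc/security/azf/pam_azf.conf` after sourcing the functions; it reports findings on stdout and returns non-zero when anything needs fixing, so it can sit in a configuration-management handler before the PAM stack is enabled.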