Editing the IBM MFA PAM modules
The IBM® MFA PAM modules are the IBM MFA authentication mechanism on the client system. You must configure these modules before IBM MFA can authenticate users.
About this task
Note: Do not add preceding or trailing spaces to an entry. They can result in an Error processing MFA request error.
To edit the configuration file for the IBM MFA PAM modules, complete the following steps:
- Use an editor of your choice to edit the /etc/security/azf/pam_azf.conf file on the IBM MFA client system.
The pam_azf.conf file has the following format:
    # The TRUSTEDCAS directive is required. It specifies the fully-qualified
    # path to file containing a concatenation of PEM-format X.509 certificates.
    TRUSTEDCAS = /etc/security/mfa/certificates/server_ca.pem

    # The MFA-URL directive is required. It specifies the URL of the
    # MFA server. Optionally, MFA-URL2 and MFA-URL3 can be used to
    # specify fallback servers.
    MFA-URL = https://mfa.example.com:6793/policyAuth/
    #MFA-URL2 = https://mfa2.example.com:6793/policyAuth/
    #MFA-URL3 = https://mfa3.example.com:6793/policyAuth/

    # When enabled, CTC-PROMPT-ONLY instructs the PAM module to only support CTC
    # credentials, and disables support for policy based in-band authentication.
    CTC-PROMPT-ONLY = Y
- In the TRUSTEDCAS field, specify the fully-qualified path of the client truststore you configured in Creating the client truststore (server_ca.pem in the example).
Note: If you create your own root CA certificate for testing purposes as described in Optional: Creating test root and server certificates, use that certificate (myCA.pem in the examples) for the truststore.
- Specify the fully-qualified host name (or IP address) and port number of the IBM MFA server in the MFA-URL field, keeping the https scheme and the /policyAuth/ path shown in the example. MFA-URL2 and MFA-URL3 are optional and name fallback servers. If you want to replicate IBM MFA, contact IBM support.
- To require users to log in with a cache token credential (CTC) and not with policy-based in-band authentication, set CTC-PROMPT-ONLY = Y; see Enabling only IBM MFA Out-of-Band login.
- Save the changes.
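The following pre-flight check is an added example written for this page; it is not part of IBM MFA or its documentation. It encodes only the rules stated above: TRUSTEDCAS and MFA-URL are required, MFA-URL2 and MFA-URL3 are optional fallbacks, the TRUSTEDCAS file must exist and contain PEM certificates, and no entry may carry leading or trailing spaces (the cause of the Error processing MFA request error). Requiring an https:// scheme on every MFA-URL value is this script's own policy, chosen because the page's examples are https and the truststore exists to verify that TLS peer. The sample pam_azf.conf files and the placeholder server_ca.pem it writes to a temporary directory are constructed inputs, not files from a real installation.

```shell
#!/bin/sh
# Added pre-flight check for pam_azf.conf (example code, not part of IBM MFA).
# Rules enforced are those stated on the page; the https:// requirement on
# MFA-URL* values is this script's own policy.

tab=$(printf '\t')

# check_url LOCATION URL: succeed only for an https:// URL.
check_url() {
    case "$2" in
        https://*) return 0 ;;
        *) echo "$1: MFA-URL values must start with https://, got [$2]" >&2
           return 1 ;;
    esac
}

# check_pam_azf_conf FILE: return 0 if FILE passes every check, 1 otherwise.
# Findings go to stderr, one per line, prefixed with FILE:LINE.
check_pam_azf_conf() {
    conf=$1; rc=0; have_cas=0; have_url=0; lineno=0
    [ -r "$conf" ] || { echo "$conf: not readable" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -n "$line" ] || continue
        # Preceding/trailing spaces on an entry cause "Error processing MFA
        # request", so test the raw line before trimming it.
        case "$line" in
            ' '*|*' '|"$tab"*|*"$tab")
                echo "$conf:$lineno: leading/trailing whitespace in [$line]" >&2
                rc=1 ;;
        esac
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$trimmed" in '#'*) continue ;; esac        # comment line
        case "$trimmed" in
            *=*) ;;
            *) echo "$conf:$lineno: expected KEY = VALUE, got [$line]" >&2
               rc=1; continue ;;
        esac
        key=$(printf '%s' "$trimmed" | sed 's/[[:space:]]*=.*$//')
        val=$(printf '%s' "$trimmed" | sed 's/^[^=]*=[[:space:]]*//')
        [ -n "$val" ] || { echo "$conf:$lineno: $key has an empty value" >&2; rc=1; continue; }
        case "$key" in
            TRUSTEDCAS)
                have_cas=1
                if [ ! -r "$val" ]; then
                    echo "$conf:$lineno: TRUSTEDCAS file $val is not readable" >&2; rc=1
                elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$val"; then
                    echo "$conf:$lineno: $val contains no PEM certificate" >&2; rc=1
                fi ;;
            MFA-URL) have_url=1; check_url "$conf:$lineno" "$val" || rc=1 ;;
            MFA-URL2|MFA-URL3) check_url "$conf:$lineno" "$val" || rc=1 ;;
            CTC-PROMPT-ONLY) ;;   # page documents only the value Y; not validated here
            *) echo "$conf:$lineno: note: $key is not a directive documented on this page" >&2 ;;
        esac
    done < "$conf"
    [ "$have_cas" -eq 1 ] || { echo "$conf: TRUSTEDCAS is required" >&2; rc=1; }
    [ "$have_url" -eq 1 ] || { echo "$conf: MFA-URL is required" >&2; rc=1; }
    return "$rc"
}

# --- Constructed sample inputs (not files from a real IBM MFA installation) ---
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
CA="$TMP/server_ca.pem"   # stand-in truststore with a placeholder PEM body, not a real certificate
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----' > "$CA"

GOOD="$TMP/pam_azf.conf"  # mirrors the layout shown on the page
cat > "$GOOD" <<EOF
# Constructed example following the page's layout.
TRUSTEDCAS = $CA
MFA-URL = https://mfa.example.com:6793/policyAuth/
#MFA-URL2 = https://mfa2.example.com:6793/policyAuth/
CTC-PROMPT-ONLY = Y
EOF

BAD="$TMP/pam_azf_bad.conf"  # trailing space after MFA-URL and an http:// fallback
{
    printf 'TRUSTEDCAS = %s\n' "$CA"
    printf 'MFA-URL = https://mfa.example.com:6793/policyAuth/ \n'
    printf 'MFA-URL2 = http://mfa2.example.com:6793/policyAuth/\n'
} > "$BAD"

for f in "$GOOD" "$BAD"; do
    if check_pam_azf_conf "$f"; then echo "$f: OK"; else echo "$f: FAILED"; fi
done
```

Run it as root on the client after editing the file, or point check_pam_azf_conf at /etc/security/azf/pam_azf.conf directly; a non-zero exit means at least one finding was printed to stderr and the file should be corrected before the PAM module is enabled.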