Completing the self-enrollment
Allowing users to self-enroll their YubiKey token on the web enrollment page lets you activate users for Yubico OTP authentication without assigning tokens to them yourself. Use the self-enrollment process when you do not need to control which specific YubiKey token each user has.
About this task
Note: As described in the YubiKey documentation, the Yubico OTP generated by the YubiKey token represents a single authentication factor. It is recommended that you use Yubico OTP together with compound in-band authentication or with another factor in IBM® MFA Out-of-Band authentication.
Procedure
- Add the /usr/lpp/IBM/azfv2r2/bin/ directory to your PATH:
export PATH=/usr/lpp/IBM/azfv2r2/bin:${PATH}
- Create an input file that provisions the users for Yubico OTP, one user per line. Each line has three space-separated fields: the user name, the policy name, and the factor name AZFYUBI1:
user-name policy-name AZFYUBI1
user-name policy-name AZFYUBI1
user-name policy-name AZFYUBI1
user-name policy-name AZFYUBI1
user-name policy-name AZFYUBI1
There are many ways to create this file, depending on your environment. For example, you can edit z/OS® UNIX files with the TSO/E OEDIT command, which invokes ISPF File Edit, or by selecting File Edit on the ISPF menu if it is installed. In a shell, you can use the ed and sed editors, or the oedit shell command to invoke ISPF File Edit. If you are using TSO/E OMVS, OEDIT creates a new file or edits an existing one.
For example:
USERA YUBI1 AZFYUBI1
USERB YUBIONLY AZFYUBI1
USERC YUBIONLY AZFYUBI1
USERD YUBIONLY AZFYUBI1
USERE YUBIONLY AZFYUBI1
USERF YUBIONLY AZFYUBI1
- Run the azfbulk program without the COMMIT parameter to generate the azfprov1.sh script for review:
azfbulk input-file
- Check the resulting azfprov1.sh file for errors. azfprov1.sh invokes azfbulkcmd.sh, which is where you make any customizations needed for an ESM other than RACF; no changes to azfbulkcmd.sh are required if you are using RACF.
Important: azfbulk also generates an azfprov2.sh file that is neither needed nor functional in this workflow. Do not run azfprov2.sh.
- Correct any errors in your input file and re-run azfbulk. Repeat as needed.
- When you are satisfied with the azfprov1.sh script, run the azfbulk program with the COMMIT parameter:
azfbulk input-file COMMIT
- Run the azfprov1.sh shell script:
sh azfprov1.sh
- Instruct the user to insert the YubiKey into a USB port on their Windows system.
- Instruct the user to open the YubiKey Enrollment page:
Note: Enable YubiKey Enrollment must be set to Y, as described in Configure IBM MFA web services started task.
https://server-name:port/AZFYUBI1/enroll
Instruct the user to provide their user name and password, and then to tap the YubiKey so that it types an OTP into the YubiKey OTP field. Remind users that a YubiKey token programmed in Configuration Slot 2 requires a long press. The user receives a message that the YubiKey was associated with their account:
Information: Your YubiKey device was successfully associated with your account.
- Enter the following command to display the IBM MFA information for the user profile. After enrollment, the REGSTATE tag is CONFIRMED and the factor STATUS is ACTIVE. (The key material shown is for example purposes only.)
LISTUSER [Login ID] MFA
FACTOR = AZFYUBI1    STATUS = ACTIVE
  FACTOR TAGS = REGSTATE:CONFIRMED
    SERIAL:6489515
    PUBNAME:lcefiedkcvjcfdvgirifrvcndbgvkfdj
    PRIVID:i2l2hzz4mCqbkZPtyrxYJKDuBx3R37lakyk/y6uc9HY=
    SECRET:CfWgi/DhJXxgWF1ko9OATQxT+4OxO6LtLVPxw3IQKruqhubXIBqU2wIPZCBu3Ymf
    CREATED:2018-07-31T18:40:00
    MODIFIED:1535468661
    YKCTR:9
    YKUSE:2
    YKTSL:43480
    YKTSH:106
Because this output includes the token's key material (the PRIVID and SECRET tags), restrict who can issue LISTUSER with the MFA keyword for these profiles, and do not leave captured output in logs, spool files, or shared data sets.
- If needed, deactivate a user for Yubico OTP with the following command:
ALU [Login ID] MFA(FACTOR(AZFYUBI1) NOACTIVE)
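Two points in the procedure above are where a mistake is expensive: a malformed input file goes straight into azfbulk, and successful enrollment is confirmed only by reading LISTUSER output by eye. The following script is an added example, not part of IBM MFA or its azfbulk tooling. It validates an input file in the documented format (user-name policy-name AZFYUBI1, one entry per line) before you run azfbulk, and checks a captured LISTUSER ... MFA output for STATUS = ACTIVE together with the REGSTATE:CONFIRMED tag. The user IDs, policy names and the LISTUSER capture it writes are constructed samples; the functions run under /bin/sh with any POSIX awk, including the z/OS UNIX shell.

```shell
#!/bin/sh
# Added example; not part of IBM MFA or its azfbulk tooling. Assumes the input
# file format documented above (user-name policy-name AZFYUBI1, one entry per
# line) and the LISTUSER ... MFA layout shown above. All user IDs, policy names
# and the LISTUSER capture written by azf_write_samples are constructed.

FACTOR_NAME=AZFYUBI1

# Pre-flight check of an azfbulk input file. Flags lines that do not have
# exactly three fields, a third field other than AZFYUBI1, user IDs longer than
# the RACF limit of 8 characters or not in uppercase, and user IDs listed more
# than once. Prints one line per problem plus a summary; returns 0 only when
# the file is clean, so it can gate the azfbulk call.
azf_check_input() {
    awk -v factor="$FACTOR_NAME" '
        BEGIN { total = 0; bad = 0 }
        /^[ \t]*$/ { next }
        { total++ }
        NF != 3 { printf "line %d: expected 3 fields, got %d\n", NR, NF; bad++; next }
        $3 != factor { printf "line %d: third field must be %s, got %s\n", NR, factor, $3; bad++ }
        length($1) > 8 { printf "line %d: user ID %s is longer than 8 characters\n", NR, $1; bad++ }
        toupper($1) != $1 { printf "line %d: user ID %s is not uppercase\n", NR, $1; bad++ }
        seen[toupper($1)]++ { printf "line %d: user ID %s appears more than once\n", NR, $1; bad++ }
        END { printf "%d entries checked, %d problems\n", total, bad; exit (bad > 0) }
    ' "$1"
}

# Post-enrollment check of captured "LISTUSER user MFA" output. Returns 0 when
# the AZFYUBI1 factor block reports STATUS = ACTIVE and carries the
# REGSTATE:CONFIRMED tag, 1 otherwise. A block runs from its "FACTOR =" line
# to the next "FACTOR =" line, so tags on the indented lines that follow count.
azf_is_enrolled() {
    awk -v factor="$FACTOR_NAME" '
        /^ *FACTOR = / { inblk = ($3 == factor) }
        inblk && /STATUS = ACTIVE/ { active = 1 }
        inblk && /REGSTATE:CONFIRMED/ { confirmed = 1 }
        END { exit (active && confirmed) ? 0 : 1 }
    ' "$1"
}

# Write constructed sample files into directory $1: a clean input file, one
# with typical mistakes, and two LISTUSER captures (enrolled and not enrolled).
azf_write_samples() {
    cat > "$1/good.txt" <<'EOF'
USERA YUBI1 AZFYUBI1
USERB YUBIONLY AZFYUBI1
EOF
    cat > "$1/bad.txt" <<'EOF'
USERA YUBI1 AZFYUBI1
usera YUBI1 AZFYUBI1
USERB YUBIONLY
USERC YUBIONLY AZFYUBI
EOF
    cat > "$1/listuser.txt" <<'EOF'
FACTOR = AZFYUBI1    STATUS = ACTIVE
  FACTOR TAGS = REGSTATE:CONFIRMED
    SERIAL:6489515
EOF
    cat > "$1/pending.txt" <<'EOF'
FACTOR = AZFYUBI1    STATUS = ACTIVE
  FACTOR TAGS =
EOF
}

# Stand-alone run: build the samples in a scratch directory and report.
scratch="${TMPDIR:-/tmp}/azfcheck.$$"
mkdir -p "$scratch" && azf_write_samples "$scratch"
for f in good.txt bad.txt; do
    if azf_check_input "$scratch/$f"; then
        echo "$f: clean, safe to pass to azfbulk"
    else
        echo "$f: fix the lines above before running azfbulk"
    fi
done
if azf_is_enrolled "$scratch/listuser.txt"; then
    echo "listuser.txt: AZFYUBI1 is ACTIVE and REGSTATE:CONFIRMED"
fi
rm -rf "$scratch"
```

To use it on a real system, run azf_check_input against your input file and only call azfbulk when it returns 0; after the user finishes the enrollment page, capture the LISTUSER output to a file and pass it to azf_is_enrolled. Delete that capture afterwards, since it contains the key material discussed above.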