Completing the self-enrollment

Allowing users to self-enroll their YubiKey token on the web enrollment page lets you activate users for Yubico OTP authentication. Use the self-enrollment process when you do not need to control which user has which specific YubiKey token.

About this task

Note: As described in the YubiKey documentation, the Yubico OTP generated by the YubiKey token represents a single authentication factor. It is recommended that you use Yubico OTP together with compound in-band authentication or with another factor in IBM® MFA Out-of-Band authentication.

Procedure

  1. Add the /usr/lpp/IBM/azfv2r2/bin/ directory to your PATH.
    export PATH=/usr/lpp/IBM/azfv2r2/bin:${PATH}
  2. Create an input file in the following format to provision users for Yubico OTP:
    user-name policy-name AZFYUBI1
    user-name policy-name AZFYUBI1
    user-name policy-name AZFYUBI1
    user-name policy-name AZFYUBI1
    user-name policy-name AZFYUBI1

    There are many ways to accomplish this step, depending on your environment. For example, you can edit z/OS® UNIX files by using the TSO/E OEDIT command to invoke ISPF File Edit or by selecting File Edit on the ISPF menu, if it is installed. In a shell, you can use the ed and sed editors for editing z/OS UNIX files. You can use the oedit shell command to invoke ISPF File Edit.

    If you are using TSO/E OMVS, you can use OEDIT to create a new file or edit an existing one.

    For example:

    USERA YUBI1 AZFYUBI1
    USERB YUBIONLY AZFYUBI1
    USERC YUBIONLY AZFYUBI1
    USERD YUBIONLY AZFYUBI1
    USERE YUBIONLY AZFYUBI1
    USERF YUBIONLY AZFYUBI1
    
  3. Run the azfbulk program without the COMMIT parameter.
    azfbulk input-file
  4. Check the resulting azfprov1.sh file for errors. azfprov1.sh invokes azfbulkcmd.sh, which allows you to make any needed customizations if you are using an ESM other than RACF. No changes to azfbulkcmd.sh are required if you are using RACF.
    Important: azfbulk generates an azfprov2.sh file that is not needed or functional in this workflow. Do not run the azfprov2.sh file.
  5. Correct any errors in your input file and re-run azfbulk. Repeat as needed.
  6. When you are satisfied with the azfprov1.sh script, run the azfbulk program with the COMMIT parameter.
    azfbulk input-file COMMIT
  7. Run the azfprov1.sh shell script.
    sh azfprov1.sh
  8. Instruct the user to insert the YubiKey into a USB port on their Windows system.
  9. Instruct the user to launch the YubiKey Enrollment page:
    Note: Enable YubiKey Enrollment must be set to Y, as described in Configure IBM MFA web services started task.
    https://server-name:port/AZFYUBI1/enroll
    Instruct the user to provide their user name and password, and to tap the YubiKey to generate an OTP in the YubiKey OTP field. Remind users that a YubiKey token configured in Configuration Slot 2 requires a long press to generate the OTP.
    The user receives a message that the YubiKey was associated with their account.
    Information
    Your YubiKey device was successfully associated with your account.
  10. Enter the following command to display IBM MFA information for a user profile. Note that the REGSTATE changes to CONFIRMED and the factor state changes to ACTIVE. (The key material is for example purposes only.)
    LISTUSER [Login ID] MFA
    FACTOR = AZFYUBI1
       STATUS = ACTIVE
       FACTOR TAGS =
         REGSTATE:CONFIRMED
         SERIAL:6489515
         PUBNAME:lcefiedkcvjcfdvgirifrvcndbgvkfdj
         PRIVID:i2l2hzz4mCqbkZPtyrxYJKDuBx3R37lakyk/y6uc9HY=
         SECRET:CfWgi/DhJXxgWF1ko9OATQxT+4OxO6LtLVPxw3IQKruqhubXIBqU2wIPZCBu3Y
           mf
         CREATED:2018-07-31T18:40:00
         MODIFIED:1535468661
         YKCTR:9
         YKUSE:2
         YKTSL:43480
         YKTSH:106
  11. If needed, enter the following commands to deactivate a user for Yubico OTP:
    ALU [Login ID] MFA(FACTOR(AZFYUBI1) NOACTIVE)
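The following z/OS UNIX shell script is an added example; it is not part of the IBM MFA documentation or of the azfbulk tooling. It shows two checks that bracket the procedure above: a validation of the azfbulk input file against the documented user-name policy-name AZFYUBI1 format before the COMMIT run in step 6, and a parse of the LISTUSER ... MFA output from step 10 that confirms the AZFYUBI1 factor is ACTIVE with REGSTATE:CONFIRMED. The user ID rules it applies (1 to 8 characters from A-Z, 0-9, #, @ and $) are RACF's general rules and are not stated on this page; the policy-name field is checked only for presence. The two sample input files and the "pending" LISTUSER record are constructed; the confirmed record is the page's own step 10 example.

```shell
#!/bin/sh
# Added example: pre- and post-provisioning checks for Yubico OTP self-enrollment.
# Not part of IBM MFA or azfbulk. Assumption (RACF's general rule, not stated on
# this page): a user ID is 1-8 characters from A-Z, 0-9, #, @ and $.

# Usage: check_azfbulk_input < input-file
# Checks every line against the documented "user-name policy-name AZFYUBI1"
# format, prints one diagnostic per defect on stderr, and returns 0 only when
# the whole file is clean, i.e. ready for "azfbulk input-file COMMIT".
check_azfbulk_input() {
    rc=0 lineno=0 seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line                      # split the line into its fields
        if [ $# -ne 3 ]; then
            echo "line $lineno: expected 3 fields (user-name policy-name AZFYUBI1), got $#" >&2
            rc=1
            continue
        fi
        user=$1 factor=$3
        case $user in                     # any character outside the RACF set
            *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#@'$']*)
                echo "line $lineno: '$user' is not an upper-case RACF user ID" >&2
                rc=1 ;;
        esac
        if [ ${#user} -gt 8 ]; then
            echo "line $lineno: '$user' is longer than 8 characters" >&2
            rc=1
        fi
        if [ "$factor" != AZFYUBI1 ]; then
            echo "line $lineno: third field must be AZFYUBI1, got '$factor'" >&2
            rc=1
        fi
        case " $seen " in                 # the same user listed twice
            *" $user "*)
                echo "line $lineno: '$user' appears more than once" >&2
                rc=1 ;;
        esac
        seen="$seen $user"
    done
    return $rc
}

# Usage: check_yubi_enrollment < listuser-output
# Reads the output of "LISTUSER user-id MFA" and returns 0 only when the AZFYUBI1
# factor shows STATUS = ACTIVE and the tag REGSTATE:CONFIRMED, the state the page
# describes once the user has finished web self-enrollment. Indentation and
# trailing blanks in the LISTUSER layout are ignored.
check_yubi_enrollment() {
    in_factor=0 status="" regstate=""
    while IFS= read -r line; do
        set -- $line
        [ $# -gt 0 ] || continue
        case "$1 $2 $3" in
            "FACTOR = AZFYUBI1") in_factor=1 ;;
            "FACTOR = "*)        in_factor=0 ;;   # tags of another factor begin
        esac
        [ $in_factor -eq 1 ] || continue
        case "$*" in
            "STATUS = "*) status=$3 ;;
            REGSTATE:*)   regstate=${1#REGSTATE:} ;;
        esac
    done
    [ "$status" = ACTIVE ] && [ "$regstate" = CONFIRMED ]
}

# Constructed sample input in the documented format (not a real provisioning file).
SAMPLE_INPUT_GOOD='USERA YUBI1 AZFYUBI1
USERB YUBIONLY AZFYUBI1
USERC YUBIONLY AZFYUBI1'

# Constructed sample with the mistakes a pre-COMMIT review should catch: a
# lower-case ID, a 9-character ID, a wrong factor name, a duplicate, a short line.
SAMPLE_INPUT_BAD='usera YUBI1 AZFYUBI1
USERLONG9 YUBIONLY AZFYUBI1
USERC YUBIONLY YUBIKEY
USERD YUBIONLY AZFYUBI1
USERD YUBIONLY AZFYUBI1
USERE YUBIONLY'

# The LISTUSER output shown in step 10 (abridged; values are the page's example data).
SAMPLE_LISTUSER_CONFIRMED='FACTOR = AZFYUBI1
   STATUS = ACTIVE
   FACTOR TAGS =
     REGSTATE:CONFIRMED
     SERIAL:6489515
     CREATED:2018-07-31T18:40:00'

# Constructed negative case: the REGSTATE:CONFIRMED tag is absent. This is only a
# test input for the check, not a claim about what LISTUSER prints before enrollment.
SAMPLE_LISTUSER_PENDING='FACTOR = AZFYUBI1
   STATUS = ACTIVE
   FACTOR TAGS =
     SERIAL:6489515'

run_demo() {
    printf '%s\n' "$SAMPLE_INPUT_GOOD" | check_azfbulk_input &&
        echo "input file is clean; safe to run: azfbulk input-file COMMIT"
    printf '%s\n' "$SAMPLE_INPUT_BAD" | check_azfbulk_input ||
        echo "correct the input file and re-run azfbulk (step 5)"
    printf '%s\n' "$SAMPLE_LISTUSER_CONFIRMED" | check_yubi_enrollment &&
        echo "AZFYUBI1 is ACTIVE with REGSTATE:CONFIRMED; enrollment complete"
    printf '%s\n' "$SAMPLE_LISTUSER_PENDING" | check_yubi_enrollment ||
        echo "AZFYUBI1 enrollment not yet confirmed"
}
run_demo
```

Run the first check against the real input file before step 6 (`check_azfbulk_input < input-file`) so that azfbulk is only committed once the file is clean, and pipe the step 10 LISTUSER output into the second check to confirm each provisioned user has completed enrollment; a user whose factor is not yet CONFIRMED has not finished step 9.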