Ingesting the .csv configuration file

You ingest the .csv configuration file in to the IBM® MFA database, and then activate users.

Before you begin

Note: Ensure that you have the following access, as described in Configuring a PKCS#11 token.
  • CONTROL access to the SO.token_name profile that protects the token.
  • UPDATE access to the USER.token_name profile that protects the token.
Note: As described in the YubiKey documentation, the Yubico OTP generated by the YubiKey token represents a single authentication factor. It is recommended that you use Yubico OTP together with compound in-band authentication or with another factor in IBM MFA Out-of-Band authentication.

About this task

The azfyubi1_ingest command has the parameters shown in Table 1.
Table 1. azfyubi1_ingest Parameters
Parameter Description
SCAN Iterates over the entire input file, attempts to validate each line as a Yubico format token descriptor, and determines whether an IBM MFA record already exists for the parsed token Public ID. Must be in uppercase.
INGEST mode without COMMIT Includes the SCAN behavior, and indicates which IBM MFA record additions would have been made. Must be in uppercase.
INGEST mode with COMMIT Includes the SCAN behavior, and indicates which IBM MFA record additions were made. Must be in uppercase.
CLEAN mode without COMMIT Includes the SCAN behavior, and indicates which IBM MFA record deletions would have been made. Must be in uppercase.
CLEAN mode with COMMIT Includes the SCAN behavior, and indicates which IBM MFA record deletions were made. Must be in uppercase.

Procedure

  1. Add the /usr/lpp/IBM/azfv2r2/bin/ directory to your PATH.
    export PATH=/usr/lpp/IBM/azfv2r2/bin:${PATH}
  2. Run the ./azfyubi1_ingest program with the SCAN parameter and check for errors. The output is for example purposes and contains only one CSV record.
    ./azfyubi1_ingest yubikey.csv SCAN
    Proceeding in SCAN mode
    AZF Yubico OTP Settings:
      PKCS#11 Token Name: AZFTOTP.TOKEN
      PKCS#11 Key Label:  AZFYUBI1.AESKEY
    
    Ingest Utility Results:
      Addressed the specified PKCS#11 token: Yes
      Addressed the specified key record:    Yes
      Last PKCS#11 return/reason codes:      p11rc=0, p11rsn=0x0
      Valid CSV records in input file:       1
        Those with PubID already in TKDS:    0
      Number of TKDS records written:        0
      Number of TKDS records deleted:        0
    Total input file lines processed: 1
    
  3. Run the ./azfyubi1_ingest program with the INGEST parameter without the COMMIT parameter and check for errors.
    ./azfyubi1_ingest yubikey.csv INGEST
    Proceeding in INGEST mode with committing OFF
    Skipped attempt to create a new TKDS record for token with 
       public ID vvjkeehkbkuj
    AZF Yubico OTP Settings:
      PKCS#11 Token Name: AZFTOTP.TOKEN
      PKCS#11 Key Label:  AZFYUBI1.AESKEY
    
    Ingest Utility Results:
      Addressed the specified PKCS#11 token: Yes
      Addressed the specified key record:    Yes
      Last PKCS#11 return/reason codes:      p11rc=0, p11rsn=0x0
      Valid CSV records in input file:       1
        Those with PubID already in TKDS:    0
      Number of TKDS records written:        0
      Number of TKDS records deleted:        0
    Total input file lines processed: 1
    
    Tip: The following error indicates that you do not have sufficient access to a required CSFSERV or CRYPTOZ resource profile.
    AZFYUBI:AZF9547E Failed to encrypt sensitive AZFYUBI data 
    Failed to create a new TKDS record for token with public ID vvjkeehkbkuj, 
    input line 1
    
    See AZF9547E for additional information about this message.
  4. Run the ./azfyubi1_ingest program with the INGEST parameter with the COMMIT parameter.
    ./azfyubi1_ingest yubikey.csv INGEST
    COMMIT
    Proceeding in INGEST mode with committing ON
    Added a new TKDS record 0000011C for token with public ID vvjkeehkbkuj
    AZF Yubico OTP Settings:
      PKCS#11 Token Name: AZFTOTP.TOKEN
      PKCS#11 Key Label:  AZFYUBI1.AESKEY
    
    Ingest Utility Results:
      Addressed the specified PKCS#11 token: Yes
      Addressed the specified key record:    Yes
      Last PKCS#11 return/reason codes:      p11rc=0, p11rsn=0x0
      Valid CSV records in input file:       1
        Those with PubID already in TKDS:    0
      Number of TKDS records written:        1
      Number of TKDS records deleted:        0
    Total input file lines processed: 1