You ingest the .csv configuration file into the IBM® MFA database, and then activate users.
Before you begin
Note: Ensure that you have the following access, as described in Configuring a PKCS#11 token.
- CONTROL access to the SO.token_name profile that protects the token.
- UPDATE access to the USER.token_name profile that protects the token.
Note: As described in the YubiKey documentation, the Yubico OTP generated by the YubiKey token
represents a single authentication factor. It is recommended that you use Yubico OTP together with compound in-band authentication or with another factor
in IBM MFA Out-of-Band authentication.
About this task
The azfyubi1_ingest command has the parameters shown in Table 1.
Table 1. azfyubi1_ingest Parameters
Parameter | Description
SCAN | Iterates over the entire input file, attempts to validate each line as a Yubico format token descriptor, and determines whether an IBM MFA record already exists for the parsed token Public ID. Must be in uppercase.
INGEST mode without COMMIT | Includes the SCAN behavior, and indicates which IBM MFA record additions would have been made. Must be in uppercase.
INGEST mode with COMMIT | Includes the SCAN behavior, and indicates which IBM MFA record additions were made. Must be in uppercase.
CLEAN mode without COMMIT | Includes the SCAN behavior, and indicates which IBM MFA record deletions would have been made. Must be in uppercase.
CLEAN mode with COMMIT | Includes the SCAN behavior, and indicates which IBM MFA record deletions were made. Must be in uppercase.
Procedure
- Add the /usr/lpp/IBM/azfv2r2/bin/ directory to your PATH.
export PATH=/usr/lpp/IBM/azfv2r2/bin:${PATH}
- Run the ./azfyubi1_ingest program with the SCAN parameter and check for errors. The output is for example purposes and contains only one CSV record.
./azfyubi1_ingest yubikey.csv SCAN
Proceeding in SCAN mode
AZF Yubico OTP Settings:
PKCS#11 Token Name: AZFTOTP.TOKEN
PKCS#11 Key Label: AZFYUBI1.AESKEY
Ingest Utility Results:
Addressed the specified PKCS#11 token: Yes
Addressed the specified key record: Yes
Last PKCS#11 return/reason codes: p11rc=0, p11rsn=0x0
Valid CSV records in input file: 1
Those with PubID already in TKDS: 0
Number of TKDS records written: 0
Number of TKDS records deleted: 0
Total input file lines processed: 1
- Run the ./azfyubi1_ingest program with the INGEST parameter without the COMMIT parameter and check for errors.
./azfyubi1_ingest yubikey.csv INGEST
Proceeding in INGEST mode with committing OFF
Skipped attempt to create a new TKDS record for token with
public ID vvjkeehkbkuj
AZF Yubico OTP Settings:
PKCS#11 Token Name: AZFTOTP.TOKEN
PKCS#11 Key Label: AZFYUBI1.AESKEY
Ingest Utility Results:
Addressed the specified PKCS#11 token: Yes
Addressed the specified key record: Yes
Last PKCS#11 return/reason codes: p11rc=0, p11rsn=0x0
Valid CSV records in input file: 1
Those with PubID already in TKDS: 0
Number of TKDS records written: 0
Number of TKDS records deleted: 0
Total input file lines processed: 1
Tip: The following error indicates that you do not have sufficient access to a required
CSFSERV or CRYPTOZ resource profile.
AZFYUBI:AZF9547E Failed to encrypt sensitive AZFYUBI data
Failed to create a new TKDS record for token with public ID vvjkeehkbkuj,
input line 1
See AZF9547E for additional information about this message.
- Run the ./azfyubi1_ingest program with the INGEST parameter with the COMMIT parameter.
./azfyubi1_ingest yubikey.csv INGEST COMMIT
Proceeding in INGEST mode with committing ON
Added a new TKDS record 0000011C for token with public ID vvjkeehkbkuj
AZF Yubico OTP Settings:
PKCS#11 Token Name: AZFTOTP.TOKEN
PKCS#11 Key Label: AZFYUBI1.AESKEY
Ingest Utility Results:
Addressed the specified PKCS#11 token: Yes
Addressed the specified key record: Yes
Last PKCS#11 return/reason codes: p11rc=0, p11rsn=0x0
Valid CSV records in input file: 1
Those with PubID already in TKDS: 0
Number of TKDS records written: 1
Number of TKDS records deleted: 0
Total input file lines processed: 1
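The procedure relies on reading the dry-run report before rerunning with COMMIT. The following shell functions are an added example, not part of the IBM MFA product or its documentation, that automates that check on captured output. The function names (field, check_report), the sample variables, and the pass/fail policy are assumptions; the field labels are taken from the sample output above.

```shell
#!/bin/sh
# Added example: gate the COMMIT step on a clean dry-run report.
# Labels come from the sample output above; the policy is an assumption.
# Real use: check_report "$(azfyubi1_ingest yubikey.csv INGEST 2>&1)"

# field REPORT LABEL: print the value that follows "LABEL:" (first match).
field() {
    printf '%s\n' "$1" | sed -n "s|^[[:space:]]*$2:[[:space:]]*||p" | head -n 1
}

# check_report REPORT: print each problem found; return 0 only if none.
check_report() {
    report=$1
    rc=0
    # An AZFnnnnE message ID (such as AZF9547E) marks a failed operation.
    if printf '%s\n' "$report" | grep -Eq 'AZF[0-9]{4}E'; then
        echo "error message present in output"; rc=1
    fi
    [ "$(field "$report" 'Addressed the specified PKCS#11 token')" = "Yes" ] ||
        { echo "PKCS#11 token not addressed"; rc=1; }
    [ "$(field "$report" 'Addressed the specified key record')" = "Yes" ] ||
        { echo "key record not addressed"; rc=1; }
    case "$(field "$report" 'Last PKCS#11 return/reason codes')" in
        "p11rc=0, p11rsn=0x0") ;;
        *) echo "unexpected PKCS#11 return/reason codes"; rc=1 ;;
    esac
    valid=$(field "$report" 'Valid CSV records in input file')
    total=$(field "$report" 'Total input file lines processed')
    # Assumed policy: every input line must parse as a token descriptor.
    if [ -z "$valid" ] || [ "$valid" != "$total" ]; then
        echo "valid records ($valid) differ from lines processed ($total)"; rc=1
    fi
    return "$rc"
}

# Constructed sample reports, abridged from the output shown on this page.
GOOD_REPORT='Proceeding in INGEST mode with committing OFF
Addressed the specified PKCS#11 token: Yes
Addressed the specified key record: Yes
Last PKCS#11 return/reason codes: p11rc=0, p11rsn=0x0
Valid CSV records in input file: 1
Total input file lines processed: 1'
BAD_REPORT="AZFYUBI:AZF9547E Failed to encrypt sensitive AZFYUBI data
$GOOD_REPORT"

check_report "$GOOD_REPORT" && echo "dry run clean: rerun with INGEST COMMIT"
check_report "$BAD_REPORT" || echo "do not commit until the problems are fixed"
```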