Configuring server options

Most of the initial settings for the IBM® MFA server are derived from running the mfa_webserver_config utility. You must configure the remaining settings on the IBM MFA GUI Server Options pane.

About this task

If you make a change to the IBM MFA server settings, the GUI immediately reflects the change but the change does not take effect until you restart the IBM MFA server. In this instance, the GUI indicates the runtime value that is currently in use.

To configure the server options, complete the following steps:

Procedure

  1. In the IBM MFA GUI, click Settings.
  2. Select Server Options.
  3. Specify the following settings to configure the IBM MFA server.
    Table 1. Server Options

    Initial Trace Level
      Allowed values: 0 - 3
      Description: Choose the initial trace level. Valid values are 0 - 3, where the higher number increases the level of verbosity. The default value is 0.

    Prefer client-side CTC display
      Allowed values: On or Off
      Description: When this setting is On, the CTC is displayed. When this setting is Off, the CTC is masked for additional security to prevent it from being observed. The default is On. The user has the option to display a masked CTC on the IBM MFA Out-of-Band page if needed.

    Enable Certificate Services
      Allowed values: On or Off
      Description: Set this to On if you plan to use the certificate authentication method. The default value is Off.

    Enable TOTP Services
      Allowed values: On or Off
      Description: Enable this setting if you plan to use TOTP as described in Configuring the TOTP authentication method.

    Enable Yubico enrollment services
      Allowed values: On or Off
      Description: Enable this setting if you plan to enable users for Yubico OTP authentication from an existing .csv configuration file.

    Enable MFA Password Services
      Allowed values: On or Off
      Description: Enables the MFA password setting for all users. The MFA password is a special password that allows the user to log in to the IBM MFA server for IBM MFA-specific actions, such as enrolling TOTP and Yubico OTP tokens. This password is unique to the IBM MFA server.

    Enable Strict PCI mode
      Allowed values: On or Off
      Description: Enable this setting if you plan to use strict PCI mode, as described in Enabling strict PCI compliance mode.

    PKCS#11 Token Name
      Allowed values: Actual PKCS#11 token name
      Description: Enter the name of the PKCS#11 token you created by completing the procedure in Configuring a PKCS#11 token. The PKCS#11 token name is required.

    Admin Session Timeout in Seconds
      Allowed values: Integer value
      Description: The amount of time that the IBM MFA session can remain inactive before the session is timed out and you must log in again. The default value is 300 seconds (5 minutes).

    Max Administrator Login Failures Before Suspension
      Allowed values: Integer value
      Description: This setting is intended to prevent brute force attacks. If the maximum failure value is exceeded, the IBM MFA administrator account is suspended until you re-enable the account with the azf_administrator_util command, as described in Resuming IBM MFA administrator IDs.

    Max CTC Check Failures Before Suspension
      Allowed values: Integer value
      Description: This setting is intended to prevent brute force CTC attacks. If the maximum failure value is exceeded, the IBM MFA user account is suspended until you re-enable the account on the User Provisioning tab. If the user already has a valid CTC when the failure count is exceeded, that CTC is invalidated. If you set this value, choose a value high enough that the user does not unintentionally exceed it in the course of normal actions, for example, 50. A value of 0 indicates that brute force CTC protection is not enabled.

    CTC Style
      Allowed values: Select from the drop-down list
      Description: Choose the CTC type that you want to use from the drop-down list. All generated CTCs use this type.

    SSL Trace Level
      Allowed values: 0 - 3
      Description: Choose the initial trace level for SSL connections. Valid values are 0 - 3, where the higher number increases the level of verbosity. The default value is 0.

    Password Hash Iteration
      Allowed values: Select from the drop-down list
      Description: The number of hash iterations made when setting, and therefore validating, IBM MFA-specific passwords. The default is 4000 hash iterations. Higher numbers of iterations result in more secure password handling at a cost of additional processing time.

    Trust Store Path
      Allowed values: Valid file specification
      Description: You need to specify this setting only if you plan to use the PIV/CAC or X.509 Certificate authentication method. See Creating the server truststore.

    PKCS#12 Server Identity Path
      Allowed values: Valid file specification
      Description: Enter the file specification of the server PKCS#12 file.

    PKCS#12 Server Identity Passphrase
      Allowed values: Valid passphrase
      Description: Enter the passphrase of the server PKCS#12 file.

    Server Auth Port
      Allowed values: Valid port number
      Description: Enter the port number on which the web server is listening.

    Mutual Auth Port
      Allowed values: Valid port number
      Description: Enter the port number, or zero. The mutual authentication port is required only if Enable Certificate Services is set to On.

    ZVM Listener Port
      Allowed values: Valid port number
      Description: Enter the port number to use for z/VM® host communications.
  4. Click Save to save your changes.
  5. Restart the IBM MFA daemon, as described in Restarting the IBM MFA server.
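The following model, added here as an illustration and not taken from IBM MFA itself, shows the lockout semantics that the Max CTC Check Failures Before Suspension setting describes: failures beyond the threshold suspend the user, an existing valid CTC is invalidated at that point, the account stays suspended until an administrator resumes it, and a threshold of 0 disables the protection. Class and method names (CtcGuard, check_ctc, resume) are assumptions for the example only.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class UserState:
    failures: int = 0           # consecutive failed CTC checks
    suspended: bool = False
    ctc: Optional[str] = None   # currently valid CTC for this user, if any


@dataclass
class CtcGuard:
    """Illustrative model of the brute-force CTC protection (not IBM's code)."""
    max_failures: int                  # table semantics: 0 means protection is off
    users: Dict[str, UserState] = field(default_factory=dict)

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def issue_ctc(self, user: str, ctc: str) -> None:
        self._state(user).ctc = ctc

    def check_ctc(self, user: str, presented: str) -> str:
        """Return 'ok', 'fail' or 'suspended' for one CTC check."""
        st = self._state(user)
        if st.suspended:
            return "suspended"
        # Constant-time comparison so the check itself leaks nothing about the CTC.
        if st.ctc is not None and hmac.compare_digest(presented, st.ctc):
            st.failures = 0
            return "ok"
        st.failures += 1
        # "If the maximum failure value is exceeded" the account is suspended;
        # a threshold of 0 never triggers, matching the documented meaning of 0.
        if self.max_failures > 0 and st.failures > self.max_failures:
            st.suspended = True
            st.ctc = None          # a valid CTC is invalidated on suspension
            return "suspended"
        return "fail"

    def resume(self, user: str) -> None:
        """Administrator re-enables the account (the User Provisioning tab)."""
        st = self._state(user)
        st.suspended = False
        st.failures = 0            # the CTC is not restored; it must be reissued
```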