Configure IBM HTTP Server - Powered by Apache

Edit the IBM® HTTP Server - Powered by Apache conf/httpd.conf file to make IBM MFA-specific changes.

Before you begin

You must satisfy the following prerequisites:
  • You must have already installed and configured IBM HTTP Server - Powered by Apache. 64-bit and 31-bit versions of V8R5 and V9R0 are supported.

    See IBM HTTP Server Powered by Apache (https://publibz.boulder.ibm.com/epubs/pdf/dpr1cg00.pdf) for installation and configuration information. In particular, see the section "Authenticating with SAF on IBM HTTP Server (z/OS® systems)."

  • You must have already configured a PKCS#11 token as described in Configure a PKCS#11 token.

Procedure

  1. For V8R5 only, add (or uncomment) the following directives to the conf/httpd.conf file. SAF authentication is provided by the mod_authnz_saf module. The mod_saf_mfa85.so module is IBM MFA specific. The module name is mod_saf_mfa85_31.so for the 31-bit version.
     
    LoadModule headers_module modules/mod_headers.so
    LoadModule authnz_saf_module modules/mod_authnz_saf.so
    LoadModule saf_mfa_module /usr/lpp/IBM/azfv2r3/modules/mod_saf_mfa85.so
    Header append Cache-Control max-age=0
  2. For V9R0 only, add (or uncomment) the following directives to the conf/httpd.conf file. SAF authentication is provided by the mod_authnz_saf module. The mod_saf_mfa90.so module is IBM MFA specific. The module name is mod_saf_mfa90_31.so for the 31-bit version.
    LoadModule headers_module modules/mod_headers.so
    LoadModule authnz_saf_module modules/mod_authnz_saf.so
    LoadModule saf_mfa_module /usr/lpp/IBM/azfv2r3/modules/mod_saf_mfa90.so
    Header always merge Cache-Control max-age=0
  3. For both V8R5 and V9R0, add all of the following (case sensitive) directives to the httpd.conf file:
    <Location location.html>
       SAFRunAs %%CLIENT%%
       AuthBasicProvider saf
       AuthName safmfatest1
       AuthType BASIC
       Require valid-user
       MFADomain cookieName
       MFAExpireSeconds num-of-seconds
       MFAPKCS#11TokenName PKCS#11 token name
       MFAKeyLabel PKCS#11 key label
       MFAPath path
       SAFAPPLID MFATEST1
       AuthSAFExpiration "EXPIRED! oldpw/newpw/newpw"
    </Location>
    where:
    • The scope of the IBM MFA configuration parameters is the current location, but you can set them outside of a Location definition to set global default values. If set globally, one or more values can be overridden on a per-location basis.
    • The non-IBM MFA-specific statements must use these exact values, with the exception of AuthName and SAFAPPLID, which are site-specific values.
    • MFADomain cookieName has a limit of 32 characters and defaults to MFAToken.
    • MFAExpireSeconds is the number of seconds for which the IBM MFA authentication is valid. Change this value as needed in your environment. Possible values are 0-86400, inclusive. If you specify a value over the maximum, it is ignored and the maximum value is used. The default is 86400 (24 hours).
    • MFAKeyLabel PKCS#11 key label has a limit of 32 characters and defaults to AZF.IHSA.SESSION.

      The value you specify for PKCS#11 key label is used if it already exists and is created if it does not already exist.

    • MFAPath path is the authentication path for IBM MFA resources. All requested resources must be subordinate to this path. If a resource is outside the path, users are prompted to re-authenticate. If not specified, the default is "/".
    • MFAPKCS#11TokenName PKCS#11 token name has a limit of 32 characters and defaults to AZF.IHSA.TOKEN.

      The value you specify for PKCS#11 token name identifies the PKCS#11 token to contain the key material used to encrypt the cookie. This is the token you created in Configure a PKCS#11 token.

      Note: If you change the values for MFAKeyLabel or MFAPKCS#11TokenName after they have been used, it may result in unspecified failures.
  4. Define the BPX.DAEMON FACILITY class profile if it is not already defined:
    RDEFINE FACILITY BPX.DAEMON UACC(NONE)
    
  5. Give the user ID of the IBM HTTP web server UPDATE access to the BPX.DAEMON FACILITY class profile, where web-server-user-ID is the user ID of the web server started task:
    PERMIT BPX.DAEMON CLASS(FACILITY) ID(web-server-user-ID) ACC(UPDATE)
    
  6. Define the BPX.SERVER FACILITY class profile if it is not already defined:
    RDEFINE FACILITY BPX.SERVER UACC(NONE)
    
  7. Give the user ID of the IBM HTTP web server UPDATE access to the BPX.SERVER FACILITY class profile, where web-server-user-ID is the user ID of the web server started task:
    PERMIT BPX.SERVER CLASS(FACILITY) ID(web-server-user-ID) ACC(UPDATE)
    
  8. Refresh the FACILITY class:
    SETROPTS RACLIST(FACILITY) REFRESH
  9. Start the web server, as described in IBM HTTP Server Powered by Apache (https://publibz.boulder.ibm.com/epubs/pdf/dpr1cg00.pdf).
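The directive rules in step 3 (exact values for the non-MFA statements, case-sensitive names, the 32-character limits, the 0-86400 range with clamping, the defaults, and global values overridden per Location) are easy to get wrong by hand. The following Python script is an added example, not IBM code: it parses the MFA-related part of an httpd.conf, resolves the effective settings for each protected Location, and reports violations of exactly those rules. It assumes the plain-text layout shown above, and the sample configuration embedded in it is constructed for this example.

```python
"""Lint the IBM MFA directives in an IBM HTTP Server httpd.conf.

Added example (not IBM's code). Only the rules stated in step 3 are encoded:
exact values for the non-MFA statements, case-sensitive directive names, the
32-character limits, the 0-86400 range (values above the maximum are clamped),
the defaults, and global-default / per-Location override scoping.
"""
import re
from typing import Dict, List, Tuple

REQUIRED_EXACT = {            # non-MFA statements that must carry these exact values
    "SAFRunAs": "%%CLIENT%%",
    "AuthBasicProvider": "saf",
    "AuthType": "BASIC",
    "Require": "valid-user",
}
SITE_SPECIFIC = ("AuthName", "SAFAPPLID")   # must be present; the value is yours
MFA_DEFAULTS = {              # defaults quoted in the directive descriptions
    "MFADomain": "MFAToken",
    "MFAExpireSeconds": "86400",
    "MFAPKCS#11TokenName": "AZF.IHSA.TOKEN",
    "MFAKeyLabel": "AZF.IHSA.SESSION",
    "MFAPath": "/",
}
LIMIT_32 = ("MFADomain", "MFAPKCS#11TokenName", "MFAKeyLabel")
MAX_EXPIRE = 86400
KNOWN = {*REQUIRED_EXACT, *SITE_SPECIFIC, *MFA_DEFAULTS, "AuthSAFExpiration"}
KNOWN_LOWER = {k.lower(): k for k in KNOWN}

Directives = Dict[str, str]


def parse(text: str) -> Tuple[Directives, Dict[str, Directives]]:
    """Split httpd.conf text into global directives and per-<Location> directives.

    Only full-line comments are dropped: a '#' inside a line is data
    (MFAPKCS#11TokenName), so it must never be treated as a comment.
    """
    global_d: Directives = {}
    locations: Dict[str, Directives] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>$", line, re.I)
        if m:
            current = m.group(1)
            locations[current] = {}
            continue
        if line.lower() == "</location>":
            current = None
            continue
        parts = line.split(None, 1)
        name = parts[0]
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        (locations[current] if current else global_d)[name] = value
    return global_d, locations


def check_location(path: str, effective: Directives) -> Tuple[Directives, List[str]]:
    """Return (resolved MFA settings, findings) for one protected location."""
    findings: List[str] = []
    # 1. Directive names are case sensitive: a near-miss such as "MFAKeylabel"
    #    is silently ignored by the server and the default applies instead.
    for name in effective:
        canon = KNOWN_LOWER.get(name.lower())
        if canon and canon != name:
            findings.append(f"{path}: '{name}' must be spelled '{canon}' (case sensitive)")
    # 2. Non-MFA statements must carry the exact values from the procedure.
    for name, want in REQUIRED_EXACT.items():
        got = effective.get(name)
        if got is None:
            findings.append(f"{path}: missing '{name} {want}'")
        elif got != want:
            findings.append(f"{path}: '{name}' must be '{want}', found '{got}'")
    for name in SITE_SPECIFIC:
        if not effective.get(name):
            findings.append(f"{path}: missing site-specific '{name}'")
    # 3. Resolve MFA values: defaults, then global, then the Location itself.
    resolved = {k: effective.get(k, v) for k, v in MFA_DEFAULTS.items()}
    for name in LIMIT_32:
        if len(resolved[name]) > 32:
            findings.append(f"{path}: '{name}' exceeds 32 characters")
    secs = resolved["MFAExpireSeconds"]
    if not secs.isdigit():
        findings.append(f"{path}: 'MFAExpireSeconds' must be an integer 0-{MAX_EXPIRE}")
    elif int(secs) > MAX_EXPIRE:
        findings.append(f"{path}: 'MFAExpireSeconds {secs}' is over the maximum; {MAX_EXPIRE} is used")
        resolved["MFAExpireSeconds"] = str(MAX_EXPIRE)
    # 4. A protected resource outside MFAPath makes users re-authenticate.
    mfa_path = resolved["MFAPath"]
    if not (path == mfa_path or path.startswith(mfa_path.rstrip("/") + "/")):
        findings.append(f"{path}: location is outside MFAPath '{mfa_path}'; users will be re-prompted")
    return resolved, findings


def check_mfa_config(text: str) -> Dict[str, Tuple[Directives, List[str]]]:
    """Resolve and validate every <Location> in an httpd.conf text."""
    global_d, locations = parse(text)
    return {path: check_location(path, {**global_d, **local})
            for path, local in locations.items()}


# Constructed sample: global defaults, one correct Location, one with errors.
SAMPLE_CONF = """\
LoadModule saf_mfa_module /usr/lpp/IBM/azfv2r3/modules/mod_saf_mfa90.so
Header always merge Cache-Control max-age=0
MFADomain IHSMFA
MFAExpireSeconds 3600
MFAPKCS#11TokenName AZF.IHSA.TOKEN
MFAKeyLabel AZF.IHSA.SESSION
MFAPath /secure

<Location /secure/app1>
   SAFRunAs %%CLIENT%%
   AuthBasicProvider saf
   AuthName safmfatest1
   AuthType BASIC
   Require valid-user
   MFAExpireSeconds 900
   SAFAPPLID MFATEST1
   AuthSAFExpiration "EXPIRED! oldpw/newpw/newpw"
</Location>

<Location /reports>
   SAFRunAs %%CLIENT%%
   AuthBasicProvider saf
   AuthName reports
   AuthType Basic
   Require valid-user
   MFADomain ThisCookieNameIsFarTooLongForTheThirtyTwoLimit
   MFAKeylabel AZF.REPORTS
   MFAExpireSeconds 100000
   SAFAPPLID MFATEST1
</Location>
"""

if __name__ == "__main__":
    for loc, (settings, problems) in check_mfa_config(SAMPLE_CONF).items():
        print(loc, settings)
        for problem in problems:
            print("  -", problem)
```

Run it against your real conf/httpd.conf by reading the file into `check_mfa_config`; an empty findings list for every Location means the block matches the rules in step 3, and the resolved dictionary shows the values the server will actually apply after global defaults and clamping.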