Enrolling tokens for users

Enroll the tokens for users when you need to control which user has which specific YubiKey token. This method does not require the IBM® MFA web services started task.

Before you begin

Note: Ensure that you have the following access, as described in Configuring a PKCS#11 token.
  • UPDATE access to IRR.RFACTOR.USER in the FACILITY class.

About this task

Note: As described in the YubiKey documentation, the Yubico OTP generated by the YubiKey token represents a single authentication factor. It is recommended that you use Yubico OTP together with compound in-band authentication or with another factor in IBM MFA Out-of-Band authentication.

Procedure

  1. Add the /usr/lpp/IBM/azfv2r3/bin/ directory to your PATH.
    export PATH=/usr/lpp/IBM/azfv2r3/bin:${PATH}
  2. Create a z/OS UNIX file of the following format:
    user-name policy-name AZFYUBI1 csv-data
    user-name policy-name AZFYUBI1 csv-data
    user-name policy-name AZFYUBI1 csv-data
    where csv-data is the complete string from the configuration .csv file that you want to assign to this user.

    There are many ways to accomplish this step, depending on your environment. For example, you can edit z/OS UNIX files by using the TSO/E OEDIT command to invoke ISPF File Edit or by selecting File Edit on the ISPF menu, if it is installed. In a shell, you can use the ed and sed editors for editing z/OS UNIX files. You can use the oedit shell command to invoke ISPF File Edit.

    For example, if you are using TSO/E OMVS, you can use OEDIT to create a new file or edit an existing one.

    Note: If you open the .csv file on a Windows system to copy the csv-data string, open the file in a text editor. The default Windows application association might be different.

    For example:

    USERA YUBIPOL AZFYUBI1 "7699966,tvhcjlhgucln,ba29fe0f63b4,3ae7fa1cd82885153a2ae8dea864a22b,000000000000,2018-08-23T16:06:21,"

  3. Run the azfbulk program without the COMMIT parameter.
    azfbulk input-file
  4. Check the resulting azfprov1.sh and azfprov2.sh files for errors. azfprov1.sh invokes azfbulkcmd.sh, which allows you to make any needed customizations if you are using an ESM other than RACF. No changes to azfbulkcmd.sh are required if you are using RACF.
  5. Correct any errors in your input file and re-run azfbulk. Repeat as needed.
  6. When you are satisfied with the azfprov1.sh and azfprov2.sh scripts, run the azfbulk program with the COMMIT parameter. (COMMIT must be in uppercase.)
    azfbulk input-file COMMIT
  7. Run the azfprov1.sh shell script.
    sh azfprov1.sh
    
    ALU USER MFA(FACTOR(AZFYUBI1) NOACTIVE NOPWFALLBACK NOTAGS)
    ALU USER MFA(FACTOR(AZFYUBI1) TAGS(REGSTATE:OPEN))
    ALU USER MFA(ADDPOLICY(YUBIPOL))
    
  8. Run the azfprov2.sh shell script.
    sh azfprov2.sh
    Existing AZFYUBI1 tag data for user USER:
    REGSTATE:  OPEN
    SERIAL:    (not set)
    PUBNAME:   (not set)
    PRIVID:    (not set)
    SECRET:    (not set)
    CREATED:   (not set)
    MODIFIED:  0
    YKCTR:     0x00
    YKUSE:     0x0
    YKTSL:     0x00
    YKTSH:     0x0
    Parsed CSV successfully; pending AZFYUBI1 tag data for user USER:
    REGSTATE:  WANTSYNC
    SERIAL:    7699966
    PUBNAME:   vvtvvrdfgtne
    PRIVID:    OaGKIt1QL/KZu/IcgUsizsP90UfzBPfaXJcnE/PelL4=
    SECRET:    d1cNHlipJ1XKdYWKwwZEH4qQJKVN7wS7t/8ElKwnx7GnYJZq+/nqsxIOfn5VuOYK
    CREATED:   2020-01-24T11:39:38
    MODIFIED:  0
    YKCTR:     0x00
    YKUSE:     0x0
    YKTSL:     0x00
    YKTSH:     0x0
    Committed AZFYUBI1 factor data for USER.
    
  9. Instruct the user to insert the YubiKey into a USB port on their Windows system.
  10. Instruct the user to log in to the z/OS application and tap the YubiKey to generate a token in the password field. Remind users that a YubiKey programmed in Configuration Slot 2 requires a long press.
  11. Enter the following command to display IBM MFA information for a user profile. Note that the REGSTATE changes to CONFIRMED and the factor state changes to ACTIVE. (The key material is for example purposes only.)
    LISTUSER [Login ID] MFA
    FACTOR = AZFYUBI1
      STATUS = ACTIVE
      FACTOR TAGS =
        REGSTATE:CONFIRMED
        SERIAL:7699966
        PUBNAME:vvtvvrdfgtne
        PRIVID:OaGKIt1QL/KZu/IcgUsizsP90UfzBPfaXJcnE/PelL4=
        SECRET:d1cNHlipJ1XKdYWKwwZEH4qQJKVN7wS7t/8ElKwnx7GnYJZq+/nqsxIOfn5VuOYK
        CREATED:2020-01-24T11:39:38
        MODIFIED:1579894287
        YKCTR:1
        YKUSE:1
        YKTSL:24519
        YKTSH:78
  12. If needed, enter the following command to deactivate the Yubico OTP factor for a user:
    ALU [Login ID] MFA(FACTOR(AZFYUBI1) NOACTIVE)
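The following POSIX shell script is an added example for step 2 and is not part of the IBM MFA product or its documentation. It builds the azfbulk input file from two inputs: the YubiKey Personalization Tool CSV log, whose records have the layout shown in the csv-data example above (serial, public ID, private ID, secret key, access code, timestamp, trailing comma), and a map file of your own in the form "user serial policy". Before a user line is written, the record for that serial must exist exactly once in the log and its public ID, private ID and secret must have the expected length and alphabet, so a typo in the map or a key that was reprogrammed twice is caught before azfbulk, not after the user cannot log in. The function names (build_azfbulk_line, build_azfbulk_file), the sample log records, and the sample map are constructed for this example.

```shell
#!/bin/sh
# Added example (not IBM's code): build the step-2 azfbulk input file from the
# YubiKey Personalization Tool CSV log and a user-to-serial map, refusing any
# record that would enroll the wrong key or a malformed one.

# Constructed sample of the Personalization Tool log. Each record has the same
# layout as the csv-data field in step 2: serial, public ID (modhex), private
# ID (hex), AES secret (hex), access code, timestamp, trailing comma.
# Serial 7699968 is deliberately malformed (11-character public ID).
SAMPLE_CSV='7699966,tvhcjlhgucln,ba29fe0f63b4,3ae7fa1cd82885153a2ae8dea864a22b,000000000000,2018-08-23T16:06:21,
7699967,cccccbgnfkhe,0123456789ab,00112233445566778899aabbccddeeff,000000000000,2018-08-23T16:07:02,
7699968,tvhcjlhgucl,0123456789ab,00112233445566778899aabbccddeeff,000000000000,2018-08-23T16:08:15,'

# Constructed sample map: user ID, the serial printed on the key handed to
# that user, and the IBM MFA policy name. Serial 7699999 is not in the log.
SAMPLE_MAP='USERA 7699966 YUBIPOL
USERB 7699967 YUBIPOL
USERC 7699999 YUBIPOL
USERD 7699968 YUBIPOL'

# Usage: build_azfbulk_line USER SERIAL POLICY < log.csv
# Prints one line in the format azfbulk expects, USER POLICY AZFYUBI1 "csv-data",
# or returns 1 with a reason on stderr if the serial is missing, appears more
# than once, or any field has the wrong length or alphabet.
build_azfbulk_line() {
    awk -v user="$1" -v serial="$2" -v policy="$3" -F, '
        { sub(/\r$/, "") }                     # tolerate a CSV saved on Windows
        $1 == serial {
            hits++
            line = $0
            ok = length($2) == 12 && $2 ~ /^[cbdefghijklnrtuv]+$/ &&
                 length($3) == 12 && $3 ~ /^[0-9a-fA-F]+$/ &&
                 length($4) == 32 && $4 ~ /^[0-9a-fA-F]+$/
        }
        END {
            if (hits == 0) { print user ": no record for serial " serial > "/dev/stderr"; exit 1 }
            if (hits > 1)  { print user ": serial " serial " appears " hits " times, keep only the current programming" > "/dev/stderr"; exit 1 }
            if (!ok)       { print user ": malformed record for serial " serial > "/dev/stderr"; exit 1 }
            printf "%s %s AZFYUBI1 \"%s\"\n", user, policy, line
        }'
}

# Usage: build_azfbulk_file MAPFILE CSVFILE OUTFILE
# Writes the azfbulk input file (mode 600, because every line carries the
# key's AES secret) and returns the number of map entries that were rejected;
# 0 means every user in the map got a line.
build_azfbulk_file() {
    map=$1; csv=$2; out=$3
    failures=0
    : > "$out" && chmod 600 "$out"
    while read -r user serial policy; do
        [ -z "$user" ] && continue
        build_azfbulk_line "$user" "$serial" "$policy" < "$csv" >> "$out" \
            || failures=$((failures + 1))
    done < "$map"
    return "$failures"
}

# Stand-alone run on the constructed samples; in practice point MAPFILE and
# CSVFILE at your own user map and the Personalization Tool log.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CSV" > "$demo_dir/keys.csv"
printf '%s\n' "$SAMPLE_MAP" > "$demo_dir/map.txt"
rejected=0
build_azfbulk_file "$demo_dir/map.txt" "$demo_dir/keys.csv" "$demo_dir/azfbulk.in" || rejected=$?
cat "$demo_dir/azfbulk.in"
echo "rejected entries: $rejected (USERC: unknown serial, USERD: malformed record)"
rm -rf "$demo_dir"
```

Run it in the z/OS UNIX shell with the same awk you would use interactively, then pass the resulting file to azfbulk as in step 3. The file is as sensitive as the Personalization Tool log itself, since each line contains the key's AES secret; keep it at mode 600 and remove both files once azfprov2.sh has committed the factor data.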
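For the check in step 11, the following script is an added example, again not IBM's code, that reads captured "LISTUSER userid MFA" output and reduces the AZFYUBI1 factor to one line: serial, REGSTATE, STATUS and a verdict. It lets an administrator see at a glance which users have completed the first tap (REGSTATE CONFIRMED with STATUS ACTIVE) and which are still at WANTSYNC after azfprov2.sh. The parser keys only on the FACTOR, STATUS, REGSTATE and SERIAL lines shown in the step 11 output; the function name report_yubi_state, the verdict words, and both sample outputs are constructed for this example, and the PRIVID and SECRET lines are left out of the samples on purpose.

```shell
#!/bin/sh
# Added example (not IBM's code): summarize a user's YubiKey enrollment state
# from captured "LISTUSER userid MFA" output.

# Constructed sample: the AZFYUBI1 factor section for a user who has tapped
# the key, as in step 11. PRIVID and SECRET are omitted here; LISTUSER does
# print them, so treat any captured output as key material.
SAMPLE_CONFIRMED='FACTOR = AZFYUBI1
  STATUS = ACTIVE
  FACTOR TAGS =
    REGSTATE:CONFIRMED
    SERIAL:7699966
    PUBNAME:vvtvvrdfgtne
    CREATED:2020-01-24T11:39:38
    MODIFIED:1579894287
    YKCTR:1
    YKUSE:1
    YKTSL:24519
    YKTSH:78'

# Constructed sample: a user whose factor data was committed by azfprov2.sh
# (REGSTATE WANTSYNC) but who has not yet generated an OTP.
SAMPLE_PENDING='FACTOR = AZFYUBI1
  STATUS = ACTIVE
  FACTOR TAGS =
    REGSTATE:WANTSYNC
    SERIAL:7699967
    PUBNAME:cccccbgnfkhe
    CREATED:2020-01-24T11:39:38
    MODIFIED:0'

# Usage: report_yubi_state < listuser-output
# Prints "serial regstate status verdict" for the AZFYUBI1 factor; exits 2 if
# the output has no AZFYUBI1 factor at all. Other factors are skipped.
report_yubi_state() {
    awk '
        /^ *FACTOR = /           { inyubi = ($3 == "AZFYUBI1"); next }
        inyubi && /^ *STATUS = / { status = $3 }
        inyubi && /^ *REGSTATE:/ { sub(/^ *REGSTATE:/, ""); regstate = $1 }
        inyubi && /^ *SERIAL:/   { sub(/^ *SERIAL:/, "");   serial = $1 }
        END {
            if (regstate == "") { print "no AZFYUBI1 factor" > "/dev/stderr"; exit 2 }
            if (regstate == "CONFIRMED" && status == "ACTIVE") verdict = "enrolled"
            else if (regstate == "WANTSYNC") verdict = "awaiting-first-tap"
            else if (regstate == "OPEN")     verdict = "not-provisioned"
            else                             verdict = "review"
            printf "%s %s %s %s\n", serial, regstate, status, verdict
        }'
}

# Stand-alone run on the samples; in practice capture the LISTUSER output to
# a file and pipe that file in.
printf '%s\n' "$SAMPLE_CONFIRMED" | report_yubi_state
printf '%s\n' "$SAMPLE_PENDING"   | report_yubi_state
```

A user still reported as awaiting-first-tap some days after step 8 has most likely not yet done step 10, which is the case to follow up on before assuming the enrollment worked.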