IBM Support

Using IBM Navigator for i to Manage MFA

How To


Summary

On IBM i 7.6, you can use IBM Navigator for i to set up and manage your IBM i for Multi-factor Authentication (MFA). This page is an overview of the MFA management features in Navigator.

Objective

On IBM i 7.6, you can manage your Multi-Factor Authentication configuration with IBM Navigator for i.  Also see Multi-factor authentication (MFA).

MFA Configuration

Security Configuration Information
Provides a quick view of the security-related system values:
  • Security Level & Pending Security Level
  • Password Level & Pending Password Level
  • Additional Signon Factor & Pending Additional Signon Factor
  • Allow Additional Signon Factor Change
  • Allow Password Exit Program Add Remove
Right-click the value you want to modify and select Change.
  • For Password Level, Security Level, and Allow Password Exit Program Add Remove, you are taken to the System Values panel to make the change. Right-click and select Properties to open the system values panel for those attributes.
  • Allow Additional Signon Factor Change can only be modified through SST (System Service Tools).
  • For Additional Signon Factor, a pop-up lets you change the setting. Make your selection and click Save.
(Screenshot: Change Additional Signon Factor pop-up)
Users
(Screenshot: Users list under MFA Configuration)
Lists all user profiles with the following MFA-related columns, so they can be filtered and reviewed in one place.
Before an administrator turns on MFA authentication for a profile (sets its authentication method to *TOTP), they should verify that the profile has a configured MFA (TOTP) key.
  • MFA Key Exists - The list defaults to filter on user profiles with an MFA key set.
  • MFA Authentication
  • Exit Program Authentication
  • Impersonation
  • Audit Level
  • MFA Key Last Changed
  • MFA Interval
The following actions are available here:
  • Enable Users for MFA Authentication - set the user's authentication method to *TOTP
  • Enable Users for Exit Program Authentication - set the user's authentication method to *REGFAC 
  • Set Impersonation to Denied - adds the user to the Denied list for the Function Usage ID QIBM_RUN_UNDER_USER_NO_AUTH
The user profile Properties panel (select a user profile, right-click, and select Properties) can be used to:
  1. Change a user profile's TOTP optional interval: in the Additional Authentication Options section, enter the number of minutes in the Optional Interval field and click OK to save the change.
  2. Display the remaining minutes in a user's TOTP optional interval (if the user has one specified).

Authentication Exit Point
Displays the Authentication Exit Point programs and lets you add or remove exit programs.
To enable the *REGFAC authentication method (register the QIBM_QSY_AUTH exit program in the registration facility), click Authentication Exit Point, then:
  1. Right-click the QIBM_QSY_AUTH exit point name and select Add Exit Program.
  2. In the Add Exit Program panel, enter the exit program name in the Program field and the library name in the Library field.
  3. Click OK.

Additional Factor Field
(Screenshot: Additional Factor field on the sign-on screen)
On 7.6 and later releases, the Additional Factor field is displayed on the sign-on screen whenever the system is set to accept an additional signon factor.
The field is shown for every user, whether or not MFA is enabled for that user profile. If MFA authentication is not turned on for the profile, anything entered in the Additional Factor field is ignored.

Manage My MFA Key
My Work > My Additional Authentication Factor > Manage My MFA Key:
Note: Any user with a valid user profile and password can use Navigator to set and manage their own MFA key value.
Normally, users must be authorized to use IBM Navigator: a user without *ALLOBJ authority is granted that access through the QIBM_NAV_ALL_FUNCTION function usage ID. A user who does not have access through this function usage ID can still use Navigator to manage their own MFA key. The following panel is displayed when such a user logs in:

(Screenshot: Manage My MFA Key panel)

Note: The Navigator GUI node is available on any system so that a user can set up their TOTP key there. A user without the normal authority to use Navigator is still allowed to manage their own MFA settings through the Navigator GUI; this is a special feature that grants access to that one Navigator GUI node. It differs from the usual Navigator model, where one GUI node manages multiple systems: for normal access the Navigator GUI is only required on one managing node and functions can be performed on other systems. That cross-system management is not available for the MFA configuration panel.

1.  Generate and save an MFA key and recovery key for this user profile. This generates an MFA key and saves it to your user profile.
  Save the recovery key in a safe place. It can be used in place of the user password as a one-time recovery if the MFA key and code are not working.
(Screenshot: Generate and save an MFA key and recovery key for this user profile)
  • On the Validate MFA Key and Save Recovery Key panel, scan the QR code with your client authenticator application. Alternatively, you can manually enter the value from the Saved MFA key field (this is the TOTP key) into the application.
  • Validate the MFA key by entering your password and the MFA code (the TOTP value, or "Additional Factor") produced by the client application. Click Validate.
  • Save the recovery key in a safe place.
  • Inform the administrator that your TOTP key is set.
2.  Enter an MFA key from your client generator application. This saves the entered key to your user profile.
(Screenshot: Enter MFA Key)
3.  Remove the MFA key for this user profile.
(Screenshot: Remove MFA Key)
4.  Validate that the MFA code and password work correctly for this user profile.
(Screenshot: Validate the MFA Code and password)
Enter the same password and Additional Factor that you use on the sign-on screen.

User Profile Additional Authentication Options
The user profile properties have additional fields related to MFA.
(Screenshot: User Profile Additional Authentication Options)
  • MFA Authentication using a TOTP key: select this to turn on MFA authentication for the profile.
  • Optional Interval field (minutes)
    • By default, MFA is required every time the user is required to authenticate. You can specify a period during which MFA is not required for subsequent signons after an initial successful signon using MFA; during that period only a valid user ID and password are required. If the optional interval is 0 and TLS is not enabled for Navigator and DCM, the user will not be able to use these applications.
  • Exit Program Authentication (*REGFAC): indicates that exit program authentication is turned on for this user profile (the QIBM_QSY_AUTH exit program is registered).
    • The Optional Interval does not apply to Exit Program Authentication. The exit program is always called whenever authentication is performed.
  • Deny Impersonation: when the value of Impersonation is DENIED for a profile, the operating system restricts the ability to impersonate this user profile without authentication. The system blocks any attempt to swap to this user profile without specifying a password. This is controlled by setting the function usage ID QIBM_RUN_UNDER_USER_NO_AUTH to DENIED for this profile.

Configuring the NTP client
  • Check the QTIMADJ system value.  Go to Configuration & Service > System Values.  Right-click Date and Time and select Properties.  Select the Time tab. Under Time adjustment (QTIMADJ):
    1. If Time maintenance application is set to QIBM_OS400_NTP, then the NTP client is running. 
    2. If it is set to *NONE, then the NTP client is not running. 
    3. If it is set to QIBM_OS400_SNTP then the SNTP client is running instead of NTP.
(Screenshot: System Values, Date and Time properties)
  • If the NTP client is not running, start the NTP service using Navigator. Follow the next steps to verify that NTP (not SNTP) will be started.
  • If the Time maintenance application is set to QIBM_OS400_SNTP, change the client type by following these steps:
    1. Go to Network > Servers > TCP/IP Servers.
    2. Right click on SNTP and select Stop.
    3. Right click SNTP and select Properties.
    4. Set the client to auto-start (so the SNTP service starts when TCP/IP is started).
    5. Click on the Client tab and specify client type NTP.
    6. Add multiple time servers reachable on your network.
    7. Click OK to save the changes.
    8. Right click on SNTP and select Start.
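The code below is an added example, not IBM code and not part of this page: it shows why the NTP step matters for the TOTP keys and Optional Interval described above. It computes RFC 6238 TOTP codes (the algorithm authenticator apps use) with the public RFC 6238 test-vector secret, shows a code from a drifted client clock being rejected, and models the sign-on decision (*TOTP with optional interval, *REGFAC always calling the exit program). The treatment of any other authentication method as password-only is an assumption.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the public RFC 6238 test-vector key
# ("12345678901234567890" in base32), NOT a real user's MFA key.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app displays."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step          # 30-second time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, server_time, skew_steps=1, step=30):
    """Accept the code if it matches the server's step or +/- skew_steps.
    A client clock that drifts past this window produces codes the server
    rejects, which is why the system clock must be kept in sync with NTP."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * step, step), code)
        for i in range(-skew_steps, skew_steps + 1)
    )


def additional_factor_required(auth_method, optional_interval_min, last_mfa_ok, now):
    """Model the sign-on rules described on the page.
    *REGFAC: the exit program is always called; the interval does not apply.
    *TOTP: the factor is required unless a successful MFA sign-on happened
    within the optional interval (0 means every sign-on).
    Any other method (assumption: password only): the factor field is ignored."""
    if auth_method == "*REGFAC":
        return True
    if auth_method != "*TOTP":
        return False
    if optional_interval_min == 0 or last_mfa_ok is None:
        return True
    return now - last_mfa_ok >= optional_interval_min * 60
```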

Change Function Usage (CHGFCNUSG) command for QIBM_RUN_UNDER_USER_NO_AUTH
When the value of Impersonation is DENIED for a profile, the operating system restricts the ability to impersonate this user profile without authentication: any attempt to swap to this user profile without specifying a password is blocked. This is controlled by setting the function usage ID QIBM_RUN_UNDER_USER_NO_AUTH to DENIED for this profile.
  • In IBM Navigator for i, expand Security > MFA Configuration, click Users.
  • Clear the filter value from the MFA Key Exists filter and select Apply.
User profiles that have already been denied access to the function ID show DENIED in the Impersonation column. Users with the default access show ALLOWED.
  • To change the access for a user, right-click the user profile and select Properties.
  • Select the Deny Impersonation check box.
  • Click OK to save this change.

Document Location

Worldwide


Document Information

Modified date:
22 May 2025

UID

ibm17180390