IBM PowerSC MFA Installation And Configuration


IBM PowerSC Multi-Factor Authentication
Version 1.1.0
Installation and Configuration
IBM


Note
Before using this information and the product it supports, read the information in “Notices” on page 55.

This edition applies to IBM PowerSC Multi-Factor Authentication Version 1.1.0 and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2017, 2018.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this document
  Highlighting
  Case-sensitivity in IBM PowerSC Multi-Factor Authentication
  ISO 9000

What's new in IBM PowerSC MFA 1.1.0

IBM PowerSC MFA concepts
  Multi-factor authentication concepts
  Out-of-band authentication type
  In-band PIV/CAC and out-of-band authentication type
  RSA Authentication Manager concepts
    SecurID token code
    SecurID PIN
    SecurID passcode
    Types of token devices
    Password field

Installing IBM PowerSC MFA
  IBM PowerSC MFA requirements
  Installing IBM PowerSC MFA server and GUI
    Obtaining the PKCS#12 file and certificate password
    Creating the server truststore
    Completing the server setup
    Adding IBM PowerSC MFA administrator IDs
    Configuring IBM PowerSC MFA administrator IDs for SSH login
    Editing the pam.conf file
    Starting the IBM PowerSC MFA daemon
    Stopping the IBM PowerSC MFA daemon
    Backing up the IBM PowerSC MFA database
  Installing IBM PowerSC MFA PAM modules on an AIX client
  Installing IBM PowerSC MFA PAM modules on a Red Hat Enterprise Linux Server client
  Installing IBM PowerSC MFA PAM modules on a SUSE Linux Enterprise Server client
  Installing IBM PowerSC MFA for PIV/CAC in-band authentication type

Configuring IBM PowerSC MFA
  Using the IBM PowerSC MFA GUI
  Navigating the IBM PowerSC MFA GUI
  Configuring server options
  Configuring IBM PowerSC MFA authentication methods
    Configuring the SecurID authentication method
    Configuring the PIV/CAC authentication method
  Configuring IBM PowerSC MFA policies
    Creating authentication policies
    Displaying IBM PowerSC MFA policies
    Associating IBM PowerSC MFA policies with authentication methods
    Setting policy token timeout
    Setting the cache token credential to be reusable
    Deleting IBM PowerSC MFA policies
  Provisioning IBM PowerSC MFA users
    Provisioning users in bulk for IBM PowerSC MFA
    Enabling users for IBM PowerSC MFA
    Assigning policies and authentication methods to users
    Displaying users
    Checking user information
    Setting password fallback
    Removing policies for a user
  Configuring IBM PowerSC MFA for the out-of-band authentication type
    Configuring IBM PowerSC MFA out-of-band settings
    Activating and deactivating users for the out-of-band authentication type
  Configuring IBM PowerSC MFA client systems
    Creating the client truststore
    Editing the IBM PowerSC MFA PAM modules
    Editing the pam.conf file on AIX
    Editing the /etc/pam.d files on Red Hat Enterprise Linux Server
    Editing the /etc/pam.d files on SUSE Linux Enterprise Server

Troubleshooting IBM PowerSC MFA

Exporting the client issuing certificate chain

Configuring the PIV/CAC in-band authentication type
  Configuring the smart card reader
  Selecting the PIV/CAC certificate
  Creating authentication policies
  Assigning policies and enrolling the PIV/CAC certificate
  Importing the complete client certificate chain
  Optional: Creating the root and server certificates
  Creating the client truststore
  Editing the pkcs11_eventmgr.conf file
  Configuring the login environment
  Editing the IBM PowerSC MFA PAM module
  Editing the pam.conf file

Notices
  Privacy policy considerations
  Trademarks

Index

About this document

This document provides information about how you can install and configure IBM PowerSC Multi-Factor Authentication.

Highlighting

The following highlighting conventions are used in this document:

Bold        Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Bold highlighting also identifies graphical objects, such as buttons, labels, and icons that you select.
Italics     Identifies parameters for actual names or values that you supply.
Monospace   Identifies examples of specific data values, examples of text similar to what you might see displayed, examples of portions of program code similar to what you might write as a programmer, messages from the system, or text that you must type.

Case-sensitivity in IBM PowerSC Multi-Factor Authentication

Everything in the IBM PowerSC Multi-Factor Authentication software is case-sensitive, which means that it distinguishes between uppercase and lowercase letters. For example, you can use the ls command to list files. If you type LS, the system responds that the command is not found. Likewise, FILEA, FiLea, and filea are three distinct file names, even if they reside in the same directory. To avoid causing undesirable actions to be performed, always ensure that you use the correct case.

ISO 9000

ISO 9000 registered quality systems were used in the development and manufacturing of this product.


What's new in IBM PowerSC MFA 1.1.0

Read about new or significantly changed information for the IBM PowerSC MFA Version 1.1.0 topic collection.

In this PDF file, you might see revision bars in the left margin that identify new and changed information.

September 2018
- Red Hat Enterprise Linux Server and SUSE Linux Enterprise Server are now supported as IBM PowerSC MFA client systems.
- The “Creating authentication policies” on page 22 topic is updated to more clearly state the guidelines for using the AZFCERT1 authentication method in a policy.
- Various editorial and organizational changes have been made.

May 2018
- Updated the “IBM PowerSC MFA requirements” on page 9 topic to state that the bos.ahafs file set is required on an AIX system when the user's smart card reader is directly attached to a USB port.
- Added information about the pmfa_hotplug_usb program in the “Configuring the smart card reader” on page 41 topic.
- Added information about configuring the USB smart card login environment in the “Configuring the login environment” on page 50 topic.
- Added information in the “Editing the pkcs11_eventmgr.conf file” on page 50 topic about configuring the /usr/local/bin/pkcs11_eventmgr tool to monitor the status of the card reader and enabling a lock action.
- Added the “Exporting the client issuing certificate chain” on page 39 topic to show one example of exporting the client certificate chain.
- Added troubleshooting information in the “Troubleshooting IBM PowerSC MFA” on page 37 topic.
- Various editorial and organizational changes have been made.


IBM PowerSC MFA concepts

IBM PowerSC Multi-Factor Authentication, which is referred to in this document as IBM PowerSC MFA, provides alternative authentication mechanisms for systems used with RSA SecurID-based authentication and certificate authentication options such as Common Access Card (CAC) and Personal Identification Verification (PIV) cards. You can use IBM PowerSC MFA with a large variety of applications that use pluggable authentication modules (PAM) for authentication.

The most common method for authenticating users to AIX or Linux applications is the use of passwords. Unfortunately, passwords present a relatively simple point of attack. For systems that rely on passwords to be secure, the system administrator must enforce password controls and provide user education. Users tend to pick common passwords, write down passwords, and unintentionally install malware that can log passwords. Additionally, building a powerful dedicated password-cracking computer system has become trivial and low cost. IBM PowerSC MFA provides a method to raise the assurance level of systems by requiring extra authentication factors for users.

Multi-factor authentication concepts

IBM PowerSC MFA relies on multiple authentication factors.

Multi-factor authentication is a method of computer access control in which a user is granted access only after successfully providing several authentication factors to an authentication mechanism. The authentication factors are typically from at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). Multiple authentication factors improve the security of user accounts.

Users either provide the credentials directly in the application (in-band) or out-of-band:
- For in-band authentication, users generate a token by using IBM PowerSC MFA with SecurID or PIV/CAC cards and use that token directly to log in. Authentication is performed by using the IBM PowerSC MFA pluggable authentication modules (PAM).
- Out-of-band authentication allows users to authenticate on a user-specific web page with one or more factors to retrieve a cache token credential (CTC) that they then use to log in. For more information, see “Out-of-band authentication type” on page 4.

Consider the following authentication example:

    ssh user@system.your-domain.com
    Available Policies:
    1. SecurID                        (1)
    Select Policy or enter CTC: 1     (2)
    Enter your SecurID passcode.
    Policy Satisfied.
    CTC: IVn&/KO2 iB4QNHW             (3)

(1) The available IBM PowerSC MFA policies are displayed.
(2) The user is presented with a choice of selecting a policy or entering a CTC.
    - If the user selects a policy, it indicates the in-band authentication type. The user enters the token directly in the application.
    - If the user chooses to enter a CTC, it indicates the out-of-band authentication type. The user must first authenticate on a user-specific web page with one or more factors to retrieve the CTC.
(3) If the in-band authentication is successful, IBM PowerSC MFA generates a CTC that the user can use to log in the next time if needed. In this scenario, the user doesn't have to wait for a new token code to be displayed.
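The login flow in the example above, modelled as an added illustration that is not IBM's code: a policy lists the factors a user must satisfy, an in-band success issues a CTC, and a later login may present that CTC instead, subject to the policy's reuse flag and token timeout. The factor verifier, the CTC alphabet and the timeout unit are assumptions; real factor validation (RSA Authentication Manager, certificate checks) is stubbed.

```python
import secrets
import string
import time
from dataclasses import dataclass


# The page states only that a CTC is 8 characters; the alphabet is assumed.
CTC_ALPHABET = string.ascii_letters + string.digits + "&/"


@dataclass
class Policy:
    """An authentication policy as described on this page: the factors the
    user must satisfy, whether the CTC may be reused, and its token timeout."""
    name: str
    factors: tuple              # e.g. ("SECURID",) or ("SECURID", "PIVCAC")
    reusable: bool = False      # "Setting the cache token credential to be reusable"
    timeout_s: int = 300        # "Setting policy token timeout" (seconds assumed)


@dataclass
class CtcRecord:
    user: str
    policy: str
    issued_at: float
    used: bool = False


class MfaServer:
    """Toy server holding policies and issued CTCs. verify_factor is a callable
    (user, factor, credential) -> bool standing in for RSA Authentication
    Manager / certificate validation, which this model does not implement."""

    def __init__(self, policies, verify_factor, clock=time.time):
        self.policies = {p.name: p for p in policies}
        self.verify_factor = verify_factor
        self.clock = clock
        self.ctcs = {}          # CTC string -> CtcRecord

    def list_policies(self):
        return list(self.policies)

    def login_with_policy(self, user, policy_name, credentials):
        """In-band path (callouts 2 and 3 above): compound authentication, so
        every factor in the policy must succeed; a fresh CTC is then issued."""
        policy = self.policies[policy_name]
        for factor in policy.factors:
            if not self.verify_factor(user, factor, credentials.get(factor)):
                return None     # one failed factor fails the whole policy
        ctc = "".join(secrets.choice(CTC_ALPHABET) for _ in range(8))
        self.ctcs[ctc] = CtcRecord(user, policy_name, self.clock())
        return ctc

    def login_with_ctc(self, user, ctc):
        """CTC path: accept only the owner's CTC, inside the policy timeout,
        and only once unless the policy marks the CTC reusable."""
        rec = self.ctcs.get(ctc)
        if rec is None or rec.user != user:
            return False
        policy = self.policies[rec.policy]
        if self.clock() - rec.issued_at > policy.timeout_s:
            del self.ctcs[ctc]  # expired: forget it rather than keep it around
            return False
        if rec.used and not policy.reusable:
            return False
        rec.used = True
        return True


def demo():
    """Replays the transcript above with a constructed passcode check."""
    server = MfaServer(
        [Policy("SecurID", ("SECURID",))],
        lambda user, factor, cred: factor == "SECURID" and cred == "1234567891",
    )
    print("Available Policies:")
    for i, name in enumerate(server.list_policies(), 1):
        print(f"{i}. {name}")
    ctc = server.login_with_policy("user", "SecurID", {"SECURID": "1234567891"})
    print("Policy Satisfied." if ctc else "Policy failed.")
    print(f"CTC: {ctc}")
    return ctc


if __name__ == "__main__":
    demo()
```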

IBM PowerSC MFA with SecurID authentication method

While authenticating by using the IBM PowerSC MFA with SecurID authentication method, the RSA Authentication Manager determines whether the user's credentials are valid, and if valid returns success to IBM PowerSC MFA. The AIX or Linux operating system then resumes control and completes the authentication and authorization process as usual.

The IBM PowerSC MFA with SecurID authentication method requires the following credentials:
- Something you have (the hardware or software RSA SecurID token).
- Two things you know (an RSA SecurID Personal Identification Number (PIN), and something you know).

PIV/CAC authentication method

The PIV/CAC authentication method is a general-purpose certificate authentication that includes Personal Identification Verification (PIV) and Common Access Card (CAC) cards. Certificate authentication uses the client identity certificate to authenticate the user.

The PIV/CAC authentication method requires the following credentials:
- Something you have (the approved certificate, typically from a PIV or CAC card or other smart card).
- Something you know (the Personal Identification Number (PIN)).

Out-of-band authentication type

The IBM PowerSC MFA out-of-band authentication type requires the user to authenticate to the out-of-band web page with one or more factors to retrieve an authentication code called a cache token credential (CTC).

A user-specific out-of-band login page prompts for all of the authentication factors the user must provide. The user connects to the URL provided by the administrator and logs in with their MFA ID. A list of authentication policies is displayed. Each policy defines the factors the user must provide, specifies whether the cache token credential can be reused, and sets the time duration for which the cache token credential can be reused. When the user selects an authentication policy, a list of factors required to use the policy is displayed.

All configured authentication factors must succeed to receive the CTC. For example, if an account is configured for both the IBM PowerSC MFA with SecurID and PIV/CAC authentication methods, both methods must succeed.

If successful, the user receives a CTC that they can use to log in to the AIX or Linux application.

Benefits of the out-of-band authentication type

Consider the following benefits of using the out-of-band authentication type:
- A system administrator can require the user to provide multiple authentication factors for authenticating to the out-of-band web page. By mandating multiple authentication factors, you improve the security of the user account.
- You can set the user to use certificate authentication for authenticating to the out-of-band web page, including certificates stored on CAC and PIV cards.
- You can use the cache token credential in cases where the application replays the user password. IBM PowerSC MFA with SecurID token codes can be used only once, which can be problematic for applications that cache and replay passwords. To resolve this problem, you can use the resulting 8-character cache token credential as the password.

- You can customize the out-of-band authentication type for each user. You can decide which users must provide which factors based on your own environment and security needs. The user is then provided with a customized, user-specific out-of-band web page to log in.

Benefits of compound authentication in the out-of-band authentication type

Authenticating to the out-of-band web page or to an application by using two or more factors is called compound authentication. All configured authentication factors must succeed for the user to retrieve the cache token credential.

For example, if you configure the user for both IBM PowerSC MFA with SecurID and PIV/CAC authentication, both authentications must succeed. By mandating both a SecurID token code and the certificate, you improve the security of the user account.

How tokens work with the out-of-band authentication type

A SecurID token code is valid only while it is displayed. However, the out-of-band web page validates each token according to the existing requirements.

For example, if the user provides the SecurID token code, the out-of-band web page validates that token code in real time. If the user then provides a certificate, the out-of-band web page then validates that certificate in real time.

The user has a fixed amount of time to satisfy all authentication factors.

In-band PIV/CAC and out-of-band authentication type

The typical use case for PIV/CAC card authentication is the out-of-band authentication type, in which the smart card reader is attached to a Windows or Mac OS desktop system and certificate management and login are performed through the out-of-band web interface. For more information, see “Out-of-band authentication type” on page 4.

The in-band PIV/CAC authentication type is a special use case in which the AIX operating system has a smart card reader directly attached to a USB port. See “Configuring the PIV/CAC in-band authentication type” on page 41 for complete information.

RSA Authentication Manager concepts

The RSA Authentication Manager includes token codes, PINs, and passcodes.

SecurID token code

The SecurID token code is a continuously regenerated number used to prove the user's identity.

The token code is a pseudo-random 6-8 digit number (PRN), based on the current time, that is displayed on the RSA SecurID token device. It is presumed that only an authorized user possesses the token device.

The token code is a one-time password (OTP). It is valid only while it is displayed, and it can be used only once. The token device generates a new token code at regular intervals, typically every 60 seconds. The display frequency for the token device determines the amount of time for which a token code appears before the display is refreshed.

SecurID PIN

The SecurID PIN is conceptually similar to a PIN that the user might use for financial transactions. It is a number that only the user knows that helps to identify the user.

The Personal Identification Number (PIN) is a unique 4-8 digit identifier that only the user knows. The PIN can be of the user's choosing, or system-generated by RSA Authentication Manager, depending on the RSA token policy. If the user creates their own PIN, they should follow the locally established rules for creating a valid PIN, such as the number of characters and the reuse policy.

The RSA security administrator can clear and reset the PIN, after which the user's current PIN becomes invalid.

SecurID passcode

A SecurID passcode is the combination of a PIN and token code.

Similar to the token code, a passcode is a one-time password (OTP). It is valid only while it is displayed, and it can be used only once.

There are two types of passcodes:
- For hardware fob-style tokens without a PINpad, the SecurID passcode consists of the user's PIN followed by the token code, and the user must enter both. For example, if the PIN is 1234 and the token code is 567891, the user enters the passcode as 1234567891.
- For SecurID PINpad hardware tokens and software token applications, the user enters the PIN on the PINpad and the token generates a hash-encrypted passcode from the PIN and the generated token. The token generates a new passcode at regular intervals, typically every 60 seconds. The user then uses the generated passcode to log in.

Types of token devices

Several types of RSA SecurID token devices are supported.

RSA SecurID card-style tokens and key fobs

These devices generate a token code. Card-style tokens (such as the RSA SecurID 200) and key fobs (such as the RSA SecurID 800) function identically, with both displaying the token code on the LCD.

RSA SecurID PINpads

The user enters the PIN directly into the token, and the token generates a hash-encrypted 6-8 digit passcode. For example, by using the RSA SecurID 520 card-style PINpad, the user enters the PIN via a 10-digit numeric pad that is contained on the card. The passcode displayed is a hash-encrypted combination of the PIN and the current token code.

The user can use the PINpad token in the following ways:
- If the user has a valid PIN, the user can enter the PIN and the token generates a hash-encrypted passcode. The passcode displayed is a hash-encrypted combination of the PIN and the current token code. The passcode can be six or eight digits, depending on the profile.
- If the user does not have a valid PIN, which can occur if the security administrator forces the user to change it, use the token to generate a token code. The user then uses the generated token code to log in and change the PIN.

RSA SecurID software token applications

RSA SecurID software token applications are available on a computer or other smart device.

The user can use the software token application in the following ways:
- If the user has a valid PIN, enter the PIN and the token generates a hash-encrypted passcode. The passcode displayed is a hash-encrypted combination of the PIN and the current token code. The passcode can be six or eight digits, depending on the profile.

- If the user does not have a valid PIN, which can occur if the security administrator forces the user to change it, use the token to generate a token code. The user then uses the generated token code to log in and change the PIN.

Password field

Depending on the token type, IBM PowerSC MFA uses the password field to contain the PIN and the token code.

Consider the following example:

    User            Smith
    PIN             8888
    Token           123456
    Software token  223344

As described in “Types of token devices” on page 6, hardware tokens use a physical token and a PIN. Software tokens use the software to hash the PIN into the token and generate a passcode, and you do not need to use a separate PIN.

Typical login

When more than 8 characters are allowed for the password:
- For a hardware token, the user enters 8888123456 in the password field.
- For a software token, the user enters 223344 in the password field.

PIN-change mode

PIN-change mode is similar to a password change: after the user completes the login process, the user receives a password expired notification.

For example, assume that the user wants to use 9999 as the new hardware token PIN, or 229999 if using a software token.

When more than 8 characters are allowed for the password:
- For a hardware token, the user is prompted to enter a new password. Enter 9999 in the new password field.
- For a software token, the user is prompted to enter a new password. Enter 229999 in the new password field.

After the PIN change is complete, the user must re-validate the new codes by using the usual login procedure.


Installing IBM PowerSC MFA

The IBM PowerSC MFA components are installed separately, and have no dependencies on any other product.

IBM PowerSC MFA is installed from the installp file sets.

A post-installation step allows you to log in as the initial IBM PowerSC MFA user.

IBM PowerSC MFA requirements

This section describes the hardware and software requirements for installing IBM PowerSC MFA.

Software requirements

You can install the IBM PowerSC MFA components as described in Table 1.

Table 1. IBM PowerSC MFA Installation Requirements

Component: IBM PowerSC MFA server and GUI components
Location of installation: A separate LPAR or VM that is running AIX 7.1 with Technology Level 5 or later, or AIX 7.2 with Technology Level 2 or later.

Component: IBM PowerSC MFA PAM modules
Location of installation: Every AIX operating system, Virtual I/O Server (VIOS), Red Hat Enterprise Linux Server, or SUSE Linux Enterprise Server for which you want to use IBM PowerSC MFA for authentication. The systems must be at the following versions:
- AIX 6.1 with Technology Level 9 SP 8, or later
- AIX 7.1 with Technology Level 4 SP 3, or later
- AIX 7.2 with Technology Level 1 SP 1, or later
- Virtual I/O Server version 2.2.5.20, or later
- Linux on Power servers running Red Hat Enterprise Linux Server 7.4, or later
- Linux on Power servers running SUSE Linux Enterprise Server 12 SP3, or later

Table 1. IBM PowerSC MFA Installation Requirements (continued)

Component: IBM PowerSC MFA pam_pkcs11 PAM module
Location of installation: An AIX system to which the user's smart card reader is directly attached through a USB port, running AIX 7.1 Technology Level 5 SP1 or AIX 7.2 Technology Level 2 SP1. Select the appropriate link to download the interim fix (iFix) for the version of the AIX operating system:
- 0885m1a.180329.AIX71TL05SP00-01.epkg.Z
- 4454m0b.AIX72TL02SP00-01.180312.epkg.Z
In addition, for AIX 7.2 Technology Level 2 SP1, also download the interim fix (iFix) for xlock: 4453s0a.AIX72TL00.180228.epkg.Z
The bos.ahafs file set is required. The IBM PowerSC MFA installation creates the /aha directory, and mounts the AHAFS file system on it.

Hardware requirements for in-band PIV/CAC authentication type

IBM PowerSC MFA has been tested with the tokens, readers, and cards shown in Table 2. Other hardware components might also work, but have not been tested.

Table 2. Tested Tokens, Readers, and Cards

Component: Authentication token
Model: YubiKey 4

Component: Smart card readers
Models:
- Identiv/SCM SCR3310v2
- Identiv/SCM SCR3500
- Gemalto IDBridge CT30

Component: Keyboard embedded smart card readers
Model: ACS ACR38K-E1

Component: Smart cards
Models:
- PIVKey C910 PKI Smart Card
- NIST Test PIV Cards
- Oberthur Technologies Smart Cards

Installing IBM PowerSC MFA server and GUI

IBM PowerSC MFA can run on any AIX operating system that meets the minimum requirements.

You must install the IBM PowerSC MFA server and GUI on one instance of the AIX operating system.

Change directory (cd) to the images-directory directory and run the following installp command as root to install the IBM PowerSC MFA server and GUI:

    installp -agXYd . powerscMFA.license powerscMFA.server

Obtaining the PKCS#12 file and certificate password

Obtain the PKCS#12 file and the server certificate password for your IBM PowerSC MFA server system from your security administrator.

The PKCS#12 file includes the server certificate, any intermediate certificates, and the private key in a single file. You must have the password for the server certificate.

After you obtain the PKCS#12 file and the password for the server certificate, use the secure copy (scp) command to copy the resulting file to the /etc/security/pmfa/certificates directory on the IBM PowerSC MFA server system.

Creating the server truststore

The server truststore of trusted Certificate Authority (CA) certificates is a single file in the /etc/security/pmfa/certificates directory that contains the client PIV/CAC card issuing certificate chain in Privacy Enhanced Mail (PEM) format. You must create this truststore so that the server trusts the client system.

The client certificate issuing chain, including any intermediate certificates and the root CA, must be in PEM format.

Note: The procedure to obtain the certificate chain of the PIV/CAC card varies by the vendor and application. See “Exporting the client issuing certificate chain” on page 39 for a possible method.

To create the truststore, complete the following steps:

1. If the certificates are not already in the PEM format, convert them. For example, if the certificates are currently in the Distinguished Encoding Rules (DER) format, you can use the openssl x509 command to convert them. The following example converts one intermediate certificate and the root CA certificate.

       openssl x509 -in inter_key.cer -inform der -outform pem -out inter_key.pem
       openssl x509 -in ca_key.cer -inform der -outform pem -out ca_key.pem

2. Concatenate the certificate .pem files into a single file.

       cat inter_key.pem > client.pem
       cat ca_key.pem >> client.pem

3. Use the secure copy (scp) command to copy the resulting file to the /etc/security/pmfa/certificates directory on the IBM PowerSC MFA server system.

Completing the server setup

You must run the pmfa_webserver_config utility to complete the IBM PowerSC MFA server setup.

Important: The pmfa_webserver_config utility accepts the values you specify and does not perform additional validation. If you make typing mistakes or enter invalid values, the IBM PowerSC MFA daemon might not start.

To finish the IBM PowerSC MFA server setup, complete the following steps:

1. Log in to the IBM PowerSC MFA server system by using SSH.
2. Change directory (cd) to /opt/IBM/powersc/MFA/bin.
3. Run the following command as root and specify the required parameters:

       ./pmfa_webserver_config /etc/security/pmfa/certificates/secsrv.p12 password /etc/security/pmfa/certificates/client.pem /opt/IBM/powersc/MFA/mfa 6793 6794
       Successfully configured pMFA Webserver.

   where the parameters, in order, are:
   - path_to_identity_certificate and certificate_password are the PKCS#12 certificate and password you obtained in “Obtaining the PKCS#12 file and certificate password” on page 10.
   - path_to_trusted_cas is the truststore (client.pem in the example) you created in “Creating the server truststore.”

   - path_to_oob_docroot is the document root for the IBM PowerSC MFA web server. Enter /opt/IBM/powersc/MFA/mfa, or choose your own location.
   - server_auth_port is the port number on which you want the web server to listen.
   - mutual_auth_port is the port number you want to use for mutual authentication.

Adding IBM PowerSC MFA administrator IDs

You must run the pmfa_administrator_util utility to add one or more IBM PowerSC MFA administrator IDs. Only IBM PowerSC MFA administrators can access the IBM PowerSC MFA GUI.

To add one or more IBM PowerSC MFA administrator IDs, complete the following steps:

1. Log in to the IBM PowerSC MFA server system by using SSH.
2. Change directory (cd) to /opt/IBM/powersc/MFA/bin.
3. Run the following command as root and provide the required access level to the user. Specify SUPERADMIN to be able to perform all IBM PowerSC MFA administrative functions.

       ./pmfa_administrator_util username S
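Because pmfa_webserver_config performs no validation of its own and a typo can leave the daemon unable to start, here is an added pre-flight check (not part of the product) for the positional arguments described above: the PKCS#12 file must start like DER, the truststore must hold at least one PEM certificate block, the docroot must be a directory, and the two ports must be valid and distinct. The helper that writes sample input files produces DER-shaped stand-ins, not real certificates, so a dry run works offline.

```python
import base64
import os
import re
import tempfile

# One PEM certificate block; the base64 body may span several lines.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def looks_like_der(blob):
    """A PKCS#12 file and an X.509 certificate are both outer DER SEQUENCEs:
    tag 0x30 followed by a short-form length or a long-form length prefix."""
    return len(blob) >= 2 and blob[0] == 0x30 and (
        blob[1] < 0x80 or 0x81 <= blob[1] <= 0x84)


def count_pem_certs(pem_bytes):
    """Number of PEM certificate blocks whose base64 body decodes to DER."""
    count = 0
    for body in PEM_CERT.findall(pem_bytes):
        try:
            der = base64.b64decode(body)   # newlines are skipped by the decoder
        except ValueError:
            continue
        if looks_like_der(der):
            count += 1
    return count


def check_config_args(p12_path, truststore_path, docroot, server_port, mutual_port):
    """Return a list of problems with the pmfa_webserver_config arguments
    (the certificate password is not inspected). Empty list: none found."""
    problems = []
    try:
        with open(p12_path, "rb") as fh:
            if not looks_like_der(fh.read(4)):
                problems.append(f"{p12_path}: does not look like a DER PKCS#12 file")
    except OSError as exc:
        problems.append(f"{p12_path}: {exc.strerror}")
    try:
        with open(truststore_path, "rb") as fh:
            if count_pem_certs(fh.read()) == 0:
                problems.append(f"{truststore_path}: no PEM certificate blocks found")
    except OSError as exc:
        problems.append(f"{truststore_path}: {exc.strerror}")
    if not os.path.isdir(docroot):
        problems.append(f"{docroot}: document root is not a directory")
    valid = []
    for label, port in (("server_auth_port", server_port), ("mutual_auth_port", mutual_port)):
        if isinstance(port, int) and 1 <= port <= 65535:
            valid.append(port)
        else:
            problems.append(f"{label}: {port!r} is not a valid TCP port")
    if len(valid) == 2 and valid[0] == valid[1]:
        problems.append("server_auth_port and mutual_auth_port must differ")
    return problems


def write_constructed_samples(directory=None):
    """Create constructed input files for a dry run: a DER-shaped stand-in for
    the PKCS#12 file, a truststore with one DER-shaped PEM block, a truststore
    holding only a comment, and an empty docroot. Returns their paths."""
    directory = directory or tempfile.mkdtemp(prefix="pmfa-preflight-")
    fake_cert_der = b"\x30\x82\x01\x00" + b"\x00" * 256       # not a real cert
    pem_block = (b"-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(fake_cert_der)
                 + b"-----END CERTIFICATE-----\n")
    paths = {
        "p12": os.path.join(directory, "secsrv.p12"),
        "truststore": os.path.join(directory, "client.pem"),
        "bad_truststore": os.path.join(directory, "empty.pem"),
        "docroot": os.path.join(directory, "mfa"),
    }
    with open(paths["p12"], "wb") as fh:
        fh.write(b"\x30\x82\x04\x00" + b"\x00" * 64)          # DER-shaped stand-in
    with open(paths["truststore"], "wb") as fh:
        fh.write(pem_block)
    with open(paths["bad_truststore"], "wb") as fh:
        fh.write(b"# intermediate and root CA go here\n")
    os.makedirs(paths["docroot"], exist_ok=True)
    return paths


if __name__ == "__main__":
    p = write_constructed_samples()
    print(check_config_args(p["p12"], p["truststore"], p["docroot"], 6793, 6794))
```

Run it against the real secsrv.p12, client.pem and docroot before invoking the utility; an empty list means the arguments at least have the expected shape.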
