16.5 Setting-Up an MFA Server

The OES MFA service uses the NetIQ Advanced Authentication (AA) server in the back-end. For more information, see the NetIQ Advanced Authentication documentation.

Prerequisite Parameters Required from the AA Server

  1. Endpoint: The Endpoint ID and Endpoint Secret of the endpoint created in the AA server.

  2. Chain: Create a chain in the AA server that contains smartphone (with push notification) as the only method.

  3. Event: The name of the event created in the AA server, which contains the chain created in step 2.

  4. Repository: (Optional) A repository name can be configured in MFA only if all the eDirectory users who require MFA exist in one repository of the AA server. If the eDirectory users who require MFA are spread across different repositories in AA, there is no need to configure the repository name in the MFA server.

    For Active Directory users, repository configuration is not required in the MFA server.

Configuring the MFA Server

  1. Select the OES MFA server pattern in YaST during or post OES installation.

  2. After successful installation of the OES MFA Server pattern, run the following command from the terminal console:

    mfa-server-cli service-config

    During service-config, enter the eDirectory administrator credentials and confirm the host name to be used for the MFA server.

    NOTE: By default, the host name is automatically fetched from the system. The MFA agent establishes an HTTPS connection using this host name, so it must match the DNS name in the server certificate used by the Apache server.

    This initializes the database and brings up the MFA server service; the isDbConfigured parameter then appears as true (shown in mfa-server-cli print-config).

    Run the systemctl status mfa-server.service command to check the status of the MFA server service. To view the configuration parameters, run the mfa-server-cli print-config command.

  3. Run the following command to configure the AA server details:

    mfa-server-cli auth-server --authSrvHost=<AA server details> --endPointID=<id> --endPointSecret=<secret>

    This updates the AA server address and the AA endpoint information. The parameter isAuthSrvConfigured appears as true on the configuration parameter page.

  4. Run the following command to configure the event and repository information from the AA server:

    mfa-server-cli policy-config --event=<AA event name> --eDirRepo=<Name of eDirectory repository in AA server>

    This updates the AA event and repository information, and isPolicyConfigured appears as true on the configuration parameter page.

    NOTE: The eDirRepo configuration is optional, but recommended for better performance. Only one repository can be configured. eDirRepo can be configured only if all eDirectory users who require MFA exist in one repository of the AA server. If eDirectory users are spread across different repositories in AA, repository name configuration is not required. For Active Directory users, no repository configuration is required in the MFA server; the MFA server can identify the repository name of an AD user.

  5. On successful completion of steps 1 to 4, run mfa-server-cli print-config.

    If the MFA server configuration is successful, the mfa-server > isConfigured parameter appears as true. Otherwise, run service-cleanup and then service-reconfig to bring up the MFA server.

    Configuration parameters can be modified using the mfa-server-cli utility as described in Command Line Utility of MFA Server.
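The following POSIX shell script is an added example, not part of the OES documentation or the mfa-server-cli utility. It checks the four state flags that steps 2 to 5 above set (isDbConfigured, isAuthSrvConfigured, isPolicyConfigured, isConfigured) in the order the steps produce them, so the first flag that is not true tells you which step to revisit. It assumes that mfa-server-cli print-config emits each parameter as a "name = value" or "name: value" line; that output format is an assumption, so adjust the sed pattern if the real output differs. The sample outputs at the bottom are constructed so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the OES documentation): verify the MFA server
# configuration state after the setup steps.
# ASSUMPTION: print-config emits one "name = value" (or "name: value") pair
# per line, e.g. "isConfigured = true". Adjust the sed pattern if not.

# flag_value OUTPUT FLAG: print the value of FLAG found in OUTPUT (empty if absent).
flag_value() {
    printf '%s\n' "$1" \
        | sed -n "s/.*$2[[:space:]]*[=:][[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | head -n 1
}

# mfa_config_state OUTPUT: check the flags in the order the steps set them.
# Prints "ok" and returns 0 when all are true; otherwise prints the first
# flag that is not true and returns 1.
mfa_config_state() {
    for flag in isDbConfigured isAuthSrvConfigured isPolicyConfigured isConfigured; do
        if [ "$(flag_value "$1" "$flag")" != "true" ]; then
            echo "$flag"
            return 1
        fi
    done
    echo "ok"
    return 0
}

# Constructed sample outputs (assumed format) for offline use.
SAMPLE_OK='isDbConfigured = true
isAuthSrvConfigured = true
isPolicyConfigured = true
isConfigured = true'

SAMPLE_BAD='isDbConfigured = true
isAuthSrvConfigured = false
isPolicyConfigured = false
isConfigured = false'

# On a real OES server, feed the live print-config output and follow the
# documented recovery (service-cleanup, then service-reconfig) if needed.
if command -v mfa-server-cli >/dev/null 2>&1; then
    state=$(mfa_config_state "$(mfa-server-cli print-config)") || {
        echo "MFA server not fully configured; first flag not true: $state"
        echo "Recovery: mfa-server-cli service-cleanup && mfa-server-cli service-reconfig"
    }
fi
```

Running the script on a server where the AA endpoint details were never applied (step 3 skipped or failed) reports isAuthSrvConfigured as the first flag that is not true, which points directly at the mfa-server-cli auth-server step rather than at the final isConfigured summary.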