IBM Support

Configuring Multi Factor Authentication (MFA) on the HMC

How To


Summary

Starting in V9R1M940 and higher the HMC offers MFA as an additional security measure.

Objective

This document will cover the requirements for MFA on the HMC.

Environment

The configuration of MFA on the HMC has the following requirements:
- PowerSC MFA server 1.2.0.2 or higher
- HMC users must be provisioned on the PowerSC MFA server.
- RSA Authentication Manager v8.1 or later is required if RSA SecurID is used.
You can configure MFA using the CLI or by using the GUI. To enable Multi-Factor Authentication from the GUI, complete the following steps:
  1. In the navigation area, click the Users and Security icon, and then select Systems and Console Security.
  2. In the content pane, click Manage MFA.
  3. From the Manage MFA window, select the Enable multi factor authentication check box.
  4. Enter the following information:
     - Host name or IP address of the authentication server
     - Port of the authentication server

To enable MFA using the CLI, see the man pages on chhmcauth and lshmcauth.
Version 1060 Enhancement:
When the HMC is enabled with PowerSC MFA, all users, including local, LDAP and Kerberos users, are prompted with the PowerSC MFA authentication process.
To avoid this, the HMC can be enabled with a PowerSC MFA allow list for users. Users added to the allow list are exempted from PowerSC MFA authentication on the HMC via CLI/SSH.
Add:
chhmcauth -t powersc -o set -a "allow_list+=username1,.."
Remove:
chhmcauth -t powersc -o set -a "allow_list-=username1,.."
Set:
chhmcauth -t powersc -o set -a "allow_list=username1,.."
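The following POSIX shell helper is an added example and is not IBM's code; it assumes only the chhmcauth allow-list syntax shown above (allow_list+=, allow_list-= and allow_list=). It validates the user names, removes duplicates, builds the attribute string for the add, remove or set operation, and by default prints the resulting chhmcauth command instead of running it (set HMC_DRY_RUN=0 on the HMC to execute). Because every name on the allow list bypasses PowerSC MFA for CLI/SSH logins, the rejection of malformed names keeps a stray comma or space from silently exempting the wrong account.

```shell
#!/bin/sh
# Added example (not IBM's code). Builds the chhmcauth allow-list attribute
# from the syntax on this page: allow_list+=..., allow_list-=..., allow_list=...

# Accept only conservative user names; anything else could break the
# comma-separated attribute value or exempt an unintended account.
hmc_valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# hmc_allow_list_attr OP user...   (OP is add, remove or set)
# Prints e.g. "allow_list+=alice,bob" on stdout; returns 1 on bad input.
hmc_allow_list_attr() {
    op=$1; shift
    case "$op" in
        add)    sym='+=' ;;
        remove) sym='-=' ;;
        set)    sym='='  ;;
        *) echo "unknown operation: $op" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "no user names given" >&2; return 1; }
    list=''
    for u in "$@"; do
        hmc_valid_user "$u" || { echo "invalid user name: '$u'" >&2; return 1; }
        # Skip duplicates so the same name is not sent twice.
        case ",$list," in *",$u,"*) continue ;; esac
        list="${list:+$list,}$u"
    done
    printf 'allow_list%s%s\n' "$sym" "$list"
}

# hmc_allow_list_apply OP user...
# Dry run (default) prints the command; HMC_DRY_RUN=0 runs chhmcauth on the HMC.
hmc_allow_list_apply() {
    attr=$(hmc_allow_list_attr "$@") || return 1
    if [ "${HMC_DRY_RUN:-1}" = "1" ]; then
        printf 'dry run: chhmcauth -t powersc -o set -a "%s"\n' "$attr"
    else
        chhmcauth -t powersc -o set -a "$attr"
    fi
}

# Example usage with constructed names (dry run prints the command):
hmc_allow_list_apply add backup_op monitor_ro
hmc_allow_list_apply remove backup_op
```

Run it as a dry run first and compare the printed command against the allow list you intend; only the names that genuinely need an MFA exemption for automation should ever appear in it, and the list is worth re-checking with lshmcauth after each change.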

Additional Information

  1. Multi-Factor Authentication is disabled on the HMC by default.
  2. For HMC GUI login, when MFA is enabled and the user is configured on the PowerSC MFA server, enter the Cache Token Credential (CTC) code in the password field.
  3. For Secure Shell (SSH) login:
     When MFA is enabled, all users that log in through SSH are prompted for a CTC code. If the user is configured on the PowerSC MFA server, enter the CTC code at the prompt. If the user is not configured on the PowerSC MFA server, press Enter when prompted for the CTC code, and then enter the user's password at the prompt.

Document Location

Worldwide


Document Information

Modified date:
10 June 2024

UID

ibm16482893