SQL access rules require that an Assure MFA administrator has set up the appropriate authentication environment on the system and in the Assure MFA configuration and that you have valid license keys for both Assure MFA and Assure System Access Manager.
The Add Rules wizard creates an SQL access rule that requires multi-factor authentication using a RADIUS token to sign on to the IBM i. The rule created is based on your selections and default settings for the SQL access rule category.
To be usable, SQL access rules require that the following configuration activities be performed from the 5250 user interface to set up the authentication environment on the system and in the Assure MFA configuration:
- Required: User profiles to be authenticated must be added to the configuration in the MFA User Profiles list. This list maps IBM i user profile names to the user names known to the RADIUS server. See Working with Assure MFA profiles (WRKQAPRF) in the Assure Multi-factor Authentication User Guide for how to use the WRKQAPRF command to add users manually or by creating and importing a file.
- Required: An Assure System Access Manager (SAM) control for SQL access to files must be configured and active. The control name must be either the same as the SQL access rule name or must use the rule name as a prefix. For example, a control named SQL4 could use rules named SQL4ADM and SQL4OTHER to authenticate. See How to secure the STRSQL command using Four-Eyes rules in the Assure Multi-factor Authentication User Guide.
- Required: Exit point programs for the types of requests requiring additional authentication must be active. You may also need to end and restart certain servers and subsystems to make the exit point programs effective. See How to secure the STRSQL command using Four-Eyes rules in the Assure Multi-factor Authentication User Guide.
- Required: Edit the SQL4_DB2 condition list to identify the files that require four-eyes authentication and the authorized users. The users identified must be the same as those that the SQL access rule can authenticate.
- Required: The RADIUS server that will validate tokens must be configured and added to the Assure MFA configuration as an authentication server with the WRKQASRV command, and the server must be active. See Configuring Assure MFA for use with RADIUS server and RADIUS passcode in the Assure Multi-factor Authentication User Guide.
Default settings for an SQL access rule created using the Add Rules wizard use the same values as the template rule X_SQL4ADM, with these exceptions: the Additional Authentication field is set to Radius Token, and the Send Information field is blank. You can view template rules from the 5250 user interface.