Server access rules require that an Assure MFA administrator has set up the appropriate authentication environment on the system and in the Assure MFA configuration and that you have valid license keys for both Assure MFA and Assure System Access Manager.
The Add Rules wizard creates a server access rule that directs authentication challenges to a listener (web or 5250) and requires multi-factor authentication using a RADIUS token to sign on to the IBM i. The rule settings are based on your selections in the wizard and the default values for the server access rule category.
To be useable, server access rules require the following configuration activities be performed from the 5250 user interface to set up the authentication environment on the system and in the Assure MFA configuration:
- Required: An Assure System Access Manager (SAM) control for server access must be configured and active. The control name must either be identical to the server access rule name or be a prefix of it. For example, a control named MFASGN can authenticate only with rules whose names are MFASGN or begin with MFASGN, such as MFASGN1, MFASGN2 and MFASGN3; a rule whose name does not start with the control name is never used by that control. See How to configure to secure access to server jobs in the Assure Multi-factor Authentication User Guide.
- Required: Exit point programs for the types of requests that require additional authentication must be active. You may also need to end and restart certain servers and subsystems before the exit point programs take effect. See How to configure to secure access to server jobs in the Assure Multi-factor Authentication User Guide.
- Optional: If you also want to require authentication to open the listener itself, create an additional listener rule from the 5250 user interface: rule MFA_OPNQA secures the 5250 listener and rule MFA_OPWQA secures the web listener. In either case, the listener must be active in order to handle authentication challenges. See How to configure to secure access to server jobs in the Assure Multi-factor Authentication User Guide.
- Required: User profiles to be authenticated must be added to the Assure MFA configuration in the MFA User Profiles list. This list maps IBM i user profile names to the user names known to the RADIUS server. See Working with Assure MFA profiles (WRKQAPRF) in the Assure Multi-factor Authentication User Guide for using the WRKQAPRF command to add users manually or by creating and importing a file.
- Required: The RADIUS server that will validate tokens must be configured, added to Assure MFA configuration as an authentication server with the WRKQASRV command, and the server must be active. See Configuring Assure MFA for use with RADIUS server and RADIUS passcode in the Assure Multi-factor Authentication User Guide.
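The control-to-rule naming requirement in the first item above is the easiest of these prerequisites to get wrong silently: a rule whose name does not equal or start with an active control's name is simply never used. The following script is an added example, not part of the Assure MFA documentation or product; it checks a list of control names against a list of rule names using only the rule stated above (equal name or prefix). The control and rule names in it are constructed sample data, name comparison is assumed to be case-insensitive as with IBM i object names, and because the page does not say which control wins when several match the same rule, such rules are reported as ambiguous rather than assigned.

```python
"""Pre-flight check of Assure SAM control names against Assure MFA rule names.

Added example, not from the Assure MFA documentation or product. It applies
only the naming requirement stated on the page: a control secures a server
access rule when the control name equals the rule name or is a prefix of it.
Assumption: names compare case-insensitively (IBM i object names are
uppercase). The sample names below are constructed, not real configuration.
"""


def matching_controls(rule, controls):
    """Return the controls whose name equals `rule` or is a prefix of it."""
    rule = rule.upper()
    return sorted(c for c in controls if rule.startswith(c.upper()))


def check_rule_coverage(rules, controls):
    """Map every rule to the controls that can serve it.

    Returns a dict with three keys:
      'covered'   -> {rule: control} for rules served by exactly one control
      'uncovered' -> rules no control matches (the rule will never be used)
      'ambiguous' -> {rule: [controls]} for rules matched by several controls
    """
    result = {"covered": {}, "uncovered": [], "ambiguous": {}}
    for rule in rules:
        matches = matching_controls(rule, controls)
        if not matches:
            result["uncovered"].append(rule)
        elif len(matches) == 1:
            result["covered"][rule] = matches[0]
        else:
            result["ambiguous"][rule] = matches
    return result


# Constructed sample data: the MFASGN control and rules from the page's own
# example, plus a rule that no control prefixes (SGNMFA) and a rule that two
# controls prefix (MFASGN1, matched by both MFASGN and MFASGN1).
SAMPLE_CONTROLS = ["MFASGN", "MFASGN1", "MFAFTP"]
SAMPLE_RULES = ["MFASGN", "MFASGN1", "MFASGN2", "MFASGN3", "SGNMFA", "MFAFTP01"]

if __name__ == "__main__":
    report = check_rule_coverage(SAMPLE_RULES, SAMPLE_CONTROLS)
    for rule, control in report["covered"].items():
        print(f"OK        {rule:<10} served by control {control}")
    for rule, ctrls in report["ambiguous"].items():
        print(f"AMBIGUOUS {rule:<10} matched by {', '.join(ctrls)}")
    for rule in report["uncovered"]:
        print(f"MISSING   {rule:<10} no control name equals or prefixes this rule")
```

Run it against the control names shown by the SAM configuration and the rule names shown by the Assure MFA 5250 interface; any rule listed as MISSING needs either a renamed rule or a new control before it can take part in authentication, and an AMBIGUOUS rule should be checked against the product documentation for how overlapping control names are resolved.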
Also, the User Guide topic How to test the configuration for securing server jobs describes how to test a Sign On rule with a RADIUS server.
Users who will be authenticated must be signed in to the web listener application or have a 5250 listener started before they use PC client applications that make FTP, ODBC, or JDBC connections to the IBM i system; otherwise there is no listener to receive the authentication challenge.
Default settings for a server access rule created using the Add Rules wizard are the same as those of the template rule X_MFASGN3. You can view template rules from the 5250 user interface.