Administrator Setup Procedure

After installation, complete the following procedure to configure Powertech Multi-Factor Authentication.

NOTE: See Installing Powertech Multi-Factor Authentication for installation information.

To Configure Powertech Multi-Factor Authentication

Configure Powertech Multi-Factor Authentication in HelpSystems Insite by configuring the general Powertech Multi-Factor Authentication settings, adding and configuring IBM i agents in Insite, configuring email settings, then adding and/or importing users to Powertech Multi-Factor Authentication.

Configure Powertech Multi-Factor Authentication Settings

The Settings screen includes several important settings related to authentication and general management of Powertech Multi-Factor Authentication. Review and configure all options available on the Settings screen prior to deploying Powertech Multi-Factor Authentication. See Settings Screen.

Add and Configure IBM i Agents in Insite

NOTE: The following instructions assume the Powertech Multi-Factor Authentication IBM i Agent software has been installed on the IBM i system. See Installing the IBM i Agent.
  1. Sign in to Insite and choose Powertech Multi-Factor Authentication from the Navigation Pane on the left.
  2. Click Systems Defaults to configure default agent settings. The Edit Default System screen appears. Here, you can:
    • Choose whether or not to allow user profiles that have not been assigned to a user in Powertech Multi-Factor Authentication.
    • Choose whether to allow or deny individual profiles for exit point sign on.
    • Choose whether to activate Exit Points by default for new IBM i Agents when the agent is activated.
  3. When you have finished configuring the defaults, click Save.
  4. On the Navigation Pane, choose Agents, click IBM i Agent, then click Add to open the New System screen, where you can add an agent. Do the following to set up the agent:
    NOTE: Settings for individual systems in Edit Systems override the equivalent settings configured in Edit Default System screen.
    1. Choose Select System and choose the IBM i system.
    2. Select whether or not to allow profiles that have not been assigned in Powertech Multi-Factor Authentication.
    3. Choose how to handle sign on of unassigned profiles. You can set Use Agent Defaults to Off in order to specify a profile to use for unassigned profile sign ons. Or, choose On to use the default settings defined in the Edit Default System screen.
    4. Check the Exit Points you want to enable and click Activate.
      NOTE: If you choose to require authentication for Exit Point sign on, users will need to download the Desktop Agent from the User Portal during User Setup. Instructions for doing so are included under User Setup.
    5. Click Save.
  5. To enable the system, click and choose Activate.
  6. Click Agents again in the navigation pane to show the IBM i agent option. If the "IBM i agent" row reads "Disabled", click for this option (on the right side of the screen) and choose Enable to enable IBM i agent service with Powertech Multi-Factor Authentication. You are asked if you want to change the statuses (activated or deactivated) of all systems connected to the agent. Choose Yes to do so and No to change only this system.

Add Groups

Before you begin adding Powertech Multi-Factor Authentication users, it is a good idea to create any Groups you would like to organize your users into. When users are organized into a Group, they can, for example, be enabled, disabled, or sent an email all at once. They can also be configured to use their own authentication method(s). (Users not assigned to a Group when added are assigned to the default group.)

  1. On the Navigation Screen, choose Users.
  2. Choose Add > Add Group. The New Group screen appears.
  3. Enter a Name and Description for the Group.
  4. Choose whether to Enable, Disable, or Inherit the five authentication methods.
  5. Click Save. This Group will now be available for selection when you add Powertech Multi-Factor Authentication Users.

Add Users

Powertech Multi-Factor Authentication users must be added and linked to a profile on an IBM i agent system before registration or authentication can take place. Users can be added manually on an individual basis, or imported from Active Directory and created automatically.

NOTE: It is faster to import Active Directory users than to create them manually, as they are created automatically upon import (see the next section, Importing Users, for details).
WARNING: QSECOFR is an IBM-supplied profile that should not, in general, be configured for multi-factor authentication. IBM warns: "do not change values [other than the password] for IBM-supplied user profiles. Changing these profiles can cause system functions to fail." See "IBM-supplied user profiles" in the IBM Security Reference at https://www.ibm.com/support/knowledgecenter/ for more details.

Adding Users Manually

Powertech Multi-Factor Authentication Users can be created individually using the following procedure:

  1. In the Navigation Pane, choose Users, then Add > Add User to open the New User screen.
  2. Enter the Powertech Multi-Factor Authentication Name. This is the name the user will be instructed to use, for example, to log in to the Powertech Multi-Factor Authentication User Portal during the registration procedure. It can be the same as the Active Directory account name or IBM i profile the user will be attached to.
  3. Enter the Active Directory Username, if one exists for the user. Skip this step if the user has only an IBM i profile, and no Active Directory Username.
  4. Enter the user's Full Name, email, and desired Group.
  5. For 'User Status,' set Enabled to Yes, which activates the user within Powertech Multi-Factor Authentication.
  6. For 'Authenticate User,' choose Yes if you want the user to be required to authenticate immediately, the next time they attempt to sign on to the IBM i. You can leave this set to No if you would rather wait and give the user time to register an authentication device before requiring them to authenticate.
  7. For Authentication Methods, select whether you want to enable or disable each method, or inherit settings from the Group settings.
  8. Link IBM i profiles with this Powertech Multi-Factor Authentication User:
    1. Under 'IBM i Profiles and Systems,' click Add.
    2. Select a system and choose Next.
    3. Select one or more profiles and choose Save.
    4. Repeat the above steps to add profiles from additional systems.
  9. Click Save to save the User in Powertech Multi-Factor Authentication's database.

Importing Users

Import users to expedite the process of creating Powertech Multi-Factor Authentication users using the following procedure:

  1. Import Active Directory users.
    In order for Powertech Multi-Factor Authentication to authenticate a user, it must have its own record of the user enrolled in Powertech Multi-Factor Authentication's database. Powertech Multi-Factor Authentication can create these users automatically while importing Active Directory users. However, before importing IBM i user profiles, the Powertech Multi-Factor Authentication users must already exist.

    Import Active Directory users first. This way, your Powertech Multi-Factor Authentication users can be created quickly for every Active Directory user. Then, you can import IBM i user profiles and use Powertech Multi-Factor Authentication's Smart Match feature to link them to the existing Powertech Multi-Factor Authentication users that were created when you imported from Active Directory.

    Any individual who does not have an Active Directory account must be imported manually. See Importing Users Manually.

    1. Configure LDAP using the LDAP Settings screen. To do so, in the Navigation Pane, click LDAP.
    2. Once LDAP has been configured, in the Navigation Pane, choose Users, then select Add > Import Users. The Import Users screen appears.
    3. For Location, choose Active Directory. For LDAP Context, enter the LDAP attributes you would like to use.
    4. For Group, select a Group for the users you are about to import.
      NOTE: To add a group, on the Users screen, click Add > Add Group. See Users screen for more details.
    5. Click Start Import. A Powertech Multi-Factor Authentication user is created for every Active Directory user.

  2. Import a list of IBM i user profiles and map them to the appropriate Powertech Multi-Factor Authentication users.
    WARNING: Powertech Multi-Factor Authentication does not prevent the possibility of system access using the Program/procedure field by a user during sign on. To disable the use of this field for users, set their Limit Capabilities user profile setting to *YES or *PARTIAL.
    1. In the Navigation Pane, choose Users, then select Add > Import Users. The Import Users pane appears.
    2. For Import Type, choose IBM i Profiles.
    3. For System, select the IBM system that includes the profiles you would like to import.
    4. You can filter results using a string of up to ten characters.
    5. Set Smart Match to On if you want Powertech Multi-Factor Authentication to attempt to match profiles with existing Powertech Multi-Factor Authentication users. (See Import Users screen for more details.)
    6. Click Start Import to begin importing profiles. After import, use the 'Assign Users to IBM i Profiles' section to link Powertech Multi-Factor Authentication users with imported IBM i profiles. Tips:
      • If Smart Match was enabled, use the icon to help identify matching users.
      • If the IBM i user was already assigned to a Powertech Multi-Factor Authentication user, the Powertech Multi-Factor Authentication user name appears in the column to the right of the Smart Match results.
      • Click Add User to display a menu that allows you to select a Powertech Multi-Factor Authentication user for the imported IBM i profile. Click within the text box and type to quickly identify the Powertech Multi-Factor Authentication user you would like to select, or use the scroll bar.
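The warning above about the Program/procedure field can be checked from the IBM i side. The following query is an added example, not part of the Powertech documentation: it uses the IBM i Services view QSYS2.USER_INFO to list enabled profiles that still have LMTCPB(*NO), and shows the remediation command for one reviewed profile. The Q* exclusion and the profile name MYUSER are assumptions for illustration.

```sql
-- Added example (not from the Powertech documentation).
-- List enabled user profiles that can still use the Program/procedure
-- field at sign-on, i.e. Limit Capabilities is *NO.
-- IBM-supplied profiles (QSECOFR and other Q* profiles) are skipped, per
-- the warning above; this assumes no site profiles begin with Q.
SELECT AUTHORIZATION_NAME,
       STATUS,
       LIMIT_CAPABILITIES
FROM   QSYS2.USER_INFO
WHERE  LIMIT_CAPABILITIES = '*NO'
  AND  STATUS = '*ENABLED'
  AND  AUTHORIZATION_NAME NOT LIKE 'Q%'
ORDER BY AUTHORIZATION_NAME;

-- After review, restrict one profile (placeholder name MYUSER).
-- *PARTIAL blocks the Program/procedure field but still allows the user
-- to change some sign-on values; *YES restricts both.
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(MYUSER) LMTCPB(*PARTIAL)');
```

Run the query again after the change to confirm the profile no longer appears.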

Send Email to Users

After users have been added to Powertech Multi-Factor Authentication, they need to be informed how to register the device(s) they will be using for authentication. Powertech Multi-Factor Authentication provides administrators with a pre-configured (and customizable) email that can be used for this purpose. The email includes the Powertech Multi-Factor Authentication User name, and a link to the User Portal, which allows them to register devices.

Configuring Email Settings

  1. In the Navigation Pane, click Email to configure email settings. See Email Settings screen.
    1. For 'Enabled,' choose On to allow emails to be sent from Powertech Multi-Factor Authentication.
    2. For 'Host,' enter your organization's email server (e.g. smtp.yourcompany.com).
    3. For 'Port,' select the email server port. (The default is 25, the usual default SMTP port.)
    4. Set 'Use SSL with Email' to On to secure the connection between Powertech Multi-Factor Authentication and your mail server.
    5. For 'Email,' enter the account you want in the From field for outgoing messages.
    6. Enter your login credentials.
    7. If desired, enter a custom message. For example, if you intend to enable Exit Point authentication, you might inform users that they will need to download and install the Desktop Agent from the User Portal during the registration process in order to authenticate Exit Point sign-ons.
  2. Click Preview User Portal registration email to preview the contents of the email. This is a representation of how the message will look to users.
  3. Click Save.

Sending a 'Welcome' Email to Users

  1. On the Navigation Pane, choose Users to go to the Users screen.
  2. Check the user(s) and/or group(s) you want to email.
  3. Click Send Email. A confirmation message appears.
  4. Click Send. An email is sent to the selected recipients.

Users will now be able to register devices using the User Portal and authenticate.

Configuring RADIUS Authentication

If you are using an existing RADIUS server to authenticate users, first complete the above steps: To Configure Powertech Multi-Factor Authentication. Then, proceed with the following steps to configure your RADIUS server and Powertech Multi-Factor Authentication Users accordingly.

NOTE: Powertech Multi-Factor Authentication can use either its own authentication or RADIUS authentication, but not both at the same time.
  1. In Insite's Navigation pane, choose RADIUS Authentication.
  2. Toggle Authenticate Using RADIUS to On.
  3. Enter the RADIUS Server Location, Port, Secret Key, and other requested information. See RADIUS Authentication screen for details.
  4. Click Save. Now that you have configured your RADIUS server, you need to add the RADIUS user credentials to the Powertech Multi-Factor Authentication Users that will need to be authenticated.
  5. In Insite's Navigation pane, choose Users.
  6. Edit a User that will be authenticated with RADIUS. The Edit User pane appears.
  7. In the RADIUS User Name field, enter the user name referred to by RADIUS.
  8. Click Save.

Port/Server Configuration Diagrams

The following diagrams show two possible Powertech Multi-Factor Authentication system configurations.

Basic Configuration

Basic Configuration with Failover Support

For a dual server installation, the database port (6432 by default) also needs to be open.