Documents in Administration

WebADM Administrator Guide

1. Product Documentation This document is a configuration guide for RCDevs WebADM. The reader should note that this document is not a guide for configuring WebADM applications (Web Services and WebApps). Specific application guides are available through the RCDevs online documentation library. WebADM installation and setup are not covered by this guide and are documented in the RCDevs WebADM Installation Guide. 2. Product Overview WebADM is a powerful web-based LDAP administration software designed for professionals to manage LDAP organization resources such as domain users and groups.

WebADM High Availability Guide

1. Product Documentation This document is a deployment guide for RCDevs WebADM in high availability (or cluster) mode. The reader should note that this document is not a guide for installing WebADM applications (Web Services and WebApps). 2. Product Overview WebADM is a powerful web-based LDAP administration software designed for professionals to manage LDAP organization resources such as domain users and groups. It is the configuration interface and application container for RCDevs Web Services and WebApps such as OpenOTP.

How to Configure RCDevs License Server

1. Introduction In this short How-To, we will explain how to configure the RCDevs License Server. The license server is now the default RCDevs model for licensing. This documentation is addressed to every new customer who is subscribing to an enterprise license. For others, the license server can be used with WebADM 1.6.8-2 or later. IMPORTANT NOTE Once the license server is configured with WebADM, a license cache is available for 10 days.

SpanKey Upgrade Guide from version 1.x.x to 2.x.x

1. Introduction In this documentation, we will see how to upgrade SpanKey Server and Client from version 1 to version 2. Note SpanKey Server v1 and v2 can work with both SpanKey Client v1 and v2 for NSS requests only. For SSH key management features, you must use matching Server and Client versions. 2. Upgrade SpanKey Server In this document, we will upgrade the SpanKey Server from v1.0.3-6 to v2.

WebADM Upgrade Guide from 1.5.x to 1.6.x and Later

1. Introduction This document provides the necessary information for upgrading servers running WebADM v1.5.x to WebADM v1.6.x. WebADM v1.6 is a major upgrade of RCDevs WebADM. The reader should note that this document is not a guide for installing WebADM or its applications (Web Services and WebApps). Specific application guides are available through the RCDevs Online Documentation. The WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide available through the RCDevs online documentation website.

WebADM Upgrade Guide from 1.3 and older to 1.4 and later

1. Introduction This document provides the necessary information for upgrading servers running WebADM v1.3 to WebADM v1.4, released in July 2015. WebADM v1.4 is a major upgrade of RCDevs WebADM which includes the major changes listed at the end of this document. The reader should note that this document is not a guide for installing WebADM or its applications (Web Services and WebApps). Specific application guides are available through the RCDevs Online Documentation.

Add RCDevs Repository

1. Add RCDevs Repository on CentOS/RHEL On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates. Add the repository: rpm --import https://www.rcdevs.com/repos/redhat/RPM-GPG-KEY-rcdevs.pub curl https://www.rcdevs.com/repos/redhat/rcdevs.repo -o /etc/yum.repos.d/rcdevs.repo Clean the yum cache: yum clean all You are now able to install RCDevs packages on your system: yum install <packages> 2. Add RCDevs Repository on Debian/Ubuntu On a Debian or Ubuntu system, you can use our repository, which simplifies updates.

Utilities and Command Line Tools for OpenOTP

1. Introduction In this HowTo, we will demonstrate some useful scripts available for OpenOTP and how to use them. 2. OpenOTP Utilities and Scripts Some scripts are available in: [root@webadm]# cd /opt/webadm/websrvs/openotp/bin [root@webadm bin]# ll total 44 -rwxr-xr-x 1 root root 4588 8 oct. 11:01 authtest -rwxr-xr-x 1 root root 4927 8 oct. 11:01 pskc2invrcdevs -rwxr-xr-x 1 root root 11384 8 oct. 11:01 report -rwxr-xr-x 1 root root 3887 8 oct.

Utilities and Command Line Tools for WebADM

1. Introduction In this HowTo, we will demonstrate some useful scripts available for WebADM and how to use them. 2. WebADM Utilities and Scripts Some scripts are available in: [root@webadm]# cd /opt/webadm/bin/ [root@webadm bin]# ll total 152 -rwxr-xr-x 1 root root 1809 11 oct. 15:35 backup -rwxr-xr-x 1 root root 6807 11 oct. 15:35 dbprune -rwxr-xr-x 1 root root 11215 11 oct. 15:35 encrypt -rwxr-xr-x 1 root root 10837 11 oct.

Backup & Restore

1. Introduction This document is intended to provide administrators with the best practices for maintaining RCDevs WebADM and related applications (such as the OpenOTP Authentication Server). The reader should note that this document is not a guide for installing WebADM and its applications. Specific guides are available through the RCDevs online documentation library on the RCDevs website. WebADM installation and usage manuals are not covered by this guide and are documented in the RCDevs WebADM Installation Guide and WebADM Administrator’s Guide available on the RCDevs website.

Migration Guide

1. Overview This document is a migration guide for RCDevs products between two servers. The installation is not covered by this guide. 2. Requirements You need root access to both the old server and the new server. The products you want to migrate should already be installed on the new server. 3. RCDevs Products This section covers these products: WebADM (webadm) Radius Bridge (radiusd) LDAP Bridge (ldproxy) Directory Server (slapd) Publishing Proxy (waproxy) HSMHub Server (hsmhubd) Use only the command lines for the products installed on your server.

Hardware Token Import

The Inventory For The Hardware Tokens For each purchase of hardware tokens from RCDevs, RCDevs provides an encrypted inventory file that contains the token seeds. Only your server can decrypt this file: decryption is tied to your license. The inventory for the hardware tokens in WebADM/OpenOTP allows you to review the token stock; to register a token very easily with only the serial number for the RC200, RC300 and RC400 hardware tokens, or by pressing a YubiKey; and to save time when importing a large number of tokens.

OpenOTP & U2F Keys

Overview OpenOTP v1.2 supports both OTP and the newer FIDO-U2F standard from the FIDO Alliance for user authentication. If you intend to use OpenOTP with FIDO U2F, please read this document which explains how to enable and use U2F with your application integrations and WebADM self-services. FIDO Universal 2nd Factor (U2F) is a new authentication standard created by the FIDO Alliance which simplifies and strengthens two-factor authentication for businesses and consumers.

Trusted Certificate

1. How to Use my Own Trusted Certificate in WebADM During installation, WebADM generates its own certificate authority certificate and server SSL certificates. However, you can use your own SSL certificates instead of the pre-generated ones. Using a trusted certificate may be required when you use the RCDevs OpenID IdP, and it avoids browser warnings for users accessing the WebApps. Just create the SSL certificate and key files in /opt/webadm/pki/custom.

OpenID-SAML IdP Web Service

OpenID/SAML Identity Provider The installation of the OpenID/SAML IdP is straightforward and consists only of running the self-installer and configuring the application in WebADM. You do not have to modify any files in the OpenID install directory! The web application configurations are managed and stored in LDAP by WebADM. To configure OpenID/SAML, just enter WebADM as super administrator and go to the ‘Applications’ menu. Click OpenID/SAML to enter the web-based configuration.

WebADM Hardware Security Configuration (HSM)

1. Product Documentation This document describes how to correctly configure the Yubico YubiHSM and enable it through the WebADM settings, in order to provide both hardware-level encryption and random seed generation (the strongest enterprise security available) in your RCDevs product. WebADM only needs a subset of commands to work with the YubiHSM, and the reader should note that this document is not a guide describing all possible modes of operation provided by the device itself.

Authentication

Test Double Authentication with a User 1. User Activation Once WebADM is installed and configured, we can connect to it with a web browser. We select the user to activate in the LDAP tree on the left, for example Admin, or we create a new user by clicking on Create. Once the user is selected, we click on Activate Now!: If present, we fill in the mandatory attributes and click Proceed: We click on Extend Object:

Client Policies

How To Create a Client Policy This documentation will explain how to configure a client policy in WebADM. 1. What is a Client Policy? A Client Policy provides per-client application access control and customized configurations. Client Policy objects are also used to customize the behavior of a client application (e.g. a VPN server using the OpenOTP Authentication Server). You can create a client policy object having the name of a Web Service’s client ID.

User Activation

How To Activate Users An activated user is a user who is counted in the license and who is able to authenticate with OpenOTP. There are several ways to activate users. 1. Activate One User Graphically In WebADM, we select the user in the LDAP tree and click on Activate Now!: Then, we complete all mandatory attributes and click on Proceed: We click on Extend Object: Now, the user is activated.

Plivo SMS Gateway & WebADM

1. Set up an Account on Plivo Sign up for an account. Add credit to the account (you should get some initial free credit when signing up). From the Dashboard, go to API Platform and copy the AuthID and the AuthToken. 2. Configure WebADM: Log in to WebADM. Go to Applications —> MFA Authentication Server. Configure the SMS OTP section. SMS Message Type ==> Normal (We advise testing with Normal first).

Feitian ePass NFC

SSH Authentication with a Feitian ePass NFC/FIDO/U2F Security Key The Feitian ePass NFC FIDO U2F Security Key can work as a Generic Identity Device Specification (GIDS) smart card. There are also many other manufacturers and card models to which these instructions can be applied, but the specific tools used to initialize the card may differ. In this how-to we will prepare a USB/NFC hardware key for SSH authentication and register the device in WebADM.

Smart Card - PIV

Authentication with a Yubikey Smart Card / PIV In this How-To we will configure a user in WebADM for using a PIV key. We need a WebADM server that is already configured. 1. Import the Inventory We need to create an inventory file like this: "Type","Reference","Description","DN","Data","Status" "PIV Device","<ID1>","PIV Yubikey","","PublicKey=<pub_key1>","Valid" "PIV Device","<ID2>","PIV Yubikey","","PublicKey=<pub_key2>","Valid" "PIV Device","<ID3>","PIV Yubikey","","PublicKey=<pub_key3>","Valid" For my test, I have a Yubikey Nano with a PIV certificate and I use yubico-piv-tool for the management of the Yubikey, but it can work with other PIV keys.

Secure Password Reset Web Application

Secure Password Reset The installation of PwReset is straightforward and consists only of running the self-installer and configuring the application in WebADM. You do not have to modify any files in the PwReset install directory! The web application configurations are managed and stored in LDAP by WebADM. To configure PwReset, just enter WebADM as super administrator and go to the ‘Applications’ menu. Click PwReset to enter the web-based configuration.

User Self-Registration

1. Overview The User Self-Registration (SelfReg) application is a web application provided by RCDevs and installed on the WebADM server. This application allows users to manage their OTP Token and U2F key enrollment. Users are also able to manage their OTP list, SSH key for SpanKey and TiQR Sign. The SelfReg application is similar to the User Self-Service Desk; the only difference between the two applications is that Self-Registration can only be accessed following a WebADM administrator request.

User Self-Service Desk

User Self-Service Desk The installation of SelfDesk is straightforward and consists only of running the self-installer and configuring the application in WebADM. You do not have to modify any files in the SelfDesk install directory! The web application configurations are managed and stored in LDAP by WebADM. To configure SelfDesk, just enter WebADM as super administrator and go to the ‘Applications’ menu. Click SelfDesk to enter the web-based configuration.

Feitian c100 - c200 Tokens with OpenOTP

How To use Feitian c100/c200 Tokens with OpenOTP OpenOTP supports the Feitian c100 & c200 Token series. Feitian c100 tokens are OATH-HOTP (event-based) and c200 tokens are OATH-TOTP (time-based). The Tokens are provided with a PSKC import file by Feitian. The file includes the Token secret key in an encrypted or cleartext format. If it is encrypted, the PSKC decryption key should have been provided to you by Feitian. To register a Token with a PSKC file, edit a user account in WebADM and go to the OTP Server Actions.

Vasco Digipass GO6 Tokens with OpenOTP

How To use Vasco Digipass GO6 Tokens with OpenOTP OpenOTP supports Vasco Digipass GO6 Hardware Tokens. Digipass GO6 works with OATH-HOTP (event-based) and OATH-TOTP (time-based). The Digipass GO6 is provided with a PSKC import file by Vasco. The file includes the Token secret key in an encrypted format. The PSKC decryption key is provided by Vasco in a separate document. To register a Vasco GO6 Token: 1) Import the PSKC file either with the import tool in /opt/webadm/websrvs/openotp/bin/pkcs.