Documents in Installation & Setup

OpenOTP Servers Sizing according to the Number of Users

1. Introduction In this how-to we will present you how to size your servers according to the number of users in your organization that will use OpenOTP. 2. Recommendations for 500 Users 1 dedicated server or Virtual machine with Linux (2 for High Availability). Server configuration: 3GHz processor (4 cores). 8GB RAM memory. 200MB disk space for installation files. 10GB disk space for log files and DB. Optionally 1 YubiHSM for hardware crypto.

WebADM Installation Guide

1. Product Documentation This document is an installation guide for RCDevs WebADM Server. The reader should notice that this document is not a guide for installing WebADM applications (Web Services and Web Applications). Specific application guides are available through the RCDevs Online documentation. WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide. 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups.

WebADM High Availability Guide

1. Product Documentation This document is a deployment guide for RCDevs WebADM in high availability (or cluster) mode. The reader should notice that this document is not a guide for installing WebADM applications (Web Services and WebApps). 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups. It is the configuration interface and application container for RCDevs Web Services and WebApps such as OpenOTP.

Active Directory with WebADM

1. Installation Packages Firstly, we have to install OpenOTP and WebADM packages available through RCDevs Repository or on RCDevs Website. In this “How To”, we will install all required packages through the RCDevs repository. So, your servers should have an internet access to download every package. 1.1 For Redhat/CentOS On a RedHat, Centos or Fedora system, you can use our repository, which simplifies updates. Add the repository on your server(s) who will host WebADM/OpenOTP:

Active Directory with SSL

How to Enable Active Directory LDAP SSL Installing an Enterprise Root Certificate Authority in Windows Server 2008/2012/2016. In order to install and configure an Enterprise Root CA, you must log onto the server with a user account that belongs to the Domain Admins group. 1. To Set Up an Enterprise Root CA in Windows Server 2008/2012/2016 1) Click Start, point to Administrative Tools and then click Server Manager. 2) In the Roles Summary section, click Add Roles.

proxy_user & super_admin rights on MS Active Directory

How To Set WebADM Access Rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permission for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter. Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

OpenOTP Quick Start

1. Introduction OpenOTP is the RCDevs user authentication solution. The OpenOTP solution is composed of a set of server applications and components which provide secure and reliable authentication of users to applications and online services, intranet and extranet access, secure Internet transactions… OpenOTP relies on proven technologies and open standards such as OATH (the initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP. A one-time password (OTP) is a password that is only valid for a single login session or transaction.

OpenOTP Credential Provider for Mac OSX

1. Product Documentation This document is an installation guide for the OpenOTP Credential Provider for Mac OSX. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides to WebADM refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website. 2. Product Overview The OpenOTP Credential Provider for Mac OSX is a component that integrates the RCDevs OpenOTP one-time password authentication into the Mac OSX login process.

Authenticate Windows Local Users and Computers Out Of Domain

1. Overview This tutorial will explain to you how to configure WebADM/OpenOTP servers and OpenOTP Credential Provider for Windows to authenticate local users using 2-factor authentication. We will also explain how to authenticate your users with OpenOTP and OpenOTP Credential Provider for Windows on a computer out of the domain. Both scenarios require an LDAP server to store user metadata (Token metadata needs to be stored on a user account in WebADM even for local account authentication).

How To Configure RCDevs MFAVPN

1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides of WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website. 2. Installation of MFA VPN RCDevs MFA VPN package is available at the following link.

OpenOTP Credential Provider for Windows

Normal Login flow Simple Login flow Push Login flow 1. Product Documentation This document is an installation guide for the OpenOTP Credential Provider for Windows. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides to WebADM refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website.

WebADM Publishing Proxy

1. Product Overview WAProxy is an HTTP(S) reverse proxy for WebADM. While any reverse proxy should be able to fill the role, this one has been already configured by RCDevs to work securely and use all the features WebADM provides to reverse proxies. WAProxy handles basic load balancing, failover, and both server and client certificates with the least possible amount of configuration effort. Without a WAProxy reverse proxy, WebADM end-user web applications must be accessible from anywhere its users could be: if you use OpenOTP Push Login or TiQR, a user’s phone must be able to access the mobile communication endpoints on your WebADM installation from the internet.

Configure Push Login with OpenOTP

1. Background This document describes how to set up Push Login infrastructure, using WebADM, OpenOTP Push Server and optionally WAProxy. OpenOTP is the RCDevs MFA Service running on top of the RCDevs WebADM platform. OpenOTP itself is composed of several server applications and components that provide secure and reliable authentication of users connecting to applications, online services, intranet, extranet just to name a few. OpenOTP relies on proven technologies and open standards, such as OATH (the initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP.

LDAP Read-Only with WebADM and OpenOTP

How To Configure WebADM with a Read-Only Active Directory In some circumstances, we can not write in the LDAP backend. In that case, we need to store some configurations in a local LDAP database and users extra information in a SQL database. In this example, we will start with a Webadm server running with a local MariaDB and RCDevs Directory Server. It could be the VMWare Appliance or a new installation.

Radius Bridge

1. Product Documentation This document is a configuration guide for OpenOTP Radius Bridge (RB). The reader should notice that this document is not a guide for installing and configuring OpenOTP or WebADM. Specific application guides are available through the RCDevs documentation website. 2. Product Overview OpenOTP Radius Bridge provides the RADIUS RFC-2865 (Remote Authentication Dial-in User Service) API for OpenOTP Authentication Server. Standalone, the OpenOTP server provides SOAP/XML and JSON interfaces over HTTP and HTTPS.

OpenOTP LDAP Bridge

1. Product Overview The main use-case of OpenOTP LDAP Bridge is enabling enterprise applications that use LDAP as an external authentication mechanism to work with OpenOTP. LDAP Bridge allows authentication to be delegated to an OpenOTP server transparently, without changing the LDAP back-end. From the client applications perspective, the main change is that it will use the LDAP Bridge as an LDAP server, instead of the backend-end LDAP server.

OpenOTP Token Mobile Application

1. Background OpenOTP Token is a mobile authentication solution available on iPhone and Android systems which provides secure access for websites, VPNs, Citrix, Cloud Apps, Windows, Linux, SAML, OpenID, Wifi and much more. With OpenOTP Authentication Server, it provides the most advanced user authentication system supporting simple registration with QRCode scan, Software Token based on OATH standards and Approve/Deny login with push notifications. 2. How To Install OpenOTP Token 2.

PAM & OpenOTP

How To Install and Configure PAM OpenOTP Plugin to Enable Multifactor Authentication on Linux Machines Simple login flow Push Login flow 1. Background On Unix-like systems, processes such as the OpenSSH daemon need to authenticate the user and learn a few things about him or her (user ID, home directory, …). Authentication is done through a mechanism called Pluggable Authentication Modules, and retrieving information about users (or even groups, hostnames, …) is done through another mechanism, called the Name Service Switch.

ADFS & OpenOTP

Simple Login Push Login 1. Product Documentation This document is an installation guide for the OpenOTP Authentication Provider for AD FS 3.0 / 4.0. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides to WebADM refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs’ online documentation library.

Microsoft Remote Desktop Services & OpenOTP

How To Configure MS Remote Desktop Services with OpenOTP Note OpenOTP plugin for Remote Desktop Services works for Windows Server 2012 & 2016. If you have an older version, you have to update your RDS infrastructure. 1. Remote Desktop Services Infrastructure In this post, we will assume an existing Remote Desktop Services infrastructure installed and available. This post will not cover how to set up RDS. Please refer to the Microsoft documentation and/or the TechNet blog for details about how to install and configured Microsoft | TechNet.

Virtual Appliance

RCDevs Virtual Appliance Startup Guide The RCDevs VMware Appliance is a standard and minimal CentOS 7 (64Bit) Linux installation with the RCDevs software packages already installed with yum. The Appliance contains the following (already configured) components: WebADM Server (installed in /opt/webadm/). WebADM Web Services: OpenOTP, SMSHub, OpenSSO, SpanKey, TiQR (installed in /opt/webadm/websrvs/). WebADM WebApps: SelfDesk, SelfReg, PwReset, OpenID (installed in /opt/webadm/webapps/). OpenOTP Radius Bridge (installed in /opt/radiusd/). RCDevs Directory Server (OpenLDAP in /opt/slapd/).

RCDevs Directory Server Installation

Installation of RCDevs Directory Server System requirements: RCDevs Directory Server (DS) runs on Linux with GLIBC ≥ 2.5. The package contains the required dependencies allowing DS to run on any Linux system without other requirements. 1. Install DS 1.1 Using the Repository 1.1.1 CentOS/RHEL On a RedHat, Centos or Fedora system, you can use our repository, which simplifies updates. Add the repository: [root@ldap ~]# curl http://www.rcdevs.com/repos/redhat/rcdevs.repo -o /etc/yum.repos.d/rcdevs.repo Clean yum cache:

Novell eDirectory Installation

How To Install Novell eDirectory Note To install and setup Novell eDirectory on a Linux server, proceed as follows. 1. Installing eDirectory Use the nds-install utility to install eDirectory components on Linux systems. This utility is located in the Setup directory on the CD for the Linux platform. The utility adds the required packages based on what components you choose to install. Log in as root on the host.

OpenLDAP Installation

How To Install OpenLDAP On an empty OpenLDAP, you can initialize your directory by importing the following LDIF entries. Change “mydomain” to match your organization name and save the LDIF content to a root.ldif file. dn: dc=mydomain dc: mydomain ou: rootObject objectClass: top objectClass: dcObject objectClass: organizationalUnit dn: cn=admin,dc=mydomain cn: admin sn: admin objectClass: person objectClass: inetOrgPerson Use the following command to initialize your OpenLDAP directory. ldapadd -x -D "cn=admin,dc=mydomain" -W -f root.

TiQR Quick Start

Start with TiQR Server 1. Introduction TiQR is an innovative way to authenticate users to web applications. It is based on open standards for secure authentication developed by the Open Authentication Initiative. TiQR’s unique user-friendly features include one-click enrollment using QR codes and secure authentication without having to re-type complicated codes by leveraging dynamic QR codes embedded in web pages. TiQR supports the OCRA suite of authentication protocols. The security is based on AES 256-bit encryption and the SHA-family hashing functions.

TiQR User Manual

1. Introduction TiQR is a new and revolutionary way to authenticate for online applications, such as webmail or online banking. The key feature is the use of QR tags, which makes authenticating both secure and easy. You will no longer be burdened with typing username/password combinations or complicated one-time passwords. Scanning a QR code and typing your PIN is all there is to it. This is the secret behind tiqr’s ease of use.

TiQR Credential Provider for Windows

1. Product Documentation This document is an installation guide for the TiQR Credential Provider for Windows. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides to WebADM refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs’ online documentation library. 2. Product Overview The TiQR Credential Provider for Windows is a component that integrates the RCDevs TiQR QR-Code authentication into the Windows logon process.

WebADM Hardware Security Configuration (HSM)

1. Product Documentation This document describes how to configure correctly the Yubico YubiHSM and enable it through the WebADM setting, in order to provide both hardware level encryption and random seed generation (the strongest Enterprise security available) in your RCDevs product. WebADM only needs a subset of commands to work with the YubiHSM and the reader should notice that this document is not a guide describing all possible modes of operation provided by the device itself.

Schema Extension

Schema Extension 1. Content of the Schema Extension The schema extension is very minimal. It is composed of three object classes (webadmAccount, webadmGroup and webadmConfig) and three attributes (webadmSettings, webadmData and webadmType). Each attribute contains a registered object identifier. 34617 corresponds to the registered number for RCDevs at IANA. 2. Automatic Schema Extension This option is preferred and is very easy. It works with most of LDAP servers. 2.1 Active Directory Prerequisite The first domain controller defined in /opt/webadm/conf/servers.

WebADM SAML Identity Provider

Configuration of WebADM as a SAML Identity Provider 1. Configuration of the Identity Provider First, we need a WebADM server with MFA Authentication Server and OpenID & SAML Provider. We can use the appliance or install a new server. We need also a DNS name for the server. If we can not change the DNS, we can also add the name in /etc/hosts or c:\WINDOWS\system32\drivers\etc\hosts for testing purpose :

Mountpoints

1. Overview Generally, WebADM is configured to connect with a remote AD/LDAP domain for two reasons: For an admin to be able to browse (and optionally modify) remote domain contents such as user objects via a web browser (and optionally delegate that work to sub-administrators). To act as a gateway to allow the OpenOTP server to read and use remote user data for authentication purposes (i.e. fetch user mobile phone number from AD account).

SpanKey SSH Key Management

1. Overview SpanKey is a centralized SSH key server for OpenSSH, which stores and maintains SSH public keys in a centralized LDAP directory (i.e. Active Directory). With SpanKey there is no need to distribute, manually expire or maintain the public keys on the servers. Instead, the SpanKey agent is deployed on the servers and is responsible for providing the users’ public keys on-demand. The SpanKey server provides per-host access control with “server tagging”, LDAP access groups, centralized management from the RCDevs WebADM console, shared accounts, privileged users (master keys), recovery keys… It supports public key expiration with automated workflows for SSH key renewal (via Self-Services).