Documents in Installation & Setup

Radius Bridge

1. Product Documentation This document is a configuration guide for OpenOTP Radius Bridge (RB). The reader should notice that this document is not a guide for installing and configuring OpenOTP or WebADM. Specific application guides are available through the RCDevs documentation website. 2. Product Overview OpenOTP Radius Bridge provides the RADIUS RFC-2865 (Remote Authentication Dial-in User Service) API for OpenOTP Authentication Server. Standalone, the OpenOTP server provides SOAP/XML and JSON interfaces over HTTP and HTTPS.

Secure Transaction Approval to be PSD2 compliant

1. Overview 1.1 The Problem RCDevs’ PSD2-READY solution has all the tools you need to stay compliant. Online banking and most business processes require controls and approvals. It could be for a large financial transaction, a simple work expense reimbursement or procurement approval. In banking, these have been traditionally managed using One-Time Passwords (OTP) or PIN codes and in business applications with simple username+password authentication. These mechanisms are now insufficient to meet today’s regulatory requirements, security and usability expectations.

WebADM High Availability Guide

1. Product Documentation This document is a deployment guide for RCDevs WebADM in high availability (or cluster) mode. The reader should notice that this document is not a guide for installing WebADM applications (Web Services and WebApps). 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups. It is the configuration interface and application container for RCDevs Web Services and WebApps such as OpenOTP.

Hardware Security Module Configuration (HSM)

1. Product Documentation This document describes how to configure correctly the Yubico YubiHSM and enable it through the WebADM setting, in order to provide both hardware level encryption and random seed generation (the strongest Enterprise security available) in your RCDevs product. WebADM only needs a subset of commands to work with the YubiHSM and the reader should notice that this document is not a guide describing all possible modes of operation provided by the device itself.

WebADM SAML Identity Provider

Configuration of WebADM as a SAML Identity Provider 1. Configuration of the Identity Provider First, we need a WebADM server with MFA Authentication Server and OpenID & SAML Provider. We can use the appliance or install a new server. We need also a DNS name for the server. If we can not change the DNS, we can also add the name in /etc/hosts or c:\WINDOWS\system32\drivers\etc\hosts for testing purpose: Once the server is up and running, we can configure it as a SAML Identity Provider (IdP).

How to migrate from a third party 2FA software to OpenOTP

1. Overview In this how-to, we will demonstrate how to easily migrate from a third party 2FA software to OpenOTP. In this documentation, we assume that you are already running WebADM, OpenOTP and Radius Bridge. To understand what will be done here, we will describe the steps: Have a WebADM, OpenOTP and Radius Bridge installed and configured, Activate every users who will require 2FA authentication at the WebADM level, Import your third-party hardware Tokens into WebADM.

MFAVPN

1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides of WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website. 2. Installation of MFA VPN On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates.

WebADM Publishing Proxy

1. Product Overview WAProxy is an HTTP(S) reverse proxy for WebADM. While any reverse proxy should be able to fill the role, this one has been already configured by RCDevs to work securely and use all the features WebADM provides to reverse proxies. WAProxy handles basic load balancing, failover, and both server and client certificates with the least possible amount of configuration effort. Without a WAProxy reverse proxy, WebADM end-user web applications must be accessible from anywhere its users could be: if you use OpenOTP Push Login or TiQR, a user’s phone must be able to access the mobile communication endpoints on your WebADM installation from the internet.

Configure Push Login with OpenOTP

1. Background This document describes how to set up Push Login infrastructure, using WebADM, OpenOTP Push Server and optionally WAProxy. OpenOTP is the RCDevs MFA Service running on top of the RCDevs WebADM platform. OpenOTP itself is composed of several server applications and components that provide secure and reliable authentication of users connecting to applications, online services, intranet, extranet just to name a few. OpenOTP relies on proven technologies and open standards, such as OATH (the initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP.

Read-Only Active Directory with WebADM

How To Configure WebADM with a Read-Only Active Directory Important Note An entreprise license is mandatory for that setup since WebADM 1.6.6 In some circumstances, we can not write in the LDAP backend. In that case, we need to store some configurations in a local LDAP database and users extra information in a SQL database. In this example, we will start with a WebADM server running with a local MariaDB and RCDevs Directory Server.

LDAP Bridge

1. Product Overview The main use-case of OpenOTP LDAP Bridge is enabling enterprise applications that use LDAP as an external authentication mechanism to work with OpenOTP. LDAP Bridge allows authentication to be delegated to an OpenOTP server transparently, without changing the LDAP back-end. From the client applications perspective, the main change is that it will use the LDAP Bridge as an LDAP server, instead of the backend-end LDAP server.