Documents in OpenOTP Server

WebADM Administrator Guide

1. Product Documentation This document is a configuration guide for RCDevs WebADM. The reader should notice that this document is not a guide for configuring WebADM applications (Web Services and WebApps). Specific application guides are available through the RCDevs online documentation library. WebADM installation and setup is not covered by this guide and is documented in the RCDevs WebADM Installation Guide. 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as domain users and groups.

WebADM Installation Guide

1. Product Documentation This document is an installation guide for RCDevs WebADM Server. The reader should notice that this document is not a guide for installing WebADM applications (Web Services and Web Applications). Specific application guides are available through the RCDevs Online documentation. WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide. 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups.

Active Directory with WebADM

1. Installation Packages Firstly, we have to install OpenOTP and WebADM packages available through RCDevs Repository or on RCDevs Website. In this “How To”, we will install all required packages through the RCDevs repository. So, your servers should have an internet access to download every package. 1.1 For Redhat/CentOS On a RedHat, Centos or Fedora system, you can use our repository, which simplifies updates. Add the repository on your server(s) who will host WebADM/OpenOTP:

Active Directory with SSL

How to Enable Active Directory LDAP SSL Installing an Enterprise Root Certificate Authority in Windows Server 2008/2012/2016. In order to install and configure an Enterprise Root CA, you must log onto the server with a user account that belongs to the Domain Admins group. 1. To Set Up an Enterprise Root CA in Windows Server 2008/2012/2016 1) Click Start, point to Administrative Tools and then click Server Manager. 2) In the Roles Summary section, click Add Roles.

proxy_user & super_admin rights on MS Active Directory

How To Set WebADM Access Rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permission for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter. Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

OpenOTP Quick Start

1. Introduction OpenOTP is the RCDevs user authentication solution. The OpenOTP solution is composed of a set of server applications and components which provide secure and reliable authentication of users to applications and online services, intranet and extranet access, secure Internet transactions… OpenOTP relies on proven technologies and open standards such as OATH (the initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP. A one-time password (OTP) is a password that is only valid for a single login session or transaction.

OpenOTP Credential Provider for Mac OSX

1. Product Documentation This document is an installation guide for the OpenOTP Credential Provider for Mac OSX. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides to WebADM refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website. 2. Product Overview The OpenOTP Credential Provider for Mac OSX is a component that integrates the RCDevs OpenOTP one-time password authentication into the Mac OSX login process.

Authenticate Windows Local Users and Computers Out Of Domain

1. Overview This tutorial will explain to you how to configure WebADM/OpenOTP servers and OpenOTP Credential Provider for Windows to authenticate local users using 2-factor authentication. We will also explain how to authenticate your users with OpenOTP and OpenOTP Credential Provider for Windows on a computer out of the domain. Both scenarios require an LDAP server to store user metadata (Token metadata needs to be stored on a user account in WebADM even for local account authentication).

How To Configure RCDevs MFAVPN

1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides of WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website. 2. Installation of MFA VPN RCDevs MFA VPN package is available at the following link.

OpenOTP Credential Provider for Windows

Normal Login flow Simple Login flow Push Login flow 1. Product Documentation This document is an installation guide for the OpenOTP Credential Provider for Windows. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides to WebADM refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website.

Configure Push Login with OpenOTP

1. Background This document describes how to set up Push Login infrastructure, using WebADM, OpenOTP Push Server and optionally WAProxy. OpenOTP is the RCDevs MFA Service running on top of the RCDevs WebADM platform. OpenOTP itself is composed of several server applications and components that provide secure and reliable authentication of users connecting to applications, online services, intranet, extranet just to name a few. OpenOTP relies on proven technologies and open standards, such as OATH (the initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP.

LDAP Read-Only with WebADM and OpenOTP

How To Configure WebADM with a Read-Only Active Directory In some circumstances, we can not write in the LDAP backend. In that case, we need to store some configurations in a local LDAP database and users extra information in a SQL database. In this example, we will start with a Webadm server running with a local MariaDB and RCDevs Directory Server. It could be the VMWare Appliance or a new installation.

API

1. Manager API The Manager interface provides access to some WebADM user management functions and operations exported by your registered applications. The Manager also allows external systems such as Web portals to remotely trigger user management operations and actions from the network. The user management functions provide LDAP operations such as object creation, update, removal, WebADM settings and data management, etc… The method names for internal management functions are in the form Manager_Method.

OpenOTP API WSDL

OpenOTP API Description The OpenOTP authentication service is implemented over the SOAP/XML and RADIUS APIs. The SOAP/XML API is provided with a SOAP WSDL service description listed below. The OpenOTP API is very simple and provides 4 methods: 1. openotpNormalLogin and openotpSimpleLogin These methods are used to send an authentication request. The request contains the following attributes: username: User login name (mandatory). domain: User login domain (optional if OpenOTP as a default domain setting set).

OpenOTP LDAP Bridge

1. Product Overview The main use-case of OpenOTP LDAP Bridge is enabling enterprise applications that use LDAP as an external authentication mechanism to work with OpenOTP. LDAP Bridge allows authentication to be delegated to an OpenOTP server transparently, without changing the LDAP back-end. From the client applications perspective, the main change is that it will use the LDAP Bridge as an LDAP server, instead of the backend-end LDAP server.

PAM & OpenOTP

How To Install and Configure PAM OpenOTP Plugin to Enable Multifactor Authentication on Linux Machines Simple login flow Push Login flow 1. Background On Unix-like systems, processes such as the OpenSSH daemon need to authenticate the user and learn a few things about him or her (user ID, home directory, …). Authentication is done through a mechanism called Pluggable Authentication Modules, and retrieving information about users (or even groups, hostnames, …) is done through another mechanism, called the Name Service Switch.

pfSense & OpenOTP

How To Enable OpenOTP Authentication on pfSense This document explains how to enable OpenOTP authentication with Radius Bridge and pfSense. 1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. You have also to install our Radius Bridge product on your WebADM server(s). 2. Register your pfSense in RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.

ADFS & OpenOTP

Simple Login Push Login 1. Product Documentation This document is an installation guide for the OpenOTP Authentication Provider for AD FS 3.0 / 4.0. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides to WebADM refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs’ online documentation library.

Microsoft Remote Desktop Services & OpenOTP

How To Configure MS Remote Desktop Services with OpenOTP Note OpenOTP plugin for Remote Desktop Services works for Windows Server 2012 & 2016. If you have an older version, you have to update your RDS infrastructure. 1. Remote Desktop Services Infrastructure In this post, we will assume an existing Remote Desktop Services infrastructure installed and available. This post will not cover how to set up RDS. Please refer to the Microsoft documentation and/or the TechNet blog for details about how to install and configured Microsoft | TechNet.

Add RCDevs Repository

1. Add RCDevs Repository on CentOS/RHEL On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates. Add the repository: rpm --import https://www.rcdevs.com/repos/redhat/RPM-GPG-KEY-rcdevs.pub curl https://www.rcdevs.com/repos/redhat/rcdevs.repo -o /etc/yum.repos.d/rcdevs.repo Clean yum cache: yum clean all You are now able to install RCDevs packages on your system: yum install <packages> 2. Add RCDevs Repository on Debian/Ubuntu On a Debian and Ubuntu system, you can use our repository, which simplifies updates.

Virtual Appliance

RCDevs Virtual Appliance Startup Guide The RCDevs VMware Appliance is a standard and minimal CentOS 7 (64Bit) Linux installation with the RCDevs software packages already installed with yum. The Appliance contains the following (already configured) components: WebADM Server (installed in /opt/webadm/). WebADM Web Services: OpenOTP, SMSHub, OpenSSO, SpanKey, TiQR (installed in /opt/webadm/websrvs/). WebADM WebApps: SelfDesk, SelfReg, PwReset, OpenID (installed in /opt/webadm/webapps/). OpenOTP Radius Bridge (installed in /opt/radiusd/). RCDevs Directory Server (OpenLDAP in /opt/slapd/).

Utilities and Command Line Tools for OpenOTP

1. Introduction In this HowTo, we will demonstrate some useful scripts available for OpenOTP and how to use them. 2. OpenOTP Utilities and Scripts Some scripts are available in: [root@webadm]# cd /opt/webadm/websrvs/openotp/bin [root@webadm bin]# ll total 44 -rwxr-xr-x 1 root root 4588 8 oct. 11:01 authtest -rwxr-xr-x 1 root root 4927 8 oct. 11:01 pskc2invrcdevs -rwxr-xr-x 1 root root 11384 8 oct. 11:01 report -rwxr-xr-x 1 root root 3887 8 oct.

Hardware Token Import

The Inventory For The Hardware Tokens For each purchase of hardware tokens from RCDevs, RCDevs provide an Inventory file encrypted that contains the tokens seeds. Only your server can decrypt this file: it works with the license. The Inventory for the hardware tokens in WebADM/OpenOTP allows: to review the token stock to register a token very easily with the serial number only for the RC200, RC300 & RC400 hardware tokens pressing a Yubikey to save time when importing a large number of tokens.

OpenOTP & U2F Keys

Overview OpenOTP v1.2 supports both OTP and the newer FIDO-U2F standard from the FIDO Alliance for user authentication. If you intend to use OpenOTP with FIDO U2F, please read this document which explains how to enable and use U2F with your application integrations and WebADM self-services. FIDO Universal 2nd Factor (U2F) is a new authentication standard created by the FIDO Alliance which simplifies and strengthens two-factor authentication for businesses and consumers.

Authentication

Test Double Authentication with a User 1. User Activation Once WebADM is installed and configured, we can connect to it with a web browser. We select the user to activate in the LDAP tree on the left, for example, Admin, or we create a new user by clicking on Create. Once the user is selected, we click on Activate Now!: If present, we fill mandatory attributes and Proceed: We click on Extend Object:

Client Policies

How To Create a Client Policy This documentation will explain how to configure a client policy on WebADM. 1. What is a Client Policy? A Client Policy provides per-client application access control and customized configurations. The Client Policy objects are also used to customize the behavior of a client application (ex. a VPN server using OpenOTP Authentication Server). You can create a client policy object having the name of a Web Service’s client ID.

Plivo SMS Gateway & WebADM

1. Setup an Account on Plivo Sign up for an account. Add the credit to the account (however, you should get some initial free credit when signing up). From the Dashboard go to API Platform and copy the AuthID and the AuthToken. 2. Configure WebADM: Login to WebADM. Go to Applications —> MFA Authentication Server. Configure the section SMS OTP. SMS Message Type ==> Normal (We advise testing using Normal first).

Feitian c100 - c200 Tokens with OpenOTP

How To use Feitian c100/c200 Tokens with OpenOTP OpenOTP supports Feitian c100 & c200 Token series. Feitian c100 are OATH-HOTP (event-based) and c200 are OATH-TOTP (time-based). The Tokens are provided with a PSKC import file by Feitian. The file includes the Token secret key in an encrypted or cleartext format. If it is encrypted, the PSKC decryption key should have been provided to you by Feitian. To register a Token with a PSKC file, edit a user account in WebADM and go to the OTP Server Actions.

Vasco Digipass GO6 Tokens with OpenOTP

How To use Vasco Digipass GO6 Tokens with OpenOTP OpenOTP supports Vasco Digipass GO6 Hardware Tokens. Digipass GO6 works with OATH-HOTP (event-based) and OATH-TOTP (time-based). The Digipass GO6 is provided with a PSKC import file by Vasco. The file includes the Token secret key in an encrypted format. The decryption PSKC key is provided by Vasco in a separated document. To register a Vasco GO6 Token: 1) Import the PSKC file either with the import tool in /opt/webadm/websrvs/openotp/bin/pkcs.

WLAN EAP Authentication Radius

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do so. You have also to install our Radius Bridge product on your WebADM server(s). For authentication, you have two possible mechanisms. Username and password authentication using EAP-TTLS Certificate authentication using EAP-TLS (Supported from WebADM 1.6.8 & Radius Bridge 1.3.6) The WLAN protocol used does not support challenge-response, so only Login Mode LDAP or LDAP + Simple Push authentication is supported.

ASA SSL VPN

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. You have also to install our Radius Bridge product on your WebADM server(s). 2. Register your ASA SSL VPN in RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your ASA SSL VPN server.

F5 BIG-IP APM

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. You have also to install our Radius Bridge product on your WebADM server(s). 2. Register your F5 VPN in RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your F5 VPN server.

Schema Extension

Schema Extension 1. Content of the Schema Extension The schema extension is very minimal. It is composed of three object classes (webadmAccount, webadmGroup and webadmConfig) and three attributes (webadmSettings, webadmData and webadmType). Each attribute contains a registered object identifier. 34617 corresponds to the registered number for RCDevs at IANA. 2. Automatic Schema Extension This option is preferred and is very easy. It works with most of LDAP servers. 2.1 Active Directory Prerequisite The first domain controller defined in /opt/webadm/conf/servers.

Radius Attributes

How To Send a Radius Attributes with WebADM For this How-To, we start with a WebADM and a Radius Bridge up and running. 1. Sending a LDAP Value We select the user in WebADM and we click on WebADM settings: None [CONFIGURE]: We select OpenOTP and scroll down to RADIUS Options, we check the box and click on Edit: We select an attribute from a dictionary. We check that Gandalf-Phone-Number-1 attribute is present in Radius Bridge:

What's Wrong??

What’s Wrong?? Here we describe how to fix some common errors easily. The first thing to do when a login failed for an unknown reason is to check the log file /opt/webadm/log/webadm.log and find the right log. 1. Invalid Username or Password [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] New openotpSimpleLogin SOAP request [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Username: john@my.company [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Password: xxxxxx [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Client ID: RadTest [2017-07-21 09:13:16] [127.

Juniper-Pulse

How To Enable OpenOTP Authentication On Juniper-Pulse Secure This document explains how to enable OpenOTP authentication with Radius Bridge and Juniper SSL VPN. 1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. You have also to install our Radius Bridge product on your WebADM server(s). 2. Register Your Juniper VPN In RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.

Palo Alto

How To Enable OpenOTP Authentication in Palo Alto SSL VPN This document explains how to enable OpenOTP authentication in Palo Alto SSL VPN. 1. Register your Palo Alto VPN in RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your Palo Alto VPN server. Example: client <VPN Server IP> { secret = testing123 shortname = PaloAlto-VPN } 2.

NetIQ

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. 2. NetIQ Installation and Initial Configuration We used the NetIQ appliance version 4.3 downloaded from the Microfocus website (trial version). ISO file name: AM_43_AccessManagerAppliance_Eval-0831.iso It’s SUSE Linux: netiqam:~ # cat /etc/SuSE-release SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 4 NetIQ Access Manager Appliance 4.