Documents in WebADM Server

OpenOTP Servers Sizing according to the Number of Users

1. Introduction In this how-to we will show you how to size your servers according to the number of users in your organization who will use OpenOTP. 2. Recommendations for 500 Users 1 dedicated server or virtual machine with Linux (2 for high availability). Server configuration: 3 GHz processor (4 cores); 8 GB RAM; 200 MB disk space for installation files; 10 GB disk space for log files and DB; optionally 1 YubiHSM for hardware crypto.

WebADM Administrator Guide

1. Product Documentation This document is a configuration guide for RCDevs WebADM. The reader should note that this document is not a guide for configuring WebADM applications (Web Services and WebApps). Specific application guides are available through the RCDevs online documentation library. WebADM installation and setup are not covered by this guide and are documented in the RCDevs WebADM Installation Guide. 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as domain users and groups.

WebADM Installation Guide

1. Product Documentation This document is an installation guide for RCDevs WebADM Server. The reader should note that this document is not a guide for installing WebADM applications (Web Services and Web Applications). Specific application guides are available through the RCDevs online documentation. The WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide. 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups.

WebADM High Availability Guide

1. Product Documentation This document is a deployment guide for RCDevs WebADM in high availability (or cluster) mode. The reader should note that this document is not a guide for installing WebADM applications (Web Services and WebApps). 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups. It is the configuration interface and application container for RCDevs Web Services and WebApps such as OpenOTP.

Active Directory with WebADM

1. Installation Packages First, we have to install the OpenOTP and WebADM packages, available through the RCDevs repository or on the RCDevs website. In this “How To”, we will install all required packages through the RCDevs repository, so your servers need internet access to download all the packages. 1.1 For RedHat/CentOS On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates. Add the repository on the server(s) that will host WebADM/OpenOTP:

Active Directory with SSL

How to Enable Active Directory LDAP SSL Installing an Enterprise Root Certificate Authority in Windows Server 2008/2012/2016. In order to install and configure an Enterprise Root CA, you must log onto the server with a user account that belongs to the Domain Admins group. 1. To Set Up an Enterprise Root CA in Windows Server 2008/2012/2016 1) Click Start, point to Administrative Tools, and then click Server Manager. 2) In the Roles Summary section, click Add roles.

Proxy User Rights on MS Active Directory

How To Set the Access Rights for Active Directory There are two things to consider in order to implement fine-grained LDAP permissions for WebADM and its applications. WebADM Proxy user permissions: this system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example to increase the failed authentication counter. Administrator user permissions: these accounts log in to the Admin portal in order to manage LDAP resources and registered applications.

OpenOTP Quick Start

1. Introduction OpenOTP is the RCDevs user authentication solution. The OpenOTP solution is composed of a set of server applications and components which provide secure and reliable authentication of users to applications and online services, intranet and extranet access, secure Internet transactions… OpenOTP relies on proven technologies and open standards such as OATH (the initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP. A one-time password (OTP) is a password that is only valid for a single login session or transaction.

OpenOTP Credential Provider for Mac OSX

1. Product Documentation This document is an installation guide for the OpenOTP Credential Provider for Mac OSX. Hence, the installation or configuration of WebADM, including token registration, is not covered in this guide. For installation and usage guides for WebADM, refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation website. 2. Product Overview The OpenOTP Credential Provider for Mac OSX is a component that integrates the RCDevs OpenOTP one-time password authentication into the Mac OSX logon process.

Authenticate Windows Local Users and Computers Out Of Domain

1. Overview This tutorial explains how to configure WebADM/OpenOTP servers and the OpenOTP Credential Provider for Windows to authenticate local users using two-factor authentication. We will also explain how to authenticate your users with OpenOTP and the OpenOTP Credential Provider for Windows on a computer that is not joined to a domain. Both scenarios require an LDAP server to store user metadata (token metadata needs to be stored on a user account in WebADM even for local account authentication).

How To Configure RCDevs MFAVPN

1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. Hence, the installation or configuration of WebADM, including token registration, is not covered in this guide. For installation and usage guides for WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation website. 2. Installation of MFA VPN The RCDevs MFA VPN package is available at the following link.

OpenOTP Credential Provider for Windows

Figures: Normal Login flow, Simple Login flow, Push Login flow. 1. Product Documentation This document is an installation guide for the OpenOTP Credential Provider for Windows. Hence, the installation or configuration of WebADM, including token registration, is not covered in this guide. For installation and usage guides for WebADM, refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation website.

LDAP Read-Only with WebADM and OpenOTP

How To Configure WebADM with a Read-Only Active Directory In some circumstances, we cannot write to the LDAP backend. In that case, we need to store some configuration in a local LDAP database and the extra user information in a SQL database. In this example, we will start with a WebADM server running with a local MariaDB and RCDevs Directory Server. It could be the VMWare Appliance or a new installation.

API

1. Manager API The Manager interface provides access to some WebADM user management functions and operations exported by your registered applications. The Manager also allows external systems such as Web portals to remotely trigger user management operations and actions from the network. The user management functions provide LDAP operations such as object creation, update, removal, WebADM settings and data management, etc… The method names for internal management functions are in the form Manager_Method.

pfSense & OpenOTP

How To Enable OpenOTP Authentication on pfSense This document explains how to enable OpenOTP authentication with Radius Bridge and pfSense. 1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please refer to the WebADM Installation Guide and the WebADM Manual to do so. You also have to install our Radius Bridge product on your WebADM server(s). 2. Register your pfSense in RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.

WebADM Upgrade Guide from 1.5.x to 1.6.x and Later

1. Introduction This document provides the necessary information for upgrading servers running WebADM v1.5.x to WebADM v1.6.x. WebADM v1.6 is a major upgrade of RCDevs WebADM. The reader should note that this document is not a guide for installing WebADM or its applications (Web Services and WebApps). Specific application guides are available through the RCDevs online documentation. The WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide available through the RCDevs online documentation website.

WebADM Upgrade Guide from 1.3 and older to 1.4 and later

1. Introduction This document provides the necessary information for upgrading servers running WebADM v1.3 to WebADM v1.4, released in July 2015. WebADM v1.4 is a major upgrade of RCDevs WebADM which includes the major changes listed at the end of this document. The reader should note that this document is not a guide for installing WebADM or its applications (Web Services and WebApps). Specific application guides are available through the RCDevs online documentation.

Microsoft Remote Desktop Services & OpenOTP

How To Configure MS Remote Desktop Services with OpenOTP Note: the OpenOTP plugin for Remote Desktop Services works with Windows Server 2012 & 2016. If you have an older version, you have to update your RDS infrastructure. 1. Remote Desktop Services Infrastructure In this post we will assume an existing Remote Desktop Services infrastructure is installed and available. This post will not cover how to set up RDS. Please refer to the Microsoft documentation and/or the TechNet blog for details about how to install and configure it: Microsoft | TechNet.

Add RCDevs Repository

1. Add RCDevs Repository on CentOS/RHEL On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates. Add the repository:
rpm --import https://www.rcdevs.com/repos/redhat/RPM-GPG-KEY-rcdevs.pub
curl https://www.rcdevs.com/repos/redhat/rcdevs.repo -o /etc/yum.repos.d/rcdevs.repo
Clean the yum cache:
yum clean all
You are now able to install RCDevs packages on your system:
yum install <packages>
2. Add RCDevs Repository on Debian/Ubuntu On a Debian or Ubuntu system, you can use our repository, which simplifies updates.

Utilities and Command Line Tools for WebADM

1. Introduction In this HowTo, we will demonstrate some useful scripts available for WebADM and how to use them. 2. WebADM Utilities and Scripts Some scripts are available in:
[root@webadm]# cd /opt/webadm/bin/
[root@webadm bin]# ll
total 152
-rwxr-xr-x 1 root root 1809 11 oct. 15:35 backup
-rwxr-xr-x 1 root root 6807 11 oct. 15:35 dbprune
-rwxr-xr-x 1 root root 11215 11 oct. 15:35 encrypt
-rwxr-xr-x 1 root root 10837 11 oct.

Backup & Restore

1. Introduction This document is intended to provide administrators with the best practices for maintaining RCDevs WebADM and related applications (such as the OpenOTP Authentication Server). The reader should note that this document is not a guide for installing WebADM and its applications. Specific guides are available through the RCDevs online documentation library on the RCDevs website. WebADM installation and usage manuals are not covered by this guide and are documented in the RCDevs WebADM Installation Guide and the WebADM Administrator’s Guide available on the RCDevs website.

Migration Guide

1. Overview This document is a migration guide for RCDevs products between two servers. Installation is not covered by this guide. 2. Requirements You need root access to the old server and the new server. The products you want to migrate should already be installed on the new server. 3. RCDevs products This section covers these products: WebADM (webadm), Radius Bridge (radiusd), LDAP Bridge (ldproxy), Directory Server (slapd), Publishing Proxy (waproxy), HSMHub Server (hsmhubd). Use only the commands for the products installed on your server.

Hardware Token Import

The Inventory For The Hardware Tokens For each purchase of hardware tokens from RCDevs, RCDevs provides an encrypted inventory file that contains the token seeds. Only your server can decrypt this file: it is tied to your license. The inventory for the hardware tokens in WebADM/OpenOTP allows you to review the token stock, to register a token very easily (with the serial number only for the RC200, RC300 & RC400 hardware tokens, or by pressing a YubiKey), and to save time when importing a large number of tokens.

Trusted Certificate

1. How to Use my Own Trusted Certificate in WebADM During installation, WebADM generates its own certificate authority certificate and server SSL certificates. Yet, you can use your own SSL certificates instead of the pre-generated ones. Using a trusted certificate may be required when you use the RCDevs OpenID IDP, and to avoid user browser warnings when accessing the WebApps. Just create the SSL certificate and key files in /opt/webadm/pki/custom.

Virtual Appliance

RCDevs Virtual Appliance Startup Guide The RCDevs VMware Appliance is a standard, minimal CentOS 7 (64-bit) Linux installation with the RCDevs software packages already installed with yum. The Appliance contains the following (already configured) components: WebADM Server (installed in /opt/webadm/); WebADM Web Services: OpenOTP, SMSHub, OpenSSO, SpanKey, TiQR (installed in /opt/webadm/websrvs/); WebADM WebApps: SelfDesk, SelfReg, PwReset, OpenID (installed in /opt/webadm/webapps/); OpenOTP Radius Bridge (installed in /opt/radiusd/); RCDevs Directory Server (OpenLDAP in /opt/slapd/).

WebADM Hardware Security Configuration (HSM)

1. Product Documentation This document describes how to correctly configure the Yubico YubiHSM and enable it through the WebADM settings, in order to provide both hardware-level encryption and random seed generation (the strongest enterprise security available) in your RCDevs product. WebADM only needs a subset of commands to work with the YubiHSM, and the reader should note that this document is not a guide describing all possible modes of operation provided by the device itself.

Authentication

Test Double Authentication with a User 1. User Activation Once WebADM is installed and configured, we can connect to it with a web browser. We select the user to activate in the LDAP tree on the left, for example Admin, or we create a new user by clicking on Create. Once the user is selected, we click on Activate Now!: If mandatory attributes are present, we fill them in and click Proceed:

Client Policies

How To Create a Client Policy This document explains how to configure a client policy in WebADM. 1. What is a Client Policy? A Client Policy provides per-client application access control and customized configurations. Client Policy objects are also used to customize the behavior of a client application (e.g. a VPN server using the OpenOTP Authentication Server). You can create a client policy object having the name of a Web Service’s client ID.

User Activation

How To Activate Users An activated user is a user who is counted in the license and who is able to authenticate with OpenOTP. There are several ways to activate users. 1. Activate One User Graphically In WebADM, we select the user in the LDAP tree and click on Activate Now!: Then, we complete all mandatory attributes and click on Proceed: We click on Extend Object: Now, the user is activated.

Plivo SMS Gateway & WebADM

1. Set Up an Account on Plivo Sign up for an account. Add credit to the account (you should, however, get some initial free credit when signing up). From the Dashboard go to API Platform and copy the AuthID and the AuthToken. 2. Configure WebADM: Log in to WebADM. Go to Applications —> MFA Authentication Server. Configure the section SMS OTP (instructions are embedded in the page).

Feitian c100 - c200 Tokens with OpenOTP

How To use Feitian c100/c200 Tokens with OpenOTP OpenOTP supports Feitian c100 & c200 Token series. Feitian c100 are OATH-HOTP (event-based) and c200 are OATH-TOTP (time-based). The Tokens are provided with a PSKC import file by Feitian. The file includes the Token secret key in an encrypted or cleartext format. If it is encrypted, the PSKC decryption key should have been provided to you by Feitian. To register a Token with a PSKC file, edit a user account in WebADM and go to the OTP Server Actions.

Vasco Digipass GO6 Tokens with OpenOTP

How To use Vasco Digipass GO6 Tokens with OpenOTP OpenOTP supports Vasco Digipass GO6 hardware tokens. Digipass GO6 works with OATH-HOTP (event-based) and OATH-TOTP (time-based). The Digipass GO6 is provided with a PSKC import file by Vasco. The file includes the token secret key in an encrypted format. The PSKC decryption key is provided by Vasco in a separate document. To register a Vasco GO6 token: 1) Import the PSKC file either with the import tool in /opt/webadm/websrvs/openotp/bin/pkcs.

Mountpoints

1. Overview Generally, WebADM is configured to connect to a remote AD/LDAP domain for two reasons: For an admin to be able to browse (and optionally modify) remote domain contents such as user objects via a web browser (and optionally delegate that work to sub-administrators). To act as a gateway allowing the OpenOTP server to read and use remote user data for authentication purposes (e.g. fetching a user's mobile phone number from the AD account).

SpanKey SSH Key Management

1. Overview SpanKey is a centralised SSH key server for OpenSSH, which stores and maintains SSH public keys in a centralised LDAP directory (e.g. Active Directory). With SpanKey there is no need to distribute, manually expire or maintain the public keys on the servers. Instead, the SpanKey agent is deployed on the servers and is responsible for providing the users’ public keys on demand. The SpanKey server provides per-host access control with “server tagging”, LDAP access groups, centralized management from the RCDevs WebADM console, shared accounts, privileged users (master keys), recovery keys… It supports public key expiration with automated workflows for SSH key renewal (via Self-Services).

What's Wrong??

What’s Wrong?? Here we describe how to fix some common errors easily. The first thing to do when a login fails for an unknown reason is to check the log file /opt/webadm/log/webadm.log and find the relevant log entries. 1. Invalid Username or Password
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] New openotpSimpleLogin SOAP request
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Username: john@my.company
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Password: xxxxxx
[2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Client ID: RadTest
[2017-07-21 09:13:16] [127.