Documents in WebADM Server

OpenID-SAML IdP Web Service

OpenID/SAML Identity Provider The installation of OpenID/SAML IdP is straightforward and only consists of running the self-installer and configure the application in WebADM. You do not have to modify any files in the OpenID install directory! The web applications configurations are managed and stored in LDAP by WebADM. To configure OpenID/SAML, just enter WebADM as super administrator and got to the ‘Applications’ menu. Click OpenID/SAML to enter the web-based configuration.

WebADM Administrator Guide

1. Product Documentation This document is a configuration guide for RCDevs WebADM. The reader should notice that this document is not a guide for configuring WebADM applications (Web Services and WebApps). Specific application guides are available through the RCDevs online documentation library. WebADM installation and setup is not covered by this guide and is documented in the RCDevs WebADM Installation Guide. 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as domain users and groups.

Secure Transaction Approval to be PSD2 compliant

1. Overview 1.1 The Problem RCDevs’ PSD2-READY solution has all the tools you need to stay compliant. Online banking and most business processes require controls and approvals. It could be for a large financial transaction, a simple work expense reimbursement or procurement approval. In banking, these have been traditionally managed using One-Time Passwords (OTP) or PIN codes and in business applications with simple username+password authentication. These mechanisms are now insufficient to meet today’s regulatory requirements, security and usability expectations.

OpenOTP Servers Sizing according to the Number of Users

1. Introduction In this how-to, we will present you how to size your servers according to the number of users in your organization that will use OpenOTP. 2. Recommendations for 500 Users 1 dedicated server or Virtual machine with Linux (2 for High Availability). Server configuration: 3GHz processor (4 cores). 8GB RAM memory. 200MB disk space for installation files. 10GB disk space for log files and DB. Optionally 1 YubiHSM for hardware crypto.

Novell eDirectory Installation

How To Install Novell eDirectory Note To install and setup Novell eDirectory on a Linux server, proceed as follows. 1. Installing eDirectory Use the nds-install utility to install eDirectory components on Linux systems. This utility is located in the Setup directory on the CD for the Linux platform. The utility adds the required packages based on what components you choose to install. Log in as root on the host.

WebADM High Availability Guide

1. Product Documentation This document is a deployment guide for RCDevs WebADM in high availability (or cluster) mode. The reader should notice that this document is not a guide for installing WebADM applications (Web Services and WebApps). 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups. It is the configuration interface and application container for RCDevs Web Services and WebApps such as OpenOTP.

How to Configure RCDevs License Server

1. Introduction In this short How-To, we will explain how to configure RCDevs License Server. The license server is now the default RCDevs model for licensing. This documentation is addressed to every new customer who is subscribing for an enterprise license. For others, the license server can be used with at least WebADM 1.6.8-2. IMPORTANT NOTE Once the license server is configured with WebADM, a license cache is available for 10 days.

Read-Only Active Directory with WebADM

How To Configure WebADM with a Read-Only Active Directory Important Note An entreprise license is mandatory for that setup since WebADM 1.6.6 In some circumstances, we can not write in the LDAP backend. In that case, we need to store some configurations in a local LDAP database and users extra information in a SQL database. In this example, we will start with a WebADM server running with a local MariaDB and RCDevs Directory Server.

OpenLDAP Installation

How To Install OpenLDAP On an empty OpenLDAP, you can initialize your directory by importing the following LDIF entries. Change “mydomain” to match your organization name and save the LDIF content to a root.ldif file. dn: dc=mydomain dc: mydomain ou: rootObject objectClass: top objectClass: dcObject objectClass: organizationalUnit dn: cn=admin,dc=mydomain cn: admin sn: admin objectClass: person objectClass: inetOrgPerson Use the following command to initialize your OpenLDAP directory. ldapadd -x -D "cn=admin,dc=mydomain" -W -f root.

LDAP Schema Extension

LDAP Schema Extension 1. Content of the Schema Extension The schema extension is very minimal. It is composed of three object classes (webadmAccount, webadmGroup and webadmConfig) and three attributes (webadmSettings, webadmData and webadmType). Each attribute contains a registered object identifier. 34617 corresponds to the registered number for RCDevs at IANA. 2. Automatic Schema Extension This option is preferred and is very easy. It works with most of LDAP servers.

Feitian c100 - c200 Tokens with OpenOTP

How To use Feitian c100/c200 Tokens with OpenOTP OpenOTP supports Feitian c100 & c200 Token series. Feitian c100 are OATH-HOTP (event-based) and c200 are OATH-TOTP (time-based). The Tokens are provided with a PSKC import file by Feitian. The file includes the Token secret key in an encrypted or cleartext format. If it is encrypted, the PSKC decryption key should have been provided to you by Feitian. To register a Token with a PSKC file, edit a user account in WebADM and go to the OTP Server Actions.

Vasco Digipass GO6 Tokens with OpenOTP

How To use Vasco Digipass GO6 Tokens with OpenOTP OpenOTP supports Vasco Digipass GO6 Hardware Tokens. Digipass GO6 works with OATH-HOTP (event-based) and OATH-TOTP (time-based). If you know the type of your token and the secret seed, you can register an individual token directly to a user with “Manual Registration” in WebADM or Self-Desk. To register a Vasco GO6 Token with a serial number, you must import them into the WebADM inventory.

WebADM Upgrade Guide from 1.3 and older to 1.4 and later

1. Introduction This document provides the necessary information for upgrading servers running WebADM v1.3 to WebADM v1.4 released in July 2015. WebADM v1.4 is a major upgrade of RCDEVS WebADM which includes major changes listed at the end of this document. The reader should notice that this document is not a guide for installing WebADM or its applications (Web Services and WebApps). Specific application guides are available through the RCDevs Online Documentation.

Active Directory with WebADM

1. Installation Packages Firstly, we have to install OpenOTP and WebADM packages available through RCDevs Repository or on RCDevs Website. In this how-to, we will install all required packages through the RCDevs repository. So, your servers should have internet access to download every package. 1.1 For Redhat/CentOS On a RedHat, Centos or Fedora system, you can use our repository, which simplifies updates. Add the repository on your server(s) who will host WebADM/OpenOTP:

WebADM Upgrade Guide

1. Introduction This document provides the necessary information for upgrading servers running WebADM v1.5.x to WebADM v1.7.x. WebADM v1.7 is a major upgrade of RCDevs WebADM. The reader should notice that this document is not a guide for installing WebADM or its applications (Web Services and WebApps). Specific application guides are available through the RCDevs Online Documentation. WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide available through the RCDevs’ online documentation website.

Active Directory with SSL

How to Enable Active Directory LDAP SSL Installing an Enterprise Root Certificate Authority in Windows Server 2008/2012/2016. In order to install and configure an Enterprise Root CA, you must log onto the server with a user account that belongs to the Domain Admins group. 1. To Set Up an Enterprise Root CA in Windows Server 2008/2012/2016 1) Click Start, point to Administrative Tools and then click Server Manager. 2) In the Roles Summary section, click Add Roles.

WebADM Installation Guide

1. Product Documentation This document is an installation guide for RCDevs WebADM Server. The reader should notice that this document is not a guide for installing WebADM applications (Web Services and Web Applications). Specific application guides are available through the RCDevs Online documentation. WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide. 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups.

proxy_user rights on Active Directory

How to configure proxy_user rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permission for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter, register token metadata on the user account… Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

Token Registration

1. Overview In this how-to, we will demonstrate the possible ways to enroll a hardware token or a software token on your mobile. For software token registration, you must have a token application installed on your phone like OpenOTP Token or Google Authenticator. OpenOTP Token is the recommended one to enjoy all features offered by OpenOTP server (like push login, phishing protection…). 2. Admin Enrollment through the WebADM Admin GUI A token enrollment can be done by a super_admin or other_admin user through the WebADM admin GUI.

Utilities and Command Line Tools for WebADM

1. Introduction In this How-To, we will demonstrate some useful scripts available for WebADM and how to use them. 2. WebADM Utilities and Scripts Some scripts are available in: [root@webadm]# cd /opt/webadm/bin/ [root@webadm bin]# ll total 152 -rwxr-xr-x 1 root root 1809 11 oct. 15:35 backup -rwxr-xr-x 1 root root 6807 11 oct. 15:35 dbprune -rwxr-xr-x 1 root root 11215 11 oct. 15:35 encrypt -rwxr-xr-x 1 root root 10837 11 oct.

super_admin rights on Active Directory

How To configure super_admin rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permission for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter. Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

How to migrate from a third party 2FA software to OpenOTP

1. Overview In this how-to, we will demonstrate how to easily migrate from a third party 2FA software to OpenOTP. In this documentation, we assume that you are already running WebADM, OpenOTP and Radius Bridge. To understand what will be done here, we will describe the steps: Have a WebADM, OpenOTP and Radius Bridge installed and configured, Activate every users who will require 2FA authentication at the WebADM level, Import your third-party hardware Tokens into WebADM.

MFAVPN

1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides of WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website. 2. Installation of MFA VPN On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates.

What's Wrong??

What’s Wrong?? Here we describe how to fix some common errors easily. The first thing to do when a login failed for an unknown reason is to check the log file /opt/webadm/log/webadm.log and find the right log. 1. Invalid Username or Password [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] New openotpSimpleLogin SOAP request [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Username: john@my.company [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Password: xxxxxx [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Client ID: RadTest [2017-07-21 09:13:16] [127.

User Activation

How To Activate Users An activated user is a user which is counted in the license and which is able to authenticate with OpenOTP. There are several ways to activate users. 1. Activate One User Graphically In WebADM, we select the user in the LDAP tree and click on Activate Now!: Then, we complete all mandatory attributes and click on Proceed: We click on Extend Object: Now, the user is activated.

Authentication

Test Double Authentication with a User 1. User Activation Once WebADM is installed and configured, we can connect to it with a web browser. We select the user to activate in the LDAP tree on the left, for example, Admin, or we create a new user by clicking on Create. Once the user is selected, we click on Activate Now!: If present, we fill mandatory attributes and Proceed: We click on Extend Object:

Trusted Certificate

1. How to Use my Own Trusted Certificate in WebADM During installation, WebADM generates its own certificate authority certificate and server SSL certificates. Yet, you can use your own SSL certificates instead of the pre-generated ones. Using a trusted certificate may be required when you use the RCDevs OpenID IDP, and to avoid user browser warnings when accessing the WebApps. Just create the SSL certificate and key files in /opt/webadm/pki/custom.

Policies

1. Overview This documentation will explain policies configurable for Web Services and Web Applications under WebADM admin GUI. WebADM provides different kinds of policies : default application configuration (weight 1), per-group (weight 2), per-user (weight 3), per-application (weight 4-6). Settings with the highest weight override settings with the lowest weight. (e.g for OpenOTP: My default OpenOTP settings require a LoginMode=LDAP only but the user who is trying to log in has a policy configured on his account with the LoginMode=LDAP+OTP.

Hardware Token Import

The Inventory For The Hardware Tokens For each purchase of hardware tokens from RCDevs, RCDevs provide an Inventory file encrypted that contains the tokens seeds. Only your server can decrypt this file: it works with the license. The Inventory for the hardware tokens in WebADM/OpenOTP allows: to review the token stock to register a token very easily with the serial number only for the RC200, RC300 & RC400 hardware tokens pressing a Yubikey to save time when importing a large number of tokens.

Mountpoints

1. Overview Generally, WebADM is configured to connect with a remote AD/LDAP domain for two reasons: For an admin to be able to browse (and optionally modify) remote domain contents such as user objects via a web browser (and optionally delegate that work to sub-administrators). To act as a gateway to allow the OpenOTP server to read and use remote user data for authentication purposes (i.e. fetch user mobile phone number from AD account).

How to use your Yubikey with RCDevs

1. Overview In this How-To, we will demonstrate how to reprogram your Yubikey with the Yubikey Personalization Tool, to generate an inventory file through Yubico tool to import the Yubikey in WebADM inventory and how to assign and use your Yubikey with OpenOTP. For this recipe, you will need to have WebADM and OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual. 2. Yubico Personalization Tool Once Yubico Personalization Tool is installed, open it.

Plivo SMS Gateway & WebADM

1. Setup an Account on Plivo Sign up for an account. Add the credit to the account (however, you should get some initial free credit when signing up). From the Dashboard go to API Platform and copy the AuthID and the AuthToken. 2. Configure WebADM: Login to WebADM. Go to Applications —> MFA Authentication Server. Configure the section SMS OTP. SMS Message Type ==> Normal (We advise testing using Normal first).

OpenOTP & U2F Keys

Overview OpenOTP v1.2 supports both OTP and the newer FIDO-U2F standard from the FIDO Alliance for user authentication. If you intend to use OpenOTP with FIDO U2F, please read this document which explains how to enable and use U2F with your application integrations and WebADM self-services. FIDO Universal 2nd Factor (U2F) is a new authentication standard created by the FIDO Alliance which simplifies and strengthens two-factor authentication for businesses and consumers.

Hardware Security Module Configuration (HSM)

1. Product Documentation This document describes how to configure correctly the Yubico YubiHSM and enable it through the WebADM setting, in order to provide both hardware level encryption and random seed generation (the strongest Enterprise security available) in your RCDevs product. WebADM only needs a subset of commands to work with the YubiHSM and the reader should notice that this document is not a guide describing all possible modes of operation provided by the device itself.

Hardening your WebADM Server

1. Overview Hardening is the process of securing a system by reducing its surface of vulnerability. We will show you how to reduce available ways of attack this includes enabling FIPS mode, changing the default password, encrypting configuration passwords, limiting SSL Protocols and Ciphersuites, replacing Certificates, setting a bootloader password, disable root access with SSH root, securing the MySQL/MariaDB Databases, setting Firewall rules and resetting RCDevs Virtual Appliance root password… Please consider carefully which of these settings are relevant for your use.

Mail OTP

1. Overview This guide will show how to set up the email settings for sending MAIL OTP. If one needs to change or to add Localized Message then navigate to the following documentation Message Templates. 2. Config Mail Server SMTP mail servers can be used by WebADM for sending emails. Therefore add your mail server settings in the following configuration file /opt/webadm/conf/servers.xml. If no server is specified, WebADM will use the local mailer in /usr/sbin/sendmail to send emails.

NTP (Network Time Protocol)

1. Overview WebADM requires an accurate system clock and timezone. Your Linux server should be configured with NTP time synchronization. This guide will show how to install and configure the NTP server. Network Time Protocol traffic runs over port 123 UDP. At RCDevs Hardening Guide are firewall rules examples. The RCDevs Virtual Appliance uses chrony instead of ntp. 2. Check Installed Packages 2.1 CentOS 7 Please, verify if NTP or Chrony packages are already installed.