OTP Server – Administration Manual V3

Nordic Edge

One Time Password Server

Administration Manual V3
About Nordic Edge®

Nordic Edge AB is a provider of platform independent products focused on security and identity management. With extensive knowledge of directory services and security infrastructure, Nordic Edge provides products with unique applications for our customers to simplify information access and administration processes. As a result of the capabilities of Nordic Edge software and solutions, Intel acquired Nordic Edge in 2011 to serve as an important pillar of Intel’s secure cloud initiatives.

For more information, see www.nordicedge.com

Trademarks
Nordic Edge is a registered trademark.
All third-party trademarks are the property of their respective owners.


1 Table of contents

        1. OTP Server – Administration Manual V3
  1. 1 Table of contents
  2. 2 Terminology
  3. 3 One Time Password Server – Overview
    1. OTP Server Architecture
    2. Technical Data
      1. Supported Operating Systems
      2. User Database Support
      3. Protocol Support
      4. OTP Client SDK (Software Developer Kit)
  4. 4 What’s new
        1. New improved configuration interface
        2. Identity Manager for OTP is included
        3. Pledge Enrollment for users is included
        4. Expired Password Notification detection
        5. RADIUS attribute detection
        6. New database type, RADIUS forward.
        7. Support for YubiKey from Yubico
        8. Support for OATH Token identifier auto enrollment
        9. Support for multiple RADIUS UDP port listeners
        10. Support for external OTP creation and verification by API
        11. Native OTP Clients can be named
    1. New in OTP Server 3.1:
        1. New OTP Client type, Web service
        2. Force one-time password delivery method
        3. Hashed PIN-code support
        4. Reply-Message for RADIUS Reject
        5. TOTP anti-replay check
        6. TOTP configurable time step
        7. OTP retry function
        8. Resynch of OATH devices (HOTP/TOTP)
        9. Multiple OATH key support for SQL databases
  5. 5 Product features
        1. SMS/Mail one time passwords
        2. Nordic Edge SMS Gateway
        3. Auto register SMS demo account
        4. LDAP user stores
        5. SQL user stores
        6. Multiple user stores
        7. Test tool
        8. Remote configuration
        9. OTP Mobile Client Pledge
        10. OATH support
        11. Alerts
        12. Easy to configure
        13. Java and COM/.NET API's
        14. Custom plug-in
        15. Custom user store handler
        16. PIN code for one-time passwords
        17. Prefetch one time passwords
        18. Fail-over user stores and one time password servers
        19. RADIUS support
        20. Integration modules
        21. Platform independent
        22. Store session data
        23. Get available user attributes
        24. Identity Manager for OTP
        25. Pledge Enrollment for users is included
        26. Expired Password Notification detection
        27. RADIUS attribute detection
        28. New database type, RADIUS forward.
        29. Support for YubiKey from Yubico
        30. Support for OATH Token identifier auto enrollment
        31. Support for multiple RADIUS UDP port listeners
        32. Support for external OTP creation and verification by API
        33. Native OTP Clients can be named
  6. 6 Integration Overview
    1. Integration modules
      1. Citrix
      2. Microsoft
      3. Novell
      4. Apache
      5. CA
      6. IBM
    2. VPN/RADIUS access
    3. Programming API's
  7. 7 Installation
    1. General Requirements
      1. Hardware server or Virtual Machine
      2. Operating System
      3. Communication
      4. Software
    2. Installing One Time Password Server version 3
      1. Installing on Windows
  8. 8 Configuration Interface and object overview
    1. OTP Configurator Main Window
      1. Console window – Overview
      2. The Select Pane (Left)
        1. Server
        2. RADIUS
        3. Logs
        4. Alerts
        5. License
        6. Databases
        7. Clients
        8. Delivery Methods
        9. Misc
      3. The Configuration Pane (Right)
      4. Special mouse operations
      5. Menu bar
      6. Save configuration (Button)
      7. Exit/Close (Button)
  9. 9 Configuration overview
      1. General configuration
      2. Quick start guides
  10. 10 Server configuration
      1. Server Settings
      2. Mobile Numbers
      3. One Time Password Options
      4. Client Settings
      5. Encryption
      6. Options
      7. Global Options
  11. 11 RADIUS configuration
      1. RADIUS Server Settings
      2. Additional Ports
  12. 12 Database configuration
        1. New Database
        2. Delete Database
        3. Duplicate Database
        4. OATH Database
    1. Create New LDAP Database
      1. Host Settings
      2. Search Settings
      3. Account Settings (HOTP not enabled)
      4. Account Settings (With HOTP enabled)
      5. Enable OTP Prefetch
      6. PIN Code
          1. Hashed PIN code
      7. Advanced Options
    2. Create New JDBC/ODBC (SQL) User Database.
      1. JDBC/ODBC Settings
      2. SQL Queries (HOTP not enabled)
      3. SQL Queries (HOTP Enabled)
        1. Onetime Password Prefetch
        2. PIN code
    3. Create Forward RADIUS database
    4. Create User Database Group
  13. 13 Client configuration
        1. New Client
        2. Delete Client
        3. Duplicate Client
    1. Create new RADIUS Client
      1. Advanced, RADIUS Client Attribute Detection, Listen on RADIUS ports
      2. RADIUS Options
      3. Prefetch OTP Options
      4. User Database
      5. Other Options
    2. Create new Native Client
      1. Advanced, Native Client Name Detection
      2. Options
      3. User Database
      4. Other Options
    3. Create new Web service Client
      1. Options
      2. User Database
      3. Other Options
  14. 14 Delivery Methods
        1. Show all
        2. Show enabled
        3. Show disabled
        4. Enable Delivery Method
        5. Deliver method sending order
    1. Nordic Edge SMS Gateway
      1. General Settings, Proxy
      2. Configuration & Status
      3. Advanced
    2. HTTP
      1. Headers or Templatefile
      2. Authentication
      3. Proxy
      4. Other Settings
    3. Extended HTTP
      1. Headers or Templatefile
      2. Authentication
      3. Proxy
      4. Client Cert
      5. Other Settings
    4. SMTP
      1. SMTP Host
      2. Authentication
      3. SMTP Options
    5. Netsize
      1. Communication
      2. Authentication
      3. Message
      4. Endpoint settings
      5. Options
    6. Concurrent Sender
    7. Instant Messaging
        1. OTP Message
        2. User Prefix concept
      1. Skype
      2. Microsoft Live/MSN
      3. Jabber (Google Talk)
    8. SMPP
    9. CIMD2
    10. UCP file
  15. 15 Logs
      1. Log Files
      2. Other Settings
  16. 16 Alerts
      1. Alert Configuration
  17. 17 License
    1. Register new licenses
      1. License Information
  18. 18 Misc
    1. AES Encryption
        1. General Settings
        2. Advanced Settings
        3. Test encryption & decryption
    2. Expired Password Notification
      1. Expired Password Notification
    3. OATH Configuration
      1. OATH Configuration
          1. HOTP
          2. TOTP
          3. General OATH Options
        1. Automatic OATH Enrollment
          1. Advanced Automatic OATH Enrollment with LDAP database
    4. Prefetch Proxy Config
        1. Proxy Sending of Prefetch OTPs
        2. Force sending Prefetch OTP with Method
    5. Identity Manager & Pledge Enrollment
    6. Yubico
  19. 19 Starting and Stopping the OTP Server
        1. Microsoft® Windows® 2008/2003
        2. Unix/Linux/OSX
  20. 20 The OTP-Server Monitor
        1. Shutdown
    1. OTP Server Statistics (Show Details)
      1. Sending OTP’s
      2. One time Passwords
      3. RADIUS
      4. Connections
      5. Encryption
      6. User Database Authentication
  21. 21 On-Demand services
    1. OTP On-demand
    2. SMS On-Demand
    3. SMS Gateway

2 Terminology

Term Description

Authentication

Authentication is the process of determining whether someone or something is who or what they declare themselves to be.

Authorization

Authorization is the process of deciding whether someone or something has permission to access or use a given resource.

JDBC

Java Database Connectivity (JDBC) is an application program interface (API) specification for connecting programs written in Java to the data in popular databases.

ODBC

Open Database Connectivity (ODBC) is an open standard application programming interface (API) for accessing a database.

LDAP

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP).

OATH

Open Authentication (OATH) is an open standard designed to enable strong authentication with devices from multiple vendors. OTP Server supports tokens that use the OATH algorithms HOTP and TOTP.

http://support.nordicedge.se/nordic-edge-one-time-password-server-oath-integration/

OTP Server

Nordic Edge One Time Password Server 

OTP Client / Native Client

Nordic Edge client that uses the OTP Server APIs to communicate with the OTP Server.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.

Nordic Edge OTP OnDemand 

This is a hosted service that enables our customers to use strong authentication without the need to install the product in their own environment. The Nordic Edge OTP On-Demand is accessed via Web Services.

Pledge

The mobile client from Nordic Edge that uses HOTP (RFC 4226) or TOTP (RFC 6238) from OATH to turn the mobile device into a security token.


3 One Time Password Server – Overview


Nordic Edge One-time password Server secures and protects applications and systems with strong, multi-factor authentication.


Nordic Edge One-time password Server (OTP Server) adds an extra layer of security that is flexible and efficient to implement, providing applications and systems with strong, multi-factor authentication. Combining username and password with a second factor, such as a one-time password sent to a mobile device, is a powerful way to protect the "key" (the authentication process) to an organisation's applications and systems.

When the username and password are successfully verified by the OTP Server against the defined user store or stores, a one-time password is distributed to the end-user. The user is only authenticated to the application or system if the OTP Server successfully verifies the one-time password entered by the end-user.

The OTP Server has many methods to generate and distribute the one-time passwords to end-users, such as SMS to a mobile phone, e-mail, and instant messaging systems (Skype, Google Talk, MSN).

The OTP Server also supports different types of devices (tokens) that use the OATH standards HOTP (RFC 4226) or TOTP (RFC 6238) to generate the one-time passwords. Nordic Edge also offers the mobile client Pledge, which uses these standards to turn the mobile device into a security token.

It is easy to integrate the OTP Server with systems and applications that support RADIUS, or to use one of the many native integration modules that Nordic Edge provides.

A wide range of integration modules exist for Citrix, Microsoft Outlook Web Access, GroupWise Web Access, VPN (Cisco, Checkpoint, F5, Bluecoat, Juniper etc.), Apache Reverse Proxy and Web Server, Microsoft IIS and more. Other applications can easily be integrated using our APIs or Web Services.


OTP Server Architecture


Technical Data

Supported Operating Systems

Any operating system that supports Java Virtual Machine (JVM) version 1.6 or higher, for example Microsoft® Windows® *, Linux™, Sun® Solaris®, IBM® AIX, Mac OS X.

Both 64-bit and 32-bit operating systems are supported.


* Windows Server 2003/2008 R2 and earlier versions.

User Database Support

  • LDAP (Sun Directory Server, Microsoft Active Directory, Novell eDirectory etc.)
  • SQL via JDBC or ODBC (Oracle, Microsoft SQL Server, MySQL, etc.)
  • Others via API

Protocol Support

  • LDAP
  • HTTP and HTTPS
  • SMTP
  • Web Services/SOAP
  • NetSize
  • CIMD2
  • SMPP
  • Instant Messaging (Skype, Microsoft MSN Messenger, Jabber (GoogleTalk))

OTP Client SDK (Software Developer Kit)

The Java Client API can be used for integration with applications where Nordic Edge® does not provide an integration module. It is described in the document “OTPClientAPI.pdf”. 

COM/.NET APIs can be downloaded from http://www.nordicedge.se


4 What’s new

There have been major changes in this release in terms of a new configuration interface, new and updated functions and other improvements to the core product. Some of the new features are described below.

New improved configuration interface

The configuration interface is new and has been updated to improve the functionality and logic in order to make it even easier to configure the OTP Server.

Identity Manager for OTP is included

The OTP Server is now shipped with a preconfigured version of the Nordic Edge Identity Manager Portal deployed on the included Tomcat server. It can be used by administrators and helpdesk personnel to administer specific user information in the user stores (databases) used by the OTP Server. It can also be used as a self-administration portal that lets end-users change specific information about themselves.

Pledge Enrollment for users is included

This web application is deployed on the included Tomcat server and lets end-users follow an easy step-by-step auto enrollment process to download a Pledge profile with an included HOTP key. The application uses a web services interface to integrate with the Nordic Edge Profile Factory services, where customers can design the look and feel and the security options of their Pledge profiles.

Expired Password Notification detection

The OTP Server can now detect and notify the end-users that their password has expired.

RADIUS attribute detection

The OTP Server can separate connections from the same RADIUS Client based on the type of request, identified by the RADIUS attributes it includes.

New database type, RADIUS forward.

The OTP Server can use this type of database to pass through and forward the RADIUS request to another RADIUS Server. It can be used to support RSA SecurID or SafeWord tokens, to integrate with other RADIUS servers, or in migration scenarios with legacy tokens.

Support for YubiKey from Yubico

  • Support for Yubico tokens and keys based on OATH/HOTP or Yubico's native AES algorithm.
  • Support for Yubico's validation server through web services, and support for storing the AES keys in a local database or LDAP directory service.
  • Support for auto enrollment of YubiKeys by storing key information in an LDAP directory or SQL database.
  • Keys can easily be imported into the database.

Support for OATH Token identifier auto enrollment

Keys can easily be imported into a database, with the key information stored in an LDAP directory or SQL database.

Support for multiple RADIUS UDP port listeners

The OTP Server RADIUS module can be configured to listen on multiple UDP ports, so that clients can be assigned to a specific port.

Support for external OTP creation and verification by API

An external implementation of any OTP algorithm can use the API to handle the creation and verification of OTPs.

Native OTP Clients can be named

Integration modules that use the native client API can now have a name assigned to them. The name can be used to assign separate native clients to a specific configuration in the OTP Server, even if they connect from the same IP address.


New in OTP Server 3.1:

New OTP Client type, Web service 

A new Web service OTP Client for any application or system that uses Web services. The Web service OTP Client functionality corresponds to the One Time Password Native Client API, exposed as SOAP services. More information is available at http://support.nordicedge.se/otp-server-web-service-client-api-soap

Force one-time password delivery method

The one-time password delivery method can be configured at OTP Client level. This setting overrides the automatic delivery method selection.

Hashed PIN-code support

OTP Server supports hashed PIN codes (SHS, SSHA and MD5).
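The check behind hashed PIN-code support, as an added example that is not Nordic Edge code: it assumes the PIN is stored in the LDAP-style "{SCHEME}base64" form ({SHA} and {MD5} unsalted, {SSHA} salted SHA-1 with the salt appended to the digest), and the user records it uses are constructed sample data.

```python
"""Verifying a PIN against a hashed PIN code stored in the user store.

Added example, not Nordic Edge code. It assumes the hashed PIN is stored in
the LDAP-style "{SCHEME}base64" form: {SHA} and {MD5} are unsalted digests,
{SSHA} is a SHA-1 digest followed by the salt. The sample records below are
constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; anything after it in {SSHA} is the salt


def hash_pin(pin: str, scheme: str = "SSHA", salt: bytes = b"") -> str:
    """Produce a stored hashed PIN in the {SCHEME}base64 form (salted SHA-1 by default)."""
    data = pin.encode("utf-8")
    if scheme == "SSHA":
        if not salt:
            salt = os.urandom(8)  # fresh random salt per stored PIN
        payload = hashlib.sha1(data + salt).digest() + salt
    elif scheme == "SHA":
        payload = hashlib.sha1(data).digest()
    elif scheme == "MD5":
        payload = hashlib.md5(data).digest()
    else:
        raise ValueError("unsupported hash scheme: " + scheme)
    return "{" + scheme + "}" + base64.b64encode(payload).decode("ascii")


def verify_pin(pin: str, stored: str) -> bool:
    """Check a PIN entered by the user against the stored {SCHEME}base64 value.

    Returns False (never raises) for malformed values or unknown schemes, so a
    bad directory entry is treated as a failed PIN check rather than a crash.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    data = pin.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        expected = hashlib.sha1(data + salt).digest()
    elif scheme == "SHA":
        digest, expected = raw, hashlib.sha1(data).digest()
    elif scheme == "MD5":
        digest, expected = raw, hashlib.md5(data).digest()
    else:
        return False
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(digest, expected)


# Constructed sample user records: each user has a PIN hashed with a different scheme.
SAMPLE_USERS = {
    "alice": hash_pin("4711", "SSHA"),
    "bob": hash_pin("1234", "SHA"),
    "carol": "{MD5}gdyb21LQTcIANtvYMT7QVQ==",  # MD5 of "1234", as a directory entry might hold it
}


def check_user_pin(user: str, pin: str) -> bool:
    """Look the user up in the constructed store and verify the entered PIN."""
    stored = SAMPLE_USERS.get(user)
    return stored is not None and verify_pin(pin, stored)


if __name__ == "__main__":
    for user, pin in (("alice", "4711"), ("alice", "4712"), ("carol", "1234")):
        print(user, pin, "->", check_user_pin(user, pin))
```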

Reply-Message for RADIUS Reject

OTP Server can reply with a customizable message if authentication fails, a system error occurs or the one-time password is wrong.

TOTP anti-replay check

The anti-replay check only allows a given TOTP to be used once within the time frame. The OTP Server keeps track of the OTPs already used by each TOTP device within the accepted time frame.

TOTP configurable time step

The maximum number of out-of-sync time steps can be configured, which allows TOTP devices to be accepted within the specified number of time steps.

OTP retry function

The OTP retry function allows end users to easily try again if they failed to enter the correct one-time password the first time.

Resynch of OATH devices (HOTP/TOTP)

A new API for resynchronising OATH devices by sending two OTPs in sequence. More information: http://support.nordicedge.se/nsd1326-how-to-re-synchronize-oath-tokens-with-oathresyncwebapp
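The TOTP time-step window and anti-replay record described above, together with the two-OTP resynchronisation of HOTP devices, as one added example that is not Nordic Edge code: HOTP and TOTP follow RFC 4226 and RFC 6238 (HMAC-SHA1, 6 digits, 30-second step), while the window sizes, the in-memory replay record, the device classes and the demo secret are assumptions made for the demonstration.

```python
"""OATH verification with a configurable TOTP time-step window, a per-device
anti-replay record, and HOTP resynchronisation from two consecutive OTPs.

Added example, not Nordic Edge code. HOTP follows RFC 4226 and TOTP RFC 6238
(HMAC-SHA1, 6 digits, 30-second step); the window sizes, the in-memory
replay record and the device classes are assumptions for the demonstration.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _matches(secret: bytes, counter: int, otp: str) -> bool:
    """Constant-time comparison of the expected code with what the user entered."""
    return hmac.compare_digest(hotp(secret, counter).encode(), otp.encode())


class TotpDevice:
    """A TOTP device record: shared secret, time step, allowed drift and used steps."""

    def __init__(self, secret: bytes, step: int = 30, max_drift_steps: int = 1):
        self.secret = secret
        self.step = step                        # "TOTP configurable time step"
        self.max_drift_steps = max_drift_steps  # max out-of-sync steps accepted
        self.used_steps = set()                 # anti-replay record: steps already consumed

    def verify(self, otp: str, now: float = None) -> bool:
        current = int(time.time() if now is None else now) // self.step
        # drop records older than the accepted window; they can never match again
        self.used_steps = {s for s in self.used_steps if s >= current - self.max_drift_steps}
        for drift in range(-self.max_drift_steps, self.max_drift_steps + 1):
            candidate = current + drift
            if candidate in self.used_steps:
                continue  # a code for this step was already accepted: treat as replay
            if _matches(self.secret, candidate, otp):
                self.used_steps.add(candidate)
                return True
        return False


class HotpDevice:
    """An HOTP device record: shared secret, next expected counter and search windows."""

    def __init__(self, secret: bytes, counter: int = 0,
                 look_ahead: int = 3, resync_window: int = 100):
        self.secret = secret
        self.counter = counter                # next counter value the server expects
        self.look_ahead = look_ahead          # normal verification window
        self.resync_window = resync_window    # wider window used only for resync

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if _matches(self.secret, c, otp):
                self.counter = c + 1          # counters at or below c can never be reused
                return True
        return False

    def resync(self, first_otp: str, second_otp: str) -> bool:
        """Resynchronise from two OTPs generated in sequence on the device.

        Requiring two consecutive matches makes an accidental match inside the
        wide window far less likely than a single-OTP search would.
        """
        for c in range(self.counter, self.counter + self.resync_window):
            if _matches(self.secret, c, first_otp) and _matches(self.secret, c + 1, second_otp):
                self.counter = c + 2
                return True
        return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed demo data).
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    totp = TotpDevice(DEMO_SECRET)
    print("TOTP first use:", totp.verify(hotp(DEMO_SECRET, 1), now=59))  # True
    print("TOTP replay:   ", totp.verify(hotp(DEMO_SECRET, 1), now=59))  # False
    token = HotpDevice(DEMO_SECRET)
    print("HOTP resync:   ", token.resync(hotp(DEMO_SECRET, 7), hotp(DEMO_SECRET, 8)))  # True
```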

Multiple OATH key support for SQL databases

Multiple OATH keys can be used with SQL databases.

5 Product features

SMS/Mail one time passwords

Send one time passwords using SMS and e-mail for an easy way to let users access remote applications using two-factor authentication. 

Nordic Edge SMS Gateway

This plug-in delivers one time passwords using SMS via the Nordic Edge hosted SMS gateway. The Nordic Edge SMS Gateway supports automatic fail-over for service and SMS operator delivery, usage statistics, SMS status control and easy setup. 

Auto register SMS demo account

A demo account on the Nordic Edge SMS Gateway will be created automatically when installing the new version of OTP Server. This account can later be replaced with a production account or another means of SMS delivery. 

LDAP user stores

Use any LDAP compliant directory service to look up users and user attributes. OTP Server does not use any proprietary user stores.

SQL user stores

Use any JDBC compliant database to look up users and user attributes. OTP Server does not use any proprietary user stores.

Multiple user stores

For one specific client you can add as many user stores as you want. This can be used for fail-over, for users that are located in separate user stores, or when one set of users should receive their one-time passwords by SMS and another set by mail.

Test tool

The Test tool is a stand-alone application to test the OTP Server. Use this tool to test that the user store is configured correctly and that the one-time password distribution plug-in is working as expected.

Remote configuration

The API's can be used to read and set OTP Server configuration from a remote client. This is ideal for bundled applications, servers with limited access and graphical interfaces. 

OTP Mobile Client Pledge

Pledge is a mobile client application used to generate one-time passwords based on the OATH algorithms. The one-time password can be used to achieve strong authentication to services.
The client supports multiple profiles and is available on multiple platforms such as iPhone, Android, Windows Mobile and any mobile phone that supports Java Micro Edition (JME).

OATH support

OTP Server supports tokens based on the OATH standard (HOTP, TOTP). Nordic Edge is a member of the OATH initiative. 

Alerts

OTP Server can be configured to handle error alerts and send them to a list of administrators using SMS or e-mail. This way system administrators can be notified immediately when errors occur.

Easy to configure

OTP Server can be configured in less than a day, with full user store, SMS delivery and application integration.

Java and COM/.NET API's

The APIs can be used to create custom integrations between applications and OTP Server. The Java API is always included in the OTP Server installation. COM/.NET APIs can be downloaded from the product site.

Custom plug-in

Use the plug-in interface to write custom one-time password distribution plug-ins.

Custom user store handler

If there is a need for very specific demands on how to handle user stores, a custom database handler can be written to override the internal database handler. This is an advanced feature. 

PIN code for one-time passwords

Use this feature to add an extra PIN code to the one time passwords for extra protection. The PIN code is stored in the user directory. 

Prefetch one time passwords

The Prefetch feature lets users or administrators store one-time passwords in advance for scenarios where no mobile coverage is available. The one-time passwords can be stored as an SMS on the mobile or in a mail account, printed on cards or paper etc. All of this is controlled with a web administration application.

Fail-over user stores and one time password servers

Multiple user stores can be grouped together for fail-over. If the user cannot be found in the first user store, look in the second. All client integrations can be configured for multiple OTP Servers.

RADIUS support

OTP Server can act as a RADIUS server to support any RADIUS aware application. Most VPN solutions have RADIUS support. It is easy to configure integrations with Cisco, Checkpoint, Appgate, Juniper etc. 

Integration modules

OTP Server comes with several integrations such as Microsoft Outlook Web Access, Microsoft Forefront Threat Management Gateway, Forefront Unified Access Gateway, Citrix Access Gateway, Microsoft SharePoint, EPiServer, Citrix Presentation Server, Citrix Web Interface, Citrix XenApp Server, Apache Reverse-Proxy, CA Siteminder and many more. 

Platform independent

OTP Server can be run on any Java compliant platform. This includes Windows, Linux, Solaris, HP-UX, Mac OS X etc.

Store session data

OTP Server can store both persistent and one time session data. This can be used in Single Sign-on scenarios or just when there is a need to store data in a session store. 

Get available user attributes

The APIs can be used to get any available user attribute from the directory service. Do you need to read the user's mail address, last logon time or postal address? This is easy using the APIs.

Identity Manager for OTP 

The OTP Server is now shipped with a preconfigured version of the Nordic Edge Identity Manager Portal deployed on the included Tomcat server. It can be used by administrators and helpdesk personnel to administer specific user information in the directory that the OTP Server uses to authenticate users on behalf of configured Clients. It can also be used as a self-administration portal that lets end-users change specified information about themselves.

Pledge Enrollment for users is included

This web application is deployed on the included Tomcat server and lets end-users follow an easy step-by-step auto enrollment process to download a Pledge profile with an included HOTP key. The application uses a web services interface to integrate with the Nordic Edge Profile Factory services, where customers can design the look and feel and the security options of their Pledge profiles.

A step by step guide is available here:
http://www.nordicedge.se/products/one-time-password-server/pledge-enrollment-guide

Expired Password Notification detection

The OTP Server can detect and notify the users that their password has expired.

RADIUS attribute detection

The OTP Server can separate connections from the same RADIUS Client based on the type of request, identified by the RADIUS attributes it includes.

New database type, RADIUS forward.

The OTP Server can use this type of database to pass through and forward the RADIUS request to another RADIUS Server. It can be used to support RSA SecurID or SafeWord tokens, to integrate with other RADIUS servers, or in token migration scenarios.

Support for YubiKey from Yubico 

  • Support for Yubico tokens and keys based on either OATH/HOTP or Yubico's native AES algorithm.
  • Support for Yubico's validation server through web services, and support for storing the AES keys in a local database or in an LDAP directory service.
  • Support for auto enrollment of YubiKeys by storing key information in an LDAP directory or SQL database.
  • Keys can easily be imported into the database.

Support for OATH Token identifier auto enrollment

Keys can easily be imported into a database, with the key information stored in an LDAP directory or SQL database.

Support for multiple RADIUS UDP port listeners 

The OTP Server RADIUS module can be configured to listen on multiple UDP ports, so that clients can be assigned to a specific port.

Support for external OTP creation and verification by API

An external implementation of any OTP algorithm can use the API to handle the creation and verification of OTPs.

Native OTP Clients can be named

Integration modules that use the native client API can now have a name assigned to them. The name can be used to assign separate native clients to a specific configuration in the OTP Server, even if they connect from the same IP address.


6 Integration Overview

Nordic Edge One Time Password Server can be integrated with applications and systems using different types of integration modules. Integration can be done using RADIUS (for example with VPN services), the Java and .NET/COM APIs used by the integration modules from Nordic Edge, or the on-demand web services.

Most VPN/RADIUS aware products can be integrated without any installation since the OTP Server can act as a RADIUS server. Just configure the VPN/RADIUS product and Nordic Edge OTP Server and the integration is done. 

By using the OTP Server Client APIs it is possible to add strong authentication to your custom applications. The integration can also be done using the hosted service, Nordic Edge OTP On-Demand, which is accessed via Web Services.

Integration modules

Citrix

  • Citrix Access Gateway 4.2
  • Citrix Access Gateway 4.5
  • Citrix Access Gateway 5.X VPX
  • Citrix Access Gateway Enterprise Edition (Netscaler VPX)
  • Citrix Presentation Server 4.6
  • Citrix Web Interface 4.0/4.2
  • Citrix Web Interface 4.5
  • Citrix Web Interface 5.4
  • Citrix XenApp Server 5.1
  • Citrix XenApp Server 5.2/5.3

Microsoft

  • ISA Server 2006
  • TMG 2010
  • UAG 2010
  • IIS 6.0
  • IIS 7.x – IIS Custom AD Membership Provider – ASP.NET
  • Outlook Web Access 2003
  • Outlook Web Access 2007
  • SharePoint 2007 AD Membership Provider – ASP.NET
  • SharePoint 2010 AD Membership Provider – ASP.NET
  • IIS Custom AD Membership Provider – ASP.NET
  • EPiServer AD Membership Provider – ASP.NET
  • EPiServer SQL Membership Provider – ASP.NET

Novell

  • IChain 2.3
  • Novell Access Manager
  • Groupwise Web Access 6
  • Groupwise Web Access 7

Apache

  • Apache Reverse Proxy
  • Apache Web Server 1.3/2.0

CA

  • Siteminder

IBM

  • Lotus Domino (Apache Proxy)


Check http://nordicedge.com/products/one-time-password-server/integrations for information about new or updated integration modules and configuration guides.

VPN/RADIUS access

OTP Server can act as a RADIUS server to support most VPN and other RADIUS aware applications. For the best integration, the VPN/RADIUS application should support the RADIUS challenge/response standard.

Below are some of the tested and approved vendors.

  • Cisco
  • Checkpoint
  • F5
  • Juniper
  • Palo Alto
  • Appgate

Programming API's

OTP Server can easily be integrated into custom applications by using our programming APIs. A Java API and a .NET/COM API are available. The latest Java API is always included in the latest OTP Server release. The .NET/COM API is usually updated after the OTP Server release and can be downloaded from the Nordic Edge web site.


7 Installation

General Requirements

Hardware server or Virtual Machine

  • The OTP Server is software that you can place on any server in your internal network or DMZ.
  • Any modern hardware server, or a Virtual Machine running on top of a modern hardware server, can be used as a platform to install the OTP Server on.
  • The server needs to have an IP address configured and must also be able to reach DNS servers if DNS names are used when the OTP Server is configured.

Operating System

  • Any operating system that supports Java Virtual Machine (JVM) version 1.6 or higher, for example Microsoft® Windows® *, Linux™, Sun® Solaris®, IBM® AIX, Mac OS X.
  • Both 64-bit and 32-bit operating systems are supported.

* Windows Server 2003/2008 R2 and earlier versions. 

Communication

  • The OTP Server needs to be able to communicate (outbound traffic) with your LDAP or JDBC user database. The default ports for LDAP and Secure LDAP are TCP 389 and TCP 636 respectively.
  • The Integration Module needs to be able to communicate (outbound traffic) with the OTP Server on TCP port 3100, or via RADIUS on UDP port 1812 or 1645 (outbound traffic).
  • If you want to use the Nordic Edge SMS Gateway, the One Time Password Server needs to be able to communicate (outbound traffic) with otp.nordicedge.net and otp.nordicedge.se using HTTPS on TCP port 443.

Software

  • Register on the Nordic Edge web site and download the installer for the operating system platform on which OTP Server version 3 will be installed.

Installing One Time Password Server version 3

Installing on Windows

We will use Windows as the operating system to show how the installation process is done. The install utility and process are largely the same on other operating system platforms.

There are two versions of the install program for each operating system platform, one with a bundled version of Java and one without. In this example we will use the bundled version, which is the recommended one.

1. Start the installation program, in this case the file otp3install.exe and follow the instructions.

2. Click on Next to continue. 

5. Select I accept the terms to continue and click on Next.

6. Select the required Install Set. Full Installation or Remote Configuration GUI only.

7. Select where to install the OTP Server and Click on Next.


8. Choose the license.dat that you have received via e-mail or other media from Nordic Edge and Click on Next.

9. Click the checkbox if the OTP Server process should be installed as a Windows Service. Click Next to continue.

10. Select where to place shortcuts and product icons for manually starting the OTP Server process and the configuration interface. Click Next to continue.


11. Review the Pre-Installation Summary. Click on Install to continue the process.

12. The picture above shows that the installation was successful and that the installation process is finished. Click on Next to continue.

13. Decide if you want to start the OTP Server process as the last action before starting to configure the OTP Server.

14. Click Done to end the installation process.


8 Configuration Interface and object overview

OTP Configurator Main Window

Console window – Overview

Start the administration console OTP Configurator by selecting the product icon that was created during the installation, or start the OTP Server process and click on the Configuration button (the location and start procedure differ depending on the operating system used).

The main configuration console window is divided into the following parts.

  • Panes. The Select Pane (left) and the Configuration Pane (right).

  • Menu bar

In general, you perform administration tasks by selecting a configuration category object in the left pane and configure the options in the Right Pane. Some categories can have subcategories and they can be selected by expanding the category object in the same way you browse for folders in your file system.

The Select Pane (Left)

This pane is used to select which kind of object type will be created, configured, deleted or have its information shown in the Configuration Pane (Right). It is divided into nine categories.

Server 

The Server configuration object includes basic configuration options for the OTP Server. It includes options for IP Address, Port number, OTP Length and the configured clients that are allowed to connect to the OTP Server etc.

RADIUS

This category is used to enable and configure options for the OTP Server to act as a RADIUS server for other systems acting as RADIUS clients to the OTP Server.

Logs

The Logs configuration object includes configuration options for how the OTP server will handle logging and log files.

Alerts

OTP Server can be configured to handle errors and alerts and send them to a list of administrators using SMS or e-mail. This can be used to notify administrators immediately when an error occurs.

License

The License configuration object includes configuration options and license information.

Databases

The database objects contain configuration on how the OTP Server can connect to various user stores to authenticate users and, if needed, read information from them.

Clients

The client objects contain configuration on how other systems (allowed clients) can connect and communicate with the OTP Server and which database the client shall use to authenticate the users.

Delivery Methods

This category can be used to enable and configure one or more delivery methods that the OTP Server can use to send the one-time passwords. The following methods are available.

  • CIMD2

  • Concurrent sender

  • Extended HTTP

  • HTTP

  • Instant Messaging

  • NetSize

  • Nordic Edge SMS

  • SMPP

  • SMTP

  • UCP File

Misc

This category includes configuration objects for the following functions.

  • AES Encryption
  • Expired Password Notification
  • Identity Manager & Pledge Enrollment
  • OATH Configuration
  • Prefetch Proxy Config
  • Unlock User Accounts
  • Yubico

The Configuration Pane (Right)

This Pane shows information on different options that can be configured depending on which kind of object type that is selected in the Select Pane (left). 

Special mouse operations

  • Tool tips: This application briefly shows context sensitive help when the mouse cursor remains over a defined spot, for example Menu Action, property value etc.

Left Button

  • Navigate the category structure to expand or collapse the hierarchy.

  • Show and select actions in the Menu bar.

  • Select windows, Close windows, Minimize windows, enlarge or decrease the size of a window using the Title bar in normal “Windows” style.

Right Button

  • Show and select actions on configuration objects. Available actions depend on the object type.

  • Show and select actions in the Menu bar.

Menu bar

  • The menu bar has shortcuts to create different configuration objects and shortcuts to help and update functions.

Save configuration (Button)

The button Save Config writes the configuration from memory to the otp.properties file in the selected install directory. This file is read by the OTP Server when it starts or if a configuration change requires that it must save the configuration and reread it again to update the configuration.

Exit/Close (Button)

This button exits and closes the configuration interface. The system checks if the configuration in memory has been changed before it closes the interface. If a change has occurred, a warning message is displayed that gives the administrator the opportunity to save the configuration or cancel the exit operation.


9 Configuration overview

This chapter will go through the overall configuration process. In general a typical configuration and integration of the OTP Server is done by going through these steps.

General configuration

  1. Configure the general options in the Server object category. It includes options for IP Address, Port number, OTP Length and the configured clients that are allowed to connect to the OTP Server etc.
  2. Enable the RADIUS option in the RADIUS object category and configure it, if the OTP Server will act as a RADIUS server for the integration.
  3. Create and configure a Database. The database objects category contains configuration on how the OTP Server can connect to various user stores to authenticate users and, if needed, read information from them.
  4. Create and configure a Client. The client objects category contains configuration on how other systems (allowed clients) can connect and communicate with the OTP Server and which database the client shall use to authenticate the users.
  5. Enable and configure one of the delivery methods that will be used to send the one-time passwords under the object category Delivery Methods.
  6. Configure options for logs and alerts under their category.
  7. Configure optional functions and features under the Misc object category.
  8. Save Config.

Quick start guides

You can find quick start guides on how to configure the OTP Server in different environments from the Nordic Edge web site.


10 Server configuration

The Server configuration object includes basic configuration options for the OTP Server. It includes options for IP address, Port number, OTP-length and the configured clients that are allowed to connect to the OTP Server etc.

  1. Select the Server category object in the Select Pane (Left) and configure the options in the Configuration Pane (Right).
  2. Configure the different options. You can find more information about the options in the following sections and tables. 

Server Settings

Option Description

Portnr

The Port number for the OTP Server native clients. Portnr 3100 is default.

Bind to This IP Address

Binds to a specific IP-address at the OTP Server. If the check box ”All” is checked, the OTP Server will bind to all available IP-addresses. 

Client Session Timeout

The timeout in milliseconds that a client connection to the OTP Server can be idle (0=No Timeout).

Mobile Numbers

Option Description

Check Mobile Number

If the Mobile Number should be checked for any non-number characters (MSISDN). Any such character will be removed (including spaces). The ”+” character is not affected by this control.

Default Country Prefix

If the Mobile Number lacks a country prefix, this will add a default prefix to it (e.g. +46) and remove any leading zeros. 
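As an added example (not code from the OTP Server itself), the following Python re-implements the documented effect of the two options above on a few constructed attribute values. The "+46" default is the manual's own example; treating only a leading "+" as the prefix is an assumption made for this example.

```python
import re
from typing import Optional

# Added example, not the product's code: models "Check Mobile Number" and
# "Default Country Prefix" as the manual describes them.


def normalize_mobile_number(raw: str,
                            check_mobile_number: bool = True,
                            default_country_prefix: Optional[str] = "+46") -> str:
    """Return the MSISDN the OTP Server would deliver to after applying both options.

    check_mobile_number:    remove every non-digit character (spaces included); a
                            leading "+" is kept, as the manual says "+" is not affected.
    default_country_prefix: if the number has no "+" prefix, strip leading zeros and
                            prepend this prefix (None = option not configured).
    Assumption: "+" only counts as a prefix when it is the first character.
    """
    value = raw.strip()
    if check_mobile_number:
        has_plus = value.startswith("+")
        digits = re.sub(r"\D", "", value)          # drops spaces, dashes, parentheses, ...
        value = "+" + digits if has_plus else digits
    if default_country_prefix and not value.startswith("+"):
        value = default_country_prefix + value.lstrip("0")
    return value


# Constructed sample attribute values, as they might be stored on user objects,
# mapped to the expected result with both options enabled and prefix "+46".
SAMPLE_NUMBERS = {
    "0701234567": "+46701234567",         # national format: prefix added, leading zero dropped
    "070-123 45 67": "+46701234567",      # separators removed first
    "+46 70 123 45 67": "+46701234567",   # already international: only cleaned
    "+1 (555) 010-9999": "+15550109999",  # foreign prefix left untouched
}


def run_samples() -> dict:
    """Normalize every constructed sample; returns {raw: normalized}."""
    return {raw: normalize_mobile_number(raw) for raw in SAMPLE_NUMBERS}


if __name__ == "__main__":
    for raw, result in run_samples().items():
        print(f"{raw!r:>22} -> {result}")
```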

One Time Password Options

Option Description

OTP Length

The number of characters to send as an OTP.

OTP Time

If a one-time password has not been used before this time, it will be removed. (For unlimited time enter 0 or a blank value).

OTP Retries

Enables the end-user to automatically get a new OTP if the first OTP was not correct. Set the number of additional retries a user has for entering a correct OTP. Set "0" to disable this function. Only available for RADIUS OTP clients.

Retry Message (OTP Retries)

The retry message to the end-user when a wrong OTP was entered. 

Regenerate Timeout

The time window in seconds during which a user can request only a single OTP. Use this parameter to prevent users from hitting the submit/login button multiple times and generating multiple OTPs. Set the value 0 to disable this.

OTP Composition

Select the composition of the One Time Password. Select between:

  • Digits: digits 0-9 are allowed.

  • Letters & Digits: letters are case sensitive.

  • Custom Characters: click on the Edit button to define the available OTP characters. Supported characters are Aa-Zz and 0-9. Other characters may not be transferred correctly. Note that characters are case sensitive.

Client Settings

Option Description

All Clients are Allowed 

If the check box is checked, all native clients are allowed. 

Allowed Clients

A comma (,) separated list of IP addresses for native clients that are allowed to use the OTP Server. If blank, all clients can connect.

Allow remote configuration

Check the box to allow remote configuration through the Nordic Edge Client API or the remote OTPConfiguration client.

Enter a remote password for the connection.

Encryption

This part regards whether the messages between OTP Server and the OTP Client will be encrypted or not. 

Option Description

No encryption 

The message between OTP Server and OTP-client will not be encrypted.

Encryption if Client does encryption

The message will be encrypted if the OTP-client encrypts.

Always Encryption

The messages will always be encrypted. The OTP-client must accept encryption or be rejected.

Options

Option Description

Enable Monitor

Check this to start the Statistics Monitor when the OTP Server starts. The Monitor also allows dynamic configuration updates during runtime. This option requires GUI support on the server.

Debug

Check this if debug should be displayed in the console window.

Use Secure Random

Check this to use a more complex random algorithm (java.security.SecureRandom) when generating the Challenge. This function will require more CPU power.

Global Options

You can define Global configuration option for the server and clients.

Option Description

Prevent SQL Injection Attacks

For JDBC/ODBC user databases. Checks all usernames and passwords against the following patterns:

', ", or, select, drop, –, insert

If any of these patterns are detected in either the username or password, the user authentication will be denied.

Use whitelist (SQL databases)

The OTP Server will only accept whitelisted characters. Define a list of acceptable characters for username and passwords. The list can be Regular Expression (RegEx) or a list of characters.

Is RegEx

Enable Regular Expression in the Whitelist for SQL databases.

Test

The test window enables administrators to verify characters against the configured Whitelist for SQL databases.

Prevent LDAP Injection Attacks

For LDAP user databases. Checks all usernames against the following characters: *, (, ), &

If any of these characters are detected in the username, the user authentication will be denied. 

LDAP idle reconnect 

The number of minutes an LDAP connection can be idle before the OTP Server forces a reconnect to the LDAP server. Set the value 0 to disable reconnect.

Note. This value should be lower than any firewall idle timeout configured between the OTP Server and LDAP server.

LDAP follow referrals

Check the box, to automatically follow LDAP referrals. 

Set System Charset

Can be enabled to select system character set other than the default UTF8.

Note, this requires all the Native Clients to be configured to use the same character set.
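The following Python is an added example, not the OTP Server's own code. It models the Prevent SQL Injection Attacks blacklist, the whitelist with and without Is RegEx, and the $$NAME$$/$$PASSWORD$$ tag substitution of an Authenticate query (as described for SQL databases later in this manual), applied to constructed usernames. The manual does not say how the blacklist patterns are matched; case-insensitive substring matching is assumed here.

```python
import re
from typing import Optional, Tuple

# Added example, not the product's code.

# Patterns as listed under "Prevent SQL Injection Attacks". Matching mode is an
# assumption: case-insensitive substring search over username and password.
SQL_BLACKLIST = ("'", '"', "or", "select", "drop", "–", "insert")

# Constructed Authenticate query in the manual's $$NAME$$ / $$PASSWORD$$ tag syntax.
AUTH_QUERY = "SELECT NAME FROM UserDB WHERE NAME='$$NAME$$' AND PASSWORD='$$PASSWORD$$'"


def blacklist_hit(value: str) -> Optional[str]:
    """Return the first blacklisted pattern found in value, or None if it is clean."""
    lowered = value.lower()
    for pattern in SQL_BLACKLIST:
        if pattern in lowered:
            return pattern
    return None


def whitelist_ok(value: str, whitelist: str, is_regex: bool) -> bool:
    """'Use whitelist' check: every character must be in the list, or, with 'Is RegEx'
    set, the whole value must match the expression (fullmatch, no partial matches)."""
    if is_regex:
        return re.fullmatch(whitelist, value) is not None
    return all(ch in whitelist for ch in value)


def credentials_accepted(name: str, password: str, *,
                         prevent_sql_injection: bool,
                         use_whitelist: bool,
                         whitelist: str = "",
                         is_regex: bool = False) -> Tuple[bool, str]:
    """Apply the configured checks to username and password before any SQL is built.
    Returns (accepted, reason); a rejection means the authentication is denied."""
    for label, value in (("username", name), ("password", password)):
        if prevent_sql_injection:
            hit = blacklist_hit(value)
            if hit is not None:
                return False, f"{label} contains blacklisted pattern {hit!r}"
        if use_whitelist and not whitelist_ok(value, whitelist, is_regex):
            return False, f"{label} contains characters outside the whitelist"
    return True, "ok"


def fill_query(template: str, name: str, password: str) -> str:
    """Textual tag substitution, which is why the checks above matter: the user's
    input ends up inside the SQL string itself. Call only after credentials_accepted()."""
    return template.replace("$$NAME$$", name).replace("$$PASSWORD$$", password)


if __name__ == "__main__":
    cfg = dict(prevent_sql_injection=True, use_whitelist=True,
               whitelist=r"[A-Za-z0-9._\-]+", is_regex=True)
    # Constructed inputs: a clean login, a quote in the username, a name containing "or".
    for user, pwd in (("jdoe", "Summer2024."), ("jdoe'", "x"), ("george", "x")):
        ok, why = credentials_accepted(user, pwd, **cfg)
        print(f"{user!r}: {'accepted' if ok else 'denied'} ({why})")
        if ok:
            print("   ", fill_query(AUTH_QUERY, user, pwd))
```

With substring matching, a username such as george is denied because it contains "or"; where that is a problem, the whitelist with Is RegEx is the more precise control.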


11 RADIUS configuration

The RADIUS configuration object can be enabled to configure options for the OTP Server to act as a RADIUS server for other systems acting as RADIUS clients to the OTP Server.

  1. Select the RADIUS category object in the Select Pane (Left) and configure the options in the Configuration Pane (Right).
  2. Check the box “Enable Radius” to activate the OTP Server as a RADIUS server.
  3. Configure the different options. You can find more information about the options in the following sections and tables. 

RADIUS Server Settings

Option Description

Enable Radius

This enables the RADIUS server

Portnr

The RADIUS Port number.  Note, RADIUS uses UDP not TCP! Default: 1645. 

Bind to this IP-address

Binds the RADIUS server to a specific IP-address. If the checkbox ”All” is checked, the RADIUS server will bind to all available IP-addresses. 

Timeout

The time in milliseconds the OTP Server will wait for an answer from the RADIUS client (0=No timeout).

Debug Packets

Enables or disables RADIUS Packets debugging to log file or system console. 

Additional Ports

Check the box “Enable” to activate the OTP Server to listen on multiple RADIUS ports.

Option Description

Port Number

Choose the alternative Port number to listen on.

Used by Client

Shows information on which client is listening on this Port number.


12 Database configuration

The database objects contain configuration information about how the OTP Server can connect to various user stores to authenticate users and, if needed, read information from them. The following types of user databases are supported by the OTP Server:

  • LDAP v.3
  • JDBC (ODBC via JDBC)
  • RADIUS Forward Database
  • Database Group (Several LDAP and/or JDBC databases in a group)

There are 3 different ways to create and configure database objects.

  1. Select the category Database in the Select Pane (left) and select the icon for the type of database that will be created or configured in the Configuration Pane (Right).
  2. Right click on Databases object category in the Select Pane (Left) and choose the correct action.
  3. Use the file menu to choose the correct action.

The type of configuration actions that can be performed are described below.

New Database

  1. Right click on the Databases Icon in the Select Pane (Left) and choose the database type or select the Databases object category in the Select Pane (Left) and choose the Database type in the Configuration Pane (Right).
  2. Enter a unique descriptive name and configure the options.

Delete Database

  1. Click to expand the category Databases and select the database to delete.
  2. Right click on the database and select Delete.

Duplicate Database

  1. Click to expand the category Databases and select the database to duplicate.
  2. Right click on the database and select Duplicate Database.
  3. Enter a unique descriptive name and configure the options.

OATH Database

OTP Server can use any LDAP, ODBC or JDBC Database as an OATH Database with Nordic Edge Pledge, YubiKey or any OATH compliant tokens. Selecting the "Use HOTP or TOTP (OATH)" check box in the database configuration activates OATH instead of sending the OTP via SMS.


Tip: The same user store can be used for OTP over SMS as well as for OATH tokens; just configure two Databases in the OTP Server and select different attributes, e.g. "Mobile" and "carLicense".

Create New LDAP Database

  1. Right click on the Databases Icon in the Select Pane (Left) and choose the New LDAP option or select the Databases object category in the Select Pane (Left) and choose the LDAP Database type in the Configuration Pane (Right).
  2. Enter a unique and descriptive name of the LDAP database in the Database Display Name field.
  3. Select if the database will be used for HOTP or TOTP devices (OATH), including the mobile client Pledge that turns the mobile phone into a security token. This will enable and disable some options under the section Account Settings and the functions for OTP Prefetch and PIN Code.
  4. Configure the options that are described in the following sections and tables. 

Host Settings

Option Description

Host Address

Enter the IP address or DNS name of the LDAP server. For multiple LDAP hosts (replicas) enter both the IP address/DNS name with port number and separate the LDAP hosts with the space character. Examples:

myhost hishost:389 herhost:5000 whathost

Port number

Port number (389 is the default port for non-SSL, 636 is the default for SSL).

SSL & TLS

Check the box if SSL or TLS are to be used for this connection. In order to use SSL or TLS, the LDAP-server certificate must be installed in the OTP Server.  Use the “Certificates” button to configure SSL or TLS certificates.

Admin DN

An Admin DN (Distinguished Name) for authentication that the OTP Server will use to search for users and modify the Account Disable attribute. This user account must have read and write access rights to the Account Disable attribute for all user objects.

Note, if no Admin DN is provided, an anonymous bind will be performed against the LDAP server.

Admin Password

The password for the selected admin user. 

Test LDAP connection

Test the LDAP connection with the specified values.

Search Settings

Option Description

Search Base DN

The starting point from where the OTP Server will search for user objects in the directory, for example: ou=users,o=acme. Use the browse button to select the search base.

Search Scope

BASE, search on only the Search Base DN object itself.

ONE, search from the Search Base DN object and one level below.

SUB, search from the Search Base DN and all levels below.

Nr of Connections

The number of concurrent connections the OTP Server will have in the pool to this LDAP-server.

Search Filter Start

The beginning of the search filter. The user input (username) will be added after this line. Example: (&(cn=

Search Filter End

The search filter end. The user input (username) will be added before this line. Example: )(objectclass=inetorgperson))

With a Search Filter Start set to “(&(cn=”, a Search Filter End set to “)(objectclass=inetorgperson))” and a user input of “jdoe”, the search filter will be: (&(cn=jdoe)(objectclass=inetorgperson))

Samples

Select a sample Search Filter Start and Search Filter End based on the type of LDAP directory.

Test LDAP Authentication

Test an LDAP authentication.
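An added Python example (not the product's code) that builds the filter from Search Filter Start, the username and Search Filter End exactly as described above and applies the Prevent LDAP Injection Attacks character check from the Global Options. As an alternative that the manual does not offer, it also shows RFC 4515 escaping of the user input for integrations that must accept such characters.

```python
from typing import Optional

# Added example, not the OTP Server's code.

# Characters rejected by "Prevent LDAP Injection Attacks" (Global Options).
LDAP_FORBIDDEN = ("*", "(", ")", "&")

# RFC 4515 escapes for characters that are special inside a filter value.
# Escaping is not an option described in the manual; it is the stronger
# alternative, since an escaped value can never change the filter's structure.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_injection_hit(username: str) -> Optional[str]:
    """Return the first forbidden character found in username, or None."""
    for ch in username:
        if ch in LDAP_FORBIDDEN:
            return ch
    return None


def escape_filter_value(value: str) -> str:
    """RFC 4515 value escaping (added alternative, see comment above)."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def build_search_filter(filter_start: str, filter_end: str, username: str,
                        prevent_ldap_injection: bool = True,
                        escape: bool = False) -> str:
    """Concatenate the configured filter parts around the user input.

    Raises ValueError when the injection check is on and a forbidden character is
    present, which corresponds to the OTP Server denying the authentication.
    """
    if prevent_ldap_injection:
        hit = ldap_injection_hit(username)
        if hit is not None:
            raise ValueError(f"username contains forbidden LDAP filter character {hit!r}")
    if escape:
        username = escape_filter_value(username)
    return f"{filter_start}{username}{filter_end}"


if __name__ == "__main__":
    # The manual's sample filter parts and constructed usernames.
    start, end = "(&(cn=", ")(objectclass=inetorgperson))"
    print(build_search_filter(start, end, "jdoe"))
    try:
        build_search_filter(start, end, "j*doe")
    except ValueError as err:
        print("denied:", err)
    print(build_search_filter(start, end, "j*doe", prevent_ldap_injection=False, escape=True))
```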

Account Settings (HOTP not enabled)

Option Description

OTP Attribute

The attribute(s) that the OTP Server reads to find out how to deliver OTPs, for example a mobile phone number or e-mail address. When the first attribute is empty, the OTP Server looks in the next attribute.

Use the browse button to search into the LDAP Schema & select the attribute(s).

Login Retries

Specify the number of incorrect passwords a user can try before the user account is disabled. Blank=Disable this function.

Accept Pwd change

Can be used to accept users that must change password.

Note, users will not be able to log in if this option is not enabled. This is used by Microsoft Active Directory.

Inactive Attribute

The LDAP attribute that will be read during authentication to check if the user account is locked. It will, if “Login Retries” above is set, also be used to lock the account if maximum number of failed logins has occurred. 

Inactive Value

The value that will be set in the Inactive Attribute when the Account is locked, for example LOCKED. If the Inactive Attribute has this value, the user account is considered to be locked. This value will also be set if max Login Retries has been reached.

Disable OTP Attribute

If this attribute is defined, the OTP Server will read the value of this attribute from the user’s object and see if it matches the Disable OTP Value. If the value matches, ONLY authentication will be performed and no OTP will be required from the user! 

Leave this blank to always require OTP during authentication. 

Disable OTP Value

If this parameter is set, the OTP Server will read the value of the Disable OTP Attribute from the user’s object and check whether it matches this value.

If the value matches, ONLY authentication will be performed and no OTP will be required from the user. Leave this blank to always require OTP during authentication.

Not

Inverts the condition: the OTP is skipped when the Disable OTP Attribute is NOT equal to the Disable OTP Value.

Account Settings (With HOTP enabled) 

Option Description

OATH Key 

The attribute that stores the user’s OATH key. Use the browse button to browse the LDAP Schema to select the attribute.

Login Retries

Specify the number of incorrect passwords a user can try before the user account is disabled. Blank=Disable this function.

Inactive Attribute

The LDAP attribute that will be read during authentication to check if the user account is locked. It will, if “Login Retries” above is set, also be used to lock the account if maximum number of failed logins occurred.

Inactive Value

The value of Inactive Attribute when the Account is locked, for example TRUE. If the Inactive Attribute has this value, the user account is considered to be locked. This value will also be set if max Login Retries has been reached.

Accept Pwd change

Can be used to accept users that must change password.

Note, users will not be able to log in if this option is not enabled. This is used by Microsoft Active Directory.

Enable OTP Prefetch

Prefetch OTPs offers the possibility for users to get a configurable number of OTPs in advance. A prefetched OTP can be used instead of using the normal method to send the OTP to a user’s mobile phone. This can be used when there is a problem with GSM coverage or as a normal method for a certain type of user.

The normal procedure for a user to retrieve the Prefetch OTPs is through a web server that is configured with the Nordic Edge Prefetch OTP web application. The Nordic Edge Prefetch OTP web application is a Java JSP page and is available in the PrefetchWebApp directory. 

The user will login to the web server and request Prefetch OTPs, which is sent to the user’s mobile phone or mailbox. When the user has used the last Prefetch OTP, the OTP Server can be configured to automatically send a new set of Prefetch OTPs to the user. 

  1. Enable OTP Prefetch by checking the box.
  2. Click on Configure Prefetch OTP.
  3. Configure the options in the following section and tables.
Option Description

Prefetch OTP Attribute 

Select the attribute that contains the Prefetch OTP string.

Enable LDAP filter (opt)

Optional. Enter an LDAP filter that enables the user to use Prefetch OTPs.

Max Nr of Prefetched OTPs

The maximum number of Prefetched Onetime Passwords that will be sent to users. Users can request fewer onetime passwords than this number but not more.

Must be used in order

Check the box if the prefetched OTPs must be used in order. If it is not checked, users can use any available prefetched OTP. Note, this option is global for all user databases.

OTP Length

The numbers of characters for each of the prefetched OTPs. 

Automatically send new Prefetch OTPs when last OTP is used

Check the box to send new Prefetch OTPs automatically when users have used the last OTP.

Message to user

Enter the message that includes the Prefetched Onetime Password. The tag $$OTP$$ is replaced during send with the OTPs. The OTPs are appended after the string if the string does not include the tag. Note, this option is global for all user databases.

Message Delivery

Select if the prefetched OTPs should be sent in one or several messages.

Allow administration creation of Prefetch OTP

Check this box to allow administrators to create Prefetch OTPs for any user. If it is not checked only users themselves can request Prefetch OTPs.

  1. Optional. Check the box to allow administrators to create Prefetch OTPs for any user.
Option Description

Administrator Database

Select the database to authenticate administrators from. The selected database will define a group or a specific user that can create Prefetch OTP to other users.

Allowed IP Addresses

Enter the comma-separated IP addresses of the administrators’ clients from which Prefetch OTPs may be created. This is mandatory. Ex. 192.168.0.1, 192.168.0.2

PIN Code

The PIN Code feature will add another layer of security. When PIN Code is enabled, Users must set a PIN code value in their PIN Code attribute and then will have to enter both their PIN code and the one-time password combined during login. 

Note: When no PIN code has been saved in the PIN Code attribute, users can still log in with the OTP only.

For example, if the PIN code is 1234 and the one-time password is 999888, the user must enter: 1234999888 to login successfully. 

The PIN code is read from a selected attribute in LDAP directories or queried for SQL databases.

  1. Enable PIN Code by selecting the check box and click on Configure PIN Code.
  2. Select the attribute that contains the user’s PIN Code by clicking on the browse the schema button marked in red.

NOTE: The PIN code will be used before the one-time password.

Hashed PIN code

PIN codes for OTP users can be read in hashed format from the user database. OTP Server supports Salted SHA with global Salt or Salt per user or both. Hashed PIN code is available in OTP version 3.1 and above.

Note: Settings for Hashed PIN codes are a global setting and affect all databases.

Option Description

Hashed PIN code options (Global)

Enable hashed PIN code

Salted SHA (SSHA) options:

OTP Server can use the Salt value per user, the global Salt for all users, or first the Salt from the user and then the global Salt. Select the requested setting in the menu.

Hashed value format

Select the Base64 or Hexadecimal format for the hashed PIN code.

Global Salt

Type a value for the global Salt. Minimum one character

User attribute for Salt

Select the attribute or SQL query for the user Salt, e.g. the employeeID attribute in an LDAP user store, or SELECT saltValue FROM userTable WHERE username='$$NAME$$'

Example:
A Base64 hashed value should look like this:
{MD5}hUPy04eFhuQR5XpI67NN1ib98KF+aBGvm2zo57bKcws=
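An added Python example (not the OTP Server's code) of how a hashed PIN code can be verified together with the one-time password typed after it. The manual does not state how PIN and salt are combined, so the example assumes SHA-1 over the PIN bytes followed by the salt bytes (user salt, then global salt in the combined mode), ignores a leading {scheme} label on the stored value, and uses constructed salts and a constructed OTP.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Added example, not the OTP Server's code. Assumptions (not specified by the manual):
#  - the digest is SHA-1 over the PIN bytes followed by the salt bytes;
#  - in "user then global" mode the user salt and then the global salt are appended;
#  - a leading "{scheme}" label on the stored value (as in the {MD5} sample) is ignored.

SALT_MODES = ("user", "global", "user_then_global")   # the three menu choices


def select_salt(mode: str, user_salt: Optional[bytes], global_salt: Optional[bytes]) -> bytes:
    """Pick the salt bytes according to the SSHA option chosen in the menu."""
    if mode == "user":
        return user_salt or b""
    if mode == "global":
        return global_salt or b""
    if mode == "user_then_global":
        return (user_salt or b"") + (global_salt or b"")
    raise ValueError(f"unknown salt mode {mode!r}")


def hash_pin(pin: str, mode: str, user_salt: Optional[bytes],
             global_salt: Optional[bytes], fmt: str = "base64") -> str:
    """Stored representation of a PIN in the chosen 'Hashed value format'."""
    digest = hashlib.sha1(pin.encode("utf-8") + select_salt(mode, user_salt, global_salt)).digest()
    if fmt == "base64":
        return base64.b64encode(digest).decode("ascii")
    if fmt == "hex":
        return digest.hex()
    raise ValueError(f"unknown hashed value format {fmt!r}")


def _strip_scheme(stored: str) -> str:
    """Drop a leading {LABEL} such as {SSHA} if the user store prefixes its hashes."""
    if stored.startswith("{") and "}" in stored:
        return stored.split("}", 1)[1]
    return stored


def _equal(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify_login(entered: str, expected_otp: str, stored_pin_hash: Optional[str],
                 mode: str, user_salt: Optional[bytes], global_salt: Optional[bytes],
                 fmt: str = "base64") -> bool:
    """Check the login string the user typed.

    With a PIN stored, the user must type PIN followed by OTP (1234 + 999888 ->
    1234999888). With no PIN stored, the OTP alone is accepted, as the manual notes.
    """
    if not stored_pin_hash:
        return _equal(entered, expected_otp)
    # The OTP length is fixed by configuration, so the PIN is whatever precedes it.
    if len(entered) <= len(expected_otp):
        return False
    pin, otp = entered[:-len(expected_otp)], entered[-len(expected_otp):]
    pin_ok = _equal(hash_pin(pin, mode, user_salt, global_salt, fmt), _strip_scheme(stored_pin_hash))
    otp_ok = _equal(otp, expected_otp)
    return pin_ok and otp_ok   # both are evaluated; no early exit on the PIN result


# Constructed test data: a per-user salt (e.g. read from the employeeID attribute),
# a global salt typed into the Global Salt field, and the hash that would be stored.
USER_SALT = b"emp-1042"
GLOBAL_SALT = b"corp-global-salt"
STORED_PIN_HASH = hash_pin("1234", "user_then_global", USER_SALT, GLOBAL_SALT)


if __name__ == "__main__":
    for typed in ("1234999888", "999888", "9999999888"):
        ok = verify_login(typed, "999888", STORED_PIN_HASH, "user_then_global", USER_SALT, GLOBAL_SALT)
        print(f"{typed}: {'accepted' if ok else 'rejected'}")
```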

Advanced Options

  1. Check the box External Database handler if you want to extend the database handler with your own Java class. 

  2. Enter the Java class name for a class that extends se.nordicedge.radius.DBHandler in the field.


Create New JDBC/ODBC (SQL) User Database

  1. Right click on the Databases Icon in the Select Pane (Left) and choose the New SQL Database option or select the Databases object category in the Select Pane (Left) and choose the ODBC/JDBC SQL Database type in the Configuration Pane (Right).
  2. Enter a unique and descriptive name of the SQL database in the Database Display Name field.
  3. Select if the database will be used for HOTP (OATH). This will enable and disable some of the SQL queries regarding OATH parameters in the section SQL Queries. It will also disable the OTP Prefetch and PIN Code functions.
  4. Configure the options that are described in the following sections and tables.

JDBC/ODBC Settings

Option Description

Samples

Select configuration samples to provide help regarding configuration options for Driver Manager and Database URL based on database type.

Driver Manager

Enter the JDBC Driver Manager according to standard JDBC syntax. 

Example for ODBC “sun.jdbc.odbc.JdbcOdbcDriver”

Example for MySql “com.mysql.jdbc.Driver”

Database URL

Enter the JDBC Database URL.

Example for ODBC “jdbc:odbc:Databasename”

Example for MySql “jdbc:mysql://Ipaddress:portnr/dbname”

Username

The Username for this JDBC/ODBC database.

Password

The Password for this JDBC/ODBC database.

Nr of Connections

The number of concurrent connections the OTP Server will have in the pool to this JDBC database.

Test JDBC Connection

Test the connection to the database with the information in JDBC settings.

SQL Queries (HOTP not enabled)

Option Description

Authenticate

Enter the SQL Query that is used for authentication. It must return the username. Use the tags ‘$$NAME$$’ and ‘$$PASSWORD$$’ to enter what the user entered during the authentication process. Example:

SELECT NAME FROM UserDB WHERE NAME='$$NAME$$' AND PASSWORD='$$PASSWORD$$'

OTP Field 

Enter the SQL Query to get the user’s mobile phone number or e-mail address. Use the tag ‘$$NAME$$’ to fill in the user’s name in the Query.

Login Retries

Specify the number of incorrect passwords a user can try before the user account is disabled. Blank=Disable this function. When set, the Set Locked query below is used to lock the account when the maximum number of failed logins has occurred.

Get Locked (Get Disabled)

The SQL field to check during authentication to see if the account is locked. Use the tag $$NAME$$ to fill in the user’s name in query.

INFO: This setting is called Get Disable in versions prior to 3.0.

Set Locked (Set Disabled)

This SQL Query will be executed when the number of failed logins reaches Login Retries. Use the tag ‘$$NAME$$’ to fill in the user’s name in the Query.

INFO: This setting is called Set Disable in versions prior to 3.0.

Get Disable OTP

SQL query to determine if the end-user should be challenged with an OTP or not. If the SQL query matches, only authentication will be performed and no OTP will be required from the user!

Example:

SELECT skipotpflag FROM UserTable WHERE name='$$NAME$$'

Leave this blank to always require OTP during authentication.   

Test JDBC Connection

Test the JDBC connection with the specified values.

SQL Queries (HOTP Enabled)

Option Description

Authenticate

Enter the SQL Query that is used for authentication. It must return the username. Use the tags ‘$$NAME$$’ and ‘$$PASSWORD$$’ to enter what the user entered during the authentication process. Example:

SELECT NAME FROM UserDB WHERE NAME='$$NAME$$' AND PASSWORD='$$PASSWORD$$'

Get OATHKey 

Enter the SQL Query to get the user’s OATH Key. Use the tag ‘$$NAME$$’ to fill in the user’s name in the Query. Example:

SELECT OATHKey FROM UserDB WHERE NAME='$$NAME$$'

Set OATHKey

Enter the SQL Update to set the user’s OATH Key. Use the tags ‘$$NAME$$’ and ‘$$KEY$$’ to fill in the user’s name and mobile key in the Query. Example:

UPDATE users SET OATHKey ='$$KEY$$' WHERE name='$$NAME$$'

Get Disabled

The SQL field to check during authentication to see if the account is locked. Use the tag $$NAME$$ to fill in the user’s name in query.

Set Disabled

This SQL Query will be executed if failed Login Retries occurs. Use the tag ‘$$NAME$$’ to fill in the user’s name in the Query.

Test JDBC Connection

Test the JDBC connection with the specified values.

Onetime Password Prefetch

Please see the Enable OTP Prefetch section in Database configuration – LDAP Database.

PIN code

Please see the PIN code section in Database configuration – LDAP Database.


Create Forward RADIUS database

The OTP Server can use this type of database to pass through and forward the RADIUS request to another RADIUS Server. It can be used to support RSA SecurID or SafeWord tokens as well as integration with other RADIUS servers, or in token migration scenarios.

  1. Right click on the Databases Icon in the Select Pane (Left) and choose the New RADIUS Forward option or select the Databases object category in the Select Pane (Left) and choose the RADIUS Forward Database type in the Configuration Pane (Right).
  2. Enter a unique and descriptive name for the RADIUS Forward Database in the Database Display Name field.
  3. Click on Add RADIUS Server to add the IP Address and Port Number for the RADIUS server that the OTP Server will forward the request to.
  4. Optional. Select the RADIUS server that is to be removed and click on Remove RADIUS Server.
  5. Configure the options in the following section and tables.

Option Description

Shared Secret

Enter the shared secret for this client. Note! It must match the secret specified for the RADIUS Server.

Forward additional RADIUS attributes

Can be enabled if the OTP Server should forward the additional RADIUS attributes to the other RADIUS Server.

Test RADIUS request

Makes a test authentication to the RADIUS Server selected in the list. Enter the username and password and click on the Test button.


Create User Database Group

A User Database Group is a group of LDAP and/or JDBC user databases. This feature can be used to search for a user in more than one database. The OTP Server will search for the user in database groups in the order that the databases are listed, starting from top and going down.

If a user with a matching username and password is found in one of the databases, that database will be used for that specific user. Before creating a user database group, two or more LDAP and/or JDBC user databases must already exist.

  1. Right click on the Databases Icon in the Select Pane (Left) and choose the New Database Group option or select the Databases object category in the Select Pane (Left) and choose the Database Group type in the Configuration Pane (Right).
  2. Enter a unique and descriptive name for the Database Group in the Database Display Name field.
  3. Click on Add Database and choose one or more databases that will be part of this Database group.
  4. Use the buttons Move Up/Down to select the order in which they will be used.
  5. Optional. Remove a database from the group by selecting it from the list and clicking Remove Database.

13 Client configuration

OTP client objects manage the configuration parameters for the connection between the OTP Server and the system to protect (called the OTP client): for example the client name, IP address, RADIUS shared secret, the database used to authenticate OTP users, and the Web service username and password. There are three types of OTP clients: RADIUS, Native and Web Service. The Web Service client is available in OTP Server version 3.1 and above.

- Native clients are OTP Server clients that use the OTP Server API to communicate with the OTP Server. Examples of native clients are Microsoft Outlook Web Access, Microsoft SharePoint, CA SiteMinder and Novell GroupWise Web Access.

- RADIUS clients are OTP Server clients that use the RADIUS challenge-response protocol to communicate with the OTP Server. RADIUS is often used by network services such as firewalls and VPNs, e.g. Cisco, Juniper, F5, Bluecoat, Citrix etc.

- Web service clients are OTP Server clients that use a Web service to communicate with the OTP Server. The OTP Server exposes client functionality corresponding to the Native Client API as a Web service (SOAP). Read more about the Web service client at http://support.nordicedge.se/otp-server-web-service-client-api-soap/

There are 3 different ways to create and configure OTP clients.

  1. Select the category Clients in the Select Pane (left) and select the icon for the type of client that will be created or configured in the Configuration Pane (Right).
  2. Right click on Clients object category in the Select Pane (Left) and choose the correct action.
  3. Use the file menu to choose the correct action.

The types of configuration actions that can be performed are described below.

New Client

  1. Right click on the Clients icon in the Select Pane (Left) and choose the client type or select the Client object category in the Select Pane (Left) and choose the client type in the Configuration Pane (Right).
  2. Enter a unique descriptive name and configure the options.

Delete Client

  1. Click to expand the category Clients and select the client to delete.
  2. Right click on the client and select Delete.

Duplicate Client

  1. Click to expand the category Clients and select the client to duplicate.
  2. Right click on the client and select Duplicate Client.
  3. Enter a unique descriptive name and configure the options.

Create new RADIUS Client

  1. Right click on the Clients Icon in the Select Pane (Left) and choose the New RADIUS Client option or select the Clients object category in the Select Pane (Left) and choose New RADIUS Client in the Configuration Pane (Right).
  2. Enter a unique and descriptive name of the client in the Client Display Name field.
  3. Enter the IP address of the RADIUS client. Do not use a DNS name. You can define IP addresses with wildcards (*) to group several clients like 192.168.0.*
  4. Configure the options in the following section and tables.

Advanced, RADIUS Client Attribute Detection, Listen on RADIUS ports

RADIUS Client Attribute Detection

Click on the Advanced button to configure RADIUS Client Attribute Detection. It detects specific RADIUS attribute values and applies a different client configuration, with its own selected databases for authenticating the users, even if the requests come from the same IP address (sending source). This can for example be used to separate configurations for different types of users, such as Employees, Partners and Customers.

Option Description

Enable Attribute Detection

Enable or disable the attribute value detection.

RADIUS attribute number

Select the RADIUS attribute number.

RADIUS attribute value

Define the RADIUS attribute value.

Match type

Select how the value is matched: Exact match, or Contains (substring match).

Match case

Select whether the matching is case sensitive or not.

Listen on RADIUS ports

The Advanced configuration also defines whether the OTP Server should listen for this client on all configured RADIUS port numbers, if there are several, or only on specific ports.

Option Description

Listen on ALL available portnumbers

Check this to listen on all configured port numbers; uncheck it to choose the port numbers this client will listen on.

Selected ports

Select one or more ports this client will listen on. Note! This option only appears if “Listen on ALL available portnumbers” is unchecked.

Encoding


Option Description

Charset encoding

Select the character encoding. Note: the RADIUS standard defines UTF-8 as the standard character encoding.


RADIUS Reject Error Messages

The OTP Server can reply with pre-set error messages during one-time password processing. This gives the end-user more information when a system error occurs or there is a problem with the one-time password.

Option Description

Failed Auth/Error

Type a message that will be sent via RADIUS attribute 18 (Reply-Message) if the user fails to authenticate with their username/password or a system error occurs. Leave this field blank to disable this function.

Failed OTP

Type a message that will be sent via RADIUS attribute 18 (Reply-Message) if the user fails to authenticate with their OTP (one-time password, Prefetch OTP or OATH OTP). Leave this field blank to disable this function.

RADIUS Options

Option Description

Shared Secret

Enter the Shared Secret for this client. Note! Must be the same Shared Secret as configured in the RADIUS client application.

Supports Access-Challenge

Check if the RADIUS client supports RADIUS Access-Challenge (Challenge/Response).

Response Message

Enter the message that will be sent to the RADIUS client when prompting the user to enter the one-time password.

If the check box “Supports Access-Challenge” is unchecked, enter the IP address of the Authentication Server instead.

Auth. Server IP Address

The authentication server is needed and used if the RADIUS client doesn’t support Access-Challenge. Enter the IP address of the server.

The Authentication Server is the server that:
Step 1, initiates the user login process (username and password).
Step 2, a one-time password is created by the OTP Server and sent to the user’s mobile phone via SMS (or e-mail).
Step 3, the user authenticates via the RADIUS client application against the OTP Server with their username and one-time password.
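The challenge-response exchange above, as an added example that is not Nordic Edge code: the Access-Challenge (carrying the Response Message in attribute 18 plus a State attribute) and Access-Reject replies the OTP Server returns, authenticated with the shared secret as RFC 2865 specifies, and the check the RADIUS client performs on them. The packet identifier, request authenticator and `sess-1` state value are constructed sample data.

```python
"""RFC 2865 replies in the OTP challenge-response flow (added example,
not Nordic Edge code). The shared secret never travels on the wire; it
only feeds the Response Authenticator, which is why a mismatched secret
makes every reply fail verification at the RADIUS client."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
REPLY_MESSAGE, STATE = 18, 24          # RFC 2865 attribute types


def encode_attrs(attrs):
    """Pack (type, value) pairs as Type-Length-Value; length includes the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value must be at most 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attrs(body):
    """Inverse of encode_attrs; rejects malformed lengths instead of looping forever."""
    attrs = []
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[0], body[2:body[1]]))
        body = body[body[1]:]
    return attrs


def build_reply(code, ident, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_reply(packet, request_auth, secret):
    """What the RADIUS client does with its own copy of the secret before trusting a reply."""
    if len(packet) < 20:
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def otp_challenge(ident, request_auth, secret, response_message, state):
    """Step 2: prompt for the one-time password. State is echoed back by the client,
    which lets the server tie the second Access-Request to this challenge."""
    return build_reply(ACCESS_CHALLENGE, ident, request_auth, secret,
                       [(REPLY_MESSAGE, response_message.encode("utf-8")), (STATE, state)])


def otp_reject(ident, request_auth, secret, reject_message=""):
    """Failed OTP / Failed Auth reply: an empty message means no attribute 18 is sent."""
    attrs = [(REPLY_MESSAGE, reject_message.encode("utf-8"))] if reject_message else []
    return build_reply(ACCESS_REJECT, ident, request_auth, secret, attrs)
```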

Prefetch OTP Options

This section can be configured if “Use ONLY Prefetch OTPs” is enabled.

When enabled, this client only uses prefetched one-time passwords. This can be used for RADIUS clients that don’t support Access-Challenge. Use this configuration together with Prefetch OTP enabled databases.

Option Description

Require Password AND Prefetch OTP

Requires users to enter their user database password together with the prefetched one-time password, as in the example below.

Example: mysecretpassword12345

Generate Prefetch OTP if none exists

Allows users to generate their first prefetched one-time passwords automatically by logging in with their username and password.

User Database

Select the user database this RADIUS client will use to authenticate users. If no user database exists, one must be created. See chapter “Database Configuration”.

Other Options

Option  Description

Uses external OTP API 

Defines whether external code using the OTP API should generate and verify the one-time password instead of the OTP Server. Enter the Java class name that implements the interface “se.nordicedge.interfaces.OTPVerificationHandler”.

RADIUS Attributes

RADIUS attributes that will be sent after a successful authentication. Add attributes and their attribute numbers to the list. A value can be a Static Value, UserDN, User Attribute, Login Name, or be supplied by external code.


Create new Native Client

  1. Right click on the Clients Icon in the Select Pane (Left) and choose the New Native Client option or select the Clients object category in the Select Pane (Left) and choose New Native Client in the Configuration Pane (Right).
  2. Enter a unique and descriptive name of the client in the Client Display Name field.
  3. Enter the IP address of the Native client. Do not use a DNS name. You can define IP addresses with wildcards (*) to group several clients like 192.168.0.*
  4. Configure the options in the following section and tables.

Advanced, Native Client Name Detection

Click on the Advanced button to configure Native Client Name Detection. It detects whether a specific Name is used by the integration module that communicates with the OTP Server through the OTP client API.

This makes it possible to apply different client configurations, with their own selected databases, even if the requests come from the same IP address (sending source). This can for example be used to separate configurations for different types of users, such as Employees, Partners and Customers.

Option Description

Enable Name Detection

Enable or disable the name detection.

Client Name

Specify the Client Name used by the integration module.
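Client selection as described for RADIUS Client Attribute Detection above and for Native Client Name Detection here, as an added example rather than the product's code. It assumes that a client whose detection rule matches wins over a client on the same IP without a detection rule, uses RADIUS attribute 32 (NAS-Identifier) as the detected attribute, and the client names, IP patterns and database names are constructed.

```python
"""Select the client configuration (and so the user database) for a request:
first by source IP with wildcards such as 192.168.0.*, then by RADIUS attribute
detection or Native client name detection. Added example, not Nordic Edge code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def ip_matches(pattern: str, ip: str) -> bool:
    """Octet-wise match; '*' in the pattern matches any value in that position."""
    p, a = pattern.split("."), ip.split(".")
    if len(p) != 4 or len(a) != 4:
        return False
    return all(x == "*" or x == y for x, y in zip(p, a))


@dataclass
class AttributeDetection:
    """RADIUS Client Attribute Detection: attribute number, value, match type, case."""
    attribute_number: int
    value: str
    match_type: str = "Exact"    # "Exact" or "Contains"
    match_case: bool = True

    def matches(self, request: Dict) -> bool:
        got = request.get("attrs", {}).get(self.attribute_number)
        if got is None:
            return False
        want = self.value
        if not self.match_case:
            got, want = got.lower(), want.lower()
        return got == want if self.match_type == "Exact" else want in got


@dataclass
class NameDetection:
    """Native Client Name Detection: the name the integration module sends."""
    client_name: str

    def matches(self, request: Dict) -> bool:
        return request.get("client_name") == self.client_name


@dataclass
class ClientConfig:
    name: str
    ip_pattern: str
    database: str
    detection: Optional[object] = None   # AttributeDetection, NameDetection, or None when disabled


def select_client(clients: List[ClientConfig], source_ip: str, request: Dict):
    """Clients whose IP pattern matches are candidates; a matching detection rule
    wins (assumption), otherwise the first candidate without detection applies."""
    candidates = [c for c in clients if ip_matches(c.ip_pattern, source_ip)]
    for c in candidates:
        if c.detection is not None and c.detection.matches(request):
            return c
    for c in candidates:
        if c.detection is None:
            return c
    return None   # unknown source or no matching rule: no client configuration applies
```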

Options

Option Description

Accept User Lookup only

Enable this if a user lookup should be accepted (username only). A database authentication will NOT be performed if the user password is empty. Use this to verify a username and issue a one-time password without verifying the user password. Note: this will accept an empty password!

Client Name

Specify the Client Name used by the integration module.

User Database

Select the user database this Native client will use to authenticate users. If no user database exists, one must be created. See chapter “Database Configuration”.

Other Options

Option Description

Uses external OTP API 

If external code using the OTP API should generate and verify the one-time password instead of the OTP Server, enter the Java class name that implements the interface:

“se.nordicedge.interfaces.OTPVerificationHandler”

Force OTP Delivery Method

Choose the delivery method to be used for this client. This option will override the general configured order for methods.  


Create new Web service Client

  1. Right click on the Clients Icon in the Select Pane (Left) and choose the New Web service Client option or select the Clients object category in the Select Pane (Left) and choose New Web service Client in the Configuration Pane (Right).
  2. Enter the name of the client in the WS Client Name field. This name must correspond to the client name in the Web service request from the client.
  3. Enter a password for the Web service client.
  4. Configure the options in the following section and tables.

Options

Option Description

Accept User Lookup only

Enable this if a user lookup should be accepted (username only). A database authentication will NOT be performed if the user password is empty. Use this to verify a username and issue a one-time password without verifying the user password. Note: this will accept an empty password!

User Database

Select the user database this Web service client will use to authenticate users. If no user database exists, one must be created. See chapter “Database Configuration”.

Other Options

Option Description

Uses external OTP API 

If external code using the OTP API should generate and verify the one-time password instead of the OTP Server, enter the Java class name that implements the interface:

“se.nordicedge.interfaces.OTPVerificationHandler”

Force OTP Delivery Method

Choose the delivery method to be used for this client. This option will override the general configured order for methods.  

Read more about the OTP Web service: http://support.nordicedge.se/otp-server-web-service-client-api-soap/


14 Delivery Methods

The Delivery Methods object category is used to enable and configure one or more delivery methods that the OTP Server can use to send the one-time passwords. The Delivery Methods object category holds subcategories that represent the different delivery methods. It is also possible to show all, enabled or disabled delivery methods in this category and to configure the sending order.

Show all

  1. Select the Delivery Method category object in the Select Pane (Left) and right click on the Delivery method icon.
  2. Select Show all (this is the default). This will display all delivery methods.

Show enabled

  1. Select the Delivery Method category object in the Select Pane (Left) and right click on the Delivery method icon.
  2. Select Show enabled. This will display only enabled delivery methods.

Show disabled

  1. Select the Delivery Method category object in the Select Pane (Left) and right click on the Delivery method icon.
  2. Select Show disabled. This will display only disabled delivery methods.

Enable Delivery Method

  1. Expand the Delivery Methods object category and select the delivery method to use.
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options for the method in the following section and tables.

Delivery method sending order

One or more delivery methods can be used to deliver the one-time passwords. They are used in the order in which they are listed in the Delivery Methods object category, starting with the top method and going down.

  1. Select the enabled delivery method. (The method must be enabled to be moved)
  2. Right click, and choose the action Move up or Move down to change the sending order.

Nordic Edge SMS Gateway

This method uses the Nordic Edge hosted SMS gateway to deliver the one-time password over SMS to end-users. The Nordic Edge SMS Gateway supports automatic fail-over for service and SMS operator delivery, usage statistics, SMS status control and easy setup.


Nordic Edge provides OTP Server customers with a trial SMS Gateway account at no charge.


  1. Expand the Delivery Methods object category and select the Nordic Edge SMS method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options in the following section and tables.

General Settings, Proxy

Option Description

Username 

Enter the username for the service provided by Nordic Edge.

Password 

Enter the password for the service provided by Nordic Edge.

Flash SMS

Check the box to enable the support for sending flash SMS to user’s mobile phone.

Message

The message to be sent to the mobile phone. The OTP will be added to this message unless the tag $$OTP$$ is inserted in the message. The OTP will then replace the $$OTP$$ tag. Example: The passcode is $$OTP$$

Enable HTTP Proxy server 

Check the box to Enable HTTP Proxy.

Server: Enter the proxy server IP address or DNS name.

Port: Enter the proxy server port number.

Disable PF SMS Status

Disables SMS status control for users who have Prefetch OTP enabled. The OTP Server notifies the SMS gateway to skip status control of SMS sent to users that have Prefetch OTPs stored in their user database. This reduces the waiting time by up to 5 seconds for those users.

Username in accounting file

Check the box to include the username in the accounting file. Ignore this if the accounting file is not being used.



Configuration & Status

Request a demo account by clicking the “Request a demo account” button. This creates a demo account in the Nordic Edge hosted SMS gateway and fills in the username and password fields. It also retrieves a list of URLs to the Nordic Edge hosted SMS gateways.

This section can be configured once a demo or real account is defined.


Option Description

Test

Click on the Test button and enter a mobile phone number in the field to send a test SMS to the mobile phone through the Nordic Edge SMS Gateway Service.

Update Config

Click on the button to manually update the configuration for the Nordic Edge SMS Gateway Service. 

Debug

Check the box to enable debug information to be included in the log files.


Advanced

Option Description

Enable max Limit

Enable to set a maximum limit for SMS sending.

Max SMS per user per day

Set the maximum number of SMS that can be sent on behalf of a single user in one day.

Max SMS total per day

Set the maximum number of SMS that the OTP Server can send on behalf of all users in one day.




HTTP

Enables the OTP Server to send one-time passwords (OTP) via HTTP or HTTPS protocol to a SMS provider.

  1. Expand the Delivery Methods object category and select the HTTP method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options in the following section and tables.

Headers or Templatefile

Option Description

User Header

The HTTP Header name for the user’s mobile number or e-mail address.

OTP Header

The HTTP Header name for the OTP (Challenge).

Headers in Query String

Check if headers should be placed in the Query string as GET parameters. For example:

?USER=070112233&CHALLENGE=123456

Template file

Enter a file name if a template file will be used instead of headers. The file shall contain two placeholders which will be replaced when posted: $$IDENTITY$$ and $$CHALLENGE$$. Leave blank if only headers are to be used. See the sample file from Vodafone/Mobilerelations: smstemplate.xml

Auto-Accept SSL Certificates

Enables automatic trust of any certificate received over HTTPS (the server certificate is not validated).

Debug

Enables extensive logging of HTTP sending. Could be used in troubleshooting.

Authentication

Option Description

Enable HTTP Authentication

Check the box to enable HTTP Authentication.

Username

Enter the username to be used for authentication.

Password

Enter the password to be used for authentication.

Proxy

Option Description

Enable Proxy Server

Check the box to enable HTTP through a Proxy Server.

Proxy Server

The DNS name of the proxy server to be used for all HTTP requests.

Proxy Port

The port number for the proxy server.

Other Settings

Option Description

Content Type

HTTP mime content type. Default is application/x-www-form-urlencoded.

HTTP (HTTPS) URL

Enter the URL to post the OTP to.

Success string to look for

Enter the string the HTTP server responds with on success. If the OTP Server finds this string in the response, it assumes a successful posting; if it does not, it assumes the OTP post failed.


Extended HTTP

Enables the OTP Server message sending service to send one-time passwords (OTP) over the HTTP or HTTPS protocol. This module is similar in function to the HTTP module. One of the big differences is that Extended HTTP provides more fault tolerance, because you can define more than one HTTP(S) URL.

  1. Expand the Delivery Methods object category and select the Extended HTTP method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options in the following section and tables.

Headers or Templatefile

Option Description

User Header

The HTTP Header name for the user’s mobile number or e-mail address.

OTP Header

The HTTP Header name for the OTP (Challenge).

Remove leading +

Removes the leading + from mobile phone numbers.

Replace + with 00

Removes the leading + from mobile phone numbers and replaces it with 00 (two zeros).

Template file

Enter a file name if a template file will be used instead of headers. The file shall contain two placeholders which will be replaced when posted: $$IDENTITY$$ and $$CHALLENGE$$. Leave blank if only headers are to be used. See the sample file from Vodafone/Mobilerelations: smstemplate.xml

Auto-Accept SSL Certificates

Enables automatic trust of any certificate received over HTTPS (the server certificate is not validated).

Debug

Enables extensive logging of HTTP sending. Could be used in troubleshooting.


Use GET

Use GET instead of POST as the HTTP method.

Authentication

Option Description

HTTP Auth

Check the box to enable HTTP Authentication.

Username

Enter the username to be used for authentication.

Password

Enter the password to be used for authentication.

Proxy

Option Description

Proxy Server

Check the box to enable HTTP through a Proxy Server.

Proxy Server

The DNS name of the proxy server to be used for all HTTP requests.

Proxy Port

The port number for the proxy server.

Client Cert

Option Description

Client Cert

Check the box to use a client certificate for authentication. INFO: The URL must use HTTPS.

PKCS12 file

The full path to the certificate file (PKCS12 format).

Password

The password to the certificate.


Other Settings

Option Description

Content Type

HTTP mime content type. Default is application/x-www-form-urlencoded.

HTTP (HTTPS) URL 1-3

Enter the URLs to post the OTP to.

INFO: The OTP Server uses the URLs in the order 1, 2, 3. If URL 1 fails, the OTP Server will subsequently start with the last URL that worked.

Success string to look for

Enter the string the HTTP server responds with on success. If the OTP Server finds this string in the response, it assumes a successful posting; if it does not, it assumes the OTP post failed.


Set SOAPAction request header

Add SOAPAction as a request header.
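The Extended HTTP behaviour described in this section (identity and OTP as form parameters or a query string, the + handling options, the success string check and the URL 1-3 fail-over), as an added example that is not Nordic Edge code. The `transport` callable and the provider URLs are stand-ins the caller supplies; nothing here is the product's own API.

```python
"""Extended HTTP delivery: identity/OTP as POST form fields or GET query string,
phone-number normalisation, success-string check and sticky fail-over over
URL 1-3. Added example, not Nordic Edge code; `transport` is injected so the
logic can be exercised without a real SMS provider."""
from urllib.parse import urlencode


class ExtendedHttpSender:
    def __init__(self, urls, user_header, otp_header, success_string, transport,
                 use_get=False, remove_leading_plus=False, replace_plus_with_00=False):
        self.urls = list(urls)               # URL 1-3 in configured order
        self.user_header = user_header       # e.g. "USER"
        self.otp_header = otp_header         # e.g. "CHALLENGE"
        self.success_string = success_string
        self.transport = transport           # transport(method, url, headers, body) -> response text
        self.use_get = use_get
        self.remove_leading_plus = remove_leading_plus
        self.replace_plus_with_00 = replace_plus_with_00
        self.last_good = 0                   # index of the last URL that worked

    def normalise(self, identity):
        """'Remove leading +' / 'Replace + with 00' options for mobile numbers."""
        if identity.startswith("+"):
            if self.replace_plus_with_00:
                return "00" + identity[1:]
            if self.remove_leading_plus:
                return identity[1:]
        return identity

    def send(self, identity, otp):
        """Try the URLs starting at the last one that worked; return the URL that
        accepted the OTP, or None when every URL failed."""
        params = {self.user_header: self.normalise(identity), self.otp_header: otp}
        order = list(range(self.last_good, len(self.urls))) + list(range(self.last_good))
        for i in order:
            url = self.urls[i]
            try:
                if self.use_get:
                    # GET places the OTP in the query string, which proxies and web
                    # servers write to their access logs; POST keeps it in the body.
                    text = self.transport("GET", url + "?" + urlencode(params), {}, None)
                else:
                    text = self.transport("POST", url,
                                          {"Content-Type": "application/x-www-form-urlencoded"},
                                          urlencode(params))
            except OSError:
                continue                     # connection-level failure: try the next URL
            if self.success_string in text:  # provider reported success
                self.last_good = i
                return url
            # reachable but no success string: counts as a failed post, try the next URL
        return None
```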


SMTP

Enables the OTP Server message sending service to send one-time passwords (OTP) over the SMTP protocol. If the HTTP or Netsize methods are activated, all messages to users with an @-sign in the address will be sent via SMTP.

  1. Expand the Delivery Methods object category and select the SMTP method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options in the following section and tables.

SMTP Host 

Option Description

SMTP Host

IP-address or DNS-name to the SMTP Host.

Mime Encoding

The Mime encoding for SMTP. Default is: Iso-8859-1.

Port

The SMTP port number (Default is 25).

SSL/TLS

If SSL/TLS will be used.

Force TLS

Forces use of TLS instead of SSL.

Authentication

Option Description

Enable SMTP Authentication

Check the box to enable SMTP Authentication.

Username

Enter the username to be used for authentication.

Password

Enter the password to be used for authentication.


SMTP Options

Option Description

Mail sender Address

The sending e-mail address.

Mail To Address

Add the static e-mail address here. Alternatively, add the tag $$IDENTITY$$ anywhere in the string to insert the user’s identity (e.g. mobile number).

Sample:

$$IDENTITY$$sms@acme.com will be: +4670123456sms@acme.com

Mail address

Check to use the user’s e-mail address as Mail To Address.

Subject

The SMTP subject line.

User ID

Check to place the user’s Mobile number or e-mail address in the Subject field. 

Body Text

The SMTP message body that will include the One Time Password. The tag $$OTP$$ will be replaced with the OTP during sending. If the tag does not exist in the string, the OTP will be appended to the end of the string. Use the text editor button to enable the text editor.

Is filename

Check this box if the Body Text is a file template and enter the full path to the file. The tags $$IDENTITY$$ and $$OTP$$ can be used in the template file.

Debug

Enables or disables SMTP debugging to the log files.


Netsize

Enables the OTP Server message sending service to use the Netsize SMS gateway services. You need an account to use the Netsize services.

  1. Expand the Delivery Methods object category and select the Netsize method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options in the following section and tables.

Communication

Option Description

SMS Gateway

The IP-address or DNS name to the Netsize SMS-gateway.

Port nr

The Port Number to the gateway.

Authentication

Option Description

Login

Enter the username to be used for authentication.

Password

Enter the password to be used for authentication.


Message

Option Description

Message

The message to be sent to the Mobile phone. The tag $$OTP$$ will be replaced with the OTP during sending. If the tag does not exist in the string, the OTP will be appended automatically to the end of the string. Use the Text Editor button to enable the text editor.

Endpoint settings

Option Description

Sending, Receiving, Notification

Netsize parameters. See Netsize Agreement/Documentation.

Options

Option Description

Debug

Debugs Netsize packets in the system console or log file.

Encryption

Check this box if encryption will be used between the OTP Server and the Netsize gateway. Agreement with Netsize is required.

Message Type

Select how the SMS will be presented on the mobile phone:
  - Immediate Display (Flash-SMS)
  - Stored on Mobile phone
  - Stored on SIM-card

Concurrent Sender

Enables the OTP Server message sending service to send the one-time passwords simultaneously with more than one delivery method. Two or more delivery methods must be configured and selected in the list.

  1. Expand the Delivery Methods object category and select the Concurrent Sender method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Select the method to add from the list and click on the Add button. Note! One or more delivery methods must be configured before they show up in the list.
  4. Optional. Remove a method from the sending method list by selecting it in the list and clicking Remove.


Instant Messaging

Enables the OTP Server to send one time passwords (OTP) to end-users via different Instant Messaging methods.

The instant messaging method supports sending one-time passwords to three different instant messaging services, Skype, Microsoft Live(MSN) and Jabber (Google Talk). The method supports all services or an individual service to be activated.

  1. Expand the Delivery Methods object category and select the Instant Messaging method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options in the following section and tables.

OTP Message

Enter the message that should be sent to the user. The OTP will be added to this message unless the tag $$OTP$$ is inserted inside the message, in which case the OTP replaces the $$OTP$$ tag. Example: Passcode is $$OTP$$, by Nordic Edge

User Prefix concept

The User Prefix concept can be used to select which instant messaging service should be used when the Nordic Edge OTP Server receives a user’s instant messaging userid. By configuring a User Prefix, the Instant Messaging plug-in can select the service by looking at the incoming userid. All three instant messaging services support the User Prefix concept.

If the userid has a prefix attached, for example GOOGLETALK; as in:

GOOGLETALK;johndoe@nordicedge.se, and the Jabber service is configured with the User Prefix GOOGLETALK;, the Nordic Edge OTP Server will know that it should only use the Jabber service.

Both MSN and Jabber use a mail address as userid. If both are enabled and no User Prefix is specified, the Nordic Edge OTP Server will first try to send via the MSN service and, if that fails, send via the Jabber service.
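The User Prefix routing described above, as an added example that is not the plug-in's code. The service objects, the `MSN;` prefix and the send stubs are constructed, and the rule that a userid without an @-sign goes to Skype is an assumption the page does not state.

```python
"""User Prefix routing for the Instant Messaging delivery method (added
example, not Nordic Edge code). The prefix picks the service; without a
prefix, mail-address userids go MSN first, then Jabber, as the manual says."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class ImService:
    name: str                          # "Skype", "MSN" or "Jabber"
    enabled: bool
    user_prefix: str                   # e.g. "GOOGLETALK;", or "" when none is configured
    send: Callable[[str, str], bool]   # send(userid, message) -> True if delivered


def split_prefix(userid: str):
    """'GOOGLETALK;johndoe@nordicedge.se' -> ('GOOGLETALK;', 'johndoe@nordicedge.se');
    a userid without ';' has no prefix."""
    head, sep, rest = userid.partition(";")
    if sep and rest:
        return head + ";", rest
    return "", userid


def services_for(userid: str, services: List[ImService]):
    """Return (services to try in order, bare userid without the prefix)."""
    prefix, bare = split_prefix(userid)
    enabled = [s for s in services if s.enabled]
    if prefix:
        chosen = [s for s in enabled if s.user_prefix == prefix]
    elif "@" in bare:
        # mail-address userid: MSN before Jabber, as the manual states
        chosen = ([s for s in enabled if s.name == "MSN"]
                  + [s for s in enabled if s.name == "Jabber"])
    else:
        chosen = [s for s in enabled if s.name == "Skype"]   # assumption: Skype ids are not mail addresses
    return chosen, bare


def deliver(userid: str, message: str, services: List[ImService]):
    """Try the selected services in order; return the name of the one that delivered, or None."""
    chosen, bare = services_for(userid, services)
    for service in chosen:
        if service.send(bare, message):
            return service.name
    return None
```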


Skype

The Skype method requires that a Skype client is installed on the OTP Server and is active and logged into the Skype network. When the first message is sent, the Skype client will ask whether the OTP Server is allowed to pass messages through the Skype client. Select Yes when this question appears.

Use the Test button to test the Skype method. Note, do not include the User Prefix when using the Test button.


Microsoft Live/MSN

The Microsoft Live/MSN method requires a valid MSN account to be specified in the Login id and password fields.

Use the Test button to test the MSN method. Note, do not include the User Prefix when using the Test button.

The Debug checkbox can be used for debugging the MSN method.


Jabber (Google Talk)

The Jabber/GoogleTalk method requires a valid Jabber account to be specified in the Login id and password fields.

It also requires a Server hostname (or IP address), a port number and the option to use SSL. If the server hostname contains Google, then Google Talk will automatically be enabled.

Use the Test button to test the Jabber/Google Talk plug-in. Note: do not include the User Prefix when using the Test button. The Debug checkbox can be used for debugging the Jabber/Google Talk method.


SMPP

Enables the OTP Server message sending service to send one-time passwords (OTP) over the SMPP protocol.

  1. Expand the Delivery Methods object category and select the SMPP method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options. You can request more information from Nordic Edge on how to configure and integrate the OTP Server with SMPP sender.

CIMD2

Enables the OTP Server message sending service to send one-time passwords (OTP) over the Nokia CIMD2 protocol.

  1. Expand the Delivery Methods object category and select the CIMD2 method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options. You can request more information from Nordic Edge on how to configure and integrate the OTP Server with CIMD2 sender.


UCP file

Enables the OTP Server message sending service to support UCP File Creator in order to create files with the one-time passwords. 


  1. Expand the Delivery Methods object category and select the UCP File method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options. You can request more information from Nordic Edge on how to configure and integrate the OTP Server with UCP File Creator.




Option Description

File Directory to drop file

Select the directory to store one-time password files in. Each one-time password will be a separate file in this directory.

Filename starts with

Enter the name the files will start with. A random number will be added after this name in the file names. E.g. "ucp"

Filename ends with

Enter the end of the filename. E.g. ".txt"

Template File

Select the template file which contains the text with variables for the one-time password. A default template file is included with the OTP Server. E.g. C:\Program Files\NordicEdge\OTPServer3\UCPTemplate.txt

Control +New Line (0D 0A)

Creates the output file with DOS style line breaks.

File characterset

Select the character encoding for the UCP file.


15 Logs

The Logs configuration object includes configuration options for how the OTP server will handle logging and log files.


Log Files

Option Description

System Log file 

The name of the system log file. The system log file will also contain all debugging information. Leave blank if no log file will be used.

Accounting file 

The name of the accounting file. All successful OTP messages will be saved to this file. Leave blank if not used.

Roll Accounting File Now

Click on this button to roll the Accounting file.

Loglevel

Select required log level. Trace, Debug, Info, Warn, Error, Fatal. INFO: Default log level is Debug.

Max logfile size

Enter maximum size of the logfile before it will be rolled. INFO: Default 5000kb

Max backup index

The number of backup files kept before the OTP Server starts removing backup files. INFO: Default 100. E.g. 100 x 5000kb = 500Mb disk space required for logs.

External log Handler

Enter the Java class name for an external logger. This class needs to implement the se.nordicedge.interface.OTPlogging interface.
Leave this blank to use the default logger. Note: this parameter requires a restart to activate or deactivate the log handler.

Other Settings

Option Description

Check for config changes every

Check whether any changes have occurred in the OTP Server config file every X seconds. Set to 0 to disable this function.

Check classpath during startup

Check this box if changes in the lib directory should be read during OTP Server startup.


16 Alerts

The Alerts configuration object configures which methods the OTP Server uses to alert and notify recipients. You can also define which components (modules) are allowed to generate alerts.

  1. Select the Alerts category object in the Select Pane (Left) and configure the options in the Configuration Pane (Right).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the different options. You can find more information about the options in the following sections and tables.

Alert Configuration

Option Description

Use method

The name of the system log file. The system log file will also contain all debugging information.Leave blank if no log file will be used.

Components

Select the components (modules) that are allowed to generate alerts.

Send to

Enter the addresses (e-mail address, phone number, etc.) of the recipients of the alert messages. Enter one address per line.


17 License

The License configuration object includes configuration options and license information. The license system in OTP Server version 3 is new and not compatible with version 2, which means that in order to upgrade you need new license files. Contact Nordic Edge for how the license can be upgraded.

The new license system counts how many unique user identities have been used and checks this against the total number of licenses that have been registered. New users above the registered user limit won't be able to authenticate through the OTP Server. Alerts can be configured to notify administrators when the number of used user licenses is very close to the registered limit. This gives organizations the opportunity to buy more licenses.

The new license system also supports multiple license files. This means that one file can include a 50 user license and another a 100 user license, which gives a total of 150 user licenses.

The license files must be placed in the license file directory and the filename must end with the extension “.dat”. 

Register new licenses

  1. Copy the license file to the license directory.
  2. Select the License category object in the Select Pane (Left) and configure the options in the Configuration Pane (Right).
  3. Click on the button Detect new to scan for new license files and update the Registered Licenses limit.
  4. Check that the Registered Licenses value has increased by the number of new licenses.

License Information

Option Description

Registered Licenses

The total number of licenses detected in the license files.

Detect New

Checks for new licenses in the license directory.

Unused Licenses

The number of licenses available for new users.

Counter Started

The time and date when the license counter started.

Refresh

Refresh the license statistics.


18 Misc

The Misc configuration object category holds configuration for other functions and includes configuration for:

  • AES Encryption
  • Expired Password Notification
  • OATH configuration
  • Prefetch Proxy Config
  • Identity Manager & Pledge Enrollment
  • Unlock User Accounts
  • Yubico integration



AES Encryption

OTP Server supports AES encryption and decryption. AES can be used to store OATH keys or other important information in databases used by OTP Server. AES Encryption is available in OTP version 3.1 and above.

  1. Expand the Misc object category and select AES Encryption in the Select Pane (Left).
  2. Enable AES Encryption in the Configuration Pane (Right).
  3. Configure the options in the following section and tables.

General Settings

The General Settings section configures the specific attributes the OTP Server encrypts. Click on the Add button and add a specific attribute to encrypt.

  1. Add the specific attribute to encrypt with AES.
  2. Add the database handler ext.AES to the database that should use AES encryption.

INFO: AES encryption of OATH keys is enabled by the option Encrypt keys in keystorage database in Misc – OATH Configuration.

Advanced Settings

Option Description

AES Key

The AES Key for encryption and decryption: a 32 character string for 128bit and a 64 character string for 256bit.

INFO: Do not change this key in a production environment. Data encrypted with a specific key cannot be read if the key is changed, and neither Nordic Edge nor anyone else can recover the encrypted data.

Key size

Select 128, 192 or 256bit encryption/decryption.

Key type format

Select the format of the key: Hex or Base 64. Default Hex.


AES prefix

The AES data prefix. This prefix is placed in front of the encrypted value and indicates the encryption format. Default "{AES}".

Data format

The format of the encrypted data. Select Hex or Base 64. Default Hex.

Use CBC

Enables or disables cipher-block chaining (CBC).

IV (CBC)

The initialization vector (IV) required for CBC. Note: Must be in HEX format and 16 bytes long (32 Hex characters).

Lock

The Lock button locks the configuration above from accidentally being changed. Click again to unlock the settings.

Test encryption & decryption

The Test encryption & decryption section helps administrators to verify AES settings for encryption and decryption. 

Option Description

Value

Type a value to encrypt or decrypt.

INFO: Make sure the length of the AES Key corresponds to the selected Key size. See AES Advanced Settings, AES Key and Key size.

Results

Displays the results for encryption or decryption.
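The following is an added example, not Nordic Edge code, showing how the Advanced Settings table above fits together: the key is read in its Key type format and checked against Key size, the IV must be 16 bytes of hex, and a stored value is the AES prefix followed by the ciphertext in the chosen Data format. It uses the third-party cryptography package; PKCS#7 padding, ECB when Use CBC is off, and the names decode_key, decode_iv, AttributeCipher and repeated_block_leaks are this example's own assumptions, not the product's API.

```python
"""Added example (not Nordic Edge code): the attribute-encryption layout that
the Misc - AES Encryption tables describe, modelled with the third-party
'cryptography' package. Assumptions not stated by the manual: PKCS#7 padding,
ECB mode when 'Use CBC' is off; all names here are the example's own."""
import base64
import binascii

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def decode_key(key_text: str, key_type: str, key_bits: int) -> bytes:
    """Decode the 'AES Key' option in its 'Key type format' (Hex or Base 64)
    and check that it really is 'Key size' bits long: in hex that is 32
    characters for 128-bit, 48 for 192-bit and 64 for 256-bit."""
    fmt = key_type.lower().replace(" ", "")
    if fmt == "hex":
        key = binascii.unhexlify(key_text)
    elif fmt == "base64":
        key = base64.b64decode(key_text, validate=True)
    else:
        raise ValueError("Key type format must be Hex or Base 64")
    if len(key) * 8 != key_bits:
        raise ValueError(f"key is {len(key) * 8} bits but Key size is {key_bits}")
    return key


def decode_iv(iv_hex: str) -> bytes:
    """'IV (CBC)' must be 16 bytes given as 32 hex characters."""
    iv = binascii.unhexlify(iv_hex)
    if len(iv) != 16:
        raise ValueError("IV must be 16 bytes (32 hex characters)")
    return iv


class AttributeCipher:
    """Encrypts/decrypts one attribute value as '<AES prefix>' + ciphertext
    encoded in the chosen 'Data format'."""

    def __init__(self, key: bytes, use_cbc: bool = True, iv=None,
                 prefix: str = "{AES}", data_format: str = "hex"):
        if use_cbc and iv is None:
            raise ValueError("CBC requires an IV")
        self.key, self.use_cbc, self.iv = key, use_cbc, iv
        self.prefix = prefix
        self.data_format = data_format.lower().replace(" ", "")

    def _cipher(self) -> Cipher:
        mode = modes.CBC(self.iv) if self.use_cbc else modes.ECB()
        return Cipher(algorithms.AES(self.key), mode)

    def _encode(self, raw: bytes) -> str:
        return raw.hex() if self.data_format == "hex" else base64.b64encode(raw).decode()

    def _decode(self, text: str) -> bytes:
        return bytes.fromhex(text) if self.data_format == "hex" else base64.b64decode(text)

    def is_encrypted(self, stored: str) -> bool:
        """The prefix is what tells a reader of the database that a value is ciphertext."""
        return stored.startswith(self.prefix)

    def encrypt(self, value: str) -> str:
        padder = padding.PKCS7(128).padder()
        data = padder.update(value.encode()) + padder.finalize()
        enc = self._cipher().encryptor()
        return self.prefix + self._encode(enc.update(data) + enc.finalize())

    def decrypt(self, stored: str) -> str:
        if not self.is_encrypted(stored):
            return stored  # a plain value written before encryption was enabled
        dec = self._cipher().decryptor()
        data = dec.update(self._decode(stored[len(self.prefix):])) + dec.finalize()
        unpadder = padding.PKCS7(128).unpadder()
        return (unpadder.update(data) + unpadder.finalize()).decode()


def repeated_block_leaks(key: bytes, use_cbc: bool, iv=None) -> bool:
    """Encrypt two identical 16-byte plaintext blocks and report whether the two
    ciphertext blocks are identical too. They are in ECB, which is why 'Use CBC'
    matters: without chaining, repeated content stays visible in the database."""
    stored = AttributeCipher(key, use_cbc=use_cbc, iv=iv).encrypt("A" * 32)
    raw = bytes.fromhex(stored[len("{AES}"):])
    return raw[:16] == raw[16:32]


if __name__ == "__main__":
    # Constructed test key and IV for the demo only.
    key = decode_key("000102030405060708090a0b0c0d0e0f", "Hex", 128)
    iv = decode_iv("101112131415161718191a1b1c1d1e1f")
    cipher = AttributeCipher(key, use_cbc=True, iv=iv)
    stored = cipher.encrypt("7e4baa15979ee53e2695bed18a10259f4bd6ebd5")
    print(stored)
    print(cipher.decrypt(stored))
```

Because the table configures a single fixed IV, every value is chained from the same starting block, so two attributes holding identical plaintext still produce identical stored values under the same key; the prefix, key format and IV settings are about storage compatibility between OTP Server and the database, and the key itself is what needs protecting.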

  

Expired Password Notification

The Expired Password Notification can be enabled to detect and notify the end-users that their password has expired.

  1. Expand the Misc object category and select the Expired Password Notification method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options in the following section and tables.

Expired Password Notification

Option Description

User attributes to send message to

Select the attribute or attributes the delivery method reads to find the address of the user. It can be the mobile attribute holding the telephone number or the mail attribute holding the e-mail address. Separate the attributes with a comma ",". Example: mobile,mail

Message to the user

Enter the message the end-user will see when they are notified that their password has expired.

Method to send notifications with

Select the method that will be used to send the notifications to the end-users from the list.


OATH Configuration

Enables the OTP Server to support hardware based tokens and the mobile client Pledge that use the HOTP or TOTP algorithm from OATH. Detailed information on how to store the OATH information in the user databases can be found here:

Detail OATH Keyinformation

It is also used to configure the automatic enrollment feature for tokens that send a Token identifier.

  1. Expand the Misc object category and select the OATH Configuration in the Select Pane (Left).
  2. Enable the integration in the Configuration Pane (Right).
  3. Configure the options in the following section and tables.

OATH Configuration

HOTP

Configuration of HOTP OATH settings.

Option Description

Encrypt Key and counter

If the HOTP key and counter should be encrypted in the database.

Validation LookAhead Value

The maximum number of counter values checked for a user's OTP.
Example: If the OATH device has a counter value of 20 and the value on the user object accessible by the OTP Server is 10, a lookahead value of 10 is required to catch up.
If the lookahead value is too small the OATH device will be out of sync and needs to be resynchronized.

OTP Length/Variable Length

Enter the fixed or variable length of the OTP. Select the required length of the OTP.

Truncation value

The offset value for OATH devices. This value should not be changed. Use -1 for variable truncation.

Use variable OTP length

If both 6 and 8 length OTP should be accepted. 

Info: Available in OTP Server up to version 3.0.

TOTP

Configuration of TOTP OATH settings. Available in OTP version 3.1 and above.

Option Description

Accept time drift

Accept the previous, current and future OTP instead of only the current OTP. If a token device or the OTP Server drifts in time, this compensates by accepting the previous or future OTP.

Anti-replay check

Whether a TOTP is accepted only once within the time frame. The OTP Server keeps track of used OTPs for each TOTP device within the accepted time frame. The time frame is set by the token device, normally 30 or 60 seconds.

Encrypt Key value

If the TOTP key value is stored encrypted in the database.

Max Out of Synch Time Steps (Accept time drift)

The number of time steps an OTP device may be out of sync.
E.g. a time step of 30 seconds (set by the token device) and Max Out of Synch Time Steps = 2 gives 2×30+30+2×30 = 2min 30sec of time difference accepted by the OTP Server.

General OATH Options

These settings are general for both OATH HOTP and TOTP.

Option Description

Pincode placement

If a PIN code is used, whether the OTP user enters the PIN code before or after the HOTP/TOTP. Select Before or After.

Accept OATH Token Identifier

Enable to accept Token devices that send Token Identifier together with the OTP.

Enable Automatic Enrollment

Enable Automatic Enrollment for Class A – Token Identifier. Defines if the automatic enrollment process will pick up the OATH Key and counter from a key database and store it on the user object using the OATH Token identifier specification.

Automatic OATH Enrollment

This section can be configured if the option Accept OATH Token Identifier and Enable Automatic Enrollment is enabled.

Option Description

Keystorage database

Select the database that contains or will contain the keys and token identifier.  

Check SQL Database

This button is visible if the database type selected in the Key database list is a SQL database. Click on the button to test if the selected database has a database called TOKENDB with the table Token which is a requirement. If the TOKENDB database and Tokens table are not created, click Yes to create them. 

Object DN:

This option is visible if the database type selected in the Keys database list is a LDAP database. Select the LDAP object to store the keys in.

Attribute

This option is visible if the database type selected in the Key database list is an LDAP database. Select the specific attribute to store the keys in. The attribute must be of the type multivalue string.

Upload keyfile to database

Click on the button to upload keys from file to the selected database. 

The file format must be either semicolon or comma separated or PSKC (RFC 6030) format.


- Semicolon separated format:

ub0000011111;69fc80be0e757941013c35b70b517d8d9f441fa;0


- Comma separated format:

Number id, Token identifier, countervalue, HOTP key (hex), Config Password (not used), Timestamp

Example:

125,ub9020000125,0,7e4baa15979ee53e2695bed18a10259f4bd6ebd5,000000000000,2010-04-19T01:48:51,

Allow multiple token assignments

Accept that a user who already has an OATH token enrolls for an additional token.

Encrypt keys in keystorage database

If the keys should be encrypted in the key database.

INFO: If AES is configured in Misc – AES the keys will be encrypted with AES encryption.

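As an added example, not Nordic Edge code, the reader below accepts the three key-file layouts the Upload keyfile to database option lists: the semicolon layout in the field order of the example above, the comma layout with the field order the manual gives, and a plain (unencrypted) RFC 6030 PSKC container. The sample files are constructed; taking the PSKC Key Id as the token identifier, rejecting keys that are not an even number of hex digits, and the names TokenRecord and parse_keyfile are this example's assumptions.

```python
"""Added example (not Nordic Edge code): a reader for the semicolon, comma and
PSKC (RFC 6030) key-file layouts accepted by 'Upload keyfile to database'.
Only plain PSKC secrets (Data/Secret/PlainValue) are handled; sample files
below are constructed."""
import base64
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PSKC_NS = "{urn:ietf:params:xml:ns:keyprov:pskc}"


@dataclass
class TokenRecord:
    token_id: str
    key: bytes      # raw HOTP secret
    counter: int


def _hex_key(text: str) -> bytes:
    """Keys are stored as hex; reject anything that is not an even number of hex digits."""
    text = text.strip()
    if len(text) % 2 or any(ch not in "0123456789abcdefABCDEF" for ch in text):
        raise ValueError(f"HOTP key is not an even-length hex string: {text!r}")
    return bytes.fromhex(text)


def parse_semicolon(text: str):
    """Token identifier;HOTP key (hex);counter, one token per line."""
    records = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=";"), 1):
        if not row or not row[0].strip():
            continue  # skip blank lines
        if len(row) < 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(row)}")
        records.append(TokenRecord(row[0].strip(), _hex_key(row[1]), int(row[2])))
    return records


def parse_comma(text: str):
    """Number id, Token identifier, countervalue, HOTP key (hex),
    Config Password (not used), Timestamp."""
    records = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row or not row[0].strip():
            continue
        if len(row) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields, got {len(row)}")
        records.append(TokenRecord(row[1].strip(), _hex_key(row[3]), int(row[2])))
    return records


def parse_pskc(text: str):
    """Plain RFC 6030 container: each Key carries its secret as base64 in
    Data/Secret/PlainValue and its counter in Data/Counter/PlainValue."""
    records = []
    for key in ET.fromstring(text).iter(PSKC_NS + "Key"):
        secret = key.findtext(f"{PSKC_NS}Data/{PSKC_NS}Secret/{PSKC_NS}PlainValue")
        if secret is None:
            raise ValueError(f"Key {key.get('Id')}: no plain secret (encrypted PSKC not supported here)")
        counter = key.findtext(f"{PSKC_NS}Data/{PSKC_NS}Counter/{PSKC_NS}PlainValue", default="0")
        records.append(TokenRecord(key.get("Id"), base64.b64decode(secret), int(counter)))
    return records


def parse_keyfile(text: str):
    """Pick the layout: XML starts with '<'; otherwise the delimiter on the first line decides."""
    stripped = text.lstrip()
    if stripped.startswith("<"):
        return parse_pskc(stripped)
    first_line = stripped.splitlines()[0]
    return parse_semicolon(stripped) if ";" in first_line else parse_comma(stripped)


# Constructed sample files (the hex key is the manual's own example value).
SAMPLE_SEMICOLON = (
    "ub0000011111;7e4baa15979ee53e2695bed18a10259f4bd6ebd5;0\n"
    "ub0000011112;000102030405060708090a0b0c0d0e0f10111213;5\n"
)
SAMPLE_COMMA = "125,ub9020000125,0,7e4baa15979ee53e2695bed18a10259f4bd6ebd5,000000000000,2010-04-19T01:48:51,\n"
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo><Manufacturer>Example</Manufacturer><SerialNumber>000000125</SerialNumber></DeviceInfo>
    <Key Id="ub9020000125" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SEMICOLON, SAMPLE_COMMA, SAMPLE_PSKC):
        for record in parse_keyfile(sample):
            print(record.token_id, record.counter, record.key.hex())
```

Validating the key field before anything is written to the key database is the useful part: a truncated or mistyped hex key would otherwise be stored silently and every OTP from that token would fail to verify, which looks like a broken device rather than a bad import.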
Advanced Automatic OATH Enrollment with LDAP database

In some LDAP databases there is a default limit of 1000 entries in an LDAP attribute. Advanced OATH enrollment enables the use of multiple object/attributes to store OATH Keys to overcome this LDAP limitation.

  1. Click on the Advanced button in the Configuration Pane (Right) of the OATH Configuration under Misc in the OTP Configurator.
  2. Click Add and select an object.
  3. Select an Attribute.
  4. Repeat steps 2 and 3 to add more objects or attributes.

Option Description

Maximum nr of keys per object

Set the maximum number of keys stored in each object.


Prefetch Proxy Config

The Prefetch Proxy Config configuration object includes configuration of how the OTP Server sends the Prefetch one-time passwords.

Proxy Sending of Prefetch OTPs

  1. Enable this option to send all the created Prefetch OTP requests to another OTP Server that will handle the sending of the one-time passwords.
  2. Enter the IP address and port number (separated with a colon) of the OTP Server that will receive the created Prefetch OTP requests. Multiple servers can be defined and be separated by comma. Example: 192.168.1.1:3100;10.0.0.1:3100;otp3.otpserver.com:3100

Force sending Prefetch OTP with Method

  1. Select the sending method for the Prefetch OTP from the list. Note! One or more delivery methods must be configured before they show up in the list.

Identity Manager & Pledge Enrollment

Enables the Identity Manager and Pledge Enrollment web applications. Identity Manager for OTP is a preconfigured version of the Nordic Edge Identity Manager Portal deployed on the included Tomcat server. It can be used by administrators and helpdesk personnel to administer specific user information in the user stores (databases) used by the OTP Server. It can also be used as a self-administration portal for end-users to change specific information about themselves.

Pledge Enrollment is a web application applied on the included Tomcat server and is used to let the end-users follow an easy step by step auto enrollment process to download a Pledge profile with included HOTP key. The application uses a web services interface to integrate with the Nordic Edge Profile Factory services where customers can design the look and feel and security options regarding their Pledge profiles.

A step by step guide for Pledge Enrollment is available here:
http://www.nordicedge.se/products/one-time-password-server/pledge-enrollment-guide

  1. Expand the Delivery Methods object category and select the Identity Manager & Pledge Enrollment method in the Select Pane (Left).
  2. Enable the method in the Configuration Pane (Right).
  3. Configure the options. You can request more information from Nordic Edge on how to configure and integrate the OTP Server with Identity Manager & Pledge Enrollment.


Yubico 

Enables the OTP Server integration for Yubico.

  1. Expand the Misc object category and select the Yubico integration in the Select Pane (Left).
  2. Enable the integration in the Configuration Pane (Right).
  3. Configure the options.

    Click here for a detailed documentation of the Nordic Edge and Yubico integration


19 Starting and Stopping the OTP Server

Microsoft® Windows® 2008/2003

There are different ways of starting/stopping the OTP Server on Microsoft® Windows®:

  • As a Microsoft® Windows® service. Use the Microsoft® Windows® Services to start and stop the OTP Server.
  • Start the program file ”OTPServer.exe” in the installation directory.
  • If the Monitor option is enabled, the OTP Server will preferably be stopped by clicking the button ”Shutdown”.

Unix/Linux/OSX

The OTP Server can be started in the following ways on UNIX/Linux/OSX:

  • Execute the file ”OTPServer” as a background process, for example OTPServer &
  • If the Monitor is not used, the OTP Server is stopped with the Unix ”kill” command.
  • If the Monitor option is enabled, the OTP Server will preferably be stopped by clicking the button ”Shutdown”.


20 The OTP-Server Monitor

The OTP Server Monitor can be displayed when the OTP Server process is started if the option Enable Monitor is configured in the Server object category. This option requires GUI support on the server.

The monitor can be used to configure the server, display statistics (Show Details) and shutdown the server process.

Configuration

Click on the button Configuration to start the configuration program.

Shutdown

Click on the button Shutdown to shutdown the server process. 


OTP Server Statistics (Show Details)

Click on the button Show Details to see the statistics from the OTP Server.

Sending OTP’s

Option Description

Total OTP’s

The total number of OTP’s created.

One time Passwords

Option Description

Successful OTP’s

The number of OTP’s, successfully answered by clients.

Failed OTP’s

The number of OTP’s, which the clients failed to answer.

Unfetched OTP’s

The number of OTP’s that have not yet been retrieved by a client.

Expired OTP’s

The number of OTP’s that have expired.

RADIUS

Option Description

RADIUS Packets Sent

The number of sent RADIUS packets.

RADIUS Packets Received

The number of received RADIUS packets.

Connections

Option Description

Active Connections

The number of native client connections at this moment.

Successful connections

The total number of successful native client connections to this OTP-Server.

Failed Connections

The total number of failed native client connections to this OTP Server by a client.

Encryption

Option Description

Encrypted Requests

The number of encrypted requests from native clients to the OTP Server.

Unencrypted requests

The number of unencrypted requests from native clients to the OTP Server.

Rejected Unencrypted Requests

The number of requests from native clients that were rejected by the OTP Server because the client did not encrypt the request (Requires Always Encryption or ”EncryptionLevel=2” in otp.properties).

User Database Authentication

Option Description

Successful Logins

The number of successful User Authentication to LDAP or JDBC/ODBC databases.

Failed Logins

The number of failed User Authentication to LDAP or JDBC/ODBC databases.

Locked Accounts

The number of times the OTP Server has locked out users because the maximum number of login attempts to LDAP or JDBC/ODBC databases has been reached.


21 On-Demand services

 

OTP On-demand

This is a hosted service that enables our customers to use strong authentication without the need to install the product in their own environment. The Nordic Edge OTP On-Demand is accessed via Web Services. 

 

SMS On-Demand

This is a hosted service that enables our customers to use SMS distribution without the need to install the product in their own environment. The Nordic Edge SMS On-Demand is accessed via Web Services. 

 

SMS Gateway

This plug-in delivers one time passwords using SMS via a Nordic Edge hosted SMS gateway. The Nordic Edge SMS Gateway supports automatic fail-over for service and SMS operator delivery, usage statistics, SMS status control and easy setup. 
