Step by Step Guide for Nordic Edge and Yubico Introduction pack
This guide covers the installation and configuration of the Nordic Edge™ One Time Password Server / Yubikeys Introduction Pack.
For more information from Nordic Edge, please contact sales@nordicedge.se or browse to http://www.nordicedge.com/.
If you have any questions regarding the following guide, please contact us via support@nordicedge.se and we will help you through the entire process.
1 Prerequisites
The following is necessary to perform an OTPServer and Yubikeys integration:
- Nordic Edge One Time Password Server version 3.0.8802 or higher
- A valid license file license.dat for OTPServer v3.x
- An Operating System with a Java Virtual Machine (JVM) version 1.6 or higher (Microsoft Windows, Linux, Sun Solaris, IBM AIX, HP/UX, Novell Netware, Mac OS X)
- RAM: minimum 1 GB (depends on the size of the data source that will be processed in memory)
- HD: 100 MB for the application plus additional space for log rotation
- LDAP User repository (Sun Directory Server, Microsoft Active Directory, Novell eDirectory etc.)
- LDAP administrative user account with write access to the LDAP attributes used by OTPServer:
  - Write access to the container attribute used as Yubico Evaluation Pack keystorage
  - Write access to the user object attribute used to store the Yubikey AES key assigned to users
Nordic Edge™ One Time Password Server & Yubikeys Evaluation Pack can be integrated into an existing environment via RADIUS challenge-response, on-demand web services, specific integration modules, as well as Java and .NET/COM APIs.
- RADIUS challenge-response systems to be protected with OTPServer must be able to reach OTPServer (outbound traffic) on UDP port 1812 or 1645.
- Non-RADIUS challenge-response systems configured with a Nordic Edge integration module must be able to reach OTPServer (outbound traffic) on TCP port 3100.
- One Time Password Server must be able to reach the LDAP user database (outbound traffic). The default ports for LDAP and Secure LDAP (LDAPS) are TCP 389 and 636 respectively. Since the Yubikey AES keys are read and written over this connection, use LDAPS rather than plain LDAP wherever the directory supports it.
For more information about OTPServer integration see http://nordicedge.com/products/one-time-password-server/integrations/
- Yubico YubiKey Evaluation Pack (10 Yubikeys) and its corresponding seed file, YubikeysSeedInfo.
For more information about Yubikeys see http://www.yubico.com/yubikey
WARNING: This pack contains 10 Yubikeys programmed with a reference set of credentials. The keys in the shipped seed file are reference values, not secrets unique to your installation, so the Yubikeys must be reprogrammed with fresh AES keys before production use.
2 Getting started
- Perform a basic installation of OTPServer following instructions from:
http://support.nordicedge.se/general-step-by-step-guide-to-implement-sms-authentication-to-radius-products/
- Copy the Yubikey seed file (YubikeysSeedInfo) into the OTPServer3 directory.
- Create an Organizational Unit called Yubikeys in the LDAP UserStore; it will hold the Yubikeys seed information.
3 OTPServer Configuration
In the following example the LDAP repository is eDirectory and the system to be protected with two-factor authentication is a RADIUS system.
1. OTPServer Databases Section
Two database objects must be created:
- One for OTPServer to use as a placeholder for the Yubikeys information and their association with LDAP user objects.
- One for OTPServer to authenticate users against.
From the OTPServer console screen, click Configuration.
- Create the Yubikey keystorage database object as follows:
Note: the only section of interest on that screen is "Host Settings".
Test the LDAP connection via the "Test Connection" button.
- Create the UserStore database object as follows:
Choose a user object attribute from the LDAP directory that is not currently in use as the "OTP attribute"; this is where the Yubikey AES key of the token handed to a user will be stored.
This attribute must be of String type, multi-valued, and its length must not be limited. Because it holds the AES key of the user's token, restrict read access on that attribute to the OTPServer service account; do not pick an attribute that ordinary users or the anonymous bind can read.
2. OTPServer Client Section
An OTPServer Client object representing the system to protect must be created.
For example:
3. OTPServer MISC Section
Configure the Yubico page as follows:
- Select "Validate AES key at the OTPServer", so that OTPs are checked locally against the AES keys imported from the seed file.
Click Yes to confirm the Token Import:
The result must be:
When a user authenticates successfully for the first time with one of the Yubikeys, the following happens:
- OTPServer associates the user object with that Yubikey
Note: user jcalva has been assigned a Yubikey.
4. Remove a User/Token association
- Delete the "OTP attribute" chosen to store the Yubikey seed from the user object.
- Remove the user object CN from the Yubikey keystorage attribute.
For example, jcalva has left the company and his Yubikey is handed to another user:
- Delete the personalTitle attribute from user object cn=jcalva,ou=users,o=ne
- Remove jcalva's association with the Yubikey by editing the description attribute of container object ou=Yubikeys,ou=OATH,o=ne:
  Remove ";jcalva" from the attribute value cccccccvfdfj;0000000f8888;vccccccccccccccccccccccccccccccj;jcalva
The new user can now log in with the Yubikey for the first time and be enrolled automatically.
If the Yubikey itself was lost rather than returned, delete its keystorage value entirely instead of only removing the CN, so that the missing token cannot be enrolled again on its next first-time login.
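The bookkeeping behind the first-login enrollment of section 3 and the release procedure of section 4, as an added example that is not Nordic Edge code. It assumes, since the guide shows only a single value, that each keystorage value has the layout publicId;privateId;aesKey[;userCN]; the function names are hypothetical, the DNs and attribute names are the ones used in the guide's example, and OTP validation itself (AES decryption, counter checks) is left to OTPServer. It emits the LDIF an operator would feed to ldapmodify with the administrative account from the prerequisites.

```python
# Added example, not Nordic Edge code: the bookkeeping behind sections 3 and 4.
# The keystorage attribute (description on ou=Yubikeys in the guide's example)
# holds one value per Yubikey; on first successful login OTPServer appends the
# user's CN to that value, and releasing the key means removing the CN again.
# ASSUMPTIONS not stated by the guide: the value layout
#   publicId;privateId;aesKey[;userCN]
# is inferred from the single value the guide shows; all function names are
# hypothetical. OTP validation itself (AES decryption, counter/session checks)
# is done by OTPServer and is not modelled here.
import re
from dataclasses import dataclass, replace as dc_replace
from typing import List, Optional, Tuple

MODHEX = "cbdefghijklnrtuv"   # Yubico's modhex alphabet
PUBLIC_ID_LEN = 12            # leading modhex chars of a Yubico OTP
OTP_LEN = 44                  # 12-char public ID + 32-char encrypted block

# Constructed sample: the keystorage value shown in section 4 of the guide.
SAMPLE_VALUE = "cccccccvfdfj;0000000f8888;vccccccccccccccccccccccccccccccj;jcalva"


@dataclass(frozen=True)
class YubikeyRecord:
    public_id: str
    private_id: str
    aes_key: str
    user_cn: Optional[str] = None

    @classmethod
    def parse(cls, value: str) -> "YubikeyRecord":
        parts = value.split(";")
        if len(parts) not in (3, 4):
            raise ValueError(f"bad keystorage value: {value!r}")
        public_id, private_id, aes_key = parts[:3]
        if len(public_id) != PUBLIC_ID_LEN or any(c not in MODHEX for c in public_id):
            raise ValueError(f"public ID is not 12 modhex chars: {public_id!r}")
        if not re.fullmatch(r"[0-9a-f]{12}", private_id):
            raise ValueError(f"private ID is not 6 hex bytes: {private_id!r}")
        user_cn = parts[3] if len(parts) == 4 and parts[3] else None
        return cls(public_id, private_id, aes_key, user_cn)

    def serialize(self) -> str:
        base = f"{self.public_id};{self.private_id};{self.aes_key}"
        return f"{base};{self.user_cn}" if self.user_cn else base


def public_id_of(otp: str) -> str:
    """The first 12 modhex characters of a 44-character Yubico OTP identify the key."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN or any(c not in MODHEX for c in otp):
        raise ValueError("not a Yubico OTP")
    return otp[:PUBLIC_ID_LEN]


def enroll(records: List[YubikeyRecord], otp: str, user_cn: str) -> List[YubikeyRecord]:
    """Section 3: first successful login binds the presented Yubikey to user_cn."""
    pid = public_id_of(otp)
    if not any(r.public_id == pid for r in records):
        raise LookupError(f"Yubikey {pid} is not in the keystorage")
    out = []
    for r in records:
        if r.public_id == pid:
            if r.user_cn and r.user_cn != user_cn:
                # never silently re-bind a key that still belongs to someone else
                raise PermissionError(f"Yubikey {pid} already assigned to {r.user_cn}")
            r = dc_replace(r, user_cn=user_cn)
        out.append(r)
    return out


def release(records: List[YubikeyRecord], user_cn: str) -> Tuple[List[YubikeyRecord], List[YubikeyRecord]]:
    """Section 4: drop user_cn's association. Returns (updated records, records that were held)."""
    held = [r for r in records if r.user_cn == user_cn]
    if not held:
        raise LookupError(f"{user_cn} holds no Yubikey")
    updated = [dc_replace(r, user_cn=None) if r.user_cn == user_cn else r for r in records]
    return updated, held


def release_ldif(user_dn: str, otp_attr: str, keystore_dn: str, keystore_attr: str,
                 records: List[YubikeyRecord], user_cn: str) -> str:
    """LDIF for ldapmodify that performs both steps of section 4 in one run."""
    _, held = release(records, user_cn)
    lines = [f"dn: {user_dn}", "changetype: modify", f"delete: {otp_attr}", "-", ""]
    lines += [f"dn: {keystore_dn}", "changetype: modify"]
    for old in held:
        new = dc_replace(old, user_cn=None)
        # replace exactly this value; values for the other Yubikeys stay untouched
        lines += [f"delete: {keystore_attr}", f"{keystore_attr}: {old.serialize()}", "-",
                  f"add: {keystore_attr}", f"{keystore_attr}: {new.serialize()}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(release_ldif("cn=jcalva,ou=users,o=ne", "personalTitle",
                       "ou=Yubikeys,ou=OATH,o=ne", "description",
                       [YubikeyRecord.parse(SAMPLE_VALUE)], "jcalva"))
```

Running the script prints the LDIF for the jcalva example; pipe it into ldapmodify bound as the administrative account from the prerequisites. The delete/add pair on the description attribute targets the one value carrying ";jcalva", so other Yubikeys recorded in the same container are not affected, and enroll() refuses to rebind a key that is still associated with another user rather than silently overwriting the association.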