1. Product Documentation This document is a configuration guide for OpenOTP Radius Bridge (RB). The reader should notice that this document is not a guide for installing and configuring OpenOTP or WebADM. Specific application guides are available through the RCDevs documentation website. 2. Product Overview OpenOTP Radius Bridge provides the RADIUS RFC-2865 (Remote Authentication Dial-in User Service) API for OpenOTP Authentication Server. Standalone, the OpenOTP server provides SOAP/XML and JSON interfaces over HTTP and HTTPS.
Documents in Installation & Setup
1. Product Documentation This document is an installation guide for WebADM Server in standalone and high availability mode. WebADM server is the main component to install and deploy OpenOTP in your environment. WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide. 2. Product Overview WebADM is a powerful Web-based LDAP administration software designed for professionals to manage LDAP Organization resources such as Domain Users and Groups.
1. Overview RCDevs’ suite offers a public key infrastructure service and that functionality is mandatory for the proper functioning of RCDevs solutions. The default setup is to make WebADM/Rsignd a standalone CA. In that scenario, you just need to follow the default WebADM setup. For customers which already have a CA in place and running, you can configure WebADM as a subordinate CA. This document will present you with how to configure WebADM as a subordinate certificate authority of your enterprise certificate authority.
1. Product Documentation This document describes how to configure correctly the Yubico YubiHSM and enable it through the WebADM setting, in order to provide both hardware level encryption and random seed generation (the strongest Enterprise security available) in your RCDevs product. WebADM only needs a subset of commands to work with the YubiHSM and the reader should notice that this document is not a guide describing all possible modes of operation provided by the device itself.
Setup of MIRkey / eHSM devices to use with WebADM 1. Introduction This guide will lead you through the setup of one or preferably several (for load-balancing and fail-over purposes) eHSM / MIRkey to use hardware cryptography within WebADM, adding an extra layer of security to protect WebADM sensitive data. MIRKey HSMs required at least WebADM 2.0.17. 2. Download and install the ellipticSecure Device Manager Although it is possible to initialize and setup the eHSM or MIRkey using standard command-line pkcs11 tools, we recommend to use the ellipticSecure Device Manager GUI that allows the update of the firmware and to setup a backup domain allowing backups from one device to be restored to a different device, which is particulary useful for load-balancing across several HSMs and for disaster recovery purposes.
Setup of SmartCard-HSM devices to use with WebADM 1. Introduction This guide will lead you through the setup of one or preferably several (for load-balancing and fail-over purposes) SmartCard-HSM to use hardware cryptography within WebADM, adding an extra layer of security to protect WebADM sensitives informations. All steps of the initialization, configuration and replication of the devices can be performed directly with standard command line tools directly on the server where WebADM is installed, except for the generation of an AES secret key that will be, as we write these lines, only exportable to another device if it has been generated properly through the Smart Card Shell GUI.
1. Overview In this how-to, we will demonstrate how to easily migrate from a third party 2FA software to OpenOTP. In this documentation, we assume that you are already running WebADM, OpenOTP and Radius Bridge. To understand what will be done here, we will describe the steps: Have a WebADM, OpenOTP and Radius Bridge installed and configured, Activate every users who will require 2FA authentication at the WebADM level, Import your third-party hardware Tokens into WebADM.
1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides of WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website. 2. Installation of MFA VPN On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates.
1. Overview The purpose of this web application is to provide an easy-to-use interface for the most common “tier 1” support task, typically performed by a Help-Desk function in a company IT organization. This Web application is designed for internal (corporate) use and includes several self-management features like: Activate users for OpenOTP use View and manage account information such as email, mobile phone numbers, etc… Reset LDAP password Send password reset or token registration links Enroll, re-synchronize and test a Software / Hardware Token or Yubikey Manage user certificates Manage SSH keys (SpanKey) Administration Help Desk web application must be installed on your WebADM server(s) and can be accessed through WAProxy or another reverse proxy configured with WebADM.
1. Overview The purpose of this web application is to provide an easy-to-use interface for the most common “tier 1” support task, typically performed by a Help-Desk function in a company IT organization. This Web application is designed for internal (corporate) use and includes several self-management features like: Activate users for OpenOTP use View and manage account information such as email, mobile phone numbers, etc… Reset LDAP password Send password reset or token registration links Enroll, re-synchronize and test a Software / Hardware Token or Yubikey Manage user certificates Manage SSH keys (SpanKey) Administration HelpDesk web application must be installed on your WebADM server(s) and can be accessed through WAProxy or another reverse proxy configured with WebADM.
1. Product Overview WAProxy is an HTTP(S) reverse proxy for WebADM. While any reverse proxy should be able to fill the role, this one has been already configured by RCDevs to work securely and use all the features WebADM provides to reverse proxies. WAProxy handles basic load balancing, failover, and both server and client certificates with the least possible amount of configuration effort. Without a WAProxy reverse proxy, WebADM end-user web applications must be accessible from anywhere its users could be: if you use OpenOTP Push Login or TiQR, a user’s phone must be able to access the mobile communication endpoints on your WebADM installation from the internet.
1. Background This document describes how to set up Push Login infrastructure, using WebADM, OpenOTP Push Server and optionally WAProxy. OpenOTP is the RCDevs MFA Service running on top of the RCDevs WebADM platform. OpenOTP itself is composed of several server applications and components that provide secure and reliable authentication of users connecting to applications, online services, intranet, extranet just to name a few. OpenOTP relies on proven technologies and open standards, such as OATH (the initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP.
How To Configure WebADM with a Read-Only Active Directory Important Note An entreprise license is mandatory for that setup since WebADM 1.6.6 In some circumstances, we can not write in the LDAP backend. In that case, we need to store some configurations in a local LDAP database and users extra information in a SQL database. In this example, we will start with a WebADM server running with a local MariaDB and RCDevs Directory Server.
1. Overview This guide intends to explain how to install and configure WebADM in docker containers. The following items will be covered: Slapd MariaDB WebADM WAProxy 2. Before you start All steps were tested in CentOS 7/CentOS 8 and docker version 19. But it should work in any system running a modern version of docker. In this guide, I assume you already have a working docker installation. In case you need help to setup a docker environment, you can check the docker website documentation.
1. Product Overview The main use-case of OpenOTP LDAP Bridge is enabling enterprise applications that use LDAP as an external authentication mechanism to work with OpenOTP. LDAP Bridge allows authentication to be delegated to an OpenOTP server transparently, without changing the LDAP back-end. From the client applications perspective, the main change is that it will use the LDAP Bridge as an LDAP server, instead of the backend-end LDAP server.