Overview

In this documentation, we will guide you through the process of reprogramming your YubiKey using the YubiKey Personalization Tool, generating an inventory file with the Yubico tool to import the YubiKey into the WebADM inventory, and assigning and using your YubiKey with OpenOTP. For this process, you will need to have WebADM and OpenOTP installed and configured. Please refer to the WebADM Installation Guide and the WebADM Administrator Guide for detailed instructions.

In this guide, we will utilize the YubiKey Personalization Tool for configuring the YubiKeys and the YubiKey Manager to manage the PIV (Personal Identity Verification) functionality of the YubiKeys.

Yubico OTP

Validation with OpenOTP

Programming

Once the YubiKey Personalization Tool is installed, open it.

Yubikey Personalization tool home page

To ensure you start from known settings, click on Restore Defaults under Settings in the YubiKey Personalization Tool before proceeding.

Once you're in the application, navigate to the Settings page and configure the Log configuration output setting to Yubico format.

Yubikey Personalization tool settings page

Inventory generation

Once you have configured this setting, plug in your YubiKey. Then, switch to the Yubico OTP tab and click on Advanced. Select Configuration Slot 1.

Click the three Generate buttons to create a new Public/Private Identity and a new Secret Key.

Next, click on the Write Configuration button. You will be prompted to save the inventory file.

Yubikey Personalization tool export page

Save this file, as it will be imported into the WebADM inventory in the next step. Note that it contains the token's secret AES key in clear text: store it securely and delete it once the import has succeeded. Writing Slot 1 also replaces the factory credential, so the key will no longer validate against YubiCloud until you upload the new configuration there (see Validation with YubiCloud below).

Yubikey Personalization tool configuration page

Inventory Import in WebADM

We have now reprogrammed our YubiKey and generated an inventory file for it. The next step is to import this inventory file into WebADM to enable the use of the YubiKey with OpenOTP, SpanKey, and other services.

Now, go to the WebADM Admin GUI and click on the Import tab.

WebADM import first tab

On that page, click the Import Inventory File button.

WebADM import second tab

In the Type of File dropdown, select Yubico CSV and browse to the inventory file you previously created using the YubiKey Personalization Tool.

Click the Import button, and the YubiKey should be successfully imported.

WebADM import success

You can check the inventory table to verify the new entry. Click on the Databases tab and then select Inventoried OTP Tokens. You should see the new entry listed there.

WebADM database check Yubikey

The YubiKey can now be assigned to a user account. This step is covered in the next section.

User Registration

The YubiKey can be assigned to a user through the WebADM Admin GUI, or via the User Self-Service Desk (SelfDesk), User Self-Registration (SelfReg), or Administration Helpdesk (Helpdesk) applications. In this section, we will assign the YubiKey to the user using the Admin GUI. Click on an activated user account in the left-hand tree.

WebADM user home page

Click on MFA Authentication Server under the Application Actions box, then select Register/Unregister OTP Tokens.

WebADM user register token

Register your token, select Primary Token, and check the box I use a Yubikey Token.

WebADM Yubikey registration

At this step, simply perform a short touch on your YubiKey to select Slot 1 and enroll it to the user account.

WebADM Yubikey registration success
WebADM user list of tokens

The YubiKey is now correctly assigned to the user account. If you return to the Databases tab and select Inventoried OTP Tokens, you will see a link between the YubiKey database entry and the LDAP user.

WebADM database second check Yubikey

A single YubiKey can be assigned to several users, but before a second user can enroll it you must first clear the User DN link on the YubiKey's entry in the inventory database. Clearing that link does not unregister the token from the first account: the first user who enrolled the YubiKey can still log in with it. In other words, every account the key remains registered on accepts its OTPs, so treat sharing a key as the exception rather than the rule.

Validation with YubiCloud

Yubicloud validation server config in OpenOTP

If you reprogrammed Slot 1 of your YubiKey in the Inventory generation section, the factory credential is gone and YubiCloud does not know the new AES key, so the key must be registered with the YubiCloud validation service before it can be validated there. To do so, upload the CSV file generated by the YubiKey Personalization Tool to Yubico's public service at https://upload.yubico.com/. Keys that still carry their factory configuration are already registered with the YubiCloud validation servers and need no upload. Note that uploading shares the key's AES secret with Yubico's service; if you only validate locally with OpenOTP, as in the previous section, this step is not needed.

Next, you will need to obtain a YubiCloud Client ID and a YubiCloud Secret Key from this URL: https://upgrade.yubico.com/getapikey/.

Once you have this information, log in to your WebADM GUI, go to the Applications tab, and click on Configure for the MFA Authentication Server (OpenOTP). In the YubiKey Tokens section, enable YubiCloud and enter the values for the Client ID and the Secret Key.

WebADM configuration for Yubicloud

You can apply these settings.

User Registration

Once the previous configuration is complete, go to the user for whom you want to register the YubiKey. Click on MFA Authentication Server in the Application Actions box for the user, then select Register/Unregister OTP Tokens. Choose an available token slot before selecting the YubiKey token.

WebADM Yubikey registration

Touch your YubiKey when prompted and it will be enrolled for this user.
In the Databases tab, Inventoried OTP Tokens section, you can check that the key is now listed as a YubiKey YubiCloud token.

WebADM Yubikey registration

User Authentication

Logs when validated by Yubicloud

We can now test user authentication with YubiCloud by returning to the MFA Authentication Server in the Application Actions box for the user and clicking on Test OTP & FIDO Authentication.

WebADM user test login action

If LDAP authentication is required, enter the LDAP password in the corresponding field; you can also select the policy you want to test the YubiKey against. Then click the Start button.

WebADM user test login page

Then, place the cursor in the OTP password field and perform a short touch on your YubiKey to activate Slot 1.

WebADM user test login OTP
WebADM user test login success

Then, go to the Databases tab and navigate to the WebADM Server Log File section to view the logs corresponding to the authentication we just performed.

[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] New openotpNormalLogin SOAP request
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] > Username: john.doe
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] > Domain: rcdevsdocs
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] > LDAP Password: xxxxxxxxxxxx
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] > Client ID: OpenOTP
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] > Source IP: 192.168.3.217
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] > Context: bc7a98e8114eb99d2cde9823883ecc17
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Registered openotpNormalLogin request
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Resolved LDAP user: CN=John Doe,CN=Users,DC=rcdevsdocs,DC=com (cached)
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Resolved LDAP groups: IT,Enterprise Admins (cached)
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Started transaction lock for user
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Found user language: EN
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Found 1 user mobiles: +33612345678
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Found 1 user emails: john.doe@rcdevsdocs.com
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Found 52 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Found 13 user data: ListInit,ListState,AppKeyInit,LastOTP,Device1Type,Device1Name,Device1Data,Device1State,TokenType,TokenKey,TokenState,TokenID,TokenSerial
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Last OTP present (valid until 2025-01-24 09:55:34)
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] OTP List present (0/50 passwords used)
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Found 1 registered OTP token (YUBIKEY)
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Requested login factors: LDAP & OTP
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] LDAP password Ok
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Authentication challenge required
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Started OTP authentication session of ID gFLykyAF2CSqMn1X valid for 90 seconds
[2025-01-24 09:51:15] [127.0.0.1:57976] [OpenOTP:PMO13QIW] Sent login challenge response
[2025-01-24 09:51:21] [127.0.0.1:57980] [OpenOTP:PMO13QIW] New openotpChallenge SOAP request
[2025-01-24 09:51:21] [127.0.0.1:57980] [OpenOTP:PMO13QIW] > Username: john.doe
[2025-01-24 09:51:21] [127.0.0.1:57980] [OpenOTP:PMO13QIW] > Domain: rcdevsdocs
[2025-01-24 09:51:21] [127.0.0.1:57980] [OpenOTP:PMO13QIW] > Session: gFLykyAF2CSqMn1X
[2025-01-24 09:51:21] [127.0.0.1:57980] [OpenOTP:PMO13QIW] > OTP Password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2025-01-24 09:51:21] [127.0.0.1:57980] [OpenOTP:PMO13QIW] Found authentication session started 2025-01-24 09:51:15
[2025-01-24 09:51:21] [127.0.0.1:57980] [OpenOTP:PMO13QIW] Started transaction lock for user
[2025-01-24 09:51:21] [127.0.0.1:57980] [OpenOTP:PMO13QIW] Sending YubiCloud validation request to 5 servers
[2025-01-24 09:51:22] [127.0.0.1:57980] [OpenOTP:PMO13QIW] Received accept response from YubiCloud server api.yubico.com
[2025-01-24 09:51:26] [127.0.0.1:57980] [OpenOTP:PMO13QIW] YUBIKEY password Ok (token #1)
[2025-01-24 09:51:26] [127.0.0.1:57980] [OpenOTP:PMO13QIW] Updated user data
[2025-01-24 09:51:26] [127.0.0.1:57980] [OpenOTP:PMO13QIW] Sent login success response
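
The exchange behind the two lines "Sending YubiCloud validation request to 5 servers" and "Received accept response from YubiCloud server api.yubico.com": the client sends the OTP together with its Client ID and a fresh nonce, signed with the Secret Key, and YubiCloud answers with a signed status. The Go program below is an added example, not RCDevs or Yubico code, implementing the YubiCloud validation protocol v2.0 signature on both sides so it runs offline: the Client ID 12345, the 20-byte secret, the OTP string and the contents of the server reply (t, sl, sessioncounter, sessionuse) are all constructed. It shows the two checks a client must make before trusting an answer, whichever of the servers replied first: the HMAC-SHA1 over the alphabetically sorted parameters, and the binding of the reply to this request's otp and nonce, without which a captured status=OK could be replayed against a later login.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// canonical joins every parameter except "h", sorted by name, as k=v&k=v.
// Both the client request and the YubiCloud reply are signed over this form.
func canonical(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k != "h" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	for i, k := range keys {
		keys[i] = k + "=" + params[k]
	}
	return strings.Join(keys, "&")
}

// sign computes h = base64(HMAC-SHA1(apiKey, canonical(params))). apiKey is the
// Secret Key from getapikey after base64 decoding.
func sign(apiKey []byte, params map[string]string) string {
	mac := hmac.New(sha1.New, apiKey)
	mac.Write([]byte(canonical(params)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// BuildVerifyQuery returns the signed query string for GET /wsapi/2.0/verify:
// Client ID, OTP, a fresh nonce (16..40 characters) and timestamp=1 to get the
// session counters back in the reply.
func BuildVerifyQuery(apiKey []byte, clientID, otp, nonce string) (string, error) {
	if len(nonce) < 16 || len(nonce) > 40 {
		return "", errors.New("nonce must be 16..40 characters")
	}
	params := map[string]string{"id": clientID, "otp": otp, "nonce": nonce, "timestamp": "1"}
	params["h"] = sign(apiKey, params)
	v := url.Values{}
	for k, val := range params {
		v.Set(k, val)
	}
	return v.Encode(), nil
}

// ParseResponse turns the key=value lines of a YubiCloud reply into a map.
func ParseResponse(body string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		// split once only: "h" is base64 and may itself end with '='
		if kv := strings.SplitN(strings.TrimRight(line, "\r"), "=", 2); len(kv) == 2 {
			out[kv[0]] = kv[1]
		}
	}
	return out
}

// VerifyResponse accepts a reply only if its signature is valid under our API
// key and it answers this very request (same otp and nonce). Returns the status.
func VerifyResponse(apiKey []byte, body, otp, nonce string) (string, error) {
	r := ParseResponse(body)
	if !hmac.Equal([]byte(r["h"]), []byte(sign(apiKey, r))) {
		return "", errors.New("response signature invalid")
	}
	if r["otp"] != otp || r["nonce"] != nonce {
		return "", errors.New("response does not match this request (otp/nonce)")
	}
	if r["status"] != "OK" {
		return r["status"], fmt.Errorf("yubicloud rejected the otp: %s", r["status"])
	}
	return "OK", nil
}

// MockServerReply builds a reply signed the way YubiCloud signs it; it exists
// only so the client side can be exercised offline. All field values are made up.
func MockServerReply(apiKey []byte, otp, nonce, status string) string {
	params := map[string]string{"t": "2025-01-24T09:51:22Z0123", "otp": otp, "nonce": nonce,
		"sl": "100", "status": status, "timestamp": "1", "sessioncounter": "7", "sessionuse": "1"}
	params["h"] = sign(apiKey, params)
	var sb strings.Builder
	for k, v := range params {
		sb.WriteString(k + "=" + v + "\r\n")
	}
	return sb.String()
}

// ConstructedAPIKey is a made-up 20-byte secret standing in for the Secret Key
// from getapikey; the real one is handed out base64-encoded and must be decoded
// with base64.StdEncoding.DecodeString before use.
func ConstructedAPIKey() []byte {
	return []byte("constructed-secret-k")
}

func main() {
	key := ConstructedAPIKey()
	otp := "vvcccccccccc" + strings.Repeat("cbde", 8) // constructed, not a real OTP
	nonce := "0123456789abcdef0123"
	q, _ := BuildVerifyQuery(key, "12345", otp, nonce)
	fmt.Println("GET https://api.yubico.com/wsapi/2.0/verify?" + q)
	status, err := VerifyResponse(key, MockServerReply(key, otp, nonce, "OK"), otp, nonce)
	fmt.Println("status:", status, "err:", err)
}
```

The nonce is what makes each reply single-use: a reply signed for another nonce verifies cryptographically but is rejected as not answering this request, and a status edited after signing fails the HMAC check.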

Logs when locally validated by OpenOTP

Let's test user authentication with OpenOTP. Return to the MFA Authentication Server in the Application Actions box for the user and click the Test OTP & FIDO Authentication action.

WebADM user test login action

If LDAP authentication is required, enter the LDAP password in the corresponding field; you can also select the policy you want to test the YubiKey against. Then click the Start button.

WebADM user test login page

Then place the cursor in the OTP password field and perform a short touch on your YubiKey to activate Slot 1.

WebADM user test login OTP
WebADM user test login success

Then, go to the Databases tab and navigate to the WebADM Server Log File section to view the logs corresponding to the authentication we just performed.

[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] New openotpNormalLogin SOAP request
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] > Username: john.doe
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] > Domain: rcdevsdocs
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] > LDAP Password: xxxxxxxxxxxx
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] > Client ID: OpenOTP
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] > Source IP: 192.168.3.217
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] > Context: e4b8befbff2104f67155f1bd962c7f94
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Registered openotpNormalLogin request
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Resolved LDAP user: CN=John Doe,CN=Users,DC=rcdevsdocs,DC=com
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Resolved LDAP groups: IT,Enterprise Admins
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Started transaction lock for user
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Found user language: EN
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Found 1 user mobiles: +33612345678
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Found 1 user emails: john.doe@rcdevsdocs.com
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Found 52 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Found 13 user data: ListInit,ListState,AppKeyInit,LastOTP,Device1Type,Device1Name,Device1Data,Device1State,TokenType,TokenKey,TokenState,TokenID,TokenSerial
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Last OTP expired 2025-01-16 11:10:42
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] OTP List present (0/50 passwords used)
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Found 1 registered OTP token (YUBIKEY)
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Requested login factors: LDAP & OTP
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] LDAP password Ok
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Authentication challenge required
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Updated user data
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Started OTP authentication session of ID J2QBq3NqV82h6jL7 valid for 90 seconds
[2025-01-16 11:12:39] [127.0.0.1:43706] [OpenOTP:8B7HX5AJ] Sent login challenge response
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] New openotpChallenge SOAP request
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] > Username: john.doe
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] > Domain: rcdevsdocs
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] > Session: J2QBq3NqV82h6jL7
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] > OTP Password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] Found authentication session started 2025-01-16 11:12:39
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] Started transaction lock for user
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] YUBIKEY password Ok (token #1)
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] Updated user data
[2025-01-16 11:12:59] [127.0.0.1:59728] [OpenOTP:8B7HX5AJ] Sent login success response
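
What "YUBIKEY password Ok" means when no YubiCloud request appears in the log: OpenOTP holds the public identity, private identity and AES key from the imported inventory file and can decrypt the OTP itself. The Go program below is an added example of the Yubico OTP format, not OpenOTP's code, and plays both sides with constructed key material (the public id vvcccccccccc, the private id and the AES key are made up, not the content of any real inventory file). EmitOTP does what the key does on a short touch: it builds the 16-byte token (private id, session counter, timestamp, use counter, random, CRC-16), AES-128-encrypts it and types it as modhex behind the public id. Validate does what a local validator does: it decrypts with the inventoried key, checks the CRC residue and the private id, and requires the session and use counters to move strictly forward, which is what makes a captured OTP worthless a second time.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// The YubiKey types modhex, a keyboard-layout-independent alphabet in which
// "cbdefghijklnrtuv" stands for the hex digits 0..f.
const modhexAlphabet = "cbdefghijklnrtuv"

// hexToModhex maps each hex digit once (a Replacer is single-pass, so "0"->"c" is not mapped on to "r").
var hexToModhex = strings.NewReplacer("0", "c", "1", "b", "2", "d", "3", "e", "4", "f", "5", "g",
	"6", "h", "7", "i", "8", "j", "9", "k", "a", "l", "b", "n", "c", "r", "d", "t", "e", "u", "f", "v")

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi := strings.IndexByte(modhexAlphabet, s[i])
		lo := strings.IndexByte(modhexAlphabet, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the CRC-16/X-25 register the YubiKey uses (reflected poly 0x8408,
// init 0xFFFF, no final XOR); over a complete 16-byte token it must be 0xF0B8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// Credential is what the inventory CSV carries for Slot 1, plus the replay
// state a validator keeps: the counters of the last OTP it accepted.
type Credential struct {
	PublicID  string // 12 modhex characters
	PrivateID [6]byte
	AESKey    []byte // 16 bytes
	LastCtr   uint16 // session counter of the last accepted OTP
	LastUse   uint8  // session-use counter of the last accepted OTP
}

// EmitOTP does what the key does on a short touch: build the 16-byte token
// (uid, session counter, 24-bit timestamp, use counter, random, CRC),
// AES-encrypt it and type public id + modhex(ciphertext).
func EmitOTP(c *Credential, ctr uint16, use uint8, ts uint32, rnd uint16) string {
	var tok, ct [16]byte
	copy(tok[0:6], c.PrivateID[:])
	binary.LittleEndian.PutUint16(tok[6:8], ctr)
	tok[8], tok[9], tok[10], tok[11] = byte(ts), byte(ts>>8), byte(ts>>16), use
	binary.LittleEndian.PutUint16(tok[12:14], rnd)
	binary.LittleEndian.PutUint16(tok[14:16], ^crc16(tok[:14]))
	block, err := aes.NewCipher(c.AESKey)
	if err != nil {
		panic(err) // emulated device side: a bad key length is a programming error here
	}
	block.Encrypt(ct[:], tok[:]) // one AES block, i.e. ECB of a single block
	return c.PublicID + hexToModhex.Replace(hex.EncodeToString(ct[:]))
}

// Validate does what a local validator does with the inventoried key: match the
// public id, decrypt, check CRC and private id, then require the (session, use)
// counters to move strictly forward.
func (c *Credential) Validate(otp string) error {
	if len(otp) != 44 || otp[:12] != c.PublicID {
		return errors.New("not a 44-character OTP for this public id")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(c.AESKey)
	if err != nil {
		return err
	}
	var tok [16]byte
	block.Decrypt(tok[:], ct)
	if crc16(tok[:]) != 0xf0b8 || string(tok[0:6]) != string(c.PrivateID[:]) {
		return errors.New("OTP does not decrypt to this token: wrong key, corrupted, or foreign private id")
	}
	ctr, use := binary.LittleEndian.Uint16(tok[6:8]), tok[11]
	// A re-submitted or older capture sits at or below the last accepted pair.
	if ctr < c.LastCtr || (ctr == c.LastCtr && use <= c.LastUse) {
		return errors.New("replayed OTP: counters not beyond the last accepted")
	}
	c.LastCtr, c.LastUse = ctr, use
	return nil
}

// NewTestCredential returns constructed key material; it is not a real inventory entry.
func NewTestCredential() *Credential {
	return &Credential{PublicID: "vvcccccccccc", PrivateID: [6]byte{1, 2, 3, 4, 5, 6}, AESKey: []byte("constructed-key!")}
}

func main() {
	c := NewTestCredential()
	otp := EmitOTP(c, 7, 1, 0x123456, 0xbeef)
	fmt.Println(otp, "first use:", c.Validate(otp), "replay:", c.Validate(otp))
}
```

The counter pair is the whole replay defence: the validator must persist it per token (OpenOTP keeps it in the user data shown in the log) and must never accept a pair at or below the last one, even after a restart.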

Yubico OATH-HOTP

Program the key

Instead of emitting a 44-character Yubico OTP when it is touched, the YubiKey can be programmed to emit a 6- or 8-digit OATH-HOTP code (RFC 4226). Such codes are validated locally by OpenOTP from the secret in the inventory, so no YubiCloud account is involved.

First, you need to edit some settings in the YubiKey Personalization Tool. Go to the Settings tab and select Log configuration output: Yubico format as shown below:

Yubikey Personalization tool settings page

Now, we will reprogram the YubiKey. Switch to the OATH-HOTP tab and select Advanced configuration. Choose Configuration Slot 2, and disable the option OATH Token Identifier (6 bytes) as shown below:

Yubikey Personalization tool OATH configuration page

Plug in your YubiKey and click the Generate buttons. Then click Write Configuration; you will be prompted to save the inventory file. At this point a long touch on the YubiKey should type a 6- or 8-digit code (Slot 2); check this in a text editor before going further. If it does not, the programming step has failed and none of the following steps will work.

Import it in WebADM

We have now reprogrammed our YubiKey and generated an inventory for it. Next, we will import the inventory file into WebADM to enable the use of this YubiKey within the WebADM/OpenOTP ecosystem.

Now, go to the WebADM Admin GUI and click on the Import tab.

WebADM import first tab

On that page, click the Import Inventory File button.

WebADM import second tab

In the Type of File dropdown, select Yubico CSV and browse for the inventory file you previously created using the YubiKey Personalization Tool.

Click the Import button, and the YubiKey should be successfully imported.

WebADM import success

You can check the inventory table to see the new entry. Click on the Databases tab and then select Inventoried OTP Tokens. You should see the new entry listed there.

WebADM database check Yubikey HOTP

The YubiKey can now be assigned to a user account. This step is covered in the next section.

User Registration

We will now assign this HOTP YubiKey to a user account through the WebADM Admin GUI. To assign the YubiKey, you will need its Reference, which is registered under the Databases tab in Inventoried OTP Tokens.

WebADM database check Yubikey HOTP

In this example, the reference is 4159234.

Now, click on a user account in the left tree, go to MFA Authentication Server, and select Register/Unregister OTP Tokens. Choose the option I use a Hardware Token (Inventoried). In the Token Serial field, enter the reference you previously copied.

WebADM registration HOTP Yubikey

Click on Register, and the YubiKey is now enrolled on the user's account.

WebADM registration HOTP Yubikey success
WebADM user tokens with Yubikey HOTP

If you programmed the key for 8-digit codes, the OTP Length setting in OpenOTP (6 by default, as the OTPLength=6 entry in the logs on this page shows) must be changed to 8 to match; otherwise the 8-digit codes will not validate.

  • It can be reconfigured at the OpenOTP default configuration level. Be cautious, as this will invalidate any 6-digit OTPs that have already been registered across all accounts.

  • Alternatively, the OTP length can be configured at the user level, which will not impact other users' tokens that are registered in 6-digit mode. However, if any 6-digit tokens have already been registered on the user's account where the setting is changed, they will be invalidated.
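
The OTP length point above, as an added Go example that is not OpenOTP's implementation: RFC 4226 HOTP computed from the key's secret, using the RFC's published test secret 12345678901234567890 rather than a real inventory entry, plus a validator that applies a look-ahead window like the HOTPLookAheadWindow=25 visible in the logs on this page and advances its counter past the accepted value so the same code, or any earlier one, cannot be reused. It also shows why the server-side OTP length must match the token's: a code of the wrong length is rejected before any HMAC is computed, and the same secret and counter yield different 6- and 8-digit codes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
)

// HOTP is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation, then the last `digits` decimal digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// HOTPToken is the server-side state for one inventoried HOTP key: the shared
// secret, the configured OTP length, the next expected counter and the
// look-ahead window (HOTPLookAheadWindow in OpenOTP's settings).
type HOTPToken struct {
	Secret    []byte
	Digits    int    // 6 or 8, must match what the key was programmed for
	Counter   uint64 // next counter the server expects
	LookAhead uint64 // how many unobserved presses are tolerated
}

// Verify accepts a code if it matches one of the next LookAhead+1 counters,
// then moves the server counter past the matched value so the same code, or
// any earlier one, can never be accepted again.
func (t *HOTPToken) Verify(code string) error {
	if len(code) != t.Digits {
		return fmt.Errorf("expected %d digits, got %d: OTP length mismatch", t.Digits, len(code))
	}
	for i := uint64(0); i <= t.LookAhead; i++ {
		c := t.Counter + i
		if hmac.Equal([]byte(HOTP(t.Secret, c, t.Digits)), []byte(code)) {
			t.Counter = c + 1
			return nil
		}
	}
	return errors.New("code not within the look-ahead window (resync needed)")
}

// NewTestToken uses the RFC 4226 test secret, not a real inventory entry.
func NewTestToken(digits int) *HOTPToken {
	return &HOTPToken{Secret: []byte("12345678901234567890"), Digits: digits, LookAhead: 25}
}

func main() {
	tok := NewTestToken(6)
	for c := uint64(0); c < 4; c++ {
		fmt.Printf("counter %d: %s (6 digits) %s (8 digits)\n", c, HOTP(tok.Secret, c, 6), HOTP(tok.Secret, c, 8))
	}
	// three presses went unobserved (counters 0..2); the fourth is submitted
	fmt.Println("counter 3 accepted:", tok.Verify(HOTP(tok.Secret, 3, 6)) == nil, "server counter now", tok.Counter)
	fmt.Println("same code again accepted:", tok.Verify(HOTP(tok.Secret, 3, 6)) == nil)
}
```

A key pressed more than LookAhead times without a successful login drifts outside the window and needs a resynchronisation; a larger window makes that rarer but widens the set of codes an attacker could guess against, which is the trade-off behind the value in the logs.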

Test Authentication

Let's test the user authentication with this new token. Return to the MFA Authentication Server in the Application Actions box for the user and click the Test User Authentication action.

WebADM user test login action

If LDAP authentication is required, enter the LDAP password in the corresponding field; you can also select the policy you want to test the YubiKey against. Then click the Start button.

WebADM user test login page

Then place the cursor in the OTP password field and perform a long touch on your YubiKey to activate Slot 2.

WebADM user test login OTP
WebADM user test login success

Then go to the Databases tab and navigate to the WebADM Server Log File section to view the logs corresponding to the authentication we just performed.

[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] New openotpNormalLogin SOAP request
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] > Username: john.doe
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] > Domain: rcdevsdocs
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] > LDAP Password: xxxxxxxxxxxx
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] > Client ID: OpenOTP
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] > Source IP: 192.168.3.217
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] > Context: 14260a3ce73b4a7b46949983c70612d4
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Registered openotpNormalLogin request
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Resolved LDAP user: CN=John Doe,CN=Users,DC=rcdevsdocs,DC=com (cached)
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Resolved LDAP groups: IT,Enterprise Admins (cached)
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Started transaction lock for user
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Found user language: EN
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Found 1 user mobiles: +33612345678
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Found 1 user emails: john.doe@rcdevsdocs.com
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Found 52 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Found 11 user data: ListInit,ListState,AppKeyInit,Device1Type,Device1Name,Device1Data,Device1State,TokenType,TokenKey,TokenState,TokenSerial
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] OTP List present (0/50 passwords used)
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Found 1 registered OTP token (HOTP)
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Requested login factors: LDAP & OTP
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] LDAP password Ok
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Authentication challenge required
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Started OTP authentication session of ID LZJ0SLEjPLjRNcxh valid for 90 seconds
[2025-01-16 15:20:58] [127.0.0.1:53992] [OpenOTP:WR600CKY] Sent login challenge response
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] New openotpChallenge SOAP request
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] > Username: john.doe
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] > Domain: rcdevsdocs
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] > Session: LZJ0SLEjPLjRNcxh
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] > OTP Password: xxxxxx
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] Found authentication session started 2025-01-16 15:20:58
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] Started transaction lock for user
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] HOTP password Ok (token #1)
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] Updated user data
[2025-01-16 15:21:04] [127.0.0.1:54004] [OpenOTP:WR600CKY] Sent login success response

FIDO

The YubiKey can also be registered as a FIDO device through WebADM. Our FIDO documentation explains how to enroll it and use it for authentication; at login time you simply tap the key when prompted.

Please refer to our FIDO documentation

PIV/Smartcard

Issue CSR from Yubikey manager Tool

For this part, we will need to use a different tool than the one used earlier in this documentation. Specifically, you need to install the YubiKey Manager software, which will allow us to complete this procedure.

Once the software is installed and launched, we can generate a CSR by following these steps. Navigate to the Applications tab and go to the PIV page.

Yubikey manager home page

Click on Configure Certificates and then on Generate.

Yubikey manager PIV page
Yubikey manager certificates page
Yubikey manager generation page 1
Yubikey manager generation page 2

At this step, the certificate subject must be the WebADM domain name the user belongs to, followed by a double backslash \\ and then the login name (with the names used on this page: rcdevsdocs\\john.doe).

Yubikey manager generation page 3
Yubikey manager generation page 4

Finally, choose a name for the CSR file. You will also be asked for the PIV management key and the PIN code.

The factory default values are:

  • Management key: 010203040506070801020304050607080102030405060708
  • PIN code: 123456

These defaults are identical on every YubiKey, so anyone with physical access to a key that still uses them can use the management key to generate new keys and import or replace certificates in the PIV slots, and the default PUK (12345678) to reset the PIN. Change the PIN, PUK and management key before the key is handed to a user, and keep the management key where only the enrollment operator can reach it.

Yubikey manager generation page success

Sign CSR with WebADM

Connect to your WebADM GUI and go to the Admin tab. There, click on Sign External Certificate Request. On this page, select the certificate you previously generated, then click on Sign Certificate Request File.

WebADM signing csr page
WebADM signing csr page success

Don't forget to download the signed certificate in order to inject it on the key.

Inject the CRT on the key

Go back to YubiKey Manager, navigate to the PIV menu, and select Configure Certificates. Then, click on Import to inject the signed certificate onto the key. You will be prompted to enter the management key again.

Yubikey Manager injection success

The key is now ready for smartcard-based authentication.

Certificate Import on the user account

To finalize the configuration of the key, we need to import the certificate for the user who will authenticate. In your WebADM GUI, go to the page of an activated user and click on Create Certificate from the LDAP actions box.

WebADM user certificate action

Click on the Import Cert button. On the following page, select the same certificate file that was imported into the YubiKey, then click on Import Certificate File.

WebADM user certificate import

After that, you should be able to see the imported certificate listed next to the User Certificate attribute on the user's page.

The smartcard can now be used with OpenOTP and supported integrations, such as Windows login through the OpenOTP Credential Provider.