Nordic Edge
One Time Password Server
Administration Manual V3
About Nordic Edge®
Nordic Edge AB is a provider of platform independent products focused on security and identity management. With extensive knowledge of directory services and security infrastructure, Nordic Edge provides products with unique applications for our customers to simplify information access and administration processes. As a result of the capabilities of Nordic Edge software and solutions, Intel acquired Nordic Edge in 2011 to serve as an important pillar of Intel’s secure cloud initiatives.
For more information, www.nordicedge.com
Trademarks
Nordic Edge is a registered trademark.
All third-party trademarks are the property of their respective owners.
One Time Password Server - Overview
OTP Client SDK (Software Developer Kit)
New improved configuration interface
Identity Manager for OTP is included
Pledge Enrollment for users is included
Expired Password Notification detection
New database type, RADIUS forward.
Support for YubiKey from Yubico
Support for OATH Token identifier auto enrollment
Support for multiple RADIUS UDP port listeners
Support for external OTP creation and verification by API
Native OTP Clients can be named
New OTP Client type, Web service
Force one-time password delivery method
Reply-Message for RADIUS Reject
Resynch of OATH devices (HOTP/TOTP)
Multiple OATH key support for SQL databases
Auto register SMS demo account
PIN code for one-time passwords
Fail-over user stores and one-time password servers
Hardware server or Virtual Machine
Installing One Time Password Server version 3
Configuration Interface and object overview
The Configuration Pane (Right)
Account Settings (HOTP not enabled)
Account Settings (With HOTP enabled)
Create New JDBC/ODBC (SQL) User Database.
SQL Queries (HOTP not enabled)
Create Forward RADIUS database
Advanced, RADIUS Client Attribute Detection, Listen on RADIUS ports
Advanced, Native Client Name Detection
Advanced Automatic OATH Enrollment with LDAP database
Proxy Sending of Prefetch OTPs
Force sending Prefetch OTP with Method
Starting and Stopping the OTP Server
OTP Server Statistics (Show Details)
Authentication | Authentication is the process of determining whether someone or something is who or what they declare to be. |
Authorization | Authorization is the process of deciding if someone or something has permission to access or use resources that have been permitted to them. |
JDBC | Java Database Connectivity (JDBC) is an application program interface (API) specification for connecting programs written in Java to the data in popular databases. |
ODBC | Open Database Connectivity (ODBC) is an open standard application programming interface (API) for accessing a database. |
LDAP | LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP). |
OATH | Open Authentication (OATH) is an open standard designed to enable strong authentication for devices from multiple vendors. OTP Server supports tokens using the OATH standards HOTP/TOTP. http://support.nordicedge.com/nordic-edge-one-time-password-server-oath-integration |
OTP Server | Nordic Edge One Time Password Server |
OTP Client Native Client | Nordic Edge Client that uses the OTP Server APIs to communicate with the OTP Server. |
RADIUS | Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. |
Nordic Edge OTP OnDemand | This is a hosted service that enables our customers to use strong authentication without the need to install the product in their own environment. The Nordic Edge OTP On-Demand is accessed via Web Services. |
Pledge | The mobile client from Nordic Edge that uses HOTP (RFC 4226) or TOTP (RFC 6238) from OATH to turn the mobile device into a security token device. |
Nordic Edge One-time password Server secures and protects applications and systems with strong, multi-factor authentication.
Nordic Edge One-time password Server (OTP Server) adds an extra layer of security that is flexible and efficient to implement, giving applications and systems strong, multi-factor authentication. Combining username and password with a second method, such as a one-time password sent to a mobile device, is a powerful way to protect the "key" (the authentication process) to an organisation's different applications and systems.
When the username and password are successfully verified by the OTP Server against the defined user store or stores, a one-time password is distributed to the end-user. The user is only authenticated to the application or system if the OTP Server successfully verifies the one-time password entered by the end-user.
The OTP Server has many methods to generate and distribute one-time passwords to end-users, such as SMS to a mobile phone, e-mail, different instant messaging systems (Skype, Google Talk, MSN) and others.
The OTP Server also supports different types of devices (tokens) that use the OATH HOTP (RFC 4226) or TOTP standards to generate the one-time passwords. Nordic Edge also offers the mobile client Pledge, which uses these standards to turn a mobile device into a security token device.
It is easy to integrate the OTP Server with systems and applications that support RADIUS, or to use one of the many native integration modules that Nordic Edge provides.
A wide range of integration modules exist for Citrix, Microsoft Outlook Web Access, GroupWise Web Access, VPN (Cisco, Checkpoint, F5, Bluecoat, Juniper etc.), Apache Reverse Proxy and Web Server, Microsoft IIS and more. Other applications can easily be integrated using our APIs or Web Services.
Any operating system that supports a Java Virtual Machine (JVM) version 1.6 or higher, for example Microsoft® Windows® *, Linux™, Sun® Solaris®, IBM® AIX, Mac OS X.
64-bit and 32-bit operating systems are supported.
* Windows Server 2003/2008 R2 and earlier versions.
The Java Client API can be used for integration with applications where Nordic Edge® does not provide an integration module. It is described in the document “OTPClientAPI.pdf”.
COM/.NET APIs can be downloaded from http://www.nordicedge.com
There have been major changes in this release in terms of a new configuration Interface, new and updated functions and other improvements of the core product. Some of the new features are described below.
The configuration interface is new and has been updated to improve the functionality and logic in order to make it even easier to configure the OTP Server.
The OTP Server is now shipped with a preconfigured version of the Nordic Edge Identity Manager Portal deployed on the included Tomcat server. It can be used by administrators and helpdesk personnel to administer specific user information in the user stores (databases) used by the OTP Server. It can also be used as a self-administration portal for end-users to change specific information about themselves.
This web application is applied on the included Tomcat server and is used to let the end-users follow an easy step by step auto enrollment process to download a Pledge profile with included HOTP key. The application uses a web services interface to integrate with the Nordic Edge Profile Factory services where customers can design the look and feel and security options regarding their Pledge profiles.
The OTP Server can now detect and notify the end-users that their password has expired.
The OTP Server can separate connections from the same RADIUS Client based on the type of request that includes different RADIUS attributes.
The OTP Server can use this type of database to pass through and forward the RADIUS request to another RADIUS server. It can be used to support RSA SecurID or SafeWord tokens, to integrate with other RADIUS servers, or in migration scenarios with legacy tokens.
It is easy to import keys into a database and store the key information in an LDAP directory or SQL database.
The OTP Server RADIUS module can be configured to listen on multiple UDP ports so that clients can be assigned to a specific port.
An external OTP algorithm can use the API to handle the creation and verification of OTPs.
Integration modules that use the native client API can now have a name assigned to them. The name can be used to assign separate native clients to a specific configuration in the OTP Server even if they connect from the same IP address.
A new Web service OTP Client is available for any application or system using Web services. The Web service OTP Client functionality corresponds to the One Time Password Native Client API, exposed as SOAP services. More information is available at http://support.nordicedge.com/otp-server-web-service-client-api-soap
One-time password delivery method can be configured at OTP Client level. This feature will override the automatic delivery method selection.
OTP Server supports Hashed PIN-codes, SHS, SSHA and MD5.
OTP Server can reply with a customizable message if authentication fails, a system error occurs or the one-time password is wrong.
The anti-replay check will only allow a TOTP once within the timeframe. The OTP Server keeps track of used OTPs for each TOTP device within the accepted timeframe.
Max out of synch time steps can be configured which allows TOTP devices to be used within the specified numbers of time steps.
The OTP retries function allows end-users to easily try again if they failed to answer with the correct one-time password the first time.
A new API for resynch of OATH by sending two OTPs in sequence. See more information http://support.nordicedge.com/nsd1326-how-to-re-synchronize-oath-tokens-with-oathresyncwebapp
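The TOTP anti-replay check and the "max out of synch time steps" setting described above, as an added example that is not part of this manual or of the product's code: an RFC 4226 HOTP function, a TOTP wrapper (RFC 6238), and a verifier that accepts a code within a configurable number of time steps of the current one but accepts each time step only once per device. The function and class names, the 30-second step and the 6-digit length are this example's assumptions; the key and the codes in the comments are the RFC 4226/6238 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the Unix epoch."""
    return hotp(key, int(at_time) // step, digits)


class TotpVerifier:
    """Accepts a TOTP within +/- max_out_of_sync_steps of the current step, once per step."""

    def __init__(self, max_out_of_sync_steps: int = 1, step: int = 30, digits: int = 6):
        self.max_steps = max_out_of_sync_steps
        self.step = step
        self.digits = digits
        # device id -> set of step counters already redeemed (the anti-replay record)
        self._used = {}

    def verify(self, device_id: str, key: bytes, otp: str, now: float) -> bool:
        current = int(now) // self.step
        window = range(current - self.max_steps, current + self.max_steps + 1)
        used = self._used.setdefault(device_id, set())
        used.intersection_update(window)  # forget counters that fell out of the window
        for counter in window:
            if hmac.compare_digest(hotp(key, counter, self.digits), otp):
                if counter in used:
                    return False  # same OTP presented again inside the timeframe: replay
                used.add(counter)
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 4226 / RFC 6238 test key
    print(hotp(key, 0))                    # 755224
    print(totp(key, 59))                   # 287082 (RFC 6238 vector truncated to 6 digits)
    v = TotpVerifier(max_out_of_sync_steps=1)
    print(v.verify("device-1", key, "287082", 59))   # True, first use
    print(v.verify("device-1", key, "287082", 61))   # False, replay inside the window
```

The verifier keeps only the counters inside the accepted window, so the anti-replay record per device never grows beyond 2 * max_out_of_sync_steps + 1 entries.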
Send one-time passwords using SMS and e-mail for an easy way to let users access remote applications using two-factor authentication.
This plug-in delivers one-time passwords using SMS via the Nordic Edge hosted SMS gateway. The Nordic Edge SMS Gateway supports automatic fail-over for service and SMS operator delivery, usage statistics, SMS status control and easy setup.
A demo account on the Nordic Edge SMS Gateway will be created automatically when installing the new version of OTP Server. This account can later be replaced with a production account or another means of SMS delivery.
Use any LDAP compliant directory service to look up users and user attributes. OTP Server does not use any proprietary user stores.
Use any JDBC compliant database to look up users and user attributes. OTP Server does not use any proprietary user stores.
For one specific client you can add as many user stores as you want. This can be used for fail-over, for users held in separate user stores, or when one set of users should receive their one-time passwords by SMS and another set by e-mail.
The Test tool is a stand-alone application to test the OTP Server. Use this tool to test that the user store is configured correctly and that the one-time password distribution plug-in is working as expected. The Test tool supports the OTP native API and the RADIUS protocol.
The APIs can be used to read and set OTP Server configuration from a remote client. This is ideal for bundled applications, servers with limited access and graphical interfaces.
PLEDGE is a mobile client application used to generate one-time passwords based on the OATH algorithm. The one-time password can be used to achieve strong authentication to services.
The client supports multiple profiles and is available on multiple platforms such as iPhone, Android, Windows Mobile and any mobile phone that supports Java Micro Edition (JME).
OTP Server supports tokens based on the OATH standard (HOTP, TOTP). Nordic Edge is a member of the OATH initiative.
OTP Server can be configured to handle error alerts and send them to a list of administrators using SMS or e-mail. This way system administrators can be notified immediately when errors occur.
OTP Server can be configured in less than a day, with full user store, SMS delivery and application integration.
The APIs can be used to create custom integrations between applications and OTP Server. The Java API is always included in the OTP Server installation. COM/.NET APIs can be downloaded from the product site.
Use the plug-in interface to write custom one-time password distribution plug-ins.
If there is a need for very specific demands on how to handle user stores, a custom database handler can be written to override the internal database handler. This is an advanced feature.
Use this feature to add an extra PIN code to the one-time passwords for extra protection. The PIN code is stored in the user directory.
The Prefetch feature can be used to let users or administrators store one-time passwords in scenarios where no mobile coverage is possible. The one-time passwords can be stored as an SMS in the mobile or mail account, printed on cards or paper etc. All controlled with a web administration application.
Multiple user stores can be grouped together for fail-over. If the user cannot be found in the first user store, look in the second. All client integrations can be configured for multiple OTP Servers.
OTP Server can act as a RADIUS server to support any RADIUS aware application. Most VPN solutions have RADIUS support. It is easy to configure integrations with Cisco, Checkpoint, Appgate, Juniper etc.
OTP Server comes with several integrations such as Microsoft Outlook Web Access, Microsoft Forefront Threat Management Gateway, Forefront Unified Access Gateway, Citrix Access Gateway, Microsoft SharePoint, EPiServer, Citrix Presentation Server, Citrix Web Interface, Citrix XenApp Server, Apache Reverse-Proxy, CA Siteminder and many more.
OTP Server can be run on any Java compliant platform. This includes Windows, Linux, Solaris, HP-UX, Mac OS X etc.
OTP Server can store both persistent and one-time session data. This can be used in Single Sign-on scenarios or whenever there is a need to store data in a session store.
The APIs can be used to get any available user attribute from the directory service. Do you need to read the user’s mail address, last-logon-time or address? This is easy using the APIs.
A step-by-step guide to implementing Pledge Enrollment with OTP Server 3 is available here:
http://support.nordicedge.com/step-by-step-guide-to-implement-pledge-enrollment-to-otpserver-3/
Nordic Edge One Time Password Server can be integrated with applications and systems using different types of integration modules. This can be done using RADIUS to integrate with VPN services, using the Java and .NET/COM APIs that the Nordic Edge integration modules are built on, or using the on-demand web services.
Most VPN/RADIUS aware products can be integrated without any installation since the OTP Server can act as a RADIUS server. Just configure the VPN/RADIUS product and the Nordic Edge OTP Server and the integration is done.
By using the OTP Server Client APIs it is possible to add strong authentication to your custom applications. The integration can also be done using the hosted service, Nordic Edge OTP On-Demand, which is accessed via Web Services.
Citrix Access Gateway 4.2
Citrix Access Gateway 4.5
Citrix Access Gateway 5.X VPX
Citrix Access Gateway Enterprise Edition (Netscaler VPX)
Citrix Presentation Server 4.6
Citrix Web Interface 4.0/4.2
Citrix Web Interface 4.5
Citrix Web Interface 5.4
Citrix XenApp Server 5.1
Citrix XenApp Server 5.2/5.3
ISA Server 2006
TMG 2010
UAG 2010
IIS 6.0
IIS 7.x - IIS Custom AD Membership Provider - ASP.NET
Outlook Web Access 2003
Outlook Web Access 2007
SharePoint 2007 AD Membership Provider - ASP.NET
SharePoint 2010 AD Membership Provider - ASP.NET
IIS Custom AD Membership Provider - ASP.NET
EPiServer AD Membership Provider - ASP.NET
EPiServer SQL Membership Provider - ASP.NET
IChain 2.3
Novell Access Manager
Groupwise Web Access 6
Groupwise Web Access 7
Apache Reverse Proxy
Apache Web Server 1.3/2.0
Siteminder
Lotus Domino (Apache Proxy)
Check http://nordicedge.com/products/one-time-password-server/integrations for information about new or updated integration modules and configuration guides.
OTP Server can act as a RADIUS server to support most VPN and other RADIUS aware applications. The VPN/RADIUS application should support RADIUS challenge/response standard for the best integration.
Below are some of the tested and approved vendors.
OTP Server can easily be integrated into custom applications by using our programming APIs. Java and .NET/COM APIs are available. The latest Java API is always included in the latest OTP Server release. The .NET/COM API is usually updated after the OTP Server release and can be downloaded from the Nordic Edge web site.
We will use Windows as an operating system to show how the installation process is done on this platform. The install utility and process is pretty much the same on other operating system platforms.
There are two versions of the install program for each operating system platform, one with a bundled version of Java and one without. In this example we will use the bundled version, which is the recommended version.
1. Start the installation program, in this case the file otp3install.exe and follow the instructions.
2. Click on Next to continue.
3. Read the license agreement and select “I accept the terms of the License Agreement". Click Next.
4. Select the required Install Set. Full Installation or Remote Configuration GUI only.
5. Select where to install the OTP Server and Click on Next.
6. Choose the license.dat that you have received via e-mail or other media from Nordic Edge and Click on Next.
7. Click the checkbox if the OTP Server process will be installed as a Windows Service. Click Next to continue.
8. Select where to place shortcuts and product icons to manual start the OTP Server process and configuration interface. Click Next to continue.
9. Review the pre-Installation summary. Click on Install to continue the process.
10. The picture below shows that the installation is successful and that the installation process is finished. Click on Next to continue.
11. Decide if you want to start the OTP Server process as the last action and begin configuring the OTP Server. Click Done to end the installation process.
Start the administration console OTP Configurator by selecting the product icon that was created during the installation, or start the OTP Server process and click on the Configuration button (the location and start procedure differ depending on which operating system is used).
The main configuration console window is divided in different parts.
In general, you perform administration tasks by selecting a configuration category object in the left pane and configuring the options in the right pane. Some categories have subcategories, which can be selected by expanding the category object in the same way you browse for folders in your file system.
This pane is used to select which kind of object type will be created, configured, deleted or shown in the Configuration Pane (right). It is divided into nine categories.
The Server configuration object includes basic configuration options for the OTP Server. It includes options for IP Address, Port number, OTP- Length and the configured clients that are allowed to connect to the OTP Server etc.
The RADIUS configuration object is used to enable and configure options for the OTP Server to act as a RADIUS server for other systems acting as RADIUS clients to the OTP Server.
The Logs configuration object includes configuration options for how the OTP server will handle logging and log files.
OTP Server can be configured to handle errors and alerts and send them to a list of administrators using SMS or e-mail. This can be used to notify administrators immediately when an error occurs.
The License configuration object includes configuration options and license information.
The database objects contain configuration on how the OTP Server can connect to various user stores to authenticate users and, if needed, read information from them.
The client objects contain configuration on how other systems (allowed clients) can connect and communicate with the OTP Server and which database the client shall use to authenticate the users.
This category can be used to enable and configure one or more delivery methods that the OTP Server can use to send the one-time passwords. The following methods are available.
This category includes configuration objects for the following functions.
This Pane shows information on different options that can be configured depending on which kind of object type that is selected in the Select Pane (left).
Left Button
Right Button
The button Save Config writes the configuration from memory to the otp.properties file in the selected install directory. This file is read by the OTP Server when it starts or if a configuration change requires that it must save the configuration and reread it again to update the configuration.
This button is used to exit and close the configuration interface. The system checks if the configuration in memory has been changed before it closes the interface. If a change has occurred, a warning message is displayed and gives the administrator the opportunity to save the configuration or cancel the exit operation.
This chapter will go through the overall configuration process. In general a typical configuration and integration of the OTP Server is done by going through these steps.
You can find quick start guides on how to configure the OTP Server in different environments from the Nordic Edge web site.
http://support.nordicedge.com/category/step-by-step-guides-to-implement-one-time-password-server
The Server configuration object includes basic configuration options for the OTP Server. It includes options for IP address, Port number, OTP-length and the configured clients that are allowed to connect to the OTP Server etc.
Option | Description |
Portnr | The Port number for the OTP Server native clients. Portnr 3100 is default. |
Bind to This IP Address | Binds to a specific IP-address at the OTP Server. If the check box ”All” is checked, the OTP Server will bind to all available IP-addresses. |
Client Session Timeout | The timeout in milliseconds that the client connection to the OTP Server can be idle (0=No Timeout). |
Option | Description |
Check Mobile Number | If the Mobile Number should be checked for any non-number characters (MSISDN). Any such character will be removed (included space). The ”+” character is not affected by this control. |
Default Country Prefix | If the Mobile Number lacks a country prefix, this will add a default prefix to it (e.g. +46) and remove any leading zeros. |
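The two mobile number options above, applied in code as an added example (not the product's own implementation): non-digit characters are removed when Check Mobile Number is on, a leading "+" survives, and a number without a country prefix gets the Default Country Prefix with its leading zeros dropped. The function name is this example's; the page does not say how the server decides that a number "lacks a country prefix", so this example assumes that means no leading "+".

```python
import re


def normalize_msisdn(number: str, check_mobile_number: bool = True,
                     default_country_prefix: str = "") -> str:
    """Apply the Check Mobile Number and Default Country Prefix options to a raw number."""
    n = number.strip()
    if check_mobile_number:
        # remove every non-digit character (spaces included); a leading "+" is preserved
        has_plus = n.startswith("+")
        n = re.sub(r"\D", "", n)
        if has_plus:
            n = "+" + n
    if default_country_prefix and not n.startswith("+"):
        # assumption of this example: a number without "+" has no country prefix;
        # prepend the default prefix and drop the leading zeros of the national format
        n = default_country_prefix + n.lstrip("0")
    return n


if __name__ == "__main__":
    # constructed sample inputs, not real subscriber numbers
    for raw in ("070-123 45 67", "+46 70 123 45 67", "0701234567"):
        print(raw, "->", normalize_msisdn(raw, True, "+46"))
```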
Option | Description |
OTP Length | The number of characters to send as an OTP. |
OTP Time | If a one-time password has not been used before this time, it will be removed. (For unlimited time enter 0 or a blank value). |
OTP Retries | Enables the end-user to automatically get a new OTP if the first OTP was not correct. Set the number of additional retries a user has for answering with a correct OTP. Set "0" to disable this function. Only available for RADIUS OTP clients. |
Retry Message (OTP Retries) | The retry message to the end-user when a wrong OTP was entered. |
Regenerate Timeout | The time in seconds that users can request a single OTP. Use this parameter to prevent users from hitting submit/login button multiple times and generate multiple OTPs. Set value 0 to disable this. |
OTP Composition | Select the composition of the one-time password. Choose between: Digits (digits 0-9 are allowed); Letters & Digits (letters are case sensitive); Custom Characters (click the Edit button to define the available OTP characters; supported characters are Aa-Zz and 0-9, other characters may not be transferred correctly; note that characters are case sensitive). |
Option | Description |
All Clients are Allowed | If the check box is checked, all native clients are allowed. |
Allowed Clients | A comma (,) separated list of IP addresses for native clients that are allowed to use the OTP Server. If blank, all clients can connect. |
Allow remote configuration | Check the box to allow remote configuration through the Nordic Edge Client API or the remote OTPConfiguration client. Enter a remote password for the connection. |
This part regards whether the messages between OTP Server and the OTP Client will be encrypted or not.
Option | Description |
No encryption | The message between OTP Server and OTP-client will not be encrypted. |
Encryption if Client does encryption | The message will be encrypted if the OTP-client encrypts. |
Always Encryption | The messages will always be encrypted. The OTP-client must accept encryption or be rejected. |
Option | Description |
Enable Monitor | Check this to start the Statistics Monitor when the OTP Server starts. The Monitor also allows dynamic configuration updates during runtime. This option requires GUI support on the server. |
Debug | Check this if debug should be displayed in the console window. |
Use Secure Random | Check this to use a more complex random algorithm (java.security.SecureRandom) when generating the Challenge. This function will require more CPU power. |
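An added example, not the product's code, of the one-time password options in the tables above working together: OTP Length and OTP Composition decide the alphabet and size, a cryptographic random source stands in for the Use Secure Random option, OTP Time removes an unused password after its lifetime, and Regenerate Timeout hands back the same password when a user submits again inside the timeout. The class and function names are this example's, and the units for OTP Time are assumed to be seconds here (the page does not state them); Regenerate Timeout is in seconds as the page says.

```python
import hmac
import re
import secrets
import string

# OTP Composition choices as named in the configuration interface
COMPOSITIONS = {
    "Digits": string.digits,
    "Letters & Digits": string.ascii_letters + string.digits,
}


def otp_alphabet(composition: str, custom_chars: str = "") -> str:
    """Resolve the OTP Composition setting to the set of allowed characters."""
    if composition == "Custom Characters":
        if not re.fullmatch(r"[A-Za-z0-9]+", custom_chars or ""):
            raise ValueError("custom OTP characters must be Aa-Zz or 0-9")
        return "".join(dict.fromkeys(custom_chars))  # de-duplicate, keep order
    try:
        return COMPOSITIONS[composition]
    except KeyError:
        raise ValueError(f"unknown OTP composition: {composition!r}") from None


def generate_otp(length: int, composition: str = "Digits", custom_chars: str = "") -> str:
    """Draw `length` characters with a cryptographic RNG (the role of Use Secure Random)."""
    alphabet = otp_alphabet(composition, custom_chars)
    return "".join(secrets.choice(alphabet) for _ in range(length))


class OtpStore:
    """Pending OTPs per user, honouring OTP Time (expiry) and Regenerate Timeout."""

    def __init__(self, otp_time_s: int, regenerate_timeout_s: int,
                 length: int = 6, composition: str = "Digits"):
        self.otp_time_s = otp_time_s                      # 0 = unlimited lifetime
        self.regenerate_timeout_s = regenerate_timeout_s  # 0 = disabled
        self.length = length
        self.composition = composition
        self._pending = {}  # user -> (otp, issued_at)

    def issue(self, user: str, now: float) -> str:
        pending = self._pending.get(user)
        if pending and self.regenerate_timeout_s and now - pending[1] < self.regenerate_timeout_s:
            return pending[0]  # repeated submit inside the timeout: no second OTP is generated
        otp = generate_otp(self.length, self.composition)
        self._pending[user] = (otp, now)
        return otp

    def verify(self, user: str, otp: str, now: float) -> bool:
        pending = self._pending.get(user)
        if pending is None:
            return False
        stored, issued_at = pending
        if self.otp_time_s and now - issued_at > self.otp_time_s:
            del self._pending[user]  # not used within OTP Time: removed
            return False
        if not hmac.compare_digest(stored, otp):
            return False
        del self._pending[user]      # one-time: consumed on the first successful use
        return True


if __name__ == "__main__":
    store = OtpStore(otp_time_s=60, regenerate_timeout_s=10, length=6)
    code = store.issue("jdoe", now=1000)
    print(code, store.issue("jdoe", now=1005) == code)   # second submit returns the same OTP
    print(store.verify("jdoe", code, now=1020))          # True
    print(store.verify("jdoe", code, now=1021))          # False, already consumed
```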
You can define Global configuration option for the server and clients.
Option | Description |
Prevent SQL Injection Attacks | For JDBC/ODBC user databases. Checks all usernames and passwords against the following patterns: ', ", or, select, drop, --, insert. If any of these patterns are detected in either the username or password, the user authentication will be denied. |
Use whitelist (SQL databases) | The OTP Server will only accept whitelisted characters. Define a list of acceptable characters for username and passwords. The list can be Regular Expression (RegEx) or a list of characters. |
Is RegEx | Enable Regular Expression in the Whitelist for SQL databases. |
Test | The test window enables administrators to verify characters against the configured Whitelist for SQL databases. |
Prevent LDAP Injection Attacks | For LDAP user databases. Checks all usernames against the following characters: *, (, ), &. If any of these characters are detected in the username, the user authentication will be denied. |
LDAP idle reconnect | The number of minutes an LDAP connection can be idle before the OTP Server forces a reconnect to the LDAP server. Set the value 0 to disable reconnect. Note. This value should be lower than any firewall idle timeout configured between the OTP Server and LDAP server. |
LDAP follow referrals | Check the box, to automatically follow LDAP referrals. |
Set System Charset | Can be enabled to select system character set other than the default UTF8. Note, this requires all the Native Clients to be configured to use the same character set. |
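The three input checks from the global options table, written out as an added example (this is not the product's implementation): the SQL pattern deny list, the SQL whitelist in both its character-list and RegEx forms, and the LDAP character check. The page does not say whether the SQL patterns are matched case-insensitively or as whole words, so this example assumes keyword patterns match as whole words ignoring case (a user named "george" is not denied for containing "or") while symbol patterns match literally; the function names are this example's.

```python
import re

# patterns listed for the "Prevent SQL Injection Attacks" option
SQL_DENY_PATTERNS = ("'", '"', "or", "select", "drop", "--", "insert")
# characters listed for the "Prevent LDAP Injection Attacks" option
LDAP_DENY_CHARS = "*()&"


def _deny_regex(pattern: str):
    # assumption of this example: keyword patterns match whole words, case-insensitively;
    # symbol patterns ("'", '"', "--") match anywhere, literally
    if pattern.isalpha():
        return re.compile(r"\b" + re.escape(pattern) + r"\b", re.IGNORECASE)
    return re.compile(re.escape(pattern))


def sql_injection_allowed(username: str, password: str,
                          patterns=SQL_DENY_PATTERNS) -> bool:
    """Prevent SQL Injection Attacks: deny if any pattern occurs in either value."""
    return not any(_deny_regex(p).search(value)
                   for value in (username, password) for p in patterns)


def whitelist_allowed(value: str, whitelist: str, is_regex: bool = False) -> bool:
    """Use whitelist (SQL databases): only listed characters, or a full-match RegEx."""
    if is_regex:
        return re.fullmatch(whitelist, value) is not None
    return all(ch in whitelist for ch in value)


def ldap_injection_allowed(username: str, deny_chars: str = LDAP_DENY_CHARS) -> bool:
    """Prevent LDAP Injection Attacks: deny if the username contains a listed character."""
    return not any(ch in username for ch in deny_chars)


def credentials_accepted(db_type: str, username: str, password: str, *,
                         use_whitelist: bool = False, whitelist: str = "",
                         is_regex: bool = False) -> bool:
    """Gate a login attempt the way the global options describe, before any user store query."""
    if db_type == "sql":
        if not sql_injection_allowed(username, password):
            return False
        if use_whitelist:
            return (whitelist_allowed(username, whitelist, is_regex)
                    and whitelist_allowed(password, whitelist, is_regex))
        return True
    if db_type == "ldap":
        return ldap_injection_allowed(username)
    raise ValueError(f"unknown database type: {db_type!r}")


if __name__ == "__main__":
    # constructed sample logins: a plain name, a name with an apostrophe, a name with "*"
    print(credentials_accepted("sql", "jdoe", "Secr3t!"))             # True
    print(credentials_accepted("sql", "o'brien", "Secr3t!"))          # False: "'" is a deny pattern
    print(credentials_accepted("ldap", "j*doe", "Secr3t!"))           # False: "*" is denied
    print(credentials_accepted("sql", "j.doe", "pw", use_whitelist=True,
                               whitelist=r"[a-z.0-9]+", is_regex=True))  # True
```

Note the consequence visible in the second line: the apostrophe rule also denies legitimate names such as "o'brien", so the whitelist option, where a precise character set or RegEx can be given, is the more predictable of the two SQL controls.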
The RADIUS configuration object can be enabled to configure options for the OTP Server to act as a RADIUS server for other systems acting as RADIUS clients to the OTP Server.
Option | Description |
Enable Radius | This enables the RADIUS server |
Portnr | The RADIUS Port number. Note, RADIUS uses UDP not TCP! Default: 1645. |
Bind to this IP-address | Binds the RADIUS server to a specific IP-address. If the checkbox ”All” is checked, the RADIUS server will bind to all available IP-addresses. |
Timeout | The time in milliseconds the OTP Server will wait for an answer from the RADIUS client (0=No timeout). |
Debug Packets | Enables or disables RADIUS Packets debugging to log file or system console. |
Check the box “Enable” to activate the OTP Server to listen on multiple RADIUS ports.
Option | Description |
Port Number | Choose the alternative Port number to listen on. |
Used by Client | Shows which client is listening on this port number. |
The database objects contain configuration information about how the OTP Server can connect to various user stores to authenticate users and, if needed, read information from them. The following types of user databases are supported by the OTP Server:
There are three different ways to create and configure database objects.
The type of configuration actions that can be performed are described below.
OTP Server can use any LDAP, ODBC or JDBC database as an OATH database with Nordic Edge Pledge, YubiKey or any OATH compliant tokens. Selecting the "Use HOTP or TOTP (OATH)" check box in the database configuration activates OATH instead of sending the OTP via SMS.
Tip: The same user store can be used for OTP over SMS as well as OATH tokens; just configure two databases in OTP Server and select different attributes, e.g. "Mobile" and "carLicense".
Option | Description |
Host Address | Enter the IP address or DNS name of the LDAP server. For multiple LDAP hosts (replicas) enter both the IP address/DNS name with port number and separate the LDAP hosts with the space character. Examples: myhost hishost:389 herhost:5000 whathost |
Port number | Port number (389 is the default port for non-SSL, 636 is the default for SSL). |
SSL & TLS | Check the box if SSL or TLS are to be used for this connection. In order to use SSL or TLS, the LDAP-server certificate must be installed in the OTP Server. Use the “Certificates” button to configure SSL or TLS certificates. |
Admin DN | An Admin DN (Distinguished Name) for authentication that the OTP Server will use to search for users and modify the Account Disable attribute. This user account must have read and write access rights to the Account Disable attribute for all user objects. Note, if no Admin DN is provided, an anonymous bind will be performed against the LDAP server. |
Admin Password | The password for the selected admin user. |
Test LDAP connection | Test the LDAP connection with the specified values. |
Option | Description |
Search Base DN | The starting point from where the OTP Server will search for user objects in the directory, for example: ou=users,o=acme. Use the browse button to select the search base. |
Search Scope | BASE, search on only the Search Base DN object itself. ONE, search from the Search Base DN object and one level below. SUB, search from the Search Base DN and all levels below. |
Nr of Connections | The number of concurrent connections the OTP Server will have in the pool to this LDAP-server. |
Search Filter Start | The beginning of the search filter. The user input (username) is added after this string. Example: (&(cn= |
Search Filter End | The end of the search filter. The user input (username) is added before this string. Example: )(objectclass=inetorgperson)) With a Search Filter Start of "(&(cn=" and a user input of "jdoe" the resulting search filter is: (&(cn=jdoe)(objectclass=inetorgperson)) |
Samples | Select a sample Search Filter Start and Search Filter End based on the type of LDAP directory. |
Test LDAP Authentication | Test an LDAP authentication. |
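The filter assembly described above concatenates the administrator's Search Filter Start, the raw username and the Search Filter End. The following is an added example (not Nordic Edge code) showing that assembly with the username escaped per RFC 4515, so that filter metacharacters typed as a login name stay literal; the function names are my own.

```python
# Added example: OTP Server style filter assembly with RFC 4515 escaping of
# the user-supplied part.  Only the username is escaped; the start/end
# fragments are the administrator's own configuration and go in verbatim.

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_LDAP_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(filter_start: str, filter_end: str, username: str) -> str:
    """Mimic the documented concatenation: start + user input + end,
    with the user input escaped first."""
    return f"{filter_start}{escape_filter_value(username)}{filter_end}"


if __name__ == "__main__":
    start, end = "(&(cn=", ")(objectclass=inetorgperson))"
    print(build_search_filter(start, end, "jdoe"))
    # (&(cn=jdoe)(objectclass=inetorgperson))
    print(build_search_filter(start, end, "*"))
    # (&(cn=\2a)(objectclass=inetorgperson))  - a bare wildcard stays a literal
```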
Option | Description |
OTP Attribute | The attribute(s) that OTP Server looks in to find out how to deliver OTPs, for example a mobile phone number or email address. When the first attribute is empty, OTP Server looks in the next attribute. Use the browse button to search the LDAP schema and select the attribute(s). |
Login Retries | Specify the number of incorrect passwords a user can try before the user account is disabled. Blank=Disable this function. |
Accept Pwd change | Can be used to accept users that must change their password. Note, users will not be able to login if this option is not enabled. This is used by Microsoft Active Directory. |
Inactive Attribute | The LDAP attribute that will be read during authentication to check if the user account is locked. It will, if “Login Retries” above is set, also be used to lock the account if maximum number of failed logins has occurred. |
Inactive Value | The value that will be set in the Inactive Attribute when the Account is locked, for example LOCKED. If the Inactive Attribute has this value, the user account is considered to be locked. This value will also be set if max Login Retries has been reached. |
Disable OTP Attribute | If this attribute is defined, the OTP Server will read the value of this attribute from the user’s object and see if it matches the Disable OTP Value. If the value matches, ONLY authentication will be performed and no OTP will be required from the user! Leave this blank to always require OTP during authentication. |
Disable OTP Value | The value that the Disable OTP Attribute is compared against. If this parameter is set, the OTP Server reads the Disable OTP Attribute from the user's object and, if the value matches, ONLY authentication is performed and no OTP is required from the user. Leave this blank to always require OTP during authentication. |
Not | Check to invert the comparison: the OTP is skipped when the Disable OTP Attribute is NOT equal to the Disable OTP Value. |
Option | Description |
OATH Key | The attribute that stores the user’s OATH key. Use the browse button to browse the LDAP Schema to select the attribute. |
Login Retries | Specify the number of incorrect passwords a user can try before the user account is disabled. Blank=Disable this function. |
Inactive Attribute | The LDAP attribute that will be read during authentication to check if the user account is locked. It will, if “Login Retries” above is set, also be used to lock the account if maximum number of failed logins occurred. |
Inactive Value | The value of Inactive Attribute when the Account is locked, for example TRUE. If the Inactive Attribute has this value, the user account is considered to be locked. This value will also be set if max Login Retries has been reached. |
Accept Pwd change | Can be used to accept users that must change their password. Note, users will not be able to login if this option is not enabled. This is used by Microsoft Active Directory. |
Prefetch OTPs offers the possibility for users to get a configurable number of OTPs in advance. A prefetched OTP can be used instead of using the normal method to send the OTP to a user’s mobile phone. This can be used when there is a problem with GSM coverage or as a normal method for a certain type of user.
The normal procedure for a user to retrieve the Prefetch OTPs is through a web server that is configured with the Nordic Edge Prefetch OTP web application. The Nordic Edge Prefetch OTP web application is a Java JSP page and is available in the PrefetchWebApp directory.
The user logs in to the web server and requests Prefetch OTPs, which are sent to the user’s mobile phone or mailbox. When the user has used the last Prefetch OTP, the OTP Server can be configured to automatically send a new set of Prefetch OTPs to the user.
Option | Description |
Prefetch OTP Attribute | Select the attribute that contains the Prefetch OTP string. |
Enable LDAP filter (opt) | Optional. Enter an LDAP filter that enables the user to use Prefetch OTPs. |
Max Nr of Prefetched OTPs | The maximum number of prefetched one-time passwords that will be sent to users. Users can request fewer one-time passwords than this number but not more. |
Must be used in order | Check the box if the prefetched OTPs must be used in order. If it is not checked, users can use any available prefetched OTP. Note, this option is global for all user databases. |
OTP Length | The number of characters in each prefetched OTP. |
Automatically send new Prefetch OTPs when last OTP is used | Check the box to send new Prefetch OTPs automatically when users have used the last OTP. |
Message to user | Enter the message that includes the prefetched one-time passwords. The tag $$OTP$$ is replaced with the OTPs during send. If the string does not include the tag, the OTPs are appended after the string. Note, this option is global for all user databases. |
Message Delivery | Select if the prefetched OTPs should be sent in one or several messages. |
Allow administration creation of Prefetch OTP | Check this box to allow administrators to create Prefetch OTPs for any user. If it is not checked only users themselves can request Prefetch OTPs. |
Option | Description |
Administrator Database | Select the database to authenticate administrators from. The selected database defines a group or a specific user that can create Prefetch OTPs for other users. |
Allowed IP Addresses | Enter the IP addresses, separated by commas, of the administrators' clients from which they may create Prefetch OTPs. This is mandatory. Ex. 192.168.0.1, 192.168.0.2 |
The PIN Code feature adds another layer of security. When PIN Code is enabled, users must set a PIN code value in their PIN Code attribute and then enter their PIN code and the one-time password combined during login.
Note: When no PIN code has been saved in the PIN Code attribute, users can still login with the OTP only.
For example, if the PIN code is 1234 and the one-time password is 999888, the user must enter 1234999888 to login successfully.
The PIN code is read from a selected attribute in LDAP directories or queried for SQL databases.
NOTE: The PIN code is entered before the one-time password.
PIN codes for OTP users can be read in hashed format from the user database. OTP Server supports Salted SHA (SSHA). Hashed PIN codes are available in OTP Server version 3.1 and above.
Note: Settings for hashed PIN codes are global and affect all databases.
Option | Description |
Show advanced hashed PIN code options (Global) | Enable hashed PIN codes. |
Digest Charset | Select the character set used by the LDAP or SQL store where the hashed PIN codes are saved. Default ISO-8859-1. |
Hashed value format | Select which format to use when reading the PIN codes, Base64 or Hexadecimal. |
Example:
A Base64 SHA256 (32 bytes) value should look like this:
{SHA256}A6xnQhbz4Vx2HuGl4lXwZ5U2I8iziLRFnhP5eNfIRvQ=
A Base64 SSHA256 (32 bytes + salt) value should look like this:
{SSHA256}u+vw4gs7FD4V4M/2yZ60pBctOzpoJg1UrLUs1H7qzUZKVWVKTWhOanNaOVRGSVhNaFBpaW1rU1dTaFlpYkFlUQ==
OTP Server uses the {} prefix before the hashed value to recognize which algorithm is used. Valid algorithms are:
SHA1, 20 byte length: {SHA1}
Salted SHA256, 32 byte length + salt: {SSHA256}
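The PIN-then-OTP login format and the {SHA1}/{SHA256}/{SSHA256} stored formats above can be checked with the following added example (not Nordic Edge code). It assumes that the salted form stores the digest followed by the salt, that the Digest Charset is applied when hashing the PIN, and that "Hashed value format" selects Base64 or hexadecimal decoding; the {SHA256} scheme is taken from the Base64 example on the page.

```python
# Added example: verifying a hashed PIN and splitting "PIN + OTP" input.
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Digest lengths from the manual: SHA1 = 20 bytes, (S)SHA256 = 32 bytes.
# Assumption: the salted form is <digest><salt>, so the salt is whatever
# follows the first 32 bytes.
_SCHEMES = {
    "SHA1": ("sha1", 20, False),
    "SHA256": ("sha256", 32, False),
    "SSHA256": ("sha256", 32, True),
}

# The Base64 SHA256 example from the page (it is SHA-256 of the PIN 1234).
PAGE_SAMPLE_SHA256 = "{SHA256}A6xnQhbz4Vx2HuGl4lXwZ5U2I8iziLRFnhP5eNfIRvQ="


def _decode_stored(encoded: str, value_format: str) -> bytes:
    """'Hashed value format' setting: Base64 (default) or Hexadecimal."""
    if value_format.lower() in ("hex", "hexadecimal"):
        return bytes.fromhex(encoded)
    return base64.b64decode(encoded, validate=True)


def verify_hashed_pin(pin: str, stored: str, value_format: str = "base64",
                      charset: str = "ISO-8859-1") -> bool:
    """True if `pin` matches a stored value such as '{SSHA256}<digest||salt>'.
    The scheme name inside the braces selects the algorithm; `charset` is the
    Digest Charset the PIN was encoded in before hashing."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    spec = _SCHEMES.get(scheme.upper())
    if spec is None:
        return False                      # unknown or unsupported scheme
    hash_name, digest_len, salted = spec
    try:
        raw = _decode_stored(encoded, value_format)
    except ValueError:
        return False                      # malformed Base64/hex in the store
    if salted:
        if len(raw) <= digest_len:        # salted form needs a non-empty salt
            return False
    elif len(raw) != digest_len:
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    expected = hashlib.new(hash_name, pin.encode(charset) + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def make_hashed_pin(pin: str, scheme: str, salt: bytes = b"",
                    value_format: str = "base64", charset: str = "ISO-8859-1") -> str:
    """Produce a value in the same stored format (e.g. to populate a test user)."""
    hash_name, _, salted = _SCHEMES[scheme.upper()]
    if salted and not salt:
        raise ValueError("salted scheme requires a salt")
    raw = hashlib.new(hash_name, pin.encode(charset) + (salt if salted else b"")).digest()
    if salted:
        raw += salt
    if value_format.lower() in ("hex", "hexadecimal"):
        encoded = raw.hex()
    else:
        encoded = base64.b64encode(raw).decode("ascii")
    return "{" + scheme.upper() + "}" + encoded


def split_login_input(entered: str, otp_length: int) -> Tuple[str, str]:
    """The PIN is entered first, then the OTP: '1234999888' -> ('1234', '999888')."""
    if otp_length <= 0:
        raise ValueError("otp_length must be positive")
    if len(entered) < otp_length:
        return "", entered
    return entered[:-otp_length], entered[-otp_length:]


def check_login(entered: str, stored_pin: Optional[str], expected_otp: str,
                value_format: str = "base64") -> bool:
    """PIN check (when a PIN is stored) followed by the OTP check.  With no PIN
    saved in the PIN Code attribute the user logs in with the OTP only."""
    pin, otp = split_login_input(entered, len(expected_otp))
    if not hmac.compare_digest(otp.encode(), expected_otp.encode()):
        return False
    if not stored_pin:
        return pin == ""                  # OTP only; anything extra is rejected
    return verify_hashed_pin(pin, stored_pin, value_format)
```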
Option | Description |
Samples | Select configuration samples to provide help regarding configuration options for Driver Manager and Database URL based on database type. |
Driver Manager | Enter the JDBC Driver Manager (driver class name) according to standard JDBC syntax. Example for ODBC: "sun.jdbc.odbc.JdbcOdbcDriver". Example for MySQL: "com.mysql.jdbc.Driver". |
Database URL | Enter the JDBC database URL. Example for ODBC: "jdbc:odbc:Databasename". Example for MySQL: "jdbc:mysql://Ipaddress:portnr/dbname". |
Username | The Username for this JDBC/ODBC database. |
Password | The Password for this JDBC/ODBC database. |
Nr of Connections | The number of concurrent connections the OTP Server will have in the pool to this JDBC database. |
Test JDBC Connection | Test the connection to the database with the information in JDBC settings. |
Option | Description |
Authenticate | Enter the SQL query that is used for authentication. It must return the username. Use the tags $$NAME$$ and $$PASSWORD$$ to insert what the user entered during the authentication process. Example: SELECT NAME FROM UserDB WHERE NAME='$$NAME$$' AND PASSWORD='$$PASSWORD$$' |
OTP Field | Enter the SQL Query to get the user’s mobile phone number or e-mail address. Use the tag ‘$$NAME$$’ to fill in the user’s name in the Query. |
Login Retries | Specify the number of incorrect passwords a user can try before the user account is disabled. Blank=Disable this function. Together with Set Locked, this is used to lock the account when the maximum number of failed logins has occurred. |
Get Locked (Get Disabled) | The SQL field to check during authentication to see if the account is locked. Use the tag $$NAME$$ to fill in the user’s name in query. INFO: This setting is called Get Disable in prior 3.0 versions. |
Set Locked (Set Disabled) | This SQL Query will be executed if failed Login Retries occurs. Use the tag ‘$$NAME$$’ to fill in the user’s name in the Query. INFO: This setting is called Set Disable in prior 3.0 versions. |
Get Disable OTP | SQL query to determine if the end-user should be challenged with an OTP or not. If the SQL query matches the end-user, only authentication will be performed and no OTP will be required from the user! Example: SELECT skipotpflag FROM UserTable WHERE name='$$NAME$$' Leave this blank to always require OTP during authentication. |
Test JDBC Connection | Test the JDBC connection with the specified values. |
Option | Description |
Authenticate | Enter the SQL query that is used for authentication. It must return the username. Use the tags $$NAME$$ and $$PASSWORD$$ to insert what the user entered during the authentication process. Example: SELECT NAME FROM UserDB WHERE NAME='$$NAME$$' AND PASSWORD='$$PASSWORD$$' |
Get OATHKey | Enter the SQL query to get the user’s OATH key. Use the tag $$NAME$$ to fill in the user’s name in the query. Example: SELECT OATHKey FROM UserDB WHERE NAME='$$NAME$$' |
Set OATHKey | Enter the SQL update to set the user’s OATH key. Use the tags $$NAME$$ and $$KEY$$ to fill in the user’s name and OATH key in the query. Example: UPDATE users SET OATHKey ='$$KEY$$' WHERE name='$$NAME$$' |
Get Disabled | The SQL field to check during authentication to see if the account is locked. Use the tag $$NAME$$ to fill in the user’s name in query. |
Set Disabled | This SQL Query will be executed if failed Login Retries occurs. Use the tag ‘$$NAME$$’ to fill in the user’s name in the Query. |
Test JDBC Connection | Test the JDBC connection with the specified values. |
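Both JDBC tables above describe queries in which $$NAME$$, $$PASSWORD$$ and $$KEY$$ are replaced by what the user typed. The following added example (not Nordic Edge code; it does not show how the product itself executes these queries) contrasts plain textual substitution with rewriting the same templates into parameterised statements, using an in-memory SQLite table constructed to match the manual's UserDB example.

```python
# Added example: the manual's tag templates executed with bound parameters.
import re
import sqlite3
from typing import Dict, List, Tuple

# The query templates from the manual, verbatim (table name UserDB).
AUTH_TEMPLATE = "SELECT NAME FROM UserDB WHERE NAME='$$NAME$$' AND PASSWORD='$$PASSWORD$$'"
GET_OATHKEY_TEMPLATE = "SELECT OATHKey FROM UserDB WHERE NAME='$$NAME$$'"
SET_OATHKEY_TEMPLATE = "UPDATE UserDB SET OATHKey='$$KEY$$' WHERE NAME='$$NAME$$'"

# A tag, optionally wrapped in the single quotes the templates put around it.
_TAG = re.compile(r"'?\$\$(NAME|PASSWORD|KEY)\$\$'?")


def substitute_tags(template: str, values: Dict[str, str]) -> str:
    """Plain textual replacement, as the tag descriptions read.  The user input
    becomes part of the SQL text, so a quote in it changes the statement;
    kept here only to contrast with bind_template()."""
    out = template
    for tag, value in values.items():
        out = out.replace("$$" + tag + "$$", value)
    return out


def bind_template(template: str, values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Rewrite each '$$TAG$$' as a '?' placeholder and collect the values in
    the order they appear, so the driver sends them as data, not SQL."""
    params: List[str] = []

    def _placeholder(match: "re.Match[str]") -> str:
        params.append(values[match.group(1)])
        return "?"

    return _TAG.sub(_placeholder, template), params


def authenticate(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """'Authenticate' query: it must return the username."""
    sql, params = bind_template(AUTH_TEMPLATE, {"NAME": name, "PASSWORD": password})
    row = conn.execute(sql, params).fetchone()
    return row is not None and row[0] == name


def get_oath_key(conn: sqlite3.Connection, name: str):
    sql, params = bind_template(GET_OATHKEY_TEMPLATE, {"NAME": name})
    row = conn.execute(sql, params).fetchone()
    return None if row is None else row[0]


def set_oath_key(conn: sqlite3.Connection, name: str, key: str) -> None:
    sql, params = bind_template(SET_OATHKEY_TEMPLATE, {"NAME": name, "KEY": key})
    conn.execute(sql, params)
    conn.commit()


def constructed_user_db() -> sqlite3.Connection:
    """In-memory stand-in for the UserDB table with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserDB (NAME TEXT PRIMARY KEY, PASSWORD TEXT, OATHKey TEXT)")
    conn.execute("INSERT INTO UserDB VALUES ('jdoe', 'correct horse', NULL)")
    conn.commit()
    return conn
```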
Please see the Enable OTP Prefetch section in Database configuration - LDAP Database.
Please see the PIN code section in Database configuration - LDAP Database.
The OTP Server can use this type of database to pass through and forward the RADIUS request to another RADIUS server. It can be used to support RSA SecurID or SafeWord tokens as well as integration with other RADIUS servers, or in token migration scenarios.
Option | Description |
Shared Secret | Enter the shared secret for this client. Note! Must match the secret specified for the RADIUS Server. |
Forward additional RADIUS attributes | Can be enabled if the OTP Server should forward the additional RADIUS attributes to the other RADIUS Server. |
Test RADIUS request | Makes a test authentication to the RADIUS Server selected in the list. Enter the username and password and click on the Test button. |
A User Database Group is a group of LDAP and/or JDBC user databases. This feature can be used to search for a user in more than one database. The OTP Server will search for the user in database groups in the order that the databases are listed, starting from top and going down.
If a user with a matching username and password is found in one of the databases, that database will be used for that specific user. Before creating a user database group, two or more LDAP and/or JDBC user databases must already exist.
OTP client objects are used to manage configuration parameters regarding the connection between OTP Server and the system to protect (called OTP client). For example the Client name, IP address, RADIUS Shared Secret, Database for authentication of OTP users, Web service username and password. There are three types of OTP clients, RADIUS, Native and Web Service. The Web Service client is available in OTP Server version 3.1 and above.
- Native clients are OTP Server clients using the OTP Server API to communicate with OTP Server. Examples of native clients are Microsoft Outlook Web Access, Microsoft SharePoint, CA SiteMinder, Novell GroupWise Web Access.
- RADIUS clients are OTP Server clients using the RADIUS challenge-response protocol to communicate with OTP Server. RADIUS is often used by network services such as firewalls and VPNs, e.g. Cisco, Juniper, F5, Bluecoat, Citrix etc.
- Web service clients are OTP Server clients using a Web service to communicate with OTP Server. OTP Server exposes the client functionality, corresponding to the Native Client API, as a Web service (SOAP). Read more about the Web service client at http://support.nordicedge.com/otp-server-web-service-client-api-soap/
There are 3 different ways to create and configure OTP clients.
The types of configuration actions that can be performed are described below.
RADIUS Client Attribute Detection
Click on the Advance button to define the configuration for RADIUS Client Attribute Detection. It is used to detect specific RADIUS attribute values and apply different client configurations, with their selected databases, to authenticate the users even if the requests come from the same IP address (sending source). This can for example be used to separate configurations for different types of users like Employees, Partners and Customers.
Option | Description |
Enable Attribute Detection | Enable or disable the attribute value detection. |
RADIUS attribute number | Select the RADIUS attribute number. |
RADIUS attribute value | Define the RADIUS attribute value. |
Match type | Select how the value should be matched: Exact match, or Contains value (substring match). |
Match case | Select if the matching should be done case sensitive or not. |
Listen on RADIUS ports
The Advanced configuration is also used to define if the OTP Server should listen on all RADIUS Port Numbers if there are multiple ones configured or only specific ports.
Option | Description |
Listen on ALL available portnumbers | Enable or disable this to choose whether this client listens on all configured port numbers or only on selected ones. |
Selected ports | Select one or more ports this client will listen on. Note! This option will only come up if “Listen on ALL available portnumbers” is unchecked. |
Encoding
Option | Description |
Charset encoding | Select character encoding. Note, the RADIUS standard defines UTF-8 standard character encoding. |
RADIUS Reject Error Messages
OTP Server can reply with pre-set error messages during the one-time password process. This gives the end-user more information if there is a system error or a problem with the one-time password.
Option | Description |
Failed Auth/Error | Type a message that will be sent via RADIUS attribute 18 if user fails to authenticate with their username/password or a system error occurs. Leave this field blank to disable this function. |
Failed OTP | Type a message that will be sent via RADIUS attribute 18 if the user fails with their OTP (SMS, Prefetch or OATH OTP). Leave this field blank to disable this function. |
Option | Description |
Shared Secret | Enter the Shared Secret for this client. Note! Must be the same Shared Secret as for the RADIUS client application. |
Supports Access-Challenge | Check if the RADIUS client supports RADIUS Access-Challenge (Challenge/Response). |
Response Message | Enter the message that will be sent to the RADIUS client when prompting the user to enter the one-time password. If the check box “Supports Access-Challenge” is unchecked, enter the IP-address to the Authentication Server instead. |
Auth. Server IP Address | The authentication server is needed and used if the RADIUS client doesn’t support Access-Challenge. Enter the IP address of the server. The authentication server is the server in which: Step 1, the user-login process (username and password) is initiated. Step 2, a one-time password is created by the OTP Server and sent to the user’s mobile phone via SMS (or e-mail). Step 3, the user authenticates via the RADIUS client application against the OTP Server with username and one-time password. |
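For a client that supports Access-Challenge, the exchange above is carried in RFC 2865 packets: the OTP Server answers the first Access-Request with an Access-Challenge whose Reply-Message (attribute 18) is the Response Message, and the reject messages use the same attribute. The following added example (not Nordic Edge code) builds such responses and shows the check a RADIUS client should make on the Response Authenticator, which is what ties a reply to the shared secret; the request authenticator and secret are constructed values.

```python
# Added example: RFC 2865 Access-Challenge / Access-Reject with Reply-Message,
# and Response Authenticator verification on the client side.
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
REPLY_MESSAGE, STATE = 18, 24          # 18 carries the text shown to the user
HEADER = struct.Struct("!BBH")         # code, identifier, length; then 16-byte authenticator

# Constructed values for the demonstration; a real client uses 16 random
# bytes per request and the secret configured on both sides.
SAMPLE_REQUEST_AUTHENTICATOR = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"


def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value encoding; Length covers the 2-byte attribute header."""
    out = b""
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must fit in 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Server side.  RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = HEADER.pack(code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator over the received packet
    and the authenticator of the request it answers.  A reply that fails this
    check was not produced by a holder of the shared secret."""
    if len(packet) < 20:
        return False
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    _, _, length = HEADER.unpack(header)
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def access_challenge(identifier: int, request_authenticator: bytes, secret: bytes,
                     prompt: str, state: bytes) -> bytes:
    """Prompt for the one-time password; State must be echoed by the client."""
    attrs = [(REPLY_MESSAGE, prompt.encode("utf-8")), (STATE, state)]
    return build_response(ACCESS_CHALLENGE, identifier, request_authenticator, attrs, secret)


def access_reject(identifier: int, request_authenticator: bytes, secret: bytes,
                  message: str) -> bytes:
    """Reject with the configured 'Failed Auth/Error' or 'Failed OTP' text, if any."""
    attrs = [(REPLY_MESSAGE, message.encode("utf-8"))] if message else []
    return build_response(ACCESS_REJECT, identifier, request_authenticator, attrs, secret)
```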
This option can be configured if “Use ONLY Prefetch OTPs” is enabled.
It defines that this client will only use prefetched one-time passwords. This can be used for RADIUS clients that don’t support Access-Challenge. Use this configuration with Prefetch OTP enabled databases.
Option | Description |
Require Password AND Prefetch OTP | Requires users to enter their user database password together with the prefetched one-time password. Example: mysecretpassword12345 |
Generate Prefetch OTP if none exists | Allows users to automatically generate prefetched one-time passwords for the first time by logging in with their username and password. |
Select the user database this RADIUS client will use to authenticate users. If no user database exists, one must be created. See chapter “Database Configuration”.
Option | Description |
Uses external OTP API | Defines if external code using the OTP API should generate and verify the one-time password instead of the OTP Server. Enter the Java class name that implements the interface “se.nordicedge.interfaces.OTPVerificationHandler”. |
RADIUS Attributes | RADIUS attributes that will be sent after a successful authentication. Add attributes and their attribute numbers in the list. The value can be a static value, UserDN, user attribute, login name or some external code. |
Click on the Advance button to define the configuration for Native Client Name Detection. It is used to detect if a specific name is used by the integration module that uses the OTP client API when it communicates with the OTP Server. This makes it possible to apply different client configurations, with their selected databases, even if the request comes from the same IP address (sending source). This can for example be used to separate configurations for different types of users like Employees, Partners and Customers.
Option | Description |
Enable Name Detection | Enable or disable the name detection. |
Client Name | Specify the Client Name used by the integration module. |
Option | Description |
Accept User Lookup only | Enable this if user lookup should be accepted (accept username only). A database authentication will NOT be performed if the user password is empty. Use this to verify a username and issue a one-time password without verifying the user password. Note, this will accept an empty password! |
Client Name | Specify the Client Name used by the integration module. |
Select the user database this Native client will use to authenticate users. If no user database exists, one must be created. See chapter “Database Configuration”.
Option | Description |
Uses external OTP API | If external code using the OTP API should generate and verify the one-time password instead of the OTP Server. Enter the Java class name that implements the interface: “se.nordicedge.interfaces.OTPVerificationHandler” |
Force OTP Delivery Method | Choose the delivery method to be used for this client. This option will override the general configured order for methods. |
Option | Description |
Accept User Lookup only | Enable this if user lookup should be accepted (accept username only). A database authentication will NOT be performed if the user password is empty. Use this to verify a username and issue a one-time password without verifying the user password. Note, this will accept an empty password! |
Select the user database this Web service client will use to authenticate users. If no user database exists, one must be created. See chapter “Database Configuration”.
Option | Description |
Uses external OTP API | If external code using the OTP API should generate and verify the one-time password instead of the OTP Server. Enter the Java class name that implements the interface: “se.nordicedge.interfaces.OTPVerificationHandler” |
Force OTP Delivery Method | Choose the delivery method to be used for this client. This option will override the general configured order for methods. |
Read more about the OTP Web service: http://support.nordicedge.com/otp-server-web-service-client-api-soap
The Delivery Methods object category is used to enable and configure one or more delivery methods that the OTP Server can use to send the one-time passwords. The Delivery Method object category holds subcategories that represent the different delivery methods. There is also capability to show all, enabled or disabled delivery methods in this category and configure the sending order.
One or more delivery methods can be used to deliver the one-time passwords. The order in which they are used is determined by how they are listed in the Delivery Methods object category, starting from the top as the first method and going down.
This method will use the Nordic Edge hosted SMS gateway to deliver the one-time password over SMS to the end-users. The Nordic Edge SMS Gateway supports automatic fail-over for service and SMS operator delivery, usage statistics, SMS status control and easy setup.
Nordic Edge provides OTP Server customers with a trial SMS Gateway account at no charge.
Option | Description |
Username | Enter the username for the service provided by Nordic Edge. |
Password | Enter the password for the service provided by Nordic Edge. |
Flash SMS | Check the box to enable the support for sending flash SMS to user’s mobile phone. |
Message | The message to be sent to the mobile phone. The OTP will be added to this message unless the tag $$OTP$$ is inserted in the message. The OTP will then replace the $$OTP$$ tag. Example: The passcode is $$OTP$$ |
Enable HTTP Proxy server | Check the box to Enable HTTP Proxy. Server: Enter the proxy server IP address or DNS name. Port: Enter the proxy server port number. |
Disable PF SMS Status | Disable SMS status checks for users that have Prefetch OTP enabled. This sends a notification to the SMS gateway to disable status control of SMS for users that have Prefetch OTPs stored in their user database. This reduces the waiting time by up to 5 seconds for these users. |
Username in accounting file | Check the box to include the username in the accounting file. Ignore this if the accounting file is not being used. |
Request a demo account by selecting the “Request a demo account” button. This creates a demo account in the Nordic Edge hosted SMS gateway and fills in the username and password fields. It also builds the list of URLs to the Nordic Edge hosted SMS gateways.
The option to configure this section is available if a demo or real account is defined.
Option | Description |
Test | Click on the Test button and enter a mobile phone number in the field to send a test SMS to the mobile phone through the Nordic Edge SMS Gateway Service. |
Update Config | Click on the button to manually update the configuration for the Nordic Edge SMS Gateway Service. |
Debug | Check the box to enable debug information to be included in the log files. |
Option | Description |
Enable max Limit | Enable to set a maximum limit for sending SMS. |
Max SMS per user per day | Set the maximum number of SMS that a single user can send in one day. |
Max SMS total per day | Set the maximum number of SMS that the OTP Server can send on behalf of all users in one day. |
Enables the OTP Server to send one-time passwords (OTP) via the HTTP or HTTPS protocol to an SMS provider.
Option | Description |
User Header | The HTTP Header name for the user’s mobile number or e-mail address. |
OTP Header | The HTTP Header name for the OTP (Challenge). |
Headers in Query String | Check if headers should be placed in the Query string as GET parameters. For example: ?USER=070112233&CHALLENGE=123456 |
Template file | Enter a file name if a template file will be used instead of headers. The file shall contain two values which will be replaced when posted; $$IDENTITY$$ and $$CHALLENGE$$. Leave blank if only headers are to be used. See sample file from Vodafone/Mobilerelations: smstemplate.xml |
Auto-Accept SSL Certificates | Enables auto trust of certificates received from HTTPS. |
Debug | Enables extensive logging of HTTP sending. Could be used in troubleshooting. |
Option | Description |
Enable HTTP Authentication | Check the box to enable HTTP Authentication. |
Username | Enter the username to be used for authentication. |
Password | Enter the password to be used for authentication. |
Option | Description |
Enable Proxy Server | Check the box to enable HTTP through a Proxy Server. |
Proxy Server | The DNS name of the proxy server to be used for all HTTP requests. |
Proxy Port | The port number for the proxy server. |
Option | Description |
Content Type | HTTP mime content type. Default is application/x-www-form-urlencoded. |
HTTP (HTTPS) URL | Enter the URL to post the OTP to. |
Success string to look for | Enter what the HTTP server will respond back to the OTP Server. If the OTP Server finds this string it will assume a successful posting. If it does not find this string it will assume a failed post of the OTP. |
Enables the OTP Server message sending service to send one-time passwords (OTP) over the HTTP or HTTPS protocol. This module is similar in function to the HTTP module. One of the big differences is that the extended HTTP module provides more fault tolerance, because more than one HTTP(S) URL can be defined.
Option | Description |
User Header | The HTTP Header name for the user’s mobile number or e-mail address. |
OTP Header | The HTTP Header name for the OTP (Challenge). |
Remove leading + | Removes the + from mobile phone numbers. |
Replace + with 00 | Removes the + from mobile phone numbers and replaces it with 00 (two zeros). |
Template file | Enter a file name if a template file will be used instead of headers. The file shall contain two values which will be replaced when posted; $$IDENTITY$$ and $$CHALLENGE$$. Leave blank if only headers are to be used. See sample file from Vodafone/Mobilerelations: smstemplate.xml |
Edit (Template file) | Edit the template file. |
Auto-Accept SSL Certificates | Enables auto trust of certificates received from HTTPS. |
Debug | Enables extensive logging of HTTP sending. Could be used in troubleshooting. |
Use GET | Use GET instead of POST as the HTTP method |
Option | Description |
HTTP Auth | Check the box to enable HTTP Authentication. |
Username | Enter the username to be used for authentication. |
Password | Enter the password to be used for authentication. |
Option | Description |
Proxy Server | Check the box to enable HTTP through a Proxy Server. |
Proxy Server | The DNS name of the proxy server to be used for all HTTP requests. |
Proxy Port | The port number for the proxy server. |
Option | Description |
Client Cert | Check the box to enable a client certificate to be used for authentication. INFO: The URL must use HTTPS. |
PKCS12 file | The full path to the certificate file (PKCS12 format). |
Password | The password to the certificate. |
Option | Description |
Content Type | HTTP mime content type. Default is application/x-www-form-urlencoded. |
HTTP (HTTPS) URL 1-3: | Enter the URLs to post the OTP to. INFO: OTP Server will use the URLs in order 1, 2, 3. If URL 1 fails, the OTP Server will subsequently start with the last URL that worked. |
Success string to look for | Enter what the HTTP server will respond back to the OTP Server. If the OTP Server finds this string it will assume a successful posting. If it does not find this string it will assume a failed post of the OTP. |
Set SOAPAction request header | Add SOAPAction as a request header. |
Enables the OTP Server message sending service to support SMTP protocol to send one-time passwords (OTP). If the methods HTTP or Netsize are activated, all messages to users with the @-sign in the address will be sent via SMTP.
Option | Description |
SMTP Host | IP-address or DNS-name to the SMTP Host. |
Mime Encoding | The MIME encoding for SMTP. Default is: ISO-8859-1. |
Port | The SMTP port number (Default is 25). |
SSL/TLS | If SSL/TLS will be used. |
Force TLS | Forces use of TLS instead of SSL. |
Option | Description |
Enable SMTP Authentication | Check the box to enable SMTP authentication. |
Username | Enter the username to be used for authentication. |
Password | Enter the password to be used for authentication. |
Option | Description |
Mail sender Address | The sending e-mail address. |
Mail To Address | Add the static e-mail address here. Another option is to add the tag $$IDENTITY$$ anywhere in the string to insert the user’s identity (e.g. mobile number). Sample: $$IDENTITY$$sms@acme.com becomes +4670123456sms@acme.com |
Mail address | Check to use the user’s e-mail address as Mail To Address. |
Subject | The SMTP subject line. |
User ID | Check to place the user’s Mobile number or e-mail address in the Subject field. |
Body Text | The SMTP message body that will include the one-time password. The tag $$OTP$$ will be replaced with the OTP during sending. If the tag does not exist in the string, the OTP will be appended to the end of the string. Use the text editor button to enable the text editor. |
Is filename | Check this box if the Body Text is a file template and enter the full path to the file. The tags $$IDENTITY$$ and $$OTP$$ can be used in the template file. |
Debug | Enables or disables SMTP debugging to the log files. |
Lookup mailaddress in database | If the user’s mail address does not contain a @ character, OTP Server will look in another attribute for the e-mail address. Enable this function and enter the attribute used for storing the complete e-mail address for users. Note: This can be useful when using e-mail as a backup method for other methods like SMS. |
Test | Sends an SMTP test message. |
Enables the OTP Server message sending service to use Netsize SMS gateway services. You need an account to use the Netsize services.
Option | Description |
SMS Gateway | The IP-address or DNS name to the Netsize SMS-gateway. |
Port nr | The Port Number to the gateway. |
Option | Description |
Login | Enter the username to be used for authentication. |
Password | Enter the password to be used for authentication. |
Option | Description |
Message | The message to be sent to the Mobile phone. The tag $$OTP$$ will be replaced with the OTP during sending. If the tag does not exist in the string, the OTP will be appended automatically to the end of the string. Use the Text Editor button to enable the text editor. |
Option | Description |
Sending, Receiving, Notification | Netsize parameters. See Netsize Agreement/Documentation. |
Option | Description |
Debug | Debugs Netsize packets in the system console or log file. |
Encryption | Check this box if encryption will be used between the OTP Server and the Netsize gateway. Agreement with Netsize is required. |
Message Type | Select how the SMS will be presented in the Mobile phone: Immediate Display (Flash-SMS) Stored on Mobile phone Stored on SIM-card |
Enables the OTP Server message sending service to send the one-time password with more than one delivery method at the same time. Two or more delivery methods must be configured and selected in the list.
Enables the OTP Server to send one-time passwords (OTP) to end-users via different instant messaging methods.
The instant messaging method supports sending one-time passwords to three instant messaging services: Skype, Microsoft Live (MSN) and Jabber (Google Talk). All services or an individual service can be activated.
Enter the message that should be sent to the user. The OTP is appended to this message unless the tag $$OTP$$ is inserted in the message, in which case the OTP replaces the tag. Example: Passcode is $$OTP$$, by Nordic Edge
The User Prefix concept can be used to select which instant messaging service should be used when the Nordic Edge OTP Server receives a user's instant messaging user id. By configuring a User Prefix, the Instant Messaging plug-in can select which service to use by looking at the incoming user id. All three instant messaging services support the User Prefix concept.
If the user id has a prefix attached, for example GOOGLETALK;johndoe@nordicedge.se, and the Jabber service is configured with the User Prefix GOOGLETALK; the Nordic Edge OTP Server knows that it should only use the Jabber service.
Both MSN and Jabber use a mail address as user id. If both are enabled and no User Prefix is specified, the Nordic Edge OTP Server first tries to send via the MSN service and, if that fails, sends via the Jabber service.
The Skype method requires that a Skype client is installed on the OTP Server, is running and is logged into the Skype network. When the first message is sent, the Skype client asks whether the OTP Server is allowed to send messages through the Skype client. Select Yes when this question appears.
Use the Test button to test the Skype method. Note: do not include the User Prefix when using the Test button.
The Microsoft Live/MSN method requires a valid MSN account to be specified in the Login id and Password fields.
Use the Test button to test the MSN method. Note: do not include the User Prefix when using the Test button.
The Debug checkbox can be used for debugging the MSN method.
The Jabber/Google Talk method requires a valid Jabber account to be specified in the Login id and Password fields.
It also requires a server hostname (or IP address), a port number and the option to use SSL. If the server hostname contains Google, Google Talk is enabled automatically. Enable SSL wherever the server supports it; otherwise the account credentials and the one-time passwords are sent to the Jabber server in clear text.
Use the Test button to test the Jabber/Google Talk plug-in. Note: do not include the User Prefix when using the Test button. The Debug checkbox can be used for debugging the Jabber/Google Talk method.
Enables the OTP Server message sending service to support SMPP protocol to send one-time passwords (OTP).
Enables the OTP Server message sending service to support Nokia CIMD2 protocol to send one-time passwords (OTP).
Enables the OTP Server message sending service to support UCP File Creator in order to create files with the one-time passwords.
Option | Description |
File Directory to drop file | Select the directory to store one-time password files in. Each one-time password is written as a separate file in this directory. The files contain the one-time passwords in clear text, so restrict read access to the directory to the account that picks the files up. |
Filename starts with | Enter the name the files will start with. A random number is added after this name in the filename. E.g. "ucp" |
Filename ends with | Enter the end of the filename. E.g. ".txt" |
Template File | Select the template file which contains the text with variables for the one-time password. A default template file is included with the OTP Server. E.g. C:\Program Files\NordicEdge\OTPServer3\UCPTemplate.txt |
Control +New Line (0D 0A) | Creates the output file with DOS-style line breaks (CR LF). |
File characterset | Select the character encoding for the UCP file. |
The Logs configuration object includes configuration options for how the OTP Server handles logging and log files.
Option | Description |
System Log file | The name of the system log file. The system log file also contains all debugging information, so when any Debug option is enabled the one-time passwords can end up in this file; protect it accordingly. Leave blank if no log file is to be used. |
Accounting file | The name of the accounting file. All successful OTP messages are saved to this file. Leave blank if not used. |
Roll Accounting File Now | Click this button to roll the accounting file. |
Loglevel | Select the required log level: Trace, Debug, Info, Warn, Error, Fatal. INFO: The default log level is Debug. Lower it to Info or Warn in production once the installation is verified. |
Max logfile size | Enter the maximum size of the log file before it is rolled. INFO: Default 5000 KB. |
Max backup index | The number of backup files kept before the OTP Server starts removing the oldest backup files. INFO: Default 100. E.g. 100 x 5000 KB = 500 MB of disk space required for logs. |
Append sessionnumber | Adds session numbers to the log file for better tracking of one authentication across several log lines. Default enabled. |
External log Handler | Enter the Java class name of an external logger. This class must implement the se.nordicedge.interface.OTPlogging interface. Leave this blank to use the default logger. Note: this parameter requires a restart to activate or deactivate the log handler. The class is loaded from the server's classpath and runs with the server's privileges, so only administrators should be able to write to the lib directory. |
Option | Description |
Check for config changes every | Check whether any changes have occurred in the OTP Server config file every X seconds. Set to 0 to disable this function. |
Check classpath during startup | Check this box if changes in the lib directory should be read during OTP Server startup. |
The Alert configuration object includes configuration for which methods the OTP Server can use to alert and notify recipients. You can also define which modules are allowed to generate alerts.
Option | Description |
Use method | Select the delivery method the OTP Server sends the alert with. The delivery method must be configured under Delivery Methods before it appears in the drop-down list. |
Alert events | Select the events the OTP Server sends alerts for. Default is all events. |
Message Prefix | Enter a prefix added before the alert message. E.g. "Alert for otpsrv01 <message>" |
Recipients | Enter the addresses (mail, phone number, etc.) of the recipients of the alert messages. Enter one address per line. |
The License configuration object includes configuration options and license information. The license system for OTP Server version 3 is new and not compatible with version 2, which means that in order to upgrade you need new license files. Contact Nordic Edge for how the license can be upgraded.
The new license system counts how many unique user identities have been used and checks this against the total number of licenses that have been registered. New users above the registered user limit will not be able to authenticate via the OTP Server. Alerts can be configured to notify administrators when the number of licensed users is close to the limit. This gives organizations the opportunity to buy more licenses before users are refused.
The new license system also supports multiple license files. One file can for example include a 50-user license and another a 100-user license, giving a total of 150 user licenses.
The license files must be placed in the license file directory and the filename must end with the extension ".dat".
Option | Description |
Registered Licenses | The total number of licenses detected in the license files. |
Detect New | Checks for new licenses in the license directory. |
Unused Licenses | The number of licenses available for new users. |
Counter Started | The time and date when the license counter started. |
Refresh | Refreshes the license statistics. |
The Misc configuration object category holds configuration for other functions, described in the following sections.
OTP Server supports AES encryption and decryption. AES can be used to store OATH keys or other sensitive information in the databases used by the OTP Server. AES encryption is available in OTP version 3.1 and above.
The General Settings section configures which attributes the OTP Server encrypts. Click the Add button and add a specific attribute to encrypt.
INFO: AES encryption of OATH keys is enabled by the option Encrypt keys in keystorage database in Misc - OATH Configuration.
Option | Description |
AES Key | The AES key for encryption and decryption, entered in the Key type format selected below. In hex, a 128-bit key is a 32-character string and a 256-bit key a 64-character string (by the same arithmetic a 192-bit key is 48 hex characters). The key length must match the selected Key size; generate it with a cryptographic random generator rather than typing a passphrase. INFO: Do not change this key in a production environment. Data encrypted with a specific key cannot be read if the key is changed, and neither Nordic Edge nor anyone else can recover the encrypted data. Back the key up together with the configuration. |
Key size | Select 128, 192 or 256-bit encryption/decryption. |
Key type format | Select the format of the key: Hex or Base64. Default Hex. |
AES prefix | The AES data prefix. This prefix is stored in front of the encrypted value and indicates the encryption format. Default "{AES}". |
Data format | The format of the stored ciphertext: Hex or Base64. Default Hex. |
Use CBC | Enables or disables cipher-block chaining (CBC). With chaining disabled each 16-byte block is encrypted independently, which reveals repeated blocks; keep CBC enabled. |
IV (CBC) | The initialization vector (IV) required for CBC. Note: Must be in hex format and 16 bytes long (32 hex characters). A single IV is configured for the whole server and reused for every value, so two attributes holding the same plaintext produce the same ciphertext; do not rely on the stored values hiding that two users share a key. None of these settings add an integrity check to the stored value, so access control on the database remains essential. |
Lock | The Lock button protects the configuration above from accidental changes. Click again to unlock the settings. |
The Test encryption & decryption section helps administrators verify the AES settings for encryption and decryption.
Option | Description |
Value | Type a value to encrypt or decrypt. INFO: Make sure the AES Key has the length required by the selected Key size. See AES Advanced Settings, AES Key and Key size. |
Results | Displays the result of the encryption or decryption. |
The Expired Password Notification can be enabled to detect that an end-user's password has expired and notify the user.
Option | Description |
User attributes to send message to | Select the attribute or attributes the delivery method reads to find the user's address. It can be the mobile attribute holding the telephone number or the mail attribute with the e-mail address. Separate the attributes with a comma ",". Example: mobile,mail |
Message to the user | Enter the message the end-user sees when notified that their password has expired. |
Method to send notifications with | Select from the list the method used to send the notifications to the end-users. |
Enables the OTP Server to support hardware-based tokens and the mobile client Pledge, which use the HOTP or TOTP algorithm from OATH. Detailed information on how to store the OATH information in the user databases can be found in the section Detail OATH Key information.
It is also used to configure the automatic enrollment feature for tokens that send a Token Identifier.
Configuration of HOTP OATH settings.
Option | Description |
Encrypt Key and counter | Whether the HOTP key and counter are stored encrypted in the database. |
Validation LookAhead Value | The maximum number of counter values checked ahead of the stored counter when validating a user's OTP. Example: If the OATH device's counter is at 20 and the counter on the user object accessible by the OTP Server is at 10, a look-ahead value of at least 10 is needed to catch up. If the look-ahead value is too small, the OATH device is out of sync and must be resynchronized. Keep the window as small as the user population tolerates: with a 6-digit OTP and look-ahead value w, a single guess matches with probability about (w + 1)/1,000,000, so the window multiplies the attacker's odds. |
OTP Length/Variable Length | Enter the fixed or variable length of the OTP. Select the required length of the OTP. |
Truncation value | The truncation offset for OATH devices. This value should not be changed. Use -1 for variable (dynamic) truncation as specified in RFC 4226, where the offset is taken from the low four bits of the last HMAC byte. |
Use variable OTP length | Whether both 6- and 8-digit OTPs are accepted. Info: Available in OTP Server up to version 3.0. |
Configuration of TOTP OATH settings. Available in OTP version 3.1 and above.
Option | Description |
Accept time drift | Accept the previous, current and next OTP instead of only the current OTP. If a token device or the OTP Server drifts in time, this compensates by accepting the previous or next OTP. |
Anti-replay check | Whether a TOTP may be used only once within its timeframe. The OTP Server keeps track of the OTPs used for each TOTP device within the accepted timeframe, so a one-time password that is captured and submitted again while still valid is rejected. The timeframe is set by the token device, normally 30 or 60 seconds. Leave this enabled: without it an accepted OTP stays reusable for the whole window, which Accept time drift stretches to several time steps. |
Encrypt Key value | Whether the TOTP key value is stored encrypted in the database. |
Max Out of Synch Time Steps (Accept time drift) | The number of time steps an OTP device may be out of sync in either direction. E.g. with a time step of 30 seconds (set by the token device) and Max Out of Synch Time Steps = 2, the accepted window is 2x30 + 30 + 2x30 = 150 seconds, i.e. 2 minutes and 30 seconds centred on the server's current time step. |
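The look-ahead window for HOTP and the drift window plus anti-replay record for TOTP are easier to reason about in code than in prose. The Python below is an added example written for this page, not code from the OTP Server (whose implementation is not shown here). It implements RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1 with dynamic truncation, then the three server-side checks the tables describe: a HOTP look-ahead that advances the stored counter past the matched value so the same or an earlier OTP can never be reused, a TOTP window of Max Out of Synch Time Steps on each side of the current step, and an anti-replay record of OTPs already accepted inside that window. The class and function names, the in-memory user state and the use of the RFC 4226 test key "12345678901234567890" are the example's own assumptions.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, truncation: int = -1) -> str:
    """RFC 4226 HOTP over HMAC-SHA1. truncation=-1 selects dynamic truncation:
    the 4-byte window offset is the low nibble of the last HMAC byte, which is
    what the page's 'Truncation value -1' means."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = (mac[-1] & 0x0F) if truncation < 0 else truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(key, at // step, digits)


class HotpUser:
    """Server-side state for one HOTP device: shared key and next expected counter."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter


def verify_hotp(user: HotpUser, otp: str, lookahead: int, digits: int = 6) -> bool:
    """Accept otp if it matches any counter in [user.counter, user.counter + lookahead].
    On success the stored counter jumps to one past the matching value, so the
    matched OTP and every earlier one are dead. The comparison is constant-time
    so a wrong digit does not leak through timing."""
    for c in range(user.counter, user.counter + lookahead + 1):
        if hmac.compare_digest(hotp(user.key, c, digits), otp):
            user.counter = c + 1
            return True
    return False


class TotpUser:
    """Server-side state for one TOTP device: key, step length and the
    anti-replay record (time-step counter -> OTPs already accepted in it)."""

    def __init__(self, key: bytes, step: int = 30):
        self.key = key
        self.step = step
        self.used = {}


def verify_totp(user: TotpUser, otp: str, now: int, max_drift_steps: int,
                digits: int = 6) -> bool:
    """Accept the current time step plus max_drift_steps before and after it,
    i.e. 2*max_drift_steps + 1 steps. With step=30 and max_drift_steps=2 that is
    the page's 2x30 + 30 + 2x30 = 150 second window. An OTP that already
    succeeded in a step is rejected (anti-replay); entries that have slid out of
    the window are discarded so the record stays bounded."""
    current = now // user.step
    low, high = current - max_drift_steps, current + max_drift_steps
    for stale in [t for t in user.used if t < low or t > high]:
        del user.used[stale]
    for t in range(low, high + 1):
        if hmac.compare_digest(hotp(user.key, t, digits), otp):
            if otp in user.used.get(t, set()):
                return False  # replay inside the accepted timeframe
            user.used.setdefault(t, set()).add(otp)
            return True
    return False


if __name__ == "__main__":
    k = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key
    u = HotpUser(k, counter=10)   # server is 10 steps behind a device at 20
    print("lookahead 9 :", verify_hotp(u, hotp(k, 20), lookahead=9))
    print("lookahead 10:", verify_hotp(u, hotp(k, 20), lookahead=10), "->", u.counter)
```

The HOTP test vectors from RFC 4226 (counter 0 gives 755224, counter 9 gives 520489) exercise the core, and the device-at-20/server-at-10 case from the table shows that a look-ahead of 9 fails while 10 succeeds and resynchronises the stored counter to 21.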
These settings are general for both OATH HOTP and TOTP.
Option | Description |
Pincode placement | When a PIN code is used, whether the user enters the PIN code before or after the HOTP/TOTP value. Select Before or After. |
Accept OATH Token Identifier | Enable to accept token devices that send a Token Identifier together with the OTP. |
Enable Automatic Enrollment | Enables automatic enrollment for Class A Token Identifiers. Defines whether the automatic enrollment process picks up the OATH key and counter from a key database and stores them on the user object, matching the token by its OATH Token Identifier. |
This section can be configured when both Accept OATH Token Identifier and Enable Automatic Enrollment are enabled.
Option | Description |
Keystorage database | Select the database that contains or will contain the keys and token identifiers. |
Check SQL Database | This button is visible if the database type selected in the Keystorage database list is a SQL database. Click the button to test whether the selected database server has a database called TOKENDB with the table Token, which is a requirement. If they are not created yet, click Yes to create them. |
Object DN | This option is visible if the database type selected in the Keystorage database list is an LDAP database. Select the LDAP object to store the keys in. |
Attribute | This option is visible if the database type selected in the Keystorage database list is an LDAP database. Select the specific attribute to store the keys in. The attribute must be of the type multi-valued string. |
Upload keyfile to database | Click the button to upload keys from a file to the selected database. The file format must be semicolon separated, comma separated or PSKC (RFC 6030). Semicolon separated format (token identifier; HOTP key in hex; counter value), e.g. ub0000011111;69fc80be0e757941013c35b70b517d8d9f441fa;0 Comma separated format: Number id, Token identifier, counter value, HOTP key (hex), Config Password (not used), Timestamp, e.g. 125,ub9020000125,0,7e4baa15979ee53e2695bed18a10259f4bd6ebd5,000000000000,2010-04-19T01:48:51, A key file holds every token's secret in clear text: transfer it over a protected channel and delete it once the upload has been verified. |
Allow multiple token assignments | Accept enrollment of an additional token for a user who already has an OATH token. |
Encrypt keys in keystorage database | Whether the keys are stored encrypted in the key database. INFO: If AES is configured in Misc - AES, the keys are encrypted with AES. |
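The two delimited key-file layouts listed under Upload keyfile to database are worth validating before upload, because a malformed key or identifier silently produces a token that never authenticates. The Python parser below is an added example for this page, not the OTP Server's own importer. It handles the semicolon and comma layouts (PSKC is out of scope), tolerates the trailing comma in the comma sample, and rejects odd-length or short hex keys, non-numeric counters, token identifiers that are not the 12-character form the page's samples use, and duplicate identifiers. Note that the semicolon sample on the page has a 39-digit hex key, which is not a whole number of bytes and is rejected by this check; the sample file embedded in the code is constructed and uses 40-digit keys. The record type and function names are the example's own.

```python
from dataclasses import dataclass
from typing import List

MIN_KEY_BYTES = 16        # RFC 4226 requires a shared secret of at least 128 bits
TOKEN_ID_LENGTH = 12      # length of the token identifiers in the page's samples


@dataclass
class TokenRecord:
    token_id: str
    counter: int
    key: bytes


def parse_key_line(line: str) -> TokenRecord:
    """Parse one record in either delimited layout:
      semicolon: <token identifier>;<HOTP key hex>;<counter>
      comma:     <number id>,<token identifier>,<counter>,<HOTP key hex>,
                 <config password (unused)>,<timestamp>[,]
    Raises ValueError with a reason for anything that would not load cleanly."""
    line = line.strip()
    if ";" in line:
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 3:
            raise ValueError(f"semicolon layout needs 3 fields, got {len(parts)}: {line!r}")
        token_id, key_hex, counter = parts
    else:
        parts = [p.strip() for p in line.split(",")]
        if parts and parts[-1] == "":      # trailing comma as in the manual's sample
            parts.pop()
        if len(parts) != 6:
            raise ValueError(f"comma layout needs 6 fields, got {len(parts)}: {line!r}")
        _number_id, token_id, counter, key_hex, _config_pw, _timestamp = parts
    if len(token_id) != TOKEN_ID_LENGTH or not token_id.isalnum():
        raise ValueError(f"token identifier {token_id!r} is not {TOKEN_ID_LENGTH} alphanumeric chars")
    if len(key_hex) % 2 != 0:
        raise ValueError(f"key for {token_id} has odd hex length {len(key_hex)}")
    try:
        key = bytes.fromhex(key_hex)
    except ValueError:
        raise ValueError(f"key for {token_id} is not valid hex")
    if len(key) < MIN_KEY_BYTES:
        raise ValueError(f"key for {token_id} is only {len(key)} bytes")
    if not counter.isdigit():
        raise ValueError(f"counter {counter!r} for {token_id} is not a non-negative integer")
    return TokenRecord(token_id, int(counter), key)


def parse_key_file(text: str) -> List[TokenRecord]:
    """Parse a whole file; blank lines and '#' comments are skipped and a
    duplicated token identifier is an error (two secrets for one token)."""
    records: List[TokenRecord] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            rec = parse_key_line(raw)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if rec.token_id in seen:
            raise ValueError(f"line {lineno}: duplicate token identifier {rec.token_id}")
        seen.add(rec.token_id)
        records.append(rec)
    return records


def is_valid_key_line(line: str) -> bool:
    """Convenience wrapper: True if the line would load, False otherwise."""
    try:
        parse_key_line(line)
        return True
    except ValueError:
        return False


# Constructed sample file (not from the product): one record per layout.
SAMPLE_KEYFILE = """# semicolon layout
ub0000011111;69fc80be0e757941013c35b70b517d8d9f441fa0;3
# comma layout, trailing comma as in the manual's sample
125,ub9020000125,0,7e4baa15979ee53e2695bed18a10259f4bd6ebd5,000000000000,2010-04-19T01:48:51,
"""

if __name__ == "__main__":
    for rec in parse_key_file(SAMPLE_KEYFILE):
        print(rec.token_id, rec.counter, len(rec.key), "byte key")
```

Run against the page's own semicolon sample, is_valid_key_line returns False because of the 39-digit key; fixing the file before upload is cheaper than debugging a token that is "out of sync" from day one.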
In some LDAP databases there is a default limit of 1000 entries in an LDAP attribute. Advanced OATH enrollment enables the use of multiple object/attributes to store OATH Keys to overcome this LDAP limitation.
Option | Description |
Maximum nr of keys per object | Set the maximum number of keys stored in each object. |
The Prefetch Proxy Config configuration object includes configuration for how the OTP Server sends the prefetched one-time passwords.
Identity Manager & Pledge Enrollment
Enables the Identity Manager and Pledge Enrollment web applications. Identity Manager for OTP is a preconfigured version of the Nordic Edge Identity Manager Portal deployed on the included Tomcat server. It can be used by administrators and helpdesk personnel to administer specific user information in the user stores (databases) used by the OTP Server. It can also be used as a self-administration portal for end-users to change specific information about themselves.
Pledge Enrollment is a web application deployed on the included Tomcat server that lets end-users follow an easy step-by-step auto-enrollment process to download a Pledge profile with the HOTP key included. The application uses a web services interface to integrate with the Nordic Edge Profile Factory services, where customers can design the look and feel and the security options of their Pledge profiles.
A step by step guide for Pledge Enrollment is available here:
http://support.nordicedge.com/step-by-step-guide-to-implement-pledge-enrollment-to-otpserver
Enables the OTP Server integration for Yubico.
Detailed documentation of the Nordic Edge and Yubico integration is available separately.
There are different ways of starting/stopping the OTP Server on Microsoft® Windows®:
The OTP Server can be started in the following ways on UNIX/Linux/OSX:
The OTP Server Monitor can be displayed when the OTP Server process is started if the option Enable Monitor is configured in the Server object category. This option requires GUI support on the server.
The monitor can be used to configure the server, display statistics (Show Details) and shutdown the server process.
Configuration
Click on the button Configuration to start the configuration program.
Click on the button Shutdown to shutdown the server process.
Click on the button Show Details to see the statistics from the OTP Server.
Option | Description |
Total OTP's | The total number of OTPs created. |
Successful OTP's | The number of OTPs successfully answered by clients. |
Failed OTP's | The number of OTPs which the clients failed to answer. |
Unfetched OTP's | The number of OTPs that have not yet been retrieved by a client. |
Expired OTP's | The number of OTPs that have expired. |
Option | Description |
RADIUS Packets Sent | The number of sent RADIUS packets. |
RADIUS Packets Received | The number of received RADIUS packets. |
Option | Description |
Active Connections | The number of native client connections at this moment. |
Successful connections | The total number of successful native client connections to this OTP Server. |
Failed Connections | The total number of failed native client connections to this OTP Server. |
Option | Description |
Encrypted Requests | The number of encrypted requests from native clients to the OTP Server. |
Unencrypted requests | The number of unencrypted requests from native clients to the OTP Server. |
Rejected Unencrypted Requests | The number of requests from native clients that were rejected by the OTP Server because the client did not encrypt the request (Requires Always Encryption or ”EncryptionLevel=2” in otp.properties). |
Option | Description |
Successful Logins | The number of successful user authentications against LDAP or JDBC/ODBC databases. |
Failed Logins | The number of failed user authentications against LDAP or JDBC/ODBC databases. |
Locked Accounts | The number of times the OTP Server has locked out a user because the maximum number of login attempts against the LDAP or JDBC/ODBC database was reached. |
This is a hosted service that enables our customers to use strong authentication without the need to install the product in their own environment. The Nordic Edge OTP On-Demand is accessed via Web Services.
This is a hosted service that enables our customers to use SMS distribution without the need to install the product in their own environment. The Nordic Edge SMS On-Demand is accessed via Web Services.
This plug-in delivers one-time passwords using SMS via a Nordic Edge hosted SMS gateway. The Nordic Edge SMS Gateway supports automatic fail-over for service and SMS operator delivery, usage statistics, SMS status control and easy setup.