Echidna Concepts Guide

Similar documents
DIGIPASS Authentication for O2 Succendo

DIGIPASS Authentication for Cisco ASA 5500 Series

DIGIPASS Authentication for NETASQ

DIGIPASS Authentication for F5 BIG-IP

DIGIPASS Authentication for Check Point VPN-1

DIGIPASS Authentication for Check Point VPN-1

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Barracuda Networks SSL VPN

Authenticatr. Two-factor authentication made simple for Windows network environments. Version 0.9 USER GUIDE

One Identity Defender 5.9. Product Overview

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007

RSA Authentication Manager 7.1 Administrator s Guide

Authlogics Forefront TMG and UAG Agent Integration Guide

RSA Authentication Manager 7.1 Help Desk Administrator s Guide

Mozy. Administrator Guide

Dell One Identity Cloud Access Manager 8.0. Overview

Barracuda Networks NG Firewall 7.0.0

Pass4sure CASECURID01.70 Questions

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

<Partner Name> <Partner Product> RSA SECURID ACCESS. NetMove SaAT Secure Starter. Standard Agent Client Implementation Guide

RSA Authentication Manager 8.0 Security Configuration Guide

Certificate Enrollment for the Atlas Platform

Microsoft Unified Access Gateway 2010

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

RSA Authentication Manager 7.1 Migration Guide

SafeNet Authentication Service for Your Business Introducing Strong Authentication as-a-service. Marko Bobinac PreSales Engineer CEE, Russia & CIS

SERVICE DEFINITION G-CLOUD 7 THALES PSN REMOTE ACCESS. Classification: Open

Horizon Workspace Administrator's Guide

Cloud Access Manager Overview

PlateSpin Forge 3.4. Getting Started Guide. July 31, 2013

WebADM and OpenOTP are trademarks of RCDevs. All further trademarks are the property of their respective owners.

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

HySecure Quick Start Guide. HySecure 5.0

CA Adapter. CA Adapter Installation Guide for Windows 8.0

DIGIPASS Authentication for Citrix Access Essentials Web Interface

<Partner Name> RSA SECURID ACCESS. VMware Horizon View Client 6.2. Standard Agent Implementation Guide. <Partner Product>

RSA Authentication Manager 6.1 to 8.0 Migration Guide

Software Token. Installation and User Guide. 22 September 2017

Integration Guide. SafeNet Authentication Service. SAS using RADIUS Protocol with WatchGuard XTMv. SafeNet Authentication Service: Integration Guide

Migration and Building of Data Centers in IBM SoftLayer

Access Manager 4.0 includes new features, improves usability, and resolves several previous issues.

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide

OUR CUSTOMER TERMS CLOUD SERVICES - INFRASTRUCTURE

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017

VMware AirWatch Content Gateway Guide for Linux For Linux

KACE GO Mobile App 5.0. Getting Started Guide

Cloud Services. Introduction

SafeNet Authentication Service

SonicWall Mobile Connect ios 5.0.0

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Installation and Upgrade Guide

HOB HOB RD VPN. RSA SecurID Ready Implementation Guide. Partner Information. Product Information Partner Name. Last Modified: March 3, 2014 HOB

SailPoint IdentityIQ 6.4

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager vidm 2.7

CNS-207-2I Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

VMware AirWatch Content Gateway Guide For Linux

Opengear Technical Note

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

7. How do I obtain a Temporary ID? You will need to visit HL Bank or mail us the econnect form to apply for a Temporary ID.

The Balabit s Privileged Session Management 5 F5 Azure Reference Guide

Securing VMware NSX MAY 2014

McAfee Security Management Center

Quest vworkspace. What s New. Version 7.5

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

DIGIPASS Authentication to Citrix XenDesktop with endpoint protection

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

Oracle Banking Digital Experience

KeyNexus Hyper-V Deployment Guide

VAM. Epic epcs Value-Added Module (VAM) Deployment Guide

<Partner Name> RSA SECURID ACCESS Standard Agent Implementation Guide. WALLIX WAB Suite 5.0. <Partner Product>

The only authentication platform you ll

Busting the top 5 myths of cloud-based authentication

Microsoft Architecting Microsoft Azure Solutions.

One Identity Starling Two-Factor Authentication. Administration Guide

Firewall XG / SFOS v16 Beta

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

Sophos Mobile Control Administrator guide. Product version: 5.1

RSA Exam 050-v71-CASECURID02 RSA SecurID Certified Administrator 7.1 Exam Version: 6.0 [ Total Questions: 140 ]

Security Access Manager 7.0

Acronis and Acronis Secure Zone are registered trademarks of Acronis International GmbH.

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

MaaS360.com. MaaS360 On-Premises. Database Virtual Appliance Setup Guide

Sophos Mobile Control Super administrator guide. Product version: 3.5

Contains the Linux Identity Server, the Linux Administration Console, the ESP-enabled SSL VPN Server, and the Traditional SSL VPN Server.

ipad in Business Security Overview

Security context. Technology. Solution highlights

Remote Support Security Provider Integration: RADIUS Server

OneKey Mobile App USER GUIDE

vsphere Replication for Disaster Recovery to Cloud

Dell SonicWALL NSA 3600 vpn v

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3.1 April 07, Integration Guide IBM

Product Guide. McAfee Enterprise Mobility Management (McAfee EMM ) 9.6

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for SonicWALL Secure Remote Access

Transcription:

Salt Group Concepts Guide Version 15.1 May 2015

2015 Salt Group Proprietary Limited. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. Copies of software supplied by Salt Group must not be released to any party without written authorisation from Salt Group and remain the property of Salt Group for all time. They may not be transferred to any computer without both a service contract for the use of the software on that computer being in existence and written authorisation from Salt Group. Copies of software released by Salt Group to academic establishments may not be used for any commercial purpose without written authorisation from Salt Group and royalty payments made to the company. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of Salt Group. Whilst Salt Group has made every effort in the preparation of this manual to ensure the accuracy of the information, the information contained in this manual is delivered without warranty, either express or implied. Salt Group will not be held liable for any damages caused, or alleged to be caused, either directly or indirectly by this manual. Licenses and Trademarks All other brands and their products are trademarks or registered trademarks of their respective holders and should be noted as such. All other trademarks acknowledged.

Contents Chapter 1: Before starting...4 1.1 About this book... 4 1.2 About... 5 Chapter 2: Benefits of...6 2.1 Reduces token costs... 6 2.2 Seamless migration from legacy solution... 6 2.3 Efficient deployment and operation... 6 2.4 Easy to customise... 7 2.5 Perpetual licensing... 7 2.6 Supports many token types... 7 Chapter 3: Deployment models...8 3.1 Two-factor authentication for an access point... 8 3.2 Replace legacy tokens... 9 3.3 Protect an Internet banking application... 10 Chapter 4: Integration with existing infrastructure... 11 4.1 runs in a virtual appliance... 11 4.2 Components of... 12 Chapter 5: High availability and disaster recovery... 14 5.1 Load balancing... 15 5.2 Failover... 15 5.3 Disaster recovery... 15 Chapter 6: Configure and manage... 16 Chapter 7: Licensing... 17

Chapter 1: Before starting 1.1 About this book This Concepts Guide is part of a set of books about. It describes and how it can be used. Person Book Tasks Concepts Guide Understand Administrator Installation Guide Administration Reference Install and configure Update, monitor, and manage User support Operations Guide Manage users and tokens Figure 1: When to use each book in the documentation set 4

1.2 About is a multi-factor authentication server, designed to let staff and users not only access applications securely, but also add other security features to existing applications. For example, can add transaction-signing capabilities to an Internet banking application. supports a range of authentication devices, allowing fit-for-purpose and no lock-in, irrespective of legacy systems. Other benefits include: s pricing model is below 40% of the costs of legacy authentication servers. can easily be skinned to allow branded deployments. can be fully customised on-the-fly without code changes. is suitable for financial institutions, government departments, and enterprises. accepts both RADIUS and HTTP/S requests, and it connects to your existing user store: Clients Other systems Timesheets application HTTPS server Active Directory Users VPN RADIUS Database Tokens Figure 2: How relates to other systems 5 Concepts Guide for 15.1

Chapter 2: Benefits of 2.1 Reduces token costs Authentication servers are usually restrictive on the various forms of authentication types that they support, leading to customers being locked in to having to continue to use them, due to their proprietary nature. supports a range of standards-based authentication devices, as well as proprietary authentication devices through its brokering services. When is used with free Salt mobile tokens, costs are further reduced because token replacement costs (which can be more than 30% 1 of total token cost per year) are eliminated. 2.2 Seamless migration from legacy solution allows users to gradually migrate from the legacy solution, without requiring a massive single change. can continue to support legacy hardware tokens, by brokering authentication requests to the legacy server. As the legacy tokens expire, users can be given newer, more cost-effective tokens. For more information, see Chapter 6: Brokering authentication in the Administration Reference. 2.3 Efficient deployment and operation Two-factor authentication servers are usually expensive to deploy and operate, due to a combination of user licensing costs, token costs (including mobile), replacement token costs, and token operational management, particularly when provisioning tokens to users. Not only can be deployed in under 20 minutes, but its operation model allows for users to be either self-managed or remotely managed. When combined with over-the-air provisioning, this provides a very easy-to-manage an efficient operational environment. For a full description of how to install and configure, see the Installation Guide. 1 The industry-standard churn rate on tokens that are lost, broken, or never returned. 6

2.4 Easy to customise can be fully customised without code changes, allowing organisations to use stronger authentication more easily across applications and work force. can better adapt to the various business authentication requirements and flows. For example, can support timed temporary passwords as a backup authentication method for users who have hardware tokens, but not for users with mobile tokens, or vice versa. 2.5 Perpetual licensing is sold using a perpetual licensing model based on active tokens/users. This means that two-factor authentication does not have to be restricted to a sub-set of your work force: you can bring the security, efficiency, and productivity benefits to everyone. 2.6 Supports many token types supports multiple authentication tokens, including but not limited to the following: Mobile token (Salt mcodexpress app) OATH hardware tokens OTP delivered by SMS OTP delivered by email Legacy hardware tokens Figure 3: Some of the tokens that supports Salt mcodexpress is an app that securely generates one-time passcodes (OTPs). Users can install Salt mcodexpress on their phone or tablet and then register it with their organisation's server. After registration, Salt mcodexpress generates OTPs that let the user sign in to their organization's VPN or other remote access system. OATH hardware tokens comply with the OATH HOTP, OATH TOTP or OATH OCRA standards. One-time passcodes (OTPs) are delivered to a user by SMS or email. Legacy hardware tokens such as RSA SecurID and Vasco tokens are supported by brokering authentication requests to a legacy server. For more information, see Chapter 5: Configure authentication in the Administration Reference. 7 Concepts Guide for 15.1

Chapter 3: Deployment models is flexible in the deployment models that it can support. The following diagrams show some of the ways it can be deployed within an organisation. 3.1 Two-factor authentication for an access point can receive RADIUS requests for authentication. The following diagram shows an example system. In this example, a remote staff member uses a VPN gateway to access protected resources behind the company firewall. In this example, works with the mcodexpress token. This is a Salt mobile app, downloadable for free from your favourite app store. When the user tries to access a protected application, they see a login page that requires them to enter a one-time passcode (OTP). The user generates the OTP using mcodexpress on their phone and types the new OTP into the Password box on the login page. When the user signs in, the VPN gateway delegates authentication to by sending the credentials via RADIUS. Remote staff Salt mcodexpress app on phone Protected application Enterprise network Enter PIN **** Enter OTP from app VPN gateway Resources Send OTP, via RADIUS validates OTP Figure 4: Example of a system in which provides two-factor authentication to a RADIUS client checks the credentials and returns a response to the VPN gateway, also via RADIUS. The gateway then grants or denies access to the user, depending on 's response. 8

3.2 Replace legacy tokens can broker authentication requests to a legacy authentication server, such as RSA Authentication Manager and Vasco IDENTIKEY. proxies the authentication requests to the thirdparty authentication server, allowing this third-party server to validate legacy or proprietary tokens. The organisation retains its existing authentication mechanisms and at the same time seamlessly introduces new lower-cost and convenient tokens. Users with legacy tokens continue to use the legacy server. As the legacy tokens expire, users receive their new lower-cost standards-based tokens. Because the legacy authentication server continues to respond to authentication requests, there is minimal user or technology impact. User with the new tokens are unaware that their tokens are now validated by the server, as brokering for the user will no longer be required. Before setting up After setting up to broker requests for RSA VPN server RADIUS Client RADIUS RSA Authentication Manager Authentication server RADIUS VPN server RADIUS RSA Authentication Manager RADIUS Client Legacy authentication server Figure 5: can be placed in front of a legacy authentication server This diagram shows how provides a single target for all authentication traffic for the enterprise. handles some authentication requests itself, and it forwards other requests to RSA Authentication Manager and then waits for the response. The following example shows a legacy RSA system. In this situation, receives all authentication requests, and delegates the requests that contain a SecurID OTP to RSA Authentication Manager. Staff Protected application Enter PIN and token OTP Payroll PIN: **** Token OTP: **** PIN + token OTP, via HTTPS combines PIN and token OTP to produce an OTP Auth request containing OTP RSA Authentication Manager Figure 6: Example of how can broker authentication requests to RSA Authentication Manager With this model, after the users have all been transparently migrated, the legacy authentication server can be either re-purposed or retired. For more information, see Chapter 6: Brokering authentication in the Administration Reference. 9 Concepts Guide for 15.1

3.3 Protect an Internet banking application can receive authentication requests via its web services API, over HTTP/S. The following diagram shows an example of how can protect an Internet banking application. Customer 1. Customer enters username and password 6. Customer enters OTP from SMS Protected application Internet banking * * * * * * 2. Username and password, via HTTPS 7. OTP, via HTTPS 3. generates OTP 4. sends mobile number and OTP 8. validates OTP 5. Gateway sends OTP via SMS SMS gateway Figure 7: Example system shows working with a messaging gateway to provide OTP tokens via SMS In this diagram, works with an SMS OTP token, which is an OTP produced and validated by. The user wants to sign into a secure banking application, which requires a one-time passcode (OTP). To get this OTP, the user signs in with their usual password, and is then prompted to check their phone for an SMS. The application sends the credentials to via HTTPS. generates an OTP and gives it to an SMS gateway to be sent to the user's mobile number. The user enters the OTP in the banking application, which sends the OTP via HTTPS to for validation. If the OTP is correct, the user is granted access to the Internet banking application. Deployment models 10

Chapter 4: Integration with existing infrastructure 4.1 runs in a virtual appliance is supplied as a virtual appliance 2, which is a virtual machine that already contains. is served by Apache Tomcat. In addition, the virtual machine automatically includes OpenJDK and a selection of JDBC drivers. Virtual machine Operating system: Ubuntu Apache Tomcat (an application in Tomcat) OpenJDK JDBC drivers Figure 8: is an application within Tomcat, which is already set up in a virtual appliance Salt Group supplies the virtual appliance in Open Visualization Format (OVF) format, which most hypervisors can use. To set up, the administrator deploys a new VM, using the OVF file as a template. In the new VM, the administrator then configures the new server, and connects it to other systems in the organisation. The Ubuntu operating system is configured to restrict access to only the services provided by, the Virtual Appliance System Management Interface, and SSH. For a full description of how to set up, see the Installation Guide. 2 can be supplied as an installation package, upon request. 11

4.2 Components of In this architecture diagram, the orange items are the components and the blue items are the other systems in the organisation that connects to. Web services clients HTTP(S)/1888 User store RADIUS clients or servers RADIUS/1812 HTTPS/443 User support console server Internal database (users, tokens and audit data) or External database (tokens and audit data) Web browser HTTPS/443 Self service console HTTPS/8443 Admin console config.xml Internal keystore or External keystore Figure 9: Architecture of and the systems it connects to 4.2.1 Clients When a user attempts to log in to an application, the application sends the request to for validation. Each application is a client of. In this diagram, they are shown in the top left corner. Each client must be configured to send authentication requests to the server. can receive requests via RADIUS and via web services (HTTP and HTTPS). 4.2.2 Consoles Staff and end users use a web browser to access a console, which lets them do relevant tasks with. For more information, see Chapter 6: Configure and manage on page 16. 4.2.3 User store needs user records to authenticate against. If an organisation already has a user store (such as a database or Active Directory), can connect to that user store. If there is no existing user store, use 's internal database to store user records. For more information, see Chapter 4: Configure the user data in the Administration Reference. Integration with existing infrastructure 12

4.2.4 Database stores token records and audit data in a database. If the organisation already has a database, can connect to these. Alternatively, can use its own internal database and keystore if these do not already exist. In addition, this internal database can store user records if required. For more information, see Chapter 3: Configure the database in the Administration Reference. 4.2.5 Keystore uses cryptographic keys and certificates to encrypt sensitive data such as administrator passwords, client credentials, and token seed material. These keys and certificates are also used to establish SSL connections to and from. stores its keys and certificates in standard Java cryptographic keystores, which can be hardware-based if required. If the organisation already has a keystore management process, can make use of it. Alternatively, can use its own internal keystores. For more information, see Chapter 9: Configure passwords, keystores, and SSL in the Administration Reference. 4.2.6 Configuration stores its configuration in XML format. The configuration file can be scrutinised by auditors, and managed under change control. Administrators can export this configuration and then import all or some of it. To permit failover and high availability, two servers can share the same XML file if it includes licenses for both servers. For more information, see Chapter 12: Manage Configuration in the Administration Reference. 13 Concepts Guide for 15.1

Chapter 5: High availability and disaster recovery When provides authentication services in a mission-critical system, you need enterprise-grade disaster recovery and high availability. is ready to be deployed in a high-availability environment. stores its essential information outside its own server, which lets multiple instances of share the same user and token information. This allows for both failover and load balancing. It also supports backup and recovery. uses information in the following external locations: Configuration - Stored in an external XML file User data - Stored in a user store or in 's database Token state data - Stored in a database Cryptographic key data - Stored in Java cryptographic keystores 14

Load balancer 5.1 Load balancing In a high-traffic system, you can use a load balancer to distribute requests across multiple instances of. Configure each instance of to use the same sources of user and system information, as shown in this example: Many applications send authentication requests to Many instances of Each shares the same user store, database, etc Share trading User store Database Internet banking config.xml Online insurance Keystore Figure 10: Example load-balancing setup for To keep your service capacity level high, the load balancer spreads the requests across all instances of. 5.2 Failover In a high-sla environment, set up failover to prevent system outage and allow for maintenance downtime. Configure clients to fail over to a second server. In addition, ensure that the user, token, configuration, and SSL data is all replicated. 5.3 Disaster recovery Ensure that the configuration file, the user store, the token database, and the keystores are backed up using your usual backup procedures. In the event of a disaster requiring recovery of, restore each of the four components first, then restore. Alternatively, because runs in a virtual machine, administrators can take snapshots of the entire machine. 15 Concepts Guide for 15.1

Chapter 6: Configure and manage comes with three console applications, which users access with a web browser. This diagram shows the three consoles, and the people who use them: Person Web page Components User support User Support console Database (tokens and audit data) End user Self Service console server User store Administrator Admin console Figure 11: Consoles that come with Administrators install, configure, maintain, and monitor, using the Administration console. Administrators have the highest level of access to 's configuration. Administrators are responsible for keeping working smoothly. Support staff manage and monitor tokens and users, using the User Support console. They take calls from users about login problems and they troubleshoot these problems. If support staff cannot fix an end user's problem, they escalate the problem to an administrator. End users log in to applications with their tokens. If the organisation permits it, end users can register tokens and change their preferred authentication method using the Self Service console. If the organisation does not let end users manage their own tokens, support staff do these tasks on behalf of users. 16

Chapter 7: Licensing is installed with an evaluation license. This is valid for one month from the time the server is configured. The evaluation license limits to only two tokens for each authentication method, and no connection to an SMS gateway. To remove these limitations, register by applying for a permanent license. To receive a permanent license, use the Administration console to create a license request, and then email the request to your supplier. You will receive an email with an attached license file, which is an XML file that updates the configuration. The administrator imports the license and then saves the configuration. Each permanent license permits a certain number of tokens to be used. Each license can include an overall token limit, plus a limit for each authentication method. For example, if an organisation s license has an overall token limit of 100 plus limits of 100 mcodexpress tokens and 10 OATH TOTP tokens, allows up to 100 mcodexpress tokens and up to 10 OATH TOTP tokens, provided the total does not exceed 100. The Salt mcodexpress mobile app is free and has no expiry date. An organisation's users can install Salt mcodexpress on as many mobile devices as they like. When a user registers their Salt mcodexpress app with their organisation, counts it as a token, for licensing purposes. For more information, see 12.9 Licensing for in the Administration Reference. 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback