Configuring OATH OTP Settings
This page describes how to configure OATH OTP Issuance Profiles and Authentication Policies, and how to manage OATH OTP Tokens:
Configuring an OATH OTP Issuance Profile
An OATH OTP profile can be used to specify the following attribute for an OATH One-Time Password (OATH OTP Token) credential:
- Validity period: The period for which an OATH OTP Token is valid.
By configuring an OATH OTP profile and assigning it to one or more organizations, you can control the characteristics of OATH OTP Token credentials that are issued to users of those organizations. Use the OATH OTP Profiles page to create OATH OTP Token credential profiles.
Follow these steps:
- Click the Services and Server Configurations tab on the main menu.
- Verify that the CA Strong Authentication tab in the submenu is active.
- Under the OATH OTP Token section, click the Issuance link to display the OATH One Time Password Profiles page.
- Edit the fields in the Profile Configurations section, as required.
- Profile Configurations
  - Create: To create a profile:
    - Select the Create option.
    - Specify the Configuration Name of the new profile in the field that appears.
  - Update: To update an existing profile, select the profile that you want to update from the Select Configuration list that appears.
  - Copy Configuration: Enable this option to create the profile by copying the configurations from an existing profile. Note: You can also copy from configurations that belong to other organizations that you have scope on.
  - Available Configurations: Select the profile from which the configurations are copied.
  - Validity Start Date: Set the date from when the issued OATH OTP Token credential is valid. The validity can start either from the date when the credential is created or from a custom date that you specify.
  - Validity End Date: Set the date when the OATH OTP Token expires. You can use the following options to set the expiration date:
    - Specify the duration
    - Specify a custom date
    - Choose the Never Expires option if you want the OATH OTP Token not to expire.
- Expand the Advanced Configurations section by clicking the [+] sign.
- In the Custom Attributes section, specify any extra information in the Name-Value pair format, for example, organization information that plug-ins can use.
- Set the following values in the User Validations section:
- Select the User Active option if you want to verify the user status for the following operations involving the current credential:
- Create credential
- Reissue credential
- Reset credential
- Reset validity of the credential
- Select the User Attribute option if you want to verify whether the user attribute matches certain values. You can set the value for the following user attributes:
- Date when the user was created
- Date when the user details were modified
- Email address
- First name
- Middle name
- Last name
- User status
- Telephone number
- Unique user identifier
The user attribute check is available only if you are performing configurations at the organization level.
- In the Multiple Credential Options section, enter a description that identifies the purpose for which the OATH OTP Token is used in the Usage Type field. For example, if a user has a temporary credential for remote login to the network, the usage type for this credential can be temporary.
- Click Save.
- Refresh all deployed CA Strong Authentication Server instances.
Configuring an OATH OTP Authentication Policy
An OATH OTP Token authentication policy can be used to specify the following attributes for OATH OTP-based authentication:
- User status: The status of the user, which can be active or inactive. If the user status check is enabled, authentication fails for users in the inactive state.
- Lockout criteria: The number of failed attempts after which the user credential is locked.
- Unlocking criteria: The number of hours after which a locked credential can be used again.
Follow these steps:
- Click the Services and Server Configurations tab on the main menu.
- Verify that the CA Strong Authentication tab in the submenu is active.
- Under the OATH OTP Token section, click the Authentication link to display the OATH OTP Token Authentication Policy page.
- Edit the fields in the Policy Configuration section, as required.
- Policy Configurations
  - Create: To create a new policy:
    - Select the Create option.
    - Specify the Configuration Name of the new policy in the field that appears.
  - Update: To update an existing policy, select the policy that you want to update from the Select Configuration list that appears.
  - Copy Configuration: Enable this option if you want to create the policy by copying the configurations from an existing policy. Note: You can also copy from configurations that belong to other organizations that you have scope on.
  - Available Configurations: Select the policy from which the configurations are copied.
  - Authentication Look Ahead Count: Specify the number of times the OATH OTP counter on the CA AuthMinder Server is increased to verify the OATH OTP entered by the user.
  - Authentication Look Back Count: Specify the number of times the OATH OTP counter on the CA AuthMinder Server is decreased to verify the OATH OTP entered by the user.
    For both counts, the OATH OTP entered by the user is compared with all the OATH OTPs that the server generates for counts from (current count - Authentication Look Back Count) to (current count + Authentication Look Ahead Count); if the OATH OTP entered by the user matches one of them, the user is authenticated. Note: If the client and server OATH OTP match, then that count is set as the current count on the server.
  - Synchronization Look Ahead Count: Specify the number of times the OATH OTP counter on the CA AuthMinder Server is increased to synchronize with the OATH OTP counter on the client device.
  - Synchronization Look Back Count: Specify the number of times the OATH OTP counter on the CA AuthMinder Server is decreased to synchronize with the OATH OTP counter on the client device.
    For both counts, to synchronize the client and the server OATH OTPs, the user has to provide two consecutive OATH OTPs. If these OATH OTPs match two consecutive server OATH OTPs in the lookup range (current count - Synchronization Look Back Count to current count + Synchronization Look Ahead Count), then the server counter is synchronized with the count corresponding to the second OATH OTP entered by the user.
  - Lockout Credential After: Specify the number of failed attempts after which the OATH OTP credential is locked.
  - Check User Status Before Authentication: Select this option if you want to verify whether the user status is active before authenticating them.
- Expand the Advanced Configurations section by clicking the [+] sign.
- Edit the fields in the section, as required.
- Advanced Configurations
  - Issue Warning: Specify the number of days before credential expiration at which the warning about the user's impending credential expiration is sent to the calling application.
  - Allow Successful Authentication: Specify the number of days for which users can use an expired credential to log in successfully.
  - Enable Automatic Credential Unlock: Select this option if you want the credential to be automatically unlocked after the time you specify in the following field. This field is valid only if you specify the corresponding value in the Lockout Credential After field.
  - Unlock After: Specify the number of hours after which a locked credential can be used again for authentication.
  - Alternate Processing Options: The CA AuthMinder Server acts as a proxy and passes the authentication requests to other authentication servers, based on the following conditions:
    - User Not Found: If the user trying to authenticate is not present in the CA AuthMinder database, then the request is passed to the other server.
    - Credential Not Found: If the credential with which the user is trying to authenticate is not present in the CA AuthMinder database, then the request is passed to the other server.
  - Usage Type for Verification: If you want the users to authenticate with a particular OATH OTP credential, enter the name of its usage type in this field. If you do not specify the usage type, then the usage type mentioned in the default OATH OTP authentication policy is used.
- Click Save.
- Refresh all deployed CA AuthMinder Server instances.
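The counter-window fields, the Lockout Credential After setting and the automatic unlock described in the steps above are the standard HOTP (RFC 4226) verification, resynchronization and lockout behaviour. The following is an added example, not CA AuthMinder's code or code from this page: it implements HOTP and a small server-side token model whose policy fields are named after the settings above. The default values, the `OtpPolicy` and `ServerToken` names, and the choice to advance the server counter one past the matched count (so that an accepted OTP cannot be replayed) are this example's assumptions about how "that count is set as the current count" is applied. The demo secret is the published RFC 4226 test vector, not a real credential.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class OtpPolicy:
    """Knobs named after the policy fields on this page (default values are assumptions)."""
    auth_look_ahead: int = 3
    auth_look_back: int = 0        # > 0 re-accepts counts the server already consumed
    sync_look_ahead: int = 20
    sync_look_back: int = 0
    lockout_after: int = 5         # Lockout Credential After: failed attempts before locking
    unlock_after_hours: Optional[float] = None  # Unlock After; None = no automatic unlock


@dataclass
class ServerToken:
    """Server-side state for one HOTP credential (illustrative model)."""
    secret: bytes
    counter: int = 0                   # count of the next OTP the server expects
    failed_attempts: int = 0
    locked_at: Optional[float] = None  # lockout time in seconds; None = unlocked

    def is_locked(self, policy: OtpPolicy, now: float) -> bool:
        """Lock check, applying the Unlock After period when automatic unlock is set."""
        if self.locked_at is None:
            return False
        if (policy.unlock_after_hours is not None
                and now - self.locked_at >= policy.unlock_after_hours * 3600):
            self.locked_at, self.failed_attempts = None, 0
            return False
        return True

    def _fail(self, policy: OtpPolicy, now: float) -> bool:
        self.failed_attempts += 1
        if self.failed_attempts >= policy.lockout_after:
            self.locked_at = now
        return False

    def verify(self, otp: str, policy: OtpPolicy, now: float = 0.0) -> bool:
        """Accept `otp` if it matches any count in
        [counter - look_back, counter + look_ahead]; on success move the server
        counter one past the matched count so the same OTP cannot be replayed."""
        if self.is_locked(policy, now):
            return False
        lo = max(self.counter - policy.auth_look_back, 0)
        for c in range(lo, self.counter + policy.auth_look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter, self.failed_attempts = c + 1, 0
                return True
        return self._fail(policy, now)

    def resync(self, otp1: str, otp2: str, policy: OtpPolicy, now: float = 0.0) -> bool:
        """Two consecutive OTPs re-align a device that drifted past the
        authentication window; the server counter lands after the second OTP."""
        if self.is_locked(policy, now):
            return False
        lo = max(self.counter - policy.sync_look_back, 0)
        for c in range(lo, self.counter + policy.sync_look_ahead + 1):
            if (hmac.compare_digest(hotp(self.secret, c), otp1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), otp2)):
                self.counter, self.failed_attempts = c + 2, 0
                return True
        return self._fail(policy, now)


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret; not a real credential.
    secret = b"12345678901234567890"
    policy = OtpPolicy(auth_look_ahead=3, lockout_after=2, unlock_after_hours=1)
    token = ServerToken(secret, counter=3)
    print("device at count 5 accepted:", token.verify(hotp(secret, 5), policy))
    print("same OTP replayed:", token.verify(hotp(secret, 5), policy))
    print("device at count 15 via two-OTP resync:",
          token.resync(hotp(secret, 15), hotp(secret, 16), policy, now=3600))
```

In this model a nonzero Authentication Look Back Count re-accepts counts the server has already consumed, which is why the example defaults it to 0; the synchronization window is wider than the authentication window because it is only consulted when the user supplies two consecutive OTPs.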
Managing the OATH OTP Tokens
You can use the Administration Console to bulk-upload OATH tokens or to bulk-fetch OATH tokens that are assigned at the global or organization level.
Fetching OATH OTP Tokens
Follow these steps:
- Click the Services and Server Configurations tab on the main menu.
- Verify that the CA Strong Authentication tab in the submenu is active.
- Under the OATH OTP section, click the Token Management link to display the OATH OTP Token Management page.
- Edit the fields in the Fetch Tokens section, as required.
  - Token Status: Select the status of the tokens to fetch. The possible statuses are:
    - Free: Indicates that the token is not assigned to a user
    - Assigned: Indicates that the token is assigned to a user
    - Abandoned: Indicates that the user to whom the token was assigned is no longer associated with the token, for example, an employee who has obtained a new token or an employee who has left the organization. Abandoned tokens can be assigned to other users.
    - Failed: Indicates the tokens that failed during the upload operation
  - Batch ID: The identifier that denotes the batch in which the OATH token was manufactured.
  - Token ID: Specify the unique identifier of the token. You can also include wildcard characters such as * (asterisk), . (period), and \ (backslash) in your search criteria. You can use these characters as explained in the following example. If you have the following tokens in the database:
    - 12
    - 123
    - 1234
    - 123*4
  - Fetch Tokens Available at Global Level: Select this option if you want to fetch the tokens that are assigned at the global level.
  - Fetch Tokens Assigned to Organizations: Select the organizations for which the tokens have been assigned. The tokens that are assigned to the selected organizations are fetched.
- Click Fetch to fetch the tokens.
Uploading OATH OTP Tokens
Follow these steps:
- Click the Services and Server Configurations tab on the main menu.
- Verify that the CA Strong Authentication tab in the submenu is active.
- Under the OATH OTP section, click the Token Management link to display the OATH OTP Token Management page.
- Click the Browse button corresponding to XML File Containing OATH OTP Tokens to upload the XML file that defines the key container for the OTPs that the CA AuthMinder Server has to issue. CA AuthMinder provides a sample XML file, oath-token-upload.xml, for uploading OATH tokens to users. This file creates OATH tokens for predefined users. It is available at the following location:
  - On Windows: <install_location>\Arcot Systems\samples\xml\webfort
  - On UNIX: <install_location>/arcot/samples/xml/webfort
- Click Upload.