Configuring OATH OTP Settings

This page describes how to configure OATH OTP Issuance Profiles and Authentication Policies, and how to manage OATH OTP Tokens:
Configuring an OATH OTP Issuance Profile
An OATH OTP profile can be used to specify the following attribute for an OATH One-Time Password (OATH OTP Token) credential:
  • Validity period: The period for which an OATH OTP Token is valid.
By configuring an OATH OTP profile and assigning it to one or more organizations, you can control the characteristics of OATH OTP Token credentials that are issued to users of those organizations. Use the OATH OTP Profiles page to create OATH OTP Token credential profiles.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the OATH OTP Token section, click the Issuance link to display the OATH One Time Password Profiles page.
  4. Edit the fields in the Profile Configurations section, as required.
    Profile Configurations
    • Create
      To create a profile:
      • Select the Create option.
      • Specify the Configuration Name of the new profile in the field that appears.
    • Update
      To update an existing profile, select the profile that you want to update from the Select Configuration list that appears.
    • Copy Configuration
      Enable this option to create the profile by copying the configurations from an existing profile.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the profile from which the configurations are copied.
    • Validity Start Date
      Set the date from when the issued OATH OTP Token credential is valid.
      The validity can start either from the date when this credential is created or from a custom date that you specify.
    • Validity End Date
      Set the date when the OATH OTP Token expires.
      You can use the following options to set the expiration date:
      • Specify the duration
      • Specify a custom date
      • Choose the Never Expires option if you want the OATH OTP Token not to expire.
  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. In the Custom Attributes section, specify any extra information in the Name-Value pair format, for example, organization information that plug-ins can use.
  7. Set the following values in the User Validations section:
    • Select the User Active option if you want to verify the user status for the following operations involving the current credential:
      • Create credential
      • Reissue credential
      • Reset credential
      • Reset validity of the credential
    • Select the User Attribute option if you want to verify whether the user attribute matches certain values. You can set the value for the following user attributes:
      • Date when the user was created
      • Date when the user details were modified
      • Email address
      • First name
      • Middle name
      • Last name
      • User status
      • Telephone number
      • Unique user identifier
      The user attribute check feature is available only if you are performing configurations at the organization level.
  8. In the Multiple Credential Options section, enter a description that identifies the purpose for which the OATH OTP Token is used in the Usage Type field. For example, if a user has a temporary credential to perform a remote login to the network, the usage type for this credential can be temporary.
  9. Click Save.
  10. Refresh all deployed CA Strong Authentication Server instances.
Configuring an OATH OTP Authentication Policy
An OATH OTP Token authentication policy can be used to specify the following attributes for OATH OTP-based authentication:
  • User status: The status of the user, which can be active or inactive. If the user status check is enabled, authentication fails for users in the inactive state.
  • Lockout criteria: The number of failed attempts after which the user credential is locked.
  • Unlocking criteria: The number of hours after which a locked credential can be used again.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the OATH OTP Token section, click the Authentication link to display the OATH OTP Token Authentication Policy page.
  4. Edit the fields in the Policy Configuration section, as required.
    Policy Configurations
    • Create
      To create a new policy:
      • Select the Create option.
      • Specify the Configuration Name of the new policy in the field that appears.
    • Update
      To update an existing policy, select the policy that you want to update from the Select Configuration list that appears.
    • Copy Configuration
      Enable this option if you want to create the policy by copying the configurations from an existing policy.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the policy from which the configurations are copied.
    • Authentication Look Ahead Count
      Specify the number of times the OATH OTP counter on the CA AuthMinder Server is increased to verify the OATH OTP entered by the user. The OATH OTP entered by the user is compared with all the OATH OTPs that the server generates for the counts from (current count - Authentication Look Back Count) to (current count + Authentication Look Ahead Count), and if the OATH OTP entered by the user matches one of them, then the user is authenticated.
      Note: If the client OATH OTP matches a server OATH OTP, then the matching count is set as the current count on the server.
    • Authentication Look Back Count
      Specify the number of times the OATH OTP counter on the CA AuthMinder Server is decreased to verify the OATH OTP entered by the user. The OATH OTP entered by the user is compared against the same range of server OATH OTPs, from (current count - Authentication Look Back Count) to (current count + Authentication Look Ahead Count), and a match authenticates the user and sets the matching count as the current count on the server.
    • Synchronization Look Ahead Count
      Specify the number of times the OATH OTP counter on the CA AuthMinder Server is increased to synchronize with the OATH OTP counter on the client device.
      To synchronize the client and the server OATH OTPs, the user has to provide two consecutive OATH OTPs. If these OATH OTPs match two consecutive server OATH OTPs in the lookup range, from (current count - Synchronization Look Back Count) to (current count + Synchronization Look Ahead Count), then the server counter is synchronized with the count corresponding to the second OATH OTP entered by the user.
    • Synchronization Look Back Count
      Specify the number of times the OATH OTP counter on the CA AuthMinder Server is decreased to synchronize with the OATH OTP counter on the client device. The same two-consecutive-OTP lookup range, from (current count - Synchronization Look Back Count) to (current count + Synchronization Look Ahead Count), applies.
    • Lockout Credential After
      Specify the number of failed attempts after which the OATH OTP is locked.
    • Check User Status Before Authentication
      Select this option if you want to verify whether the user status is active, before authenticating them.
  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. Edit the fields in the Advanced Configurations section, as required.
    Advanced Configurations
    • Issue Warning
      Specify the number of days before credential expiration at which a warning about the user's impending credential expiration is sent to the calling application.
    • Allow Successful Authentication
      Specify the number of days for which users can use an expired credential to log in successfully.
    • Enable Automatic Credential Unlock
      Select this option if you want the credential to be unlocked automatically after the time that you specify in the following field. This field is valid only if you specify the corresponding value in the Lockout Credential After field.
    • Unlock After
      Specify the number of hours after which a locked credential can be used again for authentication.
  7. Alternate Processing Options
    The CA AuthMinder Server acts as a proxy and passes the authentication requests to other authentication servers, based on the following conditions:
    • User Not Found: If the user trying to authenticate is not present in the CA AuthMinder database, then the request is passed to the other server.
    • Credential Not Found: If the credential with which the user is trying to authenticate is not present in the CA AuthMinder database, then the request is passed to the other server.
    See "Configuring CA AuthMinder as RADIUS Proxy Server" for information about enabling this feature.
  8. Usage Type for Verification
    If you want the users to authenticate with the particular OATH OTP credential, then enter the name of its usage type in this field.
    If you do not specify the usage type, then the usage type mentioned in the default OATH OTP authentication policy is used.
  9. Click Save.
  10. Refresh all deployed CA AuthMinder Server instances.
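The look-ahead, look-back, synchronization and lockout settings in the policy above describe a counter-based (HOTP, RFC 4226) verification window. The following Python is an added illustration of that window and is not CA AuthMinder's code: the hotp routine follows RFC 4226, while the Policy and Token classes, their default values and the replay comment are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Policy:  # mirrors the Policy Configurations fields; the defaults are illustrative
    auth_look_back: int = 0
    auth_look_ahead: int = 5
    sync_look_back: int = 0
    sync_look_ahead: int = 50
    lockout_after: int = 3   # Lockout Credential After

@dataclass
class Token:  # hypothetical server-side state for one issued OATH OTP Token
    secret: bytes
    counter: int = 0
    failures: int = 0
    locked: bool = False

def authenticate(token: Token, policy: Policy, otp: str) -> bool:
    """Accept otp if it equals any HOTP from counter - look back to counter + look ahead."""
    if token.locked:
        return False
    lo = max(0, token.counter - policy.auth_look_back)
    # Caveat: a range that includes counts at or below the stored counter accepts an
    # already-used OTP again (replay), so keep Authentication Look Back Count minimal.
    for c in range(lo, token.counter + policy.auth_look_ahead + 1):
        if hmac.compare_digest(hotp(token.secret, c).encode(), otp.encode()):
            token.counter, token.failures = c, 0   # matched count becomes the current count
            return True
    token.failures += 1
    token.locked = token.failures >= policy.lockout_after   # credential locked after N failures
    return False

def synchronize(token: Token, policy: Policy, otp1: str, otp2: str) -> bool:
    """Two consecutive client OTPs must match two consecutive server counts in the sync range."""
    lo = max(0, token.counter - policy.sync_look_back)
    for c in range(lo, token.counter + policy.sync_look_ahead):
        if hotp(token.secret, c) == otp1 and hotp(token.secret, c + 1) == otp2:
            token.counter = c + 1    # server counter set to the count of the second OTP
            return True
    return False
```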
Managing the OATH OTP Tokens
You can use the Administration Console to bulk-upload OATH tokens or to bulk-fetch OATH tokens that are assigned at the global or organization level.
Fetching OATH OTP Tokens
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the OATH OTP section, click the Token Management link to display the OATH OTP Token Management page.
  4. Edit the fields in the Fetch Tokens section, as required.
    • Token Status
      Select the status to fetch the tokens. The possible statuses are:
      • Free: Indicates that the token is not assigned to a user
      • Assigned: Indicates that the token is assigned to a user
      • Abandoned: Indicates that the user for whom the token was assigned is no longer associated with the token
        For example, an employee who has obtained a new token or an employee who has left the organization.
        Abandoned tokens can be assigned to other users.
      • Failed: Indicates the tokens that failed during the upload operation
    • Batch ID
      The identifier that denotes the batch in which the OATH token is manufactured.
    • Token ID
      Specify the unique identifier of the token.
      You can also include wildcard characters such as * (asterisk), . (period), and \ (backslash) in your search criteria. You can use these characters as explained in the following example.
      If you have the following tokens in the database:
      • 12
      • 123
      • 1234
      • 123*4
      If you enter the token ID as 12*, then all the tokens listed above are fetched. If you enter the token ID as 12., then the token 123 is fetched. If you enter 123\*4, then the token 123*4 is fetched.
    • Fetch Tokens Available at Global Level
      Select this option if you want to fetch the tokens that are assigned at the global level.
    • Fetch Tokens Assigned to Organizations
      Select the organizations for which the tokens have been assigned. The tokens that are assigned to the selected organizations are fetched.
  5. Click Fetch to fetch the tokens.
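The Token ID wildcard rules above, as an added Python illustration that is not CA's own search code: it treats * as any run of characters, . as exactly one character and \ as an escape for the following character. This is one reading consistent with the three examples on this page and is an assumption about how the console actually matches.

```python
import re

def token_id_pattern(search: str) -> "re.Pattern[str]":
    """Translate a Token ID search string into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(search):
        ch = search[i]
        if ch == "\\" and i + 1 < len(search):
            parts.append(re.escape(search[i + 1]))   # \* matches a literal asterisk
            i += 2
            continue
        if ch == "*":
            parts.append(".*")                        # any run of characters
        elif ch == ".":
            parts.append(".")                         # exactly one character
        else:
            parts.append(re.escape(ch))               # everything else is literal
        i += 1
    return re.compile("".join(parts))

def fetch_tokens(search: str, token_ids):
    """Return the token IDs that the search string matches in full, in stored order."""
    pattern = token_id_pattern(search)
    return [t for t in token_ids if pattern.fullmatch(t)]

# Constructed sample: the four token IDs used in the example on this page.
TOKENS = ["12", "123", "1234", "123*4"]
```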
Uploading OATH OTP Tokens
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the OATH OTP section, click the Token Management link to display the OATH OTP Token Management page.
  4. Click the Browse button corresponding to the XML File Containing OATH OTP Tokens field to upload the XML file that defines the key container for the OTPs that the CA AuthMinder Server has to issue.
    CA AuthMinder provides a sample XML file, oath-token-upload.xml, for uploading OATH tokens for users. This file creates OATH tokens for predefined users. It is available at the following location:
    On Windows: <install_location>\Arcot Systems\samples\xml\webfort
    On UNIX: <install_location>/arcot/samples/xml/webfort
  5. Click Upload.