Configuring OTP Settings

This section describes configuring a one-time password issuance profile and a one-time password authentication policy for CA Strong Authentication:
Configure an OTP Issuance Profile
An OTP profile can be used to specify the following attributes for a One-Time Password credential:
  • OTP strength: The type (numeric or alphanumeric) and length of the OTP.
  • Validity period: The period for which an OTP is valid.
  • Usage: The number of times an OTP can be reused for authentication.
By configuring an OTP profile and assigning it to one or more organizations, you can control the characteristics of OTP credentials that are issued to users of those organizations. Use the One-Time Password Profiles page for creating OTP credential profiles.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the OTP section, click the Issuance link to display the One Time Password Profiles page.
  4. Edit the fields in the Profile Configurations section, as required.
    Profile Configurations:
    • Create
      To create a new profile:
      • Select the Create option.
      • Specify the Configuration Name of the new profile in the field that appears.
    • Update
      To update an existing profile, select the profile that you want to update from the Select Configuration list that appears.
    • Copy Configuration
      Enable this option if you want to create the profile by copying the configurations from an existing profile.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the profile from which the configurations are copied.
    • Type
      Specify whether you want to issue numeric or alphanumeric OTPs to users.
      The default value is Numeric.
    • Length
      Set the length of an OTP.
      The minimum OTP length is 5 characters (the default value); the maximum length is 32 characters.
    • Validity Period
      Set the interval for which the issued OTP credential is valid.
      You can specify this period in seconds, minutes, hours, days, months, or years.
    • Allow Multiple Use
      Select this option if you would like the OTP to be used more than once.
    • Use
      Specify the total number of times an OTP can be used, if you selected the Allow Multiple Use option.
  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. In the Custom Attributes section, specify any extra information in the Name-Value pair format, for example, organization information that plug-ins can use.
  7. Set the following values in the User Validations section:
    • Select the User Active option if you want to verify the user status for the following operations involving the current credential:
      • Create credential
      • Reissue credential
      • Reset credential
      • Reset validity of the credential
    • Select the User Attribute option if you want to verify whether the user attribute matches certain values. You can set the value for the following user attributes:
      • Date when the user was created
      • Date when the user details were modified
      • Email address
      • First name
      • Middle name
      • Last name
      • User status
      • Telephone number
      • Unique user identifier
      The user attribute check feature is available only if you are performing configurations at the organization level.
  8. In the Multiple Credential Options section, enter a description in the Usage Type field to identify the purpose for which the OTP is used. For example, if a user has a temporary credential for remote login to the network, the usage type for this credential can be temporary.
  9. Click Save.
  10. Refresh all deployed CA Strong Authentication Server instances.
Configure an OTP Authentication Policy
An OTP policy can be used to specify the following attributes for OTP-based authentication:
  • User status: The status of the user, which can be active or inactive.
    If the user status check is enabled, then authentication for users in the inactive state fails.
  • Lockout criteria: The number of failed attempts after which the user credential is locked.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the OTP section, click the Authentication link to display the OTP Authentication Policy page.
  4. Edit the fields in the Policy Configuration section, as required.
    Policy Configurations:
    • Create
      To create a new policy:
      • Select the Create option.
      • Specify the Configuration Name of the new policy in the field that appears.
    • Update
      To update an existing policy, select the policy that you want to update from the Select Configuration list that appears.
    • Copy Configuration
      Enable this option if you want to create the policy by copying the configurations from an existing policy.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the policy from which the configurations are copied.
    • Lockout Credential After
      Specify the number of failed attempts after which the OTP is locked.
    • Check User Status Before Authentication
      Select this option if you want to verify whether the user status is active, before authenticating them.
  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. Edit the fields in the section, as required. The following list describes the fields of this section:
    Advanced Configurations:
    • Issue Warning
      Specify the number of days before the user's credential expires at which a warning is sent to the calling application about the impending expiration.
    • Allow Successful Authentication
      Specify the number of days for which the users can use an expired credential to log in successfully.
    • Enable Automatic Credential Unlock
      Select this option if you want the credential to be automatically unlocked after the time you specify in the following field.
      This field is valid only if you specify the corresponding value in the Lockout Credential After field.
    • Unlock After
      Specify the time period in seconds after which a locked credential can be used again for authentication.
    Alternate Processing Options:
      The CA Strong Authentication Server acts as a proxy and passes the authentication requests to other authentication servers when the following conditions are met:
      • User Not Found: If the user trying to authenticate is not present in the CA Strong Authentication database, then the request is passed to the other server.
      • Credential Not Found: If the credential with which the user is trying to authenticate is not present in the CA Strong Authentication database, then the request is passed to the other server.
      See Configuring CA Strong Authentication as RADIUS Proxy Server for information about enabling this feature.
    Multiple Credential Options:
    • Usage Type for Verification
      If you want users to authenticate with the particular OTP credential, then enter the name of its usage type in this field.
      If you do not specify the usage type, then the default usage type is used.
  7. Click Save.
  8. Refresh all deployed CA Strong Authentication Server instances.
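To make the settings from both procedures above concrete, the following is an added illustrative model (not CA Strong Authentication's own code) of how the issuance-profile attributes (type, length, validity period, multiple use) and the authentication-policy checks (user status, lockout after N failures, automatic unlock) combine when a submitted OTP is verified. The class, field and function names are assumptions, and Validity Period and Unlock After are modelled in seconds.

```python
import secrets, string
from dataclasses import dataclass
from typing import Optional

@dataclass
class OtpProfile:   # issuance profile: Type, Length, Validity Period, Allow Multiple Use / Use
    otp_type: str = "numeric"       # "numeric" or "alphanumeric"
    length: int = 5                 # the page allows 5 to 32 characters
    validity_secs: int = 300        # Validity Period, expressed in seconds here
    max_uses: int = 1               # greater than 1 only when Allow Multiple Use is selected

@dataclass
class OtpPolicy:    # authentication policy: lockout, automatic unlock, user status check
    lockout_after: int = 3          # Lockout Credential After (failed attempts)
    auto_unlock: bool = True        # Enable Automatic Credential Unlock
    unlock_after_secs: int = 600    # Unlock After
    check_user_status: bool = True  # Check User Status Before Authentication

@dataclass
class OtpCredential:                # server-side state for one issued OTP (assumed model)
    value: str
    issued_at: float
    uses: int = 0
    failures: int = 0
    locked_at: Optional[float] = None

def issue_otp(profile, now):        # CSPRNG-generated OTP of the profile's type and length
    alphabet = string.digits if profile.otp_type == "numeric" else string.ascii_uppercase + string.digits
    return OtpCredential("".join(secrets.choice(alphabet) for _ in range(profile.length)), now)

def verify_otp(cred, candidate, profile, policy, now, user_active=True):
    # Policy checks first (user status, lockout and automatic unlock), then profile checks.
    if policy.check_user_status and not user_active:
        return False, "user_inactive"
    if cred.locked_at is not None:
        if not (policy.auto_unlock and now - cred.locked_at >= policy.unlock_after_secs):
            return False, "locked"
        cred.locked_at, cred.failures = None, 0     # unlocked after Unlock After seconds
    if now - cred.issued_at > profile.validity_secs:
        return False, "expired"
    if cred.uses >= profile.max_uses:
        return False, "used_up"
    if not secrets.compare_digest(candidate.encode(), cred.value.encode()):
        cred.failures += 1
        if cred.failures >= policy.lockout_after:
            cred.locked_at = now                    # Lockout Credential After reached
            return False, "locked"
        return False, "mismatch"
    cred.uses, cred.failures = cred.uses + 1, 0
    return True, "ok"
```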