How to Integrate NetIQ Access Manager with Symantec VIP two-factor authentication





Source: http://www.symantec.com/vip-authentication-service



Symantec Validation and ID Protection Service is a leading cloud-based strong authentication service that enables enterprises to secure access to networks and applications while preventing access by malicious unauthorized attackers. A unified solution providing both two-factor and risk-based token-less authentication, VIP is based on open standards and can easily integrate into enterprise applications.



For more information about Symantec VIP, see the source link above.


Symantec VIP offers different types of integration solutions:

  1. RADIUS server based integration
    • Authentication method 1: username + password + security code
    • Authentication method 2: username + security code

  2. Web services based integration
    • User services
    • Manager (admin) services

  3. SAML based integration
    • Self service portal SSO
    • VIP Manager SSO




Setup Details Using RADIUS



Symantec VIP Enterprise Gateway setup



  1. Install and configure VIP Enterprise Gateway, then add the RADIUS validation server.
    • For more information, refer to the VIP Enterprise Gateway Installation and Configuration Guide.

  2. Add the validation server in one of the following modes:
    • Username + password + security code
    • Username + security code




NetIQ Access Manager Identity Server setup details




a) Create a user store, or use the configured default user store, depending on your requirements.

b) Create a class, selecting Radius Class from the dropdown.

c) On step 2 of configuring the Radius class, enter the required details:

  • Port – the port of the VIP RADIUS validation server configured in the steps above (default 1812)

  • Shared secret – the shared secret of the VIP RADIUS validation server

  • The remaining fields can be left at their default values; for a customized login page, configure a JSP as described in the NAM documentation

  • Require password – check this when the VIP RADIUS validation server is in username + password + security code mode; leave it unchecked when the validation server is in username + security code mode

d) Configure an authentication method using the Radius class created above and select OK.

e) Configure a contract using the method created above and select OK.

f) Select Update IDP and wait until the IDP health turns current (green).



Testing the configuration


a) Install the Symantec VIP credential on a mobile device or on the desktop.

b) Access the RADIUS contract and enter the user name, the security code generated by the VIP credential client, and the password (the password text box is shown only if Require password is enabled in the NAM configuration).

c) Submit the form.



Setup Details Using User Web Services



NetIQ Access Manager Identity Server setup details




  1. Download VIP_UserServicesWSDL and extract the archive.

  2. Download the certificate from VIP Manager and save it as vip_cert.p12.

  3. Download Axis2 (check the Symantec documentation for the supported version); this was tested with 1.6.2.

  4. Download the Apache Ant package and extract it locally.

  5. Open a command prompt and set AXIS2_HOME to the extracted Axis2 directory: on Windows “set AXIS2_HOME=<<dir>>”, on Linux (for example in a PuTTY session) “export AXIS2_HOME=<<dir>>”.

  6. Set the ANT_HOME environment variable to the extracted Apache Ant directory: on Windows “set ANT_HOME=<<dir>>”, on Linux “export ANT_HOME=<<dir>>”.

  7. Add the Axis2 and Ant bin directories to the path: on Windows “set PATH=%PATH%;%ANT_HOME%\bin;%AXIS2_HOME%\bin”, on Linux “export PATH=$PATH:$ANT_HOME/bin:$AXIS2_HOME/bin”.

  8. Change directory to the VIP_UserServicesWSDL folder where the WSDL file exists.

  9. Execute the following command to generate stubs for the WSDL: “wsdl2java -uri vipuserservices-auth-1.1.wsdl -p com.verisign.vipuserservices.wsclient -o gen-src-auth”.

  10. Execute the following command to compile the generated source and create the library file: “ant -Dname=vipuserservices”. Alternatively, copy the generated source into an Eclipse Java project, add the Axis2 libraries to the class path, and build the project to obtain the binary code.


  11. Create the token form JSP; refer to the Cool Solution referenced above for how to define the JSP.

  12. Copy the downloaded vip_cert.p12 file to a folder on the IDP (the authentication class reads it from that path).

  13. Copy the custom authentication class jar file to “/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib”.

  14. Restart the IDP using the command “/etc/init.d/novell-idp restart”.

  15. Wait for the IDP to complete its startup successfully.

  16. Create a user store, or use the configured default user store, depending on your requirements.

  17. Create a class using the custom authentication class: select Other from the dropdown.

  18. Type the class name including its package structure.

  19. Select Next and then Finish.

  20. Create an authentication method using the authentication class created above.

  21. Create a contract using the method created above.

  22. Update the IDP and wait until the IDP health turns current (green).
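The environment setup and stub generation steps above (AXIS2_HOME, ANT_HOME, PATH, wsdl2java, ant), collected into a script as an added example that is not part of the original article. It assumes the tool directories are passed as arguments and that the WSDL folder contains vipuserservices-auth-1.1.wsdl as in the steps; the function names are this example's own.

```shell
#!/bin/sh
# Added example: prepare the build environment for the VIP User Services
# client stubs and run the same wsdl2java/ant commands as the steps above.
# Function names are this example's own; tool paths are taken as arguments.

# vip_setup_env AXIS2_DIR ANT_DIR
# Validates both tool directories (each must contain a bin/ folder) before
# exporting AXIS2_HOME, ANT_HOME and extending PATH. Returns 1 on a bad path
# so a typo does not silently leave wsdl2java or ant unresolved later.
vip_setup_env() {
    axis2_dir=$1
    ant_dir=$2
    for d in "$axis2_dir" "$ant_dir"; do
        if [ ! -d "$d/bin" ]; then
            echo "vip_setup_env: '$d' has no bin/ directory" >&2
            return 1
        fi
    done
    AXIS2_HOME=$axis2_dir
    ANT_HOME=$ant_dir
    PATH=$PATH:$ANT_HOME/bin:$AXIS2_HOME/bin
    export AXIS2_HOME ANT_HOME PATH
    return 0
}

# vip_generate_stubs WSDL_DIR [WSDL_FILE]
# Runs stub generation from inside the WSDL folder, as the steps require,
# and only invokes ant when wsdl2java succeeded. Returns 1 if the WSDL
# file is not where it is expected.
vip_generate_stubs() {
    wsdl_dir=$1
    wsdl_file=${2:-vipuserservices-auth-1.1.wsdl}
    if [ ! -f "$wsdl_dir/$wsdl_file" ]; then
        echo "vip_generate_stubs: $wsdl_file not found in $wsdl_dir" >&2
        return 1
    fi
    (
        cd "$wsdl_dir" || exit 1
        wsdl2java -uri "$wsdl_file" -p com.verisign.vipuserservices.wsclient -o gen-src-auth \
            && ant -Dname=vipuserservices
    )
}
```

Typical use is `vip_setup_env /opt/axis2-1.6.2 /opt/apache-ant && vip_generate_stubs ./VIP_UserServicesWSDL`; the resulting jar is what step 13 copies into the IDP's WEB-INF/lib.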



Testing the configuration:


a) Install the Symantec VIP credential on a mobile device or on the desktop.

b) Access the newly created contract and enter the user name and password; when asked for the token, enter the security code generated by the VIP credential.

c) Submit the form.



Example TOTP verification code (calls the VIP User Services checkOtp operation through the Axis2-generated stub):



import java.rmi.RemoteException;

import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpRequest;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpRequestType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpResponse;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpResponseType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.OtpAuthDataType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.OtpType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.RequestIdType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.UserIdType;

public static void validateUser() throws RemoteException
{
    // Client certificate downloaded from VIP Manager; it identifies this
    // integration to the VIP User Services endpoint over mutual TLS.
    String pathToP12File = "/tmp/vip_cert.p12";
    String password = "password"; // password given while downloading the cert
    System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
    System.setProperty("javax.net.ssl.keyStore", pathToP12File);
    System.setProperty("javax.net.ssl.keyStorePassword", password);

    AuthenticationServiceStub authServiceStub = new AuthenticationServiceStub(
        "https://userservices-auth.vip.symantec.com/vipuserservices/AuthenticationService_1_1");

    // Wrapper element and the request body it carries
    CheckOtpRequest uReq = new CheckOtpRequest();
    CheckOtpRequestType otpReqType = new CheckOtpRequestType();
    uReq.setCheckOtpRequest(otpReqType);

    // Unique request id; VIP echoes it back so responses can be correlated
    RequestIdType requestIdType = new RequestIdType();
    requestIdType.setRequestIdType("rqstId" + System.currentTimeMillis());

    // VIP user id and the security code the user typed into the token form
    UserIdType userType = new UserIdType();
    userType.setUserIdType("testuser1");
    OtpType otp = new OtpType();
    otp.setOtpType("770379");
    OtpAuthDataType otpType = new OtpAuthDataType();
    otpType.setOtp(otp);

    otpReqType.setUserId(userType);
    otpReqType.setRequestId(requestIdType);
    otpReqType.setOtpAuthData(otpType);

    CheckOtpResponse checkOtpResponse = authServiceStub.checkOtp(uReq);
    CheckOtpResponseType checkOtpResponseType = checkOtpResponse.getCheckOtpResponse();

    // Compare getStatus() against the success status documented in the
    // VIP User Services guide before treating the user as authenticated.
    System.out.println("Status : " + checkOtpResponseType.getStatus());
    System.out.println("Status message : " + checkOtpResponseType.getStatusMessage());
    System.out.println("Server detail message : " + checkOtpResponseType.getDetailMessage());
}
