How to Integrate NetIQ Access Manager with Symantec VIP two-factor authentication

0 Likes

over 8 years ago

Source: http://www.symantec.com/vip-authentication-service

Symantec Validation and ID Protection Service is a leading cloud-based strong authentication service that enables enterprises to secure access to networks and applications while preventing access by malicious unauthorized attackers. A unified solution providing both two-factor and risk-based token-less authentication, VIP is based on open standards and can easily integrate into enterprise applications.

For more information about Symantec VIP click here.

Symantec VIP offers different types of integration solutions.

Radius server based integration
- Authentication method 1 Username password Security code
Authentication method 2 Username security code

Webservices based integration
- User services
Manager (admin)services

Saml based integration
- Self service portal SSO
VIP Manager SSO

Setup Details Using RADIUS

Symantec VIP Enterprise Gateway setup

Install and Configure VIP enterprise gateway
Install and configure VIP Enterprise Gateway then add the RADIUS validation server.
- More information refer to the VIP Enterprise Gateway Installation and Configuration Guide.

Add validation server in one of the following modes
1. Username password secure code
Username secure code

NetIQ Access Manager Identity Server setup details

a) Create Userstore or use configured default user store based on one’s requirement

b) Create a class using Radius Class from the dropdown

c) On step 2 of configuring radius class Enter required details

Port – enter VIP radius validation server (configured in above steps) default 1812

Shared secret – enter VIP radius validation server shared secret

Remaining can be left as default values, for customized login page configure JSP refer to NAM documentation

Require password can be checked for the Username password secure code mode of VIP radius validation server, otherwise leave it unchecked when VIP radius validation in Usname securecode mode

Configure a authentication method using radius class create above and select OK

Configure a contract using created method above and select OK

Select Update IDP and wait for IDP health turns current with green.

Testing the configuration

a) Install Symantec VIP credentials into mobile or on Desktop

b) Access radius contract and Enter user name secure code generated by VIP credentials client and password ( password text box shows if required password is enabled in NAM configuration)

c) Submit form

Setup Details Using User webservices

NetIQ Access Manager Identity Server setup details

Download VIP_UserServicesWSDL and extract archive

Download certificate from VIP Manager and save it as vip_cert.p12

Download Axis2 (check symantec documentation for version) tested using 1.6.2

Download apache ant package and extract locally.

Open DOS prompt and set AXIS2_HOME to extracted Axis2 directory in windows “set AXIS_HOME=<<dir>>”, for linux open putty and do “export AXIS2_HOME <<dir>>”

Add ANT_HOME environmental variable to extracted apache ant directory in windows “set ANT_HOME=<<dir>>”, for linux open putty and do “export ANT_HOME <<dir>>”

Add axis2 and ant package bin directory to path, in windows “set PATH=%PATH%;%ANT_HOME%\bin;%AXIS2_HOME\bin” in linux “export PATH=$PATH:$ANT_HOME/bin:$AXIS2_HOME/bin”

Change directory to VIP_UserServicesWSDL folder where wsdl file exits

Execute following commands to generate stubs for given wsdl “wsdl2java -uri vipuserservices-auth-1.1.wsdl -p com.verisign.vipuserservices.wsclient -o gen-src-auth”

Execute following command to compile and create lib file or copy the generated to source to eclipse java project and add Axis2 libraries in class path and build project for binary code of generated source “ant -Dname=vipuserservices”

Create sample working code verification using Symantec VIP sample code. (sample verification method added at end of this article) https://www.novell.com/developer/ndk/novell_access_manager_developer_tools_and_examples.html

Write custom authentication class using above sample. Follow the custom authentication class implementation sdk and documentation, similar authentication class can be referred https://www.netiq.com/communities/coolsolutions/how-to-integrate-netiq-access-manager-with-google-authenticator-for-two-factor-authentication/

Create token form JSP refer to cool solution above how to define the JSP.

Copy downloaded vip_cert.p12 file to one of the folder of IDP

Copy the custom authentication class jar file to “/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib”

Restart IDP using command “/etc/init.d/novell-idp restart”

Wait for IDP to complete its start successfully.

Create Userstore or use configured default user store based on one’s requirement

Create a class using custom authentication class, select Other from the dropdown

Type classname with package structure

Select Next and finish

Create authentication method using above created authenticated class

Create contract using above created method.

Update IDP and wait for IDP health turn to current and green

Testing the configuration:

a) Install Symantec VIP credentials into mobile or on desktop

b) Access new contract created and Enter user name password and when asked for token enter secure code generated by VIP credentials

c) Submit form

Example TOTP verification code:

public static void validateUser() throws RemoteException
	{
		String pathToP12File = "/tmp/vip_cert.p12";
		String password = "password"; // password given while downloading cert
		System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
		System.setProperty("javax.net.ssl.keyStore", pathToP12File);
		System.setProperty("javax.net.ssl.keyStorePassword", password);
		AuthenticationServiceStub authServiceStub = new AuthenticationServiceStub(
				"https://userservices-auth.vip.symantec.com/vipuserservices/AuthenticationService_1_1");
		
		com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpRequest uReq = new com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpRequest();
		com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpRequestType otpReqType = new com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpRequestType();
		uReq.setCheckOtpRequest(otpReqType);

		com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.RequestIdType requestIdType = new com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.RequestIdType();
		requestIdType.setRequestIdType("rqstId"   System.currentTimeMillis());
		
		com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.UserIdType userType = new com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.UserIdType();
		userType.setUserIdType("testuser1");
		com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.OtpType otp = new com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.OtpType();
		otp.setOtpType("770379");
		com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.OtpAuthDataType otpType = new com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.OtpAuthDataType();
		otpType.setOtp(otp);
		/*uReqType.setRequestId(requestIdType);
		uReqType.setUserId(userType);
		uReqType.setOtpAuthDataType()*/
		
		otpReqType.setUserId(userType);
		otpReqType.setRequestId(requestIdType);
		otpReqType.setOtpAuthData(otpType);
		
		  CheckOtpResponse checkOtpResponse = authServiceStub.checkOtp(uReq);
		
		 CheckOtpResponseType checkOtpResponseType = checkOtpResponse
				.getCheckOtpResponse();
		
		System.out.println("Status : "   checkOtpResponseType.getStatus());
		System.out.println("Status message : "
				  checkOtpResponseType.getStatusMessage());
		System.out.println("Server detail message : "
				  checkOtpResponseType.getDetailMessage());
		
	}

Tags:

authentication

two factor

Labels:

How To-Best Practice

Comment List

Recommended

Menu

NetIQ Access Manager