How to Integrate NetIQ Access Manager with Symantec VIP two-factor authentication



Symantec Validation and ID Protection Service is a leading cloud-based strong authentication service that enables enterprises to secure access to networks and applications while preventing access by malicious unauthorized attackers. A unified solution providing both two-factor and risk-based token-less authentication, VIP is based on open standards and can easily integrate into enterprise applications.

For more information about Symantec VIP click here.

Symantec VIP offers different types of integration solutions.

  1. Radius server based integration

    • Authentication method 1 Username password Security code

  2. Authentication method 2 Username security code

  • Webservices based integration

    • User services

  • Manager (admin)services

  • Saml based integration

    • Self service portal SSO

  • VIP Manager SSO

Setup Details Using RADIUS

Symantec VIP Enterprise Gateway setup

  1. Install and Configure VIP enterprise gateway
    Install and configure VIP Enterprise Gateway then add the RADIUS validation server.

    • More information refer to the VIP Enterprise Gateway Installation and Configuration Guide.

  • Add validation server in one of the following modes

    1. Username password secure code

  • Username secure code

NetIQ Access Manager Identity Server setup details

a) Create Userstore or use configured default user store based on one’s requirement

b) Create a class using Radius Class from the dropdown

c) On step 2 of configuring radius class Enter required details

  1. Port – enter VIP radius validation server (configured in above steps) default 1812

  • Shared secret – enter VIP radius validation server shared secret

  • Remaining can be left as default values, for customized login page configure JSP refer to NAM documentation

  • Require password can be checked for the Username password secure code mode of VIP radius validation server, otherwise leave it unchecked when VIP radius validation in Usname securecode mode

  • Configure a authentication method using radius class create above and select OK

  • Configure a contract using created method above and select OK

  • Select Update IDP and wait for IDP health turns current with green.

Testing the configuration

a) Install Symantec VIP credentials into mobile or on Desktop

b) Access radius contract and Enter user name secure code generated by VIP credentials client and password ( password text box shows if required password is enabled in NAM configuration)

c) Submit form

Setup Details Using User webservices

NetIQ Access Manager Identity Server setup details

  1. Download VIP_UserServicesWSDL and extract archive

  • Download certificate from VIP Manager and save it as vip_cert.p12

  • Download Axis2 (check symantec documentation for version) tested using 1.6.2

  • Download apache ant package and extract locally.

  • Open DOS prompt and set AXIS2_HOME to extracted Axis2 directory in windows “set AXIS_HOME=<<dir>>”, for linux open putty and do “export AXIS2_HOME <<dir>>”

  • Add ANT_HOME environmental variable to extracted apache ant directory in windows “set ANT_HOME=<<dir>>”, for linux open putty and do “export ANT_HOME <<dir>>”

  • Add axis2 and ant package bin directory to path, in windows “set PATH=%PATH%;%ANT_HOME%\bin;%AXIS2_HOME\bin” in linux “export PATH=$PATH:$ANT_HOME/bin:$AXIS2_HOME/bin”

  • Change directory to VIP_UserServicesWSDL folder where wsdl file exits

  • Execute following commands to generate stubs for given wsdl “wsdl2java -uri vipuserservices-auth-1.1.wsdl -p -o gen-src-auth”

  • Execute following command to compile and create lib file or copy the generated to source to eclipse java project and add Axis2 libraries in class path and build project for binary code of generated source “ant -Dname=vipuserservices”

  • Create token form JSP refer to cool solution above how to define the JSP.

  • Copy downloaded vip_cert.p12 file to one of the folder of IDP

  • Copy the custom authentication class jar file to “/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib”

  • Restart IDP using command “/etc/init.d/novell-idp restart”

  • Wait for IDP to complete its start successfully.

  • Create Userstore or use configured default user store based on one’s requirement

  • Create a class using custom authentication class, select Other from the dropdown

  • Type classname with package structure

  • Select Next and finish

  • Create authentication method using above created authenticated class

  • Create contract using above created method.

  • Update IDP and wait for IDP health turn to current and green

Testing the configuration:

a) Install Symantec VIP credentials into mobile or on desktop

b) Access new contract created and Enter user name password and when asked for token enter secure code generated by VIP credentials

c) Submit form

Example TOTP verification code:

public static void validateUser() throws RemoteException
String pathToP12File = "/tmp/vip_cert.p12";
String password = "password"; // password given while downloading cert
System.setProperty("", "pkcs12");
System.setProperty("", pathToP12File);
System.setProperty("", password);
AuthenticationServiceStub authServiceStub = new AuthenticationServiceStub(
""); uReq = new; otpReqType = new;
uReq.setCheckOtpRequest(otpReqType); requestIdType = new;
requestIdType.setRequestIdType("rqstId" System.currentTimeMillis()); userType = new;
userType.setUserIdType("testuser1"); otp = new;
otp.setOtpType("770379"); otpType = new;


CheckOtpResponse checkOtpResponse = authServiceStub.checkOtp(uReq);

CheckOtpResponseType checkOtpResponseType = checkOtpResponse

System.out.println("Status : " checkOtpResponseType.getStatus());
System.out.println("Status message : "
System.out.println("Server detail message : "



How To-Best Practice
Comment List