How to Integrate NetIQ Access Manager with Symantec VIP two-factor authentication





Source: http://www.symantec.com/vip-authentication-service



Symantec Validation and ID Protection Service is a leading cloud-based strong authentication service that enables enterprises to secure access to networks and applications while preventing access by malicious unauthorized attackers. A unified solution providing both two-factor and risk-based token-less authentication, VIP is based on open standards and can easily integrate into enterprise applications.



For more information about Symantec VIP, see http://www.symantec.com/vip-authentication-service.


Symantec VIP offers different types of integration solutions.



  1. RADIUS server based integration

    • Authentication method 1: Username + password + security code

    • Authentication method 2: Username + security code


  2. Web services based integration

    • User services

    • Manager (admin) services


  3. SAML based integration

    • Self service portal SSO

    • VIP Manager SSO




Setup Details Using RADIUS



Symantec VIP Enterprise Gateway setup



  1. Install and configure VIP Enterprise Gateway
    Install and configure VIP Enterprise Gateway, then add the RADIUS validation server.

    • For more information, refer to the VIP Enterprise Gateway Installation and Configuration Guide.


  2. Add the validation server in one of the following modes

    1. Username + password + security code

    2. Username + security code




NetIQ Access Manager Identity Server setup details




a) Create a user store, or use the configured default user store, depending on your requirements

b) Create a class, selecting Radius Class from the dropdown

c) On step 2 of configuring the RADIUS class, enter the required details:


  1. Port: enter the port of the VIP RADIUS validation server configured in the steps above (default 1812)

  2. Shared secret: enter the shared secret of the VIP RADIUS validation server

  3. The remaining fields can be left at their default values; for a customized login page (JSP), refer to the NAM documentation

  4. Require password: check this when the VIP RADIUS validation server is in Username + password + security code mode; leave it unchecked when the server is in Username + security code mode

  5. Configure an authentication method using the RADIUS class created above and select OK

  6. Configure a contract using the method created above and select OK

  7. Select Update IDP and wait for the IDP health to turn current (green).
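The port and shared secret entered in steps 1 and 2 are all that protects the exchange between the Identity Server and the VIP RADIUS validation server. The following added example (not code from this article, NetIQ or Symantec) walks one RADIUS Access-Request / Access-Accept exchange in Python as specified in RFC 2865: the client hides the User-Password attribute with the secret, and the server's Response Authenticator lets the client confirm the reply came from a holder of the same secret. The validation server is a constructed in-memory stand-in, the user, security code and secret are constructed sample values, and the example assumes the generic User-Name/User-Password encoding without modelling any VIP-specific attribute layout.

```python
"""Added example (not code from the article, NetIQ or Symantec): a minimal
RFC 2865 RADIUS Access-Request / Access-Accept exchange showing what the
shared secret entered in the NAM RADIUS class protects."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR block i with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; stripping the padding would also drop trailing NULs."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    # Type, Length (counts these two bytes as well), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(identifier: int, username: str, password: str, secret: bytes):
    """The packet the NAM RADIUS class sends. User-Password carries whatever the
    login form submitted; in VIP's Username + security code mode that is the code."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check that the reply came from a holder of the shared secret and
    answers this request; skipping it would let a spoofed Access-Accept through."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def validation_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed stand-in for the VIP RADIUS validation server (in-memory user table)."""
    if request[0] != ACCESS_REQUEST or struct.unpack("!H", request[2:4])[0] != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(request[20:])
    submitted = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    expected = users.get(attrs[ATTR_USER_NAME].decode(errors="replace"))
    ok = expected is not None and hmac.compare_digest(submitted, expected.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

def authenticate(username: str, code: str, client_secret: bytes,
                 server_secret: bytes, users: dict) -> str:
    """Full round trip; returns 'accept', 'reject' or 'unverified'."""
    request, request_auth = build_access_request(7, username, code, client_secret)
    response = validation_server(request, server_secret, users)
    if not verify_response(response, request_auth, client_secret):
        return "unverified"  # secret mismatch or forged reply: never treat as success
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[response[0]]

if __name__ == "__main__":
    USERS = {"testuser1": "770379"}          # constructed sample user and security code
    SECRET = b"shared-secret-from-VIP-EG"    # constructed shared secret
    print(authenticate("testuser1", "770379", SECRET, SECRET, USERS))        # accept
    print(authenticate("testuser1", "000000", SECRET, SECRET, USERS))        # reject
    print(authenticate("testuser1", "770379", SECRET, b"mistyped", USERS))   # unverified
```

Two points a deployment should take from this: the Identity Server side must verify the Response Authenticator (a mistyped or forged secret yields "unverified", never "accept"), and the User-Password hiding is only as strong as the shared secret, so use a long random secret and keep the path between the IDP and the VIP Enterprise Gateway on a trusted network segment.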



Testing the configuration


a) Install the Symantec VIP Credential app on a mobile device or on the desktop

b) Access the RADIUS contract and enter the user name, the security code generated by the VIP Credential client and the password (the password text box is shown only if Require password is enabled in the NAM configuration)

c) Submit the form



Setup Details Using User webservices



NetIQ Access Manager Identity Server setup details




  1. Download VIP_UserServicesWSDL and extract the archive.

  2. Download the certificate from VIP Manager and save it as vip_cert.p12.

  3. Download Axis2 (check the Symantec documentation for the supported version); this was tested with 1.6.2.

  4. Download the Apache Ant package and extract it locally.

  5. Open a command prompt and set AXIS2_HOME to the extracted Axis2 directory: on Windows “set AXIS2_HOME=<<dir>>”; on Linux, in a shell session (e.g. over PuTTY), “export AXIS2_HOME=<<dir>>”.

  6. Set the ANT_HOME environment variable to the extracted Apache Ant directory: on Windows “set ANT_HOME=<<dir>>”; on Linux “export ANT_HOME=<<dir>>”.

  7. Add the Axis2 and Ant bin directories to the path: on Windows “set PATH=%PATH%;%ANT_HOME%\bin;%AXIS2_HOME%\bin”; on Linux “export PATH=$PATH:$ANT_HOME/bin:$AXIS2_HOME/bin”.

  8. Change directory to the VIP_UserServicesWSDL folder where the WSDL file exists.

  9. Execute the following command to generate the stubs for the WSDL: “wsdl2java -uri vipuserservices-auth-1.1.wsdl -p com.verisign.vipuserservices.wsclient -o gen-src-auth”.

  10. Execute the following command to compile the generated source and create the library: “ant -Dname=vipuserservices”. Alternatively, copy the generated source into an Eclipse Java project, add the Axis2 libraries to the class path and build the project to obtain the binaries.

  11. Create a sample working verification using the Symantec VIP sample code (a sample verification method is added at the end of this article). NAM developer tools and examples: https://www.novell.com/developer/ndk/novell_access_manager_developer_tools_and_examples.html

  12. Write a custom authentication class using the sample above. Follow the custom authentication class implementation SDK and documentation; a similar authentication class is described at https://www.netiq.com/communities/coolsolutions/how-to-integrate-netiq-access-manager-with-google-authenticator-for-two-factor-authentication/

  13. Create the token form JSP; refer to the cool solution above for how to define the JSP.

  14. Copy the downloaded vip_cert.p12 file to a folder on the IDP (the sample code at the end of this article reads it from /tmp/vip_cert.p12).

  15. Copy the custom authentication class jar file to “/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib”.

  16. Restart the IDP using the command “/etc/init.d/novell-idp restart”.

  17. Wait for the IDP to complete its start successfully.

  18. Create a user store, or use the configured default user store, depending on your requirements.

  19. Create a class using the custom authentication class: select Other from the dropdown.

  20. Type the class name with its package structure.

  21. Select Next and Finish.

  22. Create an authentication method using the authentication class created above.

  23. Create a contract using the method created above.

  24. Update the IDP and wait for the IDP health to turn current and green.



Testing the configuration:


a) Install the Symantec VIP Credential app on a mobile device or on the desktop

b) Access the newly created contract and enter the user name and password; when asked for the token, enter the security code generated by the VIP Credential client

c) Submit the form



Example TOTP verification code (Java, using the Axis2 stubs generated in step 9 above; the certificate path, keystore password, user id and security code are sample values):



import java.rmi.RemoteException;

import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpRequest;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpRequestType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpResponse;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.CheckOtpResponseType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.OtpAuthDataType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.OtpType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.RequestIdType;
import com.verisign.vipuserservices.wsclient.AuthenticationServiceStub.UserIdType;

public class VipOtpCheck {

    public static void validateUser() throws RemoteException {
        // Client certificate downloaded from VIP Manager (step 2); the VIP web
        // service identifies the calling organization by it over mutual TLS.
        String pathToP12File = "/tmp/vip_cert.p12";
        String password = "password"; // password given while downloading the certificate
        System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
        System.setProperty("javax.net.ssl.keyStore", pathToP12File);
        System.setProperty("javax.net.ssl.keyStorePassword", password);

        AuthenticationServiceStub authServiceStub = new AuthenticationServiceStub(
                "https://userservices-auth.vip.symantec.com/vipuserservices/AuthenticationService_1_1");

        // Unique request id, so the call can be correlated in VIP Manager
        RequestIdType requestIdType = new RequestIdType();
        requestIdType.setRequestIdType("rqstId" + System.currentTimeMillis());

        // VIP user id and the security code the user typed into the token form
        UserIdType userType = new UserIdType();
        userType.setUserIdType("testuser1");
        OtpType otp = new OtpType();
        otp.setOtpType("770379");
        OtpAuthDataType otpAuthData = new OtpAuthDataType();
        otpAuthData.setOtp(otp);

        CheckOtpRequestType otpReqType = new CheckOtpRequestType();
        otpReqType.setUserId(userType);
        otpReqType.setRequestId(requestIdType);
        otpReqType.setOtpAuthData(otpAuthData);

        CheckOtpRequest uReq = new CheckOtpRequest();
        uReq.setCheckOtpRequest(otpReqType);

        CheckOtpResponse checkOtpResponse = authServiceStub.checkOtp(uReq);
        CheckOtpResponseType checkOtpResponseType = checkOtpResponse.getCheckOtpResponse();

        // A custom authentication class should branch on getStatus(); printing is for the sample only.
        System.out.println("Status : " + checkOtpResponseType.getStatus());
        System.out.println("Status message : " + checkOtpResponseType.getStatusMessage());
        System.out.println("Server detail message : " + checkOtpResponseType.getDetailMessage());
    }
}
Last update: 2020-01-31 22:06 (revision 3 of 3), updated by Micro Focus Contributor