Brunold Rainer

use TOTP token stored in ldap on different NAM installations

Hello,

I have set up a TOTP configuration on an internal Access Manager that stores the secret in an LDAP attribute of the user.
Everything works fine so far. Nice and easy process.

We have dedicated Access Managers for internet and intranet, and if I configure the same TOTP configuration on the external Access Manager and point to the same attribute, I get the information that I need to set up a token for my user. So I guess the shared secret of the user contains a flag or value that is unique to each Access Manager.

Does anybody know if that flag can be disabled via a class property of the TOTP class or something?
Or do we have to take a look at the Java classes to see how that secret gets created?

Rainer
Knowledge Partner

Re: use TOTP token stored in ldap on different NAM installations

On 24-04-2019 7:44 PM, brunold wrote:
>
> Hello,
>
> I have set up a TOTP configuration on an internal Access Manager that
> stores the secret in an LDAP attribute of the user.
> Everything works fine so far. Nice and easy process.
>
> We have dedicated Access Managers for internet and intranet, and if I
> configure the same TOTP configuration on the external Access Manager and
> point to the same attribute, I get the information that I need to set up
> a token for my user. So I guess the shared secret of the user contains a
> flag or value that is unique to each Access Manager.
>
> Does anybody know if that flag can be disabled via a class property of
> the TOTP class or something?
> Or do we have to take a look at the Java classes to see how that secret
> gets created?

You can share this secret between various NAM instances if you want. I just tried and it worked for me (using 2 instances of NAM 4.5). It's nothing more than a seed, nothing special to NAM.


--
Cheers,
Edward
Brunold Rainer

Re: use TOTP token stored in ldap on different NAM installations

Hi Edward,

thanks for the reply.
Do you have your two instances in the same NAM cluster?

I opened an SR yesterday about this, and Klaus told me that he guesses the encryption is done with a NAM cluster secret, which is different for the next NAM cluster.

Rainer
Knowledge Partner

Re: use TOTP token stored in ldap on different NAM installations

On 25-04-2019 7:44 PM, brunold wrote:
>
> Hi Edward,
>
> thanks for the reply.
> Do you have your two instances in the same NAM cluster?
>
> I opened an SR yesterday about this, and Klaus told me that he guesses
> the encryption is done with a NAM cluster secret, which is different for
> the next NAM cluster.

I have 2 completely independent NAM envs pointing to the same eDir instance. When I logged in with my test account on the first env, I got challenged with the QR code and scanned it. I retried auth and got in with the code generated by the app. I then went to the 2nd instance and got challenged for just the code (no QR code to be scanned, so it recognized that the user was already enabled for TOTP), provided the code from the app, and was authenticated.

On the totp class in each env I configured:
SECRET_STORE_CLASS USERSTORE
SECRET_LDAP_ATTRIBUTE_NAME auxTOTP

The value doesn't appear to be encrypted, to be honest. I think it's just a randomly generated seed, which makes your TOTP tokens unique.


--
Cheers,
Edward
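Edward's point that the LDAP attribute holds nothing more than a seed is exactly why a second, independent verifier can accept the same app codes. As an added illustration (not NAM's code and not from this thread), the following stdlib-only Python implements RFC 6238 TOTP and models two independent verifiers that share only the seed and the clock; the base32 seed value is constructed, and the NAM class properties and attribute name are deliberately not modelled.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample seed (not from the thread): a base32 TOTP seed as an
# authenticator app receives it from the enrollment QR code.
SAMPLE_SEED_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30
DIGITS = 6


def hotp(seed_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(seed_b32, unix_time // step)


def verify(seed_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps (clock skew).
    Constant-time compare so the verifier does not leak matching prefixes."""
    counter = unix_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(seed_b32, c), code)
               for c in range(counter - window, counter + window + 1))


def cross_instance_check(seed_b32: str, unix_time: int) -> bool:
    """Model two independent verifiers (like two NAM clusters) reading the same
    LDAP attribute: the only shared inputs are the seed and the clock."""
    code_from_app = totp(seed_b32, unix_time)
    verified_on_a = verify(seed_b32, code_from_app, unix_time)
    # Second instance with a 17 s clock offset; still within the +/-1 window.
    verified_on_b = verify(seed_b32, code_from_app, unix_time + 17)
    return verified_on_a and verified_on_b


if __name__ == "__main__":
    now = int(time.time())
    print(totp(SAMPLE_SEED_B32, now), cross_instance_check(SAMPLE_SEED_B32, now))
```

Because the seed alone determines the code, anyone able to read that attribute can mint valid codes, so the attribute's LDAP ACLs deserve the same scrutiny as a password hash.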