lxzndr Super Contributor.

Secure access options

Due to new government rules we must protect certain data using Multi-Factor Authentication, as well as log connections and watch for inappropriate access (a different issue than this topic).
Require a certain set of users to use Multi-Factor Authentication to access specific OES servers.
Do not allow any access to those servers that is not using MFA.
Most users do not require access to that data, so they do not need to use MFA.

We have been looking at NetIQ Advanced Authentication, but I do not see any process for integrating it with eDirectory logins.
Plus, it appears that if you don't have the AA client, you can bypass the MFA requirements (though there is a LogonFilter option in Active Directory, I don't see such a feature in eDirectory).

I did find documentation on using counter-based one-time passwords with eDirectory and NMAS, but I think that will mess up things like Filr and Messenger?
Are there options for TOTP for eDirectory, or other integration with Advanced Authentication?

My thoughts on options:
Place the sensitive data servers into their own eDirectory tree, synchronize selected accounts between the trees (we already have IDM) and require HOTP in the sensitive tree (solves issues with Messenger and such).

Place the sensitive data servers behind a VPN firewall and require MFA on initiating the VPN connection, the VPN firewall would allow for eDirectory communication between the servers.

Place the sensitive data on Windows servers, which will allow for proper MFA requirements through AD.

I think the VPN option is quickest to implement, and likely has better tracking options for access. Plus, it can set a timeout to require re-authentication.
Other suggestions? Should this be posted in a different location?

Thank you,
lxzndr Super Contributor.

Re: Secure access options

We do have existing Windows servers and other services that also need MFA; that is where Advanced Authentication and Access Manager are being looked at.