4.2. Quick Start Guide Appliance#

4.2.1. Introduction#

Thank you for purchasing a LinOTP Virtual Appliance for strong user authentication

This quick start guide takes you through the basic configuration of the LinOTP Virtual Appliance (LVA).

  • In this chapter, you will learn how to access the appliance, set it up and then activate it via the appliance’s web interface https://<LVA-IP>:9090.

  • It describes how to create an administrator user for the LinOTP management interface https://<LVA-IP>/manage, which is required to manage the tokens.

  • You will receive instructions on how to restore a backup from a previous appliance.

  • It also explains how to set up and integrate certificates.

  • Finally, the configuration of RADIUS is covered.

Afterwards, follow Quick Start Guide Token Management to continue with LinOTP configuration.

Licensing#

LinOTP Virtual Appliance can be acquired with a existing LinOTP Enterprise Subscription and Support License. Subscription and Support are licensed for the number of active token managed in LinOTP. You can find instructions on installing the license file during the configuration wizard in part 2 of this Quick Start Guide. Please have a look at Install a new license.

Documentation, Support & Notes#

A complete introduction can be found in the LinOTP Manual, which you can download from the Appliance menu using the help function.

You will find more information for technical support as well as practical tips at: https://linotp.de/support

4.2.2. Part 1: Setup the LinOTP Virtual Appliance#

For accessing the web configuration interface of the Appliance you have to know the IP address. If you automatically receive your IP address, you can allow it to be displayed directly in the console of LinOTP Virtual Appliance. To do so, log in with the user name: “lva” and your password directly in the console. The IP address will be displayed or enter the command ip a.


../_images/LVAStart.jpg

Note

We recommend conducting all additional configuration of the web interface after installation!

When opening the configuration interface of the appliance https:<LVA-IP>:9090, a window will appear with a certificate warning that varies based on the browser used. In general, you should take this kind of certificate warning seriously when visiting websites, as these provide information regarding possible security risks and thus associated risks for the visitors of a website. In the case of LinOTP Appliance, however, there is no risk. The warning notification appears because LinOTP Virtual Appliance presents the browser with a self-signed certificate when opened. Therefore, please ignore the certificate warning and confirm the access to the IP address requested (your configuration interface of the appliance). If your browser allows, you can add the IP address of your LinOTP Virtual Appliance to the list of trusted sites.

As an alternative to the certificate delivered, you can also add your own certificate at a later time using the Appliance Management. To do so, please refer to the LinOTP manual Change the server SSL certificate.


../_images/LVA_Anmeldung.jpg

You will be asked for a user name and password on the login screen that then opens. Enter “lva” here as the user name and your password.

If LinOTP is intended to be operated behind a firewall, for example in a DMZ, please be sure to take the correct configuration of the firewall rules into account. You will find the corresponding section in the LinOTP Manual, (Chapter IV “LinOTP Appliance Manual”, Section 14 “Network Integration”)

4.2.3. Basic Configuration - Quick Start#

If you have not already done so, open your browser and call up the configuration interface of the LinOTP appliance as described on page 9 under number 11. You can ignore the certificate warning and log in with the lva user & password.

Immediately after logging in, you must start the services under LinOTP. To do this, go to LinOTP on the left and then to Services. Click on Start all Services.


../_images/dashboard.jpg

../_images/lva_dienste.jpg

You must then create an admin user for Manage, which you will need to manage the tokens. To do this, enter the following command in the terminal on the left-hand side:


../_images/adminuser.jpg

Note

Command to create an administrator with the name admin. linotp local-admins password admin You must then assign a password. You can now log in at https://<LVA-IP>/manage with the user you have created.

Restore backups#

Note

All services must be running in order to perform the migration.

../_images/lva_dienste.jpg

1.1 To restore a backup, proceed as follows: Select LinOTP on the left-hand side and go to the SVA migration tab. Then click to upload SVA backup.


../_images/backup1.jpg

1.2 Navigate to the storage location of your backup and select it.

../_images/Backup2.jpg

1.3 Then select Start migration and enter the password you entered when creating the backup.

../_images/backup3.jpg

../_images/Backup4.jpg

1.4 After you have entered your password, click on Start migration. The migration is carried out without further action.

Note

After restoring, the services are restarted automatically. After restoring, please check whether all tokens and UserIdResolvers have been restored. Remember that you will have to enter your update key again after the migration Install a new license


Insert certificate#

To integrate a certificate, log in to https:<LVA-IP>:9090. Then go to LinOTP on the left-hand side and click on Configuration. A self-signed certificate is used by default. To replace this, you need a certificate from the trusted CA. Enter your server certificate and server key in the spaces provided.


To integrate the certificate, please proceed as follows. Go to LinOTP on the left and then to Configuration. Here you can manage your root CA and server certificates.

../_images/cert1.jpg

1.1 Add the certificate from the CA to Trusted certificate authorities.

../_images/ca_stelle.jpg

1.2 Scroll down and enter the server certificate and the server key in the appropriate places and save the certificates.

../_images/cert2.jpg

Note

As soon as you have integrated your certificates, the services are restarted automatically. You can then only log in to the manage administration interface via the FQN.


The LinOTP appliance generally recognizes two different roles:#

LinOTP Administrator - the LinOTP Administrator manages LinOTP. He has no rights to the operating system or the network. They may only change the administration of the appliance, assign access rights and manage tokens. They can change passwords, but not the LVA password. The name is freely selectable and additional administrators can be configured later in the running system.

LVA Administrator - the LVA Admin has the most rights on the LinOTP Virtual Appliance. He has no access to the administration, but can manage everything on the appliance.


../_images/rechte.jpg

Note

Note regarding password complexity

For security reasons, be certain to select sufficiently complex passwords when changing the passwords. Passwords are deemed to be sufficiently complex by today’s standards when they meet the following criteria:

  • Password length of at least 10 characters

  • Combination of upper case and lower case letters, number and special characters.

Definition of the RADIUS Clients#

In this step, you define the first RADIUS client that is allowed to make authentication requests to the RADIUS server of the LinOTP appliance. Additional clients can be added and managed via the LinOTP Cocpit.

RADIUS (Remote Authentication Dial In User Service) is the most commonly used client-server protocol for authenticating, authorizing and managing users of dial-in connections in a computer network. In general, a distinction is made between the RADIUS server, which validates the login request, and the RADIUS client, which sends the authentication request. Typical examples of a RADIUS client are a VPN gateway, a firewall and a portal or terminal server.

LinOTP also works with the LinOTP RADIUS client “LinOTP Authentication Provider for Windows (LAP)”, which enables a RADIUS-based login to the Windows operating system or Windows terminal server. To use RADIUS, go to Linotp on the left-hand side and then to Services.


../_images/radius.jpg

Next click on Action under Freeradius. Select Configure Radius clients and give the RADIUS client a name and enter its IP address. You can freely choose the name of the “New RADIUS client”. The password (“Secret”) for RADIUS communication is also required


../_images/radius1.jpg

4.2.4. Part 2: Connecting to the User Directory, Rollout of Tokens#

Open the LinOTP Management Interface#

Open the browser on your administration computer and enter the IP address of your LinOTP server in the address line as you did previously when performing the network basic configuration https://<LVA-IP>/manage You may receive the certificate warning already mentioned at this point, deal with this as described on p. 10. Then log in with the access data of the previously defined LinOTP Administrator (the name can be freely issued before).

../_images/230.png

Creating User ID Resolvers#

User ID Resolvers are required in order to make a connection from LinOTP to user directories. These can be LDAP based directory services (Microsoft Active Directory, Novell eDirectory, Open LDAP, amongst others), SQL-based databases or flat files such as /etc/passwd.

A User ID Resolver represents the connection to the respective directory service or respective database. LinOTP only requires read permissions for its access to the target systems.

../_images/240.png

In the start screen, select the item “UserIdResolvers” in the “LinOTP Config” menu. In the window that opens, click on the option “New” and select the correct directory type (we will choose LDAP for the following example).

../_images/260.png

../_images/265.png

../_images/useridresolver_test_successful.png

Enter the following information in the input mask:

  • Resolver name (freely selectable)

  • Server URL (the URL address through which the directory service or database is accessible), this can be either ldap://ad1.example.net, ldap://ad2.example.net for LDAP (LinOTP will try to establish a secure connection via StartTLS) or ldaps://ad1.example.net, ldaps://ad2.example.net for LDAPS - a certificate is required for the latter method.

  • BaseDN (Base Distinguished Name), consisting of the domain components. The BaseDN determines the point at which the directory tree of the User ID Resolver begins to search for users. Please separate the domain components into multiple entries, for example, “linotp.local” becomes “dc=linotp,dc=local”.

  • BindDN (Bind Distinguished Name, also account, account name), what is meant here is the user account with which the access to the directory service is made (only read permissions are required). The form of the ntries that you have to use depends on the underlying LDAP and/or Microsoft Active Directory® (AD) structure.

For example, the LDAP directory “administrator@dir.linotp.de” would become “cn=administrator,cn=user,dc=dir,dc=linotp,dc=de”. The information “cn=user” is required because the “User” is located in the AD directory in our example. This is not always the case. Another, frequently encountered version that refers to organizational units can appear as follows: “cn=test.user,ou=users,ou=linotp, dc=linotp,dc=de”. Alternatively, the entry “user@domain” can also always be used with AD directories.

  • Bind Password (the password assigned to the BindDN).

  • With AD structures, please also check the box “No anonymous referral chasing” (you can find more information in the LinOTP Manual, chapter I, article 3.2).

  • By clicking the button “Test LDAP connection”, it can be verified whether the user directory can be accessed with the information provided.

  • Click the “Preset AD” or “Preset LDAP” button in accordance with the selected user directory type. LinOTP will then automatically fill the fields in the lower third of the screen.

  • Close the process with “Save”.

A window will appear that shows the resolver you have created (name and type). You can now connect to additional user directories (“New”), editing existing resolvers (“Edit”) or delete them (“Delete”). To do so, the listed resolvers must be marked (highlighted). Then close this window with “Close”.

Note

Detailed information about UserIdResolver configuration can be found at Configuring UserIdResolvers.

Creating Realms#

A realm must be created after connecting to the user directory. Realms consist of a number of users that can come from different user directories. They offer extensive options for the grouping of users, which could allow them to be distinguished on the basis of their function or departmental affiliation. Multi-client infrastructures can also be easily depicted with realms.

../_images/270.png

To do so, select the corresponding menu item, “Realms”, in the “LinOTP Config” menu and click on “New” in the window that opens.

../_images/290.png

First of all, enter a name and then select the User ID Resolver of a connected user directory (the selection will be highlighted). You can select multiple User ID Resolver to join them together in one realm.

Save the configuation:

../_images/new_realm.png

Close the “Realms” dialog:

../_images/close_realm_popup.png

Now the users from the selected realm are displayed in the “User View” tab.

../_images/userlist.png

Token#

You will also find extensive information about this topic in the LinOTP Manual (Chapter I “LinOTP Management Guide”, Section 6 “Managing Tokens”).

Hardware Token#

In order to use the tokens, first import the file with the token seed files (import record). A seed file represents the secret key a token needs to generate the OTP value. To do so, select the item “Import Token File” from the menu and then the file type (“SafeNet/Aladdin XML” in our example).

../_images/330.png

First find the file with the token serial numbers and accompanying seed fi les that you received from your dealer. Now click the “Load Token File” button to load the token seed file/import record. The tokens loaded are now displayed in the “Token View”.

../_images/340.png

Soft Token#

In order to enroll an initial software token, switch to “Token View”.

../_images/350.png

Click on “Enroll” and select “HMAC event based” and “Generate HMAC key” to generate a new seed. The QR code generated can be read by various software tokens (Google Authenticator or FreeOTP, for example).

../_images/360.png ../_images/370.png

Assigning Tokens#

Now assign the newly loaded tokens to your users. To do so, search for the corresponding user in “User View” and mark them (the entry will be highlighted ).

Switch to “Token View” and select the token that should be assigned to the user (the entry will be highlighted).

../_images/380.png

Then click “assign” in the menu to the left to assign the token. If you switch back to “Token View” after this process, the name of the user will be displayed in the corresponding column behind the assigned token.

Setting the Token PIN#

../_images/390.png

Certain scenarios require a higher level of security in handling tokens. The underlying principle is strong or two-factor authentication. It is more secure than simple typing in a password or showing a card, as a user must prove both factors of possession (token) and knowledge (password or PIN) to receive access.

To do so, set a PIN for your token.

  • First select the desired token (the entry will be highlighted).

  • Click on the “SET PIN” button in the left-hand side menu. A dialog window will appear where you can set the PIN yourself.

Your LinOTP Appliance is now fully configured and the tokens have been rolled out and assigned. You can being using your Appliance!

Please make sure to correspondingly configure your RADIUS clients before the first use. We have compiled a practical test as well as some useful information and tips for you on the following two pages. Please read these carefully in order to avoid any later complications.

We wish you a great deal of success for the use of your LinOTP product!

Practical Test#

Before you place the LinOTP Appliance in live operation, you have the opportunity to test whether all of the configuration steps have been successfully completed using one of the rolled out tokens.

  • Select the token of a user whose user name you know.

  • Type https://[IP address of your LinOTP]/auth/index into the address line of your browser.

  • Enter the user name for the selected token in the login screen.

  • Generate an OTP value with the selected token and enter it along with the OTP PIN.

LinOTP will report a successful authentication process to you.

If the authentication fails, please check the configuration of your LinOTP Appliance, especially User ID Resolvers and tokens. The audit trail log in LinOTP Management can provide you with useful details for this. Also make sure that you have selected the proper token and that you have not made any typing errors. If you continue to be unable to make a valid authentication, please contact your LinOTP dealer.

HA Mode#

Additional, in part varying, configuration steps are necessary for use in HA mode. You will find an introduction for this in the LinOTP Manual (chapter IV, article 10).