4.2. Quick Start Guide Appliance#
4.2.1. Introduction#
Thank you for purchasing a LinOTP Virtual Appliance for strong user authentication
This quick start guide takes you through the basic configuration of the LinOTP Virtual Appliance (LVA).
In this chapter, you will learn how to access the appliance, set it up and then activate it via the appliance’s web interface
https://<LVA-IP>:9090.It describes how to create an administrator user for the LinOTP management interface
https://<LVA-IP>/manage, which is required to manage the tokens.You will receive instructions on how to restore a backup from a previous appliance.
It also explains how to set up and integrate certificates.
Finally, the configuration of RADIUS is covered.
Afterwards, follow Quick Start Guide Token Management to continue with LinOTP configuration.
Licensing#
LinOTP Virtual Appliance can be acquired with a existing LinOTP Enterprise Subscription and Support License. Subscription and Support are licensed for the number of active token managed in LinOTP. You can find instructions on installing the license file during the configuration wizard in part 2 of this Quick Start Guide. Please have a look at Install a new license.
Documentation, Support & Notes#
A complete introduction can be found in the LinOTP Manual, which you can download from the Appliance menu using the help function.
You will find more information for technical support as well as practical tips at: https://linotp.de/support
4.2.2. Part 1: Setup the LinOTP Virtual Appliance#
For accessing the web configuration interface of the Appliance you have to know
the IP address. If you automatically receive your IP address, you can allow it
to be displayed directly in the console of LinOTP Virtual Appliance.
To do so, log in with the user name: “lva” and your password directly in the
console. The IP address will be displayed or enter the command ip a.
Note
We recommend conducting all additional configuration of the web interface after installation!
When opening the configuration interface of the appliance https:<LVA-IP>:9090,
a window will appear with a certificate warning that
varies based on the browser used. In general, you should take this kind of
certificate warning seriously when visiting websites, as these provide
information regarding possible security risks and thus associated risks for the
visitors of a website. In the case of LinOTP Appliance, however,
there is no risk. The warning notification appears because
LinOTP Virtual Appliance presents the browser with a self-signed certificate
when opened. Therefore, please ignore the certificate warning and confirm the
access to the IP address requested (your configuration interface of the
appliance). If your browser allows, you can add the IP address of your
LinOTP Virtual Appliance to the list of trusted sites.
As an alternative to the certificate delivered, you can also add your own certificate at a later time using the Appliance Management. To do so, please refer to the LinOTP manual Change the server SSL certificate.
You will be asked for a user name and password on the login screen that then opens. Enter “lva” here as the user name and your password.
If LinOTP is intended to be operated behind a firewall, for example in a DMZ, please be sure to take the correct configuration of the firewall rules into account. You will find the corresponding section in the LinOTP Manual, (Chapter IV “LinOTP Appliance Manual”, Section 14 “Network Integration”)
4.2.3. Basic Configuration - Quick Start#
If you have not already done so, open your browser and call up the configuration interface of the LinOTP appliance as described on page 9 under number 11. You can ignore the certificate warning and log in with the lva user & password.
Immediately after logging in, you must start the services under LinOTP. To do this, go to LinOTP on the left and then to Services. Click on Start all Services.
You must then create an admin user for Manage, which you will need to manage the tokens. To do this, enter the following command in the terminal on the left-hand side:
Note
Command to create an administrator with the name admin.
linotp local-admins password admin You must then assign a password. You can now log in at
https://<LVA-IP>/manage with the user you have created.
Restore backups#
Note
All services must be running in order to perform the migration.
1.1 To restore a backup, proceed as follows: Select LinOTP on the left-hand side
and go to the SVA migration tab.
Then click to upload SVA backup.
1.2 Navigate to the storage location of your backup and select it.
1.3 Then select Start migration and enter the password you entered when creating the backup.
1.4 After you have entered your password, click on Start migration. The migration is carried out without further action.
Note
After restoring, the services are restarted automatically. After restoring, please check whether all tokens and UserIdResolvers have been restored. Remember that you will have to enter your update key again after the migration Install a new license
Insert certificate#
To integrate a certificate, log in to https:<LVA-IP>:9090.
Then go to LinOTP on the left-hand side and click on Configuration.
A self-signed certificate is used by default. To replace this,
you need a certificate from the trusted CA.
Enter your server certificate and server key in the spaces provided.
To integrate the certificate, please proceed as follows. Go to LinOTP on the left and then to Configuration. Here you can manage your root CA and server certificates.
1.1 Add the certificate from the CA to Trusted certificate authorities.
1.2 Scroll down and enter the server certificate and the server key in the appropriate places and save the certificates.
Note
As soon as you have integrated your certificates, the services are restarted automatically. You can then only log in to the manage administration interface via the FQN.
The LinOTP appliance generally recognizes two different roles:#
LinOTP Administrator - the LinOTP Administrator manages LinOTP. He has no rights to the operating system or the network. They may only change the administration of the appliance, assign access rights and manage tokens. They can change passwords, but not the LVA password. The name is freely selectable and additional administrators can be configured later in the running system.
LVA Administrator - the LVA Admin has the most rights on the LinOTP Virtual Appliance. He has no access to the administration, but can manage everything on the appliance.
Note
Note regarding password complexity
For security reasons, be certain to select sufficiently complex passwords when changing the passwords. Passwords are deemed to be sufficiently complex by today’s standards when they meet the following criteria:
Password length of at least 10 characters
Combination of upper case and lower case letters, number and special characters.
Definition of the RADIUS Clients#
In this step, you define the first RADIUS client that is allowed to make authentication requests to the RADIUS server of the LinOTP appliance. Additional clients can be added and managed via the LinOTP Cocpit.
RADIUS (Remote Authentication Dial In User Service) is the most commonly used client-server protocol for authenticating, authorizing and managing users of dial-in connections in a computer network. In general, a distinction is made between the RADIUS server, which validates the login request, and the RADIUS client, which sends the authentication request. Typical examples of a RADIUS client are a VPN gateway, a firewall and a portal or terminal server.
LinOTP also works with the LinOTP RADIUS client “LinOTP Authentication Provider for Windows (LAP)”, which enables a RADIUS-based login to the Windows operating system or Windows terminal server. To use RADIUS, go to Linotp on the left-hand side and then to Services.
Next click on Action under Freeradius. Select Configure Radius clients and give the RADIUS client a name and enter its IP address. You can freely choose the name of the “New RADIUS client”. The password (“Secret”) for RADIUS communication is also required
4.2.4. Part 2: Connecting to the User Directory, Rollout of Tokens#
Open the LinOTP Management Interface#
Open the browser on your administration computer and enter the IP address of
your LinOTP server in the address line as you did previously when performing
the network basic configuration https://<LVA-IP>/manage
You may receive the certificate warning already mentioned at
this point, deal with this as described on p. 10. Then log in with the access
data of the previously defined LinOTP Administrator (the name can
be freely issued before).
Creating User ID Resolvers#
User ID Resolvers are required in order to make a connection from LinOTP to user directories. These can be LDAP based directory services (Microsoft Active Directory, Novell eDirectory, Open LDAP, amongst others), SQL-based databases or flat files such as /etc/passwd.
A User ID Resolver represents the connection to the respective directory service or respective database. LinOTP only requires read permissions for its access to the target systems.
In the start screen, select the item “UserIdResolvers” in the “LinOTP Config” menu. In the window that opens, click on the option “New” and select the correct directory type (we will choose LDAP for the following example).
Enter the following information in the input mask:
Resolver name (freely selectable)
Server URL (the URL address through which the directory service or database is accessible), this can be either
ldap://ad1.example.net, ldap://ad2.example.netfor LDAP (LinOTP will try to establish a secure connection via StartTLS) orldaps://ad1.example.net, ldaps://ad2.example.netfor LDAPS - a certificate is required for the latter method.BaseDN (Base Distinguished Name), consisting of the domain components. The BaseDN determines the point at which the directory tree of the User ID Resolver begins to search for users. Please separate the domain components into multiple entries, for example, “linotp.local” becomes “dc=linotp,dc=local”.
BindDN (Bind Distinguished Name, also account, account name), what is meant here is the user account with which the access to the directory service is made (only read permissions are required). The form of the ntries that you have to use depends on the underlying LDAP and/or Microsoft Active Directory® (AD) structure.
For example, the LDAP directory “administrator@dir.linotp.de” would become “cn=administrator,cn=user,dc=dir,dc=linotp,dc=de”. The information “cn=user” is required because the “User” is located in the AD directory in our example. This is not always the case. Another, frequently encountered version that refers to organizational units can appear as follows: “cn=test.user,ou=users,ou=linotp, dc=linotp,dc=de”. Alternatively, the entry “user@domain” can also always be used with AD directories.
Bind Password (the password assigned to the BindDN).
With AD structures, please also check the box “No anonymous referral chasing” (you can find more information in the LinOTP Manual, chapter I, article 3.2).
By clicking the button “Test LDAP connection”, it can be verified whether the user directory can be accessed with the information provided.
Click the “Preset AD” or “Preset LDAP” button in accordance with the selected user directory type. LinOTP will then automatically fill the fields in the lower third of the screen.
Close the process with “Save”.
A window will appear that shows the resolver you have created (name and type). You can now connect to additional user directories (“New”), editing existing resolvers (“Edit”) or delete them (“Delete”). To do so, the listed resolvers must be marked (highlighted). Then close this window with “Close”.
Note
Detailed information about UserIdResolver configuration can be found at Configuring UserIdResolvers.
Creating Realms#
A realm must be created after connecting to the user directory. Realms consist of a number of users that can come from different user directories. They offer extensive options for the grouping of users, which could allow them to be distinguished on the basis of their function or departmental affiliation. Multi-client infrastructures can also be easily depicted with realms.
To do so, select the corresponding menu item, “Realms”, in the “LinOTP Config” menu and click on “New” in the window that opens.
First of all, enter a name and then select the User ID Resolver of a connected user directory (the selection will be highlighted). You can select multiple User ID Resolver to join them together in one realm.
Save the configuation:
Close the “Realms” dialog:
Now the users from the selected realm are displayed in the “User View” tab.
Token#
You will also find extensive information about this topic in the LinOTP Manual (Chapter I “LinOTP Management Guide”, Section 6 “Managing Tokens”).
Hardware Token#
In order to use the tokens, first import the file with the token seed files (import record). A seed file represents the secret key a token needs to generate the OTP value. To do so, select the item “Import Token File” from the menu and then the file type (“SafeNet/Aladdin XML” in our example).
First find the file with the token serial numbers and accompanying seed fi les that you received from your dealer. Now click the “Load Token File” button to load the token seed file/import record. The tokens loaded are now displayed in the “Token View”.
Soft Token#
In order to enroll an initial software token, switch to “Token View”.
Click on “Enroll” and select “HMAC event based” and “Generate HMAC key” to generate a new seed. The QR code generated can be read by various software tokens (Google Authenticator or FreeOTP, for example).
Assigning Tokens#
Now assign the newly loaded tokens to your users. To do so, search for the corresponding user in “User View” and mark them (the entry will be highlighted ).
Switch to “Token View” and select the token that should be assigned to the user (the entry will be highlighted).
Then click “assign” in the menu to the left to assign the token. If you switch back to “Token View” after this process, the name of the user will be displayed in the corresponding column behind the assigned token.
Setting the Token PIN#
Certain scenarios require a higher level of security in handling tokens. The underlying principle is strong or two-factor authentication. It is more secure than simple typing in a password or showing a card, as a user must prove both factors of possession (token) and knowledge (password or PIN) to receive access.
To do so, set a PIN for your token.
First select the desired token (the entry will be highlighted).
Click on the “SET PIN” button in the left-hand side menu. A dialog window will appear where you can set the PIN yourself.
Your LinOTP Appliance is now fully configured and the tokens have been rolled out and assigned. You can being using your Appliance!
Please make sure to correspondingly configure your RADIUS clients before the first use. We have compiled a practical test as well as some useful information and tips for you on the following two pages. Please read these carefully in order to avoid any later complications.
We wish you a great deal of success for the use of your LinOTP product!
Practical Test#
Before you place the LinOTP Appliance in live operation, you have the opportunity to test whether all of the configuration steps have been successfully completed using one of the rolled out tokens.
Select the token of a user whose user name you know.
Type https://[IP address of your LinOTP]/auth/index into the address line of your browser.
Enter the user name for the selected token in the login screen.
Generate an OTP value with the selected token and enter it along with the OTP PIN.
LinOTP will report a successful authentication process to you.
If the authentication fails, please check the configuration of your LinOTP Appliance, especially User ID Resolvers and tokens. The audit trail log in LinOTP Management can provide you with useful details for this. Also make sure that you have selected the proper token and that you have not made any typing errors. If you continue to be unable to make a valid authentication, please contact your LinOTP dealer.
HA Mode#
Additional, in part varying, configuration steps are necessary for use in HA mode. You will find an introduction for this in the LinOTP Manual (chapter IV, article 10).
4.2.5. Appendix: Practical Tips and Legal Notes#
License Conditions#
The software of the Virtual Appliance, Hardware Appliance and LinOTP are protected by copyright. You can find the complete license conditions at Install a new license. In addition, they are displayed upon the first use of the Appliance as the first step of the configuration wizard.
We would like to expressly thank the members of the Debian project here.
Support Addresses#
In the event of support questions or hardware defects, please contact us. If you would like information regarding our standard support offers, hardware replacement service as well as the additional support options which incur charges, please contact or inform yourself of our support offer at: https://linotp.de/support
Alternatively, you can reach us at +49 30 264745 7277 or via email to support@linotp.de
About LinOTP#
LinOTP is the leading vendor of secure connection technologies centered around vendor independent logon security and identity management.
LinOTP is developed by netgo software GmbH, part of netgo group.
Unternehmensdaten:
Corporate data:
Contact: