Step by Step guide to implement Pledge Enrollment to One Time Password Server 3 (OTPServer 3)
Pledge is a mobile client that generates one-time passwords based on the OATH (HOTP) algorithm. Being able to access critical data securely is imperative, but for many organisations the standard authentication method is still a username and a password. That is too weak for protecting corporate assets. The mobile client Pledge addresses this by securing the login with two-factor authentication.
Pledge turns your mobile device into a security token and is available for most platforms. The product comes with a complete infrastructure for automation of key enrollment and customizable profiles. Instead of using a security token when logging in, you simply use your mobile phone. Using Pledge, you can log in securely to different applications and even sign different transactions using your mobile device.
This guide describes how to integrate the mobile client Pledge with Nordic Edge One Time Password Server version 3.
1 Overview of Pledge Enrollment Process
Pledge Enrollment lets an end-user obtain a unique Profile ID (session ID) by browsing to the Pledge Enrollment server at the customer site. Pledge Enrollment can also be restricted so that only designated administrators may enroll Profile IDs on behalf of end-users.
The end user must already have downloaded and installed the Pledge application.
When an end-user or administrator enrolls for a Pledge profile, the Pledge Enrollment service at the customer site sends a web service request to the Nordic Edge Pledge Factory asking for an end-user profile.
The Nordic Edge Pledge Factory will now perform the following steps:
1. Generate a unique symmetric key and a corresponding counter.
2. Pack the customer's images (logotype, icon, backgrounds etc.) into a zip file called branding data, together with the customer contact information and the PIN code policy.
3. Generate a unique profile number.
4. Combine all of the above into an XML message and associate it with the unique profile number.
5. Reply to the customer with the unique symmetric key, the corresponding counter and, optionally, the unique profile number.
Depending on whether Self-enrollment or Admin-enrollment is used, the end-user or the administrator receives the unique Profile ID on the web page.
The user starts the Pledge Client on their mobile phone, taps the key symbol in the left corner and enters the Profile ID. The Pledge Client sends a request to the Pledge Factory and downloads the profile (key, counter and branding data) registered under that Profile ID. Note that the Profile ID is the only thing needed to fetch that key, so treat it like a password: hand it to the right person only, and keep the Profile TTL (section 3.3) as short as your process allows.
The mobile phone is now ready to generate OTPs.
(Figure: Outline of Pledge enrollment)
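The key and counter that the Factory hands out are the two inputs to HOTP (RFC 4226). The following is an added example, not Nordic Edge's or Pledge's own code, showing how an OTP is derived from them and how a server should check it: compare within a bounded look-ahead window and advance the stored counter past the match so that an OTP can never be replayed. The secret and the expected codes are the RFC 4226 Appendix D test vector, not a real profile.

```python
"""
Added example (not Nordic Edge / Pledge code): RFC 4226 HOTP generation and
server-side verification with a per-profile symmetric key and counter.
The secret and expected values are the RFC 4226 Appendix D test vector.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret, ASCII "12345678901234567890".
TEST_SECRET = b"12345678901234567890"
# Expected HOTP values for counters 0..9 (RFC 4226 Appendix D).
RFC4226_VECTORS = ["755224", "287082", "359152", "969429", "338314",
                   "254676", "287922", "162583", "399871", "520489"]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, per RFC 4226."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpProfile:
    """Server-side record for one enrolled profile: the shared key and the
    next counter value the server is willing to accept."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 10):
        self.secret = secret
        self.counter = counter          # lowest counter still acceptable
        self.look_ahead = look_ahead    # tolerate a few client-side presses

    def verify(self, otp: str) -> bool:
        """Accept otp if it matches a counter in [counter, counter + look_ahead).
        On success the stored counter moves past the matched value, so the same
        OTP, or any earlier one, is rejected from then on (no replay)."""
        if len(otp) != 6 or not otp.isdigit():
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            # constant-time compare: do not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    profile = HotpProfile(TEST_SECRET)
    for c in range(3):
        print(c, hotp(TEST_SECRET, c))
    print("first use accepted:", profile.verify("755224"))
    print("replay accepted:   ", profile.verify("755224"))
```

The look-ahead window is what lets a phone that generated a few unused codes stay in sync; keep it small, because every extra counter the server tries is one more guess an attacker gets per submission.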
2 Download Nordic Edge One Time Password Server 3
Register and download Nordic Edge One Time Password Server: go to www.nordicedge.se and click Download, or open http://www.nordicedge.se/registrering.shtml directly.
3 Register Pledge Profile Factory account
Browse to the Pledge Factory at https://www.nordicedge.se/pledge-im.
3.2 Register Account
Click "Register here"
Type in your email address (this will be the default administrator for your Pledge Factory account)
Type in the name of your Company
Please note, if you are a partner setting this up for a Customer, enter your email address and create an account matching your Customers company name, not your own company.
Click "Register"
An email will be sent to the email account you registered with.
Click on the registration link in the email.
Log in with your email address and type in the CAPTCHA letters. Click "Login"
A one-time password (OTP) will be sent to your email address.
Enter the OTP you received by email.
Click "OK"
3.3 Customize your Company Pledge Profile and settings.
You are now logged in to the Pledge Profile Factory. Here you can customize your company profile: images such as background, logo, icon and button, background color, text color, PIN code length and, optionally, a signing URL.
To personalize your company's Pledge profile, click "Design" and change the pictures according to your needs.
Depending on your company profile's PIN code policy, the end-user can be required to assign a PIN code to the profile. Set the PIN length according to your company policy.
If you do not want to use a PIN code, set the PIN code length to 0.
Profile TTL:
The Profile TTL determines how long a user's Profile ID remains valid before the profile has been downloaded to the Pledge Client on the user's mobile phone. For example, if you as administrator enroll a Profile ID for an end-user, that user has by default 120 minutes to download the Pledge profile to the phone before the ID expires. Until it expires, anyone who learns the Profile ID can download the profile, and with it the key, in the user's place, so keep the TTL as short as your process allows.
Change the TTL to a time that fits your organization and processes.
3.4 Important about the Pledge Factory Profile
If you change the logo or the PIN code length, the change takes effect for a user only after that user has been enrolled again.
Logout
Click on the button in the right corner.
4 Request Pledge Factory Web Service Account
During the enrollment process, when Pledge Profile IDs are created for end-users, the Pledge Enrollment Service (installed at the customer site, either integrated in OTPServer 3 or as an external module) needs to communicate with the Pledge Profile Factory at Nordic Edge. To do that you need a Web Service Account.
Within 24 hours Nordic Edge Support will send back a Web Service Account and Password.
5 Configure Nordic Edge One Time Password Server 3 for use of Pledge
In Nordic Edge One Time Password Server 3 the Pledge Enrollment is integrated with the server. If you want to use the external enrollment modules we offer for Tomcat and Microsoft IIS, please see
In this guide we show how to configure the internal module included in One Time Password Server 3.
Start One Time Password Server and click "Configurator"
5.1 Configure Enrollment Database
The Enrollment Database holds the settings that control how users are enrolled: the admin account used to bind to the directory and the attribute on the user object in which the OATH key is stored.
In this setup we are going to use the LDAP database Microsoft Active Directory
Change to the Databases tab and click on the LDAP Database button.
5.1.2 Configure LDAP Host Settings
For our configuration we use the Active Directory installed on the same server as the One Time Password Server, so the host address is the loopback address (127.0.0.1).
We use the standard LDAP port (389) to communicate with Active Directory. Note that LDAP on port 389 is cleartext unless StartTLS is negotiated; that is acceptable over loopback, but if the directory is on another host, use LDAPS (port 636) or StartTLS where your server supports it, because both the admin bind password and every enrolled OATH key cross this connection.
For the Admin DN we use the Administrator account to search and modify users in Active Directory. If you prefer a dedicated account with narrower rights (recommended), note that it needs permission to read the user objects' attributes and to write the OATH key to the attribute you store it in. If you also intend to use the disable-account feature of One Time Password Server 3, the account additionally needs write permission on the disable-account attribute.
Name the database something like "Pledge Enrollment Database", configure your LDAP host settings and click Test. You should get a message saying "LDAP connection success".
Click OK and Save
5.2.2 Configure the LDAP database settings
The Base DN is the search base under which your users are located. Click the button with three dots to the right of the Base DN field to browse your LDAP database.
Click the Organizational Unit or Organization in which your user objects are stored and click OK.
5.2.3 Configure search filter
The next step is to configure the search filter so that the Pledge Enrollment Service searches for the right object classes and attributes according to Microsoft Active Directory.
Click the "Sample" button, choose the filter template for MS Active Directory and click OK twice.
5.2.4 Test LDAP Authentication
The search filter now follows the MS Active Directory model.
Click the Test LDAP Authentication button and type in the user id of a user you want to authenticate.
Type in the password
If everything is correctly configured you will get a success message.
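The user id typed into the enrollment pages ends up as a value inside this search filter. The following added example (not OTP Server code) shows the filter being built from an untrusted user id with RFC 4515 escaping, so a crafted login such as `jdoe)(objectClass=*` cannot widen the search. The filter templates are assumptions for illustration; the product's own AD sample filter is selected in the Configurator and is not reproduced on this page.

```python
"""
Added example (not OTP Server code): building the user search filter from an
untrusted user id with RFC 4515 escaping.  The templates are assumed for
illustration and are not the product's own sample filters.
"""

# Assumed AD template: one object of class user whose sAMAccountName is the login.
AD_FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName={uid}))"
# Assumed eDirectory-style template for comparison (uid instead of sAMAccountName).
EDIR_FILTER_TEMPLATE = "(&(objectClass=inetOrgPerson)(uid={uid}))"

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(userid: str, template: str = AD_FILTER_TEMPLATE) -> str:
    """Return the search filter for one login name, rejecting empty or oversized input."""
    if not userid or len(userid) > 256:
        raise ValueError("user id missing or too long")
    return template.format(uid=escape_filter_value(userid))


if __name__ == "__main__":
    print(build_user_filter("jdoe"))
    # A login crafted to close the sAMAccountName clause and match every user
    # stays a harmless literal once escaped.
    print(build_user_filter("jdoe)(objectClass=*"))
```

Without the escaping, the second call would produce `(&(objectClass=user)(sAMAccountName=jdoe)(objectClass=*))`, a filter that still parses and may match far more than one account.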
5.2.5 Configure OATH Key attribute
The OATH Key field is the attribute you choose for storing the user's OATH key. It must be a string attribute able to hold at least 60 characters; in this guide we use "carLicense". Treat this attribute as a secret: any account that can read it can generate the user's OTPs, so before going live verify who has read access to it on your user objects, and that users cannot rewrite it themselves.
Use the browse button to browse the LDAP schema and select the attribute.
You have now configured the Database for Pledge Enrollment Services. The page should look like this:
5.3 Configure Client for Pledge Enrollment Services
As mentioned earlier, the Pledge Enrollment Services are integrated in One Time Password Server 3 but can also be installed as an external module for Tomcat or Microsoft IIS. Whichever way you install it, the Pledge Enrollment process must be defined in the One Time Password Configurator to be allowed to communicate with the One Time Password Server.
The client is of "Native" type and communicates on TCP port 3100. During the enrollment process the Pledge Enrollment Services contact the One Time Password Server as this client and, through your Pledge Enrollment Database, do their work, such as storing the OATH key.
In the left pane click "Clients" and then in the right pane click "New Native Client"
Type in a name for your Pledge Enrollment Client and the IP address of the Pledge Enrollment Service; since we use the internal service in One Time Password Server 3, this is the IP address of the One Time Password Server itself.
Choose the Pledge Enrollment Database you configured earlier as User Database.
You have now created a Client for the Pledge Enrollment Services and the Page should look like this:
5.4 Enable Pledge Enrollment Services
In the left pane click "Identity Manager & Pledge Enrollment", in the right pane enable it.
Go to the HOTP-LDAP Database for Pledge Enrollment field and choose your Pledge Enrollment Database.
Type in the Web Service Account and Password you received from Nordic Edge Support earlier.
Click "Save Config"
Start the HTTP Service
5.5 Select group for "Pledge enrollment Admins"
Pledge Enrollment lets the end-user obtain a unique Profile ID by browsing to the Pledge Enrollment server at the customer site, default URL http://<IPaddress to OTPServer>:8080/PledgeEnrollment/enroll.jsp.
Pledge Enrollment can also be restricted so that only designated administrators enroll Profile IDs for end-users, default URL http://<IPaddress to OTPServer>:8080/PledgeEnrollment/supportenroll.jsp. Both default URLs are plain HTTP on port 8080; the pages take the user's directory password and return the Profile ID, so put them behind TLS before exposing them beyond a test network.
By default these administrators are "Domain Admins", and the LDAP attribute that contains the group or role values defaults to memberOf.
This means that after installing OTPServer 3, a user who is to enroll end-users must be a member of the Active Directory group "Domain Admins" (e.g. the Administrator account). The group attribute memberOf works for Active Directory but not for other LDAP user databases; eDirectory, for example, uses the groupMembership attribute.
These settings is found in <Install folder>\NordicEdge\OTPServer3\im4otp\webapps\PledgeEnrollment\constants.jsp
In constants.jsp you will find these lines:
//For support enrollment
String groupAttributeName = "memberOf"; //The name of the LDAP attribute that contains the group or role values, memberOf for AD
String supportGroupName = "Domain Admins"; //The value that contains the support group, must be the CN value
Please note: if you are running Windows 2003 or above with Active Directory and are happy to use Domain Admins as the Pledge admin group, you can skip the rest of this chapter and continue at section 5.6. Bear in mind, though, that this makes every domain administrator able to issue Pledge profiles, which is more than most organizations want; a dedicated group is the better choice.
In this setup we let members of a group called "Pledge Admins" enroll end-users.
Open Microsoft Management Console - Active Directory Users and Computers.
Create a group called Pledge Admins
Add your users that shall be able to enroll end-users to the Pledge Admins group.
Open <Install folder>\NordicEdge\OTPServer3\im4otp\webapps\PledgeEnrollment\constants.jsp and change the
line:
String supportGroupName = "Domain Admins"; //The value that contains the support group, must be the CN value
to:
String supportGroupName = "Pledge Admins"; //The value that contains the support group, must be the CN value
Now you have configured a specific group for users with the right to enroll end-users.
Please note that it is still the user configured as Admin for the enrollment database in the OTP Configurator that needs write access to the OATH key attribute (carLicense in this setup) in order to store the OATH key during the enrollment process. Membership of Pledge Admins only controls who may use the support enrollment page.
If you are running a user database other than Active Directory, change groupAttributeName to the attribute your user database uses for group membership.
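The authorization decision described in this section ("is the logged-in user a member of supportGroupName, according to groupAttributeName?") is shown below as an added example written for this guide; it is not the product's constants.jsp logic. The directory records are constructed, and matching on the bare CN is an assumption drawn from the comment "must be the CN value" in constants.jsp.

```python
"""
Added example (not the product's constants.jsp logic): the support-enrollment
group check, driven by the two constants.jsp settings.  Directory records are
constructed; CN-only matching is an assumption taken from "must be the CN value".
"""
from typing import Dict, List

# Mirrors the two settings in constants.jsp.
GROUP_ATTRIBUTE_NAME = "memberOf"        # "groupMembership" for eDirectory
SUPPORT_GROUP_NAME = "Pledge Admins"

# Constructed directory entries: attribute name -> list of values.
SAMPLE_USERS: Dict[str, Dict[str, List[str]]] = {
    "jdoe": {"memberOf": ["CN=Domain Users,CN=Users,DC=corp,DC=example"]},
    "asmith": {"memberOf": ["CN=Pledge Admins,OU=Groups,DC=corp,DC=example",
                            "CN=Domain Users,CN=Users,DC=corp,DC=example"]},
    # eDirectory-style record: groups live in groupMembership, not memberOf.
    "bjones": {"groupMembership": ["cn=Pledge Admins,ou=Groups,o=corp"]},
}


def rdn_values(dn: str, attr: str = "cn") -> List[str]:
    """Return the values of every RDN named `attr` in a DN.
    Handles backslash-escaped separators (e.g. 'CN=Doe\\, John,OU=...') per
    RFC 4514; hex escapes such as '\\2c' are not decoded in this example."""
    parts: List[str] = []
    current = ""
    escaped = False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    values = []
    for part in parts:
        name, _, value = part.partition("=")
        if name.strip().lower() == attr.lower():
            values.append(value.strip())
    return values


def is_support_admin(user: Dict[str, List[str]],
                     group_attr: str = GROUP_ATTRIBUTE_NAME,
                     group_cn: str = SUPPORT_GROUP_NAME) -> bool:
    """True if any DN in the user's group attribute has a CN equal to group_cn.
    Attribute names and CNs are compared case-insensitively, as LDAP does."""
    values = next((v for k, v in user.items() if k.lower() == group_attr.lower()), [])
    wanted = group_cn.lower()
    return any(wanted in (cn.lower() for cn in rdn_values(dn)) for dn in values)


if __name__ == "__main__":
    for uid, entry in SAMPLE_USERS.items():
        print(uid, "may use supportenroll.jsp:", is_support_admin(entry))
    # The eDirectory user only passes once groupAttributeName is changed.
    print("bjones with groupMembership:",
          is_support_admin(SAMPLE_USERS["bjones"], group_attr="groupMembership"))
```

Two practical consequences follow from the check being CN-based: a group with the same CN anywhere else in the directory would also satisfy it, so keep the name unique; and in Active Directory memberOf lists direct memberships only (no nesting, no primary group), so add the enrollment administrators to Pledge Admins directly.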
5.6 Visit Pledge Enrollment
Click "Go to Pledge Enrollment"
If everything is configured correctly you should now see the Pledge Enrollment Web Page
The Admin Enrollment Page looks like this:
The Self Enrollment page looks like this:
You have now configured Pledge Enrollment Services
6 Test your Pledge Enrollment Services
On the Self Enrollment page, enroll as your test user jdoe.
Type in the user name and password and click "Login"
You should now see a page showing the test user jdoe's Profile ID, in this case 64647531
Open the Pledge Client on your phone. Tap the key symbol with a plus sign in the left corner. You will be asked for a "Profile ID" or "email address".
Type in the Profile ID for jdoe, in this case 64647531
If you decided to use PIN code in your earlier Pledge Factory Account Settings you will be asked to create one.
When you have created a PIN code you will enter your Pledge Profile.
Click Generate one-time password
Enter your PIN code.
Now you will see the OTP, in this case 063046.
Go back to the web page and type in your OTP.
You will receive a message saying you have succeeded.
7 What happens now?
You now have a working Pledge Enrollment Service. That means you have a Pledge profile for your company at the Nordic Edge Pledge Factory with your own logo, a PIN code policy (or none) and a TTL (Time To Live) that matches your organization's needs and processes.
The next step is to add strong authentication to the company services you want to protect.
Nordic Edge One Time Password Server supports many products, such as Citrix XenApp, Microsoft IIS, Microsoft ISA, Microsoft Outlook, Microsoft SharePoint, Novell Access Manager, Apache and IBM Lotus Notes, as well as SSL VPN and IPsec products that support RADIUS Access-Challenge, such as AppGate Security Server, the Juniper SA series, Check Point VPN-1, Palo Alto SSL VPN, Citrix Access Gateway Enterprise Edition and Cisco ASA 5500. For more information please see
http://www.nordicedge.net/products/one-time-password-server
Depending on which product you plan to secure with strong authentication, and whether it uses RADIUS or not, you create the corresponding clients for it in the OTP Configurator.
You may also want to use other authentication methods besides Pledge, e.g. SMS.
If you have any technical questions during the test or installation, please do not hesitate to contact us at
support@nordicedge.se
Best Regards,
Nordic Edge Support