Application Note: Gemalto's SA Server and OpenLDAP
Preface
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto's information. This document can be used for informational, non-commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement.
In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy. Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90 Printed in France. Document Reference: July 8, 2008
Contents
Preface ... v
  Who Should Read This Book ... v
  For More Information ... v
  Conventions ... v
  Contact Our Hotline ... vi
Overview ... 1
  Architecture ... 1
Installing the Gemalto SA Server ... 2
  Installation prerequisites ... 2
  OpenLDAP configuration ... 2
  Installing the SA Server ... 3
  Customizing the configuration ... 16
  Updating the authserver.config file ... 16
  Updating the AUTHUSER database table ... 17
List of Figures
Figure 1 : Architecture ... 1
Figure 2 : OpenLDAP configuration ... 3
Figure 3 : Modifying installer attributes ... 3
Figure 4 : Launching the SA Server install ... 4
Figure 5 : SA Server ... 4
Figure 6 : Introduction ... 5
Figure 7 : License agreement ... 5
Figure 8 : Choosing the installation type ... 6
Figure 9 : Selecting features ... 6
Figure 10 : Choosing install folder ... 7
Figure 11 : Entering the license number ... 7
Figure 12 : Choosing JVM ... 8
Figure 13 : Choosing web server ... 8
Figure 14 : HTTPS Settings ... 9
Figure 15 : Selecting HTTP port ... 10
Figure 16 : Configuring HSM ... 10
Figure 17 : Selecting Data Server Mode ... 11
Figure 18 : Database server option ... 12
Figure 19 : Selecting LDAP server option ... 12
Figure 20 : Entering LDAP server information ... 13
Figure 21 : Choosing first admin account ... 14
Figure 22 : Choosing link folder ... 14
Figure 23 : Pre-installation summary ... 15
Figure 24 : SA Server installation ... 15
Figure 25 : Finishing the installation ... 16
Figure 26 : Editing the authserver.config file ... 16
Figure 27 : Updating guid ... 17
Figure 28 : Selecting user entryuuid ... 17
Figure 29 : Database browser ... 18
Figure 30 : Registering the Database ... 19
Figure 31 : Tables tab ... 19
Figure 32 : Updating the user account ... 20
Figure 33 : Executing the statement ... 20
Figure 34 : Committing the database change ... 20
Figure 35 : Logging on to the admin portal ... 21
Figure 36 : Accessing the admin portal ... 21
Preface
The Gemalto two-factor authentication solution provides strong authentication based on smart cards for the enterprise, banking, and internet service provider (ISP) markets. This solution enables organizations to deploy strong authentication for their end users, whether local or remote. The system can service a broad range of deployments, from small corporations with fewer than 100 users to ISPs with potentially millions of users.

Who Should Read This Book
This document is intended for system administrators responsible for configuring the ISA, SA Server and SharePoint 2007 in order to use Gemalto OTP devices to authenticate mobile users with ISA 2006. Administrators should be familiar with:
- The Linux environment.
- OpenLDAP.
- The Gemalto SA Server system architecture.

For More Information
For more information on the Gemalto Strong Authentication Server, please refer to the documents available on http://www.protiva.gemalto.com.

Conventions
The following conventions are used in this document. In this manual, the following highlighting styles are used:
- Bold: Instructions, commands, file names, folder names, key names, icons, menus, menu items, field names, buttons, check boxes, tabs, registry keys and values.
- Italic: Variables that you must replace with a value, book titles, new or emphasized terms.
In this manual, hyperlinks are marked as described below.
- Internal Links: Displayed in quotation marks. When viewing this book online, click an internal link to jump to a different section of the book.
- External Links: Displayed in blue, underlined text. When viewing this book online, click an external link to launch your default browser (or email program) to navigate to that Web address or compose an email.
In this manual, notes and cautions are marked like this:
- Notes: Information that further explains a concept or instruction, tips, and tricks.
- Caution: Information that alerts you to potentially severe problems that might result in loss of data or system failure.

Contact Our Hotline
If you do not find the information you need in this manual, or if you find errors, contact the Gemalto hotline at http://support.gemalto.com/. Please note the document reference number, your job function, and the name of your company. (You will find the document reference number at the bottom of the legal notice on the inside front cover.)
Overview
The aim of this document is to illustrate the installation of the Gemalto SA Server and its integration with the OpenLDAP directory.
Caution: This document should not be considered an instruction manual on how to configure your OpenLDAP directory server.

Architecture
The architecture we installed in order to integrate the Gemalto SA Server with the OpenLDAP directory server is structured as follows:
Figure 1 : Architecture
- A Red Hat Enterprise Linux 5 server hosting the OpenLDAP directory server. You have to configure the OpenLDAP server and add a user database. In our laboratory, the domain name was linux.gem. We created two users, saroot and sasadmin, in order to install the SA Server in Mixed mode. In our laboratory, the IP address assigned to the network interface was 10.10.236.80.
- A Red Hat Enterprise Linux 5 server hosting the Gemalto SA Server. In our laboratory, the IP address assigned to the network interface was 10.10.236.81.
Installing the Gemalto SA Server

Installation prerequisites:
In order to install the Gemalto Strong Authentication Server on the Red Hat Enterprise Linux server in Mixed mode (database with LDAP), the following steps must be completed:
- Install, configure and populate the OpenLDAP server. We chose to install the OpenLDAP server on a dedicated server.
- The server that will host the SA Server must be configured to have access to the remote OpenLDAP server.
- Download, unpack and install a database browser. We installed the FlameRobin database browser; you can download the .tgz file that matches your server configuration from: http://heanet.dl.sourceforge.net/sourceforge/flamerobin/
- Copy the saserver.bin file to the hard drive of the Red Hat server.

OpenLDAP configuration:
The OpenLDAP installation and configuration steps are not documented in the following chapters. We assume you have already installed and configured it. The user database we created is summarized in the following figure.
Figure 2 : OpenLDAP configuration

Installing the SA Server:
Here are the steps of the SA Server installation:
Log on to the Red Hat Enterprise server and, in a command line console, go to the directory containing the saserver.bin file.
Enter the command chmod u+x saserver.bin to make the saserver.bin file executable.
Figure 3 : Modifying installer attributes
Enter the command ./saserver.bin to launch the installer.
Figure 4 : Launching the SA Server install
Once the extraction has finished, the following window appears.
Figure 5 : SA Server
On the Introduction window, click on Next.
Figure 6 : Introduction
On the License Agreement window, select I accept the terms of the License Agreement and click on Next.
Figure 7 : License agreement
On the Choose Install Set window, select Advanced Install and click on Next.
Figure 8 : Choosing the installation type
Verify that SAS Complete and Batch Client are selected and click on Next.
Figure 9 : Selecting features
On the Choose Install Folder window, enter the location in which you want to install the SA Server and click on Next.
Note: By default, the SA Server is installed in /opt/gemalto/saserver.
Figure 10 : Choosing install folder
On the Enter SA Server License Number window, enter your license number and click on Next.
Figure 11 : Entering the license number
On the Choose Java Virtual Machine window, select Install a Java VM specifically for this application and click on Next.
Figure 12 : Choosing JVM
On the Web Server Information window, select Install New Web Application Server (Apache Tomcat). In the SA Server Base URL field, enter a name for the base URL and click on Next.
Note: The SA Server Base URL we entered was saserver.
Figure 13 : Choosing web server
On the HTTPS Settings window, make sure that the Enable HTTPS radio button is unchecked and click on Next.
Note: We chose not to use the HTTPS protocol in order to reduce the number of configuration steps. For more information on how to enable the HTTPS protocol, please refer to the SA Server documentation.
Figure 14 : HTTPS Settings
On the Web Application Server Port window, enter the HTTP port you want to use and click on Next.
Figure 15 : Selecting HTTP port
On the HSM Information window, make sure that the Configure SA Server with HSM radio button is unchecked and then click on Next.
Figure 16 : Configuring HSM
On the Select Data Server Mode window, select Mixed Mode (DB + LDAP) and click on Next.
Figure 17 : Selecting Data Server Mode
On the Select Database Server Option window:
Under Database Server Information,
o Select Install New DB Server,
o Select Firebird in Select Database Server.
Under Database Schema Information,
o Select Create New Database,
o In Database Name, enter a name for the SA Server database,
o Enter a new password for the sysdba admin account.
Under Database Connection Information,
o Select Create New User,
o In New User Name, enter the user name,
o Enter a new password for the user account.
Click on Next.
Figure 18 : Database server option
On the Select LDAP Server Option window, select Novell eDirectory as LDAP server and click on Next.
Figure 19 : Selecting LDAP server option
On the LDAP Server Information window, enter the following information:
o In Host Name, enter the OpenLDAP server hostname or IP address,
o In Port, enter the OpenLDAP server port; by default the port number is set to 389,
o In Base DN, enter the OpenLDAP Base Distinguished Name,
o In Login DN, enter the OpenLDAP user DN,
o In Login Password, enter the password associated with the OpenLDAP user you entered,
o In User Base DN, enter the users Base DN.
Click on Next.
Note: In our laboratory, we installed the OpenLDAP server with linux.gem as Base DN. We created a user named saroot under the ou users.
Figure 20 : Entering LDAP server information
On the First Admin Account window, enter the name of the user you want to give administration rights to, and click on Next.
Note: The first admin account must exist in the OpenLDAP directory.
Figure 21 : Choosing first admin account
On the Choose Link Folder window, select In your home folder and click on Next.
Figure 22 : Choosing link folder
Click on the Install button to launch the installation.
Figure 23 : Pre-installation summary
The window shown in figure 23 shows the installation progress.
Figure 24 : SA Server installation
Once the installation is completed, the Install Complete window is shown; click on Done to close it.
Figure 25 : Finishing the installation

Customizing the configuration:
In order to integrate the OpenLDAP server with the Gemalto SA Server, a few additional steps are needed.

Updating the authserver.config file
Using a command line console, go to /opt/gemalto/saserver/authenticationserver/webapps/saserver/web-inf/classes and type vi authserver.config to edit the file.
Figure 26 : Editing the authserver.config file
In the authserver.config file, go to the User Migration section and modify the authuser.attr.guid line so that it reads authuser.attr.guid=entryuuid, as shown in figure 26. Save the change you made and close the file.
Figure 27 : Updating guid

Updating the AUTHUSER database table
The entryuuid attribute associated with the first admin user in the OpenLDAP directory is stored in ASCII. This attribute must be converted to HEX format and stored in the database. To retrieve the first admin entryuuid, use the command ldapsearch -x -H ldap://<openldap_ip-address> first_admin_username entryuuid.
Note: In our laboratory, the OpenLDAP server IP address was 10.10.236.80 and the first admin username we entered during the SA Server installation was sasadmin. In this case, the command is shown in figure 27.
Figure 28 : Selecting user entryuuid
Use a hex converter to convert the entryuuid of the first admin user from ASCII to HEX format.
Note: The sasadmin entryuuid was ad37b272-f2c7-102c-929e-47378d29715f. After conversion, the HEX code is: \61\64\33\37\62\32\37\32\2D\66\32\63\37\2D\31\30\32\63\2D\39\32\39\65\2D\34\37\33\37\38\64\32\39\37\31\35\66. Each byte of the escaped value is the hex code of one ASCII character of the entryuuid string (for example, \61 is "a" and \2D is "-").
After you convert the first admin entryuuid to the suitable format, run the FlameRobin database browser. On the FlameRobin Database Admin window, right-click on Localhost and select Register existing database.
Figure 29 : Database browser
On the Register Existing Database window, enter the following information:
o In Display name, enter a name for the connection,
o In Database path, enter the database path related to the SA Server. In our laboratory, the saserver.gdb file is located under /opt/gemalto/saserver/datastore. This path is defined during the installation process at figure 9.
o In Username, enter sysdba,
o In Password, enter the password you previously entered during the installation (figure 17),
o In Charset, select UTF8,
o Click on Save.
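The following Python script is an added example for this note, not code from Gemalto or the SA Server product: it extracts the entryUUID of the first admin user from ldapsearch (LDIF) output, checks that it is a well-formed UUID string, and produces the escaped HEX value to paste into the EXUUID field, plus the reverse conversion for checking what is already stored. The LDIF sample and the DN uid=sasadmin,ou=users,dc=linux,dc=gem are constructed; the function names are hypothetical.

```python
import re

# Constructed sample of the LDIF that `ldapsearch -x ... entryuuid` prints
# for the laboratory's first admin user (not real captured output).
SAMPLE_LDIF = """\
dn: uid=sasadmin,ou=users,dc=linux,dc=gem
entryUUID: ad37b272-f2c7-102c-929e-47378d29715f

"""

# entryUUID is a 36-character UUID string: 8-4-4-4-12 lower-case hex digits.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def entryuuid_from_ldif(ldif: str, dn_prefix: str) -> str:
    """Return the entryUUID of the entry whose DN starts with dn_prefix.

    Raises ValueError when the entry or attribute is absent, so a search
    that matched nothing cannot silently turn into an empty EXUUID value.
    """
    current_dn = None
    for line in ldif.splitlines():
        lowered = line.lower()
        if lowered.startswith("dn: "):
            current_dn = line[4:].strip()
        elif lowered.startswith("entryuuid: ") and current_dn is not None \
                and current_dn.lower().startswith(dn_prefix.lower()):
            value = line.split(":", 1)[1].strip().lower()
            if not UUID_RE.match(value):
                raise ValueError(f"entryUUID is not a UUID string: {value!r}")
            return value
    raise ValueError(f"no entryUUID found for DN starting with {dn_prefix!r}")


def to_exuuid_hex(entry_uuid: str) -> str:
    """Escape every ASCII character of the UUID string as \\XX (upper-case hex).

    The note stores the 36-character text itself, not the 16 raw UUID bytes,
    so 'a' becomes \\61, 'd' becomes \\64 and '-' becomes \\2D.
    """
    if not UUID_RE.match(entry_uuid.lower()):
        raise ValueError(f"refusing to convert a non-UUID value: {entry_uuid!r}")
    return "".join(f"\\{ord(c):02X}" for c in entry_uuid)


def from_exuuid_hex(escaped: str) -> str:
    """Inverse of to_exuuid_hex: decode \\61\\64... back to the UUID string."""
    parts = escaped.split("\\")
    if parts[0] != "" or not parts[1:] or any(len(p) != 2 for p in parts[1:]):
        raise ValueError("malformed escaped hex value")
    return bytes(int(p, 16) for p in parts[1:]).decode("ascii")


if __name__ == "__main__":
    uuid_str = entryuuid_from_ldif(SAMPLE_LDIF, "uid=sasadmin")
    print(uuid_str, "->", to_exuuid_hex(uuid_str))
```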
Figure 30 : Registering the Database
Under the Localhost tree, in Tables, right-click on AUTHUSER and click on Select from.
Figure 31 : Tables tab
In the EXUUID field, enter the entryuuid corresponding to the first admin user.
Note: The entryuuid must be in the HEX format.
Figure 32 : Updating the user account
After you update the EXUUID field, click on the button as shown below.
Figure 33 : Executing the statement
Click on the green tick to commit the transaction.
Figure 34 : Committing the database change
In order to make the previous changes effective, you have to reboot your server. You can then log on to the admin portal using the first administrator username and the OpenLDAP password associated with it.
Figure 35 : Logging on to the admin portal
You now have a working installation of SA Server and OpenLDAP.
Figure 36 : Accessing the admin portal