The specifications and information in this document are subject to change without notice.
Companies, names, and data used in examples herein are fictitious unless otherwise noted. This
document may not be copied or distributed by any means, in whole or in part, for any reason,
without the express written permission of RCDevs.
Copyright (c) 2010-2013 RCDevs SA. All rights reserved.
http://www.rcdevs.com/
WebADM and OpenOTP are trademarks of RCDevs.
All further trademarks are the property of their respective owners.
Limited Warranty
No guarantee is given for the correctness of the information contained in this document.
Please send any comments or corrections to info@rcdevs.com.
1. Introduction
2. Installing OpenOTP
1. Introduction
OpenOTP is the RCDevs user authentication solution. The OpenOTP solution is composed of a
set of server applications and components which provide secure and reliable authentication of
users to applications and online services, intranet and extranet access, secure Internet
transactions... OpenOTP relies on proven technologies and open standards such as OATH (the
initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP.
A one-time password (OTP) is a password that is only valid for a single login session or
transaction. OTPs avoid a number of shortcomings that are associated with traditional (static)
passwords. The most important shortcoming addressed by OTPs is that, in contrast to static
passwords, they are not vulnerable to replay attacks. This means that, if a potential intruder
manages to record an OTP which was already used to log into a service or to conduct a
transaction, he will not be able to abuse it, since it will no longer be valid. On the downside, OTPs
cannot be memorized by human beings. Therefore they require additional technology (a token,
a mobile application, an SMS or mail channel) in order to work.
OpenOTP provides multiple One-Time Password-based authentication methods for your LDAP
users, including:
OATH event-based (HOTP) hardware and software tokens
OATH time-based (TOTP) hardware and software tokens
OATH challenge-response (OCRA) hardware and software tokens
YubiKey hardware tokens
SMS one-time password
Mail and Secure Mail one-time password (with integrated PKI)
Pre-generated OATH OTP password lists
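As an added example (not from the RCDevs guide), the following Python computes OATH HOTP and TOTP values the way OATH tokens listed above do, and demonstrates the replay property described earlier: a verifier that advances its stored counter on each accepted code rejects the same code when it is submitted again. The secret is the RFC 4226/6238 test-vector key, used here only as constructed input; the verifier class and its look-ahead window are assumptions of this example, not OpenOTP's implementation.

```python
# Added example (not from the RCDevs guide): OATH HOTP (RFC 4226) and TOTP (RFC 6238)
# computed from scratch with the Python standard library, plus a minimal verifier that
# shows why a captured OTP cannot be replayed: once a counter value is accepted, the
# server's stored counter moves past it, so the same code is rejected on re-submission.
import hmac
import hashlib
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed for the example;
# a real token secret is provisioned by the server, e.g. via the QR code in this guide).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server-side state for one event-based token (assumed design, not OpenOTP's)."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead  # tolerate button presses that never reached the server
        self.counter = 0              # next counter value we expect

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # consume this and any skipped counters
                return True
        return False  # wrong code, or a code at/behind the stored counter (replay)


if __name__ == "__main__":
    v = HotpVerifier(RFC_TEST_SECRET)
    first = hotp(RFC_TEST_SECRET, 0)
    print("first login:", v.verify(first))   # True
    print("replayed   :", v.verify(first))   # False: counter already consumed
    print("totp@59s   :", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082
```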
The OpenOTP authentication solution is composed of the WebADM server application, the
OpenOTP SOAP/XML and JSON Web service (i.e. the OTP Authentication Server), the Radius
Bridge server (i.e. The OpenOTP RADIUS API), the User Self-Service Desk and Token Self
Registration end-user Web applications (WebApps) and the SMS Hub Server Web service.
This document is intended to provide a quick start guide for administrators who want to test and
implement RCDevs WebADM and the OpenOTP Authentication Server. The reader should note that
this document is not a guide for installing and using WebADM and its applications. Specific guides
are available through the RCDevs online documentation library at http://www.rcdevs.com/.
In this quick start guide, we will cover the following points:
1) How to install and configure your OpenOTP Authentication server in WebADM.
2) How to install and configure your OpenOTP Radius Bridge.
3) How to create a user and test the OTP authentication.
4) How to implement OTP in a PHP login page.
5) How to configure your VPN to enable OTP authentication.
The WebADM and OpenOTP Radius Bridge installation and configuration manuals are not covered
by this guide; they are documented in specific documents available through the RCDevs online
documentation.
A detailed specification of the OpenOTP features and APIs is provided in the OpenOTP Technical
Specification document, also available in the RCDevs online documentation.
2. Installing OpenOTP
2.1. Install and configure WebADM
In order to set up the RCDevs OpenOTP Server, you must have a working WebADM server installation.
This guide assumes your target system already has a running WebADM server, configured and
connected to a compatible LDAP directory.
If you do not have the proper environment in place, we recommend that you first download and run
one of the RCDevs pre-installed VMWare appliances. Please go to http://www.rcdevs.com/
downloads/ to get your VMWare appliance.
Your OpenOTP server is now installed in the /opt/webadm/websrvs/openotp/ directory and you will
need to configure the OpenOTP web service settings in WebADM (in section 3.1).
You can now install OpenOTP Radius Bridge like you did for the OpenOTP Server. Simply run the
following commands:
gunzip radiusd-1.0.x.sh.gz
Then run the installer with the commands:
chmod 755 radiusd-1.0.x.sh
./radiusd-1.0.x.sh
Your OpenOTP Radius Bridge is now installed in the /opt/radiusd/ directory and you will need to
configure Radius Bridge (in section 3.2).
The OpenOTP application is now registered but is still not fully configured. The registration created
a default configuration for your application. But some configuration changes are required for our
testing. Click the CONFIGURE button to enter the OpenOTP application configuration.
Most of the settings here are just fine to start using OpenOTP. We will only adjust the Default
Domain setting. Domains are a very important concept in WebADM. They are required by your Web
Services (e.g. OpenOTP) to know where to search for users while processing requests. Your
WebADM server should have at least one Domain already set up, and your test users must be
located in an LDAP tree below the User Search Base setting of this Domain.
You can check the Default Domain checkbox and select your existing Domain (here Default).
Once the settings are configured, click the Save button and your OpenOTP application is now
configured. All the other settings are just fine for the moment.
The OpenOTP service is now running and the SOAP API is accessible under the web service
URLs in the Applications menu.
OpenOTP Radius Bridge can be configured by editing the files in the /opt/radiusd/conf/ directory.
There is no graphical configuration for the RADIUS server. For our tests, we will keep the default
configuration. To connect a VPN server to Radius Bridge, you will need to edit the clients.conf file
to register the VPN IP address and shared RADIUS secret.
A detailed configuration manual for Radius Bridge is available through the RCDevs online
documentation. We strongly encourage you to read the manual in order to correctly set up your
VPN for use with OpenOTP.
3) Once the user is created, edit it and click the OTP Authentication Server button in the
Application Actions box.
6) Start the Google Authenticator application on your mobile phone and click the Scan button.
Scan the QR code to register a new Software Token on your mobile phone. When done, click
the Register button on the screen. The Software Token is now registered in OpenOTP.
3) Check the OTP Type checkbox and select TOKEN. If TOKEN is already the default OTP
Type, then you do not need to configure this setting.
4) Save the user settings by clicking the Apply button at the bottom of the page.
2) You didn't enter the OTP in the login form and OpenOTP has Challenged-OTP mode activated. A
new window is displayed with a message asking for your Token password. Enter the password
displayed by your Google Authenticator mobile application.
You can have a look at the Web Service Logs in the Database menu to see what happened.
Enter the username and LDAP password. You can enter the OTP password in this screen or in the
challenge screen (after pressing the Login button) like we did in our authentication test previously.
OpenOTP WSDL
This SOAP WSDL specification defines the interface explained just before.
<?xml version="1.0" encoding="UTF-8"?>
<definitions targetNamespace="http://www.rcdevs.com/wsdl/openotp/"
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="http://www.rcdevs.com/wsdl/openotp/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<message name="openotpSimpleLoginRequest">
<part name="username" type="xsd:string"/>
<part name="domain" type="xsd:string"/>
<part name="anyPassword" type="xsd:string"/>
<part name="client" type="xsd:string"/>
<part name="source" type="xsd:string"/>
<part name="settings" type="xsd:string"/>
</message>
<message name="openotpNormalLoginRequest">
<part name="username" type="xsd:string"/>
<part name="domain" type="xsd:string"/>
<part name="ldapPassword" type="xsd:string"/>
<part name="otpPassword" type="xsd:string"/>
<part name="client" type="xsd:string"/>