
PINSafe v3.3 User Manual


Contents

1. [Figure 14 form fields, recovered from the screenshot: Password; Allow self-signed certificates: No; Username attribute: sAMAccountName; PIN attribute; Password attribute; Import disabled state; Ignore FQ name changes; Mark missing users as deleted: No; Port: 389; Domain; LDAP; Synchronization schedule: Every ... at ... minutes past the hour.] Figure 14: AD Repository configuration. (Page 34 of 101, Version 3.5, PINsafe Manual.) Select the repository name from the left-hand menu and complete the form. The entries required are summarised in the table below. Host/IP: the hostname or IP address of the Domain Controller that PINsafe will connect to. Username: this needs to be a fully qualified username for a user within the Active Directory domain that has the required privileges. Password: input the password associated with the above account. Synchronisation schedule: set how often PINsafe will update its user list from Active Directory; see Appendix D, Setting Schedules and CRON Strings, for details. Username attribute: the attribute within the Active Directory repository that will form the username within PINsafe. The default is sAMAccountName; this is generally the most appropriate, as it is the username that will be used for other Windows-based authentication. Port: select the required port number. If you
2. [Figure 9 form fields: Username: fred; Password: ****.] Figure 9: Selecting MySQL5 Database. Once you have entered this information, select your chosen database from the drop-down list, then click Apply. PINsafe will now try to create the tables in the database. Check the log files to see if there are any errors. If for any reason PINsafe could not open the database, the database setting reverts to what it was, to prevent the user being locked out. If the database tables were created successfully you will see a "Database Opened" message. You can now move to the next step of the initial set-up. Setting the Database Mode. PINsafe supports two different database modes: synchronized and slave. Synchronized means that the PINsafe server will synchronize with a user repository (e.g. Active Directory) in order to create or delete accounts on the PINsafe server. A PINsafe server running in slave mode will not create or remove accounts from the database but will act as an authentication server for all the accounts that exist in the database; a slave PINsafe server relies on another PINsafe server to add and remove accounts. Configuring Slave Mode. In slave mode there is no user repository. When configuring PINsafe to use slave mode it is therefore important that the database that you have defined already has users and admin users in it. Once you select slave mode you should go to the User Admin screen to ensure that the users exist on the server. Conf
3. 5. Once this entry has been made, the transport will appear in the left-hand pane under the Transport heading. You can then configure the modem interface as required from the Transport > GSM Modem screen. 6. To configure the modem interface, select the serial port that you are going to use and set the other parameters to match those of the modem. 7. Configure the modem and connect it to the selected serial port. Notes on Modems. Swivel Secure can recommend a number of modems that we have tested with PINsafe. It is recommended that you configure the modem to a specific baud rate rather than using autobauding. You can effect this change by connecting to the modem via a terminal emulation program such as minicom (Linux) or Winterm (Windows) and typing the commands AT+IPR=9600 (for 9600 baud) and AT&W (to save the settings). The modem should respond with OK after each command. It is also recommended to use hardware handshaking. How to integrate PINsafe with an SMS Service Provider. As an alternative to using a GSM Modem, PINsafe can be configured to use an SMS service provider. To do this you need to obtain an account with an SMS provider that can deliver SMS messages to the PINsafe user base; there are a number of such providers. A transport class is required to act as an interface between PINsafe and the SMS provider: it receives messages from PINsafe and forwards them to the SMS provider in whatev
4. [Figure 49 fields: Licensed to; Licensed users; User accounts; Locked user accounts; Disabled user accounts; Active user repository; RADIUS server enabled; Server IP address: 127.0.0.1; Server hostname: ITHO00136.] Figure 49: PINsafe Status Screen. The entries for Locked and Disabled are hyperlinks to the user administration page; clicking on these links will take you to a list of all Locked accounts and all Disabled accounts respectively. On the User Administration screen locked accounts are shown in bold and disabled accounts are in italics. Figure 50: Accounts listed on User Administration screen (test10 to test13). To unlock an account, click on the account in question and then on Unlock. To enable a disabled account, click on the Policy button and uncheck the Disabled checkbox. Resetting/Resending Credentials. You can manually set a PIN to a known value if required by selecting the Reset PIN option. Alternatively you can make PINsafe create a new PIN for a user and send that new PIN to the user via their Alert Transport, if they have one configured. This is useful where a user has forgotten their PIN or lost the credentials alert message. It is recommended that the logs are checked to ensure that the new PIN message has been successfully despatched. Appendix A: Windows Installation of the Java Co
5. Integrating with 3rd Party Authentication Systems. PINsafe can be integrated with 3rd party authentication systems via its third party API. If this is required, a class needs to be developed that implements the PINsafe third party API and is interfaced to the third party authentication system. The details of developing such a class are outside the scope of this document. Assuming that this class exists, PINsafe can be configured to use the third party authentication system via this class for some or all users. To configure PINsafe to do this you need to go to the Server > Third Party Authentication screen. Enter an identifier for the authentication, the class that needs to be installed on the PINsafe server, the repository group that the users of the third party system will be associated with, and any license key required by the third party system. Once this configuration is in place the authentication process will be: 1. The Agent submits an authentication request including the credentials required by the third party system. 2. The PINsafe server checks the user's PINsafe credentials. 3. If this stage of authentication is successful and the user is a member of the repository group associated with the third party authentication class, the PINsafe server makes an authentication request to the third party system, passing the required credentials. 4. The third party class returns a success code, and if this stag
6. [Figure 16 fields: AD: CN=PINsafeAdmins,OU=Groups,DC=test,DC=local; Name; Definitions: PINsafe1, AD; Apply; Reset.] Figure 16: Repository Groups definition with Active Directory. Unlike previous versions of PINsafe, administrators of PINsafe do not have to be members of the PINsafeUsers group as long as either the Single or Dual channel option is ticked for PINsafeAdministrators. It is no longer necessary to ensure that there is at least one user in the administrators group as long as there is at least one in one repository, but if you have removed the admin user from the XML repository and this is the only other repository you must ensure that there is at least one user in the administrators group. Go to User Administration and select User Sync. This will then create PINsafe accounts associated with the Active Directory accounts, including PINsafe accounts with admin rights for Active Directory accounts that belong to the relevant group, if any. These accounts will be listed on the User Admin screen. Assuming you have created an administrator account, select it. Select RESET PIN for the account and enter a new PIN. Make a note of this PIN. It is recommended that you open a new browser window, navigate to the admin console and log on using this new administrator account before you exit the existing admin console session. For more details and advice about integration with Active Directory refer
7. Policy > PIN and OTC. [Figure 40 fields: Please enter the policies to apply to PINs; Minimum PIN size; PIN expiry (days); PIN expiry warning (days); Require PIN change after auto-setting; Require PIN change after admin reset; PINless OTC length; Maximum repeated PIN digits; Allow numerical sequences for PIN: No.] Figure 40: PIN Policy Screen. From this screen you can set the minimum PIN size, from 4 to 10 characters. You can also set a PIN expiry period. This determines how long a PIN is valid for; for example, setting this figure to 90 days will ensure that users will need to change their PIN at least every 90 days. Setting this value to 0 (zero) would mean that the PINs never expire. You can ensure that users are warned about their impending PIN expiry: setting the PIN expiry warning determines how many days in advance the users will be prompted to change their PIN. The content and delivery of the warning will depend on which alert group the user is a member of. Another PIN policy that PINsafe can implement is to require a PIN change after the user has had a PIN auto-created (e.g. via auto credential creation) or where a user has had their PIN changed by the Administrator. Where these policies are in force a user must authenticate and then change their PIN; the PINs that have been created for them will only work once. For PINless users you
8. Swivel can provide a range of samples to help support this integration, for example how to make authentication requests from within a JSP. For more details e-mail support@swivelsecure.com. How to use the custom attribute. It is possible to assign a custom attribute to a user from the User Admin screen. When a user successfully authenticates via the Agent-XML interface this custom attribute is returned. This can be used to add granularity to the access rights granted on successful authentication. When using the XML repository this custom attribute can be set manually. When using Active Directory the custom attribute can be mapped to an Active Directory attribute. Integrating using RADIUS. PINsafe can operate as a RADIUS server for working with external systems such as SSL VPNs. NB: in order to authenticate via RADIUS a user must be a member of the RADIUS users group as defined on the Repository > Groups page. How to configure PINsafe to operate as a RADIUS server. In order to integrate PINsafe with an external system, the PINsafe RADIUS server first needs to be enabled and then configured to receive authentication requests from the external systems, or Network Access Servers (NAS) in RADIUS terminology. The RADIUS server is configured by going to the RADIUS > Server config page. Enter the required configuration details and then select Apply. RADIUS > Server. Please ent
9. AcceptSecurityContext error, data 525 ... (December 2006). This indicates the username or password were not valid. 14:25:27 ERROR 192.168.0.13 admin Exception occurred during repository attribute query, object attribute defaultNamingContext, exception javax.naming.CommunicationException: 192.168.0.199:389 [Root exception is java.net.NoRouteToHostException: No route to host] (December 2006). This indicates the server could not be reached. Once you have confirmed that you can connect to the AD server you need to set up the repository groups. 4. Configure Groups. Go to Repository > Groups. Assuming you have not added new groups there will be just the two groups defined, PINsafeUsers and PINsafeAdministrators. The definitions for the AD server will be blank. Enter fully qualified domain names for the appropriate groups in the Active Directory which represent normal users and administrators. Repository > Groups. [Screen text: Please enter the repository group information to be used by the PINsafe server. This includes group privileges and Active Directory/LDAP definition. For XML repository please copy the group name into the definition. Columns: Single, Dual, Swivlet, Admin, Helpdesk, PINless. Name: PINsafeUsers (Single, Dual and Swivlet ticked); Definitions: PINsafe1: PINsafeUsers; AD: CN=PINsafe,OU=Groups,DC=test,DC=local. Name: PINsafeAdministrators; Definitions: PINsafe1: PINsafeAdministrators
10. Activating the Filter. The filter is applied to the admin console by specifying the filter/servlet relationship in the web.xml file found in the webapps/pinsafe/WEB-INF folder. In versions of PINsafe that have the filter bundled there is no need to change this file. If the filter is being used with a 3.1.x version of PINsafe then the web.xml file will need editing. The segment that needs inserting is in the web.xml fragment file and is shown below. The <filter> element describes the filter and the <filter-mapping> element applies it to the AdminLogin servlet; the fragment needs inserting at the top of the web.xml file, before the first servlet definition, as illustrated below. To activate these new settings Tomcat must be restarted. Filter in operation. When someone attempts to access any part of the admin console they are redirected to the admin log-in page. At this point the filter intercepts the request and checks whether the IP address is on the allowed list. If it is not, it returns the error code and message defined in the filter properties file. Session Sharing. PINsafe uses multicast for session sharing, therefore no IP addresses need specifying. PINsafe will use session sharing if there is a cache.xml defined under webapps/pinsafe/WEB-INF/classes. It is recommended that anyone wishing to use session sharing consults with a Swivel Technician for advice, as ther
11. Integrating with Transport Classes. A transport class is the mechanism by which a security string is delivered to the end user for dual factor authentication. The default method for this is via SMS, and PINsafe comes with a class that enables this via a GSM Modem. However, the transport class can be used to interface PINsafe with any suitable mechanism for carrying the string. PINsafe comes with a number of pre-defined transports to choose from; others are available and new ones can be developed as required. The API that a transport class needs to implement is very simple and need only consist of a single method. To use a transport class you need to configure destination attributes on PINsafe. These represent a mapping of an attribute name to its definition within the connected repositories. For example, to send security strings to a mobile phone an attribute called phone is required; this would map to phone for the local XML repository and telephoneNumber or Mobile for Active Directory. Transport > Attributes. [Screen text: Please enter the repository attributes for the transport types, e.g. Email, Mobile Phone. Name: phone; Attribute: local: phone, activeDirectory: telephoneNumber. Name: email; Attribute: local: email, activeDirectory: Mail.] Figure 20: Setting Transport Attributes. Once the attributes have been defined they can be used as part of the transport definition, as shown
12. Tomcat x.x/webapps/pinsafe/WEB-INF/conf/config.xml to a safe location. 4. Back up the PINsafe User Repository by taking a copy of Tomcat x.x/webapps/pinsafe/WEB-INF/data/repository.xml to a safe location. 5. Back up the PINsafe user data by taking a copy of everything under Tomcat x.x/webapps/pinsafe/WEB-INF/db to a safe location. 6. Back up any customized transport/user repository classes residing on the PINsafe server. 7. Rename the Tomcat x.x/webapps/pinsafe folder to Tomcat x.x/webapps/pinsafeold. 8. Copy the new pinsafe.war file to the webapps folder. 9. Start the Tomcat server (service tomcat5 start); this will deploy the PINsafe application. 10. Stop the server. 11. Copy the backed-up config.xml file from step 3 to Tomcat x.x/webapps/pinsafe/WEB-INF/conf, overwriting the installed version. 12. If you are using an XML repository, restore the backed-up copy from step 4 to Tomcat x.x/webapps/pinsafe/WEB-INF/data, overwriting the installed version. 13. If you are using an internal database, restore the database files backed up in step 5 to Tomcat x.x/webapps/pinsafe/WEB-INF/db. 14. Ensure that the ownerships and permissions on the files that you have restored are correct (for example, drwxrwxr-x 2 swivel swivel ... db). For example, to change the ownership of data, run the chown command from the WEB-INF directory: chown -R swivel:swivel db. To change the permission of data, run the chmod command from the WEB-INF director
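The backup and restore steps of the upgrade procedure (steps 3 to 5 and 11 to 14), as an added Python example; this is not Swivel's or PINsafe's own tooling. It uses the WEB-INF paths the manual names, treats a missing repository.xml as normal (an Active Directory installation has none), and builds a constructed Tomcat tree in a temporary directory to check the round trip; the file mode 0664 applied to database files is an assumption, as the manual only shows the directory listing.

```python
"""Added example (not PINsafe's or Swivel's own code): the backup and restore
steps of the upgrade procedure as a Python script. Paths are the ones the
manual names under webapps/pinsafe/WEB-INF; the demo tree is constructed."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Steps 3, 4 and 5 of the procedure: config, XML user repository, internal database.
BACKUP_ITEMS = {
    "config": Path("WEB-INF/conf/config.xml"),
    "repository": Path("WEB-INF/data/repository.xml"),
    "db": Path("WEB-INF/db"),
}


def _copy(src: Path, dst: Path) -> None:
    dst.parent.mkdir(parents=True, exist_ok=True)
    if src.is_dir():
        shutil.copytree(src, dst, dirs_exist_ok=True)   # overwrite the installed copy in place
    else:
        shutil.copy2(src, dst)


def backup_pinsafe(pinsafe_dir: Path, backup_dir: Path) -> Dict[str, Path]:
    """Copy the items to a safe location. Items that do not exist (for example
    no repository.xml when Active Directory is the repository) are skipped."""
    saved = {}
    for name, rel in BACKUP_ITEMS.items():
        src = pinsafe_dir / rel
        if src.exists():
            _copy(src, backup_dir / rel)
            saved[name] = backup_dir / rel
    return saved


def restore_pinsafe(backup_dir: Path, pinsafe_dir: Path,
                    items: Iterable[str] = ("config", "repository", "db")) -> Dict[str, Path]:
    """Steps 11 to 13: put the backed-up items over the freshly deployed copy.
    Pass items=("config", "db") for an AD repository with the internal database."""
    restored = {}
    for name in items:
        src = backup_dir / BACKUP_ITEMS[name]
        if src.exists():
            _copy(src, pinsafe_dir / BACKUP_ITEMS[name])
            restored[name] = pinsafe_dir / BACKUP_ITEMS[name]
    return restored


def fix_ownership(pinsafe_dir: Path, owner: str = "swivel", group: str = "swivel") -> None:
    """Step 14 (chown -R swivel:swivel db). Needs root, so the demo does not call it."""
    db = pinsafe_dir / BACKUP_ITEMS["db"]
    for path in [db, *db.rglob("*")]:
        shutil.chown(path, owner, group)
        # 0775 matches the drwxrwxr-x listing in the manual; 0664 for files is assumed
        os.chmod(path, 0o775 if path.is_dir() else 0o664)


def demo_round_trip() -> bool:
    """Self-check on a constructed Tomcat tree: back up, rename to pinsafeold,
    'deploy' a fresh copy, restore, and confirm the site data came back."""
    with tempfile.TemporaryDirectory() as tmp:
        webapps = Path(tmp) / "Tomcat" / "webapps"
        old = webapps / "pinsafe"
        site = {"WEB-INF/conf/config.xml": "<config>site</config>",
                "WEB-INF/data/repository.xml": "<users>site</users>",
                "WEB-INF/db/users.dat": "site-db"}
        for rel, body in site.items():
            (old / rel).parent.mkdir(parents=True, exist_ok=True)
            (old / rel).write_text(body)
        backup = Path(tmp) / "backup"
        if set(backup_pinsafe(old, backup)) != set(BACKUP_ITEMS):
            return False
        old.rename(webapps / "pinsafeold")            # step 7
        fresh = webapps / "pinsafe"                    # steps 8 and 9: new war deployed
        for rel in site:
            (fresh / rel).parent.mkdir(parents=True, exist_ok=True)
            (fresh / rel).write_text("factory-default")
        restore_pinsafe(backup, fresh)
        return all((fresh / rel).read_text() == body for rel, body in site.items())


if __name__ == "__main__":
    print("round trip ok:", demo_round_trip())
```

Run the backup before step 7 and the restore between steps 10 and 14, with Tomcat stopped; the ownership fix is kept separate because it is the only part that needs root.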
13. > General screen the email (SMTP) transport will be configured as follows. [Figure 52 fields: Identifier: SMTP; Class: com.swiveltechnologies.pinsafe.transport.SmtpTra; Strings per message; Destination attribute: mail; Repository group: NONE; Alert repository group: PINsafeUsers.] Figure 52: Simple repository groups example, transport page. On the RADIUS > NAS screen a single NAS will need to be defined as follows. [Figure 53 fields: Identifier: Nas; Hostname/IP: 192.168.0.111; Secret: ******; EAP protocol: None; Group: PINsafeUsers.] Figure 53: Simple repository groups example, RADIUS NAS page. With this set-up, to add a normal user to PINsafe you just need to add them to the PINsafeUsers group and synchronize. To create an Administrator, add a user to the PINsafeAdministrators group and synchronize. NOTE: when multiple PINsafe servers are using the same repository it is very important that either the group definitions are the same for both PINsafe servers or, if the servers are sharing the same database, that the repository is only defined on one of the PINsafe servers. Users will still be able to authenticate on the other server. More Complex AD Group and Attribute example. In this example it is assumed that PINsafe is being used to authenticate a number of different user groups in a number of different ways. In this case PINsafe is being used to authenticate access to a website and a VPN. All users can use th
14. Table of contents (excerpt; leader dots and most page numbers were garbled in extraction): Deleting a User; Logs and Alerts; SMTP email; Single Channel; Managing Users; Adding Users; Appendix A: Windows Installation of the Java Comm API (90); Appendix B: Active Directory/LDAP Groups and Attributes (91); User Attributes (91); Simple AD Group and Attribute example (92); More Complex AD Group and Attribute example (93); Appendix C: PINsafe Installation details (97); Appendix D: Setting Schedules and CRON Strings (98).
15. [Figure 12 fields: Name: PINsafeAdministrators; AD: CN=PINsafeAdmins,OU=Groups,DC=test,DC=local; Definitions: PINsafe1, AD; Apply; Reset.] Figure 12: Repository Groups definition with Active Directory. A new PINsafe installation will have 2 groups defined, PINsafeUsers and PINsafeAdministrators, representing ordinary users and administrators respectively. These two groups may be enough for basic use, but some companies may wish to have finer control over usage, in which case more groups will need to be defined. If the installation is an upgrade from PINsafe 3.2, the groups in this list will reflect the distinct groups defined in the old configuration, including any Transport, Agent or RADIUS NAS groups. There are two parts to defining a new group: defining what rights the group has, and mapping the group to user groups within the repositories. This screen defines six basic rights: Single (connect using single channel authentication); Dual (connect using dual channel authentication); Swivlet (use the Swivlet application); Admin (administer the entire PINsafe configuration); Helpdesk (administer PINsafe users); PINless (the user has no PIN, just a password). Users of previous versions of PINsafe will recognise that these are equivalent to six of the eight groups in the old Repository Groups menu. There is no longer a PINsafe users group, as members of any of the defined g
16. Table of contents (excerpt; leader dots and page numbers were garbled in extraction): Setting the Internal Database; Configuration for an external MySQL5 database; Setting the Database Mode; Configuring Slave Mode; Configuring Synchronized Mode; Integrating with User Repositories; Using Groups with User Repositories; Importing Disabled state; Ignoring Fully Qualified name changes; Marking missing users as deleted; Considerations for multiple repositories; Configuring the XML Repository; Configuring an Active Directory Repository; Configuring LDAP Directory Servers as Repositories; Other repository types; Deleting a Repository; Integrating with Transport Classes; Configuring transports in shared database PINsafe installations; How to integrate PINsafe with a GSM Modem. [A body sentence also appears in this span: To use this mode, go to the Mode > General screen and select Synchronized and ...]
17. all accounts have a password as well as a PIN associated with them. If passwords are required then, if auto credential creation is set, PINsafe will create a random password for the user. The random password will conform to the password mask. The password mask allows administrators to ensure that certain character types are included in the password in the specified order, where a = alpha, d = digit and s = special character. An example of a password conforming to the above password mask would be r4p&dl2a. Another way of using passwords with PINsafe is to use the password that the user has from their AD account or other repository type. If the Check Password with Repository option is set to true, when a user attempts to authenticate not only does PINsafe check their OTC but it also checks the password they submitted against their repository. To do this the PINsafe server must be able to connect to the user's repository. User self-reset. Policy > Self Reset. [Figure 42 fields: Please enter the policies to apply to user self reset; Allow user self reset: No; Maximum self reset tries: 3.] Figure 42: Self Reset Policy Screen. PINsafe supports a self-reset policy whereby if a user's account has been locked they can unlock it. They do this by being sent an unlock code via their alert transport; they then enter this code to authenticate. The above screen enables this feature and stipulates the maximum n
18. are using SSL for the connection between PINsafe and Active Directory you need to select port 636 and decide whether to accept self-signed certificates. If you are connecting to a multi-domain AD installation you may need to use the Global Catalogue LDAP port 3268, or its SSL equivalent 3629. PIN/Password: set the attributes within Active Directory that will form the initial values for the PIN and password. Import Disabled and Ignore FQDN: set the flags to import disabled state and ignore FQ name changes as described earlier. Mark missing users as deleted: if a user account no longer exists in the repository, do not delete the account but mark it as deleted; accounts can be re-enabled or purged from the admin console. Figure 15: AD Values. Click Apply, then go to the User Admin screen and click User Sync. At this stage we have not defined what groups within Active Directory we are interested in, so no users will be synched across. Go to the log viewer: if you have connected successfully you will see a message saying synch started and synch completed. If this was not successful you will see an error in the log, for example: 14:22:23 ERROR 192.168.0.13 admin Exception occurred during repository attribute query, object attribute defaultNamingContext, exception javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
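The two synchronisation failures the manual describes in this fragment and in fragment 9 (an AuthenticationException with LDAP error code 49 / data 525 meaning the username or password were not valid, and a CommunicationException / NoRouteToHostException meaning the server could not be reached), turned into a small log triage helper. This is an added example, not PINsafe's own log viewer; the line layout ("HH:MM:SS LEVEL source user message") and the 192.0.2.x addresses in the sample log are constructed, and the suggested actions simply point back at the Repository screen fields the manual defines.

```python
"""Added example (not PINsafe's own code): triage of Active Directory
synchronisation errors in the PINsafe log, based on the two failure cases the
manual describes. The log line layout and IP addresses below are constructed."""
import re
from typing import List, NamedTuple, Optional


class SyncDiagnosis(NamedTuple):
    timestamp: str
    cause: str
    action: str


# Manual: AuthenticationException / LDAP error code 49 / data 525 = username or
# password not valid; CommunicationException / NoRouteToHostException = server unreachable.
SIGNATURES = [
    (re.compile(r"AuthenticationException|LDAP: error code 49|data 525"),
     "bind rejected: username or password not valid",
     "check the fully qualified Username and the Password on the Repository screen"),
    (re.compile(r"CommunicationException|NoRouteToHostException|No route to host"),
     "domain controller unreachable",
     "check Host/IP and Port (389, 636 for SSL, 3268 for the Global Catalogue) and the network path"),
]

# Constructed layout: "HH:MM:SS LEVEL source user message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) (?P<src>\S+) (?P<user>\S+) (?P<msg>.*)$")


def diagnose_line(line: str) -> Optional[SyncDiagnosis]:
    """Classify one ERROR line; non-error lines return None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("level") != "ERROR":
        return None
    for pattern, cause, action in SIGNATURES:
        if pattern.search(m.group("msg")):
            return SyncDiagnosis(m.group("ts"), cause, action)
    return SyncDiagnosis(m.group("ts"), "unclassified repository error",
                         "inspect the full exception text")


def diagnose_log(text: str) -> List[SyncDiagnosis]:
    return [d for d in (diagnose_line(line) for line in text.splitlines()) if d]


def sync_completed(text: str) -> bool:
    """True when the log shows the 'synch started' / 'synch completed' pair
    the manual says to look for after a successful connection."""
    return "synch started" in text and "synch completed" in text


# Constructed sample log; the exception text mirrors the manual's examples.
SAMPLE_LOG = """\
14:22:23 ERROR 192.0.2.13 admin Exception occurred during repository attribute query, object attribute defaultNamingContext, exception javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525]
14:25:27 ERROR 192.0.2.13 admin Exception occurred during repository attribute query, object attribute defaultNamingContext, exception javax.naming.CommunicationException: 192.0.2.199:389 [Root exception is java.net.NoRouteToHostException: No route to host]
14:30:02 INFO 192.0.2.13 admin synch started
14:30:05 INFO 192.0.2.13 admin synch completed
"""

if __name__ == "__main__":
    for d in diagnose_log(SAMPLE_LOG):
        print(f"{d.timestamp}: {d.cause} -> {d.action}")
    print("sync completed:", sync_completed(SAMPLE_LOG))
```

The credential signature is tested first because a bind failure can also surface a partial connection message; an error line matching neither signature is still reported rather than silently dropped.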
19. available. Setting this value is recommended as it will allow users who have navigated directly to the login page to access the protected resource. A path that causes the cookie to be deleted and authentication to be required on any subsequent request; this must be a path protected by the IIS filter. The virtual web path for the IIS filter authentication pages. Figure 24: Screenshot of IIS filter installation (Computer Management window showing Default Web Site Properties > ISAPI Filters, with the filter "pinsafe" listed as Status: Loaded, Executable: PINsafeIISFilter.dll, Priority: High; filters installed here are active for this web site only and are executed in the order listed). Once the filter has been configured it can be applied to the web site. In the Control Panel select Administrative Tools, then Internet Information Services. Navigate to the default web site (assuming t
20. can set a policy of how long the one-time code should be. This is set to 6 as a default but can be from 4 to 8 digits. For PINs you can also set policies on what PINs are valid. There are two optional policies that can be enforced. Maximum repeated digits: this indicates the maximum number of repeated digits that are allowed in the PIN. This allows the administrator to define what PINs are valid; e.g. it allows them to enforce a no-repeated-digits policy. Allow series: this sets whether ascending or descending arithmetic series are allowed as PINs. For example, not allowing such series would prevent 1234, 2468, 6543 etc. from being set as PIN numbers. Administrators should be aware that enforcing these policies does reduce the number of possible valid PIN combinations, and if they wish to enforce them all they may wish to consider increasing the PIN length. These policies are enforced when users set their own PINs via the change PIN function and also when PINs are generated by PINsafe. An administrator can override these policies and manually set any PIN number. Password Policies. Policy > Password. [Figure 41 fields: Please enter the policies to apply to passwords; Require password: No; Password mask: adsxxx; Check Password with Repository: No.] Figure 41: Password Policy Screen. Passwords are an optional part of the PINsafe authentication model. If required, the Administrator can ensure that
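The PIN rules described above (minimum size 4 to 10, maximum repeated digits, no ascending or descending arithmetic series) and the password mask described under Password Policies and in fragment 17 (a = alpha, d = digit, s = special), as an added Python example; this is not PINsafe's own code, and the rule semantics are modelled from the manual's wording. Three details are assumptions: the mask character x is taken to mean "any character", the set of special characters is chosen here, and "repeated digits" is counted as the number of digits that duplicate an earlier digit in the PIN. The generator functions apply the same rules to auto-created PINs and passwords, as the manual says PINsafe does.

```python
"""Added example (not PINsafe's own code): PIN and password policy checks
modelled on the manual's description. Assumptions are marked in comments."""
import random
import string
from dataclasses import dataclass
from typing import List, Optional

# Character classes for the password mask. 'a', 'd' and 's' are from the manual;
# 'x' meaning "any character" and the exact special-character set are assumptions.
SPECIAL_CHARS = "!$%&*+-=?@^_~"
MASK_CLASSES = {
    "a": string.ascii_letters,
    "d": string.digits,
    "s": SPECIAL_CHARS,
    "x": string.ascii_letters + string.digits + SPECIAL_CHARS,
}


@dataclass
class PinPolicy:
    min_length: int = 4                        # manual: minimum PIN size 4 to 10
    max_length: int = 10
    max_repeated_digits: Optional[int] = None  # None = policy not enforced
    allow_series: bool = True                  # the "Allow series" setting


def repeated_digit_count(pin: str) -> int:
    """Digits that repeat an earlier digit: '1123' -> 1, '1111' -> 3.
    (Assumed reading of 'maximum repeated digits'.)"""
    return len(pin) - len(set(pin))


def is_arithmetic_series(pin: str) -> bool:
    """True for ascending or descending series such as 1234, 2468, 6543."""
    if len(pin) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and 0 not in steps   # one constant, non-zero step


def pin_violations(pin: str, policy: PinPolicy) -> List[str]:
    """Return the rules the PIN breaks; an empty list means the PIN is acceptable."""
    if not (pin.isascii() and pin.isdigit()):
        return ["digits only"]
    problems = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append("length")
    if (policy.max_repeated_digits is not None
            and repeated_digit_count(pin) > policy.max_repeated_digits):
        problems.append("repeated digits")
    if not policy.allow_series and is_arithmetic_series(pin):
        problems.append("series")
    return problems


def generate_pin(length: int, policy: PinPolicy, rng: Optional[random.Random] = None) -> str:
    """Draw random PINs until one satisfies the policy, as an auto-created PIN must.
    A tight policy on a long PIN shrinks the valid space, hence the attempt cap."""
    rng = rng or random.SystemRandom()
    for _ in range(10_000):
        candidate = "".join(rng.choice(string.digits) for _ in range(length))
        if not pin_violations(candidate, policy):
            return candidate
    raise ValueError("policy too strict for the requested PIN length")


def password_matches_mask(password: str, mask: str) -> bool:
    """Check a password position by position against a mask such as 'adsxxx'."""
    if any(m not in MASK_CLASSES for m in mask):
        raise ValueError("mask may only contain a, d, s or x")
    if len(password) != len(mask):
        return False
    return all(ch in MASK_CLASSES[m] for ch, m in zip(password, mask))


def generate_password(mask: str, rng: Optional[random.Random] = None) -> str:
    """Random password conforming to the mask, as auto credential creation would produce."""
    rng = rng or random.SystemRandom()
    return "".join(rng.choice(MASK_CLASSES[m]) for m in mask)


if __name__ == "__main__":
    strict = PinPolicy(max_repeated_digits=0, allow_series=False)
    for pin in ("1234", "6543", "1122", "1375"):
        print(pin, pin_violations(pin, strict) or "ok")
    print("generated PIN:", generate_pin(6, strict))
    print("generated password:", generate_password("adsxxx"))
```

The PIN functions use the system's secure random source by default; the `rng` parameter exists only so a seeded generator can be passed in for repeatable testing.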
21. definition. For XML repository please copy the group name into the definition. [Figure 47 fields: columns Single, Dual, Swivlet, Admin, Helpdesk, PINless. Name: PINsafeUsers (Single, Dual and Swivlet ticked); Definitions: ithooo140: PINsafeUsers; LDAP: cn=vpnsslusers,ou=group,dc=banquecramer,dc=ct. Name: PINsafeAdministrators; Definitions: ithooo140: PINsafeAdministrators; LDAP: cn=vpnssladmins,ou=group,dc=banquecramer,dc=... Name; Definitions: ith000140; LDAP; Apply; Reset.] Figure 47: Simple Active Directory Group Structure. In addition you can specify that one or more groups of users will operate PINlessly. To implement this, simply make sure that the PINless box is checked for the appropriate group(s). Allocating Users to Transports. Users need to be associated with transport classes for the delivery of security strings and for system alerts (e.g. notification of PIN). The Transport > General screen shows which groups are associated with which transports. It also shows the destination attribute; therefore the Administrator needs to ensure that this attribute is set for the user. [Figure 48 fields: Identifier: GSM Modem; Class: com.swiveltechnologies.pinsafe.transport.GsmTran; Strings per message; Destination attribute: phone; Repository group: GSMModemUsers; Alert repository group: GSMModemUsers.] Figure 48: Screen showing AD groups associated with GSM Modem transpo
22. disabled, but at the very least it is strongly recommended that the PIN is changed. It is not normally necessary to modify the configuration of the XML repository, except possibly to change the synchronisation schedule, but the details for doing so are given here. Select Repository and then the name of the XML repository, which should be the name of the PINsafe server. The configuration screen should look like this. Repository > ptest. [Figure 13 fields: Please enter the details for the XML repository; Username attribute: username; PIN attribute: pin; Password attribute: password; Synchronization schedule: Every hour at 0 minutes past the hour.] Figure 13: XML Repository configuration. Username, initial PIN and initial password are provided for compatibility with other repositories, but there is little point in changing these. It may well be worthwhile, however, changing or removing the synchronization schedule. Since XML repository users can be added and edited within the administration console, it is easy to synchronize the repository manually after making changes. Having an automatic synchronization therefore serves little purpose. To remove it, set the schedule to never. Configuring an Active Directory Repository. Swivel provides a class for the integration of PINsafe with an Active Directory. This class acts as an interface between PINsafe and the external Active Di
23. for multi-office installation. Another application of this is to support the inter-working of different user repositories, although this configuration is deprecated by Version 3.3's ability to connect to multiple repositories. One PINsafe server can be configured to work with Active Directory, another to work with the XML repository. The two servers can be configured as peers so that a user from either user repository can authenticate to a VPN or web application authenticating via either PINsafe server. Figure 31: Example of peering for multi-repository installation (Active Directory; proxied request for XML user from AD PINsafe). It is possible to deploy both these servers on the same PINsafe appliance, thus avoiding increased hardware costs. To implement peering, each PINsafe peer must know the IP address, context and port details of every other PINsafe server in the peering network. Each PINsafe server also has a shared secret used for authentication: to make authentication requests, the requesting server must present the shared secret to authenticate itself to its peer. To set up this relationship, enter the details on the Server > Peers screen on each PINsafe server. Using the London/New York example, on the London PINsafe server the following would be entered. Server > Peers. Please enter the details for any peer PINsafe servers below. P
24. in the table below.

Identifier: A name for the transport. This is especially important where multiple PINsafe servers are sharing a database (see below).
Class: The class that implements this interface.
Strings per Message: For some transports you may wish to configure them to send multiple security strings within the same message. You can specify this here.
Destination Attribute: This is the attribute within the repository that will be used as the destination for the user. This will be one of the previously defined transport attributes.
Repository Group: The group in the repository that users will be a member of in order to use this transport to send their security strings.
Alert Repository Group: The group in the repository that users will be a member of in order to use this transport to send alert messages to.

Configuring transports in shared database PINsafe installations

When a repository is synchronised with PINsafe, the PINsafe database stores the name of the transport that the user has been allocated. Where you have multiple PINsafe servers connecting to the same database, it is important that the transport configurations are consistent across the servers. The easiest approach is to ensure that the configuration is identical; however, this is not the only approach, and some extra resilience can be achieved. For example, you can have two PINsafe servers, one that uses a GSM modem to send SMS
25. messages and another that is part of the same installation that uses an SMS provider. To achieve this you would need to configure a transport called SMS on both servers and associate that transport with the same groups on both servers. However, on one server the class would be the GSM Modem class and on the other server it would be the class associated with the SMS provider.

NB: You can only use transports that use the same destination attribute.

NB: You need to configure transports on PINsafe servers that are operating in Slave mode, even though they do not have a repository. The group definitions entered on the transport general screen are not important, but the transports still need to be configured.

How to integrate PINsafe with a GSM Modem

PINsafe supplies a transport class that allows PINsafe to send text messages via an AT-compatible GSM modem. The GSM modem obviously needs a valid SIM card and GSM coverage. The transport class operates the modem by sending AT modem commands via the serial port. Therefore, before configuring the PINsafe server, an AT-compatible modem needs to be connected to the serial port.

To configure the PINsafe server to use the modem:
1. Go to the Transport > General tab.
2. Ensure that the modem class details are entered on the screen as shown below.
3. Enter a repository group name for the class, e.g. modem if you are using the XML repository.
4. Click Apply.
26. re-provision the accounts and allocate those users new PINs.

Since version 3.5 it is now possible to not automatically delete users that are missing from the repository. If this option is chosen, the missing account will not be deleted but merely disabled. If in subsequent jobs the account re-appears (the error being rectified), the account is re-enabled without the user needing to be assigned a new PIN. If there is a requirement to delete the account, it can be purged from the User List screen on the admin console.

Considerations for multiple repositories

PINsafe has the ability to support multiple repositories. If you are planning on using multiple repositories you should be aware that usernames must be unique across all repositories. For example, it is not possible to have a user called admin in the XML repository and one also called admin in an Active Directory repository. If you are not going to be using the XML repository, it is advisable to remove all users from it, both from the point of view of security and of simplifying synchronization of the Active Directory. If it is going to be difficult to guarantee uniqueness of username across multiple repositories, it might be advisable to use email address, for example, as the login name instead.

Configuring the XML Repository

A new installation of PINsafe has a single repository based on an XML file. It starts with a single user, admin, with a PIN of 1234. This user can be removed or
27. redirected once they have successfully changed their PIN; this is an optional setting.

You should now be able to use the Change PIN application. Go to http://<ipaddress>:8080/changepin. The Change PIN form will be displayed.

[Figure 23: Change PIN screen shot. Fields: Username, OTC, New OTC, Confirm new OTC; button: Start Session.]

Enter a username and select Start Session. If the user is configured as a single channel user then a TURing image will be displayed. Alternatively, if the user is a dual channel user they may already have been sent a security string via SMS. To change their PIN the user must enter their one time code based on their current PIN and then their new one time code. Therefore, in the above example, if the user has a PIN of 2378 that they wish to change to 9243, they would enter 0932 in the OTC box and 1089 in the New OTC and Confirm new OTC boxes. To change their PIN the user would then select Change PIN.

PIN change successful. Please wait while you are redirected. If your browser doesn't automatically redirect, click here to continue.

At which point they will be redirected to the defined redirect page, if one was defined. If you check the PINsafe logs you should also see the corresponding entries:

16:52:01 03 January 2007   INFO   192.168.0.13 changepin: Change PIN successful for user testi
16:51:47 03 January 2007   INFO   192.168.0.13 change
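The Change PIN figures above (PIN 2378 giving OTC 0932, new PIN 9243 giving 1089) worked through in code, which also covers the OTC extraction step referred to in the single channel VPN section. This is an added example, not code from the PINsafe manual or from Swivel; it assumes the positional extraction scheme (each PIN digit selects a position 1 to 10 in a ten-character security string, 0 meaning the tenth position), which the manual does not spell out, and the security string "5098643217" is constructed to reproduce the manual's numbers.

```python
"""Worked PINsafe-style one-time-code (OTC) extraction for the Change PIN example.

Added example; not code from the PINsafe manual or from Swivel. Assumption:
each PIN digit selects one position (1-10) in a ten-character security string,
with the digit 0 selecting the tenth position. SECURITY_STRING is constructed
so that PIN 2378 yields 0932 and PIN 9243 yields 1089, as in the manual.
"""


def extract_otc(pin, security_string):
    """Return the OTC: for each PIN digit, the character at that position of the string."""
    if len(security_string) != 10:
        raise ValueError("security string must be exactly 10 characters")
    if not (pin.isdigit() and 1 <= len(pin) <= 10):
        raise ValueError("PIN must be 1-10 digits")
    positions = [10 if digit == "0" else int(digit) for digit in pin]
    return "".join(security_string[p - 1] for p in positions)


def change_pin_codes(current_pin, new_pin, security_string):
    """The two codes the user types into the Change PIN form: OTC and New OTC."""
    return extract_otc(current_pin, security_string), extract_otc(new_pin, security_string)


def verify_change_pin(stored_pin, security_string, otc, new_otc, confirm_new_otc):
    """Server-side view of the same exchange (illustrative, not Swivel's implementation).

    Checks the OTC against the stored PIN and recovers the new PIN from New OTC.
    Returns the new PIN, or None when the request must be rejected.
    """
    # A wrong OTC is a failed attempt and would count towards "Maximum login tries".
    if otc != extract_otc(stored_pin, security_string):
        return None
    if new_otc != confirm_new_otc:
        return None
    # Each New OTC character must occur at exactly one position of the string,
    # otherwise the new PIN cannot be recovered unambiguously.
    new_pin = ""
    for ch in new_otc:
        hits = [i for i, c in enumerate(security_string, start=1) if c == ch]
        if len(hits) != 1:
            return None
        new_pin += "0" if hits[0] == 10 else str(hits[0])
    return new_pin


# Constructed security string consistent with the manual's figures (see docstring).
SECURITY_STRING = "5098643217"

if __name__ == "__main__":
    otc, new_otc = change_pin_codes("2378", "9243", SECURITY_STRING)
    print(f"OTC: {otc}, New OTC: {new_otc}")  # OTC: 0932, New OTC: 1089
    print("recovered new PIN:", verify_change_pin("2378", SECURITY_STRING, otc, new_otc, new_otc))
```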
28. required.

Performance
  Internal database: Local database means good performance.
  External database: Performance needs to be considered, but PINsafe is not a particularly database intensive application.
Availability
  Internal database: Availability determined by the server it is deployed on.
  External database: Availability can be improved by using database clustering technologies.
  Internal database: Difficult to back up database, therefore not easy to support site resilience.
  External database: External database easier to back up and replicate.
Security
  Internal database: Internal and encrypted; all sensitive data is encrypted.
  External database: Encrypted database drivers can also be used.

It is assumed that an external database will be more appropriate to larger multi-site installations, and the internal database for use for single site installations.

Username Case Sensitivity

You can select whether usernames are case sensitive or not. You may need to set usernames to be case insensitive if that is what the users are used to. When user names are not case sensitive, a user with a username of Chris can authenticate as Chris, chris, chrIS etc.

NOTE: Case sensitivity is also affected by settings in your database if you use an external database. If you require case sensitive passwords you also need to ensure that your database is set to be case sensitive.

Setting the Internal Database

To use PINsafe's internal database, go to the Database menu, select Internal from the drop down menu, then click Apply. There may be a slight delay as PINsafe creates th
29. to account PIN management, for example PIN length and PIN validity periods.

There are two modes of operation for PINsafe, standard and PINless; these two modes are explained below.

Standard: Users are assigned a PIN. They are sent a random security string and use their PIN to extract a one time code.
PINless: Users do not have a PIN; they are sent a random one time code which they enter to authenticate.

Both modes can be supported on a PINsafe server. Group memberships are used to define which mode a user uses. To make a group PINless, check the PINless property for the group in the Repository > Groups page.

[Figure 37: Groups screen showing PINless user group. Screen Repository > Groups: "Please enter the repository group information to be used by the PINsafe server. This includes group privileges and Active Directory/LDAP definition. For XML repository please copy the group name into the definition." Columns: Name, Definitions (ith000140, LDAP), Single, Dual, Swivlet, Admin, Helpdesk, PINless. Rows: PINsafeUsers (LDAP cn=PINsafeUsers,dc=test,dc=local); PINsafeAdministrators (LDAP cn=PINsafeAdmins,dc=test,dc=local); PINlessUsers (LDAP cn=PINlessUsers,dc=test,dc=local).]

Some policies
30. to section on Integrating with User Repositories.

The server is now configured to pull in user information from the Active Directory. There are two ways of instigating the pull of this data:

Manually: By going to the User Administration screen and selecting User Sync.
Automatically: The schedule for a given repository is set on the configuration screen for that repository, as described above.

After you have synchronised with the AD repository you should see the accounts that have been created in the User Administration screen. Remember to reset the PIN on any new admin accounts that you have created, if they are not created automatically.

Configuring LDAP Directory Servers as Repositories

Swivel provides a class for the integration of PINsafe with LDAP directory servers. This has been tested for use with OpenLDAP, Sun Directory Server, Novell eDirectory and IBM Tivoli Directory Server, and will probably work with most other LDAP-compatible repositories that implement group membership according to the LDAP recommendations (RFC 2256).

To set up PINsafe to integrate with an LDAP repository:
3. Set up the required groups within LDAP and add users to those groups. See Appendix B, Active Directory/LDAP Groups and Attributes.
4. Add the LDAP server as a repository on PINsafe.
5. Configure the interface between PINsafe and LDAP.
6. Configure the group definitions for the repository.
7. Synchronise the
31. version="1.0" encoding="UTF-8"?>
    <!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
    <properties version="1.0">
      <entry key="anyone">0/0</entry>
      <entry key="localhost">127.0.0.1/255.255.255.255</entry>
    </properties>

The default configured ranges are named anyone and localhost and represent access from any IP address and localhost only, respectively. An address range is specified as an IP address followed optionally by a mask. The mask can be a single integer representing the number of significant address bits that must match for access to be allowed, or it can be an IP-style dotted decimal. Both styles are present in the default file, but further examples are shown below.

IP Range: Meaning
0/0 or 123.123.123.123/0: A /0 mask means that no bits need to match in the address. This allows access from all IP addresses.
127.0.0.1/32 or 127.0.0.1/255.255.255.255: A /32 mask means all 32 bits must match. The equivalent dotted decimal is 127.0.0.1/255.255.255.255. Specifying no mask is the same as specifying a /32 mask.
192.168.0.0/24 or 192.168.0.0/255.255.255.0: Access will be allowed from any address on the 192.168.0 subnet.

The default entries allow access from all IP addresses. Removing the entry for anyone will restrict access to localhost. Further ranges can be added to ease administration. All ranges should have a unique name.
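The ranges.xml mask rules above, applied in code so an administrator can check which entries would admit a given client address before restarting TOMCAT. This is an added example, not code from the PINsafe manual or Swivel's filter; it assumes the file is the standard java.util.Properties XML format (hence the DOCTYPE), that an address with fewer than four octets such as the default "0" is padded with zero octets, and the locked-down variant with an "admins" entry is constructed here.

```python
"""Evaluate PINsafe-style ranges.xml entries against a client IP address.

Added example; not from the PINsafe manual or Swivel's code. Assumptions:
a mask is either a bit count ("24") or dotted decimal ("255.255.255.0"),
no mask means /32, and an address with fewer than four octets (the default
entry "0") is padded with zero octets.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the default ranges.xml described in the manual.
DEFAULT_RANGES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties version="1.0">
<entry key="anyone">0/0</entry>
<entry key="localhost">127.0.0.1/255.255.255.255</entry>
</properties>
"""

# Constructed locked-down variant: "anyone" removed, one admin subnet added.
LOCKED_DOWN_RANGES_XML = DEFAULT_RANGES_XML.replace(
    '<entry key="anyone">0/0</entry>\n',
    '<entry key="admins">192.168.0.0/24</entry>\n',
)


def _ip_to_int(text, pad=False):
    """Dotted address to a 32-bit int; with pad=True, 1-3 octets are padded with zeros."""
    octets = text.split(".")
    if len(octets) != 4 and not (pad and 1 <= len(octets) <= 4):
        raise ValueError(f"bad address: {text!r}")
    octets += ["0"] * (4 - len(octets))
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"bad octet in address: {text!r}")
        value = (value << 8) | n
    return value


def _mask_to_int(text):
    """Bit-count mask ("24") or dotted-decimal mask ("255.255.255.0") to a 32-bit int."""
    if "." in text:
        return _ip_to_int(text)
    bits = int(text)
    if not 0 <= bits <= 32:
        raise ValueError(f"bad mask: {text!r}")
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def parse_range(spec):
    """Parse "address[/mask]" into (network, mask) ints; no mask means /32."""
    address, _, mask = spec.partition("/")
    mask_int = _mask_to_int(mask) if mask else 0xFFFFFFFF
    return _ip_to_int(address, pad=True) & mask_int, mask_int


def load_ranges(xml_text):
    """Return {name: (network, mask)} from the XML properties file, in file order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {e.attrib["key"]: parse_range(e.text.strip()) for e in root.iter("entry")}


def matching_ranges(ranges, client_ip):
    """Names of every range that admits client_ip; an empty list means access is denied."""
    client = _ip_to_int(client_ip)
    return [name for name, (net, mask) in ranges.items() if client & mask == net]


def is_allowed(ranges, client_ip):
    return bool(matching_ranges(ranges, client_ip))


if __name__ == "__main__":
    default = load_ranges(DEFAULT_RANGES_XML)
    locked = load_ranges(LOCKED_DOWN_RANGES_XML)
    for ip in ("127.0.0.1", "192.168.0.42", "10.1.2.3"):
        print(f"{ip:>14}  default: {matching_ranges(default, ip)}  locked: {matching_ranges(locked, ip)}")
```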
32. Document Version history

    3.1.4.1        18 October 2006
    3.1.4.2        19 October 2006    RADIUS and IP table advice added
    3.2            31 Jan 2007        Manual for PINsafe version 3.2
    3.3            12 July 2007       Manual for PINsafe version 3.3
    3.3 Update 1   19 Nov 2007        3.3 Update 1
    3.4            28 April 2008      Manual for PINsafe Version 3.4
    3.5            20 October 2009    Manual for Version 3.5
33. Configuring the filter

The filter configuration is controlled by two files found in the WEB-INF folder:

filter.properties: Determines the way the filter behaves when access is denied or granted.
ranges.xml: List of IP ranges that can access the Admin Console.

These files are read as TOMCAT initializes the filter; therefore changes to these files will only take effect after TOMCAT has been restarted.

Editing filter.properties

The default filter.properties file is shown below. The entries are as follows:

ALLOWED: Message written to TOMCAT console with request IP address when the filter allows access. Default: commented out (filter is silent).
DENIED: Message written to TOMCAT console with request IP address when the filter denies access. Default: commented out (filter is silent).
ERROR: Message reported back to browser when access is denied. If not set, no response is sent and the browser will eventually time out. Default: Access Denied - Page Not Found.
FILTERING: Message written to TOMCAT console followed by address ranges as TOMCAT initializes the filter. Default: commented out (filter is silent).
STATUS: The http status code reported back when access is denied. This should match the error message. Default: 404.

Editing ranges.xml

The ranges.xml file holds the list of IP addresses that are allowed to access the admin console. The default ranges.xml file is shown below.

<?xml
34. 68.0.13 admin: Exception occurred during repository attribute query, object attribute defaultNamingContext, exception javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, ece] (20 December 2006, ERROR). Indicates the username or password were not valid.

14:25:27 20 December 2006   ERROR   192.168.0.13 admin: Exception occurred during repository attribute query, object attribute defaultNamingContext, exception javax.naming.CommunicationException: 192.168.0.199:389 [Root exception is java.net.NoRouteToHostException: No route to host]. Indicates the server could not be reached.

Once you have confirmed that you can connect to the LDAP server you need to set up the repository groups.

4. Configure Groups

Go to Repository > Groups. Assuming you have not added new groups, there will be just the two groups defined, PINsafeUsers and PINsafeAdministrators. The definitions for the LDAP server will be blank. Enter fully qualified domain names for the appropriate groups in the LDAP Directory which represent normal users and administrators.

[Repository > Groups screen: "Please enter the repository group information to be used by the PINsafe server. This includes group privileges and Active Directory/LDAP definition. For XML repository please copy the group name into the definition." Columns: Single, Dual, Swivlet, Admin, Helpdesk, PINl
35. AS will use a secure RADIUS EAP protocol from the drop down list; the options are LEAP and EAP-MD5.

[Figure 26: NAS configuration screen. RADIUS > NAS: "Please enter the details for any RADIUS network access servers ... server via the RADIUS interface." Identifier: NAS; Hostname/IP: 192.168.0.11; Secret: (hidden); EAP protocol: None; Group: ANY.]

For authentication requests to be processed by PINsafe they need to come from the IP address specified in the NAS configuration, the shared secret needs to match that specified in the NAS configuration, and they must be sent to the IP address specified in the PINsafe Server Configuration.

How to integrate a VPN with PINsafe using RADIUS

In order to configure a VPN to use PINsafe for authentication, the VPN needs to be configured to make authentication requests against the PINsafe server. The method for doing this depends on the VPN concerned, so you need to consult the relevant documentation for the specific VPN. Swivel Secure will be able to provide you with specific instructions for a range of VPNs.

The basis of the configuration is to ensure that:
1. The VPN server sends authentication requests to the IP address and port number on which the PINsafe RADIUS server is operating.
2. The VPN server has its shared secret (and realm, if specified) set to match that on the NAS configuration screen.

This is
36. Alert Repository Group: SC Users
For a GSM Modem or SMS provider: Destination attribute: telephoneNumber; Alert Repository Group: DC Users

To restrict website access to only those users that are in the WEB Users group, the agent associated with the website would include the following entry: Group: WEB Users.

Despite the variety of user types, users can for the most part be added to PINsafe just by making them a member of the appropriate AD group. The only exception is that users that need to be able to access via the website need to be added to the WEB Users group as well as either the Single Channel or Dual Channel group.

Appendix C: PINsafe Installation details

General
  Date of Install:
  Installation company name:
  Engineer's name:
  Customer Contact (inc. email, phone):

PINsafe Server Details
  Appliance: Yes / No
  Appliance serial number(s):
  High Availability: Yes / No
  License Installed: Yes / No
  PINsafe version:
  OS:
  IP Address:
  Default gateway:
  DNS:
  Language: English
  RADIUS: Yes / No
  Change PIN: Yes / No
  User self reset: Yes / No
  PINsafe Backup details:

Support Arrangements
  Hardware:
  OS:
  Software:

Customer Sign off
The installation has been completed to my satisfaction in accordance with the details given above. I understand the level of support I am entitled to as explained above.
  Signature:
  Date:
  Name:
  On behalf of (company):

Appendix D: Se
37. In order to configure users to use this transport to receive their security strings, users need to be members of the appropriate repository group. If you are using the XML repository you can effect this by going to the User Administration screen, selecting a user and selecting smsUser as their transport group.

Integrating via SMTP

Integrating with e-mail is a special case for integration. This is because PINsafe requires integration with an e-mail server to send e-mail alarm messages. Therefore the actual integration details, such as mail server IP address, are specified in the Server > SMTP screen. See SMTP email Logging.

Integrating with Agents using Agent-XML

An agent is a piece of software residing outside the PINsafe platform but which communicates with the PINsafe platform to manage authentication. There are a number of ready-made agents available, and new agents can generally be created very easily. Agents communicate with PINsafe via the Agent-XML interface. This section covers how PINsafe can be integrated with agents to support using PINsafe with external applications such as websites. Any external application that needs to use the Admin API (new in Version 3.4) needs to be defined as an agent on PINsafe.

How to integrate PINsafe with an external agent

The PINsafe server will only service authentication requests from trusted agents. The configuration of PINsafe to work with an ext
38. SWIVEL AUTHENTICATION YOU CAN IDENTIFY WITH

PINsafe Manual
Version 3.5
Last Revision October 2008
Page 1 of 101, Version 3.5 PINsafe Manual

Contents
PINsafe 3.5 for users of earlier PINsafe versions
Improved User Admin Screen
Protecting the PINsafe Admin Console
Setting the PINsafe Database
39. Integration

The integration tasks for PINsafe depend on the specifics of the installation and the technology with which PINsafe is required to operate. There are a number of potential integration points, including:

User Repository: PINsafe comes with its own user repository, but it can also be configured to work with an external user repository such as Active Directory.
Agents: Agents are the integration points between PINsafe and what it is that PINsafe is being used to protect. Agents use PINsafe's Agent-XML API to integrate with PINsafe.
RADIUS: PINsafe can also act as a RADIUS server, so an alternative method of integration is to configure PINsafe to accept authentication requests from a RADIUS NAS client.
Third Party Authentication: PINsafe is an open authentication platform, in that it can be used in conjunction with other authentication technologies. PINsafe has a third party API to support this interaction.
Transport: PINsafe sends security strings to end users via a transport layer implemented by a transport class. Different classes allow for security strings to be sent via different methods, e.g. SMTP, SMS. Transport classes can also be configured to send alert information to users, e.g. to inform them that their PINsafe account has been created.
Logs: PINsafe can be configured to send logs to external systems, including syslog and SMTP.

These integration points are described
40. each repository.

Standard functionality is defined by setting the checkboxes for the group:
- Single: connect using single channel authentication
- Dual: connect using dual channel authentication
- Swivlet: use the Swivlet application
- Admin: administer the entire PINsafe configuration
- Helpdesk: administer PINsafe users
- PINless: user has no PIN, just a password

For users of previous versions of PINsafe, these represent 6 of the 8 standard groups previously defined. There is no equivalent of the PINsafe users group, as a member of any of the defined groups is by definition a PINsafe user. The RADIUS group is also unnecessary, as in order to be a RADIUS user a user must be a member of a NAS group.

To define additional functionality, a group must be selected on the appropriate agent, transport class, third party authentication or NAS. The groups on these forms are now drop down boxes showing all defined groups, so you must add a group on the Repository > Groups page to correspond to the required functionality. For this reason it is possible to define a group but not tick any of the boxes.

To associate a repository group with a PINsafe group you must enter something in the definition field for each repository. For the XML repository, simply copy the group name into the definition field. For Active Directory or LDAP you will need to enter the fully qualified domain name (FQDN) for t
41. all the configuration that is required for use with a VPN. If a TURing image is being used and you require the TURing image to be integrated into the VPN log-on page, the log-on page needs modification.

How to use single channel with a VPN

In order to use single channel authentication with a VPN, the user needs to be able to obtain a TURing image, perform the OTC extraction using their PIN, and then enter these details onto the VPN authentication page. One way of delivering a security string to the user is to modify the VPN log-on page so that it incorporates a TURing image, like the example below. Some VPNs accommodate this form of integration, others require some customization, and others make this impossible. PINsafe have a number of these customizations available off the shelf.

However, there are a number of ways of delivering the security string in a TURing image that do not require the VPN log-on page to be modified and thus are a very low touch integration.

User Portal

One solution to delivering the security strings is to use a user portal web application to allow the user to obtain a TURing image via a web browser. Swivel can supply a user portal; it can be hosted on any servlet container, including the server on which PINsafe is running. It acts as an authentication agent for PINsafe and can be used to deliver security strings to the end user and also for functions such as allowing the user to
42. apply to both PIN and PINless users; others are specific. The general policies are set on the Policy > General screen.

[Figure 38: General Policy Screen. Policy > General: "Please enter the policies to apply to authentication." Security string type: Numbers; Auto set credentials on user creation: Yes; Maximum login tries: 5; Inactive account expiry (days): ; Non-Existent Users appear to be: ; Audit Log length (days): 30.]

Security String Type

You can set the security string to be Numbers and/or Letters. You can have upper or lower case characters, or a mixture of both. Mixed case is not recommended for TURing images, as it can be difficult to differentiate between characters such as lower case l and number 1, even without the obfuscation. You can even have a mixture of upper case letters and numbers. In order to make this option usable, letters that can easily be confused with numbers are not used; therefore, if in doubt, a character is a number. If SMS delivery of security strings is used then it is recommended that numbers are used for security strings.

[Figure 39: Alphanumeric security string; the first character is an 8.]

Maximum login tries

This is the maximum number of consecutive failed login attempts that a user can have before their account is locked out. See the section on unlocking accounts.
43. as deleted; accounts can be purged from the system.

[Figure 3: User list showing users marked as deleted. Buttons: Search, Reset, Purge, Undelete. Columns: Username, Admin, Helpdesk, Single, Dual, Swivlet, PINless. Users listed include adhelp, BillyBob and graham.]

This means that in the event of the mistaken deletion of accounts, the mistake can be rectified without needing to issue new PINs to the affected users.

Improved User Admin Screen

The User Admin screen has always had the ability to list users and apply a range of filters to that list. 3.5 adds a filter for restricting a search to a specific group.

[Figure 4: Setting the user list to only show members of a specific group. Filters: Repository: adtest; State: All; Max No. Users: 500; Users per page: 100; Username Contains: ; Members of group: two; "5 users in this repository". Buttons: Reset, Purge, Undelete, View. Users listed include 1234, adhelp, BillyBob and graham.]

Version 3.5 also adds options for listing different sets of user attributes. For example, you can list the transports that a user is assigned to use along with their destination attributes, e.g. email address and telephone number.

View: Security String Alerts; Transport; Destination; T
44. Base Search Context: The sub-context on the LDAP server in which all users and groups exist.
Group ObjectClass Name: The name of the LDAP object class representing a group. For most servers this will be groupOfUniqueNames, but groupOfNames is a possibility, or you may have created a custom schema.
User ObjectClass Name: The name of the LDAP object class representing a user. inetOrgPerson is the standard schema, but you may have created a custom schema.
Member attribute name: The name of the attribute on a group object that contains the names of members. If the group object class is groupOfUniqueNames this will be uniqueMember; if groupOfNames, then member. The simple LDAP implementation assumes that group membership is represented by a multi-valued attribute on the group. If your directory server works differently you will not be able to use Simple LDAP and will need a custom repository class.
Member group attribute name: The name of the attribute on a group object that contains the names of member groups. This is only relevant in cases where individual members and group members are added with different attributes, as in the case of the IBM Tivoli Directory Server. If this is omitted it is assumed to be the same as the member attribute name.
Import disabled state: Whether or not to import the PINsafe disabled state from the LDAP repository. If this is set to Yes, the following attribute is used to decide whether or not a user is disabled.
Use
45. be PINless. These requirements can be met by creating a simple set of two groups:

Group name: Example Active Directory definition
PINsafeUsers: CN=PINSafeUsers,OU=pinsafe,DC=example,DC=com
PINsafeAdministrators: CN=PINsafeAdministrators,OU=pinsafe,DC=example,DC=com

The PINsafeUsers group will be given the Single right, allowing them to authenticate using single channel. They will also be given the PINless right. The PINsafeAdministrators group will be given the Admin right; since this also includes HelpDesk rights, there is no need to tick both. Authentication for the PINsafeAdministrators group can be handled in one of two ways: either the PINsafeAdministrators group is itself a member of the PINsafeUsers group within Active Directory, in which case they automatically get the Single and PINless rights, or else the group can be explicitly given these rights.

The Repository > Groups screen will look as shown below; this example assumes the administrators group is a sub-group of the users group.

[Figure 51: Simple repository groups example. Columns: Single, Dual, Swivlet, Admin, Helpdesk, PINless. Name: PINsafeUsers; Definitions: ith000140 PINsafeUsers, AD CN=PINSafeUsers,OU=pinsafe,DC=example,DC=c... Name: PINsafeAdministrators; Definitions: ith000140 PINsafeAdministrators, AD CN=PINsafeAdministrators,OU=pinsafe,DC=examp...]

On the Transport
46. Contents (continued)
How to integrate PINsafe with an SMS service Provider
Integrating via SMTP
Integrating with Agents using Agent-XML
How to integrate PINsafe with an IIS Website
Integrating using RADIUS
RADIUS Groups
How to integrate a VPN with PINsafe using RADIUS
Integrating with 3rd Party Authentication Systems
Integrating with other PINsafe Servers
Peering PINsafe Servers
Multiple PINsafe servers using a single Database
Operation & Maintenance
47. change their PIN numbers. It is easily branded and customised. The beauty of this solution is that it does not require any client to be installed on the user's laptop; all they need is a standard browser. Users can bookmark this page and even have it on their desktop as a bookmark. Users can be sent the URL of the portal as part of the provisioning of PINsafe.

[Figure 27: User Portal screen shot. PINsafe JSP Sample Login; menu: Login, Settings; Username: demouser; buttons: Get Message, Get Image.]

To authenticate, the user opens a browser at the portal's URL and enters their username (although this could be pre-filled, stored in a cookie). They select Get Image and the image is presented to them. The user performs the one time code extraction and enters the one time code into the VPN log-on form.

SysTray Utility

Another way to deliver the TURing image to the end user is to use the PINsafe SysTray utility. This is a small client that resides in the user's System Tray.

[Figure 28: Screenshot of SysTray Utility. PINsafe Taskbar Settings window.]

The application can be manually configured to retrieve TURing images from any PINsafe server for any user. It can also be pre-configured so that the user need only enter their username. Once the application is configured, users can obtain a security string merely by double clicking on the PINsafe icon in the system tray or by rig
Index

Document Version
connection idle time in seconds after which re-authentication will be required.

Username Header: If the username needs to be included in the HTTP header, the attribute name it will be given.

Channels: Which channels will be used. This determines what buttons are presented on the authentication page, e.g. if you select Single Channel a Get Image button will be included.

Display Password Field: This will include a password field if a password is being used as well as the PIN-based authentication.

Permit self reset: This will allow users to perform a self-reset via this agent.

Exclusions
- Addresses: Comma-separated list of IP addresses that are exempt from the requirement to perform PINsafe authentication. Partial addresses such as 192.168 may be entered.
- Paths: Comma-separated list of paths that are exempt from the requirement to perform PINsafe authentication. Partial paths may be entered; for example /images would allow access to /images/logo.png and /images/staff.jpg.

Inclusions
- Included Paths: Comma-separated list of paths that require PINsafe authentication. If any paths are entered then only those paths will be subject to PINsafe authentication and any path exemptions will be ignored. Partial paths may be entered.

Misc
- Default Path: The default location to redirect a user to following login if no other destination is
- Logout Path
- Virtual web path
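The following is an added example, not code from the PINsafe manual or the Swivel IIS filter: it models the access decision the Exclusions and Inclusions settings above describe, including the rule that Included Paths make path exemptions irrelevant. The names FilterSettings and requires_pinsafe_auth are hypothetical, and matching partial addresses on octet boundaries is a refinement added here that the manual does not spell out.

```python
# Added example; not code from the PINsafe manual or the Swivel IIS filter.
# Models the decision the Exclusions/Inclusions settings describe. The
# names FilterSettings and requires_pinsafe_auth are hypothetical.
from dataclasses import dataclass, field
from typing import List


@dataclass
class FilterSettings:
    # Exclusions > Addresses: full or partial (leading-octet) IP addresses
    excluded_addresses: List[str] = field(default_factory=list)
    # Exclusions > Paths: full or partial (leading) paths, e.g. "/images"
    excluded_paths: List[str] = field(default_factory=list)
    # Inclusions > Included Paths: when non-empty, only these are protected
    included_paths: List[str] = field(default_factory=list)


def address_exempt(client_ip: str, partials: List[str]) -> bool:
    """Match a partial address on octet boundaries: "192.168" covers
    192.168.0.0-192.168.255.255 but not 192.1680.x or 192.16.x. The manual
    only says partial addresses may be entered; the boundary rule is this
    example's refinement to avoid over-broad exemptions."""
    for p in partials:
        p = p.strip().rstrip(".")
        if p and (client_ip == p or client_ip.startswith(p + ".")):
            return True
    return False


def path_match(path: str, partials: List[str]) -> bool:
    """Partial paths match as prefixes: "/images" covers /images/logo.png."""
    return any(path.startswith(p.strip()) for p in partials if p.strip())


def requires_pinsafe_auth(s: FilterSettings, client_ip: str, path: str) -> bool:
    """True when the request must pass PINsafe authentication.

    Order follows the settings table: an exempt address is never
    challenged (assumed here to hold regardless of path); when any
    Included Paths are configured they alone define the protected set and
    the path Exclusions are ignored; otherwise everything except the
    excluded paths is protected."""
    if address_exempt(client_ip, s.excluded_addresses):
        return False
    if s.included_paths:
        return path_match(path, s.included_paths)
    return not path_match(path, s.excluded_paths)
```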
d of the PINsafe configuration and can be useful for fault diagnosis.

How to perform automated backups

The following guidelines are a suggested way of performing backups automatically, in a way that can be integrated with any existing enterprise back-up processes and systems. This approach uses a back-up script to copy the required files to a SAMBA share, which allows the back-ups to be copied via the local network to a remote server.

Creating a Samba Share

This is a very quick guide to creating a public share using SAMBA; no security policies have been added to the share. It is being used as a form of access from your global backup server.

Firstly, at the console, log in as root. Start the X display by typing startx. Once the graphical interface has started, select Applications > System Settings > Server Settings > Samba. Select Add.

In the Directory, browse to and create a new folder called PINsafeBackup in the /home/swivel directory. Then select the new folder as the Samba share directory. N.B. the backup script provided later presumes a /home/swivel/PINsafeBackup folder exists; if you change this folder here, remember to change the backup script to match. Select Read and Allow access to everyone. In the Preferences > Server Settings > Security menu item, set the Authentication Mode to Share. In the Applications > System Settings > Server Settings > Services menu item, tick the smb s
d other VPN vendors use information passed back within a RADIUS Access-Accept response to determine what access policy to apply to the user. PINsafe can now support this form of operation. It does this by setting the RADIUS Class attribute within the Access-Accept packet to be the list of policy groups of which the user is a member, for example OU=PolicyGroup1.

To implement this feature, set the RADIUS Groups setting to Yes. With this set to Yes, the user's group membership information will be passed back. The RADIUS Group Keyword is used to filter the group information that is sent back. For example, with the keyword set to POLICY, the RADIUS response will list the groups that the user is a member of, but only groups that contain the word "policy". This prevents irrelevant group information being returned. If this field is left blank then a list of all the groups of which the user is a member is returned.

More details on how Cisco uses this form of information can be found on the Cisco website, specifically the following document: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186200808cf897.shtml

Once the RADIUS server is configured and enabled, it can be configured to accept requests from a NAS. This is achieved by selecting the Radius > NAS page and entering the details. These settings are the same as those for an agent: name, IP address, shared secret and group. You can also specify that the N
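An added example, not code from the PINsafe manual or the Swivel RADIUS server, showing the keyword filtering described above and how the filtered groups travel as RFC 2865 Class attributes (type 25) that a NAS then parses. Emitting one Class attribute per group with an OU= prefix is an assumption of this example; the manual only gives OU=PolicyGroup1 as the value format.

```python
# Added example; not code from the PINsafe manual or the Swivel RADIUS server.
# Group filtering per the RADIUS Groups / Group Keyword settings, plus the
# Class attribute (RFC 2865 type 25) encoding and a defensive NAS-side parser.
import struct
from typing import List, Tuple

ATTR_CLASS = 25          # RADIUS attribute type for Class
MAX_ATTR_VALUE = 253     # 255-byte attribute minus the 2-byte type/length header


def filter_groups(groups: List[str], keyword: str) -> List[str]:
    """Keep only groups whose name contains the keyword (case-insensitive,
    so POLICY matches PolicyGroup1); a blank keyword returns all groups."""
    if not keyword.strip():
        return list(groups)
    kw = keyword.strip().lower()
    return [g for g in groups if kw in g.lower()]


def class_values(groups: List[str], keyword: str) -> List[str]:
    """Values to place in Class, e.g. 'OU=PolicyGroup1' (prefix assumed)."""
    return ["OU=" + g for g in filter_groups(groups, keyword)]


def encode_class_attributes(values: List[str]) -> bytes:
    """Serialise each value as a Type-Length-Value RADIUS attribute."""
    out = bytearray()
    for v in values:
        raw = v.encode("utf-8")
        if len(raw) > MAX_ATTR_VALUE:
            raise ValueError(f"Class value too long for one attribute: {v!r}")
        out += struct.pack("!BB", ATTR_CLASS, len(raw) + 2) + raw
    return bytes(out)


def decode_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, rejecting malformed lengths instead of
    looping forever or reading past the buffer (what a NAS parser should do)."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError(f"bad attribute length {ln} at offset {i}")
        attrs.append((t, blob[i + 2:i + ln]))
        i += ln
    return attrs


def policy_groups_from_reply(blob: bytes) -> List[str]:
    """What a NAS extracts from the Access-Accept: the Class values."""
    return [v.decode("utf-8") for t, v in decode_attributes(blob) if t == ATTR_CLASS]
```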
Helpdesk users

Version 3.4 introduced the concept of a delegated helpdesk user. This meant that a helpdesk user could only manage the accounts that were in the same repository as their own account. 3.5 makes this an optional feature, so that if required PINsafe can allow a helpdesk account to manage all the accounts on the system. This is implemented by setting Global Helpdesk Users to Yes on the Policy > General screen.

Figure 8: Setting Global Helpdesk Policy (Policy > General: Security string type, Auto-set credentials on user creation, Maximum login tries, Inactive account expiry (days), Non-Existent Users appear to be, Global Helpdesk Users, Audit Log length (days))

Upgrading

Upgrading from PINsafe version 3.2, 3.3, 3.4

Upgrading from version 3.2/3.3 should be transparent. Both the user database and the configuration will be upgraded automatically. To upgrade from an existing installation of PINsafe 3.2, 3.3 or 3.4, follow this procedure:

1. Stop the Tomcat server: service tomcat5 stop
2. It is highly recommended that you take a copy of the entire Tomcat x.x/webapps/pinsafe/WEB-INF folder, but specifically ensure steps 3, 4, 5 and 6 are completed.
3. Back up the PINsafe configuration by taking a copy of
for example. One consideration here is that the username must be unique over all repositories within the database. It is not possible to have a user called, for example, admin in one repository and another also called admin in a different repository, even if those repositories are synchronized on different servers.

Operation & Maintenance

This section refers to PINsafe running on a server rather than as an appliance. For details of the operation and maintenance of appliances, refer to the appliance How To guides.

Tasks

How to log on to the PINsafe server

The PINsafe server is delivered with a default root password of lockbox. It is recommended that this is changed, and obviously recorded, as part of the installation process.

How to perform back-ups of the PINsafe server

To back up the user and configuration data for the server, the easiest approach is to back up the webapps folder under the Tomcat directory, /usr/local/apache-tomcat-x.x.xx/webapps, where x.x.xx is the Tomcat version number. This will back up all the user and system data required by PINsafe. To ensure against server hardware failure and to facilitate quick restore, it is recommended that this back-up be stored on a remote server.

Saving the configuration

PINsafe has a save configuration feature that allows the current configuration to be saved to an XML file. This provides a useful recor
e VPN, but only a subset of users can authenticate to the websites. All users can use single channel authentication; some users can use dual channel (SMS) authentication. Dual channel users will be sent alerts to their mobile phone, single channel users via email. PINsafe Administrators are dual channel users but Helpdesk users are single channel only.

This is a group structure that can support these requirements:

Figure 54: More complex repository groups example AD structure
- DC Users: CN=PINSafeDCU…, OU=pinsafe, DC=example, DC=com
- SC Users: CN=PINSafeSCUsers, OU=pinsafe, DC=example, DC=com
- WEB Users: CN=PINSafeWebUsers, OU=pinsafe, DC=example, DC=com
- Admin Users: CN=AdminUsers, OU=pinsafe, DC=example, DC=com
- Helpdesk Users: CN=HelpdeskUsers, OU=pinsafe, DC=example, DC=com

If you are familiar with earlier versions of PINsafe, note that in 3.3 there is no need to define a group that encloses all of the groups above.

The single channel group, SC Users, is the group which contains users that can only authenticate via single channel. In other words, SC Users and DC Users are distinct: no users are members of both of these groups, but all users must be members of one of these two groups. The Admin Users group can be a member of the dual channel DC Users group and the Helpdesk group can be a member of the SC Users group. A separate group for those users that can authenticate t
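The following is an added example, not code from the PINsafe manual, that checks the rule just stated for SC Users and DC Users (no user in both, every user in one) while expanding nested groups such as Admin Users inside DC Users. The group DNs and members are constructed for the example; the function names are hypothetical.

```python
# Added example; not code from the PINsafe manual. Resolves nested AD group
# membership and checks the SC Users / DC Users rule from the text.
from typing import Dict, List, Set

# Constructed listing: group DN -> direct members (user DNs or group DNs).
AD_GROUPS: Dict[str, Set[str]] = {
    "CN=PINSafeDCUsers,OU=pinsafe,DC=example,DC=com": {
        "CN=alice,CN=Users,DC=example,DC=com",
        "CN=AdminUsers,OU=pinsafe,DC=example,DC=com",      # nested group
    },
    "CN=PINSafeSCUsers,OU=pinsafe,DC=example,DC=com": {
        "CN=bob,CN=Users,DC=example,DC=com",
        "CN=HelpdeskUsers,OU=pinsafe,DC=example,DC=com",   # nested group
    },
    "CN=AdminUsers,OU=pinsafe,DC=example,DC=com": {
        "CN=carol,CN=Users,DC=example,DC=com",
    },
    "CN=HelpdeskUsers,OU=pinsafe,DC=example,DC=com": {
        "CN=dave,CN=Users,DC=example,DC=com",
        "CN=carol,CN=Users,DC=example,DC=com",   # carol ends up in both channels
    },
}


def effective_users(groups: Dict[str, Set[str]], group: str) -> Set[str]:
    """Expand nested groups to the users they contain; cycles are tolerated."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, set()):
            if member in groups:
                stack.append(member)      # a group: descend into it
            else:
                users.add(member)         # a user DN
    return users


def check_channel_groups(groups: Dict[str, Set[str]], sc_group: str,
                         dc_group: str, all_users: Set[str]) -> List[str]:
    """Return one message per violation of the SC/DC rule; empty means OK."""
    sc = effective_users(groups, sc_group)
    dc = effective_users(groups, dc_group)
    problems = [f"{u}: member of both single and dual channel groups"
                for u in sorted(sc & dc)]
    problems += [f"{u}: member of neither channel group"
                 for u in sorted(all_users - sc - dc)]
    return problems
```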
e are certain requirements on the network infrastructure.

Getting Started with PINsafe 3.5

There are three fundamental settings that need to be completed to get a PINsafe server up and running:

1. The PINsafe database
2. The database mode of operation
3. Any associated user repositories

Setting the PINsafe Database

PINsafe 3.4 needs a database to store PINsafe account information. This can be an internal or an external database. On install, the PINsafe server comes with a shipping database; this is a single-user, read-only database that has the user account Username admin, PIN 1234. Whilst this option is selected as the database, it will only be possible to log in to the admin console using these details.

The first stage in getting started with PINsafe is to configure the database that you wish to use to store PINsafe account details. This can either be the internal database that comes with PINsafe or it can be a separate external database. PINsafe supports a range of SQL (JDBC) databases; consult with your reseller or with Swivel for more details. In deciding what database to use, you need to evaluate the relative merits of the two approaches:

Factor: Internal Database / External Database
Simplicity: Very simple, single-click deployment / Requires some database set-up and configuration
Flexibility: No flexibility / Flexible solution allowing multiple PINsafe and multiple database servers as
e name, Import disabled state, Ignore FQ name changes, User disabled flag name, User enabled flag name, Use SSL.

Figure 17: Configuration for LDAP repository (example values: Administrator cn=Admin,ou=test,o=lo…, Server LDAPServer, Port 389, Use SSL Off)

The values are explained in the table below.

Parameter: Meaning
- Administrator: The distinguished name of the LDAP user credentials to access the server. This username needs to be a fully qualified username for a user within the LDAP server that has the required privileges.
- Password: The LDAP user's password.
- Server: The name or IP address of the server hosting the directory service.
- Port: The port on which LDAP is running.
- Base DN: The base distinguished name of the LDAP server.
- Synchronization Schedule: How often the PINsafe repository is updated from the directory server; see Appendix D, Setting Schedules and CRON Strings, for details on this.
- Username attribute: The name of the attribute on a user object to use as the PINsafe user name. The default for this is uid. This is the most appropriate attribute if users are implemented as inetOrgPerson objects or custom extensions to that object class.
- Initial PIN attribute: The name of the attribute on a user object to use as the initial PIN for a user.
- Initial password attribute: The name of the attribute on a user object to use as the initial password for a user.
- B
e of authentication is also successful successfully authenticates the user.

Integrating with other PINsafe Servers

There are two ways in which PINsafe servers can interact, enabling users from one server to authenticate to another: using peering, or by sharing a database.

Peering PINsafe servers

It is possible to deploy a number of PINsafe servers as a set of peers. Every user has an account on one of the PINsafe peers, but they can authenticate to any one of the PINsafe servers. For example, if a business has a London office and a New York office running separate Active Directories and SSL VPNs, a PINsafe server can be installed in each office. Each PINsafe server can be configured as a peer to the other. In this configuration a London-based user can authenticate to the New York VPN: the New York PINsafe detects that the user is served by the London server and proxies the authentication request to the London PINsafe server. The London PINsafe server checks the user's credentials and returns the results to the New York server, which as a result can allow or deny access.

Figure 30: Example of peering (London user, London SSL VPN, London Active Directory and PINsafe; New York SSL VPN, Active Directory and PINsafe; proxied request for the London user from the New York PINsafe)
e tables in the database. You then need to create an admin account; see Configuring the user repository.

Configuration for an external MySQL5 database

N.B. PINsafe is shipped with the software required to interface with many popular databases but does not include any licences or drivers for those databases. It is up to the user to obtain any required database licences. PINsafe supports open-source databases such as MySQL and PostgreSQL.

This section describes the stages required to configure PINsafe to work with an external database. Most databases will require similar steps; we use MySQL5 as an example.

The first stage is to create a database that PINsafe can use to create the tables it needs and store the data. This database needs to support the UTF8 character set. You then need to ensure that PINsafe can connect to that database, e.g. that all firewalls have the required port open (3306 being the default).

Obtain the required database drivers for the database. Copy these drivers onto the PINsafe server under the webapps/pinsafe/WEB-INF/lib directory. Restart the PINsafe server.

Now go to the Database configuration screen and enter the details of the database and the drivers that you have configured. See the example below.

Identifier: MySQL 5
Class: com.swiveltechnologies.user.database.MySQL5Dat…
Driver: com.mysql.jdbc.Driver
URL: jdbc:mysql://192.168.0.156:3306/pinsafe
e two servers. The use of session sharing is determined by an XML file within the PINsafe application.

Mark as Deleted

There have been incidents in the past where AD administrators have made changes within the AD domain that have had adverse effects on the PINsafe installation, for example moving groups or renaming domains or containers. These changes have resulted in PINsafe removing a number of accounts, as these accounts were no longer members of the specified PINsafe groups. To limit the impact of such changes, it is now possible to configure PINsafe to mark accounts as deleted when they appear to have been removed from the PINsafe group. An account that is marked as deleted is still retained on the system, although it is disabled.

Figure 2: Setting the mark as deleted option (Active Directory repository: Hostname/IP 192.168.0.165, Username Administrator@test.loc, Password, Allow self-signed certificates No, Username attribute cn, PIN attribute, Password attribute, Import disabled state, Ignore FQ name changes, Mark missing users as deleted)

This option is set on a per-repository basis. If in a subsequent sync job the account reappears, the account is re-enabled and the user will still be able to use their existing PIN. If the account really does need to be deleted then all Mark
ecurity string to authenticate. If they attempt to authenticate with that security string after that time, their authentication will fail. The same setting also applies to security strings delivered by SMS messages when they have been explicitly requested by the user, e.g. via a GET MESSAGE button. SMS messages sent automatically after an authentication attempt do not expire in this way.

The following jobs can be set using cron notation; this is described in Appendix D, Setting Schedules and CRON Strings.

Peer Synchronization: This is similar to the user repository synchronization, only it refers to a server synchronizing its list of users with other peer servers within its peer network. Every time this job is run, the server will request an up-to-date user list from its peer servers.

Inactive User Check: If there are policies in place on the server to lock accounts that have been inactive for more than a certain time, then this job will detect those inactive accounts and lock them.

PIN expiry check: If there are policies in place on the server that limit how long a PIN is valid for, this job will go through the user list and check the last time the PIN was changed, and then either do nothing, send out a PIN expiry warning, or lock out the account.

Audit Log tidy: PINsafe maintains a log of user activity for a pre-determined period, as set on the Policy > General screen. The audit l
ed to operational managers. These are system errors, account lock-outs, and account creations and deletions. The configuration screen for this feature is shown below. To use SMTP logging you must have access to a suitable SMTP mail server. The details for this server must be entered on the Server > SMTP screen.

Figure 36: SMTP Logging configuration screen (Logging > SMTP: From PINsafe; Send errors No; Errors address; Errors subject "Pinsafe Error"; Send account locks No; Account locks address; Account locks subject "PINsafe Account Locked"; Send User Account Create/Delete No; Account audit address; Account create subject "Pinsafe Account Created"; Account delete subject "PINsafe Account Deleted")

Administrator's Guide

This section concentrates on explaining how the PINsafe server is administered. It covers all the common tasks that an administrator would normally undertake.

N.B. A full on-line help admin reference guide is provided as part of the Swivel distribution. Clicking the ? icon will open a web browser with help pages relating to that aspect of PINsafe.

This section assumes all the required integration tasks described earlier in this document have been completed.

Setting Policies

There are a number of policies relating
eers: Name New York; Hostname/IP pinsafe.company.com; HTTP port 8080; SSL No; Context pinsafe; RADIUS authorisation port 1812; RADIUS accounting port 1813; Shared secret.

Figure 32: Example Peer configuration screen

And then on the New York server would be entered:

Peers: Name London; Hostname/IP pinsafe.company.co.uk; HTTP port; SSL; Context pinsafe; RADIUS authorisation port 1812; RADIUS accounting port; Shared secret.

Figure 33: Example Peer configuration screen

Peering can be used for RADIUS and Agent XML authentication solutions. An inbound RADIUS request will be proxied via RADIUS to a peer PINsafe server as required. Similarly, an Agent XML based authentication request will be proxied via the Agent XML interface.

Peering works by each peer keeping a record of the user names active on the other servers. This list is updated periodically. How frequently and when this synchronisation takes place is configured on the Server > Jobs page; see the section on Jobs. It is also possible to manually synchronise a peer from the user admin screen by pressing the Peer Sync button.

Multiple PINsafe servers using a single database

From PINsafe 3.2 it is possible for multiple PINsafe servers to share a database. This was possible in 3.2, but it would require that the reposit
en user accounts may be deleted. To do this, go to the Repository section and select the last sub-entry; this should be labelled with the PINsafe server computer name. Delete the Synchronization Schedule entry and click Apply.

Architecture

The PINsafe application runs within a JSP Servlet Container, Apache Tomcat being the default that is recommended, specifically version 5.5.23. PINsafe 3.3 has also had some testing under Tomcat 6 and Jetty 6.1 and no problems have been observed; however, these containers are not yet recommended for use with PINsafe, and earlier versions of Tomcat (prior to version 5) or Jetty are known not to be compatible.

PINsafe also requires a Java JRE. Specifically, Java JRE 1.5 is recommended and is the minimum requirement. Known compatibility problems between earlier versions of PINsafe and JRE 1.6 under Windows have been resolved, and we have not observed any problems running PINsafe 3.3 under this environment, but 1.5 is still the recommended version. In addition, for certain configurations of the product the Java Communication API needs to be installed; more details in the installation section.

PINsafe needs a database server to store user data and credentials. An internal database server is provided, but there is also the option to use an external database server. The list of currently supported database servers can be found in the Database > General section of the adm
er format that the SMS provider requires. Swivel has produced classes to work with a number of SMS providers, including iTagg (www.itagg.com) and Clickatell (www.clickatell.com).

To configure PINsafe to use an SMS service provider:

1. Obtain an account from an SMS provider for which there is a transport class available.
2. Go to the Transport > General tab.
3. Ensure that the SMS provider class details are entered on the screen as shown below.
4. Select a Repository group name for the class, e.g. smsUser. All members of this Repository Group will have their security strings sent to them via the SMS provider.
5. Select an Alert Repository group name for the class, e.g. smsUserAlert. All members of this Repository Group will have system alerts sent to them via the SMS provider.
6. Click Apply.

Figure 21: Configuring an SMS provider transport class (Identifier iTagg; Class com.swiveltechnologies.pinsafe.transport.ITaggTransport; Strings per message 1; Destination attribute phone; Repository group smsuser; Alert repository group smsAlert; group choices NONE, PINsafeAdministrators, PINsafeUsers, Pinless, smsuser, smtp2)

7. Once this entry has been made, the transport identifier (e.g. iTagg) will appear in the left-hand pane under the Transport heading. You can then configure this interface as required from the Transport > iTagg screen.
8.
er the details for the RADIUS server.

Figure 25: RADIUS server configuration (Server enabled Yes; IP address; Authentication port; Accounting port; Maximum no. sessions; Permit empty attributes; Filter ID; Additional RADIUS logging; Enable debug; Radius Groups; Radius Group Keyword)

Notes on RADIUS configuration

1. The IP address needs to be the internal IP address of the PINsafe server; this is the address to which the RADIUS server will bind. If you leave this setting blank, the RADIUS server will process all inbound RADIUS requests received.
2. If you use ports other than the defaults of 1812 and 1813, you will need to open up these ports on the appliance; see IPtables.
3. If you set Filter ID to YES, the user's username will be returned in the RADIUS Filter-ID field of the RADIUS authentication response.
4. Additional RADIUS logging will add RADIUS log events to the PINsafe logs. Therefore, if a user authenticates via RADIUS there will be a log event for the successful RADIUS authentication and then another log entry for the PINsafe authentication, as the example shows below:

2007-12-13 08:03 INFO RADIUS: <158> Access-Accept(2) LEN=63 192.168.0.151:32859 Access-Request by greenford succeeded
2007-12-13 08:03 INFO 192.168.0.151 Aventail: Login successful for user greenford

RADIUS Groups

Cisco an
ernal agent therefore consists of adding the details of the agent to the PINsafe trusted agent list. To do this, go to the Agents screen by clicking on Agents in the left-hand navigation bar. Then enter a name for the agent, the IP address of the agent, and a shared secret.

- The IP address can be a single IP address or a range of IP addresses. A range of IP addresses is specified using Classless Inter-Domain Routing (CIDR) notation, whereby you define an IP address and then specify how many bits are actually significant in terms of the network address. For example, specifying 192.123.123.120/24 would allow authentication from any IP address in the range 192.123.123.xxx, as only the first 24 bits of the IP address are required to match.

In order for authentication requests to be processed, the source IP address of the request and the shared secret presented by the agent need to match the details entered on this screen.

Figure 22: Screen shot of Agent Configuration Screen (Server > Agents: "Please enter the details for any PINsafe agents below. Agents are permitted to access the authentication services of the PINsafe server via the AgentXML interface." Name ispsample; Hostname/IP 192.168.0.0/24; Shared secret; Group ANY, with choices PINsafeAdministrators, PINsafeUsers)

It is possible to associate agents with groups within PINsafe. When you configure an agent, if you lea
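The check described above, as an added example that is not code from the PINsafe manual or the Swivel server: an agent request is accepted only when the source address falls inside the configured host or CIDR range and the shared secret matches. The Agent class, the function names and the secret values are constructed for the example.

```python
# Added example; not code from the PINsafe manual or the Swivel server.
# Agent trust check: source IP within the configured host/CIDR entry and a
# matching shared secret. Names and secrets here are constructed.
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Agent:
    name: str
    network: Network
    shared_secret: str


def parse_agent(name: str, host_or_cidr: str, shared_secret: str) -> Agent:
    """Accept a single address ("10.1.2.3" becomes a /32) or CIDR notation.
    strict=False lets a host address carrying a mask, such as the text's
    192.123.123.120/24, stand for its /24 network (192.123.123.0/24)."""
    net = ipaddress.ip_network(host_or_cidr.strip(), strict=False)
    return Agent(name, net, shared_secret)


def find_trusted_agent(agents: List[Agent], source_ip: str,
                       presented_secret: str) -> Optional[Agent]:
    """Return the first agent whose range contains source_ip and whose
    secret matches, else None. The secret comparison is constant-time and
    is evaluated for every candidate, so reply timing does not reveal
    whether the address or the secret was the part that failed."""
    ip = ipaddress.ip_address(source_ip)
    match: Optional[Agent] = None
    for a in agents:
        in_range = ip in a.network     # False when IP versions differ
        secret_ok = hmac.compare_digest(a.shared_secret.encode("utf-8"),
                                        presented_secret.encode("utf-8"))
        if in_range and secret_ok and match is None:
            match = a
    return match
```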
Inactive account expiry: If an account is not used for a specified period it will become locked. This setting allows you to specify that period in days. If this is set to 0 then the user account never expires due to inactivity.

Auto Credential setting: If you set this parameter to YES then whenever a new account is created, PINsafe will automatically create a PIN for it. If a password is also required, this will also be generated. See Adding User Groups for more details.

Non-Existent Users appear to be: When a TURing image is requested for a user that does not exist, PINsafe will still produce an image. This is to prevent a user determining which usernames are valid accounts. You can specify the type of image that is presented when an image for a non-existent user is requested. Therefore, if all your users have PINs you should set this to PINned; if all your users are PINless this should be set to PINless; and if you have a mixture of users you should set this value to mixed.

Audit Log Length: PINsafe maintains an audit log of user activity that can be extracted and interrogated by the Admin API. This setting dictates how long the activity records are maintained.

PIN and OTC Policies

PIN and OTC policies are set on the Policy > PIN and OTC screen. PINs within the PINsafe product are the prime authentication credential, and administrators may wish to replicate existing password management policies within PINsafe.
ervice box and also select Start Service. You should now be able to access the share via a client machine pointing to \\<server_ip>\PINsafeBackup, where <server_ip> is the PINsafe server's IP address.

Writing a simple script to back up PINsafe

Log on to the console as root. Use an editor to create a file /home/swivel/backup.sh. Enter the following code. N.B. replace the tomcat x.x.xx version with the correct version number running on your server.

    #!/bin/bash
    # Stop PINsafe so the files are consistent while they are archived
    /etc/init.d/tomcat stop
    # Abort if the webapps directory is not where expected, rather than
    # archiving the wrong directory; Tomcat is restarted in either case
    cd /usr/local/apache-tomcat-x.x.xx/webapps || { /etc/init.d/tomcat start; exit 1; }
    tar --create --file=/home/swivel/PINsafeBackup/Backup.tar --label=Backup --verbose pinsafe
    /etc/init.d/tomcat start

To make the script executable type:

    chmod a+x /home/swivel/backup.sh

Running this script temporarily halts the PINsafe server and therefore prevents users authenticating via PINsafe during back-ups.

Running the script

To run the script manually, do the following:

    /home/swivel/backup.sh

A new tar file called Backup.tar should appear in your SAMBA share.

How often should I perform back-ups?

It is recommended that this script be run after the first user repository synchronization and then on a regular (e.g. weekly) basis. How regularly it is run depends on how often users and PINs change. The script can be run as a cron job. The use of a SAMBA share means that this data can then be pulled from the machine and stored elsew
Figure 19: Repository Group definitions for LDAP repository (PINsafeUsers, definition for ith000140 LDAP: CN=PINsafe,DC=test,DC=local; PINsafeAdministrators, definition for ith000140 LDAP: CN=PINsafeAdmins,DC=test,DC=local)

Administrators of PINsafe do not have to be members of the PINsafeUsers group as long as either the Single or Dual channel option is ticked for PINsafeAdministrators.

Go to User Administration and select Sync Now. This will then create PINsafe accounts associated with the Active Directory accounts, including PINsafe accounts with admin rights for Active Directory accounts that belong to the relevant group. These accounts will be listed on the User Admin screen.

It is no longer necessary to ensure that there is at least one user in the administrators group, as long as there is at least one in one repository; but if you have removed the admin user from the XML repository and this is the only other repository, you must ensure that there is at least one user in the administrators group.

N.B. currently the group names are sensitive to both case and to spaces between LDAP names, so if there are no ticks against any of the categories, check the exact group names on your server and make sure that the entries in the Repository > Groups table match.

Select the administrato
harden the installation.

Before you deploy and start PINsafe, ensure you have the following software installed:

- Java runtime environment (JRE) version 1.5, available from www.sun.java.com
- Tomcat v5.5, available from http://tomcat.apache.org (version 5.5.23 recommended)
- Java Communications API, if you intend using a GSM modem; follow the Java Comm API installation instructions (see Appendix A). This is available from http://java.sun.com/products/javacomm/downloads/index.html
- The PINsafe distribution war file

If you have an appliance, the default Linux password is lockbox. This applies for root and the user swivel. These passwords should be changed using the Linux passwd command.

PINsafe Deployment

This section refers to a self-install; an Appliance comes with the software pre-installed. To deploy and start PINsafe, perform the following steps:

1. Place the war file in Tomcat's webapps folder.
2. Start Tomcat.
3. Browse to http://<PINsafe server IP address>:<portnumber>/pinsafe (http://localhost:8080/pinsafe for example).
4. The default administrator is admin with a PIN of 1234, so enter admin in the username, click Start Session, then enter the first 4 digits of the security string. Click Login.

Protecting the PINsafe Admin Console

In order for users to retrieve TURing images from PINsafe, the PINsafe server needs to be accessible via the internet
has been configured. It should be the first (initially the only) repository in the list and should appear in the menu below the Groups heading.

Figure 10: Repository menu (Repository: Servers, Types, Groups, ith000140)

Go to Repository > Groups to configure the repository groups. Initially two groups are defined: PINsafeUsers and PINsafeAdministrators. Make sure that each group definition for this repository is the same as the group name, as shown below.

Figure 11: Repository Groups Definition (Repository > Groups: "Please enter the repository group information to be used by the PINsafe server. This includes group privileges and Active Directory/LDAP definition. For XML repository please copy the group name into the definition." Columns: Single, Dual, Swivlet, Admin, Helpdesk, PINless. Name PINsafeUsers, definition for PINsafe1: PINsafeUsers. Name PINsafeAdministrators, definition for PINsafe1: PINsafeAdministrators.)

User Sync

Go to the user administration screen and select User Sync. The XML repository is shipped with an existing user of admin with a PIN of 1234, so you will see this account appear on the list of users. It is recommended that you open a new browser window, navigate to the admin console and log on using this new account before you exit the existi
72. hat is the one you want the filter to apply to, right-click on it and select Properties. Select the ISAPI Filters tab and click Add. Enter the name PINsafe IIS filter (you can call it what you like). Click the Browse button and navigate to the installation folder noted earlier. Select PINsafeIISFilter.dll and click OK.

Back in the main IIS management console, right-click again on the web site, select New, then Virtual Directory. When prompted for an alias, enter pinsafe. On the next screen, when prompted for a directory, click Browse and navigate to the Web directory underneath the filter installation directory. On the next screen, ensure that Read and Run scripts are enabled. Once the virtual directory has been created, right-click on it and select Properties. On the Virtual Directory tab, click the Remove button next to Application name, then click OK.

Once the filter has been applied to the website, when a user attempts to access a part of the website protected by PINsafe, PINsafe will prompt them to authenticate. IIS may need to be restarted for filter settings to take effect.

How to write an Agent

The Change PIN application and the IIS filter are two examples of PINsafe agents that use the PINsafe Agent XML API. The Agent XML API is a simple XML-based API that enables integrators to develop their own agents. This can provide for a very flexible authentication solution
73. he PINsafe server. Each group can be assigned any combination of these rights:
- Admin: members of groups with this right can configure PINsafe.
- Helpdesk: members of groups with this right can manage users (e.g. reset PINs, passwords etc.). Users with the Admin right automatically also have this right.
- Single: members of groups with this right can authenticate via the single channel TURing image interface.
- Dual: members of groups with this right can authenticate using dual channel authentication, e.g. using SMS messages.
- Swivlet: members of groups with this right can authenticate using the PINsafe mobile client.
- PINless: members of groups with this right will be PINless. They will use one-time passcodes rather than security strings and one-time codes.

In addition, groups will need to be defined for the transports that users are going to use, the agents via which the users will be allowed to authenticate, which RADIUS NAS can be used to authenticate, and the use of third-party authentication methods.

Simple AD Group and Attribute example

A simple PINsafe installation may be one where TURing image authentication is being used to authenticate a VPN. All users will be single channel users. All users will be sent alerts via e-mail. All users will authenticate via the same NAS. The same group of users will configure and operate PINsafe, so there is no requirement for separate helpdesk/admin roles. All users will
74. he repository group. Leaving a definition field blank means that no users of that particular repository will be members of the corresponding group. There is no requirement to enter a definition for every repository in every group, although for the group to be useful there must be a definition for at least one repository. Conversely, it is not necessary to define a separate group for each repository: if the functionality is the same for groups within different repositories, they can be defined as the same group within PINsafe. The Repository > Groups admin page will look something like the following.

Figure 46: Repository Groups page. The screen reads: "Please enter the repository group information to be used by the PINsafe server. This includes group privileges and Active Directory/LDAP definition. For XML repository please copy the group name into the definition." Columns: Single, Dual, Swivlet, Admin, Helpdesk, PINless. Definitions for repository ith000140 (LDAP):
- PINsafeUsers: cn=PINsafeUsers,dc=test,dc=local
- PINsafeAdministrators: cn=PINsafeAdmins,dc=test,dc=local
- PINlessUsers: cn=PINlessUsers,dc=test,dc=local

Adding Users

To add users to PINsafe you need to add them to an appropriate group with
75. here to conform to any backup routines or infrastructure that may already be in place. These instructions are only a guideline, and we would recommend you further your investigations into backup.

Restoring from Backup

If you should need to restore your server from a backup, carry out the following.

Log into the server as root and stop Tomcat:
  /etc/init.d/tomcat stop

Delete the pinsafe folder from within the Tomcat webapps directory:
  cd /usr/local/apache-tomcat-x.x.xx/webapps
  rm -rf pinsafe

Copy and extract the backup file:
  cp /home/swivel/PINsafeBackup/Backup.tar /usr/local/jakarta-tomcat-x.x.xx/webapps
  tar xvf /usr/local/jakarta-tomcat-x.x.xx/webapps/Backup.tar

Restart Tomcat and check that PINsafe is running and your settings are correct:
  /etc/init.d/tomcat start

In a browser, point to the admin console: http://<server ip>:8080/pinsafe

How to perform disaster recovery

In the event of a hardware failure or other scenario that requires a new server to be installed and brought up to the last recorded configuration of the live server:
1. Install PINsafe and associated software from the disks supplied as part of the install.
2. Restore the latest backup copy of the webapps folder to webapps.
3. Restart the Tomcat server.

Data Migration

The data migration feature allows you to move data from one database to another. For example, if you want to change from using the internal database to a
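The restore sequence above (stop Tomcat, remove webapps/pinsafe, extract Backup.tar, start Tomcat) as an added example script; this is not Swivel's own tooling. It assumes the init script path /etc/init.d/tomcat from the manual (overridable via TOMCAT_CTL), and that Backup.tar holds a top-level pinsafe/ tree as produced by running tar inside webapps. The one thing it adds to the manual's steps is a check, before anything is deleted, that the archive really is a plain pinsafe/ tree: a tar with absolute or "../" member names would otherwise be able to write outside webapps during the restore. The demo() helper builds a constructed good archive and a constructed bad one in a temporary directory so the script can be exercised without a real Tomcat.

```python
"""Restore the PINsafe webapp from Backup.tar (added example, not PINsafe's own code)."""
import os
import shutil
import subprocess
import tarfile
import tempfile

# Assumption: Tomcat is controlled through an init script, as on the page.
TOMCAT_CTL = os.environ.get("TOMCAT_CTL", "/etc/init.d/tomcat")


def archive_members_are_safe(tar: tarfile.TarFile) -> bool:
    """True only if every member sits under a top-level pinsafe/ directory
    and none can escape it (no absolute paths, no '..' components)."""
    names = tar.getnames()
    if not any(n == "pinsafe" or n.startswith("pinsafe/") for n in names):
        return False
    for name in names:
        parts = name.split("/")
        if os.path.isabs(name) or ".." in parts or parts[0] != "pinsafe":
            return False
    return True


def restore_pinsafe(webapps: str, backup_tar: str, tomcat_ctl: str = TOMCAT_CTL) -> bool:
    """Carry out the manual's restore steps. Returns False, touching nothing,
    if the archive is not a plain pinsafe/ tree."""
    with tarfile.open(backup_tar) as tar:
        if not archive_members_are_safe(tar):
            return False
        subprocess.run([tomcat_ctl, "stop"], check=True)          # /etc/init.d/tomcat stop
        shutil.rmtree(os.path.join(webapps, "pinsafe"), ignore_errors=True)  # rm -rf pinsafe
        tar.extractall(webapps)                                   # tar xvf Backup.tar
    subprocess.run([tomcat_ctl, "start"], check=True)             # /etc/init.d/tomcat start
    return True


def demo() -> dict:
    """Constructed sample: a stale webapp, a good Backup.tar and a bad one.
    Uses the 'true' command in place of the Tomcat init script."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "src", "pinsafe", "WEB-INF")
    os.makedirs(src)
    with open(os.path.join(src, "web.xml"), "w") as f:
        f.write("<web-app/>")                       # constructed content
    webapps = os.path.join(tmp, "webapps")
    os.makedirs(os.path.join(webapps, "pinsafe"))
    with open(os.path.join(webapps, "pinsafe", "stale"), "w") as f:
        f.write("old")                              # must be gone after restore
    good = os.path.join(tmp, "Backup.tar")
    with tarfile.open(good, "w") as t:
        t.add(os.path.join(tmp, "src", "pinsafe"), arcname="pinsafe")
    bad = os.path.join(tmp, "bad.tar")
    with tarfile.open(bad, "w") as t:
        t.add(os.path.join(tmp, "src", "pinsafe"), arcname="../pinsafe")  # escapes webapps
    return {
        "good_restored": restore_pinsafe(webapps, good, tomcat_ctl="true"),
        "web_xml_present": os.path.exists(os.path.join(webapps, "pinsafe", "WEB-INF", "web.xml")),
        "stale_removed": not os.path.exists(os.path.join(webapps, "pinsafe", "stale")),
        "bad_refused": restore_pinsafe(webapps, bad, tomcat_ctl="true"),
        "webapp_kept_after_refusal": os.path.exists(os.path.join(webapps, "pinsafe", "WEB-INF", "web.xml")),
    }


if __name__ == "__main__":
    print(demo())
```

On a live server you would call restore_pinsafe("/usr/local/apache-tomcat-x.x.xx/webapps", "/home/swivel/PINsafeBackup/Backup.tar") as root; the refusal path leaves the existing webapp untouched, so a corrupt or tampered archive cannot take the service down.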
76. ht-clicking and selecting Get Image. The application is small and easy to distribute; it can be provided with its own Windows installer. The use of the systray application gives a true soft-token-like experience. These two options are not mutually exclusive: a single PINsafe server can accommodate both alternatives.

How to incorporate a TURing image into a VPN log-on page

Figure 29: Example VPN screenshot (log-on page marked "Secured by Swivel PINsafe", with Username and Enter your OTC fields)

If you wish to integrate a TURing image with a VPN log-on page, then the VPN configuration needs modification. The implementation of these modifications again depends on the VPN itself: some VPNs allow you to easily customize the log-on page; for others it is more involved.

The log-on page needs to:
1. Have a Start Session or TURing button.
2. The user enters their username and then selects this button.
3. This then fetches the TURing image; this will be in the format http://<PINsafe IP Address>:8080/pinsafe/SCImage?username=demouser. It is recommended that the request for the image is proxied via the VPN, or via other means, so that port 8080 on the PINsafe server does not need to be opened up to the internet.
4. The user can then enter their OTC and select Sign In; this will then allow the VPN to use the username and extracted OTC to authenticate against the PINsafe server
77. iguring Synchronized Mode

To use this mode, go to the Mode > General screen, select Synchronized and then click Apply. Users of versions of PINsafe earlier than 3.3 should note that the synchronisation schedule is now set for each repository in the Repository section.

The next stage is to configure the repository.

Configuring the user repositories

PINsafe 3.3 supports multiple user repositories. The initial repository is the internal XML repository, which can be edited within the PINsafe Administration Console. Additional repositories can be defined using Active Directory or LDAP directory servers. If you are using a user repository, it is important that you create an Administrator user to prevent you being locked out of the admin console. If you are unfamiliar with PINsafe, it is recommended that you use the internal XML repository initially.

Using the XML Repository

To use the XML repository you need to go to the Repository > Servers screen and add it. You need to give the XML repository a name. Repository names need to be unique within a PINsafe installation; therefore, if you have two PINsafe servers connected to the same database, they cannot both have an XML repository called LOCAL. The XML repository is also a special case because you can add and edit users for this repository from the PINsafe user administration screen. Go to Repository > Servers to confirm that this repository
78. in more detail below.

Integrating with user repositories

PINsafe comes with an XML repository that can be used to store user accounts. However, enterprises may already have a user repository (e.g. Active Directory) for user accounts, and this can be integrated with PINsafe. The integration means that PINsafe will synchronise with the external user repository to ensure that the user accounts on PINsafe match those within the external user repository. To ensure that the two data stores remain synchronized, PINsafe can be configured to synchronize with the external repository at regular intervals (e.g. once an hour), or synchronisations can be instigated manually.

Using Groups with User Repositories

Since PINsafe 3.3 there is a new model for specifying user rights and user groups. This makes it easier to administer user rights across multiple user repositories. To configure groups, go to the Repository > Groups screen, which should look something like the following.

Repository > Groups screen: "Please enter the repository group information to be used by the PINsafe server. This includes group privileges and Active Directory/LDAP definition. For XML repository please copy the group name into the definition." Columns: Single, Dual, Swivlet, Admin, Helpdesk, PINless. Group PINsafeUsers has the definition PINSafeUsers for repository PINsafe1; group PINsafeAdministrators has its definition for repository PINsafe1
79. in the repository and synchronise PINsafe with that repository. If you have set Auto Create credentials to Yes, the user will be automatically sent a message with their account details in it. If Auto Create is not set, you will need to manually reset or send out their PIN.

When adding users to the PINsafe server you need to consider the following:
- What rights will they have, e.g. will they be able to use single channel, dual channel or both?
- How will security strings be delivered to them?
- How will their PIN and password be created and delivered to them?

The implementation of these will be achieved by ensuring that the user is a member of an appropriate user group. See the previous section for details.

Allocating users to authentication methods

If the user accounts are being synchronized with Active Directory, the user must be a member of the correct group(s) within Active Directory to be able to use the associated authentication methods within PINsafe. The Repository > Groups screen will show which Active Directory groups the user must be a member of. Different authentication options may be associated with different groups within Active Directory or, as in the example below, all users will have access to all authentication types.

Repository > Groups screen: "Please enter the repository group information to be used by the PINsafe server. This includes group privileges and Active Directory/LDAP
80. inistration console. Note that in order to use any of these databases you will need the appropriate JDBC driver. These are not provided with PINsafe because of licensing regulations, but can usually be obtained free of charge from the database manufacturer. PINsafe can use its own repository for sourcing user accounts, or can be configured to work with an existing Active Directory or other LDAP-based user repository (see the How-to guides in the Appendix).

PINsafe Installation

An important part of this document is the record of the installation covered in Appendix C, PINsafe Installation details. It is recommended that this section is completed at the time of installation and kept with the server, or elsewhere where it can be found easily if required. A copy of the installation record needs to be sent to Swivel Secure for their records; this can be sent by e-mail to support@swivelsecure.com or by fax to 44 1423 858172.

PINsafe can be purchased as an Appliance or as software only. If an Appliance is shipped with PINsafe, all software will come pre-loaded; there is an Appliance User Guide that covers the appliance-specific configuration issues such as changing IP addresses etc.

Please note that the installation should only be attempted by someone comfortable with this kind of installation. Also, if you install PINsafe on your own hardware platform and OS, you should take all the necessary steps to security
81. ith the server, or elsewhere where it can be found easily if required. A copy of the installation record needs to be sent to Swivel Secure for their records; this can be sent by e-mail to support@swivelsecure.com or by fax to 44 1423 858172.

PINsafe 3.5 for users of earlier PINsafe versions

Session Sharing

For Active-Active HA pairs, when using single channel or on-demand dual channel, it has been a requirement that the user authenticate to the same server from which they retrieved the security string. This has prevented PINsafe servers from being deployed in a truly load-balanced way. Version 3.5 of the PINsafe software now removes this requirement. Now, when a session is started on one PINsafe server, that session is shared with the other PINsafe server, so that either server can accept the subsequent authentication request.

Figure 1: Session sharing means that if PINsafe server 1 supplied the TURing image, the VPN can still authenticate the user via PINsafe 2.

The mechanism for this is that the sessions that are in progress (i.e. where a user has requested an image or message but not yet authenticated) are stored in a cache that is shared between the two servers, in a similar way to the way that the databases are shared. The session sharing can, but need not, be used with an Active-Active pair. Clearly, to support the use of this feature there must be sufficient bandwidth with low enough latency between th
82. manage PINsafe users. You can create a set of groups in such a way that different user groups have a range of different user experiences and rights within PINsafe; or, if you have a very simple PINsafe installation, you can use just two or three different groups to very simply manage your PINsafe users.

Note that although this section refers consistently to Active Directory, all comments apply also to repositories configured as Simple LDAP. Note also that the groups defined within PINsafe as of version 3.3 can refer to a single group within each of the defined repositories, or can refer to a single repository only.

The considerations that should be taken into account when planning integration with Active Directory are:
- What authentication modes are to be used, and whether all users are going to be able to use all methods: dual channel, single channel, or a mixture of the two.
- What delivery method is to be used for alerts (e.g. account creation and dual channel authentication), and are all users going to use the same method?
- How is the user PIN to be created?
- Have all the Active Directory accounts been fully populated with information, e.g. mobile phone numbers (without e.g. 4412345678) and email addresses?

Plan your Active Directory Groups

Ideally, by using a hierarchy of groups, users should be able to be assigned as a member of one group to give all the requirements for PINsafe.

User rights

The following standard rights are defined on t
83. mm API

1. Unzip the file javacomm20-win32.zip into the root of C:. This will produce a hierarchy with a top-level directory commapi. This example assumes that you have installed J2SE version 5 and that it has been installed into C:\Program Files\Java\jdk1.5.0_02.
2. Copy win32com.dll to your Java jdk\jre\bin directory:
   C:\> copy c:\commapi\win32com.dll "C:\Program Files\Java\jdk1.5.0_02\jre\bin"
3. Copy comm.jar to your Java jdk\jre\lib\ext directory:
   C:\> copy c:\commapi\comm.jar "C:\Program Files\Java\jdk1.5.0_02\jre\lib\ext"
4. Copy javax.comm.properties to your Java jdk\jre\lib directory:
   C:\> copy c:\commapi\javax.comm.properties "C:\Program Files\Java\jdk1.5.0_02\jre\lib"
5. Go to Environment Variables and add the Java jdk\bin directory to the PATH: C:\Program Files\Java\jdk1.5.0_02\bin

TESTING

The Comm API also comes with a number of samples that can be used to confirm that the Comm API has been installed correctly. One of these samples is called BlackBox. To use BlackBox, add BlackBox.jar to the CLASSPATH in Environment Variables: C:\commapi\samples\BlackBox\BlackBox.jar. To run BlackBox, open a command prompt and go to C:\commapi\samples\BlackBox. Then enter java BlackBox:
   C:\commapi\samples\BlackBox> java BlackBox

Appendix B: Active Directory/LDAP Groups and Attributes

Using Active Directory groups to specify how users are managed is a quick and flexible way to
84. n external database, you can:
1. Prepare the new database.
2. Add the details of the database to the Database > General screen.
3. Choose the Migrate option and select the new target database.
4. Enter Migrate and click Apply.

The data will be moved to the new database, so you can use the new database without needing to re-provision users.

Job

There are a number of processes, or jobs, that the server needs to run on a regular basis. These handle such things as synchronizing to the user repository and checking for any accounts that should be locked due to inactivity. For the most part these settings can be left at their default values, but there may be reasons why an administrator would want to change them. When choosing these settings, the administrator needs to balance the requirement to synchronize data regularly against the resultant loading on the server. Where possible, these tasks should be scheduled to run during the server's quiet period.

Session Clean Up

The session clean-up job is used to invalidate, after a given time, any security strings that have been requested by the user. For example, a session is deemed to have started when a TURing image is requested. The security string presented within that TURing image is only valid for as long as the session is valid. The length of time for which the session is valid is set by the session clean-up time: if it is set to 120 seconds, the user will have 2 minutes in which to use the s
85. ng admin console session.

You can create new Admin-level accounts by selecting Add User on the User Administration screen and creating a new user that is a member of the PINsafe Administrators group. You can then synchronise PINsafe with the repository to create the PINsafe account. Remember to reset the PIN of the new Admin user that you have created.

NOTE: Unlike previous versions of PINsafe, this repository is always available, even when you add another repository. Therefore you need to ensure that you change the PIN for the admin user, or else delete or disable this user. Otherwise this provides a backdoor entry into the system.

License Key

PINsafe comes with a 5-user evaluation license. To operate a live PINsafe server you need a valid licence key, obtained from your reseller or from Swivel Secure. Once you have this license key, enter it on the Server > License screen. The licence will be for a fixed number of users, i.e. accounts on the PINsafe server. If you need additional users, and therefore additional licences, you can purchase a new licence key for the new total of licences required. The new license key is a replacement for the existing one, and therefore you simply need to overwrite the license key.

With the repository and database configured and the license installed, you now have a working PINsafe server that you can start to integrate with your IT infrastructure
86. o the website also needs to be created. This may contain members of both DC Users and SC Users. With this group structure in place, the PINsafe server would use these groups in the following ways. On the Repository > Groups page there would be the following settings.

Figure 55: More complex repository groups example, group definitions. Columns: Single, Dual, Swivlet, Admin, Helpdesk, PINless. Definitions for repository ith000140 (AD):
- DC Users: CN=PINSafeDCUsers,OU=pinsafe,DC=example,DC=...
- admin Users
- SC Users: CN=PINSafeSCUsers,OU=pinsafe,DC=example,DC=...
- HelpDesk Users: CN=HelpdeskUsers,OU=pinsafe,DC=example,DC=...
- WEB Users: CN=PINSafeWebUsers,OU=pinsafe,DC=example,...

Note that the WEB Users group does not have any rights defined on this page. It must be defined here, though, so that it can be used on other pages.

So that single channel users will have alerts (including on account creation) e-mailed to them, and dual channel users will have alerts sent to them via SMS, the Transport > General screen would include the following entries: for SMTP, Destination attribute Mail, Repository Group NONE
87. og tidy job deletes audit log entries that are no longer required to maintain this log.

Logs and Alarms

PINsafe generates a range of log events and alarms; they consist of the following options:
- XML log files written to the local PINsafe server
- Log files written to Syslog
- Alarm events sent as emails to a specified email address

XML Logging

XML logs are generated for a number of system events. They have varying levels of severity: FATAL, ERROR, WARNING and INFO. You can set the level of logging; setting the level to INFO will mean all events of severity INFO and above will be recorded.

Figure 34: Screen for configuring XML Logging (Logging > XML: "Please specify how the server logs events to local XML files. These may be viewed or downloaded using the log viewer." Fields: Level (Info), Filesize (KB), File count, Debug enabled (No).)

The log events are written to files on the PINsafe server at <tomcat>/webapps/pinsafe/WEB-INF/logs. If you are running a backup script like the one described earlier in this manual, then these log files can be included in that backup to provide a longer-term log of system activity. A log file is written to as pinsafe.log until it reaches the file size specified on the Logging > XML screen. This file is then renamed to pinsafe.log.1, a new pinsafe.log is created, and writing resumes to that file. This process repeats, creating
88. olicy. Administrators may wish to use this feature for admin accounts.

Single Channel

The Servers > Single Channel screen allows the Administrator to specify how single channel security strings are presented to the user. From this screen you can specify whether the security string image will be displayed as a TURing, PATTern or BUTTon image, and whether the characters will be rotated within the image. In this screen you can also determine whether to allow session creation via username. This means allowing a user to request a TURing image from any URL, for example by pasting http://<pinsafe url>/pinsafe/SCImage?username=<username> into a web browser. This provides flexibility in terms of security string delivery, but does require that port 8080 is opened up on the PINsafe server. See Protecting the PINsafe Admin Console.

Dual Channel

The Server > Dual Channel screen determines how dual channel security strings are delivered. The default model for dual channel security strings is that a new security string is sent whenever a user attempts to authenticate, thus ensuring that the user always has a valid security string to use. An alternative is to only send a security string to the user when they explicitly request one; this is the on-demand mode that can be enabled from this screen. If this mode is used, the security string sent to the user is only valid for as long as the session time-out (clean-up) period specified on the server g
89. ory on each server was configured identically. With the introduction of multiple repositories, it is now possible for different PINsafe servers to synchronise with different repositories, but for all servers to authenticate all users on all repositories. In order to accomplish this it is necessary to select an external database; the internal database is always local to the PINsafe server, so cannot be shared between multiple instances. All that is required, therefore, is that the database URL is the same on all PINsafe servers.

When repositories are synchronized into a shared database, the users can be authenticated by any PINsafe server using that database, even if the user belongs to a repository that is not defined on that server. All repositories will be displayed in the User Administration screen, whether or not the repositories are defined on a particular PINsafe server. The only difference is that users cannot be synced if the repository is not defined.

When connecting repositories to PINsafe servers sharing a database, the repository name must be unique. If the same name is used for repositories on two different PINsafe servers, it is assumed that they actually refer to the same repository. If this is not the case, it could cause users to be deleted every time the user sync runs. This is why the XML repository on each PINsafe server is named from the server name rather than simply being called XML.
90. pin Session started for user test1

How to integrate PINsafe with an IIS Website

In this instance the Agent is implemented using an ISAPI Filter. This filter needs to be installed on the web server hosting the site to be protected. For information about filtering within IIS, go to the Microsoft web site: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/22e3fbfb-1c31-41d7-9dc4-efa83f813521.asp

To install the PINsafe ISAPI filter you need to run the installer, PINsafeIISFilter.exe, on the IIS server. Make a note of the location the application is installed in; the default is C:\Program Files\PINsafe IIS Filter. The configuration of the filter is achieved by running the configuration application, accessible from Start > All Programs > PINsafe IIS Filter > Filter Configuration. The configurable items are summarised below:
- PINsafe Server Hostname/IP: the IP address or hostname of the PINsafe server, which must be visible to the IIS server.
- Port: the port that the PINsafe server services requests on (default 8080).
- Context: the web application context in which the PINsafe server is installed (usually pinsafe).
- Secret: the shared secret between this agent and the PINsafe server. Needs to match the value entered as part of the PINsafe config.
- SSL Enable: selected if SSL is being used between the agent and PINsafe, otherwise false.
- Permit Self-Signed: select if self-signed certificates are allowed.
- Authentication Idle Time: the
91. pinsafe.log.2, pinsafe.log.3 etc. The number of log files used is determined by the File Count entry. Once this count is reached, the oldest log file on the server is overwritten.

If debug is enabled, debug logs are created that give much more detailed information about the processes running within the server. This setting creates large log files and has an impact on the performance of the server, and therefore should only be used for fault diagnosis. Debug logs are written to a separate file: <tomcat>/webapps/pinsafe/WEB-INF/logs/debug.log

The contents of the XML log files can be viewed via the PINsafe Administration interface Log Viewer screen, and can be downloaded from the PINsafe server to a local machine.

Syslog

As an alternative or addition to writing XML log files locally, PINsafe can also write log files remotely by using the Syslog logging feature.

Figure 35: Syslog configuration screen (Logging > Syslog: "Please enter the details of an external syslog server to which PINsafe logging events should be delivered." First entry: Host host1.swivel.test, Level Fatal, Facility kern; second entry: Host blank, Level Off, Facility local0.)

The logging level is set in the same way as for XML logging. The additional information required for Syslog is the host(s) to which the logs will be written and the syslog facility to be used.

SMTP email Logging

Certain events can be email
92. presenting the user group within the repository. This group must exist within the repository; defining groups and group membership for Active Directory and LDAP repositories depends on the repository you are using and is outside the scope of this document (see the appropriate documentation for your directory server). For the XML repository, the group definition is just a label for the user edit screen and within the XML file. You would normally just copy the group name as the XML repository group definition.

It is not necessary to give a definition for every group for every repository. If a definition is left blank, then no users from the respective repository will be members of the respective group. This goes for the XML repository as well as for other repositories. Refer to Appendix B to see example Active Directory/LDAP and XML repository groups and attributes.

Importing Disabled State

If, as is the case with Active Directory, the repository supports the principle of disabled accounts, PINsafe can take account of this when synchronising with the repository. If Import disabled state is set to Yes, then if the account is disabled in the repository it will be disabled within PINsafe. If Import disabled state is set to No, then a user account can be manually disabled from the User Administration screen by clicking on the user account, selecting Policy and then selecting Disabled. If Import disabled state is set to Yes, it is not possible to manuall
93. r account that you have created. Select RESET PIN for the account and enter a new PIN. Make a note of this PIN. It is recommended that you open a new browser window, navigate to the admin console and log on using this new account before you exit the existing admin console session.

Other repository types

Currently PINsafe can pull user information from LDAP-based user repositories. However, the PINsafe architecture allows for new repository types (e.g. SQL-based) to be easily developed. Therefore, if you have a requirement to pull information from a repository not covered by this manual, contact support@swivelsecure.com.

Deleting a Repository

A repository can be deleted by going to the Repository > Servers screen and clicking on the Delete button next to the appropriate repository. However, by default this only removes the repository definition from the current PINsafe server and not from the PINsafe database; neither does it remove users in that repository. To change this, on the Repository > Servers page change the flag labelled Delete users with server to Yes. The reason for including this option is to allow for the possibility of repositories being configured on more than one PINsafe server. If you unintentionally delete a repository with Delete users with server set to No, you can add the repository back in again (i.e. use the same name), change the flag and delete it again
94. r disabled/enabled flag: the name of the attribute on a user that indicates that the user is disabled or enabled. The inetOrgPerson schema does not allow for such an attribute, so to implement disabling users you would need a custom schema. The use of two properties allows disabling to be handled in one of two ways: either a disabled flag is set to indicate that the user is disabled, or an enabled flag is set to indicate that the user is enabled. If no such flag exists, the user is assumed to be active.

Ignore FQ name changes: whether or not to treat an LDAP user object as the same user if the fully qualified name changes but the PINsafe username remains the same. Set the flags to import disabled state and ignore FQ name changes as described earlier.

Use SSL: whether or not the server uses SSL for authentication.

Figure 18: LDAP Values

The server is now configured to pull in user information from the LDAP repository. There are two ways of instigating the pull of this data. Click, then go to the User Admin screen and click Sync Now. At this stage we have not defined which groups within the repository we are interested in, so no users will be synched across. Go to the log viewer; if you have connected successfully you will see a message saying synch started and synch completed. If this was not successful you will see an error in the log, for example: 14 22 23 192 1
95. ...ransport, Destination, Username (al, adhelp, BillyBob)

Figure 5: User list showing the transports associated with each user

You can also list the groups of which they are a member. These features are particularly useful when diagnosing issues related to repository integration.

Figure 6: User list showing group membership (User Admin screen with Search, Reset, Purge and Undelete buttons and a Groups column for users al, adhelp, BillyBob and graham)

Easier Job Scheduling

Previously the setting of job schedules for repository synchronisation etc. was specified using a cron string format, e.g. 0 0 meant run the job on the hour every hour. Version 3.5 adds a tool to help with the setting of these jobs so that you can easily specify commonly used schedules.

Figure 7: Setting the Job Schedule (Synchronization schedule: Every hour at 17 minutes past the hour; drop-down options custom, 15 minutes, 30 minutes, hour, 3 hours, 6 hours, 12 hours, day, week)

It is also possible to specify the schedule using the existing cron format by selecting custom, so no flexibility has been lost.
96. ...rectory user repository. To set up PINsafe to integrate with Active Directory:

1. Set up the required groups within Active Directory and add users to those groups. See Appendix B, Active Directory/LDAP Groups and Attributes.
2. Add the Active Directory server as a repository on PINsafe.
3. Configure the interface between PINsafe and AD.
4. Configure the group definitions for the repository.
5. Synchronise the users into PINsafe.

Note that the repository name and type cannot be changed once you have added the server; you must delete the server and add a new one to rename it.

1. Set up Groups

Groups need to be created in AD that represent the different user roles within PINsafe, e.g. users, helpdesk users, admin users etc. Refer to Appendix B, Active Directory/LDAP Groups and Attributes.

2. Add Repository

Go to the Repository > Servers screen. Add a new server by entering an appropriate name in the blank entry at the bottom of the list. From the drop-down options select Active Directory and then click Apply.

3. Configure Interface

The next stage is to configure the connection to the AD server. In order to do this you must have an AD domain user account and password, and the PINsafe server must be able to access the server via the selected port.

Repository > adtest: Please enter the details for accessing Active Directory. Hostname/IP: 192.168.0.165; Username: Administrator test loc
97. Introduction

This document provides a general overview of PINsafe version 3.5, its key features, and a quick start guide to the Administration console. It also covers what you should know about your installation of PINsafe and how to support and maintain your installation of PINsafe.

The key new features are:

1. Session Sharing: the ability for security sessions (TURing images) to be shared across an HA pair.
2. Users marked as deleted, so that accounts mistakenly deleted can be recovered without the need to re-issue a new PIN.
3. Improved user admin screen to provide more listing and searching options.
4. Easier setting of job schedules.
5. Ability to specify whether Helpdesk users are global or restricted to their own repository.

This release also addresses the following issues:

• All passwords that are part of the configuration are now stored in an encrypted form in the config.xml file.
• Under certain circumstances PINsafe would misleadingly report an Array Index out of bounds exception during RADIUS authentication.
• Stack traces, when they occur, are now written to the log files.

1. It is now possible to instigate a user sync job via an Agent XML API call.
2. The restriction of only allowing one Syslog server to be defined has been removed.

An important part of this document is the record of the installation covered in Appendix C, PINsafe Installation Details. It is recommended that this section is completed at the time of installation and kept w
98. ...roups are considered to be PINsafe users. Also, there is no longer a RADIUS group, as this duplicates the functionality defined in the RADIUS NAS group. When planning what groups are required, in addition to the above functions the following need to be taken into account:

• Server Agents
• Transport classes
• RADIUS NAS
• RADIUS Groups
• Third Party authentication

In previous versions of PINsafe the user groups for these functions were entered as text. Now the groups are represented as drop-down lists, so once they are defined on the Repository > Groups screen they can be selected from a drop-down list wherever they are needed. When planning the groups there is no need to define a different group for each function. If, for example, all dual channel users use the same transport class, then the same group can be used for both functions. Also, users can be members of multiple groups; the exception to this is that a user cannot have more than one transport class. Each group must have a unique name. Group names are just labels within the configuration and should be descriptive of the group's purpose.

Having determined what groups are required, the next step is to define the mapping to the repositories. This is slightly different for the XML repository than for Active Directory or LDAP. For Active Directory and LDAP repositories the definition is the fully qualified domain name (FQDN) re
99. ...rt. The Administrator may wish to use different transports for alerts from those used for security string delivery.

Allocating Users to Agents

It is possible to configure PINsafe so that only certain users can authenticate via certain agents. When an agent is added to PINsafe it may have had a group associated with it. If this is the case then the user must be placed in that group in order for that user to be able to authenticate via that agent. If no group is specified, any user can authenticate using that agent.

Creating the account

Once the user has been made a member of the relevant groups, the repository can be synchronised with PINsafe. This can either be done manually via the User Admin screen or automatically by setting up a job to perform this (Server > Jobs; see Operation & Maintenance). PINsafe will create a new account if auto credentials create is enabled. PINsafe will also create a username and password if required and send them to the user via their allocated Alert transport.

Unlocking Accounts

Accounts can be locked or disabled. If a user's account is locked or disabled they will not be able to authenticate via PINsafe. You can configure PINsafe to send an email to an administrator to inform them when an account has become locked (see Logs and Alarms). The main status screen on PINsafe immediately indicates if there are locked or disabled accounts on the PINsafe server.

PINsafe Status
100. ...secret</entry>
<entry key="redirect">http://www.google.com</entry>
</properties>

<entry key="ssl">false</entry>
This sets whether or not to use SSL to connect to the PINsafe server; the default is not to use SSL.

<entry key="server">localhost</entry>
This tells the changepin application the server name or IP address of the PINsafe server. The default setting is localhost; this is appropriate for installations where the Change PIN application is installed on the same server as PINsafe.

<entry key="port">8080</entry>
This is the port number being used by the PINsafe server. The default is 8080; this will need to be changed if the PINsafe server is using any other port, e.g. if it is using SSL, for which the default port number is 8443.

<entry key="context">pinsafe</entry>
This sets the context that PINsafe servers are available on. The default is pinsafe; generally the only time this would need to be changed is where there are multiple PINsafe instances sharing the same Apache Tomcat servlet container.

<entry key="secret">secret</entry>
This is the shared secret that needs to match the setting on the PINsafe server for the Change PIN agent. This should be changed to a suitably random setting.

<entry key="redirect">http://www.google.com</entry>
The redirect value is a URL to where the user will be
101. ...t logs screen. The request to send a dual channel security string can be via an agent configured on the PINsafe server; alternatively, PINsafe can be configured to allow the request for a security string to be instigated from any IP address, in a similar way to requesting TURing images. This is enabled by setting "Allow message request by username" to Yes.

You can also configure PINsafe to return a confirmation image when a security string is requested, by setting "Confirmation image on message request" to Yes. This will return an image to indicate to the user whether the message request has been received successfully by PINsafe.

Figure 44: Message Request Confirmation Image

This allows a dual channel image to be requested in the same way as a TURing image from within JavaScript, as well as providing useful feedback to the end user. Note that the confirmation image confirms that PINsafe has received the request, not that the message has been sent.

Alerting Users

The Transport > Alerts screen can be used to determine for which events users receive alerts. Alerts will be sent to the user based on the Alert Transport group to which they belong.

Transport > User Alerts: Please select which alerts are delivered to users. PIN expiry warning: Yes; PIN change required: Yes; PIN changed: Yes; Account locked: Yes; Device key allocated: Yes.

Figure 45: Alert Config
102. ...this requires the opening up of port 8080 by default. As the PINsafe admin console is also on port 8080, measures need to be taken to protect the admin pages from unauthorised access. Frequently a customer will have a proxy that they can configure to proxy the inbound image requests. Where this is not available (and even where it is), the Admin Console filter can ensure that access to the PINsafe Admin Console is only available from a predefined set of IP addresses.

The PINsafe Admin Console Filter is an implementation of a J2EE Servlet Filter that is deployed against the Admin Login servlet. The filter is bundled with version 3.2 and later versions, and it can be retro-fitted to previous versions of PINsafe.

Installation

For post-3.2 versions all the required files will be installed on the server as part of the standard PINsafe installation; for retro-fitting, the filter is distributed as a zip file. To install the filter, first copy the zip file to the webapps/pinsafe directory beneath the Apache Tomcat install directory, then unzip it. This will copy the files into their correct locations within the file system. For example:

> cd /usr/local/apache-tomcat-5.5.15/webapps/pinsafe
> cp /media/cdrom/filter.zip .
> unzip filter.zip

You can confirm the installation by checking the contents of the WEB-INF/conf directory: the filter.properties and ranges.xml files are new and are required by the filter.
103. Setting Schedules and CRON Strings

With the exception of the session clean-up setting, tasks can be scheduled using a cron syntax. Most schedules can be set up by using the drop-down menu items on the synchronisation setting screen.

Figure 56: Selecting Schedules (Synchronization schedule: Every hour at 30 minutes past the hour; drop-down options custom, 15 minutes, 30 minutes, 2 hours, 3 hours, 6 hours, 12 hours, day, week)

If you select the custom option you can explicitly set the schedule using the cron syntax. The use of the cron-like syntax gives a great deal of flexibility in scheduling these tasks. The settings require the following fields:

Field Name | Allowed Values | Allowed Special Characters
Seconds | 0-59 |
Minutes | 0-59 |
Hours | 0-23 |
Day of month | 1-31 | ? L W C
Month | 1-12 or JAN-DEC |
Day of Week | 1-7 or SUN-SAT | L C
Year (optional) | empty, 1970-2099 |

These fields determine when the job is to be run. An asterisk in any field is a wildcard and means that the task will be run for all values of that field. A question mark means that the setting is not specified; this is applied to either the day of month or the day of week, as you cannot specify both of these parameters. Therefore, to schedule a job to run every hour on the hour the settings would be, whereas to run a job at 3 AM every Sunday would be 0 0 3 ? * 1.
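A checker for the cron-style schedule strings described above, added here as an example (it is not PINsafe's own code): it enforces the rule that day-of-month and day-of-week cannot both be specified, expands asterisks, single values, ranges and comma lists using the field limits from the table, and reports whether a given time is a firing time.

```python
"""Checker for the cron-style schedule strings described above (added example,
not PINsafe's own code). Enforces the page's rule that one of day-of-month and
day-of-week must be '?', and tests whether a given time matches a schedule."""
from datetime import datetime

MONTHS = {m: i + 1 for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split())}
DAYS = {d: i + 1 for i, d in enumerate("SUN MON TUE WED THU FRI SAT".split())}

# (name, lowest, highest, name aliases) in the order the manual lists the fields
FIELDS = [
    ("seconds", 0, 59, {}), ("minutes", 0, 59, {}), ("hours", 0, 23, {}),
    ("day_of_month", 1, 31, {}), ("month", 1, 12, MONTHS),
    ("day_of_week", 1, 7, DAYS), ("year", 1970, 2099, {}),
]


def _to_int(tok, aliases):
    tok = tok.upper()
    if tok in aliases:
        return aliases[tok]
    if not tok.isdigit():
        raise ValueError(f"bad value {tok!r}")
    return int(tok)


def _expand(text, lo, hi, aliases):
    """Expand one field (e.g. '0', '1-5', 'MON,WED', '*') into a set of ints."""
    values = set()
    for part in text.split(","):
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _to_int(a, aliases), _to_int(b, aliases)
        else:
            start = end = _to_int(part, aliases)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{part!r} outside {lo}-{hi}")
        values.update(range(start, end + 1))
    return values


def parse_cron(expr):
    """Parse the 6- or 7-field string; '?' fields are stored as None."""
    fields = expr.split()
    if len(fields) == 6:
        fields.append("*")                       # year is optional
    if len(fields) != 7:
        raise ValueError("expected 6 or 7 fields")
    parsed = {}
    for (name, lo, hi, aliases), text in zip(FIELDS, fields):
        if text == "?":
            if name not in ("day_of_month", "day_of_week"):
                raise ValueError(f"'?' not allowed in {name}")
            parsed[name] = None
        else:
            parsed[name] = _expand(text, lo, hi, aliases)
    if (parsed["day_of_month"] is None) == (parsed["day_of_week"] is None):
        raise ValueError("exactly one of day-of-month and day-of-week must be '?'")
    return parsed


def is_valid(expr):
    """True if the string satisfies the field rules above."""
    try:
        return bool(parse_cron(expr))
    except ValueError:
        return False


def matches(expr, when):
    """True if 'when' (datetime or ISO string) is a firing time of the schedule."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    p = parse_cron(expr)
    dow = (when.weekday() + 1) % 7 + 1          # Python Mon=0 -> manual's SUN=1..SAT=7
    actual = {"seconds": when.second, "minutes": when.minute, "hours": when.hour,
              "day_of_month": when.day, "month": when.month,
              "day_of_week": dow, "year": when.year}
    return all(p[name] is None or actual[name] in p[name] for name in actual)
```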
104. ...umber of reset tries a user is allowed.

User Policies

Along with the server-wide policies, the Administrator can set policies for individual users. To access this feature the Administrator can go to the User Administration screen, select a user, and then select the Policy button. This will bring up the following screen for that user.

Figure 43: User Policy Screen (Username: fred; Created: 16:07:13 20 April 2006; Last login: 16:08:51 20 April 2006; Last PIN change: N/A; Last self reset: N/A; check boxes for Disabled, Change PIN at first login, PIN never expires)

This screen shows the status of the user: when they were created on the system, when they last logged in, etc. The Administrator can also, from this screen, implement the following policies:

Disabled: If an account is disabled a user cannot authenticate. Accounts can only be enabled again from this screen. Administrators may wish to disable accounts when a user no longer requires access but they wish to retain the information associated with that account. This feature is not available if the import disabled state on the Repository > General screen has been set to Yes.

Change PIN: The Administrator can ensure that a user has to change their PIN at their next login, i.e. their PIN will only be valid for one authentication.

Never Expires: The PIN for this account will never expire; this takes precedence over any server-wide PIN p
105. ...uration Screen

Managing Users

This section covers the management of users within the PINsafe server, including the addition and removal of users, changing PINs and passwords, and unlocking accounts.

Adding User Groups

The model for handling functionality within groups has been changed for PINsafe 3.3 to accommodate the multiple repository facility. In earlier versions of PINsafe there were eight fixed groups on the Repository > Groups page, plus a group for each agent, transport class, third party authentication and RADIUS NAS. The group name was typed in, and the syntax had to be specific to the repository type. In the new model groups are all defined on the Repository > Groups page. Rather than being associated with a single function, each group can have as many functions as desired. Also, groups can be defined across multiple repositories. As many groups as are necessary can be defined. A new installation will have just two groups, normal users and administrators; however, as many groups can be defined as are necessary to give the desired access control. To define a new group all that is necessary is to enter a unique group name in the Name field in the blank section at the bottom of the Repository > Groups page. However, for that group to be useful two additional pieces of information are required:

• What functionality the group is to have
• How the group maps to a group within e
106. ...users into PINsafe. Note that the repository name and type cannot be changed once you have added the server; you must delete the server and add a new one to rename it.

1. Set up Groups

Groups need to be created in LDAP that represent the different user roles within PINsafe, e.g. users, helpdesk users, admin users etc. Refer to Appendix B, Active Directory/LDAP Groups and Attributes.

2. Add Repository

Go to the Repository > Servers screen. Add a new server by entering an appropriate name in the blank entry at the bottom of the list. From the drop-down options select Simple LDAP and then click Apply.

3. Configure Interface

The next stage is to ensure that you can connect to the directory server. In order to do this you must have a valid user account and password for the directory server, and the PINsafe server must be able to access the server via LDAP (by default port 389, but most servers allow this to be changed on installation). Enter the details of the directory server and the account you are using. Note that the username may need to be fully qualified.

Repository > LDAP: Please enter the LDAP configuration details. Fields: Administrator, Password, Server, Port, Base DN, Synchronization schedule, Username attribute, Initial PIN attribute, Initial password attribute, Base Search Context, Group ObjectClass Name, User ObjectClass Name, Member attribute name, Member group attribut
107. ...ve the group selection as ANY, then any PINsafe user will be able to authenticate via this agent. If a group is specified, then the user must be a member of that group in order to authenticate via this agent. The agent groups are similar to other groups in PINsafe. For more details on groups, see the relevant section.

Using the User ChangePIN application

One of the most common agents deployed with PINsafe is the Change PIN application. This is an application that allows users to reset their own PINs. This application will come pre-configured as part of an appliance purchase. This application can be deployed on the same server as the PINsafe server or on a different server, but in either case it must be configured as an agent on the PINsafe server. The Change PIN application is usually supplied as a WAR file. To install the application, copy the changepin.war file to the webapps folder underneath the Apache Tomcat directory and then restart Tomcat. The settings for the Change PIN application are created by editing the settings.xml file under the webapps/changepin/WEB-INF directory:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<entry key="ssl">false</entry>
<entry key="server">localhost</entry>
<entry key="port">8080</entry>
<entry key="context">pinsafe</entry>
<entry key="secret">
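The settings.xml file shown here and the per-entry notes in the earlier Change PIN section both describe shipped defaults that an administrator is expected to revise. As an added example (not PINsafe's own code), the following loads such a file and flags a shared secret left at the shipped value, a plain-HTTP connection to a remote PINsafe server, and a port that contradicts the ssl setting; the sample file and the minimum secret length are constructed assumptions.

```python
"""Audit of the Change PIN application's settings.xml (added example, not
PINsafe's own code). The file is a Java properties XML document, as shown
in the manual; the sample below is constructed from the shipped defaults."""
import xml.etree.ElementTree as ET

SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<entry key="ssl">false</entry>
<entry key="server">localhost</entry>
<entry key="port">8080</entry>
<entry key="context">pinsafe</entry>
<entry key="secret">secret</entry>
<entry key="redirect">http://www.google.com</entry>
</properties>"""

DEFAULT_SECRET = "secret"   # value shipped in the manual's example file
MIN_SECRET_LEN = 16         # assumed local policy, not a PINsafe requirement


def load_settings(xml_text):
    """Return {key: value} from a Java properties XML document."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}


def audit_settings(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    secret = settings.get("secret", "")
    if secret == DEFAULT_SECRET or len(secret) < MIN_SECRET_LEN:
        findings.append("secret: shipped value or too short; set a suitably "
                        "random shared secret matching the PINsafe agent")
    ssl = settings.get("ssl", "false").lower() == "true"
    server = settings.get("server", "localhost")
    port = settings.get("port", "8080")
    if not ssl and server not in ("localhost", "127.0.0.1"):
        findings.append("ssl: false while PINsafe is on another host; agent "
                        "traffic would cross the network unencrypted")
    if ssl and port == "8080":
        findings.append("port: 8080 with ssl=true; the default SSL port is 8443")
    if not ssl and port == "8443":
        findings.append("port: 8443 with ssl=false; 8443 is the default SSL port")
    return findings
```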
108. 15. Restart the server.

After upgrading you will see that any repository you had will exist on the new installation, and it will be named after the associated hostname (or hostname followed by context, in the case of the XML repository). Therefore, if you had an AD repository in 3.2 you will have an XML repository in 3.3 named after the AD server's hostname or IP address. If you had an AD repository on your 3.2 installation you will now have the option to add an XML repository. It is recommended that you do this, as it gives you the ability to create admin accounts whilst you are working on the installation.

Upgrading from PINsafe version 3.1

To upgrade from PINsafe version 3.1, follow the same procedure as above, except that you should NOT restore config.xml in step 11. Configurations from versions earlier than 3.2 cannot be upgraded automatically. Instead you should follow these steps after completing step 15 above:

1. Log into the administration console using the username admin and the PIN 1234.
2. You will now have the new version running under pinsafe, alongside the existing version now running under pinsafeold. You can then cut and paste configuration settings from one to the other.

NB: You may want to delete the user sync job whilst performing the configuration, as if the repository synchronizes prior to the repository groups being configured th
109. ...y disable accounts.

Ignoring Fully Qualified (FQ) name changes

Repositories such as Active Directory have a concept of fully qualified names and account names. The fully qualified name uniquely identifies the object within the repository, and the account name is an attribute, such as sAMAccountName, that the user then uses as a username. For example, the fully qualified name may be CN=test,CN=User,OU=IT,DC=swivel,DC=com but the PINsafe account name will be created using the sAMAccountName, test. If the account is moved within the repository the fully qualified name changes, e.g. to CN=test,CN=User,OU=Admin,DC=swivel,DC=com. If you set "Ignore FQ name changes" to Yes, then if the fully qualified account name changes but the account name remains the same, PINsafe will ignore this change and the associated PINsafe account will not be modified. If "Ignore FQ name changes" is set to No, then the existing PINsafe account will be deleted and a new PINsafe account will be created for that user.

Marking missing users as deleted

PINsafe uses group membership within the user repository to determine the user's rights within PINsafe. If a user is removed from a group it is assumed that the user should be removed from PINsafe. However, it is recognised that the user, or even the whole group, may have been removed in error. If this has happened the accounts will be lost, and the only way to get them back would be to
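The two flags described above decide what a synchronisation does with an account whose fully qualified name has changed and with a user who has dropped out of the repository groups. The following model of those rules is an added example, not PINsafe's own code; the account and repository data are constructed, and the treatment of a marked-as-deleted user who reappears (reactivated with the same PIN) is an assumption.

```python
"""Model of the repository synchronisation rules described above (added
example, not PINsafe's own code). Repository entries carry a fully qualified
name (DN) and an account name such as sAMAccountName; PINsafe accounts are
keyed by account name and remember the DN they were created from.
Assumption: a user marked as deleted who reappears in the repository is
reactivated with the same PIN. All inputs below are constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    dn: str
    pin: Optional[str] = None   # None: a new PIN still has to be issued
    deleted: bool = False       # "marked as deleted": recoverable, PIN retained


def synchronise(accounts, repo_entries, ignore_fq_changes=True,
                mark_missing_as_deleted=True):
    """Apply one sync. accounts: {username: Account}; repo_entries: iterable of
    (dn, username) for users currently in the repository's PINsafe groups.
    Returns (updated accounts dict, list of event strings)."""
    result, events, seen = dict(accounts), [], set()
    for dn, username in repo_entries:
        seen.add(username)
        current = result.get(username)
        if current is None:
            result[username] = Account(username, dn)      # new user, PIN to be issued
            events.append(f"created {username}")
        elif current.deleted:
            result[username] = replace(current, dn=dn, deleted=False)
            events.append(f"undeleted {username}")
        elif current.dn != dn and ignore_fq_changes:
            events.append(f"ignored FQ name change for {username}")  # account untouched
        elif current.dn != dn:
            result[username] = Account(username, dn)      # old account gone: new PIN
            events.append(f"recreated {username}")
    for username, current in accounts.items():
        if username in seen or current.deleted:
            continue
        if mark_missing_as_deleted:
            result[username] = replace(current, deleted=True)   # recoverable later
            events.append(f"marked deleted {username}")
        else:
            del result[username]
            events.append(f"removed {username}")
    return result, events


# Constructed sample: 'test' has been moved from OU=IT to OU=Admin and
# 'graham' has dropped out of the PINsafe groups.
ACCOUNTS = {
    "test": Account("test", "CN=test,CN=User,OU=IT,DC=swivel,DC=com", pin="1234"),
    "graham": Account("graham", "CN=graham,CN=User,OU=IT,DC=swivel,DC=com", pin="5678"),
}
REPOSITORY = [("CN=test,CN=User,OU=Admin,DC=swivel,DC=com", "test")]
```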