One Identity Authentication Manager for Linux Thin Clients 9.0.2
Installation and Configuration Guide
Copyright 2017 One Identity LLC.
ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC. The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice.
One Identity do not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.OneIdentity.com/legal. All other trademarks are the property of their respective owners.
Legend
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
Authentication Manager for Linux Thin Clients Installation and Configuration Guide
Updated - December 2017
Version - 9.0.2
Contents
Preface
Overview
  rsUserAuth Usage
  Architecture
    RFID Badge Integration
    Smart Card Integration
Installing rsUserAuth
Configuring EAM
  Configuring the EAM console
  Configuring the EAM controller
    Roaming Secret
    Token Selection
Configuring rsUserAuth
  Parameters and Options
    Mandatory Parameters
    Optional Parameters and Options
    Command line arguments
    Example
  The Configuration File
    Description
    Template
  Enabling High Availability
    Subject
    Procedure
Logging on to a Roaming Session
  Logging on with an RFID Badge
    Subject
    Description
  Logging on with your Login and Password
    Subject
    Description
  Resetting your Password
    Subject
    Pre-requisite
    Description
Customizing Messages
  Subject
  Procedure
rsUserAuth Log File
Use Case: Installing and Configuring rsUserAuth on IGEL Thin Clients
  Subject
  Description
  Delivery and Customization
    The rsUserAuth.tar.bz2 file
      Content
      Customization
    The rsUserAuth.inf file
    Upload to an FTP server
  IGEL Configuration
    Custom partition
      Procedure
    One Identity Authentication Manager Session
      Procedure
    Smart Card Settings
      Procedure
  Logging on to IGEL
  Enrolling your RFID Badge with a PIN
    Subject
    Description
    Procedure
  Modifying the PIN of your RFID Badge
    Subject
    Description
    Procedure
  Authentication Module Log File
About us
  Contacting us
  Technical support resources
Preface
Subject
This guide explains how to install, configure and use rsUserAuth (Authentication Manager roaming session) on Linux systems (32-bit, 64-bit and ARM).
Audience
This guide is intended for system integrators.
Required Software
EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.
Typographical Conventions
Bold - Indicates:
- Interface objects, such as menu names, buttons, icons and labels.
- File, folder and path names.
- Keywords to which particular attention must be paid.
Italics - Indicates references to other guides.
Code - Indicates portions of program code, command lines or messages displayed in command windows.
CAPITALIZATION - Indicates specific objects within the application (in addition to standard capitalization rules).
< > - Identifies parameters to be supplied by the user.
Documentation support
The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide can be incorrect. Send us your comments or suggestions regarding the documentation on the One Identity support website.
1 Overview
rsUserAuth Usage
rsUserAuth is the authentication module of the EAM (Enterprise Access Management) suite on Linux thin clients. It enables rapid implementation of connection procedures using authentication mechanisms with physical tokens (smart cards and RFID badges), in addition to the standard authentication method of login/password.
rsUserAuth is used to implement strong authentication in the following scenarios:
- Authentication with smart cards.
- Authentication with RFID badges.
NOTE:
- For RFID badges, only PC/SC type badges are supported.
- The list of other supported authentication devices and software versions is provided in One Identity EAM Release Notes.
rsUserAuth requires EAM Web Services to retrieve the RFID badge or smart card owner's credentials. These credentials are passed to a specified start script, which for example opens a Windows session through a Citrix client. A specified end script is then called at the end of the process.
Architecture
rsUserAuth can only be installed in Active Directory mode or in Active Directory/AD LDS mode.
NOTE:
- Credentials are checked on the controller each time a roaming session is started or retrieved.
- Users who are not allowed to use a roaming session must provide their Windows credentials; the validity of those credentials is then checked.
RFID Badge Integration
Depending on your EAM configuration, you may be using RFID badges with a PIN. If so, a PIN that replaces the primary directory password is associated with each RFID badge.
1. The RFID badge serial number is read on the thin client by the rsUserAuth authentication module.
2. rsUserAuth sends a request to the EAM Web Services to retrieve the owner's name and credentials.
3. The EAM Security Service sends an LDAP request to the directory to retrieve the information.
4. The result is returned to rsUserAuth.
5. rsUserAuth processes the result as follows. If:
- The badge is associated with a user and a roaming session is active, the user credentials are returned to the specified start script, which can then be executed. Example: a Citrix session is opened.
- The badge is associated with a user but there is no active roaming session, either the user's Windows password or the PIN is requested to start a roaming session. The user credentials are then returned to the specified script, which can be executed.
- The badge is not associated with a user, a self-enrollment procedure is proposed. In that case, the user credentials are required. A roaming session is then started and the specified script is executed. In an RFID + PIN configuration, a PIN must be chosen in addition to the user credentials. This PIN must respect the PIN policy defined in EAM.
- The user password needs to be changed, the current and the new password are required. A roaming session is then started and the specified script is executed.
- The PIN must be changed (RFID + PIN authentication method only), the current PIN is required and a new PIN must be chosen.
- The badge is blacklisted or locked, an error message is returned.
Smart Card Integration
1. The smart card serial number and owner are read on the thin client by the rsUserAuth authentication module.
2. rsUserAuth sends a request to the EAM Web Services to check the owner and retrieve the owner's credentials.
3. The EAM Security Service sends an LDAP request to the directory to retrieve the information.
4. The result is returned to rsUserAuth.
5. rsUserAuth processes the result as follows. If:
- The card is associated with the card user and a roaming session is active, the user credentials are returned to the specified start script, which can then be executed. Example: a Citrix session is opened.
- The card is not associated with the right user, an error is returned.
- The card is associated with a user but there is no active roaming session, the card PIN is requested to retrieve the user credentials stored on the card and start a roaming session. The credentials are then returned to the specified script, which is executed (for example to open a Citrix session). If this fails, the user's Windows password is requested to start a roaming session; the specified script is then started and the credentials on the card are updated.
- The user password needs to be changed, the PIN and the new password are required (the current password is read from the token if available, otherwise it is requested). A roaming session is then started, the specified script is executed and the credentials on the card are updated.
- The card is blacklisted or locked, an error message is returned.
NOTE: PIN management is not supported: modifying and unblocking PINs must be done through the CardOS API tool.
2 Installing rsUserAuth
Depending on your thin client system type, copy the corresponding rsUserAuth binary to the thin client and give it execute permission.
Then copy the message catalog file rsUserAuth.cat into the same directory as the rsUserAuth binary, or into the directory specified by the message catalog parameter (in which case the name of the message catalog can also be changed).
NOTE: You can customize these messages. For more information, see Customizing Messages.
3 Configuring EAM
Configuring the EAM console
rsUserAuth supports the self-enrollment feature for RFID badges and allows the user to change his password when required.
To enable these features, you must grant the authorizations to the following modules in the EAM console:
- Password authentication method and Roaming session for users, in the User Security Profile.
- Enterprise SSO for the Web Service workstation, in the Access Point Profile.
You must also initialize and assign smart cards to users.
For more information, see One Identity EAM Console - Administrator's Guide.
Configuring the EAM controller
Roaming Secret
IMPORTANT: Security requirement: the data exchanged between the EAM Web Service and rsUserAuth is encrypted, so a shared secret is mandatory. The same secret must be configured on the EAM controller (below) and in rsUserAuth (see Configuring rsUserAuth).
The shared secret is stored in the Windows registry string value ExternalRoamingSessionSecret.
This value is set under the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Framework\Authentication key.
Token Selection
A roaming session can be retrieved for RFID badges and smart cards.
To restrict the search performed by EAM to a single token type, set the following Windows registry string value: ExternalRoamingSessionToken.
This value is set under the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Framework\Authentication key.
Two values are available:
- ExternalRoamingSessionToken = SmartCard means that only smart cards are searched.
- ExternalRoamingSessionToken = RFID means that only RFID badges are searched.
4 Configuring rsUserAuth
rsUserAuth needs configuration parameters, which can be provided on the command line and/or in a configuration file.
IMPORTANT: Each command-line argument overrides the corresponding configuration file parameter if both are set.
Parameters and Options
Mandatory Parameters
- EAM Web service URL. Example: https://129.182.77.100:9765/soap
  You can define a list of several Web servers: when a Web server is not responding, the next server in the list is used. The URLs must be separated by a comma and only HTTPS is allowed. Example:
  https://129.182.77.100:9765/soap,//129.182.77.200:9765/soap,//129.182.77.300:9765/soap
- CA certificate file path, or path of the certification authority directory, for HTTPS connections. If there is a list of EAM Web services, you must define either the directory that holds the certificates or a list of certificate files. A list of certificate files must be separated by commas, contain the same number of items as the EAM Web service list, and be in the same order.
  Example: if the EAM Web service list contains:
  https://129.182.77.100:9765/soap,//129.182.77.200:9765/soap,//129.182.77.300:9765/soap
  the certificate file list must contain:
  /etc/rsUserAuth/ca1.crt,/etc/rsUserAuth/ca2.crt,/etc/rsUserAuth/ca3.crt
  - ca1.crt is used with the 129.182.77.100 web server.
  - ca2.crt is used with the 129.182.77.200 web server.
  - ca3.crt is used with the 129.182.77.300 web server.
  Alternatively, a certificate directory can be used: /etc/rsUserAuth
- Shared secret, or the complete path of a file holding the shared secret. Example: My_Secret or /etc/rsUserAuth/secret
  IMPORTANT: A secret passed on the command line (-s) is visible to every local user through ps and /proc for as long as rsUserAuth runs. Prefer the file form (-S) or the configuration file, and restrict the file's permissions to the account that runs rsUserAuth.
- Start script to execute when the badge is detected. This script receives 3 parameters:
  - $1 = username
  - $2 = password
  - $3 = domain
  Example: /home/rsUserAuth/start.bash
  NOTE: The password is delivered to the start script as a command-line argument, so the same visibility caveat applies to any process the script launches with the password on its command line.
- End script to execute when the badge is removed. Example: /home/rsUserAuth/stop.bash
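The following start and end scripts are an added example, not part of this guide or of One Identity's deliverables. They show one way to handle the three positional parameters described above: rsUserAuth passes the password as $2, and the arguments of a running process can be read by other local users through ps and /proc, so the script hands the password to the session launcher in a mode-0600 file rather than forwarding it as an argument, and logs only the identity, never the secret. The launcher path (/usr/local/bin/launch-session), its --user and --password-file options, and the state directory are hypothetical placeholders; substitute the real invocation of your Citrix or other client.

```shell
#!/bin/sh
# Example start/end scripts for rsUserAuth (added example; not One Identity code).
# Install the same file as /home/rsUserAuth/start.bash and /home/rsUserAuth/stop.bash;
# the dispatcher at the bottom picks the role from the name it was called by.
#
# rsUserAuth invokes the start script as:  start.bash <username> <password> <domain>
# and the end script with no arguments when the badge is removed.
#
# Assumptions (hypothetical, replace for your site):
#   LAUNCHER   a session client that accepts --user and --password-file
#   STATE_DIR  a per-thin-client directory for the pid file and audit log

STATE_DIR="${RSUSERAUTH_STATE_DIR:-/tmp/rsUserAuth-session}"
LAUNCHER="${RSUSERAUTH_LAUNCHER:-/usr/local/bin/launch-session}"

# Build the user principal name from the login and domain returned by EAM.
make_upn() {
    printf '%s@%s\n' "$1" "$2"
}

# Write the password to a file readable only by the calling user (umask 077
# applies to the directory and the file) and print the file's path.
# Anything on a command line is readable via ps; a 0600 file is not.
write_secret_file() {
    dir=$1
    secret=$2
    (
        umask 077
        mkdir -p "$dir" && printf '%s' "$secret" > "$dir/cred.$$"
    ) || return 1
    printf '%s\n' "$dir/cred.$$"
}

# One audit line per session start: identity only, never the secret.
audit_line() {
    printf '%s session start user=%s domain=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" "$2"
}

# start.bash: called with <username> <password> <domain>.
start_session() {
    user=$1
    pass=$2
    domain=$3
    if [ -z "$user" ] || [ -z "$pass" ] || [ -z "$domain" ]; then
        echo "usage: start.bash <username> <password> <domain>" >&2
        return 2
    fi
    credfile=$(write_secret_file "$STATE_DIR" "$pass") || return 1
    audit_line "$user" "$domain" >> "$STATE_DIR/audit.log"

    if [ -x "$LAUNCHER" ]; then
        # The launcher reads the password from the file; only the UPN and the
        # file path appear in its argv.
        "$LAUNCHER" --user "$(make_upn "$user" "$domain")" --password-file "$credfile" &
        echo $! > "$STATE_DIR/session.pid"
    else
        echo "launcher $LAUNCHER not found; aborting" >&2
        rm -f "$credfile"
        return 1
    fi
    # Give the launcher a moment to read the file, then remove the secret.
    sleep 1
    rm -f "$credfile"
}

# stop.bash: called when the badge is withdrawn. Ends the session started above.
stop_session() {
    pidfile="$STATE_DIR/session.pid"
    rm -f "$STATE_DIR"/cred.*              # never leave a password on disk
    [ -f "$pidfile" ] || return 0          # nothing running: not an error
    pid=$(cat "$pidfile")
    rm -f "$pidfile"
    kill "$pid" 2>/dev/null || true
}

case "${0##*/}" in
    start.bash) start_session "$@" ;;
    stop.bash)  stop_session ;;
esac
```

Whatever client you launch, check how it accepts credentials: if it only takes the password as an argument, the file indirection buys nothing and the password will be visible in ps for the life of the client process.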
Optional Parameters and Options
- rsUserAuth configuration file: complete path and file name. By default, it is /etc/rsUserAuth/rsUserAuth.ini.
- Verbose mode: log messages are directed either to stderr, or to both stderr and the log file.
- Tapping mode: this feature is only available for RFID badges. By default, this mode is disabled.
- Message catalog path: complete path and file name. By default, it is ./rsUserAuth.cat (see Installing rsUserAuth).
- Trace level: one of the following values:
  - none
  - low
  - medium
  - high
  - details
  NOTE: For more information on the log file, see rsUserAuth Log File.
- Logging directory: complete path of the logging directory. By default, the logging directory is /tmp.
- Version number: prints the version of the rsUserAuth binary.
- Help: prints the command line options.
- Welcome message: displays a customized message when the process is ready to accept a card on the reader.
- Authentication configuration file path: complete path and file name of the file that holds the smart card settings, for example the PKCS#11 library path. Example of an authentication configuration setting:
  smartcard_pkcs_library=/usr/local/lib/libcardos11.so
- Process to spy: name of the process whose termination triggers the end script. This feature is only available in RFID tapping mode.
- Password authentication: enables authentication with the password method and resetting the user's primary password.
Command line arguments
- -h: help menu.
- -v: version information.
- -d: verbose (debug) mode with output on stderr.
- -D: verbose mode with output on stderr and in the log file.
- -p path: configuration file path and name (see The Configuration File).
- -u url: EAM Web service URL list.
- -s secret: shared secret.
- -S path: path and name of the shared secret file.
- -e exe: start script.
- -x exe: end (stop) script.
- -c ca.cert: CA certificate file list, or path of the certification authority directory.
- -M path: message catalog path.
- -l level: trace level.
- -L path: path of the logging directory.
- -t: tapping mode.
- -T delay: delay for dynamic tapping mode (in seconds).
- -w: display the welcome message.
- -A path: authentication configuration file path.
- -y name: name of the process to spy (RFID tapping mode).
- -P: password authentication is supported.
- -n domain: default domain name for password authentication.
Example
rsUserAuth -u https://192.168.45.120:9765/soap -S /etc/rsUserAuth/secret.txt -e start.bash -x stop.bash -l medium -A /etc/rsUserAuth/authConf.txt
The Configuration File
Description
The default configuration file name is rsUserAuth.ini, it is located in the /etc/rsUserAuth directory. The configuration file name and path can be customized, its full pathname must be provided with the argument -p of the rsUserAuth command line.
Template
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; rsUserAuth configuration file
; default path of the .ini file is /etc/rsUserAuth/rsUserAuth.ini
; this file contains settings for rsUserAuth
; each setting has a specific label followed by "=" and its value;
; to validate a setting, update and uncomment the right line.
[general]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; User Access web service url.
;url=https://192.168.45.120:9765/soap
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Cacert file path of certification authority
;caCrt_Path=/etc/rsUserAuth/ca.crt
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; shared secret
;secret=My_Secret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; shared secret path including the name of the file
;secret_Path=/etc/rsUserAuth/secret.txt
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; path of the message catalog including the name of the file
;messages_Path=/etc/rsUserAuth/messages.cat
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; start script which will be executed after retrieving
; roaming session
; parameters are:
; $1 is username
; $2 is password
; $3 is domain
;startExec=/home/rsUserAuth/start.bash
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; command which will be executed after card is removed
;endExec=/home/rsUserAuth/stop.bash
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; tapping mode may be "on" or "off", default value is "off"
;tapping=on
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; tapping delay for dynamic tapping. Delay is in seconds, default is 3
;tappingDelay=3
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; logging parameters
; logLevel may be "none", "low", "medium", "high", "details"
; logDirectory : default value is /tmp. Be careful to have write
; permissions for this directory
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;logLevel= none
;logDirectory= /tmp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; welcome message may be "on" or "off", default value is "off"
;welcomeMessage=on
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; authentication configuration file path
;authenticationConfigurationFile_Path=/etc/rsUserAuth/authConf.txt
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Name of the process to spy (RFID tapping mode only)
;processToSpy=My_process
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Password authentication is allowed
;passwordAuthenticationMethod=on
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Default domain name in case of password authentication
;defaultDomain=myDomain
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Enabling High Availability
Subject
Authentication Manager for Linux is highly available as it can support more than one server at a time. To enable high availability, execute the following procedure.
Procedure
Set the following configuration parameters:
- EAM Web service (-u parameter): enter a comma-separated list of Web server URLs, such as: https://129.182.77.111:9765/soap,//129.182.77.222:9765/soap,//129.182.77.333:9765/soap, etc.
- Certificate file path (-c parameter): enter a comma-separated list of certificate files, such as: /etc/rsUserAuth/ca111.crt,/etc/rsUserAuth/ca222.crt,/etc/rsUserAuth/ca333.crt, etc.
NOTE: The number of certificates must be the same as the number of Web servers in the list, and the two lists must be ordered the same way.
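As an added check, not part of this guide or of the product, the shell function below validates a -u / -c pair before it goes into the configuration (this covers both the Mandatory Parameters description and the high-availability procedure above): it splits both comma-separated lists, requires the same number of entries, rejects any entry that is not HTTPS, and prints the resulting URL-to-certificate pairing so the order can be checked by eye. A single directory given for -c is accepted for every server, as the guide describes. The sample values are the guide's own examples; treating a scheme-relative entry (//host:port/soap) as HTTPS is an assumption drawn from how the guide writes its lists.

```shell
#!/bin/sh
# Validate an rsUserAuth web-service list against its certificate list
# (added example; not part of the product). Usage:
#   validate_ha_lists "<url>,<url>,..." "<cert>,<cert>,... | <ca-directory>"
# Exit status 0 when the pairing is consistent, 1 otherwise; prints one
# "<url> -> <certificate>" line per server on success.

# Split a comma-separated list, trim surrounding blanks, drop empty items.
split_list() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# Number of items in a comma-separated list.
count_items() {
    split_list "$1" | wc -l | tr -d ' '
}

# The n-th item (1-based) of a comma-separated list.
item_at() {
    split_list "$1" | sed -n "${2}p"
}

validate_ha_lists() {
    urls=$1
    certs=$2
    nurls=$(count_items "$urls")
    [ "$nurls" -gt 0 ] || { echo "ERROR: empty web service list" >&2; return 1; }

    if [ -d "$certs" ]; then
        # One CA directory serves every server in the list.
        ncerts=$nurls
    else
        ncerts=$(count_items "$certs")
        if [ "$nurls" -ne "$ncerts" ]; then
            echo "ERROR: $nurls web service URLs but $ncerts certificate files" >&2
            return 1
        fi
    fi

    i=1
    while [ "$i" -le "$nurls" ]; do
        url=$(item_at "$urls" "$i")
        case $url in
            https://*) ;;   # explicit HTTPS
            //*) ;;         # scheme-relative, as in the guide's lists (assumed to inherit https)
            *) echo "ERROR: entry $i is not HTTPS: $url" >&2; return 1 ;;
        esac
        if [ -d "$certs" ]; then
            cert=$certs
        else
            cert=$(item_at "$certs" "$i")
        fi
        printf '%s -> %s\n' "$url" "$cert"
        i=$((i + 1))
    done
}
```

Run it with the exact strings you intend to pass to -u and -c; the printed pairing is what rsUserAuth will use, so a swapped certificate shows up here rather than as a TLS failure at the first failover.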
5 Logging on to a Roaming Session
Logging on with an RFID Badge
Subject
This section explains how to connect to a roaming session on a Linux thin client with your RFID badge.
Description
An RFID badge can be used in one of three ways:
- Placed on the reader and left there (active mode). The roaming session is:
  - Started (the roaming session is retrieved and the start script is executed, which may open a Citrix session, for example) when the badge is placed on the reader.
  - Locked (the end script is executed) when the badge is withdrawn.
  IMPORTANT: The badge must remain on the reader as long as the roaming session is needed.
- Placed on the reader for a specific length of time (dynamic tapping mode). The roaming session is:
  - Started (the roaming session is retrieved and the start script is executed) when the badge is placed on the reader.
  - Then set in:
    - passive mode if the badge is withdrawn before the delay expires.
    - active mode if the badge is not withdrawn before the delay expires.
- Quickly presented to the reader (passive mode, also called tapping mode). The roaming session is:
  - Started (the roaming session is retrieved and the start script is executed) when the badge is placed on the reader and withdrawn.
  - Locked (the end script is executed) when the badge is presented again and withdrawn.
NOTE:
- In tapping mode, a specified process can be spied (see the Process to spy parameter).
- If the start script launches that process and the process ends before the badge is presented a second time, the end script is executed and the badge state is reset. The Process to spy parameter (-y on the command line, processToSpy in the configuration file) must be set to enable this behaviour.
Logging on with your Login and Password
Subject
This section explains how to connect to a roaming session on a Linux thin client with your login and password.
Description
To log on, the user needs to provide his login, password and domain.
Once the credentials are successfully checked by EAM, the start script is executed.
When a new authentication is requested, the end script is executed.
NOTE: No roaming session is started, only the scripts are started/ended.
Resetting your Password
Subject
You can reset your password by answering a series of personal questions.
Pre-requisite
You must have defined a series of personal questions & answers with Authentication Manager.
Description
You must answer your personal questions to be able to reset your password.
Once the questions are successfully checked by EAM, you must define a new password.
NOTE: A PFCP (Password Format Control Policy) may be displayed to help you define your new password.
6 Customizing Messages
Subject
The default message catalog file provided is rsUserAuth.cat. The text of the messages can be customized and localized; to do so, a new message catalog must be generated. When:
- No message catalog path is set as an rsUserAuth argument (on the command line or in the configuration file), the new message catalog must be named rsUserAuth.cat and installed in the same directory as the rsUserAuth binary.
- A message catalog path is set, you must install and name the message catalog according to that configuration parameter.
Procedure
1. Edit the provided rsUserAuth.msg file.
2. You can change the text of each message, but you must keep its format (the message number followed by the text). Example:
     2 Internal error.\nPlease contact your administrator.
   can be changed into:
     2 Please contact the helpdesk.
3. When you have finished your modifications, save them in a new file (for example my_rsUserAuth.msg) and generate the message catalog (for example my_rsUserAuth.cat) as follows:
     gencat my_rsUserAuth.cat my_rsUserAuth.msg
NOTE: rsUserAuth cannot start if the message catalog is unavailable.
7 rsUserAuth Log File
Each time rsUserAuth starts, a log file named rsUserAuth_<pid>.log (where <pid> is the process ID of the rsUserAuth instance) is created in the logging directory.
Depending on your needs, different trace levels can be selected: none, low, medium, high, details.
Each log entry is preceded by the date and time.
IMPORTANT: No log rotation or disk-space control is implemented. The log records the user login, domain and GUID returned by the Web service, and the default logging directory (/tmp) is world-writable: point the logging directory at a directory owned by the account that runs rsUserAuth, and remove or rotate old files yourself.
Here are the first lines of the rsUserAuth log file:
16/09/22 10:51:07.443 :START :0000 ***
16/09/22 10:51:07.444 :START :0000 *** Trace File for rsUserAuth
16/09/22 10:51:07.444 :START :0000 *** Trace Level=4
16/09/22 10:51:07.444 :START :0000 *** rsUserAuth version 1.4.6110
16/09/22 10:51:07.444 :START :0000 *** rsUserAuth pid 16747
16/09/22 10:51:07.444 :START :0000 ***
16/09/22 10:51:07.444 :START :0000 *** system name Linux
16/09/22 10:51:07.444 :START :0000 *** release 3.2.0-4-686-pae
16/09/22 10:51:07.444 :START :0000 *** version #1 SMP Debian 3.2.51-1
16/09/22 10:51:07.444 :START :0000 *** machine i686
16/09/22 10:51:07.444 :START :0000 ***
16/09/22 10:51:07.444 :RoamingEngine.cpp :0336 message catalog opening...(null)
16/09/22 10:51:07.444 :RoamingDisplay.cpp :0010 RoamingDisplay (null)
16/09/22 10:51:07.444 :RoamingDisplay.cpp :0034 the catalog of messages is open
16/09/22 10:51:07.444 :RoamingEngine.cpp :0339 message catalog ret 1
16/09/22 10:51:07.444 :RoamingEngine.cpp :0477
configuration parameters
url: https://129.182.77.106:9765/soap
startExec: /etc/rsUserAuth/start.bash
endExec: /etc/rsUserAuth/stop.bash
tapping mode: off
tappingDelay: 5
welcome: on
secret_Path:
messages_Path:
Cacert_Path: /etc/rsUserAuth
smartcard_pkcs_library:
PasswordAuthenticationMethod: on
16/09/22 10:51:07.444 :RoamingEngine.cpp :0592 list of web servers :
16/09/22 10:51:07.444 :RoamingEngine.cpp :0596 https://129.182.77.106:9765/soap
16/09/22 10:51:07.444 :RoamingEngine.cpp :0690 arg_caCrt is a directory
16/09/22 10:51:07.444 :RoamingSession.cpp :1175 selected protocol: https
16/09/22 10:51:07.444 :RoamingSession.cpp :1183 web service : https://129.182.77.106:9765/soap
16/09/22 10:51:07.444 :RoamingSession.cpp :1186 certificate: /etc/rsUserAuth
16/09/22 10:51:07.453 :RoamingSession.cpp :1249 soap_call___wgws__GetVersion (https://129.182.77.106:9765/soap) version = 9.1.0
16/09/22 10:51:07.453 :RoamingSession.cpp :0096 init_for_soap successful
16/09/22 10:51:07.453 :RoamingEngine.cpp :0775 InitSoap successful
16/09/22 10:51:07.456 :RoamingEngine.cpp :0791 InitSessionKey successful
16/09/22 10:51:07.460 :Cpkcsmon.cpp :0062 Pkcs is not configured
16/09/22 10:51:07.460 :Cpcscmon.cpp :0039 !m_Pkcs->IsInit
16/09/22 10:51:07.460 :Cpcscmon.cpp :0043 Pkcs is unavailable
16/09/22 10:51:07.460 :Cpcscmon.cpp :0051 Put Card on Reader
16/09/22 10:51:07.461 :Cpcscmon.cpp :0168 2 PC/SC readers found
16/09/22 10:51:07.461 :Cpcscmon.cpp :0272 Reader 0: OMNIKEY CardMan (076B:5321) 5321 00 00
16/09/22 10:51:07.461 :Cpcscmon.cpp :0275 Card state:
16/09/22 10:51:07.461 :Cpcscmon.cpp :0288 No card in the reader
16/09/22 10:51:07.461 :Cpcscmon.cpp :0272 Reader 1: OMNIKEY CardMan (076B:5321) 5321 00 01
16/09/22 10:51:07.461 :Cpcscmon.cpp :0275 Card state:
16/09/22 10:51:07.461 :Cpcscmon.cpp :0288 No card in the reader
16/09/22 10:51:09.436 :Cpcscmon.cpp :0272 Reader 1: OMNIKEY CardMan (076B:5321) 5321 00 01
16/09/22 10:51:09.436 :Cpcscmon.cpp :0275 Card state:
16/09/22 10:51:09.436 :Cpcscmon.cpp :0299 Card present
16/09/22 10:51:09.436 :Cpcscmon.cpp :0327 Card ATR:
16/09/22 10:51:09.436 :Cpcscmon.cpp :0334 3b8f8001804f0ca000000306030001000000006a
16/09/22 10:51:09.436 :Cpcscmon.cpp :0432 has_UID...
16/09/22 10:51:09.443 :RoamingEngine.cpp :1315 onCardInsert 9AF989A2
16/09/22 10:51:09.443 :RoamingEngine.cpp :1366 Badge inserted at 1474534269.
16/09/22 10:51:09.443 :RoamingEngine.cpp :1374 onCardInsert tapping mode false , badge no previous
16/09/22 10:51:09.443 :RoamingEngine.cpp :1082 getSession
16/09/22 10:51:09.443 :RoamingSession.cpp :0629 RetrieveRoamingSession ...
16/09/22 10:51:09.443 :RoamingSession.cpp :0649 RetrieveRoamingSession for badge started
16/09/22 10:51:09.443 :RoamingSession.cpp :0359 SetRetrieveRoamingSessionDataIN ret: 0x0
16/09/22 10:51:09.443 :RoamingSession.cpp :0662 soap_call___wgws__RetrieveRoamingSession...
16/09/22 10:51:09.523 :RoamingSession.cpp :0665 soap_call___wgws__RetrieveRoamingSession
16/09/22 10:51:09.523 :RoamingSession.cpp :0462 GetRetrieveRoamingSessionDataOUT ret: 0x0
16/09/22 10:51:09.523 :RoamingSession.cpp :0718 RetrieveRoamingSession ret: 0x0
16/09/22 10:51:09.523 :RoamingSession.cpp :1327 RetrieveRoamingSession 0x0
16/09/22 10:51:09.523 :RoamingSession.cpp :1328 Version : 2
16/09/22 10:51:09.523 :RoamingSession.cpp :1329 UserDomain : dev.ua.dom
16/09/22 10:51:09.523 :RoamingSession.cpp :1330 UserLogin : Alix
16/09/22 10:51:09.523 :RoamingSession.cpp :1331 UserPassword :
16/09/22 10:51:09.523 :RoamingSession.cpp :1332 UserPrincipalName : [email protected]
16/09/22 10:51:09.523 :RoamingSession.cpp :1333 UserGUID : 05f5bbe53a62cd4e9b2a70529ebe6c77
16/09/22 10:51:09.523 :RoamingSession.cpp :1334 PINRequired : true
16/09/22 10:51:09.523 :RoamingSession.cpp :1335 PINNotInitialized : false
16/09/22 10:51:09.523 :RoamingSession.cpp :1336 RetrieveRoamingSession 0x0
16/09/22 10:51:09.523 :RoamingSession.cpp :1356 roaming session does not exist
16/09/22 10:51:09.523 :RoamingSession.cpp :1398 getRoamingSession result 0x0
16/09/22 10:51:09.523 :RoamingEngine.cpp :1112 getSession result : 0x0
16/09/22 10:51:09.523 :RoamingEngine.cpp :1172 getSession : password is empty
16/09/22 10:51:09.523 :RoamingEngine.cpp :1179 getSession : PIN is required
16/09/22 10:51:10.772 :Cpcscmon.cpp :0272 Reader 1: OMNIKEY CardMan (076B:5321) 5321 00 01
16/09/22 10:51:10.772 :Cpcscmon.cpp :0275 Card state:
16/09/22 10:51:10.772 :Cpcscmon.cpp :0288 No card in the reader
16/09/22 10:51:10.772 :RoamingEngine.cpp :1424 Badge withdrawn 1 s after detection.
16/09/22 10:51:10.772 :RoamingEngine.cpp :1435 onCardRemove bTapping true
16/09/22 10:51:10.772 :RoamingEngine.cpp :1468 onCardRemove (tapping mode) no previous
16/09/22 10:51:13.397 :RoamingEngine.cpp :3179 onRFIDPinCode
16/09/22 10:51:13.397 :RoamingEngine.cpp :2995 StartAndCheckSession : startNewSession ...
16/09/22 10:51:13.397 :RoamingSession.cpp :0728 InitiateRoamingSession ...
16/09/22 10:51:13.397 :RoamingSession.cpp :0749 InitiateRoamingSession for user '05f5bbe53a62cd4e9b2a70529ebe6c77' started
16/09/22 10:51:13.397 :RoamingSession.cpp :0527 SetInitRoamingSessionDataIN ret: 0x0
16/09/22 10:51:13.765 :RoamingSession.cpp :0597 GetInitRoamingSessionDataOUT ret: 0x0
16/09/22 10:51:13.765 :RoamingSession.cpp :0816 InitiateRoamingSession ret: 0x0
16/09/22 10:51:13.765 :RoamingSession.cpp :1595 InitiateRoamingSession 0x0
16/09/22 10:51:13.765 :RoamingSession.cpp :1615 roaming session does not exist
16/09/22 10:51:13.765 :RoamingSession.cpp :1676 startNewSession returns 0x0
16/09/22 10:51:13.765 :RoamingEngine.cpp :2999 startNewSession ret = 0
16/09/22 10:51:13.765 :RoamingEngine.cpp :3008 StartAndCheckSession : startNewSession successful
16/09/22 10:51:13.766 :RoamingEngine.cpp :3029 Roaming Session is valid -> Starting /etc/rsUserAuth/start.bash with its arguments
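The excerpt above is a complete badge authentication: card insert, RetrieveRoamingSession returning the user record with an empty UserPassword and PINRequired true, badge withdrawn (tapping mode), PIN entered, InitiateRoamingSession, and finally start.bash. When checking many of these logs (for example the per-session debug files collected from a fleet of thin clients) it helps to reduce each one to a few facts. The parser below is an added example written for this guide; it is not part of rsUserAuth or of One Identity's documentation. It reconstructs that sequence from the log format shown above and applies two checks a practitioner would want: that no call logged a non-zero return code, and that the UserPassword field, which the module visibly prints, is empty, because a non-empty value would mean a credential has been written to the debug log. The year/month/day order of the timestamp is inferred from the epoch value 1474534269 printed next to it (2016-09-22); the sample lines are copied from the excerpt, and the function names are the example's own.

```python
"""Reconstruct one rsUserAuth badge authentication from debug log lines (added example)."""
import re
from datetime import datetime

# Line layout seen in the guide: "YY/MM/DD HH:MM:SS.mmm :source.cpp :LLLL message"
# (YY/MM/DD is inferred from "Badge inserted at 1474534269" = 2016-09-22).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r":(?P<src>\S+) :(?P<srcline>\d+) (?P<msg>.*)$"
)
FIELD_RE = re.compile(r"^(?P<key>User\w+|PIN\w+|Version) : ?(?P<val>.*)$")
RET_RE = re.compile(r"\b(?:ret|returns|result)\b\s*[:=]?\s*(?P<code>0x[0-9A-Fa-f]+)")
INSERT_RE = re.compile(r"^onCardInsert (?P<uid>[0-9A-Fa-f]+)$")
START_RE = re.compile(r"Roaming Session is valid -> Starting (?P<script>\S+)")

# Constructed sample: the lines are taken from the guide's excerpt of the same session.
SAMPLE_LOG = """\
16/09/22 10:51:09.436 :Cpcscmon.cpp :0299 Card present
16/09/22 10:51:09.436 :Cpcscmon.cpp :0334 3b8f8001804f0ca000000306030001000000006a
16/09/22 10:51:09.443 :RoamingEngine.cpp :1315 onCardInsert 9AF989A2
16/09/22 10:51:09.443 :RoamingSession.cpp :0359 SetRetrieveRoamingSessionDataIN ret: 0x0
16/09/22 10:51:09.523 :RoamingSession.cpp :1330 UserLogin : Alix
16/09/22 10:51:09.523 :RoamingSession.cpp :1331 UserPassword :
16/09/22 10:51:09.523 :RoamingSession.cpp :1334 PINRequired : true
16/09/22 10:51:09.523 :RoamingEngine.cpp :1179 getSession : PIN is required
16/09/22 10:51:10.772 :RoamingEngine.cpp :1424 Badge withdrawn 1 s after detection.
16/09/22 10:51:13.397 :RoamingEngine.cpp :3179 onRFIDPinCode
16/09/22 10:51:13.765 :RoamingSession.cpp :1676 startNewSession returns 0x0
16/09/22 10:51:13.766 :RoamingEngine.cpp :3029 Roaming Session is valid -> Starting /etc/rsUserAuth/start.bash with its arguments
"""


def parse_line(line):
    """Split one log line into timestamp, source file, source line and message; None if malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%y/%m/%d %H:%M:%S.%f"),
        "src": m.group("src"),
        "srcline": int(m.group("srcline")),
        "msg": m.group("msg"),
    }


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not follow the format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Reduce one badge presentation to the facts an operator checks."""
    s = {"badge_uid": None, "fields": {}, "password_in_log": False, "pin_entered": False,
         "nonzero_returns": [], "session_started": False, "start_script": None,
         "seconds_to_session": None}
    t_insert = None
    for e in events:
        msg = e["msg"]
        m = INSERT_RE.match(msg)
        if m:
            s["badge_uid"], t_insert = m.group("uid"), e["ts"]
            continue
        m = FIELD_RE.match(msg)
        if m:  # "UserLogin : Alix", "PINRequired : true", "UserPassword :" ...
            key, val = m.group("key"), m.group("val").strip()
            s["fields"][key] = val
            if key == "UserPassword" and val:
                s["password_in_log"] = True  # credential written to the debug log
            continue
        if msg == "onRFIDPinCode":
            s["pin_entered"] = True
        m = RET_RE.search(msg)
        if m and int(m.group("code"), 16) != 0:
            s["nonzero_returns"].append((e["src"], e["srcline"], m.group("code")))
        m = START_RE.search(msg)
        if m:
            s["session_started"], s["start_script"] = True, m.group("script")
            if t_insert is not None:
                s["seconds_to_session"] = (e["ts"] - t_insert).total_seconds()
    return s


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key:20} {value}")
```

Run it against /var/log/rsuserauth0.debug (the IGEL path given later in this guide) by reading the file into parse_log. A session summary with password_in_log true, or with entries in nonzero_returns, is the one to look at first.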
8 Use Case: Installing and Configuring rsUserAuth on IGEL Thin Clients
Subject
This section explains how to configure the One Identity authentication module rsUserAuth on IGEL thin clients.
NOTE:
- The list of supported authentication devices and software versions is provided in the One Identity EAM Release Notes.
- There is no specific installation required for RFID badges; only the configuration described in One Identity Authentication Manager Session is required.
Description
The One Identity Authentication Manager session is configured through the parameters available in the IGEL setup and through specific registry keys; a configuration file is optional.
As the CardOS libraries are not integrated in IGEL, a custom partition must be used. This partition is built from an FTP server, to which two files must be uploaded: rsUserAuth.inf and rsUserAuth.tar.bz2.
Delivery and Customization
The rsUserAuth.tar.bz2 file
Content
The following elements are delivered:
- CardOS_API_Version_Number_x86_Linux.tar.gz: CardOS libraries.
- IGELProvisionningScript.sh: script executed at installation.
- start.bash: example of a script to execute when the smart card is inserted (not used in the case of a Citrix session).
- stop.bash: example of a script to execute when the smart card is removed (not used in the case of a Citrix session).
- ca.cert: certificate for the secured connection (must be replaced with the customer's certificate).
- authConf.txt: smart card settings (PKCS library path).
Customization
Extract the rsUserAuth.tar.bz2 file so that you can include the correct certificate file, with the following command line:
tar -xvjf rsUserAuth.tar.bz2
Replace the ca.cert file with the customer certificate. A sample certificate can be generated from the EAM controller: in the Administration Tools window > Controller configuration, click Configure Directory and Audit login/password, then select the Web Service Security tab in the Controller Configuration window.
Rebuild the compressed file with the following command line (followed by the names of the extracted files to include):
tar -jcvf rsUserAuth.tar.bz2
The rsUserAuth.inf file
The content of this custom partition file is as follows:
[PART]
file="rsUserAuth.tar.bz2"
version="2"
Increment the version parameter each time you rebuild the archive, so that the thin client replaces the files it previously loaded the next time it starts.
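The customization steps above (extract, swap ca.cert, re-archive, bump the [PART] version) are easy to get subtly wrong by hand, for instance by packaging a key file instead of a certificate or forgetting the version bump so the clients keep the old archive. The script below is an added example, not part of the guide or of One Identity's deliverables; it is written in Python so it needs no bzip2 binary. The file names ca.cert and rsUserAuth.inf and the [PART] layout come from the guide; the placeholder PEM blobs, the demo archive contents and the helper names are constructed for the demonstration. It adds one check the guide omits (refusing to package anything that is not a single PEM certificate) and copies the archive member by member instead of extracting it, so a tampered archive cannot write outside the working directory.

```python
"""Rebuild rsUserAuth.tar.bz2 with the customer CA certificate and bump rsUserAuth.inf (added example)."""
import base64
import io
import os
import re
import tarfile
import tempfile

# Constructed placeholders: each is a syntactically valid PEM block around a five-byte DER
# SEQUENCE, NOT a real X.509 certificate. Use the certificate exported from the EAM controller.
SAMPLE_OLD_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
SAMPLE_NEW_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_INF = '[PART]\nfile="rsUserAuth.tar.bz2"\nversion="2"\n'   # layout from the guide

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(?P<b64>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def check_pem_certificate(pem):
    """Sanity check before packaging: exactly one PEM certificate block, valid base64, DER SEQUENCE tag.
    It does not validate chain or expiry; use `openssl x509 -in ca.cert -noout -dates` for that."""
    blocks = PEM_RE.findall(pem)
    if len(blocks) != 1:
        return False
    try:
        der = base64.b64decode(b"".join(blocks[0].split()), validate=True)
    except ValueError:
        return False
    return len(der) > 2 and der[0] == 0x30


def bump_inf_version(inf_text):
    """Return (new_text, new_version) with the [PART] version incremented so IGEL fetches the new archive."""
    m = re.search(r'^version="(\d+)"\s*$', inf_text, re.MULTILINE)
    if not m:
        raise ValueError('rsUserAuth.inf has no version="N" line')
    new_version = int(m.group(1)) + 1
    return inf_text[:m.start(1)] + str(new_version) + inf_text[m.end(1):], new_version


def _safe_member(member):
    """Reject absolute paths, parent references and links, which extraction tools may honour."""
    return (not member.name.startswith("/") and ".." not in member.name.split("/")
            and not member.islnk() and not member.issym())


def rebuild_partition(src_archive, new_cert_path, inf_path, dst_archive):
    """Copy src_archive to dst_archive member by member, substituting ca.cert, then bump inf_path."""
    with open(new_cert_path, "rb") as f:
        cert = f.read()
    if not check_pem_certificate(cert):
        raise ValueError(f"refusing to package {new_cert_path}: not a single valid PEM certificate")
    replaced = False
    with tarfile.open(src_archive, "r:bz2") as src, tarfile.open(dst_archive, "w:bz2") as dst:
        for member in src:
            if not _safe_member(member):
                raise ValueError(f"unsafe member in archive: {member.name}")
            if member.isfile() and os.path.basename(member.name) == "ca.cert":
                info = tarfile.TarInfo(member.name)
                info.size, info.mode, info.mtime = len(cert), 0o644, member.mtime
                dst.addfile(info, io.BytesIO(cert))
                replaced = True
            else:
                dst.addfile(member, src.extractfile(member) if member.isfile() else None)
    if not replaced:
        raise ValueError("archive contains no ca.cert to replace")
    with open(inf_path) as f:
        new_text, new_version = bump_inf_version(f.read())
    with open(inf_path, "w") as f:
        f.write(new_text)
    return new_version


def archive_file(archive, name):
    """Read one regular file out of a .tar.bz2 (used to verify the result)."""
    with tarfile.open(archive, "r:bz2") as tar:
        for member in tar:
            if member.isfile() and os.path.basename(member.name) == name:
                return tar.extractfile(member).read()
    return None


def make_demo_bundle(directory):
    """Write a constructed rsUserAuth.tar.bz2, rsUserAuth.inf and customer certificate into directory."""
    archive = os.path.join(directory, "rsUserAuth.tar.bz2")
    with tarfile.open(archive, "w:bz2") as tar:
        for name, data in (("ca.cert", SAMPLE_OLD_CERT), ("start.bash", b"#!/bin/bash\n# demo\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    inf, cert = os.path.join(directory, "rsUserAuth.inf"), os.path.join(directory, "customer-ca.cert")
    with open(inf, "w") as f:
        f.write(SAMPLE_INF)
    with open(cert, "wb") as f:
        f.write(SAMPLE_NEW_CERT)
    return archive, inf, cert


def run_demo():
    """Build the demo bundle, rebuild it, and report what changed."""
    with tempfile.TemporaryDirectory() as d:
        archive, inf, cert = make_demo_bundle(d)
        out = os.path.join(d, "rsUserAuth.new.tar.bz2")
        version = rebuild_partition(archive, cert, inf, out)
        with open(inf) as f:
            inf_text = f.read()
        return {"version": version, "inf_text": inf_text,
                "cert_replaced": archive_file(out, "ca.cert") == SAMPLE_NEW_CERT,
                "start_bash_kept": archive_file(out, "start.bash") is not None}


if __name__ == "__main__":
    print(run_demo())
```

Upload the rebuilt archive and the modified .inf together; the new version is what makes the thin client fetch the archive again. Keep in mind that plain FTP gives the client no way to verify who produced the archive whose IGELProvisionningScript.sh it will run, so restrict write access to that server to the people who build the partition.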
Upload to an FTP server
Both files: rsUserAuth.tar.bz2 and rsUserAuth.inf must be uploaded to an FTP server.
IGEL Configuration
Custom partition
On the IGEL thin client, a custom partition must be enabled.
Procedure
1. In IGEL, click on System > Setup > System > Firmware Customization.
2. Enable the custom partition as follows:
IMPORTANT: Do not change the name of the /One Identity partition as it is used in the installation scripts.
3. Click Apply.
4. Click Download and define the download source as follows:
5. Click OK.
The rsUserAuth.tar.bz2 file is downloaded and extracted.
The content of the One Identity partition file is as follows:
One Identity Authentication Manager Session
On the IGEL thin client, the One Identity Authentication Manager Session must be enabled.
Procedure
1. In IGEL, click on System > Setup > System > One Identity AuthMgr Sessions.
2. Add a session and configure it as follows:
a. Desktop integration menu:
b. Connection menu:
c. Options menu:
d. Click Apply.
Smart Card Settings
Two new registry keys are available for the smart card settings:
Procedure
1. In IGEL, click on System > Registry > Sessions > rsuserauth0 > Parameters.
2. Click the authconf folder and select the Use Smartcard Authentication configuration file check box.
3. Click Apply.
4. Click the authconf_path folder and enter the following path: /etc/rsUserAuth/authConf.txt
5. Click Apply.
Logging on to IGEL
Once the IGEL thin client is configured, the authentication module is activated.
To authenticate, the user only has to present their authentication device and enter their password or PIN (depending on the device presented).
Enrolling your RFID Badge with a PIN
Subject
Depending on the EAM configuration (see RFID Badge Integration), you may be asked to enroll your RFID badge and associate it with a PIN.
Description
The following window appears:
Procedure
1. Enter the following information in the corresponding fields:
- User name.
- PIN.
- User password.
2. Click OK.
Your RFID badge is enrolled with the associated PIN.
Modifying the PIN of your RFID Badge
Subject
Depending on the EAM configuration (see RFID Badge Integration), you may be asked to modify the PIN of your RFID badge.
Description
The following window appears:
Procedure
1. Enter your current PIN in the corresponding field.
2. Enter your new PIN in the corresponding field and confirm it.
3. Click OK.
Your PIN has been modified.
Authentication Module Log File
A log file is available here: /var/log/rsuserauth[Session Number].debug.
NOTE: This log file path is specific to IGEL. For more information on the log file itself, see rsUserAuth Log File.
About us
Contacting us
For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329.
Technical support resources
Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
- Submit and manage a Service Request
- View Knowledge Base articles
- Sign up for product notifications
- Download software and technical documentation
- View how-to videos
- Engage in community discussions
- Chat with support engineers online
- View services to assist you with your product