Administration Guide Revision B McAfee One Time Password 3.5
Administration GuideRevision B
McAfee One Time Password 3.5
COPYRIGHTCopyright © 2013 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONSMcAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab,McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection,TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States andother countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION
License AgreementNOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETSFORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOUHAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOURSOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR AFILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SETFORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OFPURCHASE FOR A FULL REFUND.
2 McAfee One Time Password 3.5 Administration Guide
Contents
1 Introduction 7Supported operating systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Supported user databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Supported protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9McAfee OTP Client Software Development Kit (SDK) . . . . . . . . . . . . . . . . . . . . 9Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2 Integration 15Integration modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15VPN/RADIUS access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Programming APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3 Installation 17Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Install McAfee OTP on a Windows-based computer . . . . . . . . . . . . . . . . . . . . 18
4 Configuring McAfee OTP 19Administration console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Select pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Mouse functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configure the Server object type . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Mobile Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Onetime Password Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Client Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Global Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configure the RADIUS object type . . . . . . . . . . . . . . . . . . . . . . . . . . . 24RADIUS Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Additional Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configure the Logs object type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Other Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configure the Alerts object type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Alert Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Configure the Licenses object type . . . . . . . . . . . . . . . . . . . . . . . . . . . 27License Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configure the Databases object type . . . . . . . . . . . . . . . . . . . . . . . . . . 28Create a database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Delete a database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Duplicate a database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Create an LDAP database . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Create an SQL database . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Create a RADIUS Forward database . . . . . . . . . . . . . . . . . . . . . . . 39
McAfee One Time Password 3.5 Administration Guide 3
Create a database group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Configure the Clients object type . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Create a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Delete a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Duplicate a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Create a RADIUS client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Create a Native client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Create a Web services client . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configure the Delivery Method object type . . . . . . . . . . . . . . . . . . . . . . . 47Enable a delivery method type . . . . . . . . . . . . . . . . . . . . . . . . . 48Configure the SMS Gateway delivery method . . . . . . . . . . . . . . . . . . . 48Configure the HTTP delivery method . . . . . . . . . . . . . . . . . . . . . . . 49Configure the Extended HTTP delivery method . . . . . . . . . . . . . . . . . . . 51Configure the SMTP delivery method . . . . . . . . . . . . . . . . . . . . . . . 53Configure the Netsize delivery method . . . . . . . . . . . . . . . . . . . . . . 54Configure the Concurrent Sender delivery method . . . . . . . . . . . . . . . . . 56Configure the Instant Messaging delivery method . . . . . . . . . . . . . . . . . . 56Configure the SMPP delivery method . . . . . . . . . . . . . . . . . . . . . . . 58Configure the CIMD2 delivery method . . . . . . . . . . . . . . . . . . . . . . 58Configure the UCP File delivery method . . . . . . . . . . . . . . . . . . . . . . 58Configure the Prefetch Detection delivery method . . . . . . . . . . . . . . . . . 59
Configure the Misc object type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Configure the Expired Password Notification settings . . . . . . . . . . . . . . . . 59Configure the OATH settings . . . . . . . . . . . . . . . . . . . . . . . . . . 60Configure the Prefetch OTP options . . . . . . . . . . . . . . . . . . . . . . . 62Configure the Unlock User Accounts options . . . . . . . . . . . . . . . . . . . . 62Configure the AES Encryption options . . . . . . . . . . . . . . . . . . . . . . 63Configure the Embedded HTTP Server Options . . . . . . . . . . . . . . . . . . . 65Configure the Pledge Enrollment options . . . . . . . . . . . . . . . . . . . . . 65Configure the Web Manager options . . . . . . . . . . . . . . . . . . . . . . . 66Web Manager - User Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Self Service - Admin Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Self Service - User Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Configure the Yubico options . . . . . . . . . . . . . . . . . . . . . . . . . . 72
5 Maintenance and use 73McAfee OTP monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Start or stop McAfee OTP . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
A Pledge 77About Pledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Pledge Profile Factory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Pledge Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Pledge Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Register for a Pledge Profile Factory account . . . . . . . . . . . . . . . . . . . . . . . 79Customize the Pledge Corporate Profile . . . . . . . . . . . . . . . . . . . . . . . . . 80Request a Pledge web service account . . . . . . . . . . . . . . . . . . . . . . . . . 81Configure the Pledge Enrollment database . . . . . . . . . . . . . . . . . . . . . . . . 81Configure the Pledge Enrollment client . . . . . . . . . . . . . . . . . . . . . . . . . 82Enable the Pledge Enrollment services . . . . . . . . . . . . . . . . . . . . . . . . . 82Pledge Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Self enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Administrator enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Contents
4 McAfee One Time Password 3.5 Administration Guide
B Microsoft Forefront Threat Management Gateway integration 85Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Install Microsoft TMG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86Microsoft TMG configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 87Configure advanced options . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Configure McAfee OTP Server for Microsoft TMG . . . . . . . . . . . . . . . . . . . . . 88Configure the Microsoft TMG client . . . . . . . . . . . . . . . . . . . . . . . . 88Configure a new database . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
C Configuring a cluster 91Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91McAfee OTP redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Configure McAfee OTP redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Configure the VPN Gateway or application with multiple McAfee OTP servers . . . . . . . . . . 93Test the McAfee OTP cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93McAfee OTP cluster configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
D Web Service Client API (SOAP) 95Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95SOAP operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
getCommands Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 96getOTPObject . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Required fields / xml elements . . . . . . . . . . . . . . . . . . . . . . . . . 101requestAuthAndOTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101verifyOTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102authenticateUser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104getUserAttributeValue . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106storeData . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108fetchData . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Client code examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Index 115
Contents
McAfee One Time Password 3.5 Administration Guide 5
Contents
6 McAfee One Time Password 3.5 Administration Guide
1 Introduction
McAfee® One Time Password (McAfee OTP) adds a layer of security that is flexible and efficient toimplement and that protects applications and systems with strong, multi‑factor authentication. Forexample, combining user name and password authentication with one‑time password as the secondauthentication method on a mobile device protects the authentication process and the "key" to anorganization’s applications and systems.
After McAfee OTP verifies a user name and password against a defined user store, it sends the enduser a one‑time password. The end user enters the one‑time password and is authenticated to theapplication or system only after McAfee OTP verifies the entered password.
McAfee OTP generates and distributes one‑time passwords to end users by a variety of methods,including email, Short Message Service (SMS) to a mobile phone, and Instant Messaging (IM) servicessuch as Google Talk, Microsoft MSN Messenger, and Skype.
McAfee OTP supports hardware and software tokens that generate one‑time passwords using the HOTP(RFC 4226) and TOTP (RFC 6238) OATH standards. In addition, McAfee offers Pledge, that wheninstalled on a mobile device, generates one‑time passwords using the OATH standard.
You can integrate McAfee OTP with applications and systems that support RADIUS (RemoteAuthentication Dial In User System). Also, you can integrate McAfee OTP using one of the many nativeintegration modules that McAfee provides.
1
McAfee One Time Password 3.5 Administration Guide 7
Integration modules exist for Apache Reverse Proxy and Web Server, Citrix, Microsoft IIS, MicrosoftOutlook Web Access, Novell GroupWise WebAccess, VPN (including Cisco, Check Point, F5, Blue Coat,and Juniper), and more. Other applications can be integrated with McAfee OTP using APIs or webservices.
Figure 1-1 McAfee OTP architecture
Contents Supported operating systems Supported user databases Supported protocols McAfee OTP Client Software Development Kit (SDK) Features
Supported operating systemsMcAfee OTP supports any operating system that has support for Java Virtual Machine (JVM) version1.6 or later.
McAfee OTP supports 32‑bit and 64‑bit versions of these operating systems:
1 IntroductionSupported operating systems
8 McAfee One Time Password 3.5 Administration Guide
• Microsoft Windows Server 2003, 2008 R2 • IBM AIX
• Linux • Mac OS X
• Sun Solaris
Supported user databasesMcAfee OTP supports these user stores.
• LDAP, including:
• Sun Directory Server
• Microsoft Active Directory
• Novell eDirectory
• SQL through JDBC or ODBC, including:
• Oracle
• Miscrosoft SQL Server
• MySQL
Other user stores are supported through APIs.
Supported protocolsMcAfee OTP supports these protocols.
• LDAP
• HTTP/HTTPS
• SMPP
• SMTP
• Web Services/SOAP
• CIMD2
• Instant messaging, including:
• Google Talk
• Microsoft MSN Messenger
• Skype
McAfee OTP Client Software Development Kit (SDK)Use the Java Client API to integrate McAfee OTP with applications that do not include integrationmodules.
For information about downloading COM and .NET APIs, go to the McAfee Technical SupportServicePortal.
IntroductionSupported user databases 1
McAfee One Time Password 3.5 Administration Guide 9
For information about integrating Microsoft .NET applications using the Java Client API, go to theMcAfee KnowledgeBase.
FeaturesMcAfee OTP supports the following features.
Table 1-1 McAfee OTP features
Feature Definition
Configuration interface Manages and maintains McAfee OTP settings.
Expired passwordnotification
McAfee OTP detects when a password expires, and then notifies end users.
One‑time passwordSMS and emaildelivery
McAfee OTP delivers one‑time passwords using SMS and email, which allowseasy deployment of two‑factor authentication for end users.
Delivery methodconfiguration
Configure the McAfee OTP delivery method at the McAfee OTP client level.
This feature overrides the automatic delivery method selection.
One‑time passwordretries
After failing to enter the password correctly the first time, allows end usersto re‑enter the one‑time password.
Emergency one‑timepasswords
When a mobile device is lost or forgotten, allows end users to generateone‑time passwords.
McAfee Short MessageService Module(McAfee SMS Module)
The McAfee SMS Module is an on‑demand service that is hosted on McAfeeservers, so there is no need to install the product in your environment.Access the McAfee SMS service through the McAfee SMS Gateway plug‑in.The plug‑in is easy to set up, and provides status controls, usage statistics,and automatic failover for lapses in the SMS service.
TOTP anti‑replay check The McAfee OTP keeps track of the one‑time passwords used. For each TOTPdevice, the anti‑replay check feature restricts one–time password use toonce during a specified time interval.
Maximum steps tosync TOTP device
Configure the maximum number of steps end users are allowed to sync aTOTP device with the McAfee OTP during a specified time interval.
API to sync OATHHOTP/TOTP devices
Using a new API, sync OATH HOTP/TOTP devices by sending two one‑timepasswords in sequence. For more information, go to the McAfeeKnowledgeBase.
LDAP user stores Use any LDAP‑compliant directory service to look up users and userattributes.
SQL user stores Use any JDBC or ODBC‑compliant database to look up users and userattributes.
Multiple OATH keysupport for SQLdatabases
McAfee OTP provides multiple OATH key support for SQL databases.
Multiple user stores For each McAfee OTP client, there is no limit on the number of user storesthat can be added. For example, you can add multiple user stores forfailover. However, when one set of users is saved in two different userstores, configure SMS delivery for the users in one user store, and emaildelivery for users in the other user store.
Test Tool A stand‑alone application used to test the McAfee OTP. Use this tool to testwhether the user store is configured correctly, and the one‑time passworddistribution plug‑in is working as expected. The Test Tool supports the nativeAPI and RADIUS protocol.
1 IntroductionFeatures
10 McAfee One Time Password 3.5 Administration Guide
Table 1-1 McAfee OTP features (continued)
Feature Definition
Remote configuration Manage the McAfee OTP from a remote location. This feature is ideal forservers with limited access, and for servers without a graphical interface.
The remote configuration feature does not support any test functions.
External McAfee OTPcreation andverification
McAfee OTP supports any algorithm that creates and verifies one‑timepasswords through an API.
Pledge Pledge is a software token that you download and install on a mobile device.Pledge provides strong authentication by generating one‑time passwordsusing the OATH algorithm. Pledge supports multiple platforms, including:• iPhone
• Android
• Windows Mobile
• Any mobile phone that supports Java Platform, Micro Edition (Java ME).
Pledge enrollment A web application installed on the Tomcat server, that allows end users tofollow an easy, step‑by‑step Pledge Enrollment process that downloads aPledge Profile, which includes an HOTP key. Using a web services interfacethat is integrated with the Profile Factory, administrators can customize thePledge Profile.
OATH support McAfee OTP supports tokens based on the OATH HOTP/TOTP standard.
McAfee OTP Nativeclient names
McAfee OTP supports Native clients through an API. McAfee OTP nowsupports multiple Native clients at one IP address by allowing you to assigna name to each client’s integration module. In this way, each client can beseparately configured in McAfee OTP.
Web service support McAfee OTP supports a new client type through an API for any application orsystem using SOAP‑based web services.
Alerts Configure McAfee OTP to send error messages and alerts to one or moreadministrators using SMS or email.
Easy configuration Configure McAfee OTP, including user stores, delivery methods, andintegrations, in less than one day.
Java, COM, .NET, andPHP APIs
Use these APIs to create custom integration modules for your applications.
Plug‑in interface Used to add both McAfee and custom delivery methods.
Custom user storehandler
If the user stores have special requirements, advanced users can write acustom database handler that overrides the internal database handler.
PIN code protectionfor one‑timepasswords
Add a PIN code to the one‑time password for added protection. PIN codesare stored in an LDAP or SQL user store.
OTP protection andaccount lockoutmanagement
Configure how many times an end user is allowed to incorrectly logon beforetheir account is locked.
Hashed PIN codes McAfee OTP supports the following hash functions applied to a PIN code:• MD5
• SHS
• SSHA
PIN code management PIN codes are managed by an administrator, service desk, or self‑servicefunction in the McAfee OTP Web Manager.
IntroductionFeatures 1
McAfee One Time Password 3.5 Administration Guide 11
Table 1-1 McAfee OTP features (continued)
Feature Definition
Prefetch one‑timepasswords
Allows end users and administrators to store one‑time passwords when thereis no mobile coverage. For example, one‑time passwords can be stored astext in a mobile or email account, or printed on cards or paper. This featureis controlled by a web administration application.
Failover and clustering McAfee OTP supports failover and full active‑active clustering with sharedauthentication session data. You can configure multiple McAfee OTP databaseobjects for failover, or configure failover for a Database group.
RADIUS support McAfee OTP can act as a RADIUS server to support any RADIUS‑awareapplication. Most VPN solutions have RADIUS support, including:• Cisco
• Check Point
• AppGate
• Juniper
RADIUS attributedetection
Allows the implementation of different rights for different groups, such ascontractors, employees, and vendors. It also allows the implementation ofmultiple authentication methods and two‑factor authentication.
RADIUS Forward A new database object type that McAfee OTP uses to pass through andforward a RADIUS request to another RADIUS server. In addition tosupporting integration with other RADIUS servers, RADIUS Forward supportsRSA SecurID and SafeWord tokens, as well as the migration of legacytokens.
Multiple RADIUS UDPports
Configure the McAfee OTP RADIUS module to listen on multiple UDP ports,which allows the RADIUS module to assign each RADIUS McAfee OTP clientto its own port, and support multiple clients.
Custom RADIUS rejectmessages
Customize the messages returned when authentication fails, a system erroroccurs, or a one‑time password is incorrectly entered.
Integration modules McAfee OTP comes with these integration modules:• Apache Reverse Proxy Server • EPiServer
• CA Siteminder • Microsoft Forefront ThreatManagement Gateway
• Citrix Access Gateway • Microsoft Forefront UnifiedAccess Gateway
• Citrix Presentation Server • Microsoft Outlook Web Access
• Citrix Web Interface • Microsoft SharePoint
• Citrix XenApp Server
Platform independence McAfee OTP can be run on any Java‑compliant platform, including:• Windows • HP‑UX
• Linux • Mac OS X
• Solaris
Session data McAfee OTP can store both persistent and one‑time session data. Thisfeature supports active‑active clustering and failover among multiple McAfeeOTP servers without any user errors.
User attributes Using APIs, retrieve any available user attribute from the directory service.
1 IntroductionFeatures
12 McAfee One Time Password 3.5 Administration Guide
Table 1-1 McAfee OTP features (continued)
Feature Definition
Yubico YubiKey McAfee OTP supports the one‑time password that YubiKey generates inOATH‑HOTP mode using the standard RFC 4226 HOTP algorithm, andencrypts using the Advanced Encryption Standard (AES) algorithm. McAfeeOTP has added support for the Yubico validation server through web servicesand stores AES keys locally in a SQL database or LDAP directory. Keys areeasily imported and stored, supporting automatic enrollment.
Self‑service andservice desk functionsfor token management
Allows end users and administrators to reset passwords, manage secretquestion and answers, and generate PIN codes.
IntroductionFeatures 1
McAfee One Time Password 3.5 Administration Guide 13
1 IntroductionFeatures
14 McAfee One Time Password 3.5 Administration Guide
2 Integration
McAfee OTP can be integrated with applications and systems through integration modules andprotocols. For example, McAfee OTP can be integrated with most VPN services using the RADIUSprotocol. Since McAfee OTP can act as a RADIUS server, most VPN/RADIUS‑aware products can beintegrated without any installation. Configuring the McAfee OTP and the VPN/RADIUS productcompletes the integration.
Using Java, COM, .NET, and PHP Client APIs, you can write custom integration modules for yourapplications. By using the Client APIs, you can add strong authentication to your custom applications.
Contents Integration modules VPN/RADIUS access Programming APIs
Integration modulesMcAfee OTP supports these integration modules.
Apache Apache Reverse Proxy ServerApache Web Server 1.3/2.0
CA SiteMinder r6SiteMinder r12
Citrix Citrix Access Gateway 4.2Citrix Access Gateway 4.5
Citrix Access Gateway 5.X VPX
Citrix Access Gateway Enterprise Edition (NetScaler VPX)
Citrix Presentation Server 4.6
Citrix Web Interface 4.0/4.2
Citrix Web Interface 4.5
Citrix Web Interface 5.4
Citrix XenApp Server 5.1
Citrix XenApp Server 5.2/5.3
IBM Lotus Domino (Apache Proxy)
2
McAfee One Time Password 3.5 Administration Guide 15
Microsoft ISA Server 2006
TMG 2010
UAG 2010
IIS 6.0
IIS 7.x ‑ IIS Custom AD Membership Provider ‑ ASP.NET
Outlook Web Access 2003
Outlook Web Access 2007
SharePoint 2007 AD Membership Provider ‑ ASP.NET
SharePoint 2010 AD Membership Provider ‑ ASP.NET
IIS Custom AD Membership Provider ‑ ASP.NET
EPiServer AD Membership Provider ‑ ASP.NET
EPiServer SQL Membership Provider ‑ ASP.NET
Novell IChain 2.3
Novell Access Manager
GroupWise WebAccess 6
GroupWise WebAccess 7
For information about new and updated integration modules and configuration guides, go to the McAfeeTechnical Support ServicePortal.
VPN/RADIUS accessMcAfee OTP acts as a RADIUS server to support most VPNs and other RADIUS‑aware applications.
McAfee recommends that the VPN/RADIUS application support the RADIUS challenge‑responsestandard.
These vendors provide RADIUS servers that have been tested with McAfee OTP and approved:
• Cisco • Juniper
• Check Point • Palo Alto
• F5 • AppGate
With the RADIUS challenge‑response standard, you can use all McAfee OTP authentication methods.Without the standard, you can use the Pledge software token and all OATH tokens.
Programming APIsMcAfee OTP can be integrated with custom applications through its Java, COM, and .NET APIs.
2 IntegrationVPN/RADIUS access
16 McAfee One Time Password 3.5 Administration Guide
3 Installation
Review the requirements and instructions to download and install McAfee OTP on a Windows platform.
Contents Requirements Install McAfee OTP on a Windows-based computer
RequirementsTo install and operate McAfee OTP on a Windows platform, the system must meet the followingminimum requirements.
Hardware server or virtual machine (VM)
• McAfee OTP is software that you install on any server in your internal network or DMZ.
• Use any modern hardware server or a virtual machine running on top of a modern hardware serveras the installation platform.
• The hardware server must have a static IP address configured.
• If you configure McAfee OTP using DNS names, the server must be able to contact DNS servers.
Operating system
• You can install McAfee OTP on any operating system that supports Java Virtual Machine (Java VM )version 1.6 or later, including:
• Microsoft Windows 2003 R2 • Sun Solaris
• Microsoft Windows 2008 R2 • IBM AIX
• Linux • Mac OS X
• You can install McAfee OTP on both 32‑bit and 64‑bit operating systems.
Communication
• The McAfee OTP queries your LDAP or JDBC user store using default TCP ports 389 for LDAP, and636 for secure LDAP (LDAPS).
• Integration modules must send requests to McAfee OTP using TCP port 3100. RADIUS modulesmust send requests using UDP port 1645 or 1812.
• To use McAfee SMS Module, configure the McAfee OTP to send one‑time passwords to the SMSservice over HTTPS on TCP port 443.
These port numbers are the default values and can be customized.
3
McAfee One Time Password 3.5 Administration Guide 17
Software
When registering and downloading the software, select the version of the installer that correctlycorresponds to your operating system platform.
Install McAfee OTP on a Windows-based computerUse the installation process on a Windows‑based computer as a guide for how installation is done onother operating system platforms. For platforms other than Windows, you have the option of installingMcAfee OTP in GUI or console mode. For example, you can install in console mode on Linux byentering the following installation command on the command line: sh ./otp3install.bin ‑iconsole
Task1 Start the installation program: otp3install.exe
The Introduction opens.
2 Click Next.
The License Agreement step opens.
3 Read the license agreement, select the I accept the terms of the License Agreement option, and click Next.
The Select Install Set step opens.
4 Select an installation option, and click Next.
The Choose Install Folder step opens.
5 Specify an installation folder, or accept the default value, and click Next.
The Select License File step opens.
6 Specify the location of the license.dat file that you received from McAfee, and click Next.
The Install Windows Service step opens.
7 Select the Install Windows Service checkbox, and click Next.
The Choose Link Folder step opens.
8 Specify where to create shortcuts to the software, and click Next.
The shortcuts are identified by a product icon. You click the icon to manually start the McAfee OTP.
The Pre‑Installation Summary opens.
9 Review the Pre‑Installation Summary, and click Install.
The Install Complete step opens.
10 Click Next.
The Start the OTP Server step opens.
11 To start McAfee OTP, select Yes, and click Done.
The installer closes, and the McAfee OTP opens.
3 InstallationInstall McAfee OTP on a Windows-based computer
18 McAfee One Time Password 3.5 Administration Guide
4 Configuring McAfee OTP
Configure the settings to manage and maintain McAfee OTP.
Contents Administration console Configure the Server object type Configure the RADIUS object type Configure the Logs object type Configure the Alerts object type Configure the Licenses object type Configure the Databases object type Configure the Clients object type Configure the Delivery Method object type Configure the Misc object type
Administration consoleUse the administration console to perform all configuration tasks.
• Click the product icon created when McAfee OTP is installed.
• Start the McAfee OTP process, then click Configuration.
Option Definition
Menu bar Creates configuration objects, update functions, and access Help.
Select pane (left) Provides the option to select, create, configure, delete, or view an objecttype.
Configuration pane (right) Provides the option to view the configuration options of an object selectedin the select pane.
Save Config Saves the configuration to the otp.properties file in the installationdirectory.
Close Closes the administration console.
Select paneSelect the type of object to create, configure, delete, or view.
Option Definition
Server Select to configure the McAfee OTP.
RADIUS Select to configure McAfee OTP as a RADIUS server for McAfee OTP RADIUS clients.
Logs Select to configure logging and the log files.
4
McAfee One Time Password 3.5 Administration Guide 19
Option Definition
Alerts Select to configure error messages and alerts that can be sent to a list ofadministrators using SMS or email.
Licenses Select to manage McAfee OTP licenses.
Databases Select to configure connections to user stores.
Clients Select to configure McAfee OTP clients.
Delivery Methods Select to configure and enable one or more delivery methods for the McAfee OTP.Available methods include:• CIMD2 • NetSize
• Concurrent Sender • McAfee SMS
• Extended HTTP • SMPP
• HTTP • SMTP
• Instant Messaging • UCP File
Misc Select this object type to configure these functions:• Expired Password Notification • Embedded HTTP Server
• OATH Configuration • Pledge Enrollment
• Prefetch Proxy Config • Web Manager
• Unlock User Accounts • Yubico
• AES Encryption
Mouse functionsThe administration console supports the following mouse functions.
Option Definition
Tooltips Provides context‑sensitive help.
Mouse left‑click Allows you to view and select menu items on the menu bar, expand and selectobject types in the select pane, and open, close, minimize, and resize windows.
Mouse right‑click Provides a context menu for a selected object type in the select pane.
Configure the Server object typeUse the configuration pane to configure the Server object type settings.
Task1 In the select pane, select the Server object type.
Server configuration options open in the configuration pane.
2 In the configuration pane, configure the remaining settings.
4 Configuring McAfee OTPConfigure the Server object type
20 McAfee One Time Password 3.5 Administration Guide
Server SettingsThe following settings are located in the Server Settings area on the configuration pane.
Option Definition
Port number Specifies the port number that Native and remote McAfee OTP clients use whenconnecting to the McAfee OTP.Default: 3100
Bind to IP Address Specifies the IP address of the server on which the McAfee OTP is installed.
All Selecting this checkbox specifies that the McAfee OTP accepts connections fromMcAfee OTP Native clients on all IP addresses assigned to the host server’s system.
Port number Specifies the number of milliseconds that the connection between the McAfee OTPclient and the McAfee OTP can be idle before the session times out.
A zero value specifies that there is no timeout.
Mobile NumbersThe following settings are located in the Mobile Numbers area on the configuration pane.
Option Definition
Check Mobile Number Selecting this checkbox specifies checking the mobile number for non‑numericcharacters and removing them, including spaces.
This setting does not remove the “+” character from mobile numbers.
Default Country Prefix Specifies removing any leading zeros and then adding the default country prefixthat you provide.
This setting is only available when the Check Mobile Number checkbox is selected.
Onetime Password OptionsThe following settings are located in the Onetime Password Options area on the configuration pane.
Option Definition
OTP Length Specifies the length of the one‑time password in number of characters.
OTP Valid Time Specifies how long in minutes the one‑time password is valid.
A zero value specifies that one‑time password is valid indefinitely.
OTP Retries Specifies the number of times that the end user can automatically receive a newone‑time password after entering the previous password incorrectly. A zero valuedisables this function.
This setting is only available for McAfee OTP RADIUS clients.
Retry Message Specifies the message that the end user receives after entering an incorrectone‑time password.
This setting is only available when the OTP Retry function is enabled.
Configuring McAfee OTPConfigure the Server object type 4
McAfee One Time Password 3.5 Administration Guide 21
Option Definition
Regenerate Timeout Specifies the time in seconds required between McAfee OTP requests. This setting isdesigned to prevent end users from requesting multiple one‑time passwords in quicksuccession.
To disable this requirement, set the timeout value to zero.
Composition Select one of these options to specify the set of characters allowed in a one‑timepassword:• Digits (0–9)
• Letters & Digits (A–Z,a–z,0–9)
• Custom Characters — Specifies a custom set of letters and digits.
Letters are case‑sensitive.
Client SettingsThe following settings are located in the Client Settings area on the configuration pane.
Option Definition
All Clients Are Allowed Selecting this checkbox specifies that all McAfee OTP clients are allowed to useMcAfee OTP Server.
Allowed Clients Specifies a comma‑separated list of IP addresses corresponding to the McAfeeOTP clients that are allowed to use McAfee OTP.
This setting is only available when not all clients are allowed.
Allow remote configuration Selecting this checkbox allows remote configuration of McAfee OTP.
Remote Password Specifies the password that is required for remote configuration of McAfee OTP.
This setting is only available when remote configuration is allowed.
EncryptionThe following settings are located in the Encryption area on the configuration pane.
Option Definition
No encryption Selecting this option specifies that messages between the McAfee OTP client andMcAfee OTP are not encrypted.
Encryption if Client doesencryption
Selecting this option specifies that messages between the McAfee OTP client andMcAfee OTP are encrypted if the McAfee OTP client supports encryption.
Always encryption Selecting this option specifies that messages between the McAfee OTP client andMcAfee OTP are always encrypted.
McAfee OTP rejects messages from the McAfee OTP client that are not encrypted.
4 Configuring McAfee OTPConfigure the Server object type
22 McAfee One Time Password 3.5 Administration Guide
OptionsThe following settings are located in the Options area on the configuration pane.
Option Definition
Enable Monitor Select this checkbox to start the statistics monitor when the McAfee OTP starts.
Debug Select this checkbox to display the output of the Debug function on the console.
Use Secure Random Select this checkbox to use the FIPS‑compliant java.security.SecureRandomalgorithm when generating the one‑time password for the end user.
Global OptionsThe following settings are located in the Global Options area on the configuration pane.
Option Definition
Prevent SQLInjection Attacks
Selecting this checkbox specifies that all user names and passwords are checked forthe following patterns found in SQL statements: ', ", or, select, drop, ‑‑, insert.
If any of these patterns are found, user authentication is denied.
Use whitelist Selecting this checkbox specifies that McAfee OTP only accepts characters in usernames and passwords that are defined in a whitelist.
To define the whitelist for SQL databases, you can use a regular expression or a listof characters.
Is RegEx Selecting this checkbox allows you to define the whitelist for SQL databases using aregular expression.
This option is only available when the Use whitelist checkbox is selected.
Test Using this field, you can verify characters against the whitelist configured for SQLdatabases.
This field is only available when the Use whitelist checkbox is selected.
Prevent LDAPInjection Attacks
Selecting this checkbox specifies that all user names are checked for the followingcharacters: *, (, ), &.
If any of these characters are found, user authentication is denied.
LDAP followreferrals
Selecting this checkbox specifies that McAfee OTP automatically follows a referral toanother LDAP directory, which is provided when a directory tree is distributed overmultiple LDAP servers.
LDAP idlereconnect
Specifies the number of minutes that an LDAP connection can be idle before McAfeeOTP forces a reconnection.
A zero value disables forced reconnection.
Set System Charset Selecting this checkbox allows you to specify a system character set other thanUTF‑8, the default.
All McAfee OTP clients must be configured for the character set that you specify.
Configuring McAfee OTPConfigure the Server object type 4
McAfee One Time Password 3.5 Administration Guide 23
Configure the RADIUS object typeUse the configuration pane to configure the RADIUS object type settings.
Task1 In the select pane, select the RADIUS object type.
2 In the configuration pane, configure the remaining settings.
RADIUS Server SettingsThe following settings are located in the RADIUS Server Settings area on the configuration pane.
All settings apply to the McAfee OTP when configured as a RADIUS server.
Option Definition
Enable RADIUS Selecting this checkbox enables McAfee OTP as a RADIUS server.
Port number Specifies the port number that McAfee OTP Native clients use when connectingto McAfee OTP configured as a RADIUS server.Default: 1645
The RADIUS protocol uses UDP, the User Datagram Protocol, not TCP, theTransmission Control Protocol.
Bind to IP Address Specifies the IP address of the server on which McAfee OTP is installed andconfigured as a RADIUS server.
All Selecting this checkbox specifies that McAfee OTP configured as a RADIUSserver accepts connections from McAfee OTP Native clients on all IP addressesassigned to the host server’s system.
Timeout Specifies the number of milliseconds that the connection between the McAfeeOTP client and McAfee OTP can be idle before the RADIUS session times out.
A zero value specifies that there is no timeout.
Debug Packets Selecting this checkbox writes the output of the Debug function to the McAfeeOTP console and log file.
Restart RADIUS Serverafter reconfiguration
Selecting this checkbox restarts McAfee OTP each time that you update andsave the RADIUS server configuration.
Additional PortsThe following settings are located in the Additional Ports area on the configuration pane.
All settings apply to McAfee OTP Server when configured as a RADIUS server.
Option Definition
Enable Selecting this checkbox configures McAfee OTP to listen on more than one port.
Port number Specifies an additional port number on which McAfee OTP listens.
Used by Client Specifies the McAfee OTP client that is assigned to the specified port number.
4 Configuring McAfee OTPConfigure the RADIUS object type
24 McAfee One Time Password 3.5 Administration Guide
Configure the Logs object typeUsing the configuration pane, configure the Logs object type settings.
Task1 In the select pane, select the Logs object type.
Logs configuration options open in the configuration pane.
2 In the configuration pane, configure the remaining settings.
Log FilesThe following settings are located in the Log Files area on the configuration pane.
Option Definition
System Log File Specifies the name and location of the log file that stores all debugging information.
• To disable logging to a system file, leave this field blank.
• For information about extending the McAfee OTP logging API with morelogging destinations, go to the McAfee KnowledgeBase.
Accounting file Specifies the name of the log file that stores all successful user authenticationevents.
To disable logging to an accounting file, leave this field blank.
Roll AccountingFile Now
Clicking this button rolls the current log file, and opens a new log file.
Loglevel Specifies one of the following log levels:• Trace • Warn
• Debug • Error
• Info • Fatal
Default: Debug
Max logfile size Specifies the maximum size that a log file can reach before it is rolled, and a new logfile is opened.
When a log file is rolled, it is saved as a back‑up file.
Units: Kilobytes (KB)
Default: 5000
Max backup index Specifies the maximum number of back‑up log files that can be saved before McAfeeOTP removes the oldest file.Default: 100
Examples: Saving 100 logging files, each file 5000 KB in size, requires 500megabytes (MB) of disk space.
Configuring McAfee OTPConfigure the Logs object type 4
McAfee One Time Password 3.5 Administration Guide 25
Option Definition
Append sessionnumber
Selecting this checkbox adds session numbers to the log file.Default: Selected
External LogHandler
(Optional) Specifies a Java class name that implements the following interface:se.nordicedge.interface.OTPlogging
• To use an external log handler, specify a value for this setting.
• To use the default log handler, leave this field blank.
• For the new setting to take effect, restart McAfee OTP.
Other SettingsThe following settings are located in the Other Settings area on the configuration pane.
Option Definition
Check for config changesevery
Specifies a time interval in seconds for checking the McAfee OTPconfiguration file for changes.
To disable this function, set the time interval to zero.
Check classpath duringstartup
Selecting this checkbox specifies that McAfee OTP reads changes in the libdirectory during startup.
Configure the Alerts object typeUse the configuration pane to configure the Alerts object type settings.
Task1 In the select pane, select the Alerts object type.
Server configuration options open in the configuration pane.
2 Select the Enable Alerts checkbox.
3 In the configuration pane, configure the remaining settings.
Tasks• Alert Configuration on page 27
The following settings are located in the Alert Configuration area on the configuration pane.
4 Configuring McAfee OTPConfigure the Alerts object type
26 McAfee One Time Password 3.5 Administration Guide
Alert ConfigurationThe following settings are located in the Alert Configuration area on the configuration pane.Option Definition
Use Method Selects the McAfee OTP delivery method that triggers the first alert from the drop‑downlist.Default: All
The McAfee OTP delivery methods must be configured before they are available in thedrop‑down list.
Alert events Select one of these checkboxes to specify which errors trigger alerts:• RADIUS errors
• User database errors
• Sending OTP errors
• Other errors
Default: All
Message Prefix Specifies a prefix that is added to each alert message.
Recipients Specifies the email address or mobile phone number of each alert recipient.
Entered one email address or mobile phone number per line.
Test Click Test to output a test alert.
Configure the Licenses object typeUse the configuration pane to configure the License object type settings.The new license system supports multiple license files. For example, you can have in the licensesdirectory one license file that supports 50 users and another license file that supports 100 users,totaling registered licenses for 150 users.
• Since the license system for McAfee OTP V3 is new and not compatible with V2, you needto obtain new license files from McAfee to upgrade.
• For more information, go to the McAfee Technical Support ServicePortal.
Task1 Copy the new license file to the license directory.
The license file name must end with the file name extension .dat or .xml.
2 In the select pane, select the Licenses object type.
3 In the configuration pane, click Detect New.
4 In the Registered Licenses field, verify that the value is updated to include the number of licenses inthe new license file.
Tasks• License Information on page 28
Use the configuration pane to configure the settings in the License Information area.
Configuring McAfee OTPConfigure the Licenses object type 4
McAfee One Time Password 3.5 Administration Guide 27
License InformationUse the configuration pane to configure the settings in the License Information area.
Option Definition
Registered Licenses Displays the number of licenses specified in the license files.
Detect new Click this button to check for new licenses in the license directory and update thevalue in the Registered Licenses field.
Used Licenses Displays the number of registered licenses used by current users.
Reset Clicking this button resets the value in the Used Licenses field to zero.
Unused Licenses Displays the number of registered licenses available to new users.
Counter started Displays the date and time that the license counter was started.
Refresh Clicking this button refreshes the information displayed in the License Information areaon the configuration pane.
Configure the Databases object typeThe Databases object type contains configuration details that allow McAfee OTP to connect to a userstore, read information from the user store, and authenticate users.
Contents Create a database Delete a database Duplicate a database Create an LDAP database Create an SQL database Create a RADIUS Forward database Create a database group
Create a databaseCreate and add a database for connections to user stores.
Task1 To create a database, choose from these options:
• In the select pane, right‑click the Databases object type, then select the New Database type from thecontext menu.
• In the select pane, select the Databases object type, then select the New Database type on theconfiguration pane.
2 In the Database Display Name field, specify a unique, meaningful name.
3 In the configuration pane, configure the remaining settings.
Delete a databaseDelete a database that is no longer needed.
You can also access the database actions through the File menu on the menu bar.
4 Configuring McAfee OTPConfigure the Databases object type
28 McAfee One Time Password 3.5 Administration Guide
Task1 In the select pane, navigate to the database.
2 Right‑click the database, and select Delete from the context menu.
Duplicate a databaseDuplicate an existing database.
You can also access the database actions through the File menu on the menu bar.
Task1 In the select pane, navigate to the database .
2 Right‑click the database, and select Duplicate Database from the context menu.
3 In the Database Display Name field, specify a unique, meaningful name.
4 In the configuration pane, configure the remaining settings.
Create an LDAP databaseCreate an LDAP database using the following steps.
Task1 To select the LDAP database type, use one of these options:
• In the select pane, right‑click the Databases object type, then select the New LDAP database typefrom the context menu.
• In the select pane, right‑click the Databases object type, then select the New LDAP database typeon the configuration pane.
2 To configure the new LDAP database for use with tokens based on the Open Authentication (OATH)HOTP or TOTP standard, select the Uses HOTP or TOTP (OATH) checkbox.
Selecting this checkbox modifies the available settings in the Account Settings, Onetime Password Prefetch,and PIN code areas on the configuration pane.
Select this checkbox when configuring the new LDAP database for use with Pledge, the McAfeesoftware token.
3 On the configuration pane, configure the remaining settings.
Configuring McAfee OTPConfigure the Databases object type 4
McAfee One Time Password 3.5 Administration Guide 29
Tasks• Host Settings on page 30
Use the configuration pane to configure the settings in the Host Settings area.
• Search Settings on page 31Use the configuration pane to configure the settings in the Search Settings area.
• Account Settings (HOTP/TOTP Disabled) on page 32Use the configuration pane to configure the settings in the Account Settings area when theUses HOTP or TOTP (OATH) checkbox is not selected.
• Account Settings (HOTP/TOTP Enabled) on page 32Use the configuration pane to configure the settings in the Account Settings area when theUses HOTP or TOTP (OATH) checkbox is selected.
• PIN Code on page 34Use PIN codes to add a layer of security to the OTP process.
• Advanced options on page 35Use the configuration pane to configure the settings in the Advanced options area.
Host SettingsUse the configuration pane to configure the settings in the Host Settings area.
Option Definition
Host Address Specify the IP address or DNS name of the LDAP server.
For multiple LDAP servers (replicas), separate the host addresses with a space character.
Port number Specify the port number of the LDAP server.Default: 389 (LDAP) or 636 (LDAPS).
SSL Select this checkbox to specify that the SSL protocol is used when communicating overa network.
SSL is an acronym for Secure Sockets Layer.
TLS Select this checkbox to specify that the TLS protocol is used when communicating overa network.
TLS is an acronym for Transport Layer Security.
Admin DN Specify the Distinguished Name (DN) of an administrative user that has read and writeaccess to the Account Disable attribute for all user accounts.
An Active Directory (AD) search using LDAP requires the DN and password of aprivileged user. If the DN is not specified, McAfee OTP connects to the LDAP server usingan anonymous bind.
Password Specify the password of an administrative user that has read and write access to theAccount Disable attribute for all user accounts.
Test Connection Test the connection to the LDAP server.
This feature cannot be used with the OTP Remote Configuration tool.
4 Configuring McAfee OTPConfigure the Databases object type
30 McAfee One Time Password 3.5 Administration Guide
Search SettingsUse the configuration pane to configure the settings in the Search Settings area.
Option Definition
Base DN Specifies the location in the directory tree from which McAfee OTP searches forusers.
Scope Specifies the scope of the directory search:• BASE — Search the Base DN only.
• ONE — Search the BASE DN and one level below.
• SUB — Search the Base DN and all levels below.
No of Connections Specifies the maximum number of connections that McAfee OTP can have to theLDAP server.
Filter Start Specifies the beginning of the search filter.
Filter End Specifies the end of the search filter.
Samples Click this button to allow the selection of a sample search that populates theFilter Start and Filter End fields with values.
Samples are available for Microsoft Active Directory, Novell eDirectory, and anLDAP directory.
Test LDAP Authentication Test the authentication for LDAP.
Search Filters—LDAP Examples
Configure search filters that return users based on specified user attributes, or membership inspecified user groups. For example, you can search for users whose mobile attribute is empty, andsend those users one‑time passwords by email instead of SMS.
Filter Start = “(&(cn=”
Filter End = “)(objectclass=user)(mobile=*))”
Filter = “(&(cn=<username>)(objectclass=user)(mobile=*))”
Or you can search for all users who are members of the SMS OTP delivery method group.
Filter Start = “(&(cn=”
Filter End = “)(objectclass=user)(memberOf=CN=OTP‑SMS‑users,DC=company,
DC=local))”
Filter = “(&(cn=<username>)(objectclass=user)(memberOf=CN=OTP‑SMS‑users,
DC=company,DC=local))”
Configuring McAfee OTPConfigure the Databases object type 4
McAfee One Time Password 3.5 Administration Guide 31
Account Settings (HOTP/TOTP Disabled)Use the configuration pane to configure the settings in the Account Settings area when the Uses HOTP orTOTP (OATH) checkbox is not selected.
Option Definition
OTP Attribute Specify the LDAP attribute that McAfee OTP uses to look up an email address, instantmessaging address, or mobile phone number.
To specify multiple attributes, separate them with commas.
Accept Pwdchange
Select this checkbox to allow Active Directory users to log in with the account optionuser must change password at next logon enabled.
Login Retries Specify the maximum number of incorrect passwords that users can provide beforethe user’s account is locked.
Specifying a value for this field enables the lock user function. If you do not specify avalue for this field, there is no limit to the number of incorrect passwords that users canprovide. Locked accounts are automatically unlocked after a specified time period thatyou configure.
Locked Attribute Specify the LDAP attribute that McAfee OTP reads to determine whether the useraccount is locked.
When the number of login retries exceeds the maximum, McAfee OTP sets the LockedAttribute to the Locked Value.
Locked Value Specify the value of the Locked Attribute when the user account is locked.
When the number of login retries exceeds the maximum, McAfee OTP sets the LockedAttribute to the Locked Value.
Disable OTPAttribute
Specify the LDAP attribute that McAfee OTP reads to determine whether the user canlog in without authenticating with a one‑time password.
Disable OTPValue
Specify the value of the Disable OTP Attribute when authentication with a one‑timepassword is not required.
Not Select this checkbox to specify that authentication with a one‑time password is notrequired when the Disable OTP Attribute is not set to the Disable OTP Value. Checkbox optionsinclude:• Deselected — The value of the Disable OTP Attribute is the same as the value that you
specify for the Disable OTP Value setting.
• Selected — The value of the Disable OTP Attribute is not the same as the value that youspecify for the Disable OTP Value setting.
See also Configure the Unlock User Accounts options on page 62
Account Settings (HOTP/TOTP Enabled)Use the configuration pane to configure the settings in the Account Settings area when the Uses HOTP orTOTP (OATH) checkbox is selected.
Option Definition
OATH Key Specifies the LDAP attribute that McAfee OTP uses to read and store the user’s OATHkey.
Accept Pwd change Select this checkbox to allow Active Directory users to log in with the account optionuser must change password at next logon enabled.
4 Configuring McAfee OTPConfigure the Databases object type
32 McAfee One Time Password 3.5 Administration Guide
Option Definition
Login Retries Specify the maximum number of incorrect passwords that users can provide beforethe user’s account is locked.
Specifying a value for this field enables the lock user function. If you do not specify avalue for this field, there is no limit to the number of incorrect passwords that userscan provide. Locked accounts are automatically unlocked after a time period that youconfigure.
Locked Attribute Specify the LDAP attribute that McAfee OTP reads to determine whether the useraccount is locked.
When the number of login retries exceeds the maximum, McAfee OTP sets the LockedAttribute to the Locked Value.
Locked Value Specify the value of the Locked Attribute when the user account is locked.
When the number of login retries exceeds the maximum, McAfee OTP sets the LockedAttribute to the Locked Value.
Time drift attribute(TOTP)
Specifies the LDAP attribute which stores a time drift value for TOTP tokens.Data Type: String
See also Configure the Unlock User Accounts options on page 62
Onetime Password PrefetchAllow users to obtain a configurable number of one‑time passwords in advance.
Onetime Password Prefetch is useful when mobile phone coverage is an issue, or to generateemergency one‑time passwords, using the McAfee OTP Web Manager, when end users lose or forget amobile device. McAfee OTP can also be configured to send a new set of prefetch one‑time passwordsto the user each time all of the passwords are used.
Users prefetch one‑time passwords through a web server that is configured with the McAfee OTPPrefetch web application. Users log on to the web application, request prefetch one‑time passwords,and are sent to a mobile phone number or email address.
Click Configure Prefetch OTP to configure the settings for Onetime Password Prefetch.
The Onetime Password Prefetch options are only available when the Enable OTP Prefetch checkbox is selected.
Option Definition
Prefetch OTP Attribute Select the attribute that contains the McAfee OTP prefetch string.
Enable LDAP Filter (Optional) Specify an LDAP filter to allow users to use prefetch one‑timepasswords.
Maximum No of PrefetchOTPs
Specify the maximum number of prefetch one‑time passwords that can besent to a user at one time.
Must be used in order Select this checkbox to specify that the prefetch one‑time passwords mustbe used in order.
This option is global and applies to all user databases.
OTP Length Specify the length of each prefetch one‑time password in characters.
Configuring McAfee OTPConfigure the Databases object type 4
McAfee One Time Password 3.5 Administration Guide 33
Option Definition
Automatically send newPrefetch OTPs when last OTPis used
Select this checkbox to specify that a new set of prefetch one‑timepasswords is automatically sent to users when the last password from theprevious set is used.
Message to user Specify the message sent to users that includes the prefetched one‑timepassword. McAfee OTP replaces the tag $$OTP$$ with the one‑timepassword. If you omit the tag from the message, McAfee OTP appends theone‑time password to the end of the message.
This option is global and applies to all user databases.
Message Delivery Specify whether to send a set of prefetch one‑time passwords in onemessage, or multiple messages.
Allow administration creationof Prefetch OTP
Select this checkbox to allow administrators to create prefetch one‑timepasswords for any end user.
Deselecting this checkbox limits requests for prefetch one‑time passwords toend users themselves.
Administrator Database Specify the McAfee OTP database to use when authenticating theadministrator or group of administrators that can create prefetch one‑timepasswords for end users.
Allowed IP Addresses Specify a comma‑separated list of client IP addresses from which anadministrator can create prefetch one‑time passwords.
PIN CodeUse PIN codes to add a layer of security to the OTP process.
When prompted for a one‑time password, users must first enter the PIN code, then the one‑timepassword without a space separating the two strings.
For example, if the PIN code is 1234, and the one‑time password is OTPOTP, the resulting string is1234OTPOTP.
End users and help desk personnel create PIN codes using the McAfee OTP Web Manager.
The PIN code configuration options include hashed PIN codes. McAfee OTP supports these hashalgorithms:
• SHA1
• Secure SHA256 (SSHA256)
SHA is an acronym for Secure Hash Algorithm. The Secure SHA256 algorithm is also known as theSalted SHA256 algorithm.
To configure the PIN code settings, click Configure PIN Code.
The PIN code configuration options are only available when the Enable PIN Code checkbox is selected.
4 Configuring McAfee OTPConfigure the Databases object type
34 McAfee One Time Password 3.5 Administration Guide
Option Definition
Select LDAP attribute forthe PIN code
Select the attribute where the PIN code is stored.
The PIN code must be stored in the same attribute in the LDAP database as inthe McAfee OTP database. If you leave the attribute setting empty, McAfee OTPaccepts the one‑time password without the PIN code.
Show advanced hashedPIN code options (Global)
Select this checkbox to enable hashed PIN codes.
All hashed PIN code options are global and apply to all user databases.
Digest Charset Specify the character set used by the user store where the hashed PIN codesare saved.Default: ISO–8859–1
This setting is only available when configuring hashed PIN codes.
Hashed value format Choose one of these formats to use when reading hashed PIN codes:• Base64
• Hexadecimal
This setting is only available when configuring hashed PIN codes.
Advanced optionsUse the configuration pane to configure the settings in the Advanced options area.
Option Definition
ExternalDatabasehandler
Select this checkbox to allow the extension of the database handler with yourown Java class.In the field that opens, specify a Java class name that extendsse.nordicedge.radius.DBHandler.
Create an SQL databaseCreate an SQL database using the following steps.
Task1 To select the SQL database type, use one of these options:
• In the select pane, right‑click the Databases object type, then select the New SQL database typefrom the context menu.
• In the select pane, right‑click the Databases object type, then select the New SQL database type onthe configuration pane.
2 In the Database Display Name field, specify a unique, meaningful name.
Configuring McAfee OTPConfigure the Databases object type 4
McAfee One Time Password 3.5 Administration Guide 35
3 To configure the new SQL database for use with tokens based on the Open Authentication (OATH)HOTP or TOTP standard, select the Uses HOTP or TOTP (OATH) checkbox.
Select this checkbox to modify the available settings in the SQL Queries area on the configurationpane.
Select this checkbox when configuring the new SQL database for use with Pledge, the McAfeesoftware token installed on a mobile device.
4 On the configuration pane, configure the remaining settings.
Tasks• JDBC/ODBC Settings on page 36
Use the configuration pane to configure the settings in the JDBC/ODBC Settings area.
• SQL Queries (HOTP/TOTP Disabled) on page 37Use the configuration pane to configure the settings in the SQL Queries area when the UsesHOTP or TOTP (OATH) checkbox is not selected.
• SQL Queries (HOTP/TOTP Enabled) on page 38Use the configuration pane to configure the settings in the SQL Queries area when the UsesHOTP or TOTP (OATH) checkbox is selected.
• Onetime Password Prefetch on page 38The SQL database Onetime Password Prefetch settings are the same as the LDAP database.
• PIN code on page 38The SQL database PIN code settings are the same as the LDAP database.
• Advanced options on page 39The SQL database Advanced options settings are the same as the LDAP database.
JDBC/ODBC SettingsUse the configuration pane to configure the settings in the JDBC/ODBC Settings area.
Option Definition
Driver Manager Specify the Driver Manager using JDBC syntax.ODBC example: sun.jdbc.odbc.JdbcOdbcDriverMySQL example: com.mysql.jdbc.Driver
Database URL Specify the Database URL of the JDBC/ODBC database.ODBC example: jdbc:odbc:DatabasenameMySQL example: jdbc:mysql://Ipaddress:portnr:/dbname
Samples Provides sample settings for the Driver Manager and Database URL fields.
Username Specify the user name for the JDBC/ODBC database.
Password Specify the password for the JDBC/ODBC database.
No of conns Specify the number of concurrent database connections in the connection poolavailable to McAfee OTP.
Test Connection Test the database connection.
4 Configuring McAfee OTPConfigure the Databases object type
36 McAfee One Time Password 3.5 Administration Guide
SQL Queries (HOTP/TOTP Disabled)Use the configuration pane to configure the settings in the SQL Queries area when the Uses HOTP or TOTP(OATH) checkbox is not selected.
Option Definition
Authenticate Specify the SQL query used for authentication, which must return the user name.Example: SELECT NAME FROM UserDB WHERE NAME='$$NAME$$’ ANDPASSWORD='$$PASSWORD$$'
OTP Field Specify the SQL query that retrieves the mobile phone number or email addressfrom the user’s account.
In the query, use the $$NAME$$ tag for the user name.
Login Retries Specify the maximum number of incorrect passwords that users can providebefore the user’s account is locked.
Specify a value for this field to enable the lock user function. If a value for thisfield is not specified, there is no limit to the number of incorrect passwords thatusers can provide. Locked accounts are automatically unlocked after a time periodthat you configure.
Get Locked (GetDisabled)
Specify the SQL query that reads whether the user account is locked.
Use the $$NAME$$ tag for the user name in the SQL query.
Example: SELECT disabled FROM users WHERE name='$$NAME$$' ANDdisabled='TRUE'
Set Locked (SetDisabled)
Specify the SQL query to execute when the maximum number of Login Retries isexceeded.
Use the $$NAME$$ tag for the user name in the SQL query.
Example: UPDATE users SET disabled='TRUE' WHERE name='$$NAME$$'
Get Disable OTP Specify the SQL query that determines whether the user can log in without aone‑time password.Example: SELECT skipotpflag UserTable WHERE name='$$NAME$$'
If you do not specify a value for this field, authentication with a one‑time passwordis always required.
Test Authentication Test the authentication.
See also Configure the Unlock User Accounts options on page 62
Configuring McAfee OTPConfigure the Databases object type 4
McAfee One Time Password 3.5 Administration Guide 37
SQL Queries (HOTP/TOTP Enabled)Use the configuration pane to configure the settings in the SQL Queries area when the Uses HOTP or TOTP(OATH) checkbox is selected.
Option Definition
Authenticate Specify the SQL query used for authentication, which must return the user name.Example: SELECT NAME FROM UserDB WHERE NAME='$$NAME$$’ ANDPASSWORD='$$PASSWORD$$'
Get OATHKey Specify the SQL query that retrieves the OATH key from the user’s account.Example: SELECT OATHKey FROM UserDB WHERE NAME='$$NAME$$'
Set OATHKey Specify the SQL query that sets the OATH key in the user’s account.Example: UPDATE users SET OATHKey ='$$KEY$$' WHERE name='$$NAME$$'
Login Retries Specify the maximum number of incorrect passwords that users can providebefore the user’s account is locked.
Specify a value for this field to enable the lock user function. If a value for thisfield is not specified, there is no limit to the number of incorrect passwords thatusers can provide. Locked accounts are automatically unlocked after a time periodthat you configure.
Get Locked (GetDisabled)
Specify the SQL query that reads whether the user account is locked.
Use the $$NAME$$ tag for the user name in the SQL query.
Example: SELECT disabled FROM users WHERE name='$$NAME$$' ANDdisabled='TRUE'
Set Locked (SetDisabled)
Specify the SQL query to execute when the maximum number of login retries isexceeded.
Use the $$NAME$$ tag for the user name in the SQL query.
Example: UPDATE users SET disabled='TRUE' WHERE name='$$NAME$$'
Test Authentication Test the authentication.
See also Configure the Unlock User Accounts options on page 62
Onetime Password PrefetchThe SQL database Onetime Password Prefetch settings are the same as the LDAP database.
See also Onetime Password Prefetch on page 33
PIN codeThe SQL database PIN code settings are the same as the LDAP database.
See also PIN Code on page 34
4 Configuring McAfee OTPConfigure the Databases object type
38 McAfee One Time Password 3.5 Administration Guide
Advanced optionsThe SQL database Advanced options settings are the same as the LDAP database.
See also Advanced options on page 35
Create a RADIUS Forward databaseUse a RADIUS Forward database to allow McAfee OTP to pass through and forward RADIUS requeststo a third‑party RADIUS Server, which supports RSA SecurID and SafeWord tokens.
Task1 To select the RADIUS Forward database type, use one of these options:
• In the select pane, right‑click the Databases object type, then select the New RADIUS Forwarddatabase type from the context menu.
• In the select pane, right‑click the Databases object type, then select the New RADIUS Forwarddatabase type in the configuration pane.
2 In the Database Display Name field, specify a unique, meaningful name.
3 Click Add RADIUS Server, and specify the IP address and port number of the RADIUS server.
McAfee OTP uses this information when forwarding requests to the server.
4 (Optional) To remove a RADIUS server, select it, and click Remove RADIUS Server.
5 On the configuration pane, configure the remaining options.
Option Definition
Shared Secret Specify the secret shared by the McAfee OTP server and the RADIUSserver.
Forward additional RADIUSattributes
Specify whether the McAfee OTP server forwards additional RADIUSattributes to the other RADIUS server.
Test RADIUS request Test authentication to the selected RADIUS server.
Create a database groupConfigure multiple McAfee OTP databases as a group.Database groups can include LDAP, JDBC, and RADIUS Forward databases, or a combination.
When databases are configured as a group, McAfee OTP searches them in the order that they arelisted on the configuration pane. When a matching user name and password are found in a specifieddatabase for a specified user, McAfee OTP uses that database for that user.
LDAP and JDBC databases must be configured before they can be added to a database group.
Task1 To select the Database group database type, use one of these options:
• In the select pane, right‑click the Databases object type, then select the Database Group databasetype from the context menu.
• In the select pane, right‑click the Databases object type, then select the Database Group databasetype in the configuration pane.
2 In the Database Display Name field, specify a unique, meaningful name.
3 In the Database Group Settings area, click Add Database, then select one or more databases.
Configuring McAfee OTPConfigure the Databases object type 4
McAfee One Time Password 3.5 Administration Guide 39
4 Click Up and Down to position the selected databases in the list.
5 (Optional) To remove a database from the database group, click Remove Database.
Configure the Clients object typeMcAfee OTP uses McAfee OTP client objects to manage connections to McAfee OTP clients.
These McAfee OTP clients are supported:
• RADIUS — Use the RADIUS challenge‑response protocol to communicate with McAfee OTP.
Examples: Firewall and VPN (BlueCoat, Cisco, Citrix, F5, and Juniper)
• Native — Communicate with McAfee OTP using the API that it provides.
Examples: CA SiteMinder, Microsoft Outlook Web Access, Microsoft SharePoint, and NovellGroupWise Web Access.
• Web services — Use SOAP‑based web services implemented through an API to communicate withMcAfee OTP.
See also Web Service Client API (SOAP) on page 5
Contents Create a client Delete a client Duplicate a client Create a RADIUS client Create a Native client Create a Web services client
Create a clientCreate a McAfee OTP client object to manage connections to McAfee OTP clients.
Task1 To create a client, choose from these options:
• In the select pane, right‑click the Clients object type, then select the New Client type from thecontext menu.
• In the select pane, select the Clients object type, then select the New Client type in theconfiguration pane.
2 In the Client Display Name field, specify a unique, meaningful name.
3 In the configuration pane, configure the remaining settings.
Delete a clientDelete a client that is no longer needed.
Task1 In the select pane, navigate to the client.
2 Right‑click the client, and select Delete from the context menu.
4 Configuring McAfee OTPConfigure the Clients object type
40 McAfee One Time Password 3.5 Administration Guide
Duplicate a clientDuplicate an existing client.
Task1 In the select pane, navigate to the client.
2 Right‑click the client, and select Duplicate Client from the context menu.
3 In the Client Display Name field, specify a unique, meaningful name.
4 In the configuration pane, configure the remaining settings.
Create a RADIUS clientCreate a RADIUS client using the following steps.
Task1 To select the RADIUS client type, use one of these options:
• In the select pane, right‑click the Clients object type, then select the New RADIUS client type fromthe context menu.
• In the select pane, right‑click the Clients object type, then select the New RADIUS client type in theconfiguration pane.
2 In the Client Display Name field, specify a unique, meaningful name.
3 In the Client IP Address field, specify the IP address of the RADIUS client.
• Do not specify a DNS name.
• You can specify multiple IP addresses by using a wildcard character, such as “*”.
4 In the configuration pane, configure the remaining settings.
AdvancedClick Advanced to configure the RADIUS client settings.
Contents RADIUS Client Attribute Detection Listen on RADIUS Ports Encoding RADIUS Reject Error Messages
RADIUS Client Attribute DetectionSpecify a different client configuration and database for each user group at the same IP address,differentiate between user groups, such as employees, partners, and customers, and enable differentauthentication methods for each user group at the same IP address.
Option Definition
Enable Attribute Detection Specifies whether the RADIUS attribute detection feature is enabled.
RADIUS attribute number Specifies a RADIUS attribute by number.
RADIUS attribute value Specifies a value for the selected RADIUS attribute.
Configuring McAfee OTPConfigure the Clients object type 4
McAfee One Time Password 3.5 Administration Guide 41
Option Definition
Match type Specifies whether the match must be exact.
Match case Specifies whether the match is case‑sensitive.
Listen on RADIUS PortsSpecify the RADIUS port numbers on which McAfee OTP listens.
The Listen on RADIUS Ports settings are only available when McAfee OTP is configured as a RADIUS server,and Additional Ports are enabled in the configuration pane.
Option Definition
Listen on ALL available portnumbers
Specify whether McAfee OTP listens on all RADIUS port numbers.
Selected ports Specify one or more RADIUS port numbers on which McAfee OTP listens.
This option is only available when the previous option is disabled.
EncodingUse the configuration pane to configure the settings in the Encoding Settings area.
Option Definition
Charset encoding Specifies a system character set.
The RADIUS standard uses UTF‑8 encoding to transform packet data to strings.
RADIUS Reject Error MessagesConfigure end user error messages that are sent when authentication fails.
Option Definition
Failed Auth/Error Specify the message that is sent when the user fails to authenticate or a system erroroccurs.
• This message is sent by RADIUS attribute 18.
• To disable this message, leave this field blank.
Failed OTP Specifies a message that is sent when the user’s one‑time password fails.
• This message is sent by RADIUS attribute 18.
• To disable this message, leave this field blank.
4 Configuring McAfee OTPConfigure the Clients object type
42 McAfee One Time Password 3.5 Administration Guide
RADIUS OptionsUse the configuration pane to configure the settings in the RADIUS Options area.
Option Definition
Shared Secret Specify the RADIUS client’s shared secret.
The RADIUS client and the RADIUS client application must have the sameshared secret.
Supports RADIUSAccess‑Challenge
Select this checkbox to specify that the RADIUS client supports the RADIUSchallenge‑response protocol.
Response Message Specify the message that is sent to the RADIUS client for prompting the userto enter a one‑time password.
This field is only available when the RADIUS client supports thechallenge‑response protocol.
Allow multiple user requests Select this checkbox to allow an end user to request one‑time passwordsfrom multiple RADIUS endpoints.This setting is useful when single users are requesting one‑time passwordsfrom redundant VPN servers.
This field is only available when the RADIUS client does not support thechallenge‑response protocol.
Auth. Server IP Address Specify the IP address of the RADIUS client, VPN, or firewall.
This field is only available when the RADIUS client does not support thechallenge‑response protocol.
Prefetch OTP OptionsUse the Prefetch OTP Options for RADIUS clients that do not support the challenge‑response protocol.
The Prefetch OTP Options are only available when the RADIUS client is configured to use only prefetchone‑time passwords.
Option Definition
Use ONLY OATH OTP orPrefetch OTPs
Select this checkbox to specify using only OATH tokens or prefetch one‑timepasswords.
This checkbox is only available when the RADIUS client does not support thechallenge‑response protocol.
Require Password ANDPrefetch OTP
Specify that users must enter a string which is the concatenation of thedatabase password and the one‑time password.
This setting is only available when prefetch one‑time passwords are enabled.
Example: dbpassword012345
Generate Prefetch OTP ifnone exists
When end users log on with user name and password, specify the ability togenerate prefetch one‑time passwords if none exist.
This setting is only available when prefetch one‑time passwords are enabled.
Configuring McAfee OTPConfigure the Clients object type 4
McAfee One Time Password 3.5 Administration Guide 43
User DatabaseFrom the User Database drop‑down list, select one of the configured databases for the RADIUS client touse.
See also Configure the Databases object type on page 28
Other optionsUse the configuration pane to configure the settings in the Other options area.
Option Definition
Uses externalOTP API
Select this checkbox to specify that the external code using the API generates andverifies the one‑time password instead of McAfee OTP. Type the Java class name thatimplements the interface in the field that opens:se.nordicedge.interfaces.OTPVerificationHandler
Uses externalOTP API
Click Radius Attributes to specify attributes that are sent following successfulauthentication. In the interface that opens, add each attribute and attribute number tothe attribute list. Attribute values include:• Static Value • Login Name
• UserDN • external code
• User Attribute
Force OTPDeliveryMethod
Select an McAfee OTP delivery method from the drop‑down list.
This setting overrides the McAfee OTP default, which uses the delivery methods in theorder they are configured by the administrator.
Create a Native clientCreate a Native OTP client using the following steps.
Task1 To select the Native client type, use one of these options:
• In the select pane, right‑click the Clients object type, then select the New Native client type fromthe context menu.
• In the select pane, right‑click the Clients object type, then select the New Native client type in theconfiguration pane.
2 In the Client Display Name field, specify a unique, meaningful name.
Example: CA SiteMinder.
3 In the Client IP Address field, specify the IP address of the Native client.
• Do not specify a DNS name.
• You can specify multiple IP addresses by using a wildcard character, such as “*”.
4 In the configuration pane, configure the remaining settings.
4 Configuring McAfee OTPConfigure the Clients object type
44 McAfee One Time Password 3.5 Administration Guide
Tasks• Advanced — Native Client Name Detection on page 45
McAfee OTP uses the name of the integration module to differentiate between user groupsat the same IP address, and applies a different client configuration and database to eachone.
• Options on page 45Use the configuration pane to configure the settings in the Options area.
• User Database on page 45From the User Database drop‑down list, select one of the configured databases for the Nativeclient to use.
• Other options on page 46Use the configuration pane to configure the settings in the Other options area.
Advanced — Native Client Name DetectionMcAfee OTP uses the name of the integration module to differentiate between user groups at the sameIP address, and applies a different client configuration and database to each one.
Option Definition
Enable Name Detection Select this checkbox to enable the Native Client Name Detection feature, and enabledifferent authentication methods for each user group at the same IP address.
Client Name Specify the client name used by the integration module.
OptionsUse the configuration pane to configure the settings in the Options area.
Option Definition
Accept User Lookuponly
Select this checkbox to allow McAfee OTP to look up users based on user nameonly, issue one‑time passwords, and enable authentication with a one‑timepassword instead of user name and password.
The password field can be empty.
Client Name Specify the client name used by the integration module.
This field is available when Accept User Lookup only is selected.
User DatabaseFrom the User Database drop‑down list, select one of the configured databases for the Native client touse.
See also Configure the Databases object type on page 28
Configuring McAfee OTPConfigure the Clients object type 4
McAfee One Time Password 3.5 Administration Guide 45
Other optionsUse the configuration pane to configure the settings in the Other options area.
Option Definition
Uses externalOTP API
Select this checkbox to specify that the external code using the API generates andverifies the one‑time password instead of McAfee OTP Server. Type the Java class namethat implements the interface in the field that opens:se.nordicedge.interfaces.OTPVerificationHandler
Force OTPDelivery Method
Select an McAfee OTP delivery method from the drop‑down list.
This setting overrides the McAfee OTP default, which uses the delivery methods in theorder they are configured by the administrator.
Create a Web services clientCreate a Web services client using the following steps.
Task1 To select the Web services client type, use one of these options:
• In the select pane, right‑click the Clients object type, then select the New Web services client typefrom the context menu.
• In the select pane, right‑click the Clients object type, then select the New Web services client type inthe configuration pane.
2 In the WS Client Name field, specify a unique, meaningful name.
The name must correspond to the client name in the client’s web services requests.
3 In the WS Client Password field, specify a password for the Web services client.
4 In the configuration pane, configure the remaining settings.
Tasks• Options on page 46
Use the configuration pane to configure the settings in the Options area.
• User Database on page 47From the User Database drop‑down list, select one of the configured databases for the Webservices client to use.
• Other Options on page 47Use the configuration pane to configure the settings in the Other Options area.
OptionsUse the configuration pane to configure the settings in the Options area.
Option Definition
Accept User Lookuponly
Select this checkbox to allow McAfee OTP to look up users based on user nameonly and issue one‑time passwords, and enable authentication with a one‑timepassword instead of user name and password.
The password field can be empty.
4 Configuring McAfee OTPConfigure the Clients object type
46 McAfee One Time Password 3.5 Administration Guide
User DatabaseFrom the User Database drop‑down list, select one of the configured databases for the Web services clientto use.
See also Configure the Databases object type on page 28
Other OptionsUse the configuration pane to configure the settings in the Other Options area.
Option Definition
Uses externalOTP API
Selecting this checkbox specifies that the external code using the API generates andverifies the one‑time password instead of McAfee OTP. Type the Java class name thatimplements the interface in the field that opens:se.nordicedge.interfaces.OTPVerificationHandler
Force OTPDeliveryMethod
Selects an McAfee OTP delivery method from the drop‑down list of configured methodsfor McAfee OTP to use.
This setting overrides the McAfee OTP default, which uses the delivery methods in theorder they are configured by the administrator.
Configure the Delivery Method object typeConfigure one or more methods for McAfee OTP to use to deliver one‑time passwords.
These options are available:
• Show all — Displays all delivery method types.
• Show enabled — Displays enabled delivery method types only.
• Show disabled — Displays disabled delivery method types only.
Contents Enable a delivery method type Configure the SMS Gateway delivery method Configure the HTTP delivery method Configure the Extended HTTP delivery method Configure the SMTP delivery method Configure the Netsize delivery method Configure the Concurrent Sender delivery method Configure the Instant Messaging delivery method Configure the SMPP delivery method Configure the CIMD2 delivery method Configure the UCP File delivery method Configure the Prefetch Detection delivery method
Configuring McAfee OTPConfigure the Delivery Method object type 4
McAfee One Time Password 3.5 Administration Guide 47
Enable a delivery method typeEnable a delivery method type for McAfee OTP to use to deliver one‑time passwords.
Task1 In the select pane, right‑click the Delivery Method object type, then select the Delivery object type.
2 In the configuration pane, enable the Delivery object type.
3 To change the order the delivery method types are used, right‑click the Delivery method type, thenselect Move up or Move down.
Configure the SMS Gateway delivery methodMcAfee SMS module is a plug‑in that delivers one‑time passwords to end users using the McAfee SMSGateway. The module provides status controls, usage statistics, and automatic failover for lapses inSMS service.
Task1 In the select pane, expand the Delivery Methods object type, then select McAfee SMS.
2 In the configuration pane, select the Enable McAfee SMS Gateway checkbox.
3 Configure the remaining settings.
Tasks• General Settings and Proxy areas on page 48
Use the configuration pane to configure the settings in the General Settings and Proxy areas.
• Location on page 49Select the geographic area that corresponds to your location.
• Configuration and Status on page 49To configure the settings in the Configuration and Status area, click Request a demo account .
• Advanced on page 49Click Advanced to open the following settings.
General Settings and Proxy areasUse the configuration pane to configure the settings in the General Settings and Proxy areas.
Option Definition
Username Specify the user name for the McAfee SMS service.
Password Specify the password for the McAfee SMS service.
Flash SMS Select this checkbox to allow McAfee SMS service to send Flash SMS messages toa mobile phone.
Message Specify the one‑time password message sent to mobile phones.
In the message, the one‑time password replaces the $$OTP$$ tag. If the tag isomitted, the one‑time password appends to the end of the message.
Enable HTTP proxyserver
Select this checkbox to enable support for an HTTP proxy server.
This setting is required when McAfee OTP is installed on a server that cannotaccess the Internet without going through an HTTP proxy.
4 Configuring McAfee OTPConfigure the Delivery Method object type
48 McAfee One Time Password 3.5 Administration Guide
Option Definition
Server Specify the DNS name or IP address of the HTTP proxy server.
This field is only available when the HTTP proxy server is enabled.
Port Specify the port number of the HTTP proxy server.
This field is only available when the HTTP proxy server is enabled.
Disable PF SMSStatus
Select this checkbox to send a message to the McAfee SMS Gateway disablingSMS status control for users that have prefetch one‑time passwords stored in theuser database, reducing the waiting time for these passwords.
Username inaccounting file
Select this checkbox to include the user name in the McAfee OTP log accountingfile.
If you are not using the accounting file, you can ignore this setting.
Validate SSLCertificates
Select this checkbox to enable SSL certificate validation.
LocationSelect the geographic area that corresponds to your location.
Configuration and StatusTo configure the settings in the Configuration and Status area, click Request a demo account .
Option Definition
Test Send a test SMS message to a mobile phone through McAfee SMS Gateway.
Update Config Manually update the configuration for the McAfee SMS Gateway service.
Debug Write SMS debug information to the log files.
AdvancedClick Advanced to open the following settings.
Option Definition
Enable max Limit Set thresholds for SMS delivery.
Max SMS per user per day Maximum number of SMS messages that each user can send in one day.
Max SMS total per day Total number of SMS messages that all users can send in one day.
Configure the HTTP delivery methodSend one‑time passwords using the HTTP or HTTPS protocol to an SMS provider.
Task1 In the select pane, expand the Delivery Methods object type, then select HTTP.
2 In the configuration pane, select the Enable HTTP checkbox.
3 Configure the remaining settings.
For more information, contact your SMS provider.
Configuring McAfee OTPConfigure the Delivery Method object type 4
McAfee One Time Password 3.5 Administration Guide 49
Tasks• Headers or Template file on page 50
Use the configuration pane to configure the settings in the Headers or Template file area.
• Authentication on page 50Use the configuration pane to configure the settings in the Authentication area.
• Proxy on page 50Use the configuration pane to configure the settings in the Proxy area.
• Other Settings on page 51Use the configuration pane to configure the settings in the Other Settings area.
Headers or Template fileUse the configuration pane to configure the settings in the Headers or Template file area.
Option Definition
User Header The name of the HTTP header corresponding to the user’s mobile phone numberor email address.
OTP Header The name of the HTTP header corresponding to the one‑time password.
Headers in Query String Include HTTP headers in the query string as GET parameters.Example: ?USER=070112233&CHALLENGE=123456
Template file Name of the template file that replaces HTTP headers.
• The template file must contain the following two tags: $$IDENTITY$$and $$CHALLENGE$$.
• To use headers only, leave this field blank.
Auto‑Accept SSLCertificates
Allows McAfee OTP to automatically trust SSL certificates received over HTTPS.
Debug Enables logging of HTTP messages.
AuthenticationUse the configuration pane to configure the settings in the Authentication area.
Option Definition
Enable HTTP Authentication Enables HTTP authentication.
Username User name required for HTTP authentication.
Password Password required for HTTP authentication.
ProxyUse the configuration pane to configure the settings in the Proxy area.
Option Definition
Enable Proxy Server Enable HTTP requests and responses through a proxy server.
Proxy Server DNS name of the proxy server.
Proxy Port Port number of the proxy server.
4 Configuring McAfee OTPConfigure the Delivery Method object type
50 McAfee One Time Password 3.5 Administration Guide
Other SettingsUse the configuration pane to configure the settings in the Other Settings area.
Option Definition
Content Type Content type of HTTP email messages using the MIME standard.Default: application/x‑www‑form‑urlencoded
HTTP(/S) URL URL where the one‑time password is posted.
Success String The string that the HTTP server sends to McAfee OTP when the one‑time password isposted successfully.
Without this string, McAfee OTP continues processing as though the post failed.
Configure the Extended HTTP delivery methodThe Extended HTTP delivery method offers more configuration options than the HTTP delivery method.
Task
1 In the select pane, expand the Delivery Methods object type, then select Extended HTTP.
2 In the configuration pane, select the Enable Extended HTTP Sender checkbox.
3 Configure the remaining settings.
Tasks
• Headers or Template file on page 51Use the configuration pane to configure the settings in the Headers or Template file area.
• Authentication and Proxy on page 52Use the configuration pane to configure the settings in the Authentication and Proxy area.
• Other Settings on page 52Use the configuration pane to configure the settings in the Other Settings area.
Headers or Template fileUse the configuration pane to configure the settings in the Headers or Template file area.
Option Definition
User Header The name of the HTTP header corresponding to the user’s mobile phonenumber or email address.
OTP Header The name of the HTTP header corresponding to the one‑time password.
Remove leading + Removes the leading “+” character from mobile phone numbers.
Replace + with 00 Removes the leading “+” character from mobile phone numbers, andreplaces it with two zeros.
Template File The name of the template file that replaces HTTP headers. The template filemust contain the following two tags: $$IDENTITY$$ and $$CHALLENGE$$.
To use headers only, leave this field blank.
Edit Allows you to edit the template file.
Auto‑Accept SSL Certificates Allows McAfee OTP to automatically trust SSL certificates received overHTTPS.
Debug Enables logging of HTTP messages.
Use GET Specifies GET as the HTTP method in place of POST.
Configuring McAfee OTPConfigure the Delivery Method object type 4
McAfee One Time Password 3.5 Administration Guide 51
Authentication and ProxyUse the configuration pane to configure the settings in the Authentication and Proxy area.
Option Definition
Proxy Server Enables HTTP requests and responses through a proxy server.• Proxy Server — The DNS name of the proxy server.
This field opens when the proxy server is enabled.
• Proxy Port — The port number of the proxy server.
This field opens when the proxy server is enabled.
HTTP Auth Enables HTTP authentication.• Username — The user name required for authentication.
This field opens when HTTP authentication is enabled.
• Password — The password required for authentication.
This field opens when HTTP authentication is enabled.
Client Cert Enables certificate authentication.• PKCS12 file — The full path name to the certificate file.
This field opens when certificate authentication is enabled.
• Password — The password required to decrypt the certificate file.
This field opens when certificate authentication is enabled.
Certificate authentication requires HTTPS.
Other SettingsUse the configuration pane to configure the settings in the Other Settings area.
McAfee OTP uses the URLs in the order that you specify them. If one URL fails, McAfee OTP failsover tothe last working URL.
Option Definition
Content Type The content type of HTTP email messages using the MIME standard.Default: application/x‑www‑form‑urlencoded
HTTP(/S) URL 1 The first of three URLs where McAfee OTP can post the one‑time password.
HTTP(/S) URL 2 The second of three URLs where McAfee OTP can post the one‑time password.
HTTP(/S) URL 3 The third of three URLs where McAfee OTP can post the one‑time password.
Success String The string that the HTTP server sends to McAfee OTP when the one‑timepassword is posted successfully. Without this string, McAfee OTP continuesprocessing as though the post failed.Default: application/x‑www‑form‑urlencoded
Set SOAP Action requestheader
Adds a SOAP Action header field to the HTTP request.
4 Configuring McAfee OTPConfigure the Delivery Method object type
52 McAfee One Time Password 3.5 Administration Guide
Configure the SMTP delivery methodSend one‑time passwords using the SMTP protocol.
• SMTP is an acronym for Simple Message Transfer Protocol.
• McAfee OTP sends all messages containing the “@” character to users by SMTP.
Task1 In the select pane, expand the Delivery Methods object type, and select SMTP.
2 In the configuration pane, select the Enable SMTP checkbox.
3 Configure the remaining settings.
Tasks• SMTP Host on page 53
Use the configuration pane to configure the settings in the SMTP Host area.
• Authentication on page 53Use the configuration pane to configure the settings in the Authentication area.
• SMTP Options on page 54Use the configuration pane to configure the settings in the SMTP Options area.
SMTP HostUse the configuration pane to configure the settings in the SMTP Host area.
Option Definition
SMTP Host The IP address or DNS name of the SMTP host.
Mime Encoding The MIME encoding for messages delivered by the SMTP method.Default: ISO‑8859‑1
Port The port number of the SMTP host.Default: 25
SSL/TLS Use the SSL or TLS protocol.
Force TLS Use TLS, not SSL.
This checkbox is only available when SSL/TLS is enabled.
AuthenticationUse the configuration pane to configure the settings in the Authentication area.
Option Definition
Enable SMTP Authentication Enables SMTP authentication.
Username The user name required for SMTP authentication.
Password The password required for SMTP authentication.
Configuring McAfee OTPConfigure the Delivery Method object type 4
McAfee One Time Password 3.5 Administration Guide 53
SMTP OptionsUse the configuration pane to configure the settings in the SMTP Options area.
Option Definition
Mail sender address The address of the email sender.
Mail To Address The address of the email recipient.
This setting is only available when the Mail address checkbox is not selected.
Mail address Use the user’s email address as the recipient’s address, and disable the Mail ToAddress field.
Subject The subject line of the email message.
This setting is only available when the User ID checkbox is not selected.
User ID Using the user’s mobile phone number or email address as the subject of the email,and disables the Subject field.
Body Text The body of the SMTP message, including the $$OTP$$ tag which is replaced by theone‑time password.
• If the $$OTP$$ tag is omitted, the one‑time password is appended to theend of the text.
• Clicking the browse button opens the body text editor.
Is filename Save the body text in a template file.
• Enter the full path name to the template file in the Body Text field.
• The template file can contain the $$IDENTITY$$ and $$OTP$$ tags.
Debug Write SMTP debug information to the log files.
Look up mailaddress in database
Specify an attribute that stores a complete email address. Use this function whenusing email as a back‑up delivery method.
McAfee OTP can look up the specified attribute when it encounters an email addressthat does not contain the “@” character.
Test Send a test email message.
Configure the Netsize delivery methodSend one‑time passwords using the Netsize SMS Gateway.
A Netsize account is required.
Task1 In the select pane, expand the Delivery Methods object type, and select Netsize.
2 In the configuration pane, select the Enable Netsize checkbox.
3 Configure the remaining settings.
4 Configuring McAfee OTPConfigure the Delivery Method object type
54 McAfee One Time Password 3.5 Administration Guide
Tasks• Communication on page 55
Use the configuration pane to configure the settings in the Communication area.
• Authentication on page 55Use the configuration pane to configure the settings in the Authentication area.
• Message on page 55Use the configuration pane to configure the settings in the Message area.
• Endpoint Settings on page 55Use the configuration pane to configure the settings in the Endpoint Settings area.
• Options on page 56Use the configuration pane to configure the settings in the Options area.
CommunicationUse the configuration pane to configure the settings in the Communication area.
Option Definition
SMS Gateway Specifies the IP address or DNS name of the Netsize SMS Gateway.
Port nr Specifies the port number of the Netsize SMS Gateway.
AuthenticationUse the configuration pane to configure the settings in the Authentication area.
Option Definition
Login Specifies the user name required for authentication.
Password Specifies the password required for authentication.
MessageUse the configuration pane to configure the settings in the Message area.
Option Definition
Message Specifies the message to send to the mobile phone that includes the one‑time password.McAfee OTP replaces the $$OTP$$ tag in the message with the one‑time password. If the tagis omitted from the message, McAfee OTP appends the one‑time password to the end of themessage.
Clicking the Browse button opens the editor.
Endpoint SettingsUse the configuration pane to configure the settings in the Endpoint Settings area.
Use these available settings:
• Sending (MT)
• Receive (MO)
• Notification (SR)
Please consult your Netsize customer service representative for more information.
Configuring McAfee OTPConfigure the Delivery Method object type 4
McAfee One Time Password 3.5 Administration Guide 55
OptionsUse the configuration pane to configure the settings in the Options area.
Option Definition
Debug Selecting this checkbox enables debugging of Netsize packets in the console or log files.
Encryption Selecting this checkbox enables encryption.This function requires coordination between McAfee OTP and the Netsize SMS Gateway.
Consult your Netsize customer service representative for more information.
Message Type Specifies the presentation of the message on the mobile phone. Select one of thefollowing options:• Immediate Display (Flash)
• Stored on Mobile phone
• Stored on SIM‑card
Configure the Concurrent Sender delivery methodSimultaneously send one‑time passwords using two or more delivery methods.
Task1 In the select pane, expand the Delivery Methods object type, and select Concurrent Sender.
2 In the configuration pane, select the Enable Concurrent Sender checkbox.
3 From the Add Method drop‑down list, select the delivery method, then click Add.
The method is added to the Sending methods list.
4 (Optional) To remove a delivery method from the Sending methods list, select the delivery method,then click Delete.
Configure the Instant Messaging delivery methodSend one‑time passwords using these instant messaging methods.
• Skype
• Microsoft Live (MSN)
• Jabber (Google Talk)
Task1 In the select pane, expand the Delivery Methods object type, then select Instant Messaging.
2 In the configuration pane, select the Enable Instant Messaging checkbox.
3 In the OTP Message field, enter the message to be sent to the user's mobile phone using the $$OTP$$tag as a placeholder for the one‑time password.
4 Select the tab that corresponds to the instant messaging delivery method.
5 Configure the settings on the selected tab.
4 Configuring McAfee OTPConfigure the Delivery Method object type
56 McAfee One Time Password 3.5 Administration Guide
User PrefixAll three Instant Messaging delivery methods support the User Prefix feature, which the user ID has a prefixthat specifies the instant messaging service in use. Using the prefix, McAfee OTP can route theincoming instant message to the specified service.
Configure the prefix by typing a value in the User Prefix field on the tab corresponding to each InstantMessaging service on the configuration pane.
Google example:
User Prefix: GOOGLETALK
User ID: GOOGLETALK;[email protected]
SkypeBefore you test the Skype Instant Messaging delivery method, verify that these minimum requirements aremet.
• The Skype client is installed and running on McAfee OTP and logged on to the Skype network.
• McAfee OTP is running Java 1.5.
• To allow McAfee OTP to pass messages to the Skype client, select Yes when prompted by the Skypeclient.
When you test the Skype Instant Messaging delivery method, do not provide a user prefix.
Microsoft Live (MSN)Before you test the MSN Instant Messaging delivery method, verify that these minimum requirements aremet.
• You have a valid MSN account.
• Configure the MSN login id and MSN Password fields.
• The Debug checkbox is selected to write MSN debug information to the log files.
When you test the MSN Instant Messaging delivery method, do not provide a user prefix.
Jabber (Google Talk)Before you test the Jabber Instant Messaging delivery method with McAfee OTP, verify that you have a validJabber account, and configure the settings in the configuration pane.
Option Definition
Server Specifies the host name or IP address of the Jabber server.
Port nr Specifies the port number of the Jabber server.
Use SSL Selecting this checkbox specifies using the SSL protocol.
Jabber ID Specifies your Jabber user name.
Password Specifies your Jabber password.
When you test the Jabber Instant Messaging delivery method, do not provide a user prefix.
Configuring McAfee OTPConfigure the Delivery Method object type 4
McAfee One Time Password 3.5 Administration Guide 57
Configure the SMPP delivery methodSend one‑time passwords using the SMPP protocol.
SMPP is an acronym for Short Message Peer‑to‑ Peer.
Task
1 In the select pane, expand the Delivery Methods object type, and select SMPP.
2 In the configuration pane, select the Enable SMPP checkbox.
3 Configure the remaining settings.
Configure the CIMD2 delivery methodSend one‑time passwords using the proprietary Nokia CIMD2 protocol.
Task
1 In the select pane, expand the Delivery Methods object type, then select CIMD2.
2 In the configuration pane, select the Enable CIMD2 checkbox.
3 Configure the remaining settings.
Configure the UCP File delivery methodCreate one UCP file for each one‑time password. Use this method when one‑time passwords areprocessed by modem software, and then sent by SMS to end users.
UCP is an acronym for Uniformity Correction Parameters.
Task
1 In the select pane, expand the Delivery Methods object type, then select UCP File.
2 In the configuration pane, select the Enable UCP File checkbox.
3 Configure the remaining settings.
Tasks
• UCP File Options on page 58Use the configuration pane to configure the settings in the UCP File Options area.
UCP File OptionsUse the configuration pane to configure the settings in the UCP File Options area.
Option Definition
File Directory to drop file Specifies the directory where one‑time passwords are stored, eachpassword in a separate UCP file.
Filename starts with Specifies a string that occurs at the beginning of each file name.Example: ucp
Filename ends with Specifies a string that occurs at the end of each file name.Example: .txt
Template File Specifies the name of the template file that provides the text contained inevery UCP file. The text includes a variable which is replaced by theone‑time password.
4 Configuring McAfee OTPConfigure the Delivery Method object type
58 McAfee One Time Password 3.5 Administration Guide
Option Definition
Control+New Line (0D0A)
Selecting this checkbox adds line breaks to the UCP file.
File character set Specifies the character encoding for the UCP file.Example: ISO–8859–1
Configure the Prefetch Detection delivery methodDetect if users are using only prefetch one‑time passwords. This delivery method is useful when some,but not all, users are using only prefetch one‑time passwords. When the Prefetch Detection deliverymethod is configured and selected, McAfee OTP checks the McAfee OTP attribute. If the attribute is setto a value that you configure, only prefetch one‑time passwords are used. In this case, McAfee OTPdoes not send a one‑time password by any delivery method.
Task1 In the select pane, expand the Delivery Methods object type, then select Prefetch Detection.
2 In the configuration pane, select the Enable Prefetch Detection checkbox.
3 In the OTP Attribute detection field, type the value of the OTP attribute when prefetch one‑time passwords onlyis true.
Example: PF‑ONLY
Configure the Misc object typeThe Misc object type includes the following miscellaneous configuration types.
Contents Configure the Expired Password Notification settings Configure the OATH settings Configure the Prefetch OTP options Configure the Unlock User Accounts options Configure the AES Encryption options Configure the Embedded HTTP Server Options Configure the Pledge Enrollment options Configure the Web Manager options Web Manager - User Guide Self Service - Admin Guide Self Service - User Guide Configure the Yubico options
Configure the Expired Password Notification settingsUse the configuration pane to configure the settings in the Expired Password Notification area.
Task1 In the select pane, expand the Misc object type, then select Expired Password Notification.
2 In the configuration pane, select the Enable Expired Password Notification checkbox.
3 Configure the remaining settings.
Configuring McAfee OTPConfigure the Misc object type 4
McAfee One Time Password 3.5 Administration Guide 59
Tasks• Expired Password Notification on page 60
Use the configuration pane to configure the settings in the Expired Password Notification area.
Expired Password NotificationUse the configuration pane to configure the settings in the Expired Password Notification area.
Option Definition
User attributes to send messageto
Specifies a comma‑separated list of attributes, each one storing an emailaddress or mobile phone number where the expired password notificationcan be sent.Example: mail,mobile
Message to the user Specifies the message that is sent to the end user when the user’spassword has expired.
Method to send notification with Selects the delivery method to use when sending the expired passwordnotification to end users.
Configure the OATH settingsMcAfee OTP supports the OATH HOTP and TOTP hardware tokens used by Pledge and other OATHsoftware tokens.
Task
1 In the select pane, expand the Misc object type, then select OATH Configuration.
2 Configure the remaining settings.
Tasks• HOTP on page 60
Use the Oath Configuration pane to configure the settings in the HOTP area.
• TOTP on page 61Use the configuration pane to configure the settings on the TOTP area.
• General OATH Settings on page 61The following settings can be configured for both HOTP and TOTP tokens.
• Automatic OATH Enrollment on page 61The Automatic Oath Enrollment settings are only available when the Accept OATH Token Identifier andEnable Automatic Enrollment checkboxes are selected.
HOTPUse the Oath Configuration pane to configure the settings in the HOTP area.
Option Definition
Encrypt Key and counter Selecting this checkbox specifies whether the HOTP key and counter areencrypted in the database.
Validation LookAhead Value Specifies the number of unused one‑time passwords the user can generatewith the OATH device before the device is out‑of‑sync and needs to beresynchronized.
OTP Length Selects the length of the one‑time password.
Truncation value Specifies an offset value for OATH devices.
A value of –1 specifies variable truncation. Do not modify this value.
4 Configuring McAfee OTPConfigure the Misc object type
60 McAfee One Time Password 3.5 Administration Guide
TOTPUse the configuration pane to configure the settings on the TOTP area.
Option Definition
Accept time drift Selecting this checkbox allows McAfee OTP to accept the preceding, current, orsucceeding one‑time password instead of only the current one‑time passwordto compensate for time drift.
Anti‑replay check Selecting this checkbox specifies that each one‑time password is only validonce in a specified time frame set by the software token, usually 30 or 60seconds.
Encrypt Key value Selecting this checkbox specifies that the TOTP key is encrypted in thedatabase.
Max Out of Synch TimeSteps
Specifies the maximum number of time steps that an OATH device can beout‑of sync with McAfee OTP. The time step is set by the OATH device, forexample, 30 seconds.
General OATH SettingsThe following settings can be configured for both HOTP and TOTP tokens.
Option Definition
Pin code placement Selects whether the end user enters the PIN code before or after theHOTP/TOTP token when a PIN code is used.
Accept OATH Token Identifier Selecting this checkbox adds support for software tokens that send atoken identifier in addition to a one‑time password.
Enable Automatic Enrollment(Class A ‑ OATH TokenIdentifier)
Selecting this checkbox specifies whether the automatic enrollmentprocess retrieves the OATH key and counter from the keyfile and uses theOATH token identifier to store them in the user database.
Automatic OATH EnrollmentThe Automatic Oath Enrollment settings are only available when the Accept OATH Token Identifier and EnableAutomatic Enrollment checkboxes are selected.
Option Definition
Key storage database Selects the database containing the keys and token identifier.
Check SQL Database Tests whether the TOKENDB database and tokens table exist in the selected SQLdatabase. If they do not exist, click Yes to create them.
The Check SQL Database button is only visible when the selected database is a SQLdatabase.
Object DN Selects an LDAP object in which to store the keys.
This field is only visible when the selected database is an LDAP database.
Attribute Selects an LDAP attribute in which to store the keys.
This field is only visible when the selected database is an LDAP database.
Upload keyfile todatabase
Clicking this button uploads the keys from the keyfile to the selected database.The keyfile must be a PSKC (RFC 6030) file or contain comma‑separated orsemicolon separated keys.
PSKC is an acronym for Portable Symmetric Key Container.
Configuring McAfee OTPConfigure the Misc object type 4
McAfee One Time Password 3.5 Administration Guide 61
Option Definition
Allow multiple tokenassignments
Selecting this checkbox accepts a user that has one OATH token and wants toenroll for a second token.
Encrypt keys inkeystorage database
Selecting this checkbox specifies that the keys in the keystore are encrypted.
If AES is configured, the keys are encrypted using AES encryption. However, youmust configure AES encryption before you import the keyfile.
Advanced automatic OATH enrollmentSome LDAP databases limit the number of keys per object to 1,000. To overcome this limitation, youcan configure multiple LDAP objects and attributes for storing OATH keys on the Advanced Configurationdialog box. To open the dialog box, click Advanced in the Automatic OATH Enrollment area in configurationpane.
Configure the Prefetch OTP optionsConfigure how prefetch one‑time passwords are delivered to the end user. McAfee OTP can sendprefetch one‑time passwords by any configured McAfee OTP delivery method or by forwarding them toanother McAfee OTP server.
Task1 In the select pane, expand the Misc object type, then select Prefetch Proxy Config.
2 To send all prefetch one‑time passwords to another McAfee OTP server, select the Proxy Sending ofPrefetch OTPs checkbox in the configuration pane.
3 Type the IP address and port number of the proxy server (separated by a colon).
To specify multiple proxy servers, use a comma to separate each IP address‑port number pair.
4 From the Force Sending Prefetch OTP with Method drop‑down list, select the McAfee OTP delivery method touse when sending prefetch one‑time passwords.
Only configured McAfee OTP delivery methods are available.
Configure the Unlock User Accounts optionsConfigure how many minutes user accounts are locked before the server automatically unlocks them,and specify different values for the first and second lockout. The Unlock function is used together withthe OTP Databases object settings — Login Retries, Locked Attribute, and Locked Value — to manage access toMcAfee OTP user accounts.
Task1 In the select pane, expand the Misc object type, then select Unlock User Accounts.
2 In the configuration pane, configure the remaining settings.
Option Definition
Unlock Accounts afterFirst Lockout
Specifies in minutes how long user accounts are locked when they arelocked for the first time.
Unlock Accounts afterSecond Lockout
Specifies in minutes how long user accounts are locked when they arelocked for the second time.
Reset Value Specifies the value to write to the Locked Attribute in the McAfee OTPdatabase when the user account is unlocked. If you do not specify a valuefor this setting, McAfee OTP sets the value of the Locked Attribute to empty.
4 Configuring McAfee OTPConfigure the Misc object type
62 McAfee One Time Password 3.5 Administration Guide
Configure the AES Encryption optionsMcAfee OTP V3.1 (and above) supports AES encryption and decryption. Using AES, McAfee OTP canstore OATH keys and other sensitive information encrypted in McAfee OTP databases.
Task1 In the select pane, expand the Misc object type, then select AES Encryption.
2 In the configuration pane, select the Enable AES Encryption checkbox.
3 Configure the remaining settings.
Tasks• General Settings on page 63
Specify the attributes for McAfee OTP to encrypt.
• Advanced Settings on page 63Use the configuration pane to configure the settings in the Advanced Settings area.
• Test encryption and decryption on page 64Use the configuration pane to configure the settings in the Test encryption & decryption area.
General SettingsSpecify the attributes for McAfee OTP to encrypt.
Task1 In the General Settings area, click Add.
2 In the configuration pane corresponding to the database, select the External Database handler checkbox,and type ext.aes in the field that opens.
3 Click Save Config.
Advanced SettingsUse the configuration pane to configure the settings in the Advanced Settings area.
Option Definition
AES Key Specifies the key to use for AES encryption and decryption:• To specify a 128‑bit key, provide a string of 32 characters.
• To specify a 256‑bit key, provide a string of 64 characters.
Do not modify the AES key in a production environment. All data encrypted with the keythat you erase can no longer be decrypted or recovered.
Key size Selects a key size from the drop‑down list:• 128
• 192
• 256
Units: bits
AES prefix Specifies the encryption format of an encrypted value. The prefix is added to the frontof the value.Default: {AES}
Configuring McAfee OTPConfigure the Misc object type 4
McAfee One Time Password 3.5 Administration Guide 63
Option Definition
Key type format Selects a format for the AES key: hex (hexadecimal) or Base64.Default: hex
Data format Selects a format for the encrypted data: hex (hexadecimal) or Base64.Default: hex
Use CBC Selecting this checkbox enables cipher‑block chaining (CBC).
IV (CBC) Specifies the initialization vector required to implement CBC.
The initialization vector must be specified in hexadecimal format and be 32 characters inlength (16 bytes).
Lock Locks and unlocks the AES settings.
Locking the settings protects them from being changed unintentionally.
Test encryption and decryptionUse the configuration pane to configure the settings in the Test encryption & decryption area.
Option Definition
Value Specifies a value to encrypt or decrypt with the AES key that you configured.
For the test, specify a value that is as long as or longer than the AES key.
Result Clicking Encrypt or Decrypt displays the encryption or decryption result, respectively.
4 Configuring McAfee OTPConfigure the Misc object type
64 McAfee One Time Password 3.5 Administration Guide
Configure the Embedded HTTP Server OptionsMcAfee OTP includes an embedded HTTP server, which is used for Pledge Enrollment, Web Manager,and other web applications.
Task1 In the select pane, expand the Misc object type, then select Embedded HTTP Server.
2 In the configuration pane, select the Enable Embedded HTTP Server checkbox.
3 Configure the remaining settings.
Option Definition
Port number Specifies the port number of the embedded HTTP server.Default: 8080
Enable SSL Selecting this checkbox enables SSL for the HTTP server.Default: Selected
SSL Options ‑ PKCS12 file Selects the P12 certificate file used by the SSL protocol.
SSL Options ‑ PKCS Password Specifies the password that protects the P12 certificate file.
Enable AJP Selecting this checkbox enables the AJP option for the Apache front end.
AJP is an acronym for Apache JServ Protocol.
The embedded HTTP server reads the configuration settings each time it starts. Therefore, McAfeeOTP must be restarted for the new settings to take effect. If McAfee OTP is started manually, andnot as a service, you can restart the embedded HTTP server using the start‑stop button located onthe configuration pane.
Configure the Pledge Enrollment optionsUsing the Pledge Enrollment web application, end users can easily download a Pledge Profile, whichincludes an HOTP key, PIN code settings, and custom GUI settings. Using the web services interfacethat is integrated with the Profile Factory, administrators can customize the PIN code and GUI settings.
Task1 In the select pane, expand the Misc object type, then select Pledge Enrollment.
2 In the configuration pane, select the Enable Pledge Enrollment checkbox.
3 Configure the remaining settings.
Tasks• Configuration settings on page 66
Use the configuration pane to configure the settings in the Configuration area.
See also Enable the Pledge Enrollment services on page 82
Configuring McAfee OTPConfigure the Misc object type 4
McAfee One Time Password 3.5 Administration Guide 65
Configuration settingsUse the configuration pane to configure the settings in the Configuration area.
Option Definition
OATH user databasefor PledgeEnrollment
Specifies the McAfee OTP database where the Pledge Enrollment process enrollsusers.
This McAfee OTP database must be a LDAP or SQL database with OATH enabled.
Pledge Web ServicesUsername
Specifies the web services user name that McAfee OTP uses when logging in to thePledge Profile Factory.
To obtain a Pledge web services user name and password, contact McAfee TechnicalSupport Service Portal.
Pledge Web ServicesPassword
Specifies the web services password that McAfee OTP uses when logging in to thePledge Profile Factory.
To obtain a Pledge web services user name and password, contact McAfee TechnicalSupport Service Portal.
Client NameDetection
Specifies the client name that the Pledge Enrollment web application uses whenconnecting to the McAfee OTP client.
This client name must be added to the enable client name detection settings on theMcAfee OTP client. The McAfee OTP client must be assigned the same McAfee OTPdatabase where the Pledge Enrollment process enrolls users.
Allow user to enrollmultiple profiles
Selecting this checkbox allows end users to enroll for more than one Pledge Profile.If multiple profiles are not allowed, Pledge Enrollment overwrites the existing OATHkey with a new key.
Launch PledgeEnrollment
Clicking this button opens the Pledge Enrollment interface in your web browser.
The Launch button is only available when the administration console is started fromthe McAfee OTP Server monitor. If the Launch Pledge Enrollment button is not available,you can access the Pledge Enrollment application by entering a URL with thefollowing format in your browser’s address bar: https://OTPServeripaddress:8080/PledgeEnrollment
Configure the Web Manager optionsMcAfee OTP includes a tool to manage administrative tasks for users. Using the tool, administratorsand help desk personnel can manage day‑to‑day tasks such as adding and changing PIN codes,assigning and re‑synchronizing tokens, Pledge enrollment, and creating emergency one‑timepasswords.
Self service in McAfee OTP supports only LDAP v3 directories.
Task1 In the select pane, expand the Misc object type, then select Web Manager.
2 In the configuration pane, select the Enable Web Manager checkbox.
3 Configure the remaining settings.
4 Configuring McAfee OTPConfigure the Misc object type
66 McAfee One Time Password 3.5 Administration Guide
Tasks• Authentication settings on page 67
Use the configuration pane to configure the settings in the Authentication area.
• Other on page 67Use the configuration pane to configure the settings in the Other area.
Authentication settingsUse the configuration pane to configure the settings in the Authentication area.
Option Definition
Client for authentication Specifies the McAfee OTP client used by the Web Manager to authenticate endusers and administrators.
Enable OTP protection Select this checkbox to require one‑time password authentication.
OtherUse the configuration pane to configure the settings in the Other area.
Option Definition
Mobile attribute Specifies the LDAP attribute that stores the Web Manager mobile phone number.
This setting is required when the LDAP database is an McAfee OTP database with OATHenabled.
PIN codeattribute
Specifies the LDAP attribute that stores the Web Manager PIN code. A PIN code is usedwith a one‑time password to increase the security in the authentication process.
PIN code must be enabled and configured in the database.
Client for OATH Selects the McAfee OTP client used by the Web Manager to re synchronize tokens andverify the identity of users. Select a McAfee OTP client that is connected to an McAfeeOTP database with OATH enabled.
Launch WebManager
Click this button to open the Web Manager interface in your web browser.
The Launch button is only available when the administration console is started from theMcAfee OTP monitor. If the Launch button is not available, you can access the WebManager application by entering a URL with this format in your browser’s address bar:https://OTPServeripaddress:portnumber/webmanager
Web Manager - User GuideMcAfee OTP includes a tool to manage administrative tasks for users. Using the tool, administrators,and help desk personnel can manage day‑to‑day tasks such as adding and changing PIN codes,assigning and re‑synchronizing tokens, Pledge enrollment, and creating emergency one‑timepasswords.
Login page with username and password
https://OTPServeripaddress:8080/webmanager
Configuring McAfee OTPConfigure the Misc object type 4
McAfee One Time Password 3.5 Administration Guide 67
Option Definition
Manager User view Search for users.To edit a user, double‑click or right‑click a user in the result set.
Available forms whenediting a user
When editing a user, use these options:• General Information
• Change mobile number.
• Disable user from using one‑time passwords.
• Unlock locked accounts.
• Verify whether users have OATH‑tokens and/or PIN code enabled.
User Identity Verification Verifies the identity of a user.
Pledge Enrollment Redirects the user to the Pledge web application.
Manage Tokens Manages hardware tokens for users and tokens out of synch.
Emergency OTP When two‑factor authentication is enabled, the user is asked for a one‑timepassword. If the user forgot or lost their mobile device, they are unable to logon. To log on, an administrator can create an emergency one‑time passwordthat is valid for one use.
PIN Code Generates user PIN codes.
Self Service - Admin GuideMcAfee OTP includes a Self Service tool to let users reset their own password, manage secret questionand answers, and generate a PIN code. Users log on to their accounts using a user name andpassword. If a user forgets their password, they can use a one‑time password, or answer apre‑configured question.
Self Service supports only LDAP v3 directories.
Task1 In the select pane, expand the Misc, then select Self Service.
2 In the configuration pane, select the Enable Self Service checkbox.
3 Configure the remaining settings.
Configuration settingsUse the configuration pane to configure the settings in the Configuration area.
Option Definition
LDAP database Selects a configured LDAP database from the drop‑down list. Self Service connects tothis database to collect and/or update attribute information.
Mobile attribute Specifies the LDAP attribute that stores the user’s mobile phone number.
Mail attribute Specifies the LDAP attribute that stores the user’s mail address.
PIN Codeattribute
Specifies the LDAP attribute that stores the user’s PIN code. If the PIN code isconfigured for the LDAP database, but a value is not entered on the configurationpane, the value for the LDAP database will be used. If a PIN code attribute value isnot configured for the LDAP Database, McAfee OTP database, or the Web Managerconfiguration pane, the web form for Self Service does not appear.
4 Configuring McAfee OTPConfigure the Misc object type
68 McAfee One Time Password 3.5 Administration Guide
Option Definition
Display nameattribute
Specifies the LDAP attribute that stores the user’s display name.
Password resetsettings
Specifies these options:• Minimum password length.
• Maximum password length.
• Password policy.
Example: A‑Z:1|a‑z:1|0‑9:1|#@:0This policy generates a password that contains:• At least one character between A–Z
• At least one character between a–z
• At least one digit between 0–9
• Optional characters are # and @
Example: A‑Z:2|0‑9:2|#@:1This policy generates a password that contains:• At least one character between A–Z
• At least one digit between 0–9
• Optional characters are # and @
Secret Question and Answer (Q/A)Use the configuration pane to configure the settings in the Secret Question and Answer (Q/A) area.
Option Definition
Enable Secret Questionand Answer (Q/A)
Select the checkbox to activate this feature. When a user logs on, this featureis manageable in the Manage Q and A web form.
If this feature is disabled, the web form does not appear.
Total number of questions The number of configured questions and answers the question bank holds foreach user.
Prompted number ofquestions
The number of questions a user is prompted if they forget their login password.For example, if a user has configured five questions in the question bank, butconfigured two prompted number of questions, only two random questions arerequired an answer to successfully log on.
Answer all questions Answer all questions checked, the user is prompted to answer only twoquestions, even if the question bank contains five questions.
Allow custom questions Allows the user to create their own questions.
Q/A attribute Holds the question and answer information.
This value is encrypted.
Configuring McAfee OTPConfigure the Misc object type 4
McAfee One Time Password 3.5 Administration Guide 69
LockoutUse the configuration pane to configure the settings in the Lockout area. If a user attempts to log onand uses an incorrect password for a specified number of times, Self Service locks out the user fromtheir account.
Option Definition
Number of tries Number of user login attempts that are allowed when an incorrect password isused.
Lockout time (minutes) Amount of time a user is locked out of their account.
Lockout attribute Holds the lockout time value.
Launch Self Serviceand Launch ForgotPassword button
Opens the Self Service interface in your web browser.
• Any change to the Self Service configuration page needs McAfee OTPto be restarted.
• The Launch button is only available when the administration console isstarted from the McAfee OTP monitor. If the Launch button is notavailable, you can access the Self Service application by entering aURL with this format in your browser’s address bar:https://OTPServeripaddress:portnumber/selfservicehttps://OTPServeripaddress:portnumber/selfservice/module/selfservice/jsp/forgot.jsp
Information for Self ServiceChange default question of Secret Question and Answers
The default questions are stored in this file system:
drive:\pathtoMcAfeerootfolder\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\classes\module\selfservice
The questions are stored in questionbank.txt. When changes are saved to this file, save the file asUTF‑8 with the same format.
Change PIN Code length
Open DSEditor.properties and search for this parameter:
drive:\pathtoMcAfeerootfolderIM4OTP.PINCODE.LENGTH=4
\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\NEIDMgmt
IM4OTP.PINCODE.LENGTH=4
Disable OTP as an option for forgotten password
Open DSEditor.properties and search for this parameter:
drive:\pathtoMcAfeerootfolder
\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\NEIDMgmt
Change this setting to false:
PWDRESET_ALLOW_OTP=true
Enable Help menu
4 Configuring McAfee OTPConfigure the Misc object type
70 McAfee One Time Password 3.5 Administration Guide
Open DSEditor.properties and look for this parameter:
drive:\pathtoMcAfeerootfolder
\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\NEIDMgmt
DISPLAY_HELP_LINK=true
EXTERNAL_HELP_LINK=http://www.mcafee.com
Enable/Disable Language as an option
Open DSEditor.poperties and search for this parameter:
drive:\pathtoMcAfeerootfolder
\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\NEIDMgmt
DISPLAY_LANGUAGE=true
Self Service - User GuideMcAfee OTP includes a Self Service tool to let users reset their own password, manage secret questionand answers, and generate a PIN code. Users log on with a user name and password. If a user forgetstheir password, they may use their user name and one‑time password, or answer a preregisteredquestion.
Log on page with username and passwordhttps://OTP_server_name/selfservice/To log on to Self Service, a user must enter a user name and password.
Log on page for forgotten passwordhttps://OTP_server_name/selfservice/module/selfservice/jsp/forgot.jspIf a user needs to log on to their account, and has forgotten their password, they must enter theiruser name and one‑time password.
Management pages for self administrationA user has three forms to choose from, depending on the configuration of their solution.
Form Definition
Personal Information Reset user passwords and verify user information, such as a mobile number ormail address.
These settings are not editable.
Secret Question andAnswers
Allows users to configure their questions and answers.
Displays if the Secret Question and Answers feature is enabled.
PIN Code Generates a PIN code.
If this form does not appear, a value is not configured for the PIN code.
Configuring McAfee OTPConfigure the Misc object type 4
McAfee One Time Password 3.5 Administration Guide 71
Configure the Yubico optionsTo integrate the Yubico YubiKey Validation Server, which provides McAfee OTP validation andmanagement services through web services APIs, use the configuration pane to configure the Yubicooptions.
Task1 In the select pane, expand the Misc object type, then select Yubico.
2 In the configuration pane, select the Enable Yubico checkbox.
3 Configure the remaining settings.
4 Configuring McAfee OTPConfigure the Misc object type
72 McAfee One Time Password 3.5 Administration Guide
5 Maintenance and use
To maintain and use McAfee OTP, use the options on the monitor.
McAfee OTP monitorTo enable the McAfee OTP monitor, select the Server object type in the select pane. In the Options area inthe configuration pane, select the Enable Monitor checkbox. If this checkbox is selected, the monitoropens when McAfee OTP starts.
The monitor requires GUI support.
Use the following monitor options.
Option Definition
Configuration Clicking this option opens the administration console. Select and configure these objecttypes:• Server • Databases
• RADIUS • Clients
• Logs • Delivery Methods
• Alerts • Misc
• Licenses
Show Details Clicking this option displays the server statistics.
Shutdown Clicking this option shuts down McAfee OTP.
Contents Start or stop McAfee OTP Server statistics
Start or stop McAfee OTPMcAfee OTP supports Microsoft Windows Server 2003, 2008, UNIX, Linux, and Mac OS X operatingsystems.
McAfee recommends that you stop McAfee OTP by clicking Shutdown on the McAfee OTP monitor. For thisoption, the monitor must be enabled.
Contents Start and Stop McAfee OTP on a Windows-based computer Start and stop McAfee OTP on a UNIX, Linux, or Mac OS X-based computer
5
McAfee One Time Password 3.5 Administration Guide 73
Start and Stop McAfee OTP on a Windows-based computerTo start and stop McAfee OTP on Windows‑based computer, use the following options.
• Start and stop McAfee OTP using Microsoft Windows Services.
• Start McAfee OTP by running the following program file, which is located in the installationdirectory: OTPServer.exe.
• Stop McAfee OTP by clicking Shutdown on the monitor.
Start and stop McAfee OTP on a UNIX, Linux, or Mac OS X-based computerTo start and stop McAfee OTP on a UNIX, Linux, or Mac OS X‑based computer, use the followingoptions.
• Start McAfee OTP by running the OTPServer program file in the background using the followingUNIX command: OTPServer &.
• Stop McAfee OTP by using the UNIX kill command.
• Stop McAfee OTP by clicking Shutdown on the monitor.
Server statisticsTo view the server statistics, click Show Details on the monitor.
Table 5-1 Sending one‑time passwords statistics
Option Definition
Total OTPs Displays the total number of created and sent one‑time passwords.
Table 5-2 One‑time password statistics
Option Definition
Successful OTPs Displays the number of one‑time passwords that the McAfee OTP clients successfullyreturned.
Failed OTPs Displays the number of one‑time passwords that the McAfee OTP clients failed toreturn.
Unfetched OTPs Displays the number of one‑time passwords that the McAfee OTP clients did notretrieve.
Expired OTPs Displays the number of one‑time passwords that expired.
Table 5-3 RADIUS statistics
Option Definition
RADIUS Packets Sent Displays the number of RADIUS packets sent.
RADIUS Packets Received Displays the number of RADIUS packets received.
Table 5-4 Licenses statistics
Option Definition
Nr of Licenses Displays the total number of registered licenses.
RADIUS Packets Received Displays how many registered licenses out of the total are currently in use.
5 Maintenance and useMcAfee OTP monitor
74 McAfee One Time Password 3.5 Administration Guide
Table 5-5 Connections statistics
Option Definition
Active Connections Displays the number of connections to McAfee OTP Native clients that arecurrently active.
Successful Connections Displays the number of successful connections to McAfee OTP Native clients.
Failed Connections Displays the number of failed connections to McAfee OTP Native clients.
Table 5-6 Encryption statistics
Option Definition
Encrypted Requests Displays the number of encrypted requests from McAfee OTP Native clients toMcAfee OTP.
Unencrypted Requests Displays the number of unencrypted requests from McAfee OTP Native clientsto McAfee OTP.
Rejected Unencrypted Req Displays the number of unencrypted requests from McAfee OTP Native clientsto McAfee OTP that were rejected because they were not encrypted.
To enable this feature, select the Always encryption option in the Encryption area inthe configuration pane.
Table 5-7 User database authentication statistics
Option Definition
Successful Logins Displays the number of times that end users successfully authenticated to LDAP andJDBC/ODBC databases.
Failed Logins Displays the number of times that end users failed to authenticate to LDAP andJDBC/ODBC databases.
Locked Accounts Displays the number of times that McAfee OTP locked user accounts, because thenumber of login attempts to LDAP or JDBC/ODBC databases exceeded the maximumallowed.
Maintenance and useMcAfee OTP monitor 5
McAfee One Time Password 3.5 Administration Guide 75
5 Maintenance and useMcAfee OTP monitor
76 McAfee One Time Password 3.5 Administration Guide
A Pledge
Pledge provides a secure, two‑factor authentication method for users to log on to applications.
Contents About Pledge Register for a Pledge Profile Factory account Customize the Pledge Corporate Profile Request a Pledge web service account Configure the Pledge Enrollment database Configure the Pledge Enrollment client Enable the Pledge Enrollment services Pledge Enrollment
About PledgeThe Pledge system consists of these components:
McAfee One Time Password 3.5 Administration Guide 77
• Pledge Profile Factory — A web service that administrators use to configure and customize PledgeCorporate Profiles, which include logos, background pictures, colors, PIN code settings, and contactinformation. Pledge Corporate Profiles provide the template for Pledge User Profiles used by Pledgeclients.
• Pledge Enrollment — A service that automates the delivery of Pledge User Profiles to end userdevices.
• Pledge Client — Pledge is a mobile client used to generate one‑time passwords based on the OATHalgorithm.
How Pledge works
Reference Definition
1 Using Pledge Enrollment, the end user enrolls in Pledge.
2 Pledge Enrollment sends a request for McAfee OTP to check the user's credentials.
3 McAfee OTP verifies the end user's credentials.
4 Pledge Enrollment sends a web service request to the Pledge Profile Factory.
5 Pledge Profile Factory performs these actions:• Generates a random symmetric key and corresponding counter.
• Packages the Pledge corporate profile into a .zip file.
• Generates a unique Pledge Profile ID.
• Combines the above information into an XML message, and sends to PledgeEnrollment.
6 Pledge Enrollment sends the Open Authentication (OATH) key and counter to McAfeeOTP.
7 McAfee OTP saves the key in the configured database.
A PledgeAbout Pledge
78 McAfee One Time Password 3.5 Administration Guide
Reference Definition
8 Pledge Enrollment sends the Pledge Profile ID to the end user or administrator. On asupported device, the end user starts the Pledge client application, selects +, and entersthe Pledge Profile ID.
9 To download the Pledge User Profile, which includes the Pledge Corporate Profile, OATHkey, and Pledge Profile ID, the Pledge client application contacts the Pledge ProfileFactory via an HTTPS connection.
10 The Pledge Profile Factory sends the corresponding Pledge User Profile, flags the PledgeProfile ID, and removes the OATH key.
Once end users are enrolled in Pledge, they can use Pledge to sign online requests from a web server,such as purchase transactions, or auction bidding.
Pledge Profile FactoryAdministrators use the Pledge Profile Factory to configure and customize the settings for PledgeCorporate Profiles.
Pledge Corporate Profiles provide the template for Pledge User Profiles used by Pledge clients.
Administrators can also use the Pledge Profile Factory to verify Pledge licensing information.
Pledge EnrollmentPledge Enrollment is a service that automates the delivery of Pledge User Profiles to end user devices.
End users can enroll in Pledge themselves, or through Pledge administrators.
The Pledge Enrollment service is embedded into McAfee OTP, but can also be downloaded and installedseparately into a DMZ solution.
Pledge ClientThe Pledge Client can be installed on most devices and generates one‑time passwords used fortwo‑factor authentication with McAfee OTP or other OATH compliant systems.
The Pledge Client supports multiple Pledge profiles, which is useful for authentication to multipleservices or ISP‑solutions.
Access the Pledge client from all major application stores, or visit Mobile Software Token Pledge.
Register for a Pledge Profile Factory accountTo register for a Pledge Profile Factory account, use the administration tool for Pledge profiles.
Task1 Go to the Pledge Profile Factory.
2 Click Register here.
3 In the Email field, type your email address.
The email address becomes the administrator user name for the Pledge Profile Factory account.
If you are an administrator creating a Pledge Profile Factory account for a customer, use your ownemail address.
PledgeRegister for a Pledge Profile Factory account A
McAfee One Time Password 3.5 Administration Guide 79
4 In the Company field, type the name of your company.
Your company name becomes the name of the Pledge Profile Factory account.
If you are an administrator creating a Pledge Profile Factory account for a customer, use your owncompany's name.
5 In the Enter code from captcha field, type the captcha code, then click Register.
a When the Registration successful! message appears, click OK.
b Navigate and open the email sent to the administrator's email address.
c Click on the registration link.
The Pledge Profile Factory registration window appears.
6 In the Email field, type the email address.
7 In the Enter code from captcha field, type the captcha code, then click Log in.
An email is sent to the administrator's email address, which includes the one‑time password.
8 In the Enter OTP (sent via mail) field, type the one‑time password, then click OK.
Customize the Pledge Corporate ProfileUsing the Pledge Profile Factory, administrators can customize a corporate profile with background,logo, icon, button, background color, text color, PIN code length, and Profile TTL.
Changes made in the Pledge Profile Factory do not take effect until the end user is enrolled for a PledgeProfile.
Task1 Click the Design tab, and configure the Profile design options.
2 Click the Settings tab, and configure the following options.
Option Definition
PIN length Enables or disables PIN code protection of Pledge User Profiles. Pledge PIN codeprotection is used to enforce security when devices are not centrally managed andend users are not using a PIN code to protect their device.
To disable this function, set to 0 .
Profile TTL Determines how long a Pledge User Profile XML message will be available fordownload from the Pledge Profile Factory. When an end user or administrator enrollfor a Pledge User Profile, the end user will have 120 minutes to download thePledge User Profile on their device before it expires.
Support info Customizable text message field, which is displayed on Pledge User Profiles. Usethis text box to inform end users about Pledge security policies, where to find help,and how to contact support.
Allow PledgeDesktop
Enable or disable Pledge Desktop clients requests to download Pledge Profiles.
A PledgeCustomize the Pledge Corporate Profile
80 McAfee One Time Password 3.5 Administration Guide
3 Click Save.
4 Click Logout.
PIN code and support information options must be configured before the end user enrolls for aPledge User Profile.
Request a Pledge web service accountTo enroll in a Pledge web service account, request access from support.
Task1 Send an email to [email protected] with the email address and company name used for
Pledge Profile Factory registration.
2 Receive an email from McAfee support that contains the account name and password.
Configure the Pledge Enrollment databaseThe McAfee OTP database is used by the Pledge Enrollment web application to store Pledge OATHkeys. This database can be any LDAP or SQL database.
Task1 Start McAfee OTP.
Always right‑click and select Run as administrator when starting otpserver.exe on Windows servers.
The monitor appears.
2 Click Configuration.
3 In the select pane, select Databases, then click a database button in the configuration pane.
4 In the Database Display Name field, specify a unique, meaningful name.
5 Select the Uses HOTP or TOTP (OATH) checkbox.
6 In the Host Settings area, configure the settings.
7 In the Search Settings area:
a Click the ... button.
The Select BaseDN window appears.
b Select the container where user objects exist, then click OK.
c Click the Sample button, then select Microsoft Active Directory.
d Click OK | Yes.
8 In the Account Settings area:
a Click the ... button.
The McAfee Schema Selector window appears.
b Select an attribute, then click OK.
PledgeRequest a Pledge web service account A
McAfee One Time Password 3.5 Administration Guide 81
See also Create an LDAP database on page 29Create an SQL database on page 35
Configure the Pledge Enrollment clientThe Pledge Enrollment service requires McAfee OTP to be configured with a corresponding McAfee OTPNative client.
Pledge Enrollment uses TCP port 3100
Task1 In the select pane, select the Clients object type, then select New Native Client In the configuration
pane.
2 In the Name & Address area:
a In the Client Display name field, specify a unique, meaningful name.
b In the Client IP Address, type 127.0.0.1.
3 From the User Database drop‑down list, select Pledge Enrollment Database.
4 Click the Advanced button.
The Native client name detection window appears.
5 Select the Enable name detection checkbox.
6 In the Client Name field, type a client name, and click OK.
See also Create a Native client on page 44
Enable the Pledge Enrollment servicesEnable the Pledge Enrollment service, and configure it to use the newly created Pledge Enrollmentdatabase and the Web Service account received from support.
Before you beginVerify that both the firewall from server hosting McAfee OTP, and the network firewallsallow TCP connection on port 443 to Pledge Profile Factory address necs.nordicedge.se.
Task1 In the select pane, expand the Misc object type, then select Pledge Enrollment.
2 From the OATH database drop‑down list, select the OATH database.
3 In the Pledge web services username field, type the user name received from McAfee support.
4 In the Pledge web services password field, type the password received from McAfee support.
5 In the Client Name Detection field, type the client name detection name.
A PledgeConfigure the Pledge Enrollment client
82 McAfee One Time Password 3.5 Administration Guide
6 Click Save Config.
To allow users to use Pledge User Profiles on more than one device, select the Allow user to enrollmultiple profiles checkbox.
7 In the select pane, select Embedded HTTP Server.
8 Click the Enable Embedded HTTP Server checkbox, and click Save.
9 Click Start HTTP Service.
To protect Pledge Enrollment service with SSL, select Enable SSL. If the Start HTTP Service button is notvisible, restart McAfee OTP by closing the configuration window, then click Shutdown.
See also Configure the Pledge Enrollment options on page 65
Pledge EnrollmentThe end user installs Pledge once, then downloads one or more shared secrets depending on the sitesor companies they need access.
Contents Requirements Self enrollment Administrator enrollment
RequirementsVerify that the following requirements are met to complete enrollment and successfully use Pledge.
Port connections
• Pledge Client application must have access to services.nordicedge.net on port 443 to downloadprofiles from Pledge Profile Factory.
• Pledge Enrollment server must have access to necs.nordicedge.se on port 443 to make a webservice connection to Pledge Profile Factory.
• Administrator workstation must have access to services.nordicedge.se on port 443 to log on toPledge Profile Factory.
Supported end user devices
• iPhone
• Android
• Microsoft Windows Mobile
• Any mobile phone that supports Java Micro Edition (JME)
PledgePledge Enrollment A
McAfee One Time Password 3.5 Administration Guide 83
Self enrollmentAn end user uses the following steps to create a Pledge User Profile.
Task1 On a supported device, install the Pledge client application from:
• A website provided by McAfee
• An application store, such as the Apple AppStore or Android Market
2 Go to the Pledge Enrollment service.
3 To receive a Pledge Profile ID, enter the user name and password, then click Enroll.
The Pledge Profile ID number appears.
4 To test the Pledge Enrollment service, click Test Pledge Profile.
5 On the device, start the Pledge client application.
6 To add a profile, select +, and type the Pledge Profile ID.
7 On the Test Pledge OTP Profile page, enter the user name and one‑time password, then click Verify.
Administrator enrollmentAdministrators can enroll a unique Pledge Profile ID for end users.
Task1 Verify the end user has the Pledge Client installed on a supported device.
2 Go to the Pledge Enrollment service page.
a In the User name (admin) field, type the administrator user name.
b In the Password (admin) field, type the administrator password.
c In the Pledge user name field, type the end user's user name.
d Click Enroll.
The Pledge Profile ID appears.
3 Instruct the end user how to add the Pledge Profile ID in the Pledge Client application.
4 To test the profile, ask the end user for the one‑time password.
A PledgePledge Enrollment
84 McAfee One Time Password 3.5 Administration Guide
B Microsoft Forefront Threat ManagementGateway integration
To enable strong authentication for web publishing using the Microsoft TMG framework applications,integrate McAfee OTP with Microsoft Forefront Threat Management (Microsoft TMG) .
Contents Installation Configuration Configure McAfee OTP Server for Microsoft TMG
InstallationReview the requirements and install the Microsoft TMG client for use with McAfee OTP.
Contents System requirements Install Microsoft TMG
System requirementsVerify that the following requirements are met to successfully integrate McAfee OTP with MicrosoftTMG.
McAfee OTP
• Version 3 or later
• Must be configured before the filter can be used
Ports
• Access to an AD using LDAP/LDAPS (port 389 or 636).
• LDAP/LDAPS port must be opened from McAfee OTP server to the AD server.
• RADIUS port 1812 must be opened from the Microsoft TMG server to the McAfee OTP server.
• McAfee OTP port 3100 must be opened from Microsoft TMG server to the McAfee OTP server.
See also Configuring McAfee OTP on page 3
McAfee One Time Password 3.5 Administration Guide 85
Install Microsoft TMGInstall the Microsoft TMG files on your system.
Task1 Unzip the file sin NE_OTP_TMG_ver1.0.zip, which includes these files:
File Definition
otpwebfilter.dll The McAfee TMG web filter
usr_pwd_pcode.htm McAfee OTP login template
nordicedge.js McAfee OTP login javascript
dojo.js AJAX javascript
otp.reg Registry file to set McAfee OTP address
2 Back up the log on page:
<tmg_home>\Templates\CookieAuthTemplates\ISA\HTML\usr_pwd_pcode.htm
Sample:C:\Program Files\Microsoft Forefront Threat Management
Gateway\Templates\CookieAuthTemplates\ISA|HTML\usr_pwd_pcode.htm
3 Copy files:
Copy the content in tmg directory of the NE_OTP_TMG_ver1.0.zip to the TMG server installationdirectory.
Sample:C:\Program Files\Microsoft Forefront Management Gateway
4 Register the McAfee OTP webfilter.
Register otpwebfilter.dll with the command:regsvr32 otpwebfilter.dll
ConfigurationTo use Microsoft TMG with McAfee OTP, configure the options.
Parameters Description
OTPSERVERIP McAfee OTP Serverhost, all McAfee OTP names and ports, syntax"hostname:portnr:hostname2:portnr2"
This value must match the order in the RADIUS TMG configuration.
Task1 Edit the otp.reg, and replace the IP address with the current IP address of the McAfee OTP.
2 Run the .reg file on the TMG server.
Tasks• Microsoft TMG configuration on page 87
Configure the settings for the Microsoft TMG Server Management tool.
• Configure advanced options on page 88Configure the advanced options in the Microsoft TMG Server Management tool.
B Microsoft Forefront Threat Management Gateway integrationConfiguration
86 McAfee One Time Password 3.5 Administration Guide
Microsoft TMG configurationConfigure the settings for the Microsoft TMG Server Management tool.Administration
Task1 Start the Microsoft TMG Server Management tool.
2 Open the web listener you want protected.
3 Click the Authentication tab.
4 Enable HTML Form Authentication.
5 Enable Collect additional delegation credentials in the form.
6 Click Configure Validation Server.
7 Add a McAfee OTP server.
If you are using multiple McAfee OTP servers, add each server individually, and ensure that theorder of the servers matches the order configured in otp.reg.
a Click Add.
b Type the DNS name or IP address of McAfee OTP, and the server description.
c Type the shared secret.
• The shared secret must match the shared secret in McAfee OTP.
• If using multiple McAfee OTP servers for fail over, set down the timeout todecrease the wait time during a fail over.
Sample value set to three will have the TMG server try three times, and wait three seconds eachtime, resulting in a wait time of nine seconds for the end user.
d Click OK.
8 Click Advanced.
9 Verify that Require all users to authenticate is enabled.
10 Click OK twice.
11 Select Configuration | Add‑ins.
12 Click Web Filters.
13 Verify that OTP authentication filter is listed, and placed before all other authentication filters.
14 Click Apply.
15 Restart the Microsoft Forefront TMG Firewall service.
Microsoft Forefront Threat Management Gateway integrationConfiguration B
McAfee One Time Password 3.5 Administration Guide 87
Configure advanced optionsConfigure the advanced options in the Microsoft TMG Server Management tool.
Task1 Click Advanced.
2 Verify that the Require all users to authenticate checkbox is selected.
3 Click OK twice.
4 Select Configuration | Add‑ins | Web Filters.
5 Click Apply.
6 Verify that OTP authentication filter is listed, and is prioritized before all other filters.
7 Restart Microsoft Forefront TMG Firewall.
Configure McAfee OTP Server for Microsoft TMGTo configure the settings for Microsoft TMG, use the McAfee OTP administration console.
Before you beginConfigure at least one delivery method if not using an software or hardware token OATHsolution.
Task1 In the select pane, select Clients | RADIUS.
2 In the configuration pane, verify that the port number is 1812.
Tasks• Configure the Microsoft TMG client on page 88
Add the Microsoft TMG client for use with McAfee OTP.
• Configure a new database on page 89Configure a new database for Microsoft TMG.
Configure the Microsoft TMG clientAdd the Microsoft TMG client for use with McAfee OTP.
Task1 To create the Microsoft TMG client type, use one of these options:
• In the select pane, right‑click the Clients object type, then select New Client from the context menu.
• In the select pane, select the Clients object type, then select New Client in the configuration pane.
2 In the Client Display Name field, type a unique, meaningful name.
B Microsoft Forefront Threat Management Gateway integrationConfigure McAfee OTP Server for Microsoft TMG
88 McAfee One Time Password 3.5 Administration Guide
3 In the Client IP Address field, type the IP address of the Microsoft TMG server.
• Do not specify a DNS name.
• You can specify multiple IP addresses by using a wildcard character.
4 Configure the remaining settings.
See also Configure the Clients object type on page 40
RADIUS OptionsUse the configuration pane to configure the settings for the RADIUS Client.
Option Definition
Shared Secret Specifies the RADIUS client shared secret.The RADIUS client and the RADIUS client application must have the sameshared secret.
This must match the shared secret configured in the TMG server RADIUSconfiguration.
Supports RADIUSAccess‑Challenge
Deselect this checkbox.
Allow multiple user requests Allows an end user to request one‑time passwords from multiple RADIUSendpoints. This setting is useful when single users request onetimepasswords from redundant VPN servers.
This field is only available when the RADIUS client does not support thechallenge‑response protocol.
Auth. Server IP Address Specifies the IP address of the Microsoft TMG server.
Configure a new databaseConfigure a new database for Microsoft TMG.
Task1 Select the new database type by using one of these methods:
• In the select pane, right‑click the Databases object type, then select the type of database from thecontext menu.
• In the select pane, select the Databases object type, then select the type of database in theconfiguration pane.
2 In the Database Display Name field, specify a unique, meaningful name.
3 Configure the remaining settings.
4 Click OK twice.
5 Click Save Config.
See also Configure the Databases object type on page 28
Microsoft Forefront Threat Management Gateway integrationConfigure McAfee OTP Server for Microsoft TMG B
McAfee One Time Password 3.5 Administration Guide 89
B Microsoft Forefront Threat Management Gateway integrationConfigure McAfee OTP Server for Microsoft TMG
90 McAfee One Time Password 3.5 Administration Guide
C Configuring a cluster
Configure McAfee OTP in a cluster.
Contents Requirements McAfee OTP redundancy Configure McAfee OTP redundancy Configure the VPN Gateway or application with multiple McAfee OTP servers Test the McAfee OTP cluster McAfee OTP cluster configuration
RequirementsTo configure a cluster, the following minimum requirements must be met.
• Two configured McAfee OTP servers
• McAfee OTP configured with SMS and/or Pledge
McAfee One Time Password 3.5 Administration Guide 91
McAfee OTP redundancyMcAfee OTP supports full active‑active clusters to allow users to log on with two‑factor authenticationto any of the McAfee OTP servers within the same cluster.
For example, when a user authenticates with a user name and password with McAfee OTP server 1,then the end user receives and enters the one‑time password to the McAfee OTP server 2 forverification.
Figure C-1 McAfee OTP redundancy
Configure McAfee OTP redundancyTo configure a cluster, each McAfee OTP server must point to all other McAfee OTP servers.
For this example:
• McAfee OTP server 1 points to McAfee OTP server 2.
• McAfee OTP server 2 points to McAfee OTP server 1.
Task1 Configure McAfee OTP server 1.
a Open and edit C:\Program Files\NordicEdge\OTPServer3\hazelcast.xml.
If using UNIX/Linux, open and edit /opt/NordicEdge/OTPServer3/hazelcast.xml.
b Change tcp‑ip enabled to true.
c Change interface to the IP address of McAfee OTP server 2.
In this case 192.168.92.183.
d Save and close the file.
e Restart McAfee OTP server 1.
C Configuring a clusterMcAfee OTP redundancy
92 McAfee One Time Password 3.5 Administration Guide
2 Configure McAfee OTP server 2.
a Open and edit C:\Program Files\NordicEdge\OTPServer3\hazelcast.xml.
If using UNIX/Linux, open and edit /opt/NordicEdge/OTPServer3/hazelcast.xml.
b Change tcp‑ip enabled to true.
c Change interface to the IP address of McAfee OTP server 2.
In this case 192.168.92.238.
d Save and close the file.
e Restart McAfee OTP server 2.
For more information about cluster configuration, go to the Hazelcast webpage.
McAfee OTP server 1 and 2 appear as a cluster.
Configure the VPN Gateway or application with multiple McAfeeOTP servers
Configure the VPN Gateway or application to the McAfee OTP cluster.
In the following scenario, the McAfee OTP web test application is used to demonstrate how toconfigure two McAfee OTP servers with redundancy.
Task1 Open the configuration for McAfee OTP web test application: C:\inetpub\wwwroot
\OTPServerWebTestApp\Web.config
2 Type the IP addresses to McAfee OTP server 1 and 2.
In this case 192.168.92.238:3100;192.168.92.183:3100
3 Save and close the file.
4 Restart the IIS server.
Test the McAfee OTP clusterTest and verify the active‑active cluster configuration.
Task1 Go to the OTP Web Test App.
2 Type the user name and password.
3 Select SMS or Pledge, then click Login.
The OTPServer.exe window appears.
4 Shutdown McAfee OTP server 1.
Configuring a clusterConfigure the VPN Gateway or application with multiple McAfee OTP servers C
McAfee One Time Password 3.5 Administration Guide 93
5 On the OTP Web Test App ‑ Custom Login page, type the one‑time password, then click Verify.
The Welcome to the OTP Protected Web Test App Site message and OTPServer.exe window appear.
6 Verify that the McAfee OTP server 2 successfully verified the one‑time password.
McAfee OTP cluster configuration The group name and password option can be used to create separate clusters.
For example, McAfee OTP server production and McAfee OTP server test.
<group>
<name>ne‑otp‑prod</name>
<password>SecretPassword</password>
</group>
With the tcp‑ip option, you can configure one or many McAfee OTP servers, specific ports or if a rangeof IP addresses for McAfee OTP in the cluster.
<tcp‑ip enabled="true">
<hostname>otpserver1.domainlocal</hostname>
<hostname>otpserver2.domainlocal</hostname>
<hostname>otpserver3.domainlocal:1980</hostname>
<interface>192.168.1.21</interface>
<interface>192.168.1.0‑7</interface>
</tcp‑ip>
C Configuring a clusterMcAfee OTP cluster configuration
94 McAfee One Time Password 3.5 Administration Guide
D Web Service Client API (SOAP)
McAfee OTP exposes client functionality, corresponding to the McAfee OTP Native client API, such asSOAP services.
Contents Setup Integration SOAP operations Commands Client code examples
SetupSetup a Web Service SOAP Client to use the Web Service API.
Before you begin• A working knowledge of Web Services and the WSDL format.
• A client capable of communicating with a SOAP server.
• McAfee OTP version 3.1
Task1 Select Misc | Embedded HTTP Server.
2 Verify that the embedded HTTP server is accordingly started and configured.
3 Configure a WS Client Name and WS Client Password for each Web Service client.
The WS Client Name and WS Client Password are used by the API to validate incoming requests.
IntegrationIntegrate with the API using the following information.
Code Generation from WSDL file
Many Web Services platforms include support for automatically generating complete clientfunctionality or stub versions of the SOAP messages described in the WSDL file. For the Java platform,please see either the AXIS project at the Apache Foundation, or JAX‑WS RI, for examples of suchimplementations.
McAfee One Time Password 3.5 Administration Guide 95
The provided WSDL file (the WSDL that the Web Service will generate) is in the document/literalwrapped syntax. This is currently the interoperability leader and is supported by the majority WebServices clients such as Metro, AXIS, gSoap, Websphere, and .NET.
The WSDL for these services may be downloaded from the following URL:
https://yourhost.yourdomain/neotp/otpws?wsdl
Integrating with the API with xml dataAPI
If no code generation is possible, integrate with the API at a lower level, and send the SOAP messagedirectly over HTTP.
Programming Language
When describing the functionality from a developers view, this document focuses on the Java platform.
The Web Service itself is language agnostic. SOAP message examples are added when appropriate.
SOAP operationsThe McAfee OTP Web Service API has two operations:
• getCommands
• getOTPObject
For more information about the API, please see the Java documentation.
Contents getCommands Operation getOTPObject
getCommands OperationGet available commands for the McAfee OTP Web Service API.
Returns: Array of strings containing available commands to send to the McAfee OTP WS API.
The SOAP request message for the getCommands operation:<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:getCommands xmlns:ns2="http://ws.nordicedge.se/">
</S:Body>
</S:Envelope>
The SOAP response message for the getCommands operation:<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
D Web Service Client API (SOAP)SOAP operations
96 McAfee One Time Password 3.5 Administration Guide
<ns2:getCommandsResponse xmlns:ns2="http://ws.nordicedge.se/">
<command>requestAuthAndOTP</command>
<command>requestOTP</command>
<command>verifyOTP</command>
<command>AuthenticateUser</command>
<command>requestAuth</command>
<command>getErrorDescription</command>
<command>storeData</command>
<command>fetchData</command>
<command>removeData</command>
<command>verifyOATHOTP</command>
<command>requestPrefetchedOTP</command>
<command>requestAdminPrefetchedOTP</command>
<command>getAvailableUserAttributes</command>
<command>getUserAttributeValue</command>
<command>requestUserOATHKey</command>
<command>updateOATHKey</command>
<command>reloadServerConfiguration</command>
<command>resyncOTPMobileCounter</command>
<command>setConfiguration</command>
<command>getConfiguration</command>
<command>getCharset</command>
<command>setCharset</command>
<command>getWSVersion</command>
<command>getClientVersion</command>
<command>getServerVersion</command>
</ns2:getCommandsResponse>
</S:Body>
</S:Envelope>
getOTPObjectgetOTPObject is the main operation of the API, and is used for all interactions with McAfee OTP.
For more information about the getOTPObject method, please see the Java documentation.
Web Service Client API (SOAP)SOAP operations D
McAfee One Time Password 3.5 Administration Guide 97
Table D-1 Java: getOTPObject
Parameter Type Description
obj OTPWsRequest An object containing all information needed for a specific command.
Returns: Object of type OtpWsResponse.
Example of a SOAP request message1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <clientName>webServiceClientName</clientName>
7. <clientPassword>webServiceClientPassword</clientPassword>
8. <command>requestAuthAndOTP</command>
9. <keyValueParameter>
10. <key>userName</key>
11. <value>ddarrell</value>
12. </keyValueParameter>
13. <keyValueParameter>
14. <key>password</key>
15. <value>secret</value>
16. </keyValueParameter>
17. <keyValueParameter>
18. <key>message</key>
19. <value>Your OTP : $$OTP$$</value>
20. </keyValueParameter>
21. </otpWsRequest>
22. </ns2:getOTPObject>
23. </S:Body>
24. </S:Envelope>
As seen in row 8, the command for McAfee OTP is requestAuthAndOTP, this command requiresparameters such as userName and password. Refer to the java documentation for further details.
Example of a SOAP response message1. <?xml version="1.0" ?>
D Web Service Client API (SOAP)SOAP operations
98 McAfee One Time Password 3.5 Administration Guide
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <magicNr>HP1c8z</magicNr>
7. <errorCode></errorCode>
8. <errorDescription></errorDescription>
9. <message></message>
10. <status></status>
11. </otpWsRequest>
12. </ns2:getOTPObjectResponse>
13. </S:Body>
14. </S:Envelope>
As seen in row 6, the magicNr is the only value returned for the requestAuthAndOTP command. Seethe java documentation for further details.
OtpWsRequest objectThe OtpWsRequest object is the request object for the getOTPObject operation/method.
Table D-2 Fields of OtpWsRequest object
Field Type Description
clientName String Web Service client name.
clientPassword String Web Service client password.
command String The command to be executed in McAfee OTP.
keyValueParameter:• key
• value
KeyValuePair [ ]• String
• String
Contains the necessary information needed by the requestedcommand.
Example: OtpWsRequest object described in xml <otpWsRequest>
<clientName>webServiceClientName</clientName>
<clientPassword>webServiceClientPassword</clientPassword>
<command>requestAuthAndOTP</command>
<keyValueParameter>
<key>userName</key>
<value>ddarrell</value>
</keyValueParameter>
Web Service Client API (SOAP)SOAP operations D
McAfee One Time Password 3.5 Administration Guide 99
<keyValueParameter>
<key>password</key>
<value>secret</value>
</keyValueParameter>
...
</otpWsRequest>
OtpWsResponse objectThe OtpWsResponse object is the response object for the getOTPObject operation/method.
Table D-3 Fields of OtpWsResponse object
Field Type Description
magicNr String The magic number used to verify McAfee OTP.
errorCode String Numerical error code.
errorDescription String Error description in plain text.
message String General message sent from McAfee OTP.
status String Status message sent from McAfee OTP.
keyValueParameter:• key
• value
KeyValuePair [ ]• String
• String
Contains the information sent back to McAfee OTP.
Example: OtpWsResponse object described in xml
<otpWsRequest>
<magicNr></magicNr>
<errorCode></errorCode>
<errorDescription></errorDescription>
<message></message>
<status></status>
<keyValueParameter>
<key>result</key>
<value>UTF‑8</value>
</keyValueParameter>
...
</otpWsRequest>
D Web Service Client API (SOAP)SOAP operations
100 McAfee One Time Password 3.5 Administration Guide
CommandsA selection of commands are used for the getOTPOjbect operation.
For more information about the API, please see the Java documentation.
Required fields / xml elementsFor all requests to the Web Service, three fields are required.
Table D-4 Required fields for all commands
Field Type Description
clientName String Web Service client name.
clientPassword String Web Service client password.
command String Command to be executed on the McAfee OTP server.
The keyValueParameter field is optional.
requestAuthAndOTPRequest authentication and issuing a one‑time password from McAfee OTP.
To use this command, use one of these methods:
• Send the userName and password.
• Send the userName, password, and attribName.
• Send the userName, password, and message.
Returns: the magic number.
Table D-5 KeyValuePair / xml elements
Name (key) Optional Type Description
userName No String The userName, as KeyValue object with key userName.
password No String The user password, as KeyValue object with key password.
attribName Yes String The attribute name that holds the user's challenge value, asKeyValue object with key attribName.
message Yes String The message to send to the client.Use $$OTP$$ to insert the one‑time password, as KeyValue objectwith key message.
Returns: The magic number as seen in 5.2.3 row 6.
Example of the SOAP request message with userName and password:
1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <clientName>webServiceClientName</clientName>
Web Service Client API (SOAP)Commands D
McAfee One Time Password 3.5 Administration Guide 101
7. <clientPassword>webServiceClientPassword</clientPassword>
8. <command>requestAuthAndOTP</command>
9. <keyValueParameter>
10. <key>userName</key>
11. <value>ddarrell</value>
12. </keyValueParameter>
13. <keyValueParameter>
14. <key>password</key>
15. <value>secret</value>
16. </keyValueParameter>
21. </otpWsRequest>
22. </ns2:getOTPObject>
23. </S:Body>
24. </S:Envelope>
Example of the SOAP response message:
1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <magicNr>HP1c8z</magicNr>
7. <errorCode></errorCode>
8. <errorDescription></errorDescription>
9. <message></message>
10. <status></status>
11. </otpWsRequest>
12. </ns2:getOTPObjectResponse>
13. </S:Body>
14. </S:Envelope>
verifyOTPVerify if a one‑time password is correct.
To use this command, use one of these methods:
D Web Service Client API (SOAP)Commands
102 McAfee One Time Password 3.5 Administration Guide
• Send the magicNr, otp, and userName.
• Send the magicNr and otp. If no userName was sent in the previous request, see command:requestOTP.
Table D-6 KeyValuePair / xml elements
Name (key) Optional Type Description
magicNr No String The magic number received from the requestAuthAndOTP.
otp No String The one‑time password received by the user.
userName Yes String The userName for the user.
Returns: true is successful, false if unsuccessful. In the example of the SOAP response message, seerow 13.
Example of the SOAP request message with userName, magicNr, and otp:1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <clientName>webServiceClientName</clientName>
7. <clientPassword>webServiceClientPassword</clientPassword>
8. <command>verifyOTP</command>
9. <keyValueParameter>
10. <key>userName</key>
11. <value>ddarrell</value>
12. </keyValueParameter>
13. <keyValueParameter>
14. <key>magicNr</key>
15. <value>HP1c8z</value>
16. </keyValueParameter>
13. <keyValueParameter>
14. <key>otp</key>
15. <value>7256</value>
16. </keyValueParameter>
21. </otpWsRequest>
22. </ns2:getOTPObject>
23. </S:Body>
Web Service Client API (SOAP)Commands D
McAfee One Time Password 3.5 Administration Guide 103
24. </S:Envelope>
Example of the SOAP response message:
1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <magicNr></magicNr>
7. <errorCode></errorCode>
8. <errorDescription></errorDescription>
9. <message></message>
10. <status></status>
13. <keyValueParameter>
15. <key>result</key>
15. <value>true</value>
16. </keyValueParameter>
11. </otpWsRequest>
12. </ns2:getOTPObjectResponse>
13. </S:Body>
14. </S:Envelope>
authenticateUserAuthenticates user name and password.
Table D-7 KeyValuePair / xml elements
Name (key) Optional Type Description
userName No String The userName for the user.
password No String The password.
Returns: String ok if the user is authenticated, otherwise the errorCode and errorDescription.
In the example of the SOAP response message with result: ok, see row 13.
In the example of the SOAP response message with errorCode and errorDescription, see rows 7 and 8.
Example of the SOAP request message with userName and password:
1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
D Web Service Client API (SOAP)Commands
104 McAfee One Time Password 3.5 Administration Guide
3. <S:Body>
4. <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <clientName>webServiceClientName</clientName>
7. <clientPassword>webServiceClientPassword</clientPassword>
8. <command>authenticateUser</command>
9. <keyValueParameter>
10. <key>userName</key>
11. <value>ddarrell</value>
12. </keyValueParameter>
13. <keyValueParameter>
14. <key>password</key>
15. <value>secret</value>
16. </keyValueParameter>
21. </otpWsRequest>
22. </ns2:getOTPObject>
23. </S:Body>
24. </S:Envelope>
Example of the SOAP response message with result: ok:
1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <magicNr></magicNr>
7. <errorCode></errorCode>
8. <errorDescription></errorDescription>
9. <message></message>
10. <status></status>
13. <keyValueParameter>
15. <key>result</key>
15. <value>ok</value>
Web Service Client API (SOAP)Commands D
McAfee One Time Password 3.5 Administration Guide 105
16. </keyValueParameter>
11. </otpWsRequest>
12. </ns2:getOTPObjectResponse>
13. </S:Body>
14. </S:Envelope>
Example of the SOAP response message with errorCode and errorDescription:1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <magicNr></magicNr>
7. <errorCode>3</errorCode>
8. <errorDescription>User failed authentication</errorDescription>
9. <message></message>
10. <status></status>
11. </otpWsRequest>
12. </ns2:getOTPObjectResponse>
13. </S:Body>
14. </S:Envelope>
getUserAttributeValueGet an attribute value from a user.
Table D-8 KeyValuePair / xml elements
Name (key) Optional Type Description
userName No String The userName for the user.
attributeName No String The attribute name.
Returns: If available, the user attribute value., otherwise an empty string. In the example of theSOAP response message, see row 13.
Example of the SOAP request message with userName and attributeName:1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
D Web Service Client API (SOAP)Commands
106 McAfee One Time Password 3.5 Administration Guide
5. <otpWsRequest>
6. <clientName>webServiceClientName</clientName>
7. <clientPassword>webServiceClientPassword</clientPassword>
8. <command>requestAuthAndOTP</command>
9. <keyValueParameter>
10. <key>userName</key>
11. <value>ddarrell</value>
12. </keyValueParameter>
13. <keyValueParameter>
14. <key>attributeName</key>
15. <value>mail</value>
16. </keyValueParameter>
21. </otpWsRequest>
22. </ns2:getOTPObject>
23. </S:Body>
24. </S:Envelope>
Example of the SOAP response message:
1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <magicNr></magicNr>
7. <errorCode>3</errorCode>
8. <errorDescription></errorDescription>
9. <message></message>
10. <status></status>
13. <keyValueParameter>
14. <key>result</key>
15. <value>[email protected]</value>
16. </keyValueParameter>
11. </otpWsRequest>
Web Service Client API (SOAP)Commands D
McAfee One Time Password 3.5 Administration Guide 107
12. </ns2:getOTPObjectResponse>
13. </S:Body>
14. </S:Envelope>
storeDataStore data in McAfee OTP.
Table D-9 KeyValuePair / xml elements
Name (key) Optional Type Description
userName No String The userName for the user.
data No String The data to store.
persistant No String Specifies if the data should be stored persistently.
Returns: the magic number, 0 if failure. In the example of the SOAP response message, see row 6.
Example of the SOAP request message:1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <clientName>webServiceClientName</clientName>
7. <clientPassword>webServiceClientPassword</clientPassword>
8. <command>storeData</command>
9. <keyValueParameter>
10. <key>userName</key>
11. <value>ddarrell</value>
12. </keyValueParameter>
13. <keyValueParameter>
14. <key>data</key>
15. <value>Some data to be stored</value>
16. </keyValueParameter>
13. <keyValueParameter>
14. <key>persistant</key>
15. <value>true</value>
16. </keyValueParameter>
21. </otpWsRequest>
D Web Service Client API (SOAP)Commands
108 McAfee One Time Password 3.5 Administration Guide
22. </ns2:getOTPObject>
23. </S:Body>
24. </S:Envelope>
Example of the SOAP response message:1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <magicNr></magicNr>
7. <errorCode></errorCode>
8. <errorDescription></errorDescription>
9. <message></message>
10. <status></status>
11. </otpWsRequest>
12. </ns2:getOTPObjectResponse>
13. </S:Body>
14. </S:Envelope>
fetchDataFetch stored data from McAfee OTP.
Table D-10 KeyValuePair / xml elements
Name (key) Optional Type Description
userName No String The userName for the user.
magicNr No String The magic number.
Returns: The data, an empty string if failure. In the example of the SOAP response message, see row13.
Example of the SOAP request message:1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <clientName>webServiceClientName</clientName>
Web Service Client API (SOAP)Commands D
McAfee One Time Password 3.5 Administration Guide 109
7. <clientPassword>webServiceClientPassword</clientPassword>
8. <command>fetchData</command>
9. <keyValueParameter>
10. <key>userName</key>
11. <value>ddarrell</value>
12. </keyValueParameter>
13. <keyValueParameter>
14. <key>magicNr</key>
15. <value>7Xs4PW</value>
16. </keyValueParameter>
21. </otpWsRequest>
22. </ns2:getOTPObject>
23. </S:Body>
24. </S:Envelope>
Example of the SOAP response message:
1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3. <S:Body>
4. <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
5. <otpWsRequest>
6. <magicNr></magicNr>
7. <errorCode></errorCode>
8. <errorDescription></errorDescription>
9. <message></message>
10. <status></status>
13. <keyValueParameter>
14. <key>result</key>
15. <value>Some data to be stored</value>
16. </keyValueParameter>
11. </otpWsRequest>
12. </ns2:getOTPObjectResponse>
13. </S:Body>
D Web Service Client API (SOAP)Commands
110 McAfee One Time Password 3.5 Administration Guide
14. </S:Envelope>
Client code examplesUse the basic client code examples when you use Java and C#.
The output will be different depending on what Web Service engine you use to create the code stubs.
Java example for the requestAuthAndOTP command
The stubs used in this example are generated with the java wsimport tool.
C# example for the requestAuthAndOTP command
The stubs used in this example are generated with Visual Studio 2010.
Web Service Client API (SOAP)Client code examples D
McAfee One Time Password 3.5 Administration Guide 111
Ruby client using the SOAP abstraction library Savon example for therequestAuthAndOTP command
The ruby client is using the SOAP abstraction library Savon.
For more information on Savon, go to the Savon website.
D Web Service Client API (SOAP)Client code examples
112 McAfee One Time Password 3.5 Administration Guide
Web Service Client API (SOAP)Client code examples D
McAfee One Time Password 3.5 Administration Guide 113
D Web Service Client API (SOAP)Client code examples
114 McAfee One Time Password 3.5 Administration Guide
Index
Aadministration console 19
mouse functions 20
AES Encryption options 63, 64
Advanced Settings 63
General Settings 63
Test encryption and decryption 64
AES Encryption options, Misc object type 63
Advanced Settings 63
General Settings 63
Test encryption and decryption 64
Alerts object type 26
Alert Configuration 27
APIprogram 16
CCIMD2 delivery method 58
CIMD2 delivery method, Delivery Method object type 58
Client Software Development Kit (SDK) 9client, Pledge Enrollment
configure 82
Clients object type 40–47
create 40
delete 40
duplicate 41
RADIUS client 41
clusteractive-active 92
configuration requirements 91
configure 91, 94
redundancy 92
redundancy configuration 92, 93
test configuration 93
two-factor authentication 92
commands, Web Service SOAP clientauthenticateUser 104
fetchData 109
getUserAttributeValue 106
requestAuthAndOTP 101
required fields / xml elements 101
storeData 108
verifyOTP 102
Concurrent Sender delivery method 56
Concurrent Sender delivery method, Delivery Method objecttype 56
configurationadministration console 19
select pane 19
configure, Alerts object typeAlert Configuration 27
configure, Clients object type 40
create 40
delete 40
duplicate 41
Native client 44–46
RADIUS client 41–44
Web services client 46, 47
configure, Databases object typecreate 28
Database group 39
delete 28
duplicate 29
LDAP 30–35
RADIUS Forward database 39
SQL 35–39
configure, Delivery Method object type 47
CIMD2 delivery method 58
Concurrent Sender delivery method 56
enable 48
Extended HTTP delivery method 51, 52
HTTP delivery method 49, 50
Instant Messaging delivery method 56, 57
Netsize delivery method 54–56
Prefetch Detection delivery method 59
SMPP delivery method 58
SMS Gateway delivery method 48–51
SMTP delivery method 53, 54
UCP File delivery method 58
configure, Licenses object typeLicense Information 28
configure, Logs object typeLog Files 25
Other Settings 26
configure, McAfee OTP 19
administration console 19
Alerts object type 26, 27
McAfee One Time Password 3.5 Administration Guide 115
configure, McAfee OTP 19 (continued)Clients object type 40–47
Databases object type 28–39
Delivery Method object type 47–59
Licenses object type 27, 28
Logs object type 25, 26
Misc object type 59–72
RADIUS object type 24
select pane 19
Server object type 20–23
configure, Misc object type 59
Admin Guide 68
AES Encryption options 63, 64
Embedded HTTP Server Options 65
Expired Password Notification settings 59, 60
Oath settings 60, 61
OATH settings 60, 62
Pledge Enrollment options 65, 66
Prefetch OTP options 62
Self Service 68–71
Unlock User Accounts options 62
User Guide 67, 71
Web Manager options 66, 67
Yubico options 72
configure, RADIUS object type 24
Additional Ports 24
RADIUS Server Settings 24
configure, Server object typeClient Settings 22
Encryption 22
Mobile Numbers 21
Onetime Password Options 21
Options 23
create, Databases object typeLDAP 29
DDatabase group 39
database, Microsoft TMGconfigure 89
database, Pledge Enrollmentconfigure 81
Databases object type 28
create 28
delete 28
duplicate 29
Databases object type, Database group 39
Databases object type, LDAPAccount Settings (HOTP/TOTP Disabled) 32
Account Settings (HOTP/TOTP Enabled) 32
Advanced options 35
create 29
Host Settings 30
Onetime Password Prefetch 33
Databases object type, LDAP (continued)PIN Code 34
Search Settings 31
Databases object type, RADIUS Forward database 39
Databases object type, SQL 35
Advanced options 39
JDBC/ODBC Settings 36
Onetime Password Prefetch 38
PIN code 38
SQL Queries (HOTP/TOTP Disabled) 37
SQL Queries (HOTP/TOTP Enabled) 38
Delivery Method object type 47–59
enable 48
EEmbedded HTTP Server Options 65
Embedded HTTP Server Options, Misc object type 65
Expired Password Notification settings 59, 60
Expired Password Notification 60
Expired Password Notification settings, Misc object type 59
Expired Password Notification 60
Extended HTTP delivery method 51, 52
Authentication and Proxy 52
Headers or Template File 51
Other Settings 52
Extended HTTP delivery method, Delivery Method object type51
Authentication and Proxy 52
Headers or Template File 51
Other Settings 52
Ffeatures, McAfee One Time Password 10
HHTTP delivery method 49, 50
Authentication 50
Headers or Template file 50
HTTP delivery method, Delivery Method object type 49
Authentication 50
Headers or Template file 50
Iinstall, McAfee OTP 17
requirements 17
Windows-based computer 18
Instant Messaging delivery method 56, 57
Jabber 57
Microsoft Live 57
Skype 57
User Prefix 57
Instant Messaging delivery method, Delivery Method objecttype 56
Jabber 57
Index
116 McAfee One Time Password 3.5 Administration Guide
Instant Messaging delivery method, Delivery Method objecttype 56 (continued)
Microsoft Live 57
Skype 57
User Prefix 57
integration modules 15
integration modules, McAfee OTP 15
LLDAP database 29
Account Settings (HOTP/TOTP Disabled) 32
Account Settings (HOTP/TOTP Enabled) 32
Advanced options 35
Host Settings 30
Onetime Password Prefetch 33
PIN Code 34
Search Settings 31
Licenses object type 27
License Information 28
Logs object type 25
Log Files 25
Other Settings 26
Mmaintenance, McAfee OTP
McAfee OTP monitor 73
server statistics 74
McAfee OTPconfigure 19
configure to use with Microsoft TMG 88
install on a Windows-based computer 18
installation 17
installation requirements 17
start 73
start on a Linux-based computer 74
start on a Mac OS X-based computer 74
start on a UNIX-based computer 74
start on a Windows-based computer 74
stop 73
stop on a Linux-based computer 74
stop on a Mac OS X-based computer 74
stop on a UNIX-based computer 74
stop on a Windows-based computer 74
McAfee OTP monitor 74
Microsoft Forefront Threat Management Gateway 85
Microsoft TMG 85
configure with McAfee OTP 86
install 86
installation 85
system requirements 85
Microsoft TMG clientconfigure 88
RADIUS options 89
Microsoft TMG Server Management tool, Microsoft TMGadvanced options 88
configure 87
Misc object type 59–72
NNative client 44–46
Advanced — Native Client Name Detection 45
Options 45
Other options 46
User Database 45
Native client, Clients object type 44
Advanced — Native Client Name Detection 45
Options 45
Other options 46
User Database 45
Netsize delivery method 54–56
Authentication 55
Communication 55
Endpoint Settings 55
Message 55
Options 56
Netsize delivery method, Delivery Method object type 54
Authentication 55
Communication 55
Endpoint Settings 55
Message 55
Options 56
OOath settings 60, 61
Automatic OATH Enrollment 61
General OATH Settings 61
HOTP 60
TOTP 61
OATH settings 60, 62
Advanced automatic OATH enrollment 62
OATH settings, Misc object type 60
Advanced automatic OATH enrollment 62
Oath, Misc object typeAutomatic OATH Enrollment 61
General OATH Settings 61
HOTP 60
TOTP 61
operations, Web Service SOAP client 96
getCommands 96
getOTPObject 97
OtpWsRequest 99
OtpWsResponse 100
PPledge 77
about 77
Pledge Client 79
Index
McAfee One Time Password 3.5 Administration Guide 117
Pledge 77 (continued)Pledge Enrollment 79
Pledge Profile Factory 79
Pledge Corporate Profilecustomize 80
Pledge Enrollment 83
administrator 84
enable 82
requirements 83
user 84
Pledge Enrollment options 65–67
Configuration settings 66
Pledge Enrollment options, Misc object type 65
Configuration settings 66
Pledge Profile Factoryaccount registration 79
Pledge web service accountrequest 81
Prefetch Detection delivery method 59
Prefetch Detection delivery method, Delivery Method objecttype 59
Prefetch OTP options 62
Prefetch OTP options, Misc object type 62
RRADIUS
access 16
RADIUS client 41–44
Advanced settings 41
Encoding 42
Listen on RADIUS Ports 42
Other options 44
Prefetch OTP Options 43
RADIUS Client Attribute Detection 41
RADIUS Options 43
RADIUS Reject Error Messages 42
User Database 44
RADIUS client, Clients object typeAdvanced settings 41
Encoding 42
Listen on RADIUS Ports 42
Other options 44
Prefetch OTP Options 43
RADIUS Client Attribute Detection 41
RADIUS Options 43
RADIUS Reject Error Messages 42
User Database 44
RADIUS Forward database 39
RADIUS object type 24
Additional Ports 24
RADIUS Server Settings 24
Sselect pane 19
Self Service 68–71
Configuration settings 68
Information) 70
Lockout) 70
Log on page for forgotten password 71
Log on page with username and password) 71
Management pages for self administration 71
Secret Question and Answer (Q/A) 69
Self Service, Misc object type 68, 71
Admin Guide 68
Configuration settings 68
Information) 70
Lockout) 70
Log on page for forgotten password 71
Log on page with username and password) 71
Management pages for self administration 71
Secret Question and Answer (Q/A) 69
User Guide 71
Server object type 20
Client Settings 22
Encryption 22
Global Options 23
Mobile Numbers 21
Onetime Password Options 21
Options 23
Server Settings 21
SMPP delivery method 58
SMPP delivery method, Delivery Method object type 58
SMS Gateway delivery method 48–51
Advanceds 49
Configuration and Status 49
General Settings and Proxy 48
Location 49
Other Settings 51
Proxy 50
SMS Gateway delivery method, Delivery Method object type 48
Advanced 49
Configuration and Status 49
General Settings and Proxy 48
Location 49
Other Settings 51
Proxy 50
SMTP delivery method 53, 54
Authentication 53
SMTP Host 53
SMTP Options 54
SMTP delivery method, Delivery Method object type 53
Authentication 53
SMTP Host 53
SMTP Options 54
SQL database 35
Advanced options 39
JDBC/ODBC Settings 36
Onetime Password Prefetche 38
PIN code 38
Index
118 McAfee One Time Password 3.5 Administration Guide
SQL database 35 (continued)SQL Queries (HOTP/TOTP Disabled) 37
SQL Queries (HOTP/TOTP Enabled) 38
supported operating systems 8supported protocols 9supported user databases 9
UUCP File delivery method 58
UCP File Options 58
UCP File delivery method, Delivery Method object type 58
UCP File Options 58
Unlock User Accounts options 62
Unlock User Accounts options, Misc object type 62
VVPN
access 16
WWeb Manager 67
Web Manager options 66, 67
Authentication settings 67
Other settings 67
Web Manager options, Misc object type 66
Authentication settings 67
Web Manager options, Misc object type 66 (continued)Other settings 67
Web Manager, Misc object type 67
User Guide 67
Web service client, Clients object typeOptions 46
Other Options 47
User Database 47
Web Service SOAP clientclient code examples 111
commands 101
integration 95
setup 95
Web services client 46, 47
Options 46
Other Options 47
User Database 47
Web services client, Clients object type 46
YYubico 72
Yubico options, Misc object type 72
Index
McAfee One Time Password 3.5 Administration Guide 119
B00