One Identity Authentication Manager for Linux Thin Clients 9.0.2 Installation and Configuration Guide

Jun 20, 2020

Copyright 2017 One Identity LLC.

ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC. The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity do not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656

Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.

Patents

One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at http://www.OneIdentity.com/legal/patents.aspx.

Trademarks

One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.OneIdentity.com/legal. All other trademarks are the property of their respective owners.

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

 

Authentication Manager for Linux Thin Clients Installation and Configuration Guide
Updated - December 2017
Version - 9.0.2

Contents

Preface
Overview
rsUserAuth Usage
Architecture
RFID Badge Integration
Smart Card Integration
Installing rsUserAuth
Configuring EAM
Configuring the EAM console
Configuring the EAM controller
Roaming Secret
Token Selection
Configuring rsUserAuth
Parameters and Options
Mandatory Parameters
Optional Parameters and Options
Command line arguments
Example
The Configuration File
Description
Template
Enabling High Availability
Subject
Procedure
Logging on to a Roaming Session
Logging on with an RFID Badge
Subject
Description
Logging on with your Login and Password
Subject
Description
Resetting your Password
Subject
Pre-requisite
Description
Customizing Messages
Subject
Procedure
rsUserAuth Log File
Use Case: Installing and Configuring rsUserAuth on IGEL Thin Clients
Subject
Description
Delivery and Customization
The rsUserAuth.tar.bz2 file
Content
Customization
The rsUserAuth.inf file
Upload to an FTP server
IGEL Configuration
Custom partition
Procedure
One Identity Authentication Manager Session
Procedure
Smart Card Settings
Procedure
Logging on to IGEL
Enrolling your RFID Badge with a PIN
Subject
Description
Procedure
Modifying the PIN of your RFID Badge
Subject
Description
Procedure
Authentication Module Log File
About us
Contacting us
Technical support resources

Preface

Subject: This guide explains how to install, configure and use rsUserAuth (Authentication Manager roaming session) on Linux systems (32 & 64 bit and ARM).

Audience: This guide is intended for system integrators.

Required Software: EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.

Typographical Conventions:

Bold - Indicates:
 - Interface objects, such as menu names, buttons, icons and labels.
 - File, folder and path names.
 - Keywords to which particular attention must be paid.

Italics - Indicates references to other guides.

Code - Indicates portions of program codes, command lines or messages displayed in command windows.

CAPITALIZATION - Indicates specific objects within the application (in addition to standard capitalization rules).

< > - Identifies parameters to be supplied by the user.


Documentation support

The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide can be incorrect. Send us your comments or suggestions regarding the documentation on the One Identity support website.


1 Overview

rsUserAuth Usage

rsUserAuth is the authentication module of the EAM (Enterprise Access Management) suite on Linux thin clients. It enables rapid implementation of connection procedures using authentication mechanisms with physical tokens (smart cards and RFID badges), in addition to the standard authentication method of login/password.

rsUserAuth is used to implement strong authentication in the following scenarios of use:

 - Authentication with smart cards.
 - Authentication with RFID badges.

NOTE:

 - For RFID badges, only PCSC type badges are supported.
 - The list of other supported authentication devices and software versions is provided in One Identity EAM Release Notes.

rsUserAuth requires EAM Web Services to retrieve the RFID badge or smart card owner credentials. These credentials are used by a specified start script which, for example, allows access to a Windows session through a Citrix client. A specified end script is then called at the end of the process.

Architecture

rsUserAuth can only be installed in Active Directory mode or in Active Directory/AD LDS mode.


NOTE:

 - Credentials are checked on the controller each time a roaming session is started and retrieved.
 - For users who are not allowed to use a roaming session, the Windows credentials are required. The validity of the credentials is then checked.

RFID Badge Integration

Depending on your EAM configuration, you may be using RFID badges with PIN. If this is the case, a PIN replacing the primary directory password is associated with each RFID badge.

 1. The RFID badge serial number is read on the thin client by the rsUserAuth authentication module.
 2. rsUserAuth sends a request to the EAM Web Services to retrieve the owner’s name and his credentials.
 3. The EAM Security Service sends an LDAP request to the directory to retrieve the information.
 4. The result is returned to rsUserAuth.
 5. rsUserAuth processes the result as follows. If:
    - The badge is associated with a user and a roaming session is active, the user credentials are returned to a specified script (start script) that can be executed. Example: a Citrix session is opened.
    - The badge is associated with a user but there is no active roaming session, either the user’s Windows password or PIN is requested to start a roaming session. The user credentials are then returned to a specified script that can be executed.
    - The badge is not associated with a user, then a self-enrollment procedure is proposed. In that case, the user credentials are required. A roaming session is then started and the specified script is executed. In an RFID+ PIN configuration, in addition to the user credentials, a PIN must be chosen. This PIN must respect the PIN policy defined in EAM.
    - The user password needs to be changed, the current and the new password are required. A roaming session is then started and the specified script is executed.
    - The PIN must be changed when the RFID+ PIN authentication method is used: the current PIN is required and a new PIN must be chosen.
    - The badge is blacklisted or locked, an error message is returned.

Smart Card Integration

 1. The smart card serial number and owner are read on the thin client by the rsUserAuth authentication module.
 2. rsUserAuth sends a request to the EAM Web Services to check the owner and retrieve his credentials.
 3. The EAM Security Service sends an LDAP request to the directory to retrieve the information.
 4. The result is returned to rsUserAuth.
 5. rsUserAuth processes the result as follows. If:
    - The card is associated with the card user and a roaming session is active, the user credentials are returned to a specified script that can be executed. Example: a Citrix session is opened.
    - The card is not associated with the right user, an error is returned.
    - The card is associated with a user but there is no active roaming session, the card PIN is requested to retrieve the user credentials stored on the card and start a roaming session. The credentials are then returned to the specified script that is executed (for example opening a Citrix session). If this fails, the user’s Windows password is requested for starting a roaming session, the specified script is then started and the credentials on the card are updated.
    - The user password needs to be changed, the PIN and new password are required (the current password is read on the token if available, otherwise it is requested). A roaming session is then started and the specified script is executed and the credentials on the card are updated.
    - The card is blacklisted or locked, an error message is returned.

NOTE: PIN management is not supported: modifying and unblocking PINs must be done through the CardOS API tool.


2 Installing rsUserAuth

Depending on your thin client system type, you must copy the corresponding rsUserAuth binary to the thin client and make sure it has execute permission.

Then, you must copy the message catalog file rsUserAuth.cat into the same directory as the rsUserAuth binary, or into the directory that is specified by the message catalog parameter (in this case the name of the message catalog can be modified).

NOTE: You can customize these messages. For more information, see Customizing Messages.


3 Configuring EAM

Configuring the EAM console

rsUserAuth supports self-enrollment for RFID badges and allows the user to change his password if required.

To enable these features, you must provide the authorizations to the following modules in the EAM console:

 - Password authentication method and Roaming session for users, in the User Security Profile.
 - Enterprise SSO for the Web Service workstation, in the Access Point Profile.

You must also initialize and assign smart cards to users.

For more information, see One Identity EAM Console - Guide de l'administrateur.

Configuring the EAM controller

Roaming Secret

IMPORTANT: Security requirement: the data exchanged between the EAM Web Service and rsUserAuth is encrypted. Therefore, a shared secret is mandatory.

The shared secret is stored in the Windows registry string value: ExternalRoamingSessionSecret.

This value is set under the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Framework\Authentication key.


Token Selection

A roaming session can be retrieved for RFID badges and smart cards.

To limit the EAM search to RFID badges only (the only token type supported at that time by rsUserAuth), you must set the following Windows registry string value: ExternalRoamingSessionToken.

This value is set under the HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Framework\Authentication key.

Two values are available:

 - ExternalRoamingSessionToken = SmartCard means that only smart cards are searched.
 - ExternalRoamingSessionToken = RFID means that only RFID badges are searched.

 


4 Configuring rsUserAuth

rsUserAuth needs configuration parameters that can be provided on the command line and/or in a configuration file.

IMPORTANT: Each command-line argument overrides its corresponding configuration file parameter if it exists.

Parameters and Options

Mandatory Parameters

 - EAM web service URL.
   Example: https://129.182.77.100:9765/soap
   You can define a list of several Web servers: when a Web server is not responding, the next server in this list is used. The URLs must be separated by a comma and only https must be used.
   Example:
   https://129.182.77.100:9765/soap,//129.182.77.200:9765/soap,//129.182.77.300:9765/soap

 - Cacert file path or path of certification authority for https connections.
   If there is a list of EAM Web services, you must define the directory where the certificates are or a list of certificate files. If there is a list of certificate files, then the certificate file paths must be separated by a comma and the list must have the same number of items as the EAM Web service list. The list of certificate files and the EAM Web service list must be in the same order.
   Example: If the EAM Web service list contains:
   https://129.182.77.100:9765/soap,//129.182.77.200:9765/soap,//129.182.77.300:9765/soap
   The certificate files list must contain:
   /etc/rsUserAuth/ca1.crt,/etc/rsUserAuth/ca2.crt,/etc/rsUserAuth/ca3.crt
     - ca1.crt is used with 129.182.77.100 web server.
     - ca2.crt is used with 129.182.77.200 web server.
     - ca3.crt is used with 129.182.77.300 web server.
     - or a certificate directory can be used: /etc/rsUserAuth

 - Shared secret or shared secret complete path.
   Example: My_Secret or /etc/rsUserAuth/secret

 - Start script to execute when the badge is detected. This script can use 3 parameters:
     - $1 = username
     - $2 = password
     - $3 = domain
   Example: /home/rsUserAuth/start.bash

 - End script to execute when the badge is removed.
   Example: /home/rsUserAuth/stop.bash

Optional Parameters and Options

 - rsUserAuth configuration file: complete path and file name. By default, it is /etc/rsUserAuth/rsUserAuth.ini
 - Verbose mode: the log messages are directed either to stderr or to both stderr and the log file.
 - Tapping mode: this feature is only available for RFID badges. By default, this mode is disabled.
 - Message catalog path: complete path and file name. By default, it is ./rsUserAuth.cat
 - Level for trace: the level for trace can be chosen among these values:
     - none.
     - low.
     - medium.
     - high.
     - details.
   NOTE: For more information on the log file, see rsUserAuth Log File.
 - Path of the logging directory: complete path of the logging directory. By default, the logging directory is /tmp.
 - Version number: provides the version of the rsUserAuth binary.
 - Help: provides the command line options.
 - Welcome Message: displays a customized message when the process is ready to accept a card on the reader.
 - Authentication configuration file path: complete path and file name where the settings for smart cards are set.
   Example: pkcs#11 library path.
   Authentication configuration settings:
   smartcard_pkcs_library=/usr/local/lib/libcardos11.so
 - Process To Spy: name of the process whose termination triggers the end script. This feature is only available with the RFID tapping mode.
 - Password authentication: allows authentication with the password method and reset of the user primary password.

Command line arguments

 - -h: help menu.
 - -v: version information.
 - -d: verbose (debug) mode with output on stderr.
 - -D: verbose mode with output on stderr and log file.
 - -u url: EAM web service url list.
 - -s secret: shared secret.
 - -S path: secret path and file.
 - -e exe: start script.
 - -x exe: end (stop) script.
 - -c ca.cert: Cacert file list or path of the certification authority.
 - -M path: message catalog path.
 - -l level: level for trace.
 - -L path: path of the logging directory.
 - -t: tapping mode.
 - -T delay: delay for dynamic tapping mode (in seconds).
 - -w: welcome message will be displayed.
 - -A path: authentication configuration file path.
 - -y name: name of the process to spy (RFID tapping mode).
 - -P: password authentication is supported.
 - -n domain: default domain name for password authentication.


Example

rsUserAuth -u https://192.168.45.120:9765/soap -S /etc/rsUserAuth/secret.txt -e start.bash -x stop.bash -l medium -A /etc/rsUserAuth/authConf.txt

The Configuration File

Description

The default configuration file name is rsUserAuth.ini; it is located in the /etc/rsUserAuth directory. The configuration file name and path can be customized; in that case its full pathname must be provided with the argument -p of the rsUserAuth command line.

Template

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; rsUserAuth configuration file
; default path of the .ini file is /etc/rsUserAuth/rsUserAuth.ini
; this file contains settings for rsUserAuth
; each setting has a specific label followed by "=" and its value,
; to validate settings, you must update and uncomment the right lines.
[general]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; User Access web service url.
;url=https://192.168.45.120:9765/soap
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Cacert file path of certification authority
;caCrt_Path=/etc/rsUserAuth/ca.crt
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; shared secret
;secret=My_Secret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; shared secret path including the name of the file
;secret_Path=/etc/rsUserAuth/secret.txt
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; path of the message catalog including the name of the file
;messages_Path=/etc/rsUserAuth/messages.cat
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; start script which will be executed after retrieving
; roaming session
; parameters are:
; $1 is username
; $2 is password
; $3 is domain
;startExec=/home/rsUserAuth/start.bash
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; command which will be executed after card is removed
;endExec=/home/rsUserAuth/stop.bash
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; tapping mode may be "on" or "off", default value is "off"
;tapping=on
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; tapping delay for dynamic tapping. Delay is in seconds, default is 3
;tappingDelay=3
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; logging parameters
; logLevel may be "none", "low", "medium", "high", "details"
; logDirectory : default value is /tmp. Be careful to have write
; permissions for this directory
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;logLevel= none
;logDirectory= /tmp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; welcome message may be "on" or "off", default value is "off"
;welcomeMessage=on
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; authentication configuration file path
;authenticationConfigurationFile_Path=/etc/rsUserAuth/authConf.txt
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Name of the process to spy (RFID tapping mode only)
;processToSpy=My_process
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Password authentication is allowed
;passwordAuthenticationMethod=on
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Default domain name in case of password authentication
;defaultDomain=myDomain
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Enabling High Availability

Subject

Authentication Manager for Linux is highly available as it can support more than one server at a time. To enable high availability, execute the following procedure.

Procedure

Set the following configuration parameters:

 - EAM Web service (-u parameter): enter a URL list of the Web servers, separated by a comma, such as:
   https://129.182.77.111:9765/soap, //129.182.77.222:9765/soap,//129.182.77.333:9765/soap, etc.
 - Certificate file path (-c parameter): enter a list of certificate files separated by a comma, such as:
   /etc/rsUserAuth/ca111.crt,/etc/rsUserAuth/ca222.crt,/etc/rsUserAuth/ca333.crt, etc.

NOTE: The number of certificates must be the same as the number of Web servers in the list and must be ordered in the same way.
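
The following is an added example, not part of the original guide and not One Identity code: a POSIX shell check of an rsUserAuth.ini against the rules stated in Mandatory Parameters and in this procedure (https-only URL list, certificate file list paired one-to-one with the URL list, valid logLevel), plus an owner-only permission check on the file holding the shared secret. The function names, the permission check and the 192.0.2.x sample addresses are assumptions made for the example; it assumes all mandatory parameters are set in the .ini file and that it runs on the thin client.

```shell
#!/bin/sh
# Added example, not One Identity code. Assumes every mandatory parameter is
# set in the .ini (none supplied on the command line) and that it runs on the
# thin client, where the referenced paths exist.

# ini_get FILE KEY: value of the last active (uncommented) KEY=value line.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# count_items LIST: number of comma-separated items (0 for an empty list).
count_items() {
    [ -n "$1" ] || { echo 0; return 0; }
    printf '%s\n' "$1" | awk -F, '{ print NF }'
}

# private_file PATH: true if PATH is a file with no group/other permission bits.
private_file() {
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

finding() { findings=$((findings + 1)); printf 'FINDING: %s\n' "$1"; }

# check_rsuserauth_ini FILE: prints one line per finding, returns their count.
check_rsuserauth_ini() {
    ini=$1; findings=0
    urls=$(ini_get "$ini" url | tr -d ' ')
    certs=$(ini_get "$ini" caCrt_Path | tr -d ' ')
    secret_path=$(ini_get "$ini" secret_Path)
    n_urls=$(count_items "$urls")
    old_ifs=$IFS; set -f; IFS=,

    [ -n "$urls" ] || finding "url is not set"
    # Only https is allowed. Scheme-less //host:port/soap items, as written in
    # the guide's list examples, are accepted; any other form is reported.
    for u in $urls; do
        case $u in
            https://*|//*) ;;
            *) finding "web service URL is not https: $u" ;;
        esac
    done

    if [ -z "$certs" ]; then
        finding "caCrt_Path is not set"
    elif [ ! -d "$certs" ]; then
        # A file list must pair one-to-one, in order, with the URL list.
        n_certs=$(count_items "$certs")
        [ "$n_certs" -eq "$n_urls" ] ||
            finding "$n_certs certificate file(s) listed for $n_urls URL(s)"
        for c in $certs; do
            [ -f "$c" ] || finding "certificate file not found: $c"
        done
    fi
    IFS=$old_ifs; set +f

    # The shared secret protects the web service exchange, so whichever file
    # holds it should be private to its owner (added hardening check).
    if [ -n "$(ini_get "$ini" secret)" ]; then
        private_file "$ini" ||
            finding "inline secret in a group/world-accessible file: $ini"
    elif [ -n "$secret_path" ]; then
        private_file "$secret_path" ||
            finding "secret file missing or group/world-accessible: $secret_path"
    else
        finding "neither secret nor secret_Path is set"
    fi

    for key in startExec endExec; do
        script=$(ini_get "$ini" "$key")
        [ -n "$script" ] && [ -x "$script" ] ||
            finding "$key is not set or not executable: $script"
    done

    case $(ini_get "$ini" logLevel) in
        ''|none|low|medium|high|details) ;;
        *) finding "logLevel is not one of none/low/medium/high/details" ;;
    esac
    return "$findings"
}

# Constructed sample: three servers but two certificates, one http URL,
# a world-readable secret file and an invalid log level (4 findings).
demo_bad_config() {
    d=$(mktemp -d) || return 255
    touch "$d/ca1.crt" "$d/ca2.crt" "$d/start.bash" "$d/stop.bash"
    chmod 755 "$d/start.bash" "$d/stop.bash"
    echo My_Secret > "$d/secret.txt"; chmod 644 "$d/secret.txt"
    cat > "$d/rsUserAuth.ini" <<EOF
[general]
url=https://192.0.2.10:9765/soap,http://192.0.2.11:9765/soap,//192.0.2.12:9765/soap
caCrt_Path=$d/ca1.crt,$d/ca2.crt
secret_Path=$d/secret.txt
startExec=$d/start.bash
endExec=$d/stop.bash
logLevel=verbose
EOF
    check_rsuserauth_ini "$d/rsUserAuth.ini"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_bad_config || echo "$? finding(s) in the constructed sample"
```

On a thin client, call check_rsuserauth_ini with the path of the deployed file, for example /etc/rsUserAuth/rsUserAuth.ini; the return code is the number of findings.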

 

 


5 Logging on to a Roaming Session

Logging on with an RFID Badge

Subject

This section explains how to connect to a roaming session on a Linux thin client with your RFID badge.

Description

An RFID badge can either be:

 - Placed on the device, i.e. active mode. The roaming session is:
     - Started (retrieving roaming session and executing the start script which may open a Citrix session for example) when the badge is placed on the reader.
     - Locked (the end script is executed) when the badge is withdrawn.
   IMPORTANT: The badge must remain on the device as long as the roaming session is needed.

 - Placed on the device for a specific length of time, i.e. dynamic tapping mode. The roaming session is:
     - Started (retrieving roaming session and executing the start script which may open a Citrix session for example) when the badge is placed on the reader.
     - Set in:
         - passive mode if the badge is withdrawn before the delay expires.
         - active mode if the badge is not withdrawn before the delay expires.

 - Quickly presented to the device, i.e. passive mode or tapping mode. The roaming session is:
     - Started (retrieving roaming session and executing the start script which may open a Citrix session for example) when the badge is placed on the reader and withdrawn.
     - Locked (the end script is executed) when the badge is presented again and withdrawn.

NOTE:

 - In tapping mode, a specified process can be spied on.
 - If a process started at start script execution ends before the badge is presented for the second time, the end script is executed and the badge state is reset. A configuration parameter must be used for this feature.

 

Logging on with your Login and Password

Subject

This section explains how to connect to a roaming session on a Linux thin client with your login and password.

Description

To log on, the user needs to provide his login, password and domain.

Once the credentials are successfully checked by EAM, the start script is executed.

When a new authentication is requested, the end script is executed.

NOTE: No roaming session is started, only the scripts are started/ended.

 

Resetting your Password

Subject

You can reset your password by answering a series of personal questions.


Pre-requisite

You must have defined a series of personal questions & answers with Authentication Manager.

Description

You must answer your personal questions to be able to reset your password.

Once the questions are successfully checked by EAM, you must define a new password.

NOTE: A PFCP (Password Format Control Policy) may be displayed to help you define your new password.


6 Customizing Messages

Subject

The default message catalog file provided is rsUserAuth.cat. The text of the messages can be customized and located; a new message catalog must therefore be generated. When:

 • No message catalog path is set as an rsUserAuth argument (on the command line or in the configuration file), this new message catalog must be named rsUserAuth.cat and installed in the same directory as the rsUserAuth binary.

 • A message catalog path is set, you must install and name the message catalog according to the configuration parameter.

Procedure

 1.  Edit the provided rsUserAuth.msg file.

 2.  You can change the text for each message, but you must respect the format for each of them. Example:

     2 Internal error.\nPlease contact your administrator.

     Can be changed into:

     2 Please contact the helpdesk.

 3.  When you have finished with your modifications, save your updates in a new file (for example: my_rsUserAuth.msg) and then generate the message catalog (for example my_rsUserAuth.cat) as follows:

     gencat my_rsUserAuth.cat my_rsUserAuth.msg

NOTE: rsUserAuth cannot start if the message catalog is unavailable.
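A pre-flight check for the procedure above, as an added example that is not part of the product or of the original guide. It assumes that "respecting the format" means keeping every message number of the delivered rsUserAuth.msg; the function names and messages 1 and 3 of the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a customised rsUserAuth.msg before running gencat.
# Assumption: every numbered message of the shipped file must still exist
# under the same number (and the same $set) in the customised file.

# Print "set:number" for every message line of a gencat source file.
msg_ids() {
    awk '
    BEGIN { set = 1 }                            # default set when no $set line
    cont  { cont = ($0 ~ /\\$/); next }          # continuation of previous line
    /^\$set[ \t]+[0-9]+/ { set = $2 + 0; next }
    /^[0-9]+([ \t]|$)/   { print set ":" $1 }
    { cont = ($0 ~ /\\$/) }                      # trailing backslash continues
    ' "$1" | sort -u
}

# Print the ids present in $1 (shipped file) but absent from $2 (customised).
missing_ids() {
    new=$(mktemp) || return 2
    msg_ids "$2" > "$new"
    msg_ids "$1" | grep -vxFf "$new" || true
    rm -f "$new"
}

# Build the catalog only if no message was lost; write to a temporary name
# first so an existing catalog is never left half-written.
build_catalog() {   # usage: build_catalog SHIPPED.msg CUSTOM.msg OUTPUT.cat
    lost=$(missing_ids "$1" "$2")
    if [ -n "$lost" ]; then
        echo "refusing to build, message ids missing from $2: $lost" >&2
        return 1
    fi
    rm -f "$3.new"
    gencat "$3.new" "$2" && mv "$3.new" "$3"
}

# Constructed sample: message 3 lost its number during editing.
demo_missing() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '1 Welcome.' \
        '2 Internal error.\nPlease contact your administrator.' \
        '3 Authentication failed.' > "$dir/rsUserAuth.msg"
    printf '%s\n' '1 Welcome.' '2 Please contact the helpdesk.' \
        'Authentication failed.' > "$dir/my_rsUserAuth.msg"
    missing_ids "$dir/rsUserAuth.msg" "$dir/my_rsUserAuth.msg"
    rm -rf "$dir"
}

demo_missing   # prints 1:3
```

Since rsUserAuth cannot start without its catalog, run build_catalog on a staging copy and install the resulting file only when it returns 0.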

 

 

 


7

rsUserAuth Log File

Each time rsUserAuth starts, a log file named rsUserAuth_pid.log is created.

Depending on your needs, different levels of trace can be selected: none, low, medium, high, details.

Each log entry is preceded by the date and time.

IMPORTANT: No mechanism is implemented to clean up the log files or to control the space used in the directory.

Here are the first lines of the rsUserAuth log file:

16/09/22 10:51:07.443 :START :0000 ***

16/09/22 10:51:07.444 :START :0000 *** Trace File for rsUserAuth

16/09/22 10:51:07.444 :START :0000 *** Trace Level=4

16/09/22 10:51:07.444 :START :0000 *** rsUserAuth version 1.4.6110

16/09/22 10:51:07.444 :START :0000 *** rsUserAuth pid 16747

16/09/22 10:51:07.444 :START :0000 ***

16/09/22 10:51:07.444 :START :0000 *** system name Linux

16/09/22 10:51:07.444 :START :0000 *** release 3.2.0-4-686-pae

16/09/22 10:51:07.444 :START :0000 *** version #1 SMP Debian 3.2.51-1

16/09/22 10:51:07.444 :START :0000 *** machine i686

16/09/22 10:51:07.444 :START :0000 ***

16/09/22 10:51:07.444 :RoamingEngine.cpp :0336 message catalog opening...(null)

16/09/22 10:51:07.444 :RoamingDisplay.cpp :0010 RoamingDisplay (null)

16/09/22 10:51:07.444 :RoamingDisplay.cpp :0034 the catalog of messages is open

16/09/22 10:51:07.444 :RoamingEngine.cpp 0339 message catalog ret 1

16/09/22 10:51:07.444 :RoamingEngine.cpp :0477

configuration parameters

url: https://129.182.77.106:9765/soap

startExec: /etc/rsUserAuth/start.bash


endExec: /etc/rsUserAuth/stop.bash

tapping mode: off

tappingDelay: 5

welcome: on

secret_Path:

messages_Path:

Cacert_Path: /etc/rsUserAuth

smartcard_pkcs_library:

PasswordAuthenticationMethod: on

16/09/22 10:51:07.444 :RoamingEngine.cpp :0592 list of web servers :

16/09/22 10:51:07.444 :RoamingEngine.cpp :0596 https://129.182.77.106:9765/soap

16/09/22 10:51:07.444 :RoamingEngine.cpp :0690 arg_caCrt is a directory

16/09/22 10:51:07.444 :RoamingSession.cpp :1175 selected protocol: https

16/09/22 10:51:07.444 :RoamingSession.cpp :1183 web service : https://129.182.77.106:9765/soap

16/09/22 10:51:07.444 :RoamingSession.cpp :1186 certificate: /etc/rsUserAuth

16/09/22 10:51:07.453 :RoamingSession.cpp :1249 soap_call___wgws__GetVersion (https://129.182.77.106:9765/soap) version = 9.1.0

16/09/22 10:51:07.453 :RoamingSession.cpp :0096 init_for_soap successful

16/09/22 10:51:07.453 :RoamingEngine.cpp :0775 InitSoap successful

16/09/22 10:51:07.456 :RoamingEngine.cpp :0791 InitSessionKey successful

16/09/22 10:51:07.460 :Cpkcsmon.cpp :0062 Pkcs is not configured

16/09/22 10:51:07.460 :Cpcscmon.cpp :0039 !m_Pkcs->IsInit

16/09/22 10:51:07.460 :Cpcscmon.cpp :0043 Pkcs is unavailable

16/09/22 10:51:07.460 :Cpcscmon.cpp :0051 Put Card on Reader

16/09/22 10:51:07.461 :Cpcscmon.cpp :0168 2 PC/SC readers found

16/09/22 10:51:07.461 :Cpcscmon.cpp :0272 Reader 0: OMNIKEY CardMan (076B:5321) 5321 00 00

16/09/22 10:51:07.461 :Cpcscmon.cpp :0275 Card state:

16/09/22 10:51:07.461 :Cpcscmon.cpp :0288 No card in the reader

16/09/22 10:51:07.461 :Cpcscmon.cpp :0272 Reader 1: OMNIKEY CardMan (076B:5321) 5321 00 01

16/09/22 10:51:07.461 :Cpcscmon.cpp :0275 Card state:


16/09/22 10:51:07.461 :Cpcscmon.cpp :0288 No card in the reader

16/09/22 10:51:09.436 :Cpcscmon.cpp :0272 Reader 1: OMNIKEY CardMan (076B:5321) 5321 00 01

16/09/22 10:51:09.436 :Cpcscmon.cpp :0275 Card state:

16/09/22 10:51:09.436 :Cpcscmon.cpp :0299 Card present

16/09/22 10:51:09.436 :Cpcscmon.cpp :0327 Card ATR:

16/09/22 10:51:09.436 :Cpcscmon.cpp :0334 3b8f8001804f0ca000000306030001000000006a

16/09/22 10:51:09.436 :Cpcscmon.cpp :0432 has_UID...

16/09/22 10:51:09.443 :RoamingEngine.cpp :1315 onCardInsert 9AF989A2

16/09/22 10:51:09.443 :RoamingEngine.cpp :1366 Badge inserted at 1474534269.

16/09/22 10:51:09.443 :RoamingEngine.cpp :1374 onCardInsert tapping mode false , badge no previous

16/09/22 10:51:09.443 :RoamingEngine.cpp :1082 getSession

16/09/22 10:51:09.443 :RoamingSession.cpp :0629 RetrieveRoamingSession ...

16/09/22 10:51:09.443 :RoamingSession.cpp :0649 RetrieveRoamingSession for badge started

16/09/22 10:51:09.443 :RoamingSession.cpp :0359 SetRetrieveRoamingSessionDataIN ret: 0x0

16/09/22 10:51:09.443 :RoamingSession.cpp :0662 soap_call___wgws__RetrieveRoamingSession...

16/09/22 10:51:09.523 :RoamingSession.cpp :0665 soap_call___wgws__RetrieveRoamingSession

16/09/22 10:51:09.523 :RoamingSession.cpp :0462 GetRetrieveRoamingSessionDataOUT ret: 0x0

16/09/22 10:51:09.523 :RoamingSession.cpp :0718 RetrieveRoamingSession ret: 0x0

16/09/22 10:51:09.523 :RoamingSession.cpp :1327 RetrieveRoamingSession 0x0

16/09/22 10:51:09.523 :RoamingSession.cpp :1328 Version : 2

16/09/22 10:51:09.523 :RoamingSession.cpp :1329 UserDomain : dev.ua.dom

16/09/22 10:51:09.523 :RoamingSession.cpp :1330 UserLogin : Alix

16/09/22 10:51:09.523 :RoamingSession.cpp :1331 UserPassword :


16/09/22 10:51:09.523 :RoamingSession.cpp :1332 UserPrincipalName : [email protected]

16/09/22 10:51:09.523 :RoamingSession.cpp :1333 UserGUID : 05f5bbe53a62cd4e9b2a70529ebe6c77

16/09/22 10:51:09.523 :RoamingSession.cpp :1334 PINRequired : true

16/09/22 10:51:09.523 :RoamingSession.cpp :1335 PINNotInitialized : false

16/09/22 10:51:09.523 :RoamingSession.cpp :1336 RetrieveRoamingSession 0x0

16/09/22 10:51:09.523 :RoamingSession.cpp :1356 roaming session does not exist

16/09/22 10:51:09.523 :RoamingSession.cpp :1398 getRoamingSession result 0x0

16/09/22 10:51:09.523 :RoamingEngine.cpp :1112 getSession result : 0x0

16/09/22 10:51:09.523 :RoamingEngine.cpp :1172 getSession : password is empty

16/09/22 10:51:09.523 :RoamingEngine.cpp :1179 getSession : PIN is required

16/09/22 10:51:10.772 :Cpcscmon.cpp :0272 Reader 1: OMNIKEY CardMan (076B:5321) 5321 00 01

16/09/22 10:51:10.772 :Cpcscmon.cpp :0275 Card state:

16/09/22 10:51:10.772 :Cpcscmon.cpp :0288 No card in the reader

16/09/22 10:51:10.772 :RoamingEngine.cpp :1424 Badge withdrawn 1 s after detection.

16/09/22 10:51:10.772 :RoamingEngine.cpp :1435 onCardRemove bTapping true

16/09/22 10:51:10.772 :RoamingEngine.cpp :1468 onCardRemove (tapping mode) no previous

16/09/22 10:51:13.397 :RoamingEngine.cpp :3179 onRFIDPinCode

16/09/22 10:51:13.397 :RoamingEngine.cpp :2995 StartAndCheckSession : startNewSession ...

16/09/22 10:51:13.397 :RoamingSession.cpp :0728 InitiateRoamingSession ...

16/09/22 10:51:13.397 :RoamingSession.cpp :0749 InitiateRoamingSession for user '05f5bbe53a62cd4e9b2a70529ebe6c77' started

16/09/22 10:51:13.397 :RoamingSession.cpp :0527 SetInitRoamingSessionDataIN ret: 0x0

16/09/22 10:51:13.765 :RoamingSession.cpp :0597 GetInitRoamingSessionDataOUT ret: 0x0

16/09/22 10:51:13.765 :RoamingSession.cpp :0816 InitiateRoamingSession ret: 0x0

16/09/22 10:51:13.765 :RoamingSession.cpp :1595 InitiateRoamingSession 0x0


16/09/22 10:51:13.765 :RoamingSession.cpp :1615 roaming session does not exist

16/09/22 10:51:13.765 :RoamingSession.cpp :1676 startNewSession returns 0x0

16/09/22 10:51:13.765 :RoamingEngine.cpp :2999 startNewSession ret = 0

16/09/22 10:51:13.765 :RoamingEngine.cpp :3008 StartAndCheckSession : startNewSession successful

16/09/22 10:51:13.766 :RoamingEngine.cpp :3029 Roaming Session is valid -> Starting /etc/rsUserAuth/start.bash with its arguments
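An added example, not part of the product or of the original guide: a POSIX shell function that condenses a trace file in the layout shown above into a timeline of badge and session events and lists which User* fields carry a value. The function names and output labels are illustrative; the sample lines are copied from the excerpt above.

```shell
#!/bin/sh
# Added example: summarise an rsUserAuth trace file read on stdin.
# Record layout, as seen in the excerpt:
#   YY/MM/DD HH:MM:SS.mmm :Source.cpp :NNNN message
# Lines without a leading date (the configuration dump) are skipped.

rs_log_summary() {
    awk '
    $1 !~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ { next }
    {
        # Message text is everything after the source and line-number fields.
        msg = ""
        for (i = 5; i <= NF; i++) msg = msg (i > 5 ? " " : "") $i
        t = $2
    }
    msg ~ /Trace Level=/ {
        sub(/.*Trace Level=/, "", msg); print t, "trace_level", msg; next
    }
    # Badge UID line only; the "tapping mode" variant is ignored.
    msg ~ /^onCardInsert [0-9A-F]+$/      { print t, "badge_insert", $6; next }
    msg ~ /^Badge withdrawn/              { print t, "badge_withdrawn"; next }
    msg ~ /startNewSession successful$/   { print t, "session_started"; next }
    msg ~ /^Roaming Session is valid -> Starting/ {
        print t, "start_script", $11; next
    }
    # Identity attributes written with a non-empty value.
    msg ~ /^User(Domain|Login|Password|PrincipalName|GUID) : ./ {
        if (!($5 in seen)) { seen[$5] = 1; ids = ids " " $5 }
        next
    }
    END { if (ids != "") print "identity_fields" ids }
    '
}

# Sample input: lines copied from the excerpt above (abridged).
sample_log() {
    cat <<'EOF'
16/09/22 10:51:07.444 :START :0000 *** Trace Level=4
configuration parameters
url: https://129.182.77.106:9765/soap
16/09/22 10:51:09.443 :RoamingEngine.cpp :1315 onCardInsert 9AF989A2
16/09/22 10:51:09.443 :RoamingEngine.cpp :1374 onCardInsert tapping mode false , badge no previous
16/09/22 10:51:09.523 :RoamingSession.cpp :1329 UserDomain : dev.ua.dom
16/09/22 10:51:09.523 :RoamingSession.cpp :1330 UserLogin : Alix
16/09/22 10:51:09.523 :RoamingSession.cpp :1331 UserPassword :
16/09/22 10:51:09.523 :RoamingSession.cpp :1333 UserGUID : 05f5bbe53a62cd4e9b2a70529ebe6c77
16/09/22 10:51:10.772 :RoamingEngine.cpp :1424 Badge withdrawn 1 s after detection.
16/09/22 10:51:13.765 :RoamingEngine.cpp :3008 StartAndCheckSession : startNewSession successful
16/09/22 10:51:13.766 :RoamingEngine.cpp :3029 Roaming Session is valid -> Starting /etc/rsUserAuth/start.bash with its arguments
EOF
}

sample_log | rs_log_summary
```

The identity_fields line shows what a trace file at this level holds about the user, which is the input for choosing the trace level and the permissions on the log directory; the files also accumulate, since nothing cleans them up.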

 


8

Use Case: Installing and Configuring rsUserAuth on IGEL Thin Clients

Subject

This section explains how to configure the One Identity authentication module rsUserAuth on IGEL thin clients.

NOTE:

 • The list of supported authentication devices and software versions is provided in the One Identity EAM Release Notes.

 • There is no specific installation required for RFID badges; only the configuration described in One Identity Authentication Manager Session is required.

Description

The One Identity Authentication Manager session can be configured with the available parameters and specific registry keys; the configuration file is not mandatory.

As CardOS libraries are not integrated in IGEL, a custom partition must be used. This partition is built from an FTP server. Two files must be uploaded to this server: rsUserAuth.inf and rsUserAuth.tar.bz2.


Delivery and Customization

The rsUserAuth.tar.bz2 file

Content

The following elements are delivered:

 • CardOS_API_Version_Number_x86_Linux.tar.gz: CardOS libraries.

 • IGELProvisionningScript.sh: script to be executed at installation.

 • start.bash: example of script to execute when the smart card is inserted (not used in case of Citrix session).

 • stop.bash: example of script to execute when the smart card is removed (not used in case of Citrix session).

 • ca.cert: certificate for the secured connection (must be replaced with the customer's certificate).

 • authConf.txt: smart card settings (PKCS library path).

Customization

You must unzip the rsUserAuth.tar.bz2 file to include the correct certificate file with the following command line:

tar -xvjf rsUserAuth.tar.bz2

The ca.cert file must be replaced with a customer certificate. A sample certificate can be generated from the EAM controller: in the Administration Tools window > Controller configuration, click Configure Directory and Audit login/password, then select the Web Service Security tab in the Controller Configuration window.

You must then rebuild the compressed file with the following command line, where <files> stands for the extracted files (including the replaced ca.cert):

tar -jcvf rsUserAuth.tar.bz2 <files>

The rsUserAuth.inf file

The content of this custom partition file is as follows:

[PART]

file="rsUserAuth.tar.bz2"

version="2"


The version parameter has been increased so that the files are replaced: the thin client will load the new files the next time it is started.

Upload to an FTP server

Both files, rsUserAuth.tar.bz2 and rsUserAuth.inf, must be uploaded to an FTP server.

IGEL Configuration

Custom partition

On the IGEL thin client, a custom partition must be enabled.

Procedure

 1.  In IGEL, click on System > Setup > System > Firmware Customization.

 2.  Enable the custom partition as follows:

IMPORTANT: Do not change the name of the /One Identity partition as it is used in the installation scripts.


 3.  Click Apply.

 4.  Click Download and define the download source as follows:

 5.  Click OK.

The rsUserAuth.tar.bz2 file is downloaded and unzipped.

The content of the One Identity partition file is as follows:


 

One Identity Authentication Manager Session

On the IGEL thin client, the One Identity Authentication Manager Session must be enabled.

Procedure

 1.  In IGEL, click on System > Setup > System > One Identity AuthMgr Sessions.

 2.  Add a session and configure it as follows:

 a.  Desktop integration menu:


 b.  Connection menu:

 c.  Options menu:


 d.  Click Apply.

 

Smart Card Settings

Two new registry keys are available for smart card settings:


Procedure

 1.  In IGEL, click on System > Registry > Sessions > rsuserauth0 > Parameters.

 2.  Click the authconf folder and select the Use Smartcard Authentication configuration file check box.

 3.  Click Apply.

 4.  Click the authconf_path folder and enter the following path: /etc/rsUserAuth/authConf.txt

 5.  Click Apply.

 

Logging on to IGEL

Once the IGEL thin client is configured, the authentication module is activated.


To authenticate, the user just has to present his authentication device and enter his password or PIN (depending on the presented device).

Enrolling your RFID Badge with a PIN

Subject

Depending on the EAM configuration (see RFID Badge Integration), you can be asked to enroll your RFID badge and associate it with a PIN.

Description

The following window appears:


Procedure

 1.  Enter the following information in the corresponding fields:

 • User name.

 • PIN.

 • User password.

 2.  Click OK.

Your RFID badge is enrolled with the associated PIN.

 

Modifying the PIN of your RFID Badge

Subject

Depending on the EAM configuration (see RFID Badge Integration), you can be asked to modify the PIN of your RFID badge.

Description

The following window appears:


Procedure

 

 1.  Enter your current PIN in the corresponding field.

 2.  Enter your new PIN in the corresponding field and confirm it.

 3.  Click OK.

Your PIN has been modified.

 

Authentication Module Log File

A log file is available here: /var/log/rsuserauth[Session Number].debug.

NOTE: This log file path is specific to IGEL. For more information on the log file itself, see rsUserAuth Log File.


About us


Contacting us

For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329.

Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

 • Submit and manage a Service Request

 • View Knowledge Base articles

 • Sign up for product notifications

 • Download software and technical documentation

 • View how-to videos

 • Engage in community discussions

 • Chat with support engineers online

 • View services to assist you with your product
