
McAfee One Time Password 3.5
Administration Guide, Revision B


COPYRIGHT
Copyright © 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee One Time Password 3.5 Administration Guide


Contents

1 Introduction 7
  Supported operating systems 8
  Supported user databases 9
  Supported protocols 9
  McAfee OTP Client Software Development Kit (SDK) 9
  Features 10

2 Integration 15
  Integration modules 15
  VPN/RADIUS access 16
  Programming APIs 16

3 Installation 17
  Requirements 17
  Install McAfee OTP on a Windows-based computer 18

4 Configuring McAfee OTP 19
  Administration console 19
    Select pane 19
    Mouse functions 20
  Configure the Server object type 20
    Server Settings 21
    Mobile Numbers 21
    Onetime Password Options 21
    Client Settings 22
    Encryption 22
    Options 23
    Global Options 23
  Configure the RADIUS object type 24
    RADIUS Server Settings 24
    Additional Ports 24
  Configure the Logs object type 25
    Log Files 25
    Other Settings 26
  Configure the Alerts object type 26
    Alert Configuration 27
  Configure the Licenses object type 27
    License Information 28
  Configure the Databases object type 28
    Create a database 28
    Delete a database 28
    Duplicate a database 29
    Create an LDAP database 29
    Create an SQL database 35
    Create a RADIUS Forward database 39
    Create a database group 39
  Configure the Clients object type 40
    Create a client 40
    Delete a client 40
    Duplicate a client 41
    Create a RADIUS client 41
    Create a Native client 44
    Create a Web services client 46
  Configure the Delivery Method object type 47
    Enable a delivery method type 48
    Configure the SMS Gateway delivery method 48
    Configure the HTTP delivery method 49
    Configure the Extended HTTP delivery method 51
    Configure the SMTP delivery method 53
    Configure the Netsize delivery method 54
    Configure the Concurrent Sender delivery method 56
    Configure the Instant Messaging delivery method 56
    Configure the SMPP delivery method 58
    Configure the CIMD2 delivery method 58
    Configure the UCP File delivery method 58
    Configure the Prefetch Detection delivery method 59
  Configure the Misc object type 59
    Configure the Expired Password Notification settings 59
    Configure the OATH settings 60
    Configure the Prefetch OTP options 62
    Configure the Unlock User Accounts options 62
    Configure the AES Encryption options 63
    Configure the Embedded HTTP Server Options 65
    Configure the Pledge Enrollment options 65
    Configure the Web Manager options 66
    Web Manager - User Guide 67
    Self Service - Admin Guide 68
    Self Service - User Guide 71
    Configure the Yubico options 72

5 Maintenance and use 73
  McAfee OTP monitor 73
    Start or stop McAfee OTP 73
    Server statistics 74

A Pledge 77
  About Pledge 77
    Pledge Profile Factory 79
    Pledge Enrollment 79
    Pledge Client 79
  Register for a Pledge Profile Factory account 79
  Customize the Pledge Corporate Profile 80
  Request a Pledge web service account 81
  Configure the Pledge Enrollment database 81
  Configure the Pledge Enrollment client 82
  Enable the Pledge Enrollment services 82
  Pledge Enrollment 83
    Requirements 83
    Self enrollment 84
    Administrator enrollment 84

B Microsoft Forefront Threat Management Gateway integration 85
  Installation 85
    System requirements 85
    Install Microsoft TMG 86
  Configuration 86
    Microsoft TMG configuration 87
    Configure advanced options 88
  Configure McAfee OTP Server for Microsoft TMG 88
    Configure the Microsoft TMG client 88
    Configure a new database 89

C Configuring a cluster 91
  Requirements 91
  McAfee OTP redundancy 92
  Configure McAfee OTP redundancy 92
  Configure the VPN Gateway or application with multiple McAfee OTP servers 93
  Test the McAfee OTP cluster 93
  McAfee OTP cluster configuration 94

D Web Service Client API (SOAP) 95
  Setup 95
  Integration 95
  SOAP operations 96
    getCommands Operation 96
    getOTPObject 97
  Commands 101
    Required fields / xml elements 101
    requestAuthAndOTP 101
    verifyOTP 102
    authenticateUser 104
    getUserAttributeValue 106
    storeData 108
    fetchData 109
  Client code examples 111

Index 115


1 Introduction

McAfee® One Time Password (McAfee OTP) adds a layer of security that is flexible and efficient to implement and that protects applications and systems with strong, multi‑factor authentication. For example, combining user name and password authentication with a one‑time password as the second authentication method on a mobile device protects the authentication process and the "key" to an organization's applications and systems.

After McAfee OTP verifies a user name and password against a defined user store, it sends the end user a one‑time password. The end user enters the one‑time password and is authenticated to the application or system only after McAfee OTP verifies the entered password.

McAfee OTP generates and distributes one‑time passwords to end users by a variety of methods, including email, Short Message Service (SMS) to a mobile phone, and Instant Messaging (IM) services such as Google Talk, Microsoft MSN Messenger, and Skype.

McAfee OTP supports hardware and software tokens that generate one‑time passwords using the OATH HOTP (RFC 4226) and TOTP (RFC 6238) standards. In addition, McAfee offers Pledge, a software token that, when installed on a mobile device, generates one‑time passwords using the OATH algorithms.

You can integrate McAfee OTP with applications and systems that support RADIUS (Remote Authentication Dial In User Service). You can also integrate McAfee OTP using one of the many native integration modules that McAfee provides.


Integration modules exist for Apache Reverse Proxy and Web Server, Citrix, Microsoft IIS, Microsoft Outlook Web Access, Novell GroupWise WebAccess, VPN (including Cisco, Check Point, F5, Blue Coat, and Juniper), and more. Other applications can be integrated with McAfee OTP using APIs or web services.

Figure 1-1 McAfee OTP architecture

Contents
Supported operating systems
Supported user databases
Supported protocols
McAfee OTP Client Software Development Kit (SDK)
Features

Supported operating systems
McAfee OTP supports any operating system that has support for Java Virtual Machine (JVM) version 1.6 or later.

McAfee OTP supports 32‑bit and 64‑bit versions of these operating systems:

• Microsoft Windows Server 2003, 2008 R2
• Linux
• Sun Solaris
• IBM AIX
• Mac OS X

Supported user databases
McAfee OTP supports these user stores.

• LDAP, including:
  • Sun Directory Server
  • Microsoft Active Directory
  • Novell eDirectory
• SQL through JDBC or ODBC, including:
  • Oracle
  • Microsoft SQL Server
  • MySQL

Other user stores are supported through APIs.

Supported protocols
McAfee OTP supports these protocols.

• LDAP
• HTTP/HTTPS
• SMPP
• SMTP
• Web Services/SOAP
• CIMD2
• Instant messaging, including:
  • Google Talk
  • Microsoft MSN Messenger
  • Skype

McAfee OTP Client Software Development Kit (SDK)
Use the Java Client API to integrate McAfee OTP with applications that do not include integration modules.

For information about downloading COM and .NET APIs, go to the McAfee Technical Support ServicePortal.


For information about integrating Microsoft .NET applications using the Java Client API, go to the McAfee KnowledgeBase.

Features
McAfee OTP supports the following features.

Table 1-1 McAfee OTP features

Configuration interface: Manages and maintains McAfee OTP settings.

Expired password notification: McAfee OTP detects when a password expires, and then notifies end users.

One‑time password SMS and email delivery: McAfee OTP delivers one‑time passwords using SMS and email, which allows easy deployment of two‑factor authentication for end users.

Delivery method configuration: Configure the McAfee OTP delivery method at the McAfee OTP client level. This feature overrides the automatic delivery method selection.

One‑time password retries: After failing to enter the password correctly the first time, allows end users to re‑enter the one‑time password.

Emergency one‑time passwords: When a mobile device is lost or forgotten, allows end users to generate one‑time passwords.

McAfee Short Message Service Module (McAfee SMS Module): The McAfee SMS Module is an on‑demand service that is hosted on McAfee servers, so there is no need to install the product in your environment. Access the McAfee SMS service through the McAfee SMS Gateway plug‑in. The plug‑in is easy to set up, and provides status controls, usage statistics, and automatic failover for lapses in the SMS service.

TOTP anti‑replay check: McAfee OTP keeps track of the one‑time passwords used. For each TOTP device, the anti‑replay check feature restricts one‑time password use to once during a specified time interval.

Maximum steps to sync TOTP device: Configure the maximum number of steps end users are allowed to sync a TOTP device with McAfee OTP during a specified time interval.

API to sync OATH HOTP/TOTP devices: Using a new API, sync OATH HOTP/TOTP devices by sending two one‑time passwords in sequence. For more information, go to the McAfee KnowledgeBase.

LDAP user stores: Use any LDAP‑compliant directory service to look up users and user attributes.

SQL user stores: Use any JDBC or ODBC‑compliant database to look up users and user attributes.

Multiple OATH key support for SQL databases: McAfee OTP provides multiple OATH key support for SQL databases.

Multiple user stores: For each McAfee OTP client, there is no limit on the number of user stores that can be added. For example, you can add multiple user stores for failover. However, when one set of users is saved in two different user stores, configure SMS delivery for the users in one user store, and email delivery for users in the other user store.

Test Tool: A stand‑alone application used to test McAfee OTP. Use this tool to test whether the user store is configured correctly, and the one‑time password distribution plug‑in is working as expected. The Test Tool supports the native API and RADIUS protocol.


Table 1-1 McAfee OTP features (continued)

Remote configuration: Manage McAfee OTP from a remote location. This feature is ideal for servers with limited access, and for servers without a graphical interface. The remote configuration feature does not support any test functions.

External McAfee OTP creation and verification: McAfee OTP supports any algorithm that creates and verifies one‑time passwords through an API.

Pledge: Pledge is a software token that you download and install on a mobile device. Pledge provides strong authentication by generating one‑time passwords using the OATH algorithm. Pledge supports multiple platforms, including:
• iPhone
• Android
• Windows Mobile
• Any mobile phone that supports Java Platform, Micro Edition (Java ME)

Pledge enrollment: A web application installed on the Tomcat server that allows end users to follow an easy, step‑by‑step Pledge Enrollment process that downloads a Pledge Profile, which includes an HOTP key. Using a web services interface that is integrated with the Profile Factory, administrators can customize the Pledge Profile.

OATH support: McAfee OTP supports tokens based on the OATH HOTP/TOTP standard.

McAfee OTP Native client names: McAfee OTP supports Native clients through an API. McAfee OTP now supports multiple Native clients at one IP address by allowing you to assign a name to each client's integration module. In this way, each client can be separately configured in McAfee OTP.

Web service support: McAfee OTP supports a new client type through an API for any application or system using SOAP‑based web services.

Alerts: Configure McAfee OTP to send error messages and alerts to one or more administrators using SMS or email.

Easy configuration: Configure McAfee OTP, including user stores, delivery methods, and integrations, in less than one day.

Java, COM, .NET, and PHP APIs: Use these APIs to create custom integration modules for your applications.

Plug‑in interface: Used to add both McAfee and custom delivery methods.

Custom user store handler: If the user stores have special requirements, advanced users can write a custom database handler that overrides the internal database handler.

PIN code protection for one‑time passwords: Add a PIN code to the one‑time password for added protection. PIN codes are stored in an LDAP or SQL user store.

OTP protection and account lockout management: Configure how many times an end user is allowed to log on incorrectly before their account is locked.

Hashed PIN codes: McAfee OTP supports the following hash functions applied to a PIN code:
• MD5
• SHS
• SSHA
Only SSHA adds a salt. With unsalted MD5 or SHS, every user who chooses the same PIN gets the same stored value, and with any of the three an n‑digit numeric PIN falls to at most 10^n offline guesses once the stored value is read, so the account lockout limit and access control on the user store matter more than the choice of hash.

PIN code management: PIN codes are managed by an administrator, service desk, or self‑service function in the McAfee OTP Web Manager.
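The table does not say what the salt in SSHA changes in practice. The following Python, added here as an illustration and not taken from the guide or from McAfee's code, encodes a PIN in LDAP userPassword form under the three schemes and then runs an offline guess against each. Two assumptions are mine: that SHS denotes the unsalted SHA‑1 {SHA} scheme, and that {SSHA} uses the common OpenLDAP layout of a SHA‑1 digest followed by the salt.

```python
import base64
import hashlib
import hmac
import itertools
import os
from typing import Optional, Tuple


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def ldap_hash(pin: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Encode a PIN as an LDAP userPassword value: {MD5}, {SHA} (assumed to be SHS) or {SSHA}."""
    data = pin.encode()
    if scheme == "MD5":
        return "{MD5}" + _b64(hashlib.md5(data).digest())
    if scheme == "SHA":
        return "{SHA}" + _b64(hashlib.sha1(data).digest())
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt  # assumed OpenLDAP layout: digest then salt
        return "{SSHA}" + _b64(hashlib.sha1(data + salt).digest() + salt)
    raise ValueError(f"unsupported scheme {scheme!r}")


def ldap_verify(pin: str, stored: str) -> bool:
    """Check a PIN against a stored value using a constant-time digest comparison."""
    scheme, encoded = stored[1:].split("}", 1)
    raw = base64.b64decode(encoded)
    data = pin.encode()
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(data).digest())
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(data).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
        return hmac.compare_digest(digest, hashlib.sha1(data + salt).digest())
    raise ValueError(f"unsupported scheme {scheme!r}")


def same_stored_value(pin: str, scheme: str) -> bool:
    """True when two users with the same PIN end up with an identical stored value."""
    return ldap_hash(pin, scheme) == ldap_hash(pin, scheme)


def brute_force_pin(stored: str, digits: int = 4) -> Tuple[Optional[str], int]:
    """Exhaust every numeric PIN of the given length offline; returns (pin, guesses tried)."""
    tried = 0
    for combo in itertools.product("0123456789", repeat=digits):
        tried += 1
        candidate = "".join(combo)
        if ldap_verify(candidate, stored):
            return candidate, tried
    return None, tried
```

Run against a 4‑digit PIN, {MD5} and {SHA} give every user with that PIN the same stored value and {SSHA} does not, yet brute_force_pin recovers the PIN within 10,000 verifications for all three. The salt defeats precomputed tables and cross‑user matching; the lockout limit above and access control on the user store are what bound guessing.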


Table 1-1 McAfee OTP features (continued)

Prefetch one‑time passwords: Allows end users and administrators to store one‑time passwords when there is no mobile coverage. For example, one‑time passwords can be stored as text in a mobile or email account, or printed on cards or paper. This feature is controlled by a web administration application.

Failover and clustering: McAfee OTP supports failover and full active‑active clustering with shared authentication session data. You can configure multiple McAfee OTP database objects for failover, or configure failover for a Database group.

RADIUS support: McAfee OTP can act as a RADIUS server to support any RADIUS‑aware application. Most VPN solutions have RADIUS support, including:
• Cisco
• Check Point
• AppGate
• Juniper

RADIUS attribute detection: Allows the implementation of different rights for different groups, such as contractors, employees, and vendors. It also allows the implementation of multiple authentication methods and two‑factor authentication.

RADIUS Forward: A new database object type that McAfee OTP uses to pass through and forward a RADIUS request to another RADIUS server. In addition to supporting integration with other RADIUS servers, RADIUS Forward supports RSA SecurID and SafeWord tokens, as well as the migration of legacy tokens.

Multiple RADIUS UDP ports: Configure the McAfee OTP RADIUS module to listen on multiple UDP ports, which allows the RADIUS module to assign each RADIUS McAfee OTP client to its own port, and support multiple clients.

Custom RADIUS reject messages: Customize the messages returned when authentication fails, a system error occurs, or a one‑time password is incorrectly entered.

Integration modules: McAfee OTP comes with these integration modules:
• Apache Reverse Proxy Server
• CA SiteMinder
• Citrix Access Gateway
• Citrix Presentation Server
• Citrix Web Interface
• Citrix XenApp Server
• EPiServer
• Microsoft Forefront Threat Management Gateway
• Microsoft Forefront Unified Access Gateway
• Microsoft Outlook Web Access
• Microsoft SharePoint

Platform independence: McAfee OTP can be run on any Java‑compliant platform, including:
• Windows
• Linux
• Solaris
• HP‑UX
• Mac OS X

Session data: McAfee OTP can store both persistent and one‑time session data. This feature supports active‑active clustering and failover among multiple McAfee OTP servers without any user errors.

User attributes: Using APIs, retrieve any available user attribute from the directory service.


Table 1-1 McAfee OTP features (continued)

Yubico YubiKey: McAfee OTP supports the one‑time passwords a YubiKey generates in OATH‑HOTP mode (the standard RFC 4226 HOTP algorithm) and in Yubico OTP mode, where the token's output is encrypted with the Advanced Encryption Standard (AES) under a per‑key AES secret. McAfee OTP has added support for the Yubico validation server through web services and stores AES keys locally in a SQL database or LDAP directory. Keys are easily imported and stored, supporting automatic enrollment.

Self‑service and service desk functions for token management: Allows end users and administrators to reset passwords, manage secret questions and answers, and generate PIN codes.
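The OATH rows of this table (HOTP/TOTP support, the TOTP anti‑replay check, maximum sync steps, and resynchronization from two consecutive codes) can be demonstrated in a few dozen lines. The following Python is an added example, not code from the guide or from McAfee: hotp and totp implement RFC 4226 and RFC 6238 and are checked against those RFCs' test vectors (secret 12345678901234567890), while the two verifier classes, their window sizes, and the resync procedure are my own illustration of the behaviour the rows describe, not McAfee's implementation.

```python
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter replaced by floor(time / step)."""
    return hotp(key, unix_time // step, digits, algo)


class HotpVerifier:
    """Server-side state for one event-based (HOTP) token (illustrative, assumed design)."""

    def __init__(self, key: bytes, look_ahead: int = 10):
        self.key, self.counter, self.look_ahead = key, 0, look_ahead

    def verify(self, code: str) -> bool:
        # Only counters at or beyond the next expected one are tried, so a code that was
        # already accepted (or skipped over) can never be replayed.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1
                return True
        return False

    def resync(self, first: str, second: str, max_steps: int = 1000) -> bool:
        # Two consecutive codes pin down the token counter even far outside the look-ahead
        # window; a single leaked code is not enough to move the counter.
        for c in range(self.counter, self.counter + max_steps):
            if (hmac.compare_digest(hotp(self.key, c), first)
                    and hmac.compare_digest(hotp(self.key, c + 1), second)):
                self.counter = c + 2
                return True
        return False


class TotpVerifier:
    """Server-side state for one time-based (TOTP) token: drift window plus anti-replay."""

    def __init__(self, key: bytes, step: int = 30, max_steps: int = 1):
        self.key, self.step, self.max_steps = key, step, max_steps
        self.last_step = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for t in range(now - self.max_steps, now + self.max_steps + 1):
            if t <= self.last_step:
                continue  # anti-replay: each time step is accepted at most once, never backwards
            if hmac.compare_digest(hotp(self.key, t), code):
                self.last_step = t
                return True
        return False
```

max_steps in TotpVerifier is the tolerated clock drift in time steps; HotpVerifier.resync is the two‑codes‑in‑sequence operation the API row describes. Both verifiers compare with hmac.compare_digest so that timing does not leak how many digits matched.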


2 Integration

McAfee OTP can be integrated with applications and systems through integration modules and protocols. For example, McAfee OTP can be integrated with most VPN services using the RADIUS protocol. Since McAfee OTP can act as a RADIUS server, most VPN/RADIUS‑aware products can be integrated without any installation. Configuring McAfee OTP and the VPN/RADIUS product completes the integration.

Using the Java, COM, .NET, and PHP Client APIs, you can write custom integration modules that add strong authentication to your own applications.

Contents
Integration modules
VPN/RADIUS access
Programming APIs

Integration modules
McAfee OTP supports these integration modules.

Apache
• Apache Reverse Proxy Server
• Apache Web Server 1.3/2.0

CA
• SiteMinder r6
• SiteMinder r12

Citrix
• Citrix Access Gateway 4.2
• Citrix Access Gateway 4.5
• Citrix Access Gateway 5.X VPX
• Citrix Access Gateway Enterprise Edition (NetScaler VPX)
• Citrix Presentation Server 4.6
• Citrix Web Interface 4.0/4.2
• Citrix Web Interface 4.5
• Citrix Web Interface 5.4
• Citrix XenApp Server 5.1
• Citrix XenApp Server 5.2/5.3

IBM
• Lotus Domino (Apache Proxy)

Microsoft
• ISA Server 2006
• TMG 2010
• UAG 2010
• IIS 6.0
• IIS 7.x ‑ IIS Custom AD Membership Provider ‑ ASP.NET
• Outlook Web Access 2003
• Outlook Web Access 2007
• SharePoint 2007 AD Membership Provider ‑ ASP.NET
• SharePoint 2010 AD Membership Provider ‑ ASP.NET
• IIS Custom AD Membership Provider ‑ ASP.NET

EPiServer
• EPiServer AD Membership Provider ‑ ASP.NET
• EPiServer SQL Membership Provider ‑ ASP.NET

Novell
• Novell iChain 2.3
• Novell Access Manager
• GroupWise WebAccess 6
• GroupWise WebAccess 7

For information about new and updated integration modules and configuration guides, go to the McAfee Technical Support ServicePortal.

VPN/RADIUS access
McAfee OTP acts as a RADIUS server to support most VPNs and other RADIUS‑aware applications.

McAfee recommends that the VPN/RADIUS application support the RADIUS challenge‑response standard (the Access‑Challenge exchange defined in RFC 2865).

VPN gateways from these vendors, acting as RADIUS clients of McAfee OTP, have been tested with McAfee OTP and approved:

• Cisco
• Check Point
• F5
• Juniper
• Palo Alto
• AppGate

With the RADIUS challenge‑response standard, you can use all McAfee OTP authentication methods: McAfee OTP verifies the user name and password from the first Access‑Request, answers with an Access‑Challenge while it delivers the one‑time password by SMS, email, or IM, and checks the one‑time password carried in the follow‑up request. Without the standard, the gateway sends a single Access‑Request and McAfee OTP gets no second round trip in which to deliver a code, so only one‑time passwords the user already holds can be used: the Pledge software token and all OATH tokens.
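To make the difference between the two gateway types concrete, the following Python models both exchanges at the packet level. It is an added example, not the guide's or McAfee's code: the packet framing, User‑Password hiding, and Response Authenticator follow RFC 2865, while OtpRadiusServer, its handling of the State attribute, and the password+OTP concatenation used in the no‑challenge mode are my own illustrative assumptions about how such a server behaves, not a description of McAfee OTP internals. The user database, shared secret, and OTP value are constructed test data.

```python
import hashlib
import os
import secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def encode(code, ident, authenticator, attrs):
    """RADIUS header (code, id, length, 16-byte authenticator) followed by type/length/value attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body


def decode(data):
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    auth, rest, attrs = data[4:20], data[20:length], []
    while rest:
        attrs.append((rest[0], rest[2:rest[1]]))
        rest = rest[rest[1]:]
    return code, ident, auth, attrs


def _password_xor(data, secret, request_auth, reveal):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous *hidden* block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], block))
        out += chunk
        prev = data[i:i + 16] if reveal else chunk
    return out


def hide_password(password, secret, request_auth):
    raw = password.encode()
    padded = raw.ljust(max(16, -(-len(raw) // 16) * 16), b"\0")  # pad to a multiple of 16
    return _password_xor(padded, secret, request_auth, reveal=False)


def reveal_password(hidden, secret, request_auth):
    return _password_xor(hidden, secret, request_auth, reveal=True).rstrip(b"\0").decode(errors="replace")


def reply(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)."""
    auth = hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()
    return encode(code, ident, auth, attrs)


class OtpRadiusServer:
    """Toy OTP authenticator in the RADIUS server role (assumed design, illustration only)."""

    def __init__(self, secret, users, deliver_otp, challenge_response=True):
        self.secret, self.users, self.deliver_otp = secret, users, deliver_otp
        self.challenge_response = challenge_response
        self.pending = {}  # State value -> (user, OTP sent out of band); each State is single-use

    def handle(self, packet):
        _code, ident, rauth, attrs = decode(packet)
        a = dict(attrs)
        name = a[USER_NAME].decode()
        pw = reveal_password(a[USER_PASSWORD], self.secret, rauth)
        if not self.challenge_response:
            # Assumed convention for gateways without Access-Challenge: the user appends a
            # token-generated OTP to the static password, so one request must carry both factors.
            static, otp = pw[:-6], pw[-6:]
            ok = self.users.get(name) == static and secrets.compare_digest(otp, self.deliver_otp(name))
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, rauth, [], self.secret)
        if STATE not in a:  # first round trip: static credentials only
            if self.users.get(name) != pw:
                return reply(ACCESS_REJECT, ident, rauth, [(REPLY_MESSAGE, b"bad credentials")], self.secret)
            state = secrets.token_bytes(8)
            self.pending[state] = (name, self.deliver_otp(name))  # the OTP leaves by SMS/email/IM here
            return reply(ACCESS_CHALLENGE, ident, rauth,
                         [(STATE, state), (REPLY_MESSAGE, b"Enter one-time password")], self.secret)
        entry = self.pending.pop(a[STATE], None)  # pop: a replayed State/OTP pair cannot succeed twice
        ok = entry is not None and entry[0] == name and secrets.compare_digest(entry[1], pw)
        return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, rauth, [], self.secret)


def access_request(ident, secret, name, password, state=None):
    """Gateway (RADIUS client) side: build the request and keep its Request Authenticator."""
    rauth = os.urandom(16)
    attrs = [(USER_NAME, name.encode()), (USER_PASSWORD, hide_password(password, secret, rauth))]
    if state is not None:
        attrs.append((STATE, state))
    return encode(ACCESS_REQUEST, ident, rauth, attrs), rauth


def check_reply(packet, rauth, secret):
    """Gateway side: refuse any reply whose Response Authenticator does not match."""
    code, ident, auth, attrs = decode(packet)
    expected = hashlib.md5(encode(code, ident, rauth, attrs) + secret).digest()
    if not secrets.compare_digest(auth, expected):
        raise ValueError("bad Response Authenticator")
    return code, dict(attrs)


def run_challenge_flow(server, secret, name, password, otp):
    """Two-step exchange followed by a replay of the second packet; returns the reply codes seen."""
    req1, ra1 = access_request(1, secret, name, password)
    code1, attrs1 = check_reply(server.handle(req1), ra1, secret)
    if code1 != ACCESS_CHALLENGE:
        return [code1]
    req2, ra2 = access_request(2, secret, name, otp, state=attrs1[STATE])
    code2, _ = check_reply(server.handle(req2), ra2, secret)
    code3, _ = check_reply(server.handle(req2), ra2, secret)  # same packet again: replay attempt
    return [code1, code2, code3]
```

run_challenge_flow shows the gateway receiving Access‑Challenge, the OTP leaving through the deliver_otp callback (SMS or email in a real deployment), and the second Access‑Request carrying the State attribute back; replaying that second packet is rejected because the State is consumed on first use. With challenge_response=False the only way both factors reach the server is inside one User‑Password value, which is why a token the user already holds is required on gateways without challenge‑response support.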

Programming APIs
McAfee OTP can be integrated with custom applications through its Java, COM, .NET, and PHP APIs.


3 Installation

Review the requirements and instructions to download and install McAfee OTP on a Windows platform.

Contents
Requirements
Install McAfee OTP on a Windows-based computer

Requirements
To install and operate McAfee OTP on a Windows platform, the system must meet the following minimum requirements.

Hardware server or virtual machine (VM)

• McAfee OTP is software that you install on any server in your internal network or DMZ.

• Use any modern hardware server or a virtual machine running on top of a modern hardware server as the installation platform.

• The hardware server must have a static IP address configured.

• If you configure McAfee OTP using DNS names, the server must be able to contact DNS servers.

Operating system

• You can install McAfee OTP on any operating system that supports Java Virtual Machine (Java VM) version 1.6 or later, including:
  • Microsoft Windows 2003 R2
  • Microsoft Windows 2008 R2
  • Linux
  • Sun Solaris
  • IBM AIX
  • Mac OS X
• You can install McAfee OTP on both 32‑bit and 64‑bit operating systems.

Communication

• McAfee OTP queries your LDAP or JDBC user store using default TCP ports 389 for LDAP, and 636 for secure LDAP (LDAPS).

• Integration modules must send requests to McAfee OTP using TCP port 3100. RADIUS modules must send requests using UDP port 1645 (the legacy port) or 1812 (the IANA‑assigned RADIUS authentication port).

• To use McAfee SMS Module, configure McAfee OTP to send one‑time passwords to the SMS service over HTTPS on TCP port 443.

These port numbers are the default values and can be customized. RADIUS protects only the User‑Password attribute, by obfuscating it with the shared secret, so restrict the RADIUS ports to the gateway addresses that need them and prefer LDAPS over plain LDAP where the user store supports it.


Software

When registering and downloading the software, select the version of the installer that correctly corresponds to your operating system platform.

Install McAfee OTP on a Windows-based computer

Use the installation process on a Windows‑based computer as a guide for how installation is done on other operating system platforms. For platforms other than Windows, you have the option of installing McAfee OTP in GUI or console mode. For example, you can install in console mode on Linux by entering the following installation command on the command line: sh ./otp3install.bin -i console

Task

1 Start the installation program: otp3install.exe

The Introduction opens.

2 Click Next.

The License Agreement step opens.

3 Read the license agreement, select the I accept the terms of the License Agreement option, and click Next.

The Select Install Set step opens.

4 Select an installation option, and click Next.

The Choose Install Folder step opens.

5 Specify an installation folder, or accept the default value, and click Next.

The Select License File step opens.

6 Specify the location of the license.dat file that you received from McAfee, and click Next.

The Install Windows Service step opens.

7 Select the Install Windows Service checkbox, and click Next.

The Choose Link Folder step opens.

8 Specify where to create shortcuts to the software, and click Next.

The shortcuts are identified by a product icon. You click the icon to manually start the McAfee OTP.

The Pre‑Installation Summary opens.

9 Review the Pre‑Installation Summary, and click Install.

The Install Complete step opens.

10 Click Next.

The Start the OTP Server step opens.

11 To start McAfee OTP, select Yes, and click Done.

The installer closes, and the McAfee OTP opens.


4 Configuring McAfee OTP

Configure the settings to manage and maintain McAfee OTP.

Contents

Administration console
Configure the Server object type
Configure the RADIUS object type
Configure the Logs object type
Configure the Alerts object type
Configure the Licenses object type
Configure the Databases object type
Configure the Clients object type
Configure the Delivery Method object type
Configure the Misc object type

Administration console

Use the administration console to perform all configuration tasks.

• Click the product icon created when McAfee OTP is installed.

• Start the McAfee OTP process, then click Configuration.

Option Definition

Menu bar: Create configuration objects, update functions, and access Help.

Select pane (left): Provides the option to select, create, configure, delete, or view an object type.

Configuration pane (right): Provides the option to view the configuration options of an object selected in the select pane.

Save Config: Saves the configuration to the otp.properties file in the installation directory.

Close: Closes the administration console.

Select pane

Select the type of object to create, configure, delete, or view.

Option Definition

Server: Select to configure the McAfee OTP.

RADIUS: Select to configure McAfee OTP as a RADIUS server for McAfee OTP RADIUS clients.

Logs: Select to configure logging and the log files.


Alerts: Select to configure error messages and alerts that can be sent to a list of administrators using SMS or email.

Licenses: Select to manage McAfee OTP licenses.

Databases: Select to configure connections to user stores.

Clients: Select to configure McAfee OTP clients.

Delivery Methods: Select to configure and enable one or more delivery methods for the McAfee OTP. Available methods include:

• CIMD2
• Concurrent Sender
• Extended HTTP
• HTTP
• Instant Messaging
• NetSize
• McAfee SMS
• SMPP
• SMTP
• UCP File

Misc: Select this object type to configure these functions:

• Expired Password Notification
• OATH Configuration
• Prefetch Proxy Config
• Unlock User Accounts
• AES Encryption
• Embedded HTTP Server
• Pledge Enrollment
• Web Manager
• Yubico

Mouse functions

The administration console supports the following mouse functions.

Option Definition

Tooltips: Provides context‑sensitive help.

Mouse left‑click: Allows you to view and select menu items on the menu bar, expand and select object types in the select pane, and open, close, minimize, and resize windows.

Mouse right‑click: Provides a context menu for a selected object type in the select pane.

Configure the Server object type

Use the configuration pane to configure the Server object type settings.

Task

1 In the select pane, select the Server object type.

Server configuration options open in the configuration pane.

2 In the configuration pane, configure the remaining settings.


Server Settings

The following settings are located in the Server Settings area on the configuration pane.

Option Definition

Port number: Specifies the port number that Native and remote McAfee OTP clients use when connecting to the McAfee OTP. Default: 3100

Bind to IP Address: Specifies the IP address of the server on which the McAfee OTP is installed.

All: Selecting this checkbox specifies that the McAfee OTP accepts connections from McAfee OTP Native clients on all IP addresses assigned to the host server’s system.

Timeout: Specifies the number of milliseconds that the connection between the McAfee OTP client and the McAfee OTP can be idle before the session times out.

A zero value specifies that there is no timeout.

Mobile Numbers

The following settings are located in the Mobile Numbers area on the configuration pane.

Option Definition

Check Mobile Number: Selecting this checkbox specifies checking the mobile number for non‑numeric characters and removing them, including spaces.

This setting does not remove the “+” character from mobile numbers.

Default Country Prefix: Specifies removing any leading zeros and then adding the default country prefix that you provide.

This setting is only available when the Check Mobile Number checkbox is selected.

Onetime Password Options

The following settings are located in the Onetime Password Options area on the configuration pane.

Option Definition

OTP Length: Specifies the length of the one‑time password in number of characters.

OTP Valid Time: Specifies how long in minutes the one‑time password is valid.

A zero value specifies that the one‑time password is valid indefinitely.

OTP Retries: Specifies the number of times that the end user can automatically receive a new one‑time password after entering the previous password incorrectly. A zero value disables this function.

This setting is only available for McAfee OTP RADIUS clients.

Retry Message: Specifies the message that the end user receives after entering an incorrect one‑time password.

This setting is only available when the OTP Retry function is enabled.


Regenerate Timeout: Specifies the time in seconds required between McAfee OTP requests. This setting is designed to prevent end users from requesting multiple one‑time passwords in quick succession.

To disable this requirement, set the timeout value to zero.

Composition: Select one of these options to specify the set of characters allowed in a one‑time password:

• Digits (0–9)
• Letters & Digits (A–Z, a–z, 0–9)
• Custom Characters — Specifies a custom set of letters and digits.

Letters are case‑sensitive.
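As an added example (not McAfee's code), the following Python model shows how the Onetime Password Options above interact: OTP Length and Composition pick the alphabet, Use Secure Random corresponds to drawing from a CSPRNG, and OTP Valid Time, OTP Retries and Regenerate Timeout are enforced with zero meaning "disabled". The OtpPolicy class, its method names and the injectable clock are assumptions for illustration, not the product's API.

```python
import secrets
import string
import time
from dataclasses import dataclass

# Composition sets from the Onetime Password Options table. Letters are case-sensitive.
DIGITS = string.digits                              # Digits (0-9)
LETTERS_AND_DIGITS = string.ascii_letters + DIGITS  # Letters & Digits (A-Z, a-z, 0-9)


def generate_otp(otp_length: int, composition: str = DIGITS) -> str:
    """Draw an OTP from a CSPRNG (secrets is the Python counterpart of Use Secure Random)."""
    if otp_length < 1 or not composition:
        raise ValueError("OTP Length must be positive and the composition non-empty")
    return "".join(secrets.choice(composition) for _ in range(otp_length))


@dataclass
class _Issued:
    otp: str
    issued_at: float      # seconds since the epoch
    retries_left: int     # remaining automatic re-sends (OTP Retries)


class OtpPolicy:
    """Hypothetical issue/verify model of the guide's OTP settings (not the product's code).

    otp_valid_time is in minutes and regenerate_timeout in seconds, as in the guide;
    zero disables the corresponding limit.
    """

    def __init__(self, otp_length=6, otp_valid_time=5, otp_retries=0,
                 regenerate_timeout=30, composition=DIGITS, clock=time.time):
        self.otp_length = otp_length
        self.otp_valid_time = otp_valid_time
        self.otp_retries = otp_retries
        self.regenerate_timeout = regenerate_timeout
        self.composition = composition
        self.clock = clock          # injectable so a test can move time forward
        self._issued = {}           # user -> _Issued

    def seconds_until_regenerate(self, user: str) -> float:
        """How long the user must wait before a new OTP may be requested (0 = now)."""
        rec = self._issued.get(user)
        if rec is None or not self.regenerate_timeout:
            return 0.0
        return max(0.0, self.regenerate_timeout - (self.clock() - rec.issued_at))

    def request(self, user: str) -> str:
        """Issue a new OTP, refusing requests that arrive inside Regenerate Timeout."""
        if self.seconds_until_regenerate(user) > 0:
            raise PermissionError("Regenerate Timeout has not elapsed")
        otp = generate_otp(self.otp_length, self.composition)
        self._issued[user] = _Issued(otp, self.clock(), self.otp_retries)
        return otp

    def verify(self, user: str, candidate: str) -> str:
        """Return 'ok', 'expired', 'retry' (a fresh OTP was issued) or 'denied'."""
        now = self.clock()
        rec = self._issued.get(user)
        if rec is None:
            return "denied"
        # OTP Valid Time: zero means the OTP never expires
        if self.otp_valid_time and now - rec.issued_at > self.otp_valid_time * 60:
            del self._issued[user]
            return "expired"
        if secrets.compare_digest(rec.otp, candidate):
            del self._issued[user]      # single use
            return "ok"
        if rec.retries_left > 0:
            # OTP Retries: the user automatically receives a new OTP with the Retry Message
            self._issued[user] = _Issued(
                generate_otp(self.otp_length, self.composition), now, rec.retries_left - 1)
            return "retry"
        del self._issued[user]
        return "denied"
```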

Client Settings

The following settings are located in the Client Settings area on the configuration pane.

Option Definition

All Clients Are Allowed: Selecting this checkbox specifies that all McAfee OTP clients are allowed to use McAfee OTP Server.

Allowed Clients: Specifies a comma‑separated list of IP addresses corresponding to the McAfee OTP clients that are allowed to use McAfee OTP.

This setting is only available when not all clients are allowed.

Allow remote configuration: Selecting this checkbox allows remote configuration of McAfee OTP.

Remote Password: Specifies the password that is required for remote configuration of McAfee OTP.

This setting is only available when remote configuration is allowed.

Encryption

The following settings are located in the Encryption area on the configuration pane.

Option Definition

No encryption: Selecting this option specifies that messages between the McAfee OTP client and McAfee OTP are not encrypted.

Encryption if Client does encryption: Selecting this option specifies that messages between the McAfee OTP client and McAfee OTP are encrypted if the McAfee OTP client supports encryption.

Always encryption: Selecting this option specifies that messages between the McAfee OTP client and McAfee OTP are always encrypted.

McAfee OTP rejects messages from the McAfee OTP client that are not encrypted.


Options

The following settings are located in the Options area on the configuration pane.

Option Definition

Enable Monitor: Select this checkbox to start the statistics monitor when the McAfee OTP starts.

Debug: Select this checkbox to display the output of the Debug function on the console.

Use Secure Random: Select this checkbox to use the FIPS‑compliant java.security.SecureRandom algorithm when generating the one‑time password for the end user.

Global Options

The following settings are located in the Global Options area on the configuration pane.

Option Definition

Prevent SQL Injection Attacks: Selecting this checkbox specifies that all user names and passwords are checked for the following patterns found in SQL statements: ', ", or, select, drop, --, insert.

If any of these patterns are found, user authentication is denied.

Use whitelist: Selecting this checkbox specifies that McAfee OTP only accepts characters in user names and passwords that are defined in a whitelist.

To define the whitelist for SQL databases, you can use a regular expression or a list of characters.

Is RegEx: Selecting this checkbox allows you to define the whitelist for SQL databases using a regular expression.

This option is only available when the Use whitelist checkbox is selected.

Test: Using this field, you can verify characters against the whitelist configured for SQL databases.

This field is only available when the Use whitelist checkbox is selected.

Prevent LDAP Injection Attacks: Selecting this checkbox specifies that all user names are checked for the following characters: *, (, ), &.

If any of these characters are found, user authentication is denied.

LDAP follow referrals: Selecting this checkbox specifies that McAfee OTP automatically follows a referral to another LDAP directory, which is provided when a directory tree is distributed over multiple LDAP servers.

LDAP idle reconnect: Specifies the number of minutes that an LDAP connection can be idle before McAfee OTP forces a reconnection.

A zero value disables forced reconnection.

Set System Charset: Selecting this checkbox allows you to specify a system character set other than UTF‑8, the default.

All McAfee OTP clients must be configured for the character set that you specify.


Configure the RADIUS object type

Use the configuration pane to configure the RADIUS object type settings.

Task

1 In the select pane, select the RADIUS object type.

2 In the configuration pane, configure the remaining settings.

RADIUS Server Settings

The following settings are located in the RADIUS Server Settings area on the configuration pane.

All settings apply to the McAfee OTP when configured as a RADIUS server.

Option Definition

Enable RADIUS: Selecting this checkbox enables McAfee OTP as a RADIUS server.

Port number: Specifies the port number that McAfee OTP Native clients use when connecting to McAfee OTP configured as a RADIUS server. Default: 1645

The RADIUS protocol uses UDP, the User Datagram Protocol, not TCP, the Transmission Control Protocol.

Bind to IP Address: Specifies the IP address of the server on which McAfee OTP is installed and configured as a RADIUS server.

All: Selecting this checkbox specifies that McAfee OTP configured as a RADIUS server accepts connections from McAfee OTP Native clients on all IP addresses assigned to the host server’s system.

Timeout: Specifies the number of milliseconds that the connection between the McAfee OTP client and McAfee OTP can be idle before the RADIUS session times out.

A zero value specifies that there is no timeout.

Debug Packets: Selecting this checkbox writes the output of the Debug function to the McAfee OTP console and log file.

Restart RADIUS Server after reconfiguration: Selecting this checkbox restarts McAfee OTP each time that you update and save the RADIUS server configuration.

Additional Ports

The following settings are located in the Additional Ports area on the configuration pane.

All settings apply to McAfee OTP Server when configured as a RADIUS server.

Option Definition

Enable: Selecting this checkbox configures McAfee OTP to listen on more than one port.

Port number: Specifies an additional port number on which McAfee OTP listens.

Used by Client: Specifies the McAfee OTP client that is assigned to the specified port number.


Configure the Logs object type

Using the configuration pane, configure the Logs object type settings.

Task

1 In the select pane, select the Logs object type.

Logs configuration options open in the configuration pane.

2 In the configuration pane, configure the remaining settings.

Log Files

The following settings are located in the Log Files area on the configuration pane.

Option Definition

System Log File: Specifies the name and location of the log file that stores all debugging information.

• To disable logging to a system file, leave this field blank.
• For information about extending the McAfee OTP logging API with more logging destinations, go to the McAfee KnowledgeBase.

Accounting file: Specifies the name of the log file that stores all successful user authentication events.

To disable logging to an accounting file, leave this field blank.

Roll Accounting File Now: Clicking this button rolls the current log file, and opens a new log file.

Loglevel: Specifies one of the following log levels:

• Trace
• Debug
• Info
• Warn
• Error
• Fatal

Default: Debug

Max logfile size: Specifies the maximum size that a log file can reach before it is rolled, and a new log file is opened.

When a log file is rolled, it is saved as a back‑up file.

Units: Kilobytes (KB)

Default: 5000

Max backup index: Specifies the maximum number of back‑up log files that can be saved before McAfee OTP removes the oldest file. Default: 100

Example: Saving 100 log files, each 5000 KB in size, requires 500 megabytes (MB) of disk space.


Append session number: Selecting this checkbox adds session numbers to the log file. Default: Selected

External Log Handler: (Optional) Specifies a Java class name that implements the following interface: se.nordicedge.interface.OTPlogging

• To use an external log handler, specify a value for this setting.
• To use the default log handler, leave this field blank.
• For the new setting to take effect, restart McAfee OTP.

Other Settings

The following settings are located in the Other Settings area on the configuration pane.

Option Definition

Check for config changes every: Specifies a time interval in seconds for checking the McAfee OTP configuration file for changes.

To disable this function, set the time interval to zero.

Check classpath during startup: Selecting this checkbox specifies that McAfee OTP reads changes in the lib directory during startup.

Configure the Alerts object type

Use the configuration pane to configure the Alerts object type settings.

Task

1 In the select pane, select the Alerts object type.

Server configuration options open in the configuration pane.

2 Select the Enable Alerts checkbox.

3 In the configuration pane, configure the remaining settings.

Tasks

• Alert Configuration on page 27: The following settings are located in the Alert Configuration area on the configuration pane.


Alert Configuration

The following settings are located in the Alert Configuration area on the configuration pane.

Option Definition

Use Method: Selects from the drop‑down list the McAfee OTP delivery method that triggers the first alert. Default: All

The McAfee OTP delivery methods must be configured before they are available in the drop‑down list.

Alert events: Select one of these checkboxes to specify which errors trigger alerts:

• RADIUS errors
• User database errors
• Sending OTP errors
• Other errors

Default: All

Message Prefix: Specifies a prefix that is added to each alert message.

Recipients: Specifies the email address or mobile phone number of each alert recipient.

Enter one email address or mobile phone number per line.

Test: Click Test to output a test alert.

Configure the Licenses object type

Use the configuration pane to configure the License object type settings. The new license system supports multiple license files. For example, you can have in the licenses directory one license file that supports 50 users and another license file that supports 100 users, totaling registered licenses for 150 users.

• Since the license system for McAfee OTP V3 is new and not compatible with V2, you need to obtain new license files from McAfee to upgrade.
• For more information, go to the McAfee Technical Support ServicePortal.

Task

1 Copy the new license file to the license directory.

The license file name must end with the file name extension .dat or .xml.

2 In the select pane, select the Licenses object type.

3 In the configuration pane, click Detect New.

4 In the Registered Licenses field, verify that the value is updated to include the number of licenses in the new license file.

Tasks

• License Information on page 28: Use the configuration pane to configure the settings in the License Information area.


License Information

Use the configuration pane to configure the settings in the License Information area.

Option Definition

Registered Licenses: Displays the number of licenses specified in the license files.

Detect new: Click this button to check for new licenses in the license directory and update the value in the Registered Licenses field.

Used Licenses: Displays the number of registered licenses used by current users.

Reset: Clicking this button resets the value in the Used Licenses field to zero.

Unused Licenses: Displays the number of registered licenses available to new users.

Counter started: Displays the date and time that the license counter was started.

Refresh: Clicking this button refreshes the information displayed in the License Information area on the configuration pane.

Configure the Databases object type

The Databases object type contains configuration details that allow McAfee OTP to connect to a user store, read information from the user store, and authenticate users.

Contents

Create a database
Delete a database
Duplicate a database
Create an LDAP database
Create an SQL database
Create a RADIUS Forward database
Create a database group

Create a database

Create and add a database for connections to user stores.

Task

1 To create a database, choose from these options:

• In the select pane, right‑click the Databases object type, then select the New Database type from the context menu.
• In the select pane, select the Databases object type, then select the New Database type on the configuration pane.

2 In the Database Display Name field, specify a unique, meaningful name.

3 In the configuration pane, configure the remaining settings.

Delete a database

Delete a database that is no longer needed.

You can also access the database actions through the File menu on the menu bar.


Task

1 In the select pane, navigate to the database.

2 Right‑click the database, and select Delete from the context menu.

Duplicate a database

Duplicate an existing database.

You can also access the database actions through the File menu on the menu bar.

Task

1 In the select pane, navigate to the database.

2 Right‑click the database, and select Duplicate Database from the context menu.

3 In the Database Display Name field, specify a unique, meaningful name.

4 In the configuration pane, configure the remaining settings.

Create an LDAP database

Create an LDAP database using the following steps.

Task

1 To select the LDAP database type, use one of these options:

• In the select pane, right‑click the Databases object type, then select the New LDAP database type from the context menu.
• In the select pane, select the Databases object type, then select the New LDAP database type on the configuration pane.

2 To configure the new LDAP database for use with tokens based on the Open Authentication (OATH) HOTP or TOTP standard, select the Uses HOTP or TOTP (OATH) checkbox.

Selecting this checkbox modifies the available settings in the Account Settings, Onetime Password Prefetch, and PIN code areas on the configuration pane.

Select this checkbox when configuring the new LDAP database for use with Pledge, the McAfee software token.

3 On the configuration pane, configure the remaining settings.


Tasks

• Host Settings on page 30: Use the configuration pane to configure the settings in the Host Settings area.
• Search Settings on page 31: Use the configuration pane to configure the settings in the Search Settings area.
• Account Settings (HOTP/TOTP Disabled) on page 32: Use the configuration pane to configure the settings in the Account Settings area when the Uses HOTP or TOTP (OATH) checkbox is not selected.
• Account Settings (HOTP/TOTP Enabled) on page 32: Use the configuration pane to configure the settings in the Account Settings area when the Uses HOTP or TOTP (OATH) checkbox is selected.
• PIN Code on page 34: Use PIN codes to add a layer of security to the OTP process.
• Advanced options on page 35: Use the configuration pane to configure the settings in the Advanced options area.

Host Settings

Use the configuration pane to configure the settings in the Host Settings area.

Option Definition

Host Address: Specify the IP address or DNS name of the LDAP server.

For multiple LDAP servers (replicas), separate the host addresses with a space character.

Port number: Specify the port number of the LDAP server. Default: 389 (LDAP) or 636 (LDAPS).

SSL: Select this checkbox to specify that the SSL protocol is used when communicating over a network.

SSL is an acronym for Secure Sockets Layer.

TLS: Select this checkbox to specify that the TLS protocol is used when communicating over a network.

TLS is an acronym for Transport Layer Security.

Admin DN: Specify the Distinguished Name (DN) of an administrative user that has read and write access to the Account Disable attribute for all user accounts.

An Active Directory (AD) search using LDAP requires the DN and password of a privileged user. If the DN is not specified, McAfee OTP connects to the LDAP server using an anonymous bind.

Password: Specify the password of an administrative user that has read and write access to the Account Disable attribute for all user accounts.

Test Connection: Test the connection to the LDAP server.

This feature cannot be used with the OTP Remote Configuration tool.


Search Settings

Use the configuration pane to configure the settings in the Search Settings area.

Option Definition

Base DN: Specifies the location in the directory tree from which McAfee OTP searches for users.

Scope: Specifies the scope of the directory search:

• BASE — Search the Base DN only.
• ONE — Search the Base DN and one level below.
• SUB — Search the Base DN and all levels below.

No of Connections: Specifies the maximum number of connections that McAfee OTP can have to the LDAP server.

Filter Start: Specifies the beginning of the search filter.

Filter End: Specifies the end of the search filter.

Samples: Click this button to allow the selection of a sample search that populates the Filter Start and Filter End fields with values.

Samples are available for Microsoft Active Directory, Novell eDirectory, and an LDAP directory.

Test LDAP Authentication: Test the authentication for LDAP.

Search Filters—LDAP Examples

Configure search filters that return users based on specified user attributes, or membership in specified user groups. For example, you can search for users whose mobile attribute is empty, and send those users one‑time passwords by email instead of SMS.

Filter Start = "(&(cn="
Filter End = ")(objectclass=user)(mobile=*))"
Filter = "(&(cn=<username>)(objectclass=user)(mobile=*))"

Or you can search for all users who are members of the SMS OTP delivery method group.

Filter Start = "(&(cn="
Filter End = ")(objectclass=user)(memberOf=CN=OTP-SMS-users,DC=company,DC=local))"
Filter = "(&(cn=<username>)(objectclass=user)(memberOf=CN=OTP-SMS-users,DC=company,DC=local))"
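An added Python example, not McAfee's code, that assembles a search filter from the Filter Start and Filter End values above and applies the Global Options checks described earlier (Prevent LDAP Injection Attacks, Prevent SQL Injection Attacks, Use whitelist with Is RegEx). The guide does not document the product's exact matching rules, so case-insensitive substring matching for the SQL patterns, and the RFC 4515 escape helper offered as the standard alternative to rejecting a character, are assumptions.

```python
import re

# Characters the "Prevent LDAP Injection Attacks" option rejects in user names (from the guide).
LDAP_REJECT_CHARS = frozenset("*()&")
# Patterns the "Prevent SQL Injection Attacks" option rejects in user names and passwords (from the guide).
SQL_REJECT_PATTERNS = ("'", '"', "or", "select", "drop", "--", "insert")


def ldap_injection_check(username: str) -> bool:
    """True if the user name contains none of *, (, ) or &."""
    return not any(c in LDAP_REJECT_CHARS for c in username)


def sql_injection_check(value: str) -> bool:
    """True if none of the SQL patterns occur (assumption: case-insensitive substring match).

    The guide does not say whether 'or' is matched as a whole word; as a plain substring
    it also rejects legitimate values such as 'Morgan', which is what the whitelist is for.
    """
    lowered = value.lower()
    return not any(p in lowered for p in SQL_REJECT_PATTERNS)


def whitelist_check(value: str, whitelist: str, is_regex: bool = False) -> bool:
    """'Use whitelist': accept only listed characters, or (with 'Is RegEx') values matching a regex."""
    if is_regex:
        return re.fullmatch(whitelist, value) is not None
    return all(c in whitelist for c in value)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping (\\, *, (, ), NUL -> \\hh); the usual alternative to rejecting input."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(filter_start: str, filter_end: str, username: str,
                 prevent_ldap_injection: bool = True, escape: bool = False) -> str:
    """Assemble Filter Start + user name + Filter End as the Search Settings describe."""
    if prevent_ldap_injection and not ldap_injection_check(username):
        raise ValueError("user name rejected by Prevent LDAP Injection Attacks")
    if escape:
        username = ldap_escape(username)
    return f"{filter_start}{username}{filter_end}"


# Constructed values copied from the two sample filters in the guide.
# Note that (mobile=*) is an LDAP presence filter: it matches entries that have a mobile value.
SAMPLE_START = "(&(cn="
SAMPLE_END_MOBILE = ")(objectclass=user)(mobile=*))"
SAMPLE_END_GROUP = ")(objectclass=user)(memberOf=CN=OTP-SMS-users,DC=company,DC=local))"

if __name__ == "__main__":
    print(build_filter(SAMPLE_START, SAMPLE_END_MOBILE, "jsmith"))
    print(build_filter(SAMPLE_START, SAMPLE_END_GROUP, "jsmith"))
```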


Account Settings (HOTP/TOTP Disabled)

Use the configuration pane to configure the settings in the Account Settings area when the Uses HOTP or TOTP (OATH) checkbox is not selected.

Option Definition

OTP Attribute: Specify the LDAP attribute that McAfee OTP uses to look up an email address, instant messaging address, or mobile phone number.

To specify multiple attributes, separate them with commas.

Accept Pwd change: Select this checkbox to allow Active Directory users to log in with the account option user must change password at next logon enabled.

Login Retries: Specify the maximum number of incorrect passwords that users can provide before the user’s account is locked.

Specifying a value for this field enables the lock user function. If you do not specify a value for this field, there is no limit to the number of incorrect passwords that users can provide. Locked accounts are automatically unlocked after a specified time period that you configure.

Locked Attribute: Specify the LDAP attribute that McAfee OTP reads to determine whether the user account is locked.

When the number of login retries exceeds the maximum, McAfee OTP sets the Locked Attribute to the Locked Value.

Locked Value: Specify the value of the Locked Attribute when the user account is locked.

When the number of login retries exceeds the maximum, McAfee OTP sets the Locked Attribute to the Locked Value.

Disable OTP Attribute: Specify the LDAP attribute that McAfee OTP reads to determine whether the user can log in without authenticating with a one‑time password.

Disable OTP Value: Specify the value of the Disable OTP Attribute when authentication with a one‑time password is not required.

Not: Select this checkbox to specify that authentication with a one‑time password is not required when the Disable OTP Attribute is not set to the Disable OTP Value. Checkbox options include:

• Deselected — The value of the Disable OTP Attribute is the same as the value that you specify for the Disable OTP Value setting.
• Selected — The value of the Disable OTP Attribute is not the same as the value that you specify for the Disable OTP Value setting.

See also Configure the Unlock User Accounts options on page 62

Account Settings (HOTP/TOTP Enabled)

Use the configuration pane to configure the settings in the Account Settings area when the Uses HOTP or TOTP (OATH) checkbox is selected.

Option Definition

OATH Key: Specifies the LDAP attribute that McAfee OTP uses to read and store the user’s OATH key.

Accept Pwd change: Select this checkbox to allow Active Directory users to log in with the account option user must change password at next logon enabled.


Login Retries Specify the maximum number of incorrect passwords that users can provide beforethe user’s account is locked.

Specifying a value for this field enables the lock user function. If you do not specify avalue for this field, there is no limit to the number of incorrect passwords that userscan provide. Locked accounts are automatically unlocked after a time period that youconfigure.

Locked Attribute Specify the LDAP attribute that McAfee OTP reads to determine whether the useraccount is locked.

When the number of login retries exceeds the maximum, McAfee OTP sets the LockedAttribute to the Locked Value.

Locked Value Specify the value of the Locked Attribute when the user account is locked.

When the number of login retries exceeds the maximum, McAfee OTP sets the LockedAttribute to the Locked Value.

Time drift attribute(TOTP)

Specifies the LDAP attribute which stores a time drift value for TOTP tokens.Data Type: String

See also Configure the Unlock User Accounts options on page 62
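The OATH Key and Time drift attribute settings above refer to the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms. The following Python code is an added example and not McAfee OTP's implementation: it computes HOTP and TOTP values, and shows a verifier that accepts a token within a drift window, records the drift it observed the way a per-user time drift attribute would, and refuses to accept a time step that has already been used. The window size, the drift bookkeeping and the replay rule are this example's own assumptions; the key is the RFC 4226 test-vector key, not a real secret.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Verifies a TOTP value within +/- `window` steps and remembers the observed drift.

    stored_drift plays the role of the page's "Time drift attribute (TOTP)": the number of
    time steps by which the token clock is known to be off. In a real deployment it is
    persisted per user (the LDAP attribute); here it is kept in memory. Hypothetical design.
    """

    def __init__(self, key: bytes, window: int = 2, step: int = 30, digits: int = 6):
        self.key = key
        self.window = window
        self.step = step
        self.digits = digits
        self.stored_drift = 0      # learned clock offset of the token, in steps
        self.last_counter = -1     # last accepted time step; blocks replay of the same code

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step + self.stored_drift
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue           # that step (or an older one) was already accepted
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.stored_drift += delta   # update the drift for the next verification
                self.last_counter = counter
                return True
        return False
```

The verifier deliberately compares against every counter in the window with a constant-time comparison and only updates the stored drift after a successful match, so a wrong guess leaks nothing about the token's clock offset.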

Onetime Password Prefetch

Allow users to obtain a configurable number of one‑time passwords in advance.

Onetime Password Prefetch is useful when mobile phone coverage is an issue, or to generate emergency one‑time passwords, using the McAfee OTP Web Manager, when end users lose or forget a mobile device. McAfee OTP can also be configured to send a new set of prefetch one‑time passwords to the user each time all of the passwords are used.

Users prefetch one‑time passwords through a web server that is configured with the McAfee OTP Prefetch web application. Users log on to the web application and request prefetch one‑time passwords, which are sent to a mobile phone number or email address.

Click Configure Prefetch OTP to configure the settings for Onetime Password Prefetch.

The Onetime Password Prefetch options are only available when the Enable OTP Prefetch checkbox is selected.

Option Definition

Prefetch OTP Attribute: Select the attribute that contains the McAfee OTP prefetch string.

Enable LDAP Filter: (Optional) Specify an LDAP filter to allow users to use prefetch one‑time passwords.

Maximum No of Prefetch OTPs: Specify the maximum number of prefetch one‑time passwords that can be sent to a user at one time.

Must be used in order: Select this checkbox to specify that the prefetch one‑time passwords must be used in order. This option is global and applies to all user databases.

OTP Length: Specify the length of each prefetch one‑time password in characters.


Option Definition

Automatically send new Prefetch OTPs when last OTP is used: Select this checkbox to specify that a new set of prefetch one‑time passwords is automatically sent to users when the last password from the previous set is used.

Message to user: Specify the message sent to users that includes the prefetched one‑time password. McAfee OTP replaces the tag $$OTP$$ with the one‑time password. If you omit the tag from the message, McAfee OTP appends the one‑time password to the end of the message. This option is global and applies to all user databases.

Message Delivery: Specify whether to send a set of prefetch one‑time passwords in one message, or multiple messages.

Allow administration creation of Prefetch OTP: Select this checkbox to allow administrators to create prefetch one‑time passwords for any end user. Deselecting this checkbox limits requests for prefetch one‑time passwords to end users themselves.

Administrator Database: Specify the McAfee OTP database to use when authenticating the administrator or group of administrators that can create prefetch one‑time passwords for end users.

Allowed IP Addresses: Specify a comma‑separated list of client IP addresses from which an administrator can create prefetch one‑time passwords.
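The prefetch settings above describe a small state machine: a set of codes of a configured length, consumed either in order or in any order, a message template with the $$OTP$$ tag, one message or one per code, and a fresh set issued when the last code is used. The Python below is an added example of that logic, not the McAfee OTP Prefetch application. The code alphabet, the way codes are joined in the single-message case and the class layout are this example's own choices; the page does not specify them.

```python
import hmac
import secrets
import string
from typing import List, Optional

# Constructed alphabet for generated codes; the page does not specify the character set.
ALPHABET = string.ascii_uppercase + string.digits


def generate_prefetch_set(count: int, length: int) -> List[str]:
    """Generate `count` random prefetch codes of `length` characters (the OTP Length setting)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def render_message(template: str, otp: str) -> str:
    """Apply the page's $$OTP$$ rule: replace the tag, or append the code if the tag is absent."""
    if "$$OTP$$" in template:
        return template.replace("$$OTP$$", otp)
    return template + otp


def messages_for_set(template: str, codes: List[str], single_message: bool) -> List[str]:
    """Message Delivery option: one message carrying all codes, or one message per code.
    Joining the codes with spaces in the single-message case is this example's choice."""
    if single_message:
        return [render_message(template, " ".join(codes))]
    return [render_message(template, code) for code in codes]


class PrefetchPool:
    """Unused prefetch codes for one user, consumed in order or in any order."""

    def __init__(self, count: int, length: int, in_order: bool, auto_refill: bool):
        self.count, self.length = count, length
        self.in_order, self.auto_refill = in_order, auto_refill
        self.codes = generate_prefetch_set(count, length)
        self.sets_issued = 1   # how many sets have been sent to the user so far

    def consume(self, candidate: str) -> bool:
        """Return True if `candidate` is an acceptable unused code, and remove it from the pool."""
        match: Optional[int] = None
        if self.in_order:
            # "Must be used in order": only the first unused code is acceptable.
            if self.codes and hmac.compare_digest(self.codes[0].encode(), candidate.encode()):
                match = 0
        else:
            for i, code in enumerate(self.codes):
                if hmac.compare_digest(code.encode(), candidate.encode()):
                    match = i
                    break
        if match is None:
            return False
        del self.codes[match]    # a code is single-use whichever mode is active
        if not self.codes and self.auto_refill:
            # "Automatically send new Prefetch OTPs when last OTP is used"
            self.codes = generate_prefetch_set(self.count, self.length)
            self.sets_issued += 1
        return True
```

In-order consumption is the stricter setting: a code that was skipped can never be used later, which limits the value of an intercepted message to the one code that is next in line.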

PIN Code

Use PIN codes to add a layer of security to the OTP process.

When prompted for a one‑time password, users must first enter the PIN code, then the one‑time password without a space separating the two strings.

For example, if the PIN code is 1234, and the one‑time password is OTPOTP, the resulting string is 1234OTPOTP.

End users and help desk personnel create PIN codes using the McAfee OTP Web Manager.

The PIN code configuration options include hashed PIN codes. McAfee OTP supports these hash algorithms:

• SHA1

• Secure SHA256 (SSHA256)

SHA is an acronym for Secure Hash Algorithm. The Secure SHA256 algorithm is also known as the Salted SHA256 algorithm.

To configure the PIN code settings, click Configure PIN Code.

The PIN code configuration options are only available when the Enable PIN Code checkbox is selected.


Option Definition

Select LDAP attribute for the PIN code: Select the attribute where the PIN code is stored. The PIN code must be stored in the same attribute in the LDAP database as in the McAfee OTP database. If you leave the attribute setting empty, McAfee OTP accepts the one‑time password without the PIN code.

Show advanced hashed PIN code options (Global): Select this checkbox to enable hashed PIN codes. All hashed PIN code options are global and apply to all user databases.

Digest Charset: Specify the character set used by the user store where the hashed PIN codes are saved. Default: ISO-8859-1. This setting is only available when configuring hashed PIN codes.

Hashed value format: Choose one of these formats to use when reading hashed PIN codes:

• Base64

• Hexadecimal

This setting is only available when configuring hashed PIN codes.
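The PIN code section and the hashed PIN options above together describe how a verifier has to handle the concatenated string: split off the PIN, hash it with the configured algorithm and charset, compare it with the stored value in Base64 or hexadecimal form, and check the remaining one‑time password. The Python below is an added example of that procedure and is not McAfee OTP's code. It assumes the common LDAP convention for salted hashes (digest followed by the salt in one value), an 8-byte salt, and that the verifier knows the one‑time password length so it can find the boundary in the concatenated string; the page does not state any of these details.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple


def hash_pin(pin: str, algorithm: str, fmt: str, charset: str = "ISO-8859-1",
             salt: Optional[bytes] = None) -> str:
    """Hash a PIN as it would be stored: SHA1 (unsalted) or SSHA256 (salted), Base64 or hex."""
    data = pin.encode(charset)            # Digest Charset: how the PIN text becomes bytes
    if algorithm == "SHA1":
        raw = hashlib.sha1(data).digest()
    elif algorithm == "SSHA256":
        # Salted SHA256 stored as digest || salt: assumed layout (the usual LDAP {SSHA} convention)
        salt = os.urandom(8) if salt is None else salt
        raw = hashlib.sha256(data + salt).digest() + salt
    else:
        raise ValueError("unsupported algorithm: " + algorithm)
    if fmt == "Base64":
        return base64.b64encode(raw).decode("ascii")
    if fmt == "Hexadecimal":
        return raw.hex()
    raise ValueError("unsupported format: " + fmt)


def verify_pin(pin: str, stored: str, algorithm: str, fmt: str,
               charset: str = "ISO-8859-1") -> bool:
    """Constant-time check of a PIN against its stored hash (Hashed value format aware)."""
    raw = base64.b64decode(stored) if fmt == "Base64" else bytes.fromhex(stored)
    data = pin.encode(charset)
    if algorithm == "SHA1":
        return hmac.compare_digest(hashlib.sha1(data).digest(), raw)
    if algorithm == "SSHA256":
        digest, salt = raw[:32], raw[32:]        # SHA-256 digest is 32 bytes, the rest is salt
        return hmac.compare_digest(hashlib.sha256(data + salt).digest(), digest)
    raise ValueError("unsupported algorithm: " + algorithm)


def split_pin_and_otp(entered: str, otp_length: int) -> Optional[Tuple[str, str]]:
    """The user types PIN immediately followed by the OTP with no separator, so the
    verifier needs the OTP length to find the boundary (this example's assumption)."""
    if len(entered) <= otp_length:
        return None
    return entered[:-otp_length], entered[-otp_length:]


def check_pin_and_otp(entered: str, stored_hash: Optional[str], algorithm: str, fmt: str,
                      otp_length: int, otp_is_valid: Callable[[str], bool]) -> bool:
    """Full check. With no PIN attribute configured (stored_hash is None) the page says the
    OTP alone is accepted; otherwise both the PIN prefix and the OTP suffix must verify."""
    if stored_hash is None:
        return otp_is_valid(entered)
    parts = split_pin_and_otp(entered, otp_length)
    if parts is None:
        return False
    pin, otp = parts
    pin_ok = verify_pin(pin, stored_hash, algorithm, fmt)
    otp_ok = otp_is_valid(otp)
    return pin_ok and otp_ok   # both evaluated, so the failure reason is not observable
```

Note the difference the Secure SHA256 choice makes: an unsalted SHA1 of a four-digit PIN is trivially precomputable, whereas the per-user salt in SSHA256 forces an attacker who obtains the attribute values to work on each user separately.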

Advanced options

Use the configuration pane to configure the settings in the Advanced options area.

Option Definition

External Database handler: Select this checkbox to allow the extension of the database handler with your own Java class. In the field that opens, specify a Java class name that extends se.nordicedge.radius.DBHandler.

Create an SQL database

Create an SQL database using the following steps.

Task

1 To select the SQL database type, use one of these options:

• In the select pane, right‑click the Databases object type, then select the New SQL database type from the context menu.

• In the select pane, right‑click the Databases object type, then select the New SQL database type on the configuration pane.

2 In the Database Display Name field, specify a unique, meaningful name.


3 To configure the new SQL database for use with tokens based on the Open Authentication (OATH) HOTP or TOTP standard, select the Uses HOTP or TOTP (OATH) checkbox.

Select this checkbox to modify the available settings in the SQL Queries area on the configuration pane.

Select this checkbox when configuring the new SQL database for use with Pledge, the McAfee software token installed on a mobile device.

4 On the configuration pane, configure the remaining settings.

Tasks

• JDBC/ODBC Settings on page 36: Use the configuration pane to configure the settings in the JDBC/ODBC Settings area.

• SQL Queries (HOTP/TOTP Disabled) on page 37: Use the configuration pane to configure the settings in the SQL Queries area when the Uses HOTP or TOTP (OATH) checkbox is not selected.

• SQL Queries (HOTP/TOTP Enabled) on page 38: Use the configuration pane to configure the settings in the SQL Queries area when the Uses HOTP or TOTP (OATH) checkbox is selected.

• Onetime Password Prefetch on page 38: The SQL database Onetime Password Prefetch settings are the same as the LDAP database.

• PIN code on page 38: The SQL database PIN code settings are the same as the LDAP database.

• Advanced options on page 39: The SQL database Advanced options settings are the same as the LDAP database.

JDBC/ODBC Settings

Use the configuration pane to configure the settings in the JDBC/ODBC Settings area.

Option Definition

Driver Manager: Specify the Driver Manager using JDBC syntax.
ODBC example: sun.jdbc.odbc.JdbcOdbcDriver
MySQL example: com.mysql.jdbc.Driver

Database URL: Specify the Database URL of the JDBC/ODBC database.
ODBC example: jdbc:odbc:Databasename
MySQL example: jdbc:mysql://Ipaddress:portnr:/dbname

Samples: Provides sample settings for the Driver Manager and Database URL fields.

Username: Specify the user name for the JDBC/ODBC database.

Password: Specify the password for the JDBC/ODBC database.

No of conns: Specify the number of concurrent database connections in the connection pool available to McAfee OTP.

Test Connection: Test the database connection.


SQL Queries (HOTP/TOTP Disabled)

Use the configuration pane to configure the settings in the SQL Queries area when the Uses HOTP or TOTP (OATH) checkbox is not selected.

Option Definition

Authenticate: Specify the SQL query used for authentication, which must return the user name.
Example: SELECT NAME FROM UserDB WHERE NAME='$$NAME$$' AND PASSWORD='$$PASSWORD$$'

OTP Field: Specify the SQL query that retrieves the mobile phone number or email address from the user’s account. In the query, use the $$NAME$$ tag for the user name.

Login Retries: Specify the maximum number of incorrect passwords that users can provide before the user’s account is locked. Specify a value for this field to enable the lock user function. If a value for this field is not specified, there is no limit to the number of incorrect passwords that users can provide. Locked accounts are automatically unlocked after a time period that you configure.

Get Locked (GetDisabled): Specify the SQL query that reads whether the user account is locked. Use the $$NAME$$ tag for the user name in the SQL query.
Example: SELECT disabled FROM users WHERE name='$$NAME$$' AND disabled='TRUE'

Set Locked (SetDisabled): Specify the SQL query to execute when the maximum number of Login Retries is exceeded. Use the $$NAME$$ tag for the user name in the SQL query.
Example: UPDATE users SET disabled='TRUE' WHERE name='$$NAME$$'

Get Disable OTP: Specify the SQL query that determines whether the user can log in without a one‑time password.
Example: SELECT skipotpflag FROM UserTable WHERE name='$$NAME$$'

If you do not specify a value for this field, authentication with a one‑time password is always required.

Test Authentication: Test the authentication.

See also Configure the Unlock User Accounts options on page 62


SQL Queries (HOTP/TOTP Enabled)

Use the configuration pane to configure the settings in the SQL Queries area when the Uses HOTP or TOTP (OATH) checkbox is selected.

Option Definition

Authenticate: Specify the SQL query used for authentication, which must return the user name.
Example: SELECT NAME FROM UserDB WHERE NAME='$$NAME$$' AND PASSWORD='$$PASSWORD$$'

Get OATHKey: Specify the SQL query that retrieves the OATH key from the user’s account.
Example: SELECT OATHKey FROM UserDB WHERE NAME='$$NAME$$'

Set OATHKey: Specify the SQL query that sets the OATH key in the user’s account.
Example: UPDATE users SET OATHKey ='$$KEY$$' WHERE name='$$NAME$$'

Login Retries: Specify the maximum number of incorrect passwords that users can provide before the user’s account is locked. Specify a value for this field to enable the lock user function. If a value for this field is not specified, there is no limit to the number of incorrect passwords that users can provide. Locked accounts are automatically unlocked after a time period that you configure.

Get Locked (GetDisabled): Specify the SQL query that reads whether the user account is locked. Use the $$NAME$$ tag for the user name in the SQL query.
Example: SELECT disabled FROM users WHERE name='$$NAME$$' AND disabled='TRUE'

Set Locked (SetDisabled): Specify the SQL query to execute when the maximum number of login retries is exceeded. Use the $$NAME$$ tag for the user name in the SQL query.
Example: UPDATE users SET disabled='TRUE' WHERE name='$$NAME$$'

Test Authentication: Test the authentication.

See also Configure the Unlock User Accounts options on page 62
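The two SQL Queries tables (HOTP/TOTP Disabled and Enabled) describe the same pattern: administrator-supplied query templates in which $$NAME$$, $$PASSWORD$$ and $$KEY$$ are replaced at run time, plus a Login Retries counter that triggers the Set Locked query. The Python below is an added example, not McAfee OTP's database handler, that drives an in-memory SQLite store with those templates. It shows two ways of filling the tags: the literal text substitution the page describes, and a conversion of each quoted '$$TAG$$' into a bind parameter. Whether the product escapes substituted values is not stated on the page; the example only shows that a user name containing an apostrophe is handled correctly with bind parameters and makes the literal form fail to parse. The single table name and the retries column are this example's own schema.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Query templates in the guide's $$TAG$$ syntax, following the page's examples but with one
# table name ("users") throughout so that a single self-contained schema serves all of them.
AUTHENTICATE = "SELECT name FROM users WHERE name='$$NAME$$' AND password='$$PASSWORD$$'"
GET_LOCKED = "SELECT disabled FROM users WHERE name='$$NAME$$' AND disabled='TRUE'"
SET_LOCKED = "UPDATE users SET disabled='TRUE' WHERE name='$$NAME$$'"
GET_OATHKEY = "SELECT oathkey FROM users WHERE name='$$NAME$$'"
SET_OATHKEY = "UPDATE users SET oathkey='$$KEY$$' WHERE name='$$NAME$$'"
TAG = re.compile(r"'\$\$([A-Z]+)\$\$'")   # a quoted tag such as '$$NAME$$'


def fill_template(template: str, **tags: str) -> str:
    """Literal text substitution of $$TAG$$, which is how the page describes the tags."""
    for name, value in tags.items():
        template = template.replace("$$" + name + "$$", value)
    return template


def template_to_parameterized(template: str) -> Tuple[str, List[str]]:
    """Turn each quoted '$$TAG$$' into a ? bind marker; return the SQL and the tag order."""
    names = TAG.findall(template)
    return TAG.sub("?", template), names


class SqlUserStore:
    """An in-memory SQLite user store driven by the templates above (example schema)."""

    def __init__(self, max_retries: int):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, "
            "disabled TEXT NOT NULL DEFAULT 'FALSE', oathkey TEXT, "
            "retries INTEGER NOT NULL DEFAULT 0)")
        self.max_retries = max_retries   # the Login Retries setting

    def add_user(self, name: str, password: str, oathkey: Optional[str] = None) -> None:
        # A plaintext password column only because the page's Authenticate query compares
        # one directly; a production store would hold a salted hash instead.
        self.conn.execute("INSERT INTO users (name, password, oathkey) VALUES (?, ?, ?)",
                          (name, password, oathkey))

    def run(self, template: str, **tags: str) -> list:
        """Execute a template with the tag values bound as parameters, not spliced as text."""
        sql, order = template_to_parameterized(template)
        return self.conn.execute(sql, [tags[n] for n in order]).fetchall()

    def run_literal(self, template: str, **tags: str) -> Optional[list]:
        """Execute the template after literal substitution; None if the SQL does not parse."""
        try:
            return self.conn.execute(fill_template(template, **tags)).fetchall()
        except sqlite3.OperationalError:
            return None

    def is_locked(self, name: str) -> bool:
        """Get Locked: any row returned means the account is locked."""
        return bool(self.run(GET_LOCKED, NAME=name))

    def authenticate(self, name: str, password: str) -> bool:
        """Authenticate, counting failures and running Set Locked once retries exceed the maximum."""
        if self.is_locked(name):
            return False
        if self.run(AUTHENTICATE, NAME=name, PASSWORD=password):
            self.conn.execute("UPDATE users SET retries = 0 WHERE name = ?", (name,))
            return True
        self.conn.execute("UPDATE users SET retries = retries + 1 WHERE name = ?", (name,))
        row = self.conn.execute("SELECT retries FROM users WHERE name = ?", (name,)).fetchone()
        if row is not None and row[0] > self.max_retries:
            self.run(SET_LOCKED, NAME=name)
        return False
```

The automatic unlock after a configured period that the page mentions is left out here; it would be a timestamp column checked in is_locked.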

Onetime Password Prefetch

The SQL database Onetime Password Prefetch settings are the same as the LDAP database.

See also Onetime Password Prefetch on page 33

PIN code

The SQL database PIN code settings are the same as the LDAP database.

See also PIN Code on page 34


Advanced options

The SQL database Advanced options settings are the same as the LDAP database.

See also Advanced options on page 35

Create a RADIUS Forward database

Use a RADIUS Forward database to allow McAfee OTP to pass through and forward RADIUS requests to a third‑party RADIUS Server, which supports RSA SecurID and SafeWord tokens.

Task

1 To select the RADIUS Forward database type, use one of these options:

• In the select pane, right‑click the Databases object type, then select the New RADIUS Forward database type from the context menu.

• In the select pane, right‑click the Databases object type, then select the New RADIUS Forward database type in the configuration pane.

2 In the Database Display Name field, specify a unique, meaningful name.

3 Click Add RADIUS Server, and specify the IP address and port number of the RADIUS server.

McAfee OTP uses this information when forwarding requests to the server.

4 (Optional) To remove a RADIUS server, select it, and click Remove RADIUS Server.

5 On the configuration pane, configure the remaining options.

Option Definition

Shared Secret: Specify the secret shared by the McAfee OTP server and the RADIUS server.

Forward additional RADIUS attributes: Specify whether the McAfee OTP server forwards additional RADIUS attributes to the other RADIUS server.

Test RADIUS request: Test authentication to the selected RADIUS server.

Create a database group

Configure multiple McAfee OTP databases as a group. Database groups can include LDAP, JDBC, and RADIUS Forward databases, or a combination.

When databases are configured as a group, McAfee OTP searches them in the order that they are listed on the configuration pane. When a matching user name and password are found in a specified database for a specified user, McAfee OTP uses that database for that user.

LDAP and JDBC databases must be configured before they can be added to a database group.

Task

1 To select the Database group database type, use one of these options:

• In the select pane, right‑click the Databases object type, then select the Database Group database type from the context menu.

• In the select pane, right‑click the Databases object type, then select the Database Group database type in the configuration pane.

2 In the Database Display Name field, specify a unique, meaningful name.

3 In the Database Group Settings area, click Add Database, then select one or more databases.


4 Click Up and Down to position the selected databases in the list.

5 (Optional) To remove a database from the database group, click Remove Database.

Configure the Clients object type

McAfee OTP uses McAfee OTP client objects to manage connections to McAfee OTP clients.

These McAfee OTP clients are supported:

• RADIUS — Use the RADIUS challenge‑response protocol to communicate with McAfee OTP.

Examples: Firewall and VPN (BlueCoat, Cisco, Citrix, F5, and Juniper)

• Native — Communicate with McAfee OTP using the API that it provides.

Examples: CA SiteMinder, Microsoft Outlook Web Access, Microsoft SharePoint, and Novell GroupWise Web Access.

• Web services — Use SOAP‑based web services implemented through an API to communicate with McAfee OTP.

See also Web Service Client API (SOAP) on page 5

Contents

• Create a client
• Delete a client
• Duplicate a client
• Create a RADIUS client
• Create a Native client
• Create a Web services client

Create a client

Create a McAfee OTP client object to manage connections to McAfee OTP clients.

Task

1 To create a client, choose from these options:

• In the select pane, right‑click the Clients object type, then select the New Client type from the context menu.

• In the select pane, select the Clients object type, then select the New Client type in the configuration pane.

2 In the Client Display Name field, specify a unique, meaningful name.

3 In the configuration pane, configure the remaining settings.

Delete a client

Delete a client that is no longer needed.

Task

1 In the select pane, navigate to the client.

2 Right‑click the client, and select Delete from the context menu.


Duplicate a client

Duplicate an existing client.

Task

1 In the select pane, navigate to the client.

2 Right‑click the client, and select Duplicate Client from the context menu.

3 In the Client Display Name field, specify a unique, meaningful name.

4 In the configuration pane, configure the remaining settings.

Create a RADIUS client

Create a RADIUS client using the following steps.

Task

1 To select the RADIUS client type, use one of these options:

• In the select pane, right‑click the Clients object type, then select the New RADIUS client type from the context menu.

• In the select pane, right‑click the Clients object type, then select the New RADIUS client type in the configuration pane.

2 In the Client Display Name field, specify a unique, meaningful name.

3 In the Client IP Address field, specify the IP address of the RADIUS client.

• Do not specify a DNS name.

• You can specify multiple IP addresses by using a wildcard character, such as “*”.

4 In the configuration pane, configure the remaining settings.

Advanced

Click Advanced to configure the RADIUS client settings.

Contents

• RADIUS Client Attribute Detection
• Listen on RADIUS Ports
• Encoding
• RADIUS Reject Error Messages

RADIUS Client Attribute Detection

Specify a different client configuration and database for each user group at the same IP address, differentiate between user groups (such as employees, partners, and customers), and enable different authentication methods for each user group at the same IP address.

Option Definition

Enable Attribute Detection: Specifies whether the RADIUS attribute detection feature is enabled.

RADIUS attribute number: Specifies a RADIUS attribute by number.

RADIUS attribute value: Specifies a value for the selected RADIUS attribute.


Option Definition

Match type: Specifies whether the match must be exact.

Match case: Specifies whether the match is case‑sensitive.

Listen on RADIUS Ports

Specify the RADIUS port numbers on which McAfee OTP listens.

The Listen on RADIUS Ports settings are only available when McAfee OTP is configured as a RADIUS server, and Additional Ports are enabled in the configuration pane.

Option Definition

Listen on ALL available port numbers: Specify whether McAfee OTP listens on all RADIUS port numbers.

Selected ports: Specify one or more RADIUS port numbers on which McAfee OTP listens. This option is only available when the previous option is disabled.

Encoding

Use the configuration pane to configure the settings in the Encoding Settings area.

Option Definition

Charset encoding: Specifies a system character set. The RADIUS standard uses UTF‑8 encoding to transform packet data to strings.

RADIUS Reject Error Messages

Configure end user error messages that are sent when authentication fails.

Option Definition

Failed Auth/Error: Specify the message that is sent when the user fails to authenticate or a system error occurs.

• This message is sent by RADIUS attribute 18.

• To disable this message, leave this field blank.

Failed OTP: Specifies a message that is sent when the user’s one‑time password fails.

• This message is sent by RADIUS attribute 18.

• To disable this message, leave this field blank.


RADIUS Options

Use the configuration pane to configure the settings in the RADIUS Options area.

Option Definition

Shared Secret: Specify the RADIUS client’s shared secret. The RADIUS client and the RADIUS client application must have the same shared secret.

Supports RADIUS Access‑Challenge: Select this checkbox to specify that the RADIUS client supports the RADIUS challenge‑response protocol.

Response Message: Specify the message that is sent to the RADIUS client for prompting the user to enter a one‑time password. This field is only available when the RADIUS client supports the challenge‑response protocol.

Allow multiple user requests: Select this checkbox to allow an end user to request one‑time passwords from multiple RADIUS endpoints. This setting is useful when single users are requesting one‑time passwords from redundant VPN servers. This field is only available when the RADIUS client does not support the challenge‑response protocol.

Auth. Server IP Address: Specify the IP address of the RADIUS client, VPN, or firewall. This field is only available when the RADIUS client does not support the challenge‑response protocol.
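The RADIUS Reject Error Messages, Encoding, Attribute Detection and RADIUS Options passages above all come down to a few packet-level facts: error text and the challenge prompt travel in attribute 18 (Reply-Message, RFC 2865), strings are decoded with the configured charset, attribute detection matches one attribute's value exactly or partially with or without case, and the shared secret is what lets the client check that a reply really came from the server. The Python below is an added example, not McAfee OTP's RADIUS code, that builds and verifies Access-Reject and Access-Challenge packets following RFC 2865 (the response authenticator is MD5 over code, identifier, length, the request authenticator, the attributes and the secret). The attribute-detection matcher is this example's reading of the Match type and Match case options, and the secret and request authenticator in the test are constructed values.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
REPLY_MESSAGE = 18   # RFC 2865 Reply-Message: the attribute the page's error messages use
STATE = 24           # RFC 2865 State: echoed by the client in the next Access-Request


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, includes the header), Value. Max value size is 253."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attributes: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Build a server reply whose authenticator binds it to the request and the shared secret."""
    attrs = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What a RADIUS client does on receipt: recompute the authenticator with its own secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    attrs = []
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")   # stop rather than read past the packet
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def reply_messages(packet: bytes, charset: str = "utf-8") -> List[str]:
    """All Reply-Message texts in a packet, decoded with the configured charset (UTF-8 default)."""
    return [v.decode(charset) for t, v in parse_attributes(packet) if t == REPLY_MESSAGE]


def attribute_matches(packet: bytes, number: int, value: str, exact: bool = True,
                      match_case: bool = True, charset: str = "utf-8") -> bool:
    """Attribute detection: does attribute `number` carry `value` (exact or substring, case-aware)?"""
    for attr_type, raw in parse_attributes(packet):
        if attr_type != number:
            continue
        got, want = raw.decode(charset, errors="replace"), value
        if not match_case:
            got, want = got.lower(), want.lower()
        if (got == want) if exact else (want in got):
            return True
    return False
```

A client that does not support Access-Challenge never sees the Response Message prompt, which is why the page's Prefetch OTP Options (password and one‑time password concatenated in a single Access-Request) exist for that case.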

Prefetch OTP Options

Use the Prefetch OTP Options for RADIUS clients that do not support the challenge‑response protocol.

The Prefetch OTP Options are only available when the RADIUS client is configured to use only prefetch one‑time passwords.

Option Definition

Use ONLY OATH OTP or Prefetch OTPs: Select this checkbox to specify using only OATH tokens or prefetch one‑time passwords. This checkbox is only available when the RADIUS client does not support the challenge‑response protocol.

Require Password AND Prefetch OTP: Specify that users must enter a string which is the concatenation of the database password and the one‑time password. This setting is only available when prefetch one‑time passwords are enabled.
Example: dbpassword012345

Generate Prefetch OTP if none exists: When end users log on with user name and password, specify the ability to generate prefetch one‑time passwords if none exist. This setting is only available when prefetch one‑time passwords are enabled.


User Database

From the User Database drop‑down list, select one of the configured databases for the RADIUS client to use.

See also Configure the Databases object type on page 28

Other options

Use the configuration pane to configure the settings in the Other options area.

Option Definition

Uses external OTP API: Select this checkbox to specify that the external code using the API generates and verifies the one‑time password instead of McAfee OTP. Type the Java class name that implements the interface in the field that opens: se.nordicedge.interfaces.OTPVerificationHandler

Uses external OTP API: Click Radius Attributes to specify attributes that are sent following successful authentication. In the interface that opens, add each attribute and attribute number to the attribute list. Attribute values include:

• Static Value
• Login Name
• UserDN
• external code
• User Attribute

Force OTP Delivery Method: Select a McAfee OTP delivery method from the drop‑down list. This setting overrides the McAfee OTP default, which uses the delivery methods in the order they are configured by the administrator.

Create a Native client

Create a Native OTP client using the following steps.

Task

1 To select the Native client type, use one of these options:

• In the select pane, right‑click the Clients object type, then select the New Native client type from the context menu.

• In the select pane, right‑click the Clients object type, then select the New Native client type in the configuration pane.

2 In the Client Display Name field, specify a unique, meaningful name.

Example: CA SiteMinder.

3 In the Client IP Address field, specify the IP address of the Native client.

• Do not specify a DNS name.

• You can specify multiple IP addresses by using a wildcard character, such as “*”.

4 In the configuration pane, configure the remaining settings.


Tasks

• Advanced — Native Client Name Detection on page 45: McAfee OTP uses the name of the integration module to differentiate between user groups at the same IP address, and applies a different client configuration and database to each one.

• Options on page 45: Use the configuration pane to configure the settings in the Options area.

• User Database on page 45: From the User Database drop‑down list, select one of the configured databases for the Native client to use.

• Other options on page 46: Use the configuration pane to configure the settings in the Other options area.

Advanced — Native Client Name Detection

McAfee OTP uses the name of the integration module to differentiate between user groups at the same IP address, and applies a different client configuration and database to each one.

Option Definition

Enable Name Detection: Select this checkbox to enable the Native Client Name Detection feature, and enable different authentication methods for each user group at the same IP address.

Client Name: Specify the client name used by the integration module.

Options

Use the configuration pane to configure the settings in the Options area.

Option Definition

Accept User Lookup only: Select this checkbox to allow McAfee OTP to look up users based on user name only, issue one‑time passwords, and enable authentication with a one‑time password instead of user name and password. The password field can be empty.

Client Name: Specify the client name used by the integration module. This field is available when Accept User Lookup only is selected.

User Database

From the User Database drop‑down list, select one of the configured databases for the Native client to use.

See also Configure the Databases object type on page 28


Other options

Use the configuration pane to configure the settings in the Other options area.

Option Definition

Uses external OTP API: Select this checkbox to specify that the external code using the API generates and verifies the one‑time password instead of McAfee OTP Server. Type the Java class name that implements the interface in the field that opens: se.nordicedge.interfaces.OTPVerificationHandler

Force OTP Delivery Method: Select a McAfee OTP delivery method from the drop‑down list. This setting overrides the McAfee OTP default, which uses the delivery methods in the order they are configured by the administrator.

Create a Web services client

Create a Web services client using the following steps.

Task

1 To select the Web services client type, use one of these options:

• In the select pane, right‑click the Clients object type, then select the New Web services client type from the context menu.

• In the select pane, right‑click the Clients object type, then select the New Web services client type in the configuration pane.

2 In the WS Client Name field, specify a unique, meaningful name.

The name must correspond to the client name in the client’s web services requests.

3 In the WS Client Password field, specify a password for the Web services client.

4 In the configuration pane, configure the remaining settings.

Tasks

• Options on page 46: Use the configuration pane to configure the settings in the Options area.

• User Database on page 47: From the User Database drop‑down list, select one of the configured databases for the Web services client to use.

• Other Options on page 47: Use the configuration pane to configure the settings in the Other Options area.

Options

Use the configuration pane to configure the settings in the Options area.

Option Definition

Accept User Lookup only: Select this checkbox to allow McAfee OTP to look up users based on user name only and issue one‑time passwords, and enable authentication with a one‑time password instead of user name and password. The password field can be empty.


User DatabaseFrom the User Database drop‑down list, select one of the configured databases for the Web services clientto use.

See also Configure the Databases object type on page 28

Other OptionsUse the configuration pane to configure the settings in the Other Options area.

Option Definition

Uses externalOTP API

Selecting this checkbox specifies that the external code using the API generates andverifies the one‑time password instead of McAfee OTP. Type the Java class name thatimplements the interface in the field that opens:se.nordicedge.interfaces.OTPVerificationHandler

Force OTPDeliveryMethod

Selects an McAfee OTP delivery method from the drop‑down list of configured methodsfor McAfee OTP to use.

This setting overrides the McAfee OTP default, which uses the delivery methods in theorder they are configured by the administrator.

Configure the Delivery Method object type
Configure one or more methods for McAfee OTP to use to deliver one‑time passwords.

These options are available:

• Show all — Displays all delivery method types.

• Show enabled — Displays enabled delivery method types only.

• Show disabled — Displays disabled delivery method types only.

Contents
Enable a delivery method type
Configure the SMS Gateway delivery method
Configure the HTTP delivery method
Configure the Extended HTTP delivery method
Configure the SMTP delivery method
Configure the Netsize delivery method
Configure the Concurrent Sender delivery method
Configure the Instant Messaging delivery method
Configure the SMPP delivery method
Configure the CIMD2 delivery method
Configure the UCP File delivery method
Configure the Prefetch Detection delivery method


Enable a delivery method type
Enable a delivery method type for McAfee OTP to use to deliver one‑time passwords.

Task
1 In the select pane, right‑click the Delivery Method object type, then select the Delivery object type.

2 In the configuration pane, enable the Delivery object type.

3 To change the order the delivery method types are used, right‑click the Delivery method type, then select Move up or Move down.

Configure the SMS Gateway delivery method
The McAfee SMS module is a plug‑in that delivers one‑time passwords to end users using the McAfee SMS Gateway. The module provides status controls, usage statistics, and automatic failover for lapses in SMS service.

Task
1 In the select pane, expand the Delivery Methods object type, then select McAfee SMS.

2 In the configuration pane, select the Enable McAfee SMS Gateway checkbox.

3 Configure the remaining settings.

Tasks
• General Settings and Proxy areas on page 48: Use the configuration pane to configure the settings in the General Settings and Proxy areas.
• Location on page 49: Select the geographic area that corresponds to your location.
• Configuration and Status on page 49: To configure the settings in the Configuration and Status area, click Request a demo account.
• Advanced on page 49: Click Advanced to open the following settings.

General Settings and Proxy areas
Use the configuration pane to configure the settings in the General Settings and Proxy areas.

Option Definition

Username: Specify the user name for the McAfee SMS service.

Password: Specify the password for the McAfee SMS service.

Flash SMS: Select this checkbox to allow the McAfee SMS service to send Flash SMS messages to a mobile phone.

Message: Specify the one‑time password message sent to mobile phones. In the message, the one‑time password replaces the $$OTP$$ tag. If the tag is omitted, the one‑time password is appended to the end of the message.

Enable HTTP proxy server: Select this checkbox to enable support for an HTTP proxy server. This setting is required when McAfee OTP is installed on a server that cannot access the Internet without going through an HTTP proxy.


Server: Specify the DNS name or IP address of the HTTP proxy server. This field is only available when the HTTP proxy server is enabled.

Port: Specify the port number of the HTTP proxy server. This field is only available when the HTTP proxy server is enabled.

Disable PF SMS Status: Select this checkbox to send a message to the McAfee SMS Gateway disabling SMS status control for users that have prefetch one‑time passwords stored in the user database, reducing the waiting time for these passwords.

Username in accounting file: Select this checkbox to include the user name in the McAfee OTP log accounting file. If you are not using the accounting file, you can ignore this setting.

Validate SSL Certificates: Select this checkbox to enable SSL certificate validation.

Location
Select the geographic area that corresponds to your location.

Configuration and Status
To configure the settings in the Configuration and Status area, click Request a demo account.

Option Definition

Test: Send a test SMS message to a mobile phone through the McAfee SMS Gateway.

Update Config: Manually update the configuration for the McAfee SMS Gateway service.

Debug: Write SMS debug information to the log files.

Advanced
Click Advanced to open the following settings.

Option Definition

Enable max Limit: Set thresholds for SMS delivery.

Max SMS per user per day: Maximum number of SMS messages that each user can send in one day.

Max SMS total per day: Total number of SMS messages that all users can send in one day.

Configure the HTTP delivery method
Send one‑time passwords using the HTTP or HTTPS protocol to an SMS provider.

Task
1 In the select pane, expand the Delivery Methods object type, then select HTTP.

2 In the configuration pane, select the Enable HTTP checkbox.

3 Configure the remaining settings.

For more information, contact your SMS provider.


Tasks
• Headers or Template file on page 50: Use the configuration pane to configure the settings in the Headers or Template file area.
• Authentication on page 50: Use the configuration pane to configure the settings in the Authentication area.
• Proxy on page 50: Use the configuration pane to configure the settings in the Proxy area.
• Other Settings on page 51: Use the configuration pane to configure the settings in the Other Settings area.

Headers or Template file
Use the configuration pane to configure the settings in the Headers or Template file area.

Option Definition

User Header: The name of the HTTP header corresponding to the user’s mobile phone number or email address.

OTP Header: The name of the HTTP header corresponding to the one‑time password.

Headers in Query String: Include HTTP headers in the query string as GET parameters. Example: ?USER=070112233&CHALLENGE=123456

Template file: Name of the template file that replaces HTTP headers.
• The template file must contain the following two tags: $$IDENTITY$$ and $$CHALLENGE$$.
• To use headers only, leave this field blank.

Auto‑Accept SSL Certificates: Allows McAfee OTP to automatically trust SSL certificates received over HTTPS.

Debug: Enables logging of HTTP messages.

Authentication
Use the configuration pane to configure the settings in the Authentication area.

Option Definition

Enable HTTP Authentication: Enables HTTP authentication.

Username: User name required for HTTP authentication.

Password: Password required for HTTP authentication.

Proxy
Use the configuration pane to configure the settings in the Proxy area.

Option Definition

Enable Proxy Server: Enable HTTP requests and responses through a proxy server.

Proxy Server: DNS name of the proxy server.

Proxy Port: Port number of the proxy server.


Other Settings
Use the configuration pane to configure the settings in the Other Settings area.

Option Definition

Content Type: Content type of HTTP email messages using the MIME standard. Default: application/x‑www‑form‑urlencoded

HTTP(/S) URL: URL where the one‑time password is posted.

Success String: The string that the HTTP server sends to McAfee OTP when the one‑time password is posted successfully. Without this string, McAfee OTP continues processing as though the post failed.

Configure the Extended HTTP delivery method
The Extended HTTP delivery method offers more configuration options than the HTTP delivery method.

Task

1 In the select pane, expand the Delivery Methods object type, then select Extended HTTP.

2 In the configuration pane, select the Enable Extended HTTP Sender checkbox.

3 Configure the remaining settings.

Tasks
• Headers or Template file on page 51: Use the configuration pane to configure the settings in the Headers or Template file area.
• Authentication and Proxy on page 52: Use the configuration pane to configure the settings in the Authentication and Proxy area.
• Other Settings on page 52: Use the configuration pane to configure the settings in the Other Settings area.

Headers or Template file
Use the configuration pane to configure the settings in the Headers or Template file area.

Option Definition

User Header: The name of the HTTP header corresponding to the user’s mobile phone number or email address.

OTP Header: The name of the HTTP header corresponding to the one‑time password.

Remove leading +: Removes the leading “+” character from mobile phone numbers.

Replace + with 00: Removes the leading “+” character from mobile phone numbers, and replaces it with two zeros.

Template File: The name of the template file that replaces HTTP headers. The template file must contain the following two tags: $$IDENTITY$$ and $$CHALLENGE$$. To use headers only, leave this field blank.

Edit: Allows you to edit the template file.

Auto‑Accept SSL Certificates: Allows McAfee OTP to automatically trust SSL certificates received over HTTPS.

Debug: Enables logging of HTTP messages.

Use GET: Specifies GET as the HTTP method in place of POST.


Authentication and Proxy
Use the configuration pane to configure the settings in the Authentication and Proxy area.

Option Definition

Proxy Server: Enables HTTP requests and responses through a proxy server.
• Proxy Server — The DNS name of the proxy server. This field opens when the proxy server is enabled.
• Proxy Port — The port number of the proxy server. This field opens when the proxy server is enabled.

HTTP Auth: Enables HTTP authentication.
• Username — The user name required for authentication. This field opens when HTTP authentication is enabled.
• Password — The password required for authentication. This field opens when HTTP authentication is enabled.

Client Cert: Enables certificate authentication.
• PKCS12 file — The full path name to the certificate file. This field opens when certificate authentication is enabled.
• Password — The password required to decrypt the certificate file. This field opens when certificate authentication is enabled.
Certificate authentication requires HTTPS.

Other Settings
Use the configuration pane to configure the settings in the Other Settings area.

McAfee OTP uses the URLs in the order that you specify them. If one URL fails, McAfee OTP fails over to the last working URL.

Option Definition

Content Type: The content type of HTTP email messages using the MIME standard. Default: application/x‑www‑form‑urlencoded

HTTP(/S) URL 1: The first of three URLs where McAfee OTP can post the one‑time password.

HTTP(/S) URL 2: The second of three URLs where McAfee OTP can post the one‑time password.

HTTP(/S) URL 3: The third of three URLs where McAfee OTP can post the one‑time password.

Success String: The string that the HTTP server sends to McAfee OTP when the one‑time password is posted successfully. Without this string, McAfee OTP continues processing as though the post failed. Default: application/x‑www‑form‑urlencoded

Set SOAP Action request header: Adds a SOAP Action header field to the HTTP request.
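The failover and success‑string behaviour of the Extended HTTP settings above, together with the phone‑number options from the Headers or Template file table, modelled as an added Python example written for this guide (it is not McAfee OTP code). The transport is injected and its replies are constructed so the example runs offline; the header names, the example URLs and the "try the last working URL first" ordering are assumptions about the guide's wording.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

# A transport takes (url, form_body) and returns (status_code, response_text).
# It is injected so the example runs offline; a deployment would wrap an HTTPS
# client here (and validate the server certificate rather than auto-accepting it).
Transport = Callable[[str, str], Tuple[int, str]]


class ExtendedHttpSender:
    """Hypothetical model of the Extended HTTP delivery settings: up to three
    URLs, a success string, the user/OTP header names and the two '+' options."""

    def __init__(self, urls: List[str], success_string: str, transport: Transport,
                 user_header: str = "USER", otp_header: str = "CHALLENGE",
                 remove_leading_plus: bool = False, replace_plus_with_00: bool = False):
        self.urls = [u for u in urls if u][:3]          # HTTP(/S) URL 1..3
        self.success_string = success_string
        self.transport = transport
        self.user_header = user_header
        self.otp_header = otp_header
        self.remove_leading_plus = remove_leading_plus
        self.replace_plus_with_00 = replace_plus_with_00
        self.last_working: Optional[str] = None

    def normalise_identity(self, identity: str) -> str:
        """'Replace + with 00' takes precedence over 'Remove leading +'
        (assumption: the guide does not say which wins when both are set)."""
        if identity.startswith("+"):
            if self.replace_plus_with_00:
                return "00" + identity[1:]
            if self.remove_leading_plus:
                return identity[1:]
        return identity

    def build_body(self, identity: str, otp: str) -> str:
        # Default content type is application/x-www-form-urlencoded, so the header
        # names become form field names, matching the guide's ?USER=...&CHALLENGE=... example.
        return urlencode({self.user_header: self.normalise_identity(identity),
                          self.otp_header: otp})

    def attempt_order(self) -> List[str]:
        # Configured order, except that a URL that worked last time is tried first
        # (assumed reading of "fails over to the last working URL").
        if self.last_working in self.urls:
            return [self.last_working] + [u for u in self.urls if u != self.last_working]
        return list(self.urls)

    def send(self, identity: str, otp: str) -> Optional[str]:
        """Post the OTP and return the URL that accepted it, or None if every URL failed.
        A reply counts as success only when it contains the success string; a 2xx reply
        without it is treated as a failed post, as the guide states."""
        body = self.build_body(identity, otp)
        for url in self.attempt_order():
            try:
                status, text = self.transport(url, body)
            except OSError:
                continue                      # unreachable: fail over to the next URL
            if 200 <= status < 300 and self.success_string in text:
                self.last_working = url
                return url
        return None


def make_fake_transport(scripted: Dict[str, Tuple[int, str]], calls: List[str]) -> Transport:
    """Constructed offline transport: scripted[url] is the reply for that URL and a
    URL that is not scripted raises OSError as if the host were down. calls records
    the order in which URLs were tried."""
    def transport(url: str, body: str) -> Tuple[int, str]:
        calls.append(url)
        if url not in scripted:
            raise OSError("connection refused")
        return scripted[url]
    return transport


if __name__ == "__main__":
    calls: List[str] = []
    transport = make_fake_transport({
        "https://sms-b.example/api": (200, "ERROR 42: rejected"),   # no success string
        "https://sms-c.example/api": (200, "OK messageid=1"),
    }, calls)
    sender = ExtendedHttpSender(
        ["https://sms-a.example/api", "https://sms-b.example/api", "https://sms-c.example/api"],
        "OK", transport, replace_plus_with_00=True)
    print(sender.send("+46701122333", "123456"))  # sms-a down, sms-b rejected, sms-c accepts
    print(calls)
```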


Configure the SMTP delivery method
Send one‑time passwords using the SMTP protocol.

• SMTP is an acronym for Simple Message Transfer Protocol.

• McAfee OTP sends all messages containing the “@” character to users by SMTP.

Task
1 In the select pane, expand the Delivery Methods object type, and select SMTP.

2 In the configuration pane, select the Enable SMTP checkbox.

3 Configure the remaining settings.

Tasks
• SMTP Host on page 53: Use the configuration pane to configure the settings in the SMTP Host area.
• Authentication on page 53: Use the configuration pane to configure the settings in the Authentication area.
• SMTP Options on page 54: Use the configuration pane to configure the settings in the SMTP Options area.

SMTP Host
Use the configuration pane to configure the settings in the SMTP Host area.

Option Definition

SMTP Host: The IP address or DNS name of the SMTP host.

Mime Encoding: The MIME encoding for messages delivered by the SMTP method. Default: ISO‑8859‑1

Port: The port number of the SMTP host. Default: 25

SSL/TLS: Use the SSL or TLS protocol.

Force TLS: Use TLS, not SSL. This checkbox is only available when SSL/TLS is enabled.

Authentication
Use the configuration pane to configure the settings in the Authentication area.

Option Definition

Enable SMTP Authentication: Enables SMTP authentication.

Username: The user name required for SMTP authentication.

Password: The password required for SMTP authentication.


SMTP Options
Use the configuration pane to configure the settings in the SMTP Options area.

Option Definition

Mail sender address: The address of the email sender.

Mail To Address: The address of the email recipient. This setting is only available when the Mail address checkbox is not selected.

Mail address: Use the user’s email address as the recipient’s address, and disable the Mail To Address field.

Subject: The subject line of the email message. This setting is only available when the User ID checkbox is not selected.

User ID: Uses the user’s mobile phone number or email address as the subject of the email, and disables the Subject field.

Body Text: The body of the SMTP message, including the $$OTP$$ tag which is replaced by the one‑time password.
• If the $$OTP$$ tag is omitted, the one‑time password is appended to the end of the text.
• Clicking the browse button opens the body text editor.

Is filename: Save the body text in a template file.
• Enter the full path name to the template file in the Body Text field.
• The template file can contain the $$IDENTITY$$ and $$OTP$$ tags.

Debug: Write SMTP debug information to the log files.

Look up mail address in database: Specify an attribute that stores a complete email address. Use this function when using email as a back‑up delivery method. McAfee OTP can look up the specified attribute when it encounters an email address that does not contain the “@” character.

Test: Send a test email message.

Configure the Netsize delivery method
Send one‑time passwords using the Netsize SMS Gateway.

A Netsize account is required.

Task
1 In the select pane, expand the Delivery Methods object type, and select Netsize.

2 In the configuration pane, select the Enable Netsize checkbox.

3 Configure the remaining settings.


Tasks
• Communication on page 55: Use the configuration pane to configure the settings in the Communication area.
• Authentication on page 55: Use the configuration pane to configure the settings in the Authentication area.
• Message on page 55: Use the configuration pane to configure the settings in the Message area.
• Endpoint Settings on page 55: Use the configuration pane to configure the settings in the Endpoint Settings area.
• Options on page 56: Use the configuration pane to configure the settings in the Options area.

Communication
Use the configuration pane to configure the settings in the Communication area.

Option Definition

SMS Gateway: Specifies the IP address or DNS name of the Netsize SMS Gateway.

Port nr: Specifies the port number of the Netsize SMS Gateway.

Authentication
Use the configuration pane to configure the settings in the Authentication area.

Option Definition

Login: Specifies the user name required for authentication.

Password: Specifies the password required for authentication.

Message
Use the configuration pane to configure the settings in the Message area.

Option Definition

Message: Specifies the message to send to the mobile phone that includes the one‑time password. McAfee OTP replaces the $$OTP$$ tag in the message with the one‑time password. If the tag is omitted from the message, McAfee OTP appends the one‑time password to the end of the message. Clicking the Browse button opens the editor.

Endpoint Settings
Use the configuration pane to configure the settings in the Endpoint Settings area.

Use these available settings:

• Sending (MT)

• Receive (MO)

• Notification (SR)

Please consult your Netsize customer service representative for more information.


Options
Use the configuration pane to configure the settings in the Options area.

Option Definition

Debug: Selecting this checkbox enables debugging of Netsize packets in the console or log files.

Encryption: Selecting this checkbox enables encryption. This function requires coordination between McAfee OTP and the Netsize SMS Gateway. Consult your Netsize customer service representative for more information.

Message Type: Specifies the presentation of the message on the mobile phone. Select one of the following options:
• Immediate Display (Flash)
• Stored on Mobile phone
• Stored on SIM‑card

Configure the Concurrent Sender delivery method
Simultaneously send one‑time passwords using two or more delivery methods.

Task
1 In the select pane, expand the Delivery Methods object type, and select Concurrent Sender.

2 In the configuration pane, select the Enable Concurrent Sender checkbox.

3 From the Add Method drop‑down list, select the delivery method, then click Add.

The method is added to the Sending methods list.

4 (Optional) To remove a delivery method from the Sending methods list, select the delivery method, then click Delete.

Configure the Instant Messaging delivery method
Send one‑time passwords using these instant messaging methods.

• Skype

• Microsoft Live (MSN)

• Jabber (Google Talk)

Task
1 In the select pane, expand the Delivery Methods object type, then select Instant Messaging.

2 In the configuration pane, select the Enable Instant Messaging checkbox.

3 In the OTP Message field, enter the message to be sent to the user's mobile phone using the $$OTP$$ tag as a placeholder for the one‑time password.

4 Select the tab that corresponds to the instant messaging delivery method.

5 Configure the settings on the selected tab.


User Prefix
All three Instant Messaging delivery methods support the User Prefix feature, in which the user ID has a prefix that specifies the instant messaging service in use. Using the prefix, McAfee OTP can route the incoming instant message to the specified service.

Configure the prefix by typing a value in the User Prefix field on the tab corresponding to each Instant Messaging service on the configuration pane.

Google example:

User Prefix: GOOGLETALK

User ID: GOOGLETALK;[email protected]

Skype
Before you test the Skype Instant Messaging delivery method, verify that these minimum requirements are met.

• The Skype client is installed and running on McAfee OTP and logged on to the Skype network.

• McAfee OTP is running Java 1.5.

• To allow McAfee OTP to pass messages to the Skype client, select Yes when prompted by the Skype client.

When you test the Skype Instant Messaging delivery method, do not provide a user prefix.

Microsoft Live (MSN)
Before you test the MSN Instant Messaging delivery method, verify that these minimum requirements are met.

• You have a valid MSN account.

• Configure the MSN login id and MSN Password fields.

• The Debug checkbox is selected to write MSN debug information to the log files.

When you test the MSN Instant Messaging delivery method, do not provide a user prefix.

Jabber (Google Talk)
Before you test the Jabber Instant Messaging delivery method with McAfee OTP, verify that you have a valid Jabber account, and configure the settings in the configuration pane.

Option Definition

Server: Specifies the host name or IP address of the Jabber server.

Port nr: Specifies the port number of the Jabber server.

Use SSL: Selecting this checkbox specifies using the SSL protocol.

Jabber ID: Specifies your Jabber user name.

Password: Specifies your Jabber password.

When you test the Jabber Instant Messaging delivery method, do not provide a user prefix.


Configure the SMPP delivery method
Send one‑time passwords using the SMPP protocol.

SMPP is an acronym for Short Message Peer‑to‑Peer.

Task

1 In the select pane, expand the Delivery Methods object type, and select SMPP.

2 In the configuration pane, select the Enable SMPP checkbox.

3 Configure the remaining settings.

Configure the CIMD2 delivery method
Send one‑time passwords using the proprietary Nokia CIMD2 protocol.

Task

1 In the select pane, expand the Delivery Methods object type, then select CIMD2.

2 In the configuration pane, select the Enable CIMD2 checkbox.

3 Configure the remaining settings.

Configure the UCP File delivery method
Create one UCP file for each one‑time password. Use this method when one‑time passwords are processed by modem software, and then sent by SMS to end users.

UCP is an acronym for Uniformity Correction Parameters.

Task

1 In the select pane, expand the Delivery Methods object type, then select UCP File.

2 In the configuration pane, select the Enable UCP File checkbox.

3 Configure the remaining settings.

Tasks

• UCP File Options on page 58: Use the configuration pane to configure the settings in the UCP File Options area.

UCP File Options
Use the configuration pane to configure the settings in the UCP File Options area.

Option Definition

File Directory to drop file: Specifies the directory where one‑time passwords are stored, each password in a separate UCP file.

Filename starts with: Specifies a string that occurs at the beginning of each file name. Example: ucp

Filename ends with: Specifies a string that occurs at the end of each file name. Example: .txt

Template File: Specifies the name of the template file that provides the text contained in every UCP file. The text includes a variable which is replaced by the one‑time password.


Control+New Line (0D0A): Selecting this checkbox adds line breaks to the UCP file.

File character set: Specifies the character encoding for the UCP file. Example: ISO‑8859‑1

Configure the Prefetch Detection delivery method
Detect if users are using only prefetch one‑time passwords. This delivery method is useful when some, but not all, users are using only prefetch one‑time passwords. When the Prefetch Detection delivery method is configured and selected, McAfee OTP checks the McAfee OTP attribute. If the attribute is set to a value that you configure, only prefetch one‑time passwords are used. In this case, McAfee OTP does not send a one‑time password by any delivery method.

Task
1 In the select pane, expand the Delivery Methods object type, then select Prefetch Detection.

2 In the configuration pane, select the Enable Prefetch Detection checkbox.

3 In the OTP Attribute detection field, type the value of the OTP attribute when prefetch one‑time passwords only is true.

Example: PF‑ONLY

Configure the Misc object type
The Misc object type includes the following miscellaneous configuration types.

Contents
Configure the Expired Password Notification settings
Configure the OATH settings
Configure the Prefetch OTP options
Configure the Unlock User Accounts options
Configure the AES Encryption options
Configure the Embedded HTTP Server Options
Configure the Pledge Enrollment options
Configure the Web Manager options
Web Manager - User Guide
Self Service - Admin Guide
Self Service - User Guide
Configure the Yubico options

Configure the Expired Password Notification settings
Use the configuration pane to configure the settings in the Expired Password Notification area.

Task
1 In the select pane, expand the Misc object type, then select Expired Password Notification.

2 In the configuration pane, select the Enable Expired Password Notification checkbox.

3 Configure the remaining settings.


Tasks
• Expired Password Notification on page 60: Use the configuration pane to configure the settings in the Expired Password Notification area.

Expired Password Notification
Use the configuration pane to configure the settings in the Expired Password Notification area.

Option Definition

User attributes to send message to: Specifies a comma‑separated list of attributes, each one storing an email address or mobile phone number where the expired password notification can be sent. Example: mail,mobile

Message to the user: Specifies the message that is sent to the end user when the user’s password has expired.

Method to send notification with: Selects the delivery method to use when sending the expired password notification to end users.

Configure the OATH settings
McAfee OTP supports the OATH HOTP and TOTP hardware tokens used by Pledge and other OATH software tokens.

Task

1 In the select pane, expand the Misc object type, then select OATH Configuration.

2 Configure the remaining settings.

Tasks
• HOTP on page 60: Use the Oath Configuration pane to configure the settings in the HOTP area.
• TOTP on page 61: Use the configuration pane to configure the settings on the TOTP area.
• General OATH Settings on page 61: The following settings can be configured for both HOTP and TOTP tokens.
• Automatic OATH Enrollment on page 61: The Automatic Oath Enrollment settings are only available when the Accept OATH Token Identifier and Enable Automatic Enrollment checkboxes are selected.

HOTP
Use the Oath Configuration pane to configure the settings in the HOTP area.

Option Definition

Encrypt Key and counter: Selecting this checkbox specifies whether the HOTP key and counter are encrypted in the database.

Validation LookAhead Value: Specifies the number of unused one‑time passwords the user can generate with the OATH device before the device is out‑of‑sync and needs to be resynchronized.

OTP Length: Selects the length of the one‑time password.

Truncation value: Specifies an offset value for OATH devices. A value of –1 specifies variable truncation. Do not modify this value.


TOTP
Use the configuration pane to configure the settings on the TOTP area.

Option Definition

Accept time drift: Selecting this checkbox allows McAfee OTP to accept the preceding, current, or succeeding one‑time password instead of only the current one‑time password to compensate for time drift.

Anti‑replay check: Selecting this checkbox specifies that each one‑time password is only valid once in a specified time frame set by the software token, usually 30 or 60 seconds.

Encrypt Key value: Selecting this checkbox specifies that the TOTP key is encrypted in the database.

Max Out of Synch Time Steps: Specifies the maximum number of time steps that an OATH device can be out‑of‑sync with McAfee OTP. The time step is set by the OATH device, for example, 30 seconds.

General OATH Settings
The following settings can be configured for both HOTP and TOTP tokens.

Option Definition

Pin code placement: Selects whether the end user enters the PIN code before or after the HOTP/TOTP token when a PIN code is used.

Accept OATH Token Identifier: Selecting this checkbox adds support for software tokens that send a token identifier in addition to a one‑time password.

Enable Automatic Enrollment (Class A ‑ OATH Token Identifier): Selecting this checkbox specifies whether the automatic enrollment process retrieves the OATH key and counter from the keyfile and uses the OATH token identifier to store them in the user database.

Automatic OATH Enrollment
The Automatic Oath Enrollment settings are only available when the Accept OATH Token Identifier and Enable Automatic Enrollment checkboxes are selected.

Option Definition

Key storage database: Selects the database containing the keys and token identifier.

Check SQL Database: Tests whether the TOKENDB database and tokens table exist in the selected SQL database. If they do not exist, click Yes to create them. The Check SQL Database button is only visible when the selected database is a SQL database.

Object DN: Selects an LDAP object in which to store the keys. This field is only visible when the selected database is an LDAP database.

Attribute: Selects an LDAP attribute in which to store the keys. This field is only visible when the selected database is an LDAP database.

Upload keyfile to database: Clicking this button uploads the keys from the keyfile to the selected database. The keyfile must be a PSKC (RFC 6030) file or contain comma‑separated or semicolon‑separated keys. PSKC is an acronym for Portable Symmetric Key Container.


Allow multiple token assignments

Selecting this checkbox accepts a user that has one OATH token and wants to enroll for a second token.

Encrypt keys in key storage database

Selecting this checkbox specifies that the keys in the keystore are encrypted.

If AES is configured, the keys are encrypted using AES encryption. However, you must configure AES encryption before you import the keyfile.

Advanced automatic OATH enrollment

Some LDAP databases limit the number of keys per object to 1,000. To overcome this limitation, you can configure multiple LDAP objects and attributes for storing OATH keys on the Advanced Configuration dialog box. To open the dialog box, click Advanced in the Automatic OATH Enrollment area in the configuration pane.
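One way to read the keyfile that Upload keyfile to database consumes, as an added example that is not McAfee's code: a parser for the PSKC (RFC 6030) format that extracts, per key package, the token identifier (the Key Id), the OATH key, the HOTP counter and the response length, which are the values the automatic enrollment stores. The sample keyfile is constructed after the simple example in RFC 6030 and carries the RFC 4226 test key; only unencrypted PlainValue secrets are handled, and the delimited (comma or semicolon) keyfile layout, which the guide does not specify, is not covered.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

PSKC_NS = {"p": "urn:ietf:params:xml:ns:keyprov:pskc"}
OATH_ALGORITHMS = {
    "urn:ietf:params:xml:ns:keyprov:pskc:hotp": "hotp",
    "urn:ietf:params:xml:ns:keyprov:pskc:totp": "totp",
}
MIN_KEY_BYTES = 16  # RFC 4226 requires a shared secret of at least 128 bits

# Constructed sample keyfile, modelled on the simple example in RFC 6030.  A real
# keyfile holds plaintext token secrets and has to be protected like any key material.
SAMPLE_PSKC = """<KeyContainer Version="1.0" Id="exampleID1"
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Manufacturer</Manufacturer>
      <SerialNo>987654321</SerialNo>
    </DeviceInfo>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <Issuer>Issuer</Issuer>
      <AlgorithmParameters>
        <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def parse_pskc(document: Union[str, bytes]) -> List[Dict[str, object]]:
    """Return one record per OATH key package: token_id, algorithm, key, counter, digits, serial."""
    if isinstance(document, str):
        document = document.encode("utf-8")
    root = ET.fromstring(document)
    if root.tag != "{%s}KeyContainer" % PSKC_NS["p"]:
        raise ValueError("not a PSKC KeyContainer document")
    records = []
    for package in root.findall("p:KeyPackage", PSKC_NS):
        key = package.find("p:Key", PSKC_NS)
        if key is None:
            continue  # a package may carry device information only
        token_id = key.get("Id")
        algorithm = OATH_ALGORITHMS.get(key.get("Algorithm", ""))
        if not token_id or algorithm is None:
            raise ValueError("key package without a token identifier or with a non-OATH algorithm")
        secret = key.find("p:Data/p:Secret/p:PlainValue", PSKC_NS)
        if secret is None or not secret.text:
            raise ValueError(f"token {token_id}: only PlainValue secrets are handled here")
        key_bytes = base64.b64decode(secret.text.strip(), validate=True)
        if len(key_bytes) < MIN_KEY_BYTES:
            raise ValueError(f"token {token_id}: key shorter than {MIN_KEY_BYTES} bytes")
        counter_el = key.find("p:Data/p:Counter/p:PlainValue", PSKC_NS)
        if algorithm == "hotp" and counter_el is None:
            raise ValueError(f"token {token_id}: HOTP key without a counter")
        counter = int(counter_el.text) if counter_el is not None else None  # TOTP keys carry none
        fmt = key.find("p:AlgorithmParameters/p:ResponseFormat", PSKC_NS)
        digits = int(fmt.get("Length", "6")) if fmt is not None else 6
        serial = package.findtext("p:DeviceInfo/p:SerialNo", default=None, namespaces=PSKC_NS)
        records.append({"token_id": token_id, "algorithm": algorithm, "key": key_bytes,
                        "counter": counter, "digits": digits, "serial": serial})
    return records
```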

Configure the Prefetch OTP options

Configure how prefetch one‑time passwords are delivered to the end user. McAfee OTP can send prefetch one‑time passwords by any configured McAfee OTP delivery method or by forwarding them to another McAfee OTP server.

Task

1 In the select pane, expand the Misc object type, then select Prefetch Proxy Config.

2 To send all prefetch one‑time passwords to another McAfee OTP server, select the Proxy Sending of Prefetch OTPs checkbox in the configuration pane.

3 Type the IP address and port number of the proxy server (separated by a colon).

To specify multiple proxy servers, use a comma to separate each IP address‑port number pair.

4 From the Force Sending Prefetch OTP with Method drop‑down list, select the McAfee OTP delivery method to use when sending prefetch one‑time passwords.

Only configured McAfee OTP delivery methods are available.

Configure the Unlock User Accounts options

Configure how many minutes user accounts are locked before the server automatically unlocks them, and specify different values for the first and second lockout. The Unlock function is used together with the OTP Databases object settings — Login Retries, Locked Attribute, and Locked Value — to manage access to McAfee OTP user accounts.

Task

1 In the select pane, expand the Misc object type, then select Unlock User Accounts.

2 In the configuration pane, configure the remaining settings.

Option Definition

Unlock Accounts after First Lockout

Specifies in minutes how long user accounts are locked when they are locked for the first time.

Unlock Accounts after Second Lockout

Specifies in minutes how long user accounts are locked when they are locked for the second time.

Reset Value Specifies the value to write to the Locked Attribute in the McAfee OTP database when the user account is unlocked. If you do not specify a value for this setting, McAfee OTP sets the value of the Locked Attribute to empty.


Configure the AES Encryption options

McAfee OTP V3.1 (and above) supports AES encryption and decryption. Using AES, McAfee OTP can store OATH keys and other sensitive information encrypted in McAfee OTP databases.

Task

1 In the select pane, expand the Misc object type, then select AES Encryption.

2 In the configuration pane, select the Enable AES Encryption checkbox.

3 Configure the remaining settings.

Tasks

• General Settings on page 63

Specify the attributes for McAfee OTP to encrypt.

• Advanced Settings on page 63

Use the configuration pane to configure the settings in the Advanced Settings area.

• Test encryption and decryption on page 64

Use the configuration pane to configure the settings in the Test encryption & decryption area.

General Settings

Specify the attributes for McAfee OTP to encrypt.

Task

1 In the General Settings area, click Add.

2 In the configuration pane corresponding to the database, select the External Database handler checkbox, and type ext.aes in the field that opens.

3 Click Save Config.

Advanced Settings

Use the configuration pane to configure the settings in the Advanced Settings area.

Option Definition

AES Key Specifies the key to use for AES encryption and decryption:

• To specify a 128‑bit key, provide a string of 32 characters.

• To specify a 256‑bit key, provide a string of 64 characters.

Do not modify the AES key in a production environment. All data encrypted with the key that you erase can no longer be decrypted or recovered.

Key size Selects a key size from the drop‑down list:

• 128

• 192

• 256

Units: bits

AES prefix Specifies the encryption format of an encrypted value. The prefix is added to the front of the value. Default: {AES}


Key type format Selects a format for the AES key: hex (hexadecimal) or Base64. Default: hex

Data format Selects a format for the encrypted data: hex (hexadecimal) or Base64. Default: hex

Use CBC Selecting this checkbox enables cipher‑block chaining (CBC).

IV (CBC) Specifies the initialization vector required to implement CBC.

The initialization vector must be specified in hexadecimal format and be 32 characters in length (16 bytes).

Lock Locks and unlocks the AES settings.

Locking the settings protects them from being changed unintentionally.
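A consistency check for the Advanced Settings above, as an added example written for this guide rather than code from McAfee OTP: it validates the key string against the key type format and key size, the CBC initialization vector and the prefix, and then classifies exported attribute values as encrypted, plaintext or malformed from the AES prefix and the data format, which is how an administrator can confirm that OATH keys really were stored encrypted. The dictionary keys that stand in for the configuration pane fields and the sample export values are constructed for this example.

```python
import base64
import binascii
from typing import Dict, List

AES_BLOCK_BYTES = 16  # AES output is always a whole number of 16-byte blocks


def decode_value(value: str, fmt: str) -> bytes:
    """Decode a key or ciphertext string in the configured format, 'hex' or 'Base64'."""
    if fmt.lower() == "hex":
        return binascii.unhexlify(value)  # raises binascii.Error on odd length or non-hex input
    if fmt.lower() == "base64":
        return base64.b64decode(value, validate=True)
    raise ValueError(f"unknown format {fmt!r}")


def validate_aes_settings(settings: Dict[str, object]) -> List[str]:
    """Return the problems found in the AES Encryption settings (an empty list means consistent).

    Dictionary keys mirror the configuration pane fields (constructed names):
    aes_key, key_type_format, key_size, use_cbc, iv, aes_prefix.
    """
    problems = []
    key = str(settings.get("aes_key", ""))
    key_fmt = str(settings.get("key_type_format", "hex"))
    key_size = int(settings.get("key_size", 0))
    # The guide documents 32-character (128-bit) and 64-character (256-bit) key strings.
    if key_fmt.lower() == "hex" and len(key) not in (32, 64):
        problems.append("AES Key must be 32 characters (128-bit) or 64 characters (256-bit)")
    try:
        key_bytes = decode_value(key, key_fmt)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        problems.append(f"AES Key is not valid {key_fmt}: {exc}")
        key_bytes = b""
    if key_size not in (128, 192, 256):
        problems.append("Key size must be 128, 192 or 256 bits")
    elif key_bytes and len(key_bytes) * 8 != key_size:
        problems.append(f"Key size {key_size} does not match the {len(key_bytes) * 8}-bit key")
    if settings.get("use_cbc"):
        iv = str(settings.get("iv", ""))
        try:
            iv_ok = len(iv) == 32 and len(binascii.unhexlify(iv)) == AES_BLOCK_BYTES
        except ValueError:
            iv_ok = False
        if not iv_ok:
            problems.append("IV (CBC) must be 32 hexadecimal characters (16 bytes)")
    if not str(settings.get("aes_prefix", "")):
        problems.append("AES prefix is empty, so encrypted and plaintext values cannot be told apart")
    return problems


def audit_stored_values(values: Dict[str, str], prefix: str = "{AES}",
                        data_format: str = "hex") -> Dict[str, str]:
    """Classify exported attribute values as 'encrypted', 'plaintext' or 'malformed'.

    A value counts as encrypted only when it carries the AES prefix and the remainder
    decodes, in the configured data format, to a non-empty multiple of the block size.
    """
    report = {}
    for name, value in values.items():
        if not value.startswith(prefix):
            report[name] = "plaintext"
            continue
        try:
            blob = decode_value(value[len(prefix):], data_format)
        except ValueError:
            report[name] = "malformed"
            continue
        report[name] = "encrypted" if blob and len(blob) % AES_BLOCK_BYTES == 0 else "malformed"
    return report
```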

Test encryption and decryption

Use the configuration pane to configure the settings in the Test encryption & decryption area.

Option Definition

Value Specifies a value to encrypt or decrypt with the AES key that you configured.

For the test, specify a value that is as long as or longer than the AES key.

Result Clicking Encrypt or Decrypt displays the encryption or decryption result, respectively.


Configure the Embedded HTTP Server Options

McAfee OTP includes an embedded HTTP server, which is used for Pledge Enrollment, Web Manager, and other web applications.

Task

1 In the select pane, expand the Misc object type, then select Embedded HTTP Server.

2 In the configuration pane, select the Enable Embedded HTTP Server checkbox.

3 Configure the remaining settings.

Option Definition

Port number Specifies the port number of the embedded HTTP server. Default: 8080

Enable SSL Selecting this checkbox enables SSL for the HTTP server. Default: Selected

SSL Options ‑ PKCS12 file Selects the P12 certificate file used by the SSL protocol.

SSL Options ‑ PKCS Password Specifies the password that protects the P12 certificate file.

Enable AJP Selecting this checkbox enables the AJP option for the Apache front end.

AJP is an acronym for Apache JServ Protocol.

The embedded HTTP server reads the configuration settings each time it starts. Therefore, McAfee OTP must be restarted for the new settings to take effect. If McAfee OTP is started manually, and not as a service, you can restart the embedded HTTP server using the start‑stop button located on the configuration pane.

Configure the Pledge Enrollment options

Using the Pledge Enrollment web application, end users can easily download a Pledge Profile, which includes an HOTP key, PIN code settings, and custom GUI settings. Using the web services interface that is integrated with the Profile Factory, administrators can customize the PIN code and GUI settings.

Task

1 In the select pane, expand the Misc object type, then select Pledge Enrollment.

2 In the configuration pane, select the Enable Pledge Enrollment checkbox.

3 Configure the remaining settings.

Tasks

• Configuration settings on page 66

Use the configuration pane to configure the settings in the Configuration area.

See also Enable the Pledge Enrollment services on page 82


Configuration settings

Use the configuration pane to configure the settings in the Configuration area.

Option Definition

OATH user database for Pledge Enrollment

Specifies the McAfee OTP database where the Pledge Enrollment process enrolls users.

This McAfee OTP database must be an LDAP or SQL database with OATH enabled.

Pledge Web Services Username

Specifies the web services user name that McAfee OTP uses when logging in to the Pledge Profile Factory.

To obtain a Pledge web services user name and password, contact the McAfee Technical Support Service Portal.

Pledge Web Services Password

Specifies the web services password that McAfee OTP uses when logging in to the Pledge Profile Factory.

To obtain a Pledge web services user name and password, contact the McAfee Technical Support Service Portal.

Client Name Detection

Specifies the client name that the Pledge Enrollment web application uses when connecting to the McAfee OTP client.

This client name must be added to the enable client name detection settings on the McAfee OTP client. The McAfee OTP client must be assigned the same McAfee OTP database where the Pledge Enrollment process enrolls users.

Allow user to enroll multiple profiles

Selecting this checkbox allows end users to enroll for more than one Pledge Profile. If multiple profiles are not allowed, Pledge Enrollment overwrites the existing OATH key with a new key.

Launch Pledge Enrollment

Clicking this button opens the Pledge Enrollment interface in your web browser.

The Launch button is only available when the administration console is started from the McAfee OTP Server monitor. If the Launch Pledge Enrollment button is not available, you can access the Pledge Enrollment application by entering a URL with the following format in your browser’s address bar: https://OTPServeripaddress:8080/PledgeEnrollment

Configure the Web Manager options

McAfee OTP includes a tool to manage administrative tasks for users. Using the tool, administrators and help desk personnel can manage day‑to‑day tasks such as adding and changing PIN codes, assigning and re‑synchronizing tokens, Pledge enrollment, and creating emergency one‑time passwords.

Self service in McAfee OTP supports only LDAP v3 directories.

Task

1 In the select pane, expand the Misc object type, then select Web Manager.

2 In the configuration pane, select the Enable Web Manager checkbox.

3 Configure the remaining settings.


Tasks

• Authentication settings on page 67

Use the configuration pane to configure the settings in the Authentication area.

• Other on page 67

Use the configuration pane to configure the settings in the Other area.

Authentication settings

Use the configuration pane to configure the settings in the Authentication area.

Option Definition

Client for authentication Specifies the McAfee OTP client used by the Web Manager to authenticate end users and administrators.

Enable OTP protection Select this checkbox to require one‑time password authentication.

Other

Use the configuration pane to configure the settings in the Other area.

Option Definition

Mobile attribute Specifies the LDAP attribute that stores the Web Manager mobile phone number.

This setting is required when the LDAP database is a McAfee OTP database with OATH enabled.

PIN code attribute

Specifies the LDAP attribute that stores the Web Manager PIN code. A PIN code is used with a one‑time password to increase the security in the authentication process.

PIN code must be enabled and configured in the database.

Client for OATH Selects the McAfee OTP client used by the Web Manager to re‑synchronize tokens and verify the identity of users. Select a McAfee OTP client that is connected to a McAfee OTP database with OATH enabled.

Launch Web Manager

Click this button to open the Web Manager interface in your web browser.

The Launch button is only available when the administration console is started from the McAfee OTP monitor. If the Launch button is not available, you can access the Web Manager application by entering a URL with this format in your browser’s address bar: https://OTPServeripaddress:portnumber/webmanager

Web Manager - User Guide

McAfee OTP includes a tool to manage administrative tasks for users. Using the tool, administrators and help desk personnel can manage day‑to‑day tasks such as adding and changing PIN codes, assigning and re‑synchronizing tokens, Pledge enrollment, and creating emergency one‑time passwords.

Login page with username and password

https://OTPServeripaddress:8080/webmanager


Option Definition

Manager User view Search for users. To edit a user, double‑click or right‑click a user in the result set.

Available forms when editing a user

When editing a user, use these options:

• General Information

• Change mobile number.

• Disable user from using one‑time passwords.

• Unlock locked accounts.

• Verify whether users have OATH‑tokens and/or PIN code enabled.

User Identity Verification Verifies the identity of a user.

Pledge Enrollment Redirects the user to the Pledge web application.

Manage Tokens Manages hardware tokens for users and tokens out of synch.

Emergency OTP When two‑factor authentication is enabled, the user is asked for a one‑time password. If the user forgot or lost their mobile device, they are unable to log on. To log on, an administrator can create an emergency one‑time password that is valid for one use.

PIN Code Generates user PIN codes.

Self Service - Admin Guide

McAfee OTP includes a Self Service tool to let users reset their own password, manage secret questions and answers, and generate a PIN code. Users log on to their accounts using a user name and password. If a user forgets their password, they can use a one‑time password, or answer a pre‑configured question.

Self Service supports only LDAP v3 directories.

Task

1 In the select pane, expand the Misc object type, then select Self Service.

2 In the configuration pane, select the Enable Self Service checkbox.

3 Configure the remaining settings.

Configuration settings

Use the configuration pane to configure the settings in the Configuration area.

Option Definition

LDAP database Selects a configured LDAP database from the drop‑down list. Self Service connects to this database to collect and/or update attribute information.

Mobile attribute Specifies the LDAP attribute that stores the user’s mobile phone number.

Mail attribute Specifies the LDAP attribute that stores the user’s mail address.

PIN Code attribute

Specifies the LDAP attribute that stores the user’s PIN code. If the PIN code is configured for the LDAP database, but a value is not entered on the configuration pane, the value for the LDAP database will be used. If a PIN code attribute value is not configured for the LDAP Database, McAfee OTP database, or the Web Manager configuration pane, the web form for Self Service does not appear.


Display name attribute

Specifies the LDAP attribute that stores the user’s display name.

Password reset settings

Specifies these options:

• Minimum password length.

• Maximum password length.

• Password policy.

Example: A-Z:1|a-z:1|0-9:1|#@:0

This policy generates a password that contains:

• At least one character between A–Z

• At least one character between a–z

• At least one digit between 0–9

• Optional characters are # and @

Example: A-Z:2|0-9:2|#@:1

This policy generates a password that contains:

• At least one character between A–Z

• At least one digit between 0–9

• Optional characters are # and @
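The password policy strings shown above, as an added example that is not McAfee's code: a parser for the class:count|class:count format, a checker that reports which rules a candidate password violates, and a generator that draws a compliant password from the policy's character classes with the secrets module. It follows the first example's reading of the format (a range such as A-Z or a literal list such as #@, with the count as the minimum number required and 0 meaning optional); treating a character that belongs to none of the classes as disallowed is an assumption made here.

```python
import secrets
from typing import List, Tuple

Rule = Tuple[str, int]  # (characters in the class, minimum number required; 0 = optional)


def expand_class(spec: str) -> str:
    """Expand one class spec: 'A-Z' is an inclusive range, anything else a literal list such as '#@'."""
    if len(spec) == 3 and spec[1] == "-" and spec[0] <= spec[2]:
        return "".join(chr(c) for c in range(ord(spec[0]), ord(spec[2]) + 1))
    return spec


def parse_policy(policy: str) -> List[Rule]:
    """Parse 'class:count|class:count|...', for example 'A-Z:1|a-z:1|0-9:1|#@:0'."""
    rules = []
    for term in policy.split("|"):
        spec, sep, count = term.strip().rpartition(":")
        if not sep or not spec or not count.isdigit():
            raise ValueError(f"malformed policy term {term!r}")
        rules.append((expand_class(spec), int(count)))
    return rules


def check_password(password: str, rules: List[Rule], min_len: int, max_len: int) -> List[str]:
    """Return the rules a candidate password violates (an empty list means it complies)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than the minimum length {min_len}")
    if len(password) > max_len:
        problems.append(f"longer than the maximum length {max_len}")
    for chars, need in rules:
        have = sum(ch in chars for ch in password)
        if have < need:
            problems.append(f"needs at least {need} of [{chars}], found {have}")
    # Assumption: a character that belongs to none of the policy's classes is not allowed.
    allowed = set("".join(chars for chars, _ in rules))
    stray = "".join(sorted(set(password) - allowed))
    if stray:
        problems.append(f"characters outside the policy: {stray}")
    return problems


def generate_password(rules: List[Rule], length: int) -> str:
    """Draw a password of the given length that satisfies every rule, using a CSPRNG."""
    required = [secrets.choice(chars) for chars, need in rules for _ in range(need)]
    if len(required) > length:
        raise ValueError("length is too short to satisfy the minimum counts")
    pool = "".join(chars for chars, _ in rules)
    filler = [secrets.choice(pool) for _ in range(length - len(required))]
    password = required + filler
    secrets.SystemRandom().shuffle(password)  # so the required characters are not always first
    return "".join(password)
```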

Secret Question and Answer (Q/A)

Use the configuration pane to configure the settings in the Secret Question and Answer (Q/A) area.

Option Definition

Enable Secret Question and Answer (Q/A)

Select the checkbox to activate this feature. When a user logs on, this feature is manageable in the Manage Q and A web form.

If this feature is disabled, the web form does not appear.

Total number of questions The number of configured questions and answers the question bank holds for each user.

Prompted number of questions

The number of questions a user is prompted with if they forget their login password. For example, if a user has configured five questions in the question bank, but the prompted number of questions is two, the user must correctly answer only two randomly selected questions to log on.

Answer all questions When Answer all questions is checked, the user is prompted to answer only two questions, even if the question bank contains five questions.

Allow custom questions Allows the user to create their own questions.

Q/A attribute Holds the question and answer information.

This value is encrypted.


Lockout

Use the configuration pane to configure the settings in the Lockout area. If a user attempts to log on and uses an incorrect password for a specified number of times, Self Service locks out the user from their account.

Option Definition

Number of tries Number of user login attempts that are allowed when an incorrect password is used.

Lockout time (minutes) Amount of time a user is locked out of their account.

Lockout attribute Holds the lockout time value.

Launch Self Service and Launch Forgot Password button

Opens the Self Service interface in your web browser.

• Any change to the Self Service configuration page needs McAfee OTP to be restarted.

• The Launch button is only available when the administration console is started from the McAfee OTP monitor. If the Launch button is not available, you can access the Self Service application by entering a URL with this format in your browser’s address bar:

https://OTPServeripaddress:portnumber/selfservice

https://OTPServeripaddress:portnumber/selfservice/module/selfservice/jsp/forgot.jsp

Information for Self Service

Change default question of Secret Question and Answers

The default questions are stored in this folder:

drive:\pathtoMcAfeerootfolder\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\classes\module\selfservice

The questions are stored in questionbank.txt. When changes are saved to this file, save the file as UTF‑8 with the same format.

Change PIN Code length

Open DSEditor.properties and search for this parameter:

drive:\pathtoMcAfeerootfolder\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\NEIDMgmt

IM4OTP.PINCODE.LENGTH=4

Disable OTP as an option for forgotten password

Open DSEditor.properties and search for this parameter:

drive:\pathtoMcAfeerootfolder\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\NEIDMgmt

Change this setting to false:

PWDRESET_ALLOW_OTP=true

Enable Help menu


Open DSEditor.properties and look for this parameter:

drive:\pathtoMcAfeerootfolder\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\NEIDMgmt

DISPLAY_HELP_LINK=true

EXTERNAL_HELP_LINK=http://www.mcafee.com

Enable/Disable Language as an option

Open DSEditor.properties and search for this parameter:

drive:\pathtoMcAfeerootfolder\McAfee\OTPServer3\im4otp\webapps\selfservice\WEB‑INF\NEIDMgmt

DISPLAY_LANGUAGE=true

Self Service - User Guide

McAfee OTP includes a Self Service tool to let users reset their own password, manage secret questions and answers, and generate a PIN code. Users log on with a user name and password. If a user forgets their password, they may use their user name and one‑time password, or answer a preregistered question.

Log on page with username and password

https://OTP_server_name/selfservice/

To log on to Self Service, a user must enter a user name and password.

Log on page for forgotten password

https://OTP_server_name/selfservice/module/selfservice/jsp/forgot.jsp

If a user needs to log on to their account, and has forgotten their password, they must enter their user name and one‑time password.

Management pages for self administration

A user has three forms to choose from, depending on the configuration of their solution.

Form Definition

Personal Information Reset user passwords and verify user information, such as a mobile number or mail address.

These settings are not editable.

Secret Question and Answers

Allows users to configure their questions and answers.

Displays if the Secret Question and Answers feature is enabled.

PIN Code Generates a PIN code.

If this form does not appear, a value is not configured for the PIN code.


Configure the Yubico options

To integrate the Yubico YubiKey Validation Server, which provides McAfee OTP validation and management services through web services APIs, use the configuration pane to configure the Yubico options.

Task

1 In the select pane, expand the Misc object type, then select Yubico.

2 In the configuration pane, select the Enable Yubico checkbox.

3 Configure the remaining settings.


5 Maintenance and use

To maintain and use McAfee OTP, use the options on the monitor.

McAfee OTP monitor

To enable the McAfee OTP monitor, select the Server object type in the select pane. In the Options area in the configuration pane, select the Enable Monitor checkbox. If this checkbox is selected, the monitor opens when McAfee OTP starts.

The monitor requires GUI support.

Use the following monitor options.

Option Definition

Configuration Clicking this option opens the administration console. Select and configure these object types:

• Server

• Databases

• RADIUS

• Clients

• Logs

• Delivery Methods

• Alerts

• Misc

• Licenses

Show Details Clicking this option displays the server statistics.

Shutdown Clicking this option shuts down McAfee OTP.

Contents

Start or stop McAfee OTP

Server statistics

Start or stop McAfee OTP

McAfee OTP supports Microsoft Windows Server 2003, 2008, UNIX, Linux, and Mac OS X operating systems.

McAfee recommends that you stop McAfee OTP by clicking Shutdown on the McAfee OTP monitor. For this option, the monitor must be enabled.

Contents

Start and Stop McAfee OTP on a Windows-based computer

Start and stop McAfee OTP on a UNIX, Linux, or Mac OS X-based computer


Start and Stop McAfee OTP on a Windows-based computer

To start and stop McAfee OTP on a Windows‑based computer, use the following options.

• Start and stop McAfee OTP using Microsoft Windows Services.

• Start McAfee OTP by running the following program file, which is located in the installation directory: OTPServer.exe.

• Stop McAfee OTP by clicking Shutdown on the monitor.

Start and stop McAfee OTP on a UNIX, Linux, or Mac OS X-based computer

To start and stop McAfee OTP on a UNIX, Linux, or Mac OS X‑based computer, use the following options.

• Start McAfee OTP by running the OTPServer program file in the background using the following UNIX command: OTPServer &.

• Stop McAfee OTP by using the UNIX kill command.

• Stop McAfee OTP by clicking Shutdown on the monitor.

Server statistics

To view the server statistics, click Show Details on the monitor.

Table 5-1 Sending one‑time passwords statistics

Option Definition

Total OTPs Displays the total number of created and sent one‑time passwords.

Table 5-2 One‑time password statistics

Option Definition

Successful OTPs Displays the number of one‑time passwords that the McAfee OTP clients successfully returned.

Failed OTPs Displays the number of one‑time passwords that the McAfee OTP clients failed to return.

Unfetched OTPs Displays the number of one‑time passwords that the McAfee OTP clients did not retrieve.

Expired OTPs Displays the number of one‑time passwords that expired.

Table 5-3 RADIUS statistics

Option Definition

RADIUS Packets Sent Displays the number of RADIUS packets sent.

RADIUS Packets Received Displays the number of RADIUS packets received.

Table 5-4 Licenses statistics

Option Definition

Nr of Licenses Displays the total number of registered licenses.

RADIUS Packets Received Displays how many registered licenses out of the total are currently in use.


Table 5-5 Connections statistics

Option Definition

Active Connections Displays the number of connections to McAfee OTP Native clients that are currently active.

Successful Connections Displays the number of successful connections to McAfee OTP Native clients.

Failed Connections Displays the number of failed connections to McAfee OTP Native clients.

Table 5-6 Encryption statistics

Option Definition

Encrypted Requests Displays the number of encrypted requests from McAfee OTP Native clients to McAfee OTP.

Unencrypted Requests Displays the number of unencrypted requests from McAfee OTP Native clients to McAfee OTP.

Rejected Unencrypted Req Displays the number of unencrypted requests from McAfee OTP Native clients to McAfee OTP that were rejected because they were not encrypted.

To enable this feature, select the Always encryption option in the Encryption area in the configuration pane.

Table 5-7 User database authentication statistics

Option Definition

Successful Logins Displays the number of times that end users successfully authenticated to LDAP and JDBC/ODBC databases.

Failed Logins Displays the number of times that end users failed to authenticate to LDAP and JDBC/ODBC databases.

Locked Accounts Displays the number of times that McAfee OTP locked user accounts, because the number of login attempts to LDAP or JDBC/ODBC databases exceeded the maximum allowed.


A Pledge

Pledge provides a secure, two‑factor authentication method for users to log on to applications.

Contents

About Pledge

Register for a Pledge Profile Factory account

Customize the Pledge Corporate Profile

Request a Pledge web service account

Configure the Pledge Enrollment database

Configure the Pledge Enrollment client

Enable the Pledge Enrollment services

Pledge Enrollment

About Pledge

The Pledge system consists of these components:


• Pledge Profile Factory — A web service that administrators use to configure and customize Pledge Corporate Profiles, which include logos, background pictures, colors, PIN code settings, and contact information. Pledge Corporate Profiles provide the template for Pledge User Profiles used by Pledge clients.

• Pledge Enrollment — A service that automates the delivery of Pledge User Profiles to end user devices.

• Pledge Client — Pledge is a mobile client used to generate one‑time passwords based on the OATH algorithm.

How Pledge works

Reference Definition

1 Using Pledge Enrollment, the end user enrolls in Pledge.

2 Pledge Enrollment sends a request for McAfee OTP to check the user's credentials.

3 McAfee OTP verifies the end user's credentials.

4 Pledge Enrollment sends a web service request to the Pledge Profile Factory.

5 Pledge Profile Factory performs these actions:

• Generates a random symmetric key and corresponding counter.

• Packages the Pledge corporate profile into a .zip file.

• Generates a unique Pledge Profile ID.

• Combines the above information into an XML message, and sends it to Pledge Enrollment.

6 Pledge Enrollment sends the Open Authentication (OATH) key and counter to McAfee OTP.

7 McAfee OTP saves the key in the configured database.


8 Pledge Enrollment sends the Pledge Profile ID to the end user or administrator. On a supported device, the end user starts the Pledge client application, selects +, and enters the Pledge Profile ID.

9 To download the Pledge User Profile, which includes the Pledge Corporate Profile, OATH key, and Pledge Profile ID, the Pledge client application contacts the Pledge Profile Factory via an HTTPS connection.

10 The Pledge Profile Factory sends the corresponding Pledge User Profile, flags the Pledge Profile ID, and removes the OATH key.

Once end users are enrolled in Pledge, they can use Pledge to sign online requests from a web server, such as purchase transactions, or auction bidding.

Pledge Profile Factory

Administrators use the Pledge Profile Factory to configure and customize the settings for Pledge Corporate Profiles.

Pledge Corporate Profiles provide the template for Pledge User Profiles used by Pledge clients.

Administrators can also use the Pledge Profile Factory to verify Pledge licensing information.

Pledge Enrollment

Pledge Enrollment is a service that automates the delivery of Pledge User Profiles to end user devices.

End users can enroll in Pledge themselves, or through Pledge administrators.

The Pledge Enrollment service is embedded into McAfee OTP, but can also be downloaded and installed separately into a DMZ solution.

Pledge Client

The Pledge Client can be installed on most devices and generates one-time passwords used for two-factor authentication with McAfee OTP or other OATH compliant systems.

The Pledge Client supports multiple Pledge profiles, which is useful for authentication to multiple services or ISP solutions.

Access the Pledge client from all major application stores, or visit Mobile Software Token Pledge.

Register for a Pledge Profile Factory account

To register for a Pledge Profile Factory account, use the administration tool for Pledge profiles.

Task

1 Go to the Pledge Profile Factory.

2 Click Register here.

3 In the Email field, type your email address.

The email address becomes the administrator user name for the Pledge Profile Factory account.

If you are an administrator creating a Pledge Profile Factory account for a customer, use your own email address.

4 In the Company field, type the name of your company.

Your company name becomes the name of the Pledge Profile Factory account.

If you are an administrator creating a Pledge Profile Factory account for a customer, use your own company's name.

5 In the Enter code from captcha field, type the captcha code, then click Register.

a When the Registration successful! message appears, click OK.

b Open the email sent to the administrator's email address.

c Click the registration link.

The Pledge Profile Factory registration window appears.

6 In the Email field, type the email address.

7 In the Enter code from captcha field, type the captcha code, then click Log in.

An email is sent to the administrator's email address, which includes the one‑time password.

8 In the Enter OTP (sent via mail) field, type the one‑time password, then click OK.

Customize the Pledge Corporate Profile

Using the Pledge Profile Factory, administrators can customize a corporate profile with background, logo, icon, button, background color, text color, PIN code length, and Profile TTL.

Changes made in the Pledge Profile Factory do not take effect until the end user is enrolled for a Pledge Profile.

Task

1 Click the Design tab, and configure the Profile design options.

2 Click the Settings tab, and configure the following options.

Option Definition

PIN length: Enables or disables PIN code protection of Pledge User Profiles. Pledge PIN code protection is used to enforce security when devices are not centrally managed and end users are not using a PIN code to protect their device. To disable this function, set to 0.

Profile TTL: Determines how long a Pledge User Profile XML message will be available for download from the Pledge Profile Factory. When an end user or administrator enrolls for a Pledge User Profile, the end user will have 120 minutes to download the Pledge User Profile on their device before it expires.

Support info: Customizable text message field, which is displayed on Pledge User Profiles. Use this text box to inform end users about Pledge security policies, where to find help, and how to contact support.

Allow Pledge Desktop: Enables or disables Pledge Desktop client requests to download Pledge Profiles.

3 Click Save.

4 Click Logout.

PIN code and support information options must be configured before the end user enrolls for a Pledge User Profile.

Request a Pledge web service account

To enroll in a Pledge web service account, request access from support.

Task

1 Send an email to [email protected] with the email address and company name used for Pledge Profile Factory registration.

2 Receive an email from McAfee support that contains the account name and password.

Configure the Pledge Enrollment database

The McAfee OTP database is used by the Pledge Enrollment web application to store Pledge OATH keys. This database can be any LDAP or SQL database.

Task

1 Start McAfee OTP.

Always right‑click and select Run as administrator when starting otpserver.exe on Windows servers.

The monitor appears.

2 Click Configuration.

3 In the select pane, select Databases, then click a database button in the configuration pane.

4 In the Database Display Name field, specify a unique, meaningful name.

5 Select the Uses HOTP or TOTP (OATH) checkbox.

6 In the Host Settings area, configure the settings.

7 In the Search Settings area:

a Click the ... button.

The Select BaseDN window appears.

b Select the container where user objects exist, then click OK.

c Click the Sample button, then select Microsoft Active Directory.

d Click OK | Yes.

8 In the Account Settings area:

a Click the ... button.

The McAfee Schema Selector window appears.

b Select an attribute, then click OK.


See also
Create an LDAP database on page 29
Create an SQL database on page 35

Configure the Pledge Enrollment client

The Pledge Enrollment service requires McAfee OTP to be configured with a corresponding McAfee OTP Native client.

Pledge Enrollment uses TCP port 3100.

Task

1 In the select pane, select the Clients object type, then select New Native Client in the configuration pane.

2 In the Name & Address area:

a In the Client Display name field, specify a unique, meaningful name.

b In the Client IP Address field, type 127.0.0.1.

3 From the User Database drop‑down list, select Pledge Enrollment Database.

4 Click the Advanced button.

The Native client name detection window appears.

5 Select the Enable name detection checkbox.

6 In the Client Name field, type a client name, and click OK.

See also Create a Native client on page 44

Enable the Pledge Enrollment services

Enable the Pledge Enrollment service, and configure it to use the newly created Pledge Enrollment database and the Web Service account received from support.

Before you begin

Verify that both the firewall on the server hosting McAfee OTP and the network firewalls allow TCP connections on port 443 to the Pledge Profile Factory address necs.nordicedge.se.

Task

1 In the select pane, expand the Misc object type, then select Pledge Enrollment.

2 From the OATH database drop‑down list, select the OATH database.

3 In the Pledge web services username field, type the user name received from McAfee support.

4 In the Pledge web services password field, type the password received from McAfee support.

5 In the Client Name Detection field, type the client name detection name.


6 Click Save Config.

To allow users to use Pledge User Profiles on more than one device, select the Allow user to enroll multiple profiles checkbox.

7 In the select pane, select Embedded HTTP Server.

8 Click the Enable Embedded HTTP Server checkbox, and click Save.

9 Click Start HTTP Service.

To protect the Pledge Enrollment service with SSL, select Enable SSL. If the Start HTTP Service button is not visible, restart McAfee OTP by closing the configuration window, then click Shutdown.

See also Configure the Pledge Enrollment options on page 65

Pledge Enrollment

The end user installs Pledge once, then downloads one or more shared secrets depending on the sites or companies they need access to.

Contents
• Requirements
• Self enrollment
• Administrator enrollment

Requirements

Verify that the following requirements are met to complete enrollment and successfully use Pledge.

Port connections

• Pledge Client application must have access to services.nordicedge.net on port 443 to download profiles from Pledge Profile Factory.

• Pledge Enrollment server must have access to necs.nordicedge.se on port 443 to make a web service connection to Pledge Profile Factory.

• Administrator workstation must have access to services.nordicedge.se on port 443 to log on to Pledge Profile Factory.

Supported end user devices

• iPhone

• Android

• Microsoft Windows Mobile

• Any mobile phone that supports Java Micro Edition (JME)


Self enrollment

An end user uses the following steps to create a Pledge User Profile.

Task

1 On a supported device, install the Pledge client application from:

• A website provided by McAfee

• An application store, such as the Apple AppStore or Android Market

2 Go to the Pledge Enrollment service.

3 To receive a Pledge Profile ID, enter the user name and password, then click Enroll.

The Pledge Profile ID number appears.

4 To test the Pledge Enrollment service, click Test Pledge Profile.

5 On the device, start the Pledge client application.

6 To add a profile, select +, and type the Pledge Profile ID.

7 On the Test Pledge OTP Profile page, enter the user name and one‑time password, then click Verify.

Administrator enrollment

Administrators can enroll a unique Pledge Profile ID for end users.

Task

1 Verify the end user has the Pledge Client installed on a supported device.

2 Go to the Pledge Enrollment service page.

a In the User name (admin) field, type the administrator user name.

b In the Password (admin) field, type the administrator password.

c In the Pledge user name field, type the end user's user name.

d Click Enroll.

The Pledge Profile ID appears.

3 Instruct the end user how to add the Pledge Profile ID in the Pledge Client application.

4 To test the profile, ask the end user for the one‑time password.


B Microsoft Forefront Threat Management Gateway integration

To enable strong authentication for web publishing with Microsoft TMG framework applications, integrate McAfee OTP with Microsoft Forefront Threat Management Gateway (Microsoft TMG).

Contents
• Installation
• Configuration
• Configure McAfee OTP Server for Microsoft TMG

Installation

Review the requirements and install the Microsoft TMG client for use with McAfee OTP.

Contents
• System requirements
• Install Microsoft TMG

System requirements

Verify that the following requirements are met to successfully integrate McAfee OTP with Microsoft TMG.

McAfee OTP

• Version 3 or later

• Must be configured before the filter can be used

Ports

• Access to an AD using LDAP/LDAPS (port 389 or 636).

• LDAP/LDAPS port must be opened from McAfee OTP server to the AD server.

• RADIUS port 1812 must be opened from the Microsoft TMG server to the McAfee OTP server.

• McAfee OTP port 3100 must be opened from Microsoft TMG server to the McAfee OTP server.

See also Configuring McAfee OTP on page 3


Install Microsoft TMG

Install the Microsoft TMG files on your system.

Task

1 Unzip the files in NE_OTP_TMG_ver1.0.zip, which includes these files:

File Definition

otpwebfilter.dll: The McAfee TMG web filter

usr_pwd_pcode.htm: McAfee OTP login template

nordicedge.js: McAfee OTP login JavaScript

dojo.js: AJAX JavaScript

otp.reg: Registry file to set the McAfee OTP address

2 Back up the logon page:

<tmg_home>\Templates\CookieAuthTemplates\ISA\HTML\usr_pwd_pcode.htm

Sample: C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\ISA\HTML\usr_pwd_pcode.htm

3 Copy files:

Copy the content of the tmg directory in NE_OTP_TMG_ver1.0.zip to the TMG server installation directory.

Sample: C:\Program Files\Microsoft Forefront Threat Management Gateway

4 Register the McAfee OTP web filter.

Register otpwebfilter.dll with the command:

regsvr32 otpwebfilter.dll

Configuration

To use Microsoft TMG with McAfee OTP, configure the options.

Parameters Description

OTPSERVERIP: McAfee OTP server host; all McAfee OTP names and ports, with the syntax "hostname:portnr:hostname2:portnr2". This value must match the order in the RADIUS TMG configuration.

Task

1 Edit otp.reg, and replace the IP address with the current IP address of the McAfee OTP server.

2 Run the .reg file on the TMG server.

Tasks
• Microsoft TMG configuration on page 87: Configure the settings for the Microsoft TMG Server Management tool.
• Configure advanced options on page 88: Configure the advanced options in the Microsoft TMG Server Management tool.


Microsoft TMG configuration

Configure the settings for the Microsoft TMG Server Management tool.

Task

1 Start the Microsoft TMG Server Management tool.

2 Open the web listener you want protected.

3 Click the Authentication tab.

4 Enable HTML Form Authentication.

5 Enable Collect additional delegation credentials in the form.

6 Click Configure Validation Server.

7 Add a McAfee OTP server.

If you are using multiple McAfee OTP servers, add each server individually, and ensure that the order of the servers matches the order configured in otp.reg.

a Click Add.

b Type the DNS name or IP address of McAfee OTP, and the server description.

c Type the shared secret.

• The shared secret must match the shared secret in McAfee OTP.

• If using multiple McAfee OTP servers for failover, lower the timeout to decrease the wait time during a failover.

For example, a value of three makes the TMG server try three times, waiting three seconds each time, for a total wait of nine seconds for the end user.

d Click OK.

8 Click Advanced.

9 Verify that Require all users to authenticate is enabled.

10 Click OK twice.

11 Select Configuration | Add‑ins.

12 Click Web Filters.

13 Verify that OTP authentication filter is listed, and placed before all other authentication filters.

14 Click Apply.

15 Restart the Microsoft Forefront TMG Firewall service.


Configure advanced options

Configure the advanced options in the Microsoft TMG Server Management tool.

Task

1 Click Advanced.

2 Verify that the Require all users to authenticate checkbox is selected.

3 Click OK twice.

4 Select Configuration | Add‑ins | Web Filters.

5 Click Apply.

6 Verify that OTP authentication filter is listed, and is prioritized before all other filters.

7 Restart Microsoft Forefront TMG Firewall.

Configure McAfee OTP Server for Microsoft TMG

To configure the settings for Microsoft TMG, use the McAfee OTP administration console.

Before you begin

Configure at least one delivery method if you are not using a software or hardware token OATH solution.

Task

1 In the select pane, select Clients | RADIUS.

2 In the configuration pane, verify that the port number is 1812.

Tasks
• Configure the Microsoft TMG client on page 88: Add the Microsoft TMG client for use with McAfee OTP.
• Configure a new database on page 89: Configure a new database for Microsoft TMG.

Configure the Microsoft TMG client

Add the Microsoft TMG client for use with McAfee OTP.

Task

1 To create the Microsoft TMG client type, use one of these options:

• In the select pane, right‑click the Clients object type, then select New Client from the context menu.

• In the select pane, select the Clients object type, then select New Client in the configuration pane.

2 In the Client Display Name field, type a unique, meaningful name.


3 In the Client IP Address field, type the IP address of the Microsoft TMG server.

• Do not specify a DNS name.

• You can specify multiple IP addresses by using a wildcard character.

4 Configure the remaining settings.

See also Configure the Clients object type on page 40

RADIUS Options

Use the configuration pane to configure the settings for the RADIUS client.

Option Definition

Shared Secret: Specifies the RADIUS client shared secret. The RADIUS client and the RADIUS client application must have the same shared secret. This must match the shared secret configured in the TMG server RADIUS configuration.

Supports RADIUS Access-Challenge: Deselect this checkbox.

Allow multiple user requests: Allows an end user to request one-time passwords from multiple RADIUS endpoints. This setting is useful when a single user requests one-time passwords from redundant VPN servers. This field is only available when the RADIUS client does not support the challenge-response protocol.

Auth. Server IP Address: Specifies the IP address of the Microsoft TMG server.

Configure a new database

Configure a new database for Microsoft TMG.

Task

1 Select the new database type by using one of these methods:

• In the select pane, right‑click the Databases object type, then select the type of database from thecontext menu.

• In the select pane, select the Databases object type, then select the type of database in theconfiguration pane.

2 In the Database Display Name field, specify a unique, meaningful name.

3 Configure the remaining settings.

4 Click OK twice.

5 Click Save Config.

See also Configure the Databases object type on page 28


C Configuring a cluster

Configure McAfee OTP in a cluster.

Contents
• Requirements
• McAfee OTP redundancy
• Configure McAfee OTP redundancy
• Configure the VPN Gateway or application with multiple McAfee OTP servers
• Test the McAfee OTP cluster
• McAfee OTP cluster configuration

Requirements

To configure a cluster, the following minimum requirements must be met.

• Two configured McAfee OTP servers

• McAfee OTP configured with SMS and/or Pledge


McAfee OTP redundancy

McAfee OTP supports full active-active clusters to allow users to log on with two-factor authentication to any of the McAfee OTP servers within the same cluster.

For example, when a user authenticates with a user name and password with McAfee OTP server 1, then the end user receives and enters the one-time password to McAfee OTP server 2 for verification.

Figure C-1 McAfee OTP redundancy

Configure McAfee OTP redundancy

To configure a cluster, each McAfee OTP server must point to all other McAfee OTP servers.

For this example:

• McAfee OTP server 1 points to McAfee OTP server 2.

• McAfee OTP server 2 points to McAfee OTP server 1.

Task

1 Configure McAfee OTP server 1.

a Open and edit C:\Program Files\NordicEdge\OTPServer3\hazelcast.xml.

If using UNIX/Linux, open and edit /opt/NordicEdge/OTPServer3/hazelcast.xml.

b Change tcp-ip enabled to true.

c Change interface to the IP address of McAfee OTP server 2.

In this case 192.168.92.183.

d Save and close the file.

e Restart McAfee OTP server 1.


2 Configure McAfee OTP server 2.

a Open and edit C:\Program Files\NordicEdge\OTPServer3\hazelcast.xml.

If using UNIX/Linux, open and edit /opt/NordicEdge/OTPServer3/hazelcast.xml.

b Change tcp-ip enabled to true.

c Change interface to the IP address of McAfee OTP server 2.

In this case 192.168.92.238.

d Save and close the file.

e Restart McAfee OTP server 2.

For more information about cluster configuration, go to the Hazelcast webpage.

McAfee OTP server 1 and 2 appear as a cluster.

Configure the VPN Gateway or application with multiple McAfee OTP servers

Configure the VPN Gateway or application to the McAfee OTP cluster.

In the following scenario, the McAfee OTP web test application is used to demonstrate how to configure two McAfee OTP servers with redundancy.

Task

1 Open the configuration for the McAfee OTP web test application: C:\inetpub\wwwroot\OTPServerWebTestApp\Web.config

2 Type the IP addresses to McAfee OTP server 1 and 2.

In this case 192.168.92.238:3100;192.168.92.183:3100

3 Save and close the file.

4 Restart the IIS server.

Test the McAfee OTP cluster

Test and verify the active-active cluster configuration.

Task

1 Go to the OTP Web Test App.

2 Type the user name and password.

3 Select SMS or Pledge, then click Login.

The OTPServer.exe window appears.

4 Shut down McAfee OTP server 1.


5 On the OTP Web Test App ‑ Custom Login page, type the one‑time password, then click Verify.

The Welcome to the OTP Protected Web Test App Site message and OTPServer.exe window appear.

6 Verify that the McAfee OTP server 2 successfully verified the one‑time password.

McAfee OTP cluster configuration

The group name and password option can be used to create separate clusters. For example, McAfee OTP server production and McAfee OTP server test.

<group>
  <name>ne-otp-prod</name>
  <password>SecretPassword</password>
</group>

With the tcp-ip option, you can configure one or many McAfee OTP servers, specific ports, or a range of IP addresses for the McAfee OTP servers in the cluster.

<tcp-ip enabled="true">
  <hostname>otpserver1.domainlocal</hostname>
  <hostname>otpserver2.domainlocal</hostname>
  <hostname>otpserver3.domainlocal:1980</hostname>
  <interface>192.168.1.21</interface>
  <interface>192.168.1.0-7</interface>
</tcp-ip>
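A cluster node that lists the wrong peers, or a different group name or password, silently forms a cluster of its own and the redundancy described in this appendix does not exist. The following Python block is an added example, not part of this guide or of Hazelcast, that reads the tcp-ip members out of a hazelcast.xml, expands the last-octet range form shown above, and checks the rule from "Configure McAfee OTP redundancy" that every McAfee OTP server points to every other one and shares the same group. The wrapping <hazelcast><network><join> elements and the default member port 5701 are assumptions about the surrounding Hazelcast file, which the guide does not show; the sample configuration is constructed from the two fragments above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: Hazelcast's default member port. The guide only shows ":1980" as an explicit override.
DEFAULT_PORT = 5701

# Constructed sample: the two fragments from this section, wrapped in the elements a
# full hazelcast.xml places them in (an assumption about the surrounding file).
SAMPLE_CONFIG = """<hazelcast>
  <group><name>ne-otp-prod</name><password>SecretPassword</password></group>
  <network><join>
    <tcp-ip enabled="true">
      <hostname>otpserver1.domainlocal</hostname>
      <hostname>otpserver2.domainlocal</hostname>
      <hostname>otpserver3.domainlocal:1980</hostname>
      <interface>192.168.1.21</interface>
      <interface>192.168.1.0-7</interface>
    </tcp-ip>
  </join></network>
</hazelcast>"""


def expand_interface(spec):
    """Expand the last-octet range form ('192.168.1.0-7') into concrete addresses."""
    if "-" in spec:
        prefix, last = spec.rsplit(".", 1)
        start, end = (int(x) for x in last.split("-"))
        addrs = ["%s.%d" % (prefix, i) for i in range(start, end + 1)]
    else:
        addrs = [spec]
    for addr in addrs:
        ipaddress.ip_address(addr)  # raises ValueError on a malformed entry
    return addrs


def parse_cluster_members(xml_text):
    """Return [(host, port), ...] for every member the tcp-ip section lists."""
    tcp = ET.fromstring(xml_text).find(".//tcp-ip")
    if tcp is None or tcp.get("enabled", "false").lower() != "true":
        raise ValueError("tcp-ip discovery is not enabled")
    members = []
    for node in tcp.findall("hostname"):
        host, _, port = node.text.strip().partition(":")
        members.append((host, int(port) if port else DEFAULT_PORT))
    for node in tcp.findall("interface"):
        members.extend((addr, DEFAULT_PORT) for addr in expand_interface(node.text.strip()))
    return members


def cluster_group(xml_text):
    """(group name, group password): nodes with different values form separate clusters."""
    root = ET.fromstring(xml_text)
    return root.findtext(".//group/name"), root.findtext(".//group/password")


def make_config(group_name, group_password, peers):
    """Build a minimal hazelcast.xml for one server that points at the given peers (constructed)."""
    hosts = "".join("<interface>%s</interface>" % p for p in peers)
    return ("<hazelcast><group><name>%s</name><password>%s</password></group>"
            "<network><join><tcp-ip enabled=\"true\">%s</tcp-ip></join></network></hazelcast>"
            % (group_name, group_password, hosts))


def check_cluster(configs):
    """configs maps each server's address to the text of its hazelcast.xml.

    Returns ('missing-peer', server, peer) for every peer a server does not list and
    ('group-mismatch', server, None) when its group name or password differs from the
    first server's, since either condition splits the cluster.
    """
    problems = []
    groups = {srv: cluster_group(xml) for srv, xml in configs.items()}
    reference = next(iter(groups.values()))
    for srv, xml in configs.items():
        listed = {host for host, _ in parse_cluster_members(xml)}
        for peer in configs:
            if peer != srv and peer not in listed:
                problems.append(("missing-peer", srv, peer))
        if groups[srv] != reference:
            problems.append(("group-mismatch", srv, None))
    return problems


if __name__ == "__main__":
    # The two servers from the guide's example, each pointing at the other.
    pair = {"192.168.92.238": make_config("ne-otp-prod", "SecretPassword", ["192.168.92.183"]),
            "192.168.92.183": make_config("ne-otp-prod", "SecretPassword", ["192.168.92.238"])}
    print("problems:", check_cluster(pair))
```

Run it against the hazelcast.xml files copied from each server before restarting the nodes; an empty list means every server lists every other and they agree on the group.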


D Web Service Client API (SOAP)

McAfee OTP exposes client functionality, corresponding to the McAfee OTP Native client API, as SOAP services.

Contents
• Setup
• Integration
• SOAP operations
• Commands
• Client code examples

Setup

Set up a Web Service SOAP client to use the Web Service API.

Before you begin
• A working knowledge of Web Services and the WSDL format.
• A client capable of communicating with a SOAP server.
• McAfee OTP version 3.1

Task

1 Select Misc | Embedded HTTP Server.

2 Verify that the embedded HTTP server is started and configured accordingly.

3 Configure a WS Client Name and WS Client Password for each Web Service client.

The WS Client Name and WS Client Password are used by the API to validate incoming requests.

Integration

Integrate with the API using the following information.

Code Generation from WSDL file

Many Web Services platforms include support for automatically generating complete client functionality or stub versions of the SOAP messages described in the WSDL file. For the Java platform, please see either the AXIS project at the Apache Foundation, or JAX-WS RI, for examples of such implementations.


The provided WSDL file (the WSDL that the Web Service will generate) is in the document/literal wrapped syntax. This is currently the interoperability leader and is supported by the majority of Web Services clients such as Metro, AXIS, gSoap, Websphere, and .NET.

The WSDL for these services may be downloaded from the following URL:

https://yourhost.yourdomain/neotp/otpws?wsdl

Integrating with the API with XML data

If no code generation is possible, integrate with the API at a lower level, and send the SOAP messagedirectly over HTTP.

Programming Language

When describing the functionality from a developer's view, this document focuses on the Java platform.

The Web Service itself is language agnostic. SOAP message examples are added when appropriate.

SOAP operations

The McAfee OTP Web Service API has two operations:

• getCommands

• getOTPObject

For more information about the API, please see the Java documentation.

Contents
• getCommands Operation
• getOTPObject

getCommands Operation

Get available commands for the McAfee OTP Web Service API.

Returns: Array of strings containing available commands to send to the McAfee OTP WS API.

The SOAP request message for the getCommands operation (the getCommands element carries no content, so it is written as an empty, self-closed element):

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getCommands xmlns:ns2="http://ws.nordicedge.se/"/>
  </S:Body>
</S:Envelope>

The SOAP response message for the getCommands operation:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getCommandsResponse xmlns:ns2="http://ws.nordicedge.se/">
      <command>requestAuthAndOTP</command>
      <command>requestOTP</command>
      <command>verifyOTP</command>
      <command>AuthenticateUser</command>
      <command>requestAuth</command>
      <command>getErrorDescription</command>
      <command>storeData</command>
      <command>fetchData</command>
      <command>removeData</command>
      <command>verifyOATHOTP</command>
      <command>requestPrefetchedOTP</command>
      <command>requestAdminPrefetchedOTP</command>
      <command>getAvailableUserAttributes</command>
      <command>getUserAttributeValue</command>
      <command>requestUserOATHKey</command>
      <command>updateOATHKey</command>
      <command>reloadServerConfiguration</command>
      <command>resyncOTPMobileCounter</command>
      <command>setConfiguration</command>
      <command>getConfiguration</command>
      <command>getCharset</command>
      <command>setCharset</command>
      <command>getWSVersion</command>
      <command>getClientVersion</command>
      <command>getServerVersion</command>
    </ns2:getCommandsResponse>
  </S:Body>
</S:Envelope>

getOTPObject

getOTPObject is the main operation of the API, and is used for all interactions with McAfee OTP.

For more information about the getOTPObject method, please see the Java documentation.


Table D-1 Java: getOTPObject

Parameter Type Description

obj (OtpWsRequest): An object containing all information needed for a specific command.

Returns: Object of type OtpWsResponse.

Example of a SOAP request message

1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3.   <S:Body>
4.     <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
5.       <otpWsRequest>
6.         <clientName>webServiceClientName</clientName>
7.         <clientPassword>webServiceClientPassword</clientPassword>
8.         <command>requestAuthAndOTP</command>
9.         <keyValueParameter>
10.          <key>userName</key>
11.          <value>ddarrell</value>
12.        </keyValueParameter>
13.        <keyValueParameter>
14.          <key>password</key>
15.          <value>secret</value>
16.        </keyValueParameter>
17.        <keyValueParameter>
18.          <key>message</key>
19.          <value>Your OTP : $$OTP$$</value>
20.        </keyValueParameter>
21.      </otpWsRequest>
22.    </ns2:getOTPObject>
23.  </S:Body>
24. </S:Envelope>

As seen in row 8, the command for McAfee OTP is requestAuthAndOTP; this command requires parameters such as userName and password. Refer to the Java documentation for further details.

Example of a SOAP response message

1. <?xml version="1.0" ?>
2. <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
3.   <S:Body>
4.     <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
5.       <otpWsRequest>
6.         <magicNr>HP1c8z</magicNr>
7.         <errorCode></errorCode>
8.         <errorDescription></errorDescription>
9.         <message></message>
10.        <status></status>
11.      </otpWsRequest>
12.    </ns2:getOTPObjectResponse>
13.  </S:Body>
14. </S:Envelope>

As seen in row 6, the magicNr is the only value returned for the requestAuthAndOTP command. Seethe java documentation for further details.

OtpWsRequest objectThe OtpWsRequest object is the request object for the getOTPObject operation/method.

Table D-2 Fields of OtpWsRequest object

Field               Type             Description
clientName          String           Web Service client name.
clientPassword      String           Web Service client password.
command             String           The command to be executed in McAfee OTP.
keyValueParameter   KeyValuePair[]   Contains the information needed by the requested command.
  key               String
  value             String

Example: OtpWsRequest object described in xml

<otpWsRequest>
  <clientName>webServiceClientName</clientName>
  <clientPassword>webServiceClientPassword</clientPassword>
  <command>requestAuthAndOTP</command>
  <keyValueParameter>
    <key>userName</key>
    <value>ddarrell</value>
  </keyValueParameter>
  <keyValueParameter>
    <key>password</key>
    <value>secret</value>
  </keyValueParameter>
  ...
</otpWsRequest>

OtpWsResponse object

The OtpWsResponse object is the response object for the getOTPObject operation/method.

Table D-3 Fields of OtpWsResponse object

Field               Type             Description
magicNr             String           The magic number that identifies this request. Pass it back in verifyOTP (or fetchData) so McAfee OTP can verify against it.
errorCode           String           Numerical error code; empty when the command succeeded.
errorDescription    String           Error description in plain text; empty when the command succeeded.
message             String           General message sent from McAfee OTP.
status              String           Status message sent from McAfee OTP.
keyValueParameter   KeyValuePair[]   Contains the information sent back from McAfee OTP, for example the result of a command.
  key               String
  value             String

Example: OtpWsResponse object described in xml

<otpWsRequest>
  <magicNr></magicNr>
  <errorCode></errorCode>
  <errorDescription></errorDescription>
  <message></message>
  <status></status>
  <keyValueParameter>
    <key>result</key>
    <value>UTF-8</value>
  </keyValueParameter>
  ...
</otpWsRequest>


Commands

A selection of commands is available for the getOTPObject operation. For more information about the API, see the Java documentation.

Required fields / xml elements

For all requests to the Web Service, three fields are required.

Table D-4 Required fields for all commands

Field            Type     Description
clientName       String   Web Service client name.
clientPassword   String   Web Service client password.
command          String   Command to be executed on the McAfee OTP server.

The keyValueParameter field is optional; which keys it must carry depends on the command, as listed for each command below.

requestAuthAndOTP

Requests authentication and the issuing of a one-time password from McAfee OTP.

To use this command, send one of these parameter sets:

• userName and password.

• userName, password, and attribName.

• userName, password, and message.

Table D-5 KeyValuePair / xml elements

Name (key)   Optional   Type     Description
userName     No         String   The user name, as a KeyValue object with key userName.
password     No         String   The user's password, as a KeyValue object with key password.
attribName   Yes        String   The attribute name that holds the user's challenge value, as a KeyValue object with key attribName.
message      Yes        String   The message to send to the client; use $$OTP$$ where the one-time password is to be inserted. Sent as a KeyValue object with key message.

Returns: the magic number, in the magicNr element of the response (see the response example below). Your application must retain it for the subsequent verifyOTP call, since it is what ties the OTP check to this request.

Example of the SOAP request message with userName and password:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <clientName>webServiceClientName</clientName>
        <clientPassword>webServiceClientPassword</clientPassword>
        <command>requestAuthAndOTP</command>
        <keyValueParameter>
          <key>userName</key>
          <value>ddarrell</value>
        </keyValueParameter>
        <keyValueParameter>
          <key>password</key>
          <value>secret</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObject>
  </S:Body>
</S:Envelope>

Example of the SOAP response message:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <magicNr>HP1c8z</magicNr>
        <errorCode></errorCode>
        <errorDescription></errorDescription>
        <message></message>
        <status></status>
      </otpWsRequest>
    </ns2:getOTPObjectResponse>
  </S:Body>
</S:Envelope>

verifyOTP

Verifies whether a one-time password is correct.

To use this command, send one of these parameter sets:

• magicNr, otp, and userName.

• magicNr and otp. If no userName was sent in the preceding request, see the requestOTP command.

Table D-6 KeyValuePair / xml elements

Name (key)   Optional   Type     Description
magicNr      No         String   The magic number received from requestAuthAndOTP.
otp          No         String   The one-time password received by the user and entered into your application.
userName     Yes        String   The user name of the user.

Returns: true if the one-time password is correct, false if it is not, in the keyValueParameter with key result (see the response example below). Treat anything other than the exact string true, including an empty or missing result or a populated errorCode, as a failed verification.

Example of the SOAP request message with userName, magicNr, and otp:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <clientName>webServiceClientName</clientName>
        <clientPassword>webServiceClientPassword</clientPassword>
        <command>verifyOTP</command>
        <keyValueParameter>
          <key>userName</key>
          <value>ddarrell</value>
        </keyValueParameter>
        <keyValueParameter>
          <key>magicNr</key>
          <value>HP1c8z</value>
        </keyValueParameter>
        <keyValueParameter>
          <key>otp</key>
          <value>7256</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObject>
  </S:Body>
</S:Envelope>

Example of the SOAP response message:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <magicNr></magicNr>
        <errorCode></errorCode>
        <errorDescription></errorDescription>
        <message></message>
        <status></status>
        <keyValueParameter>
          <key>result</key>
          <value>true</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObjectResponse>
  </S:Body>
</S:Envelope>

authenticateUser

Authenticates a user name and password, without issuing a one-time password.

Table D-7 KeyValuePair / xml elements

Name (key)   Optional   Type     Description
userName     No         String   The user name of the user.
password     No         String   The password.

Returns: the string ok in the keyValueParameter with key result if the user is authenticated (first response example below). Otherwise the result parameter is absent and errorCode and errorDescription are populated, as in the second response example below (error code 3, "User failed authentication").

Example of the SOAP request message with userName and password:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <clientName>webServiceClientName</clientName>
        <clientPassword>webServiceClientPassword</clientPassword>
        <command>authenticateUser</command>
        <keyValueParameter>
          <key>userName</key>
          <value>ddarrell</value>
        </keyValueParameter>
        <keyValueParameter>
          <key>password</key>
          <value>secret</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObject>
  </S:Body>
</S:Envelope>

Example of the SOAP response message with result: ok:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <magicNr></magicNr>
        <errorCode></errorCode>
        <errorDescription></errorDescription>
        <message></message>
        <status></status>
        <keyValueParameter>
          <key>result</key>
          <value>ok</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObjectResponse>
  </S:Body>
</S:Envelope>

Example of the SOAP response message with errorCode and errorDescription:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <magicNr></magicNr>
        <errorCode>3</errorCode>
        <errorDescription>User failed authentication</errorDescription>
        <message></message>
        <status></status>
      </otpWsRequest>
    </ns2:getOTPObjectResponse>
  </S:Body>
</S:Envelope>

getUserAttributeValue

Gets an attribute value for a user.

Table D-8 KeyValuePair / xml elements

Name (key)      Optional   Type     Description
userName        No         String   The user name of the user.
attributeName   No         String   The attribute name.

Returns: the user attribute value if available, otherwise an empty string, in the keyValueParameter with key result (see the response example below).

Example of the SOAP request message with userName and attributeName:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <clientName>webServiceClientName</clientName>
        <clientPassword>webServiceClientPassword</clientPassword>
        <command>getUserAttributeValue</command>
        <keyValueParameter>
          <key>userName</key>
          <value>ddarrell</value>
        </keyValueParameter>
        <keyValueParameter>
          <key>attributeName</key>
          <value>mail</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObject>
  </S:Body>
</S:Envelope>

Example of the SOAP response message:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <magicNr></magicNr>
        <errorCode></errorCode>
        <errorDescription></errorDescription>
        <message></message>
        <status></status>
        <keyValueParameter>
          <key>result</key>
          <value>[email protected]</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObjectResponse>
  </S:Body>
</S:Envelope>

storeData

Stores data in McAfee OTP, tied to a user.

Table D-9 KeyValuePair / xml elements

Name (key)   Optional   Type     Description
userName     No         String   The user name of the user.
data         No         String   The data to store.
persistant   No         String   Specifies whether the data should be stored persistently (true or false). Note the spelling of the key.

Returns: the magic number in the magicNr element, or 0 on failure (see the response example below). The magic number is the handle that fetchData needs to retrieve the data again.

Example of the SOAP request message:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <clientName>webServiceClientName</clientName>
        <clientPassword>webServiceClientPassword</clientPassword>
        <command>storeData</command>
        <keyValueParameter>
          <key>userName</key>
          <value>ddarrell</value>
        </keyValueParameter>
        <keyValueParameter>
          <key>data</key>
          <value>Some data to be stored</value>
        </keyValueParameter>
        <keyValueParameter>
          <key>persistant</key>
          <value>true</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObject>
  </S:Body>
</S:Envelope>

Example of the SOAP response message:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <magicNr></magicNr>
        <errorCode></errorCode>
        <errorDescription></errorDescription>
        <message></message>
        <status></status>
      </otpWsRequest>
    </ns2:getOTPObjectResponse>
  </S:Body>
</S:Envelope>

fetchData

Fetches data previously stored in McAfee OTP with storeData.

Table D-10 KeyValuePair / xml elements

Name (key)   Optional   Type     Description
userName     No         String   The user name of the user.
magicNr      No         String   The magic number returned by storeData.

Returns: the data in the keyValueParameter with key result, or an empty string on failure (see the response example below). Because an empty result also covers a failed fetch, check errorCode as well before trusting the value.

Example of the SOAP request message:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObject xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <clientName>webServiceClientName</clientName>
        <clientPassword>webServiceClientPassword</clientPassword>
        <command>fetchData</command>
        <keyValueParameter>
          <key>userName</key>
          <value>ddarrell</value>
        </keyValueParameter>
        <keyValueParameter>
          <key>magicNr</key>
          <value>7Xs4PW</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObject>
  </S:Body>
</S:Envelope>

Example of the SOAP response message:

<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <ns2:getOTPObjectResponse xmlns:ns2="http://ws.nordicedge.se/">
      <otpWsRequest>
        <magicNr></magicNr>
        <errorCode></errorCode>
        <errorDescription></errorDescription>
        <message></message>
        <status></status>
        <keyValueParameter>
          <key>result</key>
          <value>Some data to be stored</value>
        </keyValueParameter>
      </otpWsRequest>
    </ns2:getOTPObjectResponse>
  </S:Body>
</S:Envelope>

Client code examples

Use the basic client code examples as a starting point when you write a client in Java or C#.

The generated code differs depending on which Web Service engine you use to create the code stubs.

Java example for the requestAuthAndOTP command

The stubs used in this example are generated with the Java wsimport tool.

C# example for the requestAuthAndOTP command

The stubs used in this example are generated with Visual Studio 2010.

Ruby example for the requestAuthAndOTP command, using the SOAP abstraction library Savon

The Ruby client uses the SOAP abstraction library Savon.

For more information on Savon, go to the Savon website.
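The exchange described under requestAuthAndOTP, verifyOTP and authenticateUser, as an added Ruby example that is not the guide's own Java, C# or Savon listing. It uses only REXML from the Ruby standard library, builds the getOTPObject envelope exactly as shown in the SOAP examples above, and runs offline against a constructed stand-in server (fake_otp_server, an assumption for demonstration only; the element names, namespace, sample credentials, magic number HP1c8z and OTP 7256 are taken from this appendix). It also shows the two checks a practitioner should add around this API: escaping of user-supplied values so they cannot inject elements into the SOAP body, and fail-closed interpretation of the result parameter.

```ruby
require 'rexml/document'

# Added example, not the guide's Savon client: a small client for the
# getOTPObject operation, written against the SOAP messages in this
# appendix. No socket is opened; fake_otp_server is a constructed stand-in.
module OtpWs
  SOAP_NS = 'http://schemas.xmlsoap.org/soap/envelope/'
  WS_NS   = 'http://ws.nordicedge.se/'

  # Build a getOTPObject request envelope. Values are set through REXML,
  # which escapes <, > and & on output, so a user-supplied userName such
  # as "x</value><key>command" cannot inject elements into the body.
  def self.build_request(client_name, client_password, command, params = {})
    doc = REXML::Document.new
    doc << REXML::XMLDecl.new('1.0')
    env = doc.add_element('S:Envelope', 'xmlns:S' => SOAP_NS)
    op  = env.add_element('S:Body').add_element('ns2:getOTPObject', 'xmlns:ns2' => WS_NS)
    req = op.add_element('otpWsRequest')
    req.add_element('clientName').text     = client_name
    req.add_element('clientPassword').text = client_password
    req.add_element('command').text        = command
    params.each do |key, value|
      kv = req.add_element('keyValueParameter')
      kv.add_element('key').text   = key.to_s
      kv.add_element('value').text = value.to_s
    end
    doc.to_s
  end

  # Parse a getOTPObjectResponse into a Hash of the OtpWsResponse fields plus
  # a 'params' Hash of the keyValueParameter entries (body element: otpWsRequest).
  def self.parse_response(xml)
    body = REXML::XPath.first(REXML::Document.new(xml), '//otpWsRequest')
    raise ArgumentError, 'reply has no otpWsRequest element' unless body
    reply = {}
    %w[magicNr errorCode errorDescription message status].each do |name|
      el = body.elements[name]
      reply[name] = el ? el.text.to_s : ''
    end
    reply['params'] = {}
    body.elements.each('keyValueParameter') do |kv|
      reply['params'][kv.elements['key'].text.to_s] = kv.elements['value'].text.to_s
    end
    reply
  end

  # Fail closed: verifyOTP succeeded only if errorCode is empty and result
  # is exactly "true"; a missing result or any other string is a failure.
  def self.otp_verified?(reply)
    reply['errorCode'].empty? && reply['params']['result'] == 'true'
  end

  # authenticateUser: result "ok" on success; on failure result is absent
  # and errorCode/errorDescription are populated instead.
  def self.password_ok?(reply)
    reply['errorCode'].empty? && reply['params']['result'] == 'ok'
  end

  # Two-step login: requestAuthAndOTP, then verifyOTP with the returned magicNr
  # and the code the user typed. `transport` maps request XML to reply XML.
  def self.login(transport, client, secret, user_name, password, otp)
    step1 = parse_response(transport.call(build_request(client, secret, 'requestAuthAndOTP',
                                                        'userName' => user_name, 'password' => password)))
    return :password_rejected unless step1['errorCode'].empty? && !step1['magicNr'].empty?
    step2 = parse_response(transport.call(build_request(client, secret, 'verifyOTP',
                                                        'userName' => user_name, 'magicNr' => step1['magicNr'], 'otp' => otp)))
    otp_verified?(step2) ? :authenticated : :otp_rejected
  end
end

# Constructed stand-in for the McAfee OTP server (not real server code). It
# replays this appendix's example replies: password "secret" is accepted,
# magic number HP1c8z is issued, and only OTP 7256 verifies against it.
def fake_otp_server(request_xml)
  doc    = REXML::Document.new(request_xml)
  params = {}
  REXML::XPath.each(doc, '//keyValueParameter') { |kv| params[kv.elements['key'].text] = kv.elements['value'].text }
  failed = '<errorCode>3</errorCode><errorDescription>User failed authentication</errorDescription>'
  inner  =
    case REXML::XPath.first(doc, '//otpWsRequest/command').text
    when 'requestAuthAndOTP'
      params['password'] == 'secret' ? '<magicNr>HP1c8z</magicNr><errorCode></errorCode>' : failed
    when 'verifyOTP'
      ok = params['magicNr'] == 'HP1c8z' && params['otp'] == '7256'
      "<errorCode></errorCode><keyValueParameter><key>result</key><value>#{ok}</value></keyValueParameter>"
    when 'authenticateUser'
      params['password'] == 'secret' ? '<errorCode></errorCode><keyValueParameter><key>result</key><value>ok</value></keyValueParameter>' : failed
    end
  %(<?xml version="1.0"?><S:Envelope xmlns:S="#{OtpWs::SOAP_NS}"><S:Body>) +
    %(<ns2:getOTPObjectResponse xmlns:ns2="#{OtpWs::WS_NS}"><otpWsRequest>#{inner}</otpWsRequest>) +
    '</ns2:getOTPObjectResponse></S:Body></S:Envelope>'
end

p OtpWs.login(method(:fake_otp_server), 'webServiceClientName', 'webServiceClientPassword', 'ddarrell', 'secret', '7256') # => :authenticated
```

To talk to a real server, replace fake_otp_server with a callable that POSTs the request XML to the Web Service endpoint over TLS and returns the response body. Keep clientName and clientPassword out of source code: they authenticate your application to McAfee OTP for every command, including storeData and fetchData.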

