Advanced Authentication™ is a separate Micro Focus product that provides a multi-factor authentication solution to protect your sensitive data by using a chain of authentication methods.
Management and Security Server provides an optional Add-on to use the multi-factor capability. To enable the Advanced Authentication option, you must have both products installed and configured.
In brief, you must
Follow the detailed steps.
You can configure a chain of multiple authentication methods by using Micro Focus Advanced Authentication.
Refer to the Advanced Authentication Documentation to install and configure the product.
When configuring the Advanced Authentication product to work with Management and Security Server, these steps are required.
Install Micro Focus Advanced Authentication Server, noting theserver name (or IP address).
Configure the authentication Methods you wish to use for MSS authentication.
Options include LDAP password, Email one-time password (OTP), Time-limited one-time password (TOTP), Smartphone, and more.
Create a Chain.
Add your preferred methods in the order you want the user to encounter them as they log in.
Configure a customized Event and name it MSS.
The event name must match the hard-coded setting in Management and Security Server; thus, the name must be MSS.
A different name will not work.
After you obtain the separate license for Host Access Management and Security Server - Advanced Authentication Add-On, go to the Micro Focus download page (where you downloaded Management and Security Server).
Download the activation file, named activation.advanced_authentication-<version>.jaw.
In the MSS Administrative Console, first upload the activation file, and then establish trust between the Advanced Authentication server and the Management and Security Server.
Upload the activation file:
Log in to Management and Security Server.
Open the Administrative Console to Configure Settings - Product Activation.
Click Activate New.
Browse to and click the activation file you downloaded earlier: activation.advanced_authentication-<version>.jaw.
The file is installed and added to the list of Currently Installed products.
Establish trust between the Advanced Authentication server and the Management and Security Server:
In Management and Security Server, open Configure Settings - Authentication & Authorization.
Select Micro Focus Advanced Authentication as the authentication method.
If desired, select LDAP as the authorization method.
Import the Advanced Authentication server’s certificate:
Enter the Server name or IP address of the Advanced Authentication server, noted earlier, without a protocol. (That is, omit https://.)
For example, enter myserver.mycompany.com.
Note: The Advanced Authentication server uses Port 443, the default.
Click Import Certificate. A message displays to confirm whether the server is trusted.
NOTE:If you are presented with multiple certificates to import, it is best to choose the CA certificate.
If you see, “Failed to retrieve the certificate chain for the server,” be sure the server name is entered correctly. The host name must match the name in the server certificate.
By default, the Verify server identity option checks to make sure the host name is matched with the certificate from the Advanced Authentication server.
Note: When present, the SAN (Subject Alternative Name) in the Advanced Authentication server certificate is used, not the common name.
CAUTION:Clearing the Verify server identity check box is a security risk. Do not disable this feature unless you understand the risk.
With Verify server identity checked, click Test Connection.
The test is successful when the entry for the Advanced Authentication server is valid, and the server address is in the certificate.
If the test connection fails, troubleshoot as follows:
If you see, Advanced Authentication Failure - The hostname you entered does not match the server certificate, check the certificate in the Configure Settings - Trusted Certificates list.
Then, return to Configure Settings - Authentication & Authorization and correct the server name to match the SAN in the certificate.
For instance, a mismatch occurs when you enter the IP address, and the IP address is not in the certificate.
For more information, see trace.0.log. By default, trace.0.log is located in \ProgramData\Micro Focus\MSS\MSSData\log.
Use the LogViewer utility to view the trace log file. See Using Log Viewer.
When Test Connection succeeds, you are ready to use Advanced Authentication.
NOTE:If the first authentication request from MSS to the Advanced Authentication server fails, restart the MSS server to enable subsequent requests to succeed.