Advanced Authentication™ is a separate Micro Focus product that provides a multi-factor authentication solution to protect your sensitive data by using a chain of authentication methods.
Management and Security Server provides an optional Add-on to use the multi-factor capability. To enable the Advanced Authentication option, you must have both products installed and configured.
In brief, you must
Follow the detailed steps.
You can configure a chain of multiple authentication methods by using Micro Focus Advanced Authentication.
Refer to the Advanced Authentication Documentation to install and configure the product.
When configuring the Advanced Authentication product to work with Management and Security Server, these steps are required.
Install Micro Focus Advanced Authentication Server, noting the server name (or IP address).
Configure the authentication Methods you wish to use for MSS authentication.
Options include LDAP password, Email one-time password (OTP), Time-limited one-time password (TOTP), Smartphone, and more.
Create a Chain.
Add your preferred methods in the order you want the user to encounter them as they log in.
Configure a customized Event and name it MSS.
The event name must match the hard-coded setting in Management and Security Server; thus, the name must be MSS.
A different name will not work.
After you obtain the separate license, go to the Micro Focus download page (where you downloaded Management and Security Server).
Download the activation file, named activation.advanced_authentication-<version>.jaw.
In the MSS, first upload the activation file, and then establish trust between the Advanced Authentication server and the Management and Security Server.
Upload the activation file:
Log in to.
Open the Administrative Console to.
Browse to and click the activation file you downloaded earlier: activation.advanced_authentication-<version>.jaw.
The file is installed and added to the list of products.
Establish trust between the Advanced Authentication server and the Management and Security Server:
In Management and Security Server, open.
Selectas the authentication method.
If desired, selectas the authorization method.
Import the Advanced Authentication server’s certificate:
Enter the name or IP address of the Advanced Authentication server, noted earlier, without a protocol. (That is, omit https://.)
For example, enter myserver.mycompany.com.
Note: The Advanced Authentication server uses , the default.
Click. A message displays to confirm whether the server is trusted.
NOTE: If you are presented with multiple certificates to import, it is best to choose the CA certificate.
If you see, “Failed to retrieve the certificate chain for the server,” be sure the server name is entered correctly. The host name must match the name in the server certificate.
By default, the option checks to make sure the host name matches the certificate from the Advanced Authentication server.
Note: When present, the SAN (Subject Alternative Name) in the Advanced Authentication server certificate is used, not the common name.
CAUTION: Clearing the check box is a security risk. Do not disable this feature unless you understand the risk.
Withchecked, click .
The test is successful when the entry for the Advanced Authentication server is valid, and the server address is in the certificate.
If the test connection fails, troubleshoot as follows:
If you see, “Advanced Authentication Failure - The hostname you entered does not match the server certificate,” check the certificate in the list.
Then, return toand correct the server name to match the SAN in the certificate.
For instance, a mismatch occurs when you enter the IP address, and the IP address is not in the certificate.
For more information, see trace.0.log. By default, trace.0.log is located in \ProgramData\Micro Focus\MSS\MSSData\log.
Use the Log Viewer utility to view the trace log file. See Using Log Viewer.
Whensucceeds, you are ready to use Advanced Authentication.
NOTE: If the first authentication request from MSS to the Advanced Authentication server fails, restart the MSS server to enable subsequent requests to succeed.
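The host name matching rules described above (SAN used instead of the common name when present, an IP address failing when it is not in the certificate, no protocol prefix) can be checked before you enter the server name. This is an added example, not code from Micro Focus or from MSS; the function names and sample certificates are constructed for illustration, and only exact matches are handled (no wildcard names).

```python
import ipaddress

# Constructed sample certificates, in the dict shape returned by
# ssl.SSLSocket.getpeercert(). Names are illustrative only.
CERT_WITH_SAN = {
    "subject": ((("commonName", "aa-internal"),),),
    "subjectAltName": (("DNS", "myserver.mycompany.com"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "myserver.mycompany.com"),),)}


def names_in_cert(cert):
    """Return (dns_names, ip_addresses) a host-name check would consult."""
    san = cert.get("subjectAltName", ())
    if san:  # SAN present: it is used, and the common name is ignored
        dns = [v.lower() for k, v in san if k == "DNS"]
        ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
        return dns, ips
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return cns, []  # no SAN: fall back to the common name


def check_server_entry(entry, cert):
    """Return (ok, reason) for a server name as typed into the MSS field."""
    entry = entry.strip()
    if "://" in entry:
        return False, "omit the protocol (for example, https://)"
    dns, ips = names_in_cert(cert)
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a host name
    if addr is not None:
        if addr in ips:
            return True, "IP address is in the certificate"
        return False, "IP address is not in the certificate"
    if entry.lower() in dns:
        return True, "host name is in the certificate"
    return False, "host name does not match the certificate"


if __name__ == "__main__":
    for entry in ("myserver.mycompany.com", "aa-internal", "192.0.2.10",
                  "https://myserver.mycompany.com"):
        print(entry, "->", check_server_entry(entry, CERT_WITH_SAN))
```

For a live server, ssl.SSLSocket.getpeercert() returns a dict of this shape after a verified TLS handshake.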