
Micro Focus Advanced Authentication

Advanced Authentication™ is a separate Micro Focus product that provides a multi-factor authentication solution to protect your sensitive data by using a chain of authentication methods.

MSS provides an optional Add-on to use the multi-factor capability with Micro Focus Windows emulation products.

Prerequisites

To enable the Advanced Authentication option, these products must be installed:

MSS

the Micro Focus Advanced Authentication product

the MSS Advanced Authentication Add-on product

Note

When using Micro Focus Windows emulation clients (Reflection Desktop, InfoConnect Desktop, and Rumba+ Desktop), Centralized Management must be enabled.


In brief, you must:

Step 1. Install and configure the Micro Focus Advanced Authentication product.

Step 2. Download the MSS Advanced Authentication Add-on activation file.

Step 3. Configure MSS to use Advanced Authentication.

Step 4. Trust the MSS endpoint on the Advanced Authentication server.


Detailed steps

Step 1. Install and configure the Micro Focus Advanced Authentication product

You can configure a chain of multiple authentication methods by using Micro Focus Advanced Authentication.

Refer to the Advanced Authentication Documentation to install and configure the product.

When configuring the Advanced Authentication product to work with Management and Security Server, these steps are required.

  1. Install Micro Focus Advanced Authentication Server, noting the server name (or IP address).

  2. Configure the authentication Methods you wish to use for MSS authentication.

    Options include LDAP password, Email one-time password (OTP), Time-limited one-time password (TOTP), Smartphone, and more.

  3. Create a Chain.

    Add your preferred methods in the order you want the user to encounter them as they log in.

  4. Configure a customized Event and name it MSS.

    The event name must match the hard-coded setting in Management and Security Server; thus, the name must be MSS.

    A different name will not work.

Step 2. Download the MSS Advanced Authentication Add-on activation file

After you obtain the separate license for Host Access Management and Security Server - Advanced Authentication Add-On, go to the Micro Focus download page (where you downloaded Management and Security Server).

Download the activation file, named activation.advanced_authentication-<version>.jaw.

Step 3. Configure MSS to use Advanced Authentication

Enable Advanced Authentication

  1. Log in to Management and Security Server (MSS).

  2. Enable OAuth.

  3. Open the Administrative Console to Configure Settings - Product Activation.

  4. Click ACTIVATE NEW.

  5. Browse to and click the activation file you downloaded earlier: activation.advanced_authentication-<version>.jaw.

    The file is installed and added to the list of Currently Installed products.

Configure Micro Focus Advanced Authentication

  1. In MSS, open Configure Settings - Authentication & Authorization.

  2. Select Micro Focus Advanced Authentication as the authentication method.

    If desired, select LDAP as the authorization method.

  3. Enter the Server name or IP address of the Advanced Authentication server without a protocol. (That is, omit https://.)

    For example, enter myserver.mycompany.com.

  4. Enter the Port (443 by default).

  5. Specify the Search Repositories, separated by commas, to use on the Advanced Authentication server.

    Users are defined in the search repositories.

  6. Click IMPORT CERTIFICATE. A message displays to confirm whether the server is trusted.

    • Even if the server is trusted, you need to confirm that the MFAA server identity certificate is imported into the MSS truststore. To see the list of certificates in the MSS truststore, go to Trusted Certificates > Management and Security Server.

      If the MFAA certificate is not in the list, add it by clicking Import on the Trusted Certificates page.

    • Import all certificates that are presented to you.

    Note

    If you see, “Failed to retrieve the certificate chain for the server,” be sure the server name is entered correctly. The host name must match the name in the server certificate.

  7. By default, the Verify server identity option checks that the host name you entered matches the certificate from the Advanced Authentication server.

    Note

    When present, the SAN (Subject Alternative Name) in the Advanced Authentication server certificate is used, not the common name.

    Caution

    Clearing the Verify server identity check box is a security risk. Do not disable this feature unless you understand the risk.

  8. With Verify server identity checked, click TEST CONNECTION.

    The test is successful when the entry for the Advanced Authentication server is valid, and the server address is in the certificate.

    • If the test connection fails, troubleshoot as follows:

      If you see, “Advanced Authentication Failure The hostname you entered does not match the server certificate,” check the certificate in the Configure Settings - Trusted Certificates list.

      Then, return to Configure Settings - Authentication & Authorization and correct the server name to match the SAN in the certificate.

      For instance, a mismatch occurs when you enter the IP address, and the IP address is not in the certificate.

    • For more information, see trace.0.log. By default, trace.0.log is located in \ProgramData\Micro Focus\MSS\MSSData\log.

  9. When TEST CONNECTION succeeds, click Apply to save the changes.

    Note

    If the first authentication request from MSS to the Advanced Authentication server fails, restart the MSS server to enable subsequent requests to succeed.

    If the Cluster DNS Name is updated after Micro Focus Advanced Authentication is configured, the configuration must be re-applied.
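
The host name rules in steps 3 and 6 through 8, as an added example (not MSS or Advanced Authentication code): a Python pre-check of the value you plan to enter in the Server name field against the names in the server certificate. It assumes standard TLS host name matching, which the product's own verifier may implement differently in detail; the function names and certificate values are constructed for illustration.

```python
import ipaddress

# Constructed certificate contents (not from a real server).
SAN_DNS = ["aaf.example.test", "*.auth.example.test"]
SAN_IPS = []                      # this certificate has no IP address entries
COMMON_NAME = "old-name.example.test"

def normalize_server_entry(entry):
    """Reject a protocol or path: the field takes a bare host name or IP."""
    entry = entry.strip()
    if "://" in entry or "/" in entry:
        raise ValueError("enter the server name without a protocol or path")
    return entry.rstrip(".").lower()

def _dns_match(pattern, host):
    """Match one certificate DNS name; '*' may only be the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def entry_matches_certificate(entry, san_dns=(), san_ips=(), common_name=None):
    """Return (ok, reason) for the value an administrator plans to enter."""
    host = normalize_server_entry(entry)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if san_dns or san_ips:        # SAN present: the common name is ignored
        if ip is not None:
            ok = any(ip == ipaddress.ip_address(i) for i in san_ips)
            return ok, "IP in SAN" if ok else "IP address not in certificate SAN"
        ok = any(_dns_match(d, host) for d in san_dns)
        return ok, "DNS name in SAN" if ok else "host name not in certificate SAN"
    if ip is None and common_name and _dns_match(common_name, host):
        return True, "matched common name (no SAN present)"
    return False, "no SAN and common name does not match"
```

With the constructed certificate above, entering the common name or an IP address fails because the SAN list is present and contains neither, which is the mismatch case the troubleshooting step describes.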

Step 4. Trust the MSS endpoint on the Advanced Authentication server

  1. Log in to the Advanced Authentication server Admin Console.

  2. Select Endpoints on the left menu.

  3. Select the MSS endpoint created for your server.

  4. Toggle "Is trusted" from OFF to ON.

  5. Click Save.

  6. Log in to the MSS Admin Console.

  7. Go to Cluster Management.

  8. Select Services and redeploy mss-auth-service.