5.6 Multi-factor Authentication

Sentinel supports MFA by integrating with any identity provider (IDP) software that supports the following:

  • Multi-factor authentication

  • SAML 2.0

For example, if you integrate Sentinel with Advanced Authentication™ in your environment, Advanced Authentication handles authentication while Sentinel handles authorization.

NOTE: Before you continue, ensure that you have read the enablement considerations and met all prerequisites. For more information, see Enablement Considerations and Prerequisites for MFA, Kerberos, and OAuth.

5.6.1 Using Advanced Authentication

This section provides the steps to integrate Sentinel with Advanced Authentication.

NOTE: Ensure that you are using a supported version of Advanced Authentication. For information about which versions of Advanced Authentication are supported, see Sentinel System Requirements.

  1. Log in to the Sentinel server as the novell user.

  2. In the /etc/opt/novell/sentinel/config directory, open the osp-configuration.properties file and add the following properties:

    • com.netiq.sentinel.osp.login.method = saml2

    • com.netiq.sentinel.osp.saml2.enabled = true

    • com.netiq.sentinel.osp.login.saml2.metadata-url = https://IDP_IPAddress/osp/a/TOP/auth/saml2/metadata

      Where IDP_IPAddress is the IP address for the server where Advanced Authentication is installed.

    • com.netiq.sentinel.osp.login.saml2.mapping-attr=mail

    • com.netiq.sentinel.osp.as.duplicate-resolution-naming-attr=mail

  3. Run the following command:

    touch /etc/opt/novell/sentinel/3rdparty/jetty/contexts/osp.xml

  4. To establish a trust relationship between Sentinel and Advanced Authentication, you need to generate a .jks file for the keystore that contains a self-signed certificate for Advanced Authentication.

    NOTE: You cannot use the existing Advanced Authentication certificate because it does not contain a subject alternative name.

    Complete the following steps:

    1. Go to the /opt/novell/sentinel/jdk/jre/bin directory.

    2. Create the .jks file for Advanced Authentication. Use the following command:

      ./keytool -genkey -keyalg RSA -alias AliasName -keystore FileName.jks -storepass Password -validity 360 -keysize 2048 -ext SAN=dns:Domain_Name,dns:IDP_DNS_Name,ip:IDP_IPAddress

      Where:

      • AliasName is the alias you want to assign to the certificate.

      • FileName is the name of the .jks file you want to create.

      • Password is the password to access the Advanced Authentication server.

      • Domain_Name is the domain name of the Advanced Authentication server.

      • IDP_DNS_Name is the DNS name of the Advanced Authentication server.

      • IDP_IPAddress is the IP address of the Advanced Authentication server.

      For example:

      ./keytool -genkey -keyalg RSA -alias selfsigned1 -keystore AA.jks -storepass password -validity 360 -keysize 2048 -ext SAN=dns:aff.com,dns:aucore-7941,ip:10.10.10.10

    3. Provide the appropriate answers to the questions the keytool command displays.

  5. To import the new keystore file into the Advanced Authentication keystore, you must first convert it to .pfx format. Complete the following steps:

    1. Go to the /opt/novell/sentinel/jdk/jre/bin directory.

    2. Run the following command:

      ./keytool -importkeystore -srckeystore FileName.jks -srcstoretype JKS -srcstorepass Password -destkeystore FileName1.pfx -deststoretype PKCS12 -deststorepass Password1

      Where:

      • FileName is the name of the file you want to convert.

      • Password is the password to access the JKS keystore.

      • FileName1 is the name of the file you want to create.

      • Password1 is the password you used to create the .jks file.

      For example:

      ./keytool -importkeystore -srckeystore AA.jks -srcstoretype JKS -srcstorepass password -destkeystore test.pfx -deststoretype PKCS12 -deststorepass password1

  6. To export the self-signed certificate from FileName.jks to a .cer file, complete the following steps:

    1. Go to the /opt/novell/sentinel/jdk/jre/bin directory.

    2. Use the following command:

      ./keytool -exportcert -keystore FileName.jks -alias AliasName -file FileName1.cer

      Where:

      • FileName is the name of the file you want to convert.

      • AliasName is the alias name you assigned to the certificate.

      • FileName1 is the name of the file you want to create.

      For example:

      ./keytool -exportcert -keystore AA.jks -alias selfsigned1 -file myAA.cer

  7. To import the new certificate file to the Sentinel server keystore, complete the following steps:

    1. Go to the /opt/novell/sentinel/jdk/jre/bin directory.

    2. Use the following command:

      ./keytool -importcert -file FileName.cer -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -alias AliasName

      Where:

      • FileName is the name of the certificate file you want to import.

      • AliasName is the new alias name you want to assign to the certificate in the Sentinel keystore.

      For example:

      ./keytool -importcert -file myAA.cer -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -alias myAA

  8. Log in to Advanced Authentication and complete the following steps:

    1. Navigate to Server Options.

    2. Upload the .pfx file you created previously, using the password you used for creating the .jks file.

    3. (Conditional) For Advanced Authentication 5.6 or prior, enable WebAuth.

      You do not have to enable WebAuth in Advanced Authentication 6.0 or later because it is enabled by default.

  9. On the Sentinel server, run the following command:

    touch /etc/opt/novell/sentinel/3rdparty/jetty/contexts/osp.xml

  10. To retrieve the SAML metadata from Sentinel, complete the following steps:

    1. In the /etc/opt/novell/sentinel/osp/WEB-INF/conf/current/siem/services directory, open the authcfg.xml file and modify the following property:

      failOnError="false"

    2. In your web browser, go to the following URL:

      https://DNS_Sentinel_server:Port/osp/a/siem/auth/saml2/spmetadata

      Where DNS_Sentinel_server is the FQDN of the Sentinel server and Port is the port Sentinel uses (typically 8443).

    3. Copy the SAML metadata and save it in a new sentinel.xml file.

  11. In Advanced Authentication, complete the following steps:

    1. Navigate to Events.

    2. Create a new event named SAML and upload the sentinel.xml file.

    3. (Optional) Create a new chain of authentication factors to replace the default Password only chain.

    4. Specify the IP address of the Advanced Authentication server in one of the following ways:

      • For Advanced Authentication 5.6 or prior versions:

        1. Navigate to Policies.

        2. Edit the SAML 2.0 policy.

        3. Specify the IP address of the Advanced Authentication server.

      • For Advanced Authentication 6.0 and later:

        1. Navigate to Policies.

        2. Edit the Web Authentication policy.

        3. Specify the IP address of the Advanced Authentication server.

    5. Navigate to Repositories and add the LDAP repository.

  12. (Conditional) Ensure that you add any additional authenticators that are required for the authentication chain. The default authentication chain includes the Email, OTP, LDAP password, Mobile ID, and RADIUS authentication methods. For more information, see the Advanced Authentication Administration Guide.

  13. (Conditional) If your authentication chain includes any authentication methods other than the default methods, have all users go to the Advanced Authentication Self-Service Portal (https://IDP_IP/account, where IDP_IP is the IP address of the Advanced Authentication server) and enroll in the additional authenticator methods defined in the authentication chain (for example, fingerprints, retinal scans, or security questions). For more information, see the Advanced Authentication User Guide.

  14. (Conditional) If you are using Sentinel in High Availability (HA) mode, log in to the active node of the HA cluster and run the following command:

    csync2 -x -v
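The keystore work in steps 4 through 7 of the procedure above, collected into one script as an added example; this is not code from the Sentinel documentation. It assumes the bundled keytool at /opt/novell/sentinel/jdk/jre/bin and the Sentinel web keystore path named in step 7; the alias, file names, host names, IP address and passwords in main are constructed placeholders taken from the guide's own examples. It also verifies the point made in the NOTE of step 4, that the generated certificate actually carries a subject alternative name, before the .pfx is produced.

```shell
#!/bin/sh
# Added example, not part of the Sentinel documentation: steps 4 to 7 of
# section 5.6.1 as shell functions around the bundled keytool.
# Assumed paths: the JDK keytool and the Sentinel web keystore as named in the guide.
# The alias, file names, host names, IP address and passwords in main are
# constructed placeholders matching the guide's examples.
set -eu

KEYTOOL=/opt/novell/sentinel/jdk/jre/bin/keytool
SENTINEL_KS=/etc/opt/novell/sentinel/config/.webserverkeystore.jks

# Build the -ext argument for step 4: a SAN listing the IDP domain name,
# DNS name and IP address (keytool takes a comma-separated dns:/ip: list).
build_san_ext() {           # domain dns_name ip
    printf 'SAN=dns:%s,dns:%s,ip:%s' "$1" "$2" "$3"
}

# Name of the PKCS12 file derived from the JKS file name (AA.jks -> AA.pfx).
pfx_name_for() {            # jks_file
    printf '%s.pfx' "${1%.jks}"
}

# Step 4: self-signed RSA key pair whose certificate carries the SAN.
# -dname answers the questions keytool would otherwise ask interactively (step 4.3).
generate_idp_keystore() {   # jks alias storepass domain dns_name ip
    "$KEYTOOL" -genkey -keyalg RSA -alias "$2" -keystore "$1" -storepass "$3" \
        -validity 360 -keysize 2048 -ext "$(build_san_ext "$4" "$5" "$6")" \
        -dname "CN=$5"
}

# Check for the NOTE in step 4: the certificate must contain a subject alternative name.
has_san() {                 # jks alias storepass
    "$KEYTOOL" -list -v -keystore "$1" -alias "$2" -storepass "$3" \
        | grep -q SubjectAlternativeName
}

# Step 5: convert the JKS keystore to PKCS12 for upload to Advanced Authentication (step 8).
convert_to_pfx() {          # jks storepass pfx pfxpass
    "$KEYTOOL" -importkeystore -srckeystore "$1" -srcstoretype JKS -srcstorepass "$2" \
        -destkeystore "$3" -deststoretype PKCS12 -deststorepass "$4"
}

# Step 6: export the self-signed certificate to a .cer file.
export_cert() {             # jks alias storepass cer_file
    "$KEYTOOL" -exportcert -keystore "$1" -alias "$2" -storepass "$3" -file "$4"
}

# Step 7: import the certificate into the Sentinel web server keystore.
# keytool prompts for the Sentinel keystore password, as in the guide.
import_into_sentinel() {    # cer_file alias
    "$KEYTOOL" -importcert -file "$1" -keystore "$SENTINEL_KS" -alias "$2"
}

main() {
    jks=AA.jks; alias=selfsigned1; pass=password   # placeholders from the guide's example
    generate_idp_keystore "$jks" "$alias" "$pass" aff.com aucore-7941 10.10.10.10
    has_san "$jks" "$alias" "$pass" || { echo "certificate in $jks has no SAN" >&2; exit 1; }
    # Step 8.2 uploads the .pfx with the .jks password, so reuse it for the PKCS12 file.
    convert_to_pfx "$jks" "$pass" "$(pfx_name_for "$jks")" "$pass"
    export_cert "$jks" "$alias" "$pass" myAA.cer
    import_into_sentinel myAA.cer myAA
}

# The keytool steps run only when explicitly requested; sourcing the file just defines the helpers.
if [ "${RUN_AA_TRUST_SETUP:-0}" = "1" ]; then
    main
fi
```

Run it as RUN_AA_TRUST_SETUP=1 sh aa-trust.sh from the /opt/novell/sentinel/jdk/jre/bin directory after replacing the placeholders in main with your own host names, IP address and passwords; the -dname value is what keytool would otherwise collect through its interactive questions, so set the CN to the DNS name clients will use.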

5.6.2 Configuring Sentinel in FIPS Mode to use Advanced Authentication

  1. Log in to the Sentinel server.

  2. Browse to the Sentinel bin directory.

  3. To import the Advanced Authentication certificate to the NSS database, complete the following steps:

    1. Copy the Advanced Authentication certificate to the Sentinel server.

    2. Import the Advanced Authentication certificate to the Sentinel server. Use the following command:

      ./convert_to_fips.sh -i /<location to certificate>/certificate_file

      For example:

      ./convert_to_fips.sh -i /opt/aaf.crt

  4. Run the following script:

    ./create_mfa_fips_keys.sh <nss_password/password_file>

    Where nss_password is the password for the NSS database and password_file is the file that stores the NSS password. Specify only one of these.

  5. Update the /etc/hosts file with the hostname of the Advanced Authentication server.

  6. In the /etc/opt/novell/sentinel/config directory, open the osp-configuration.properties file and modify the following property:

    com.netiq.sentinel.osp.login.saml2.metadata-url=https\://<IDP_Hostname>/osp/a/TOP/auth/saml2/metadata

    Where <IDP_Hostname> is the host name for the Advanced Authentication server.

  7. Restart the Sentinel server:

    rcsentinel restart

  8. (Conditional) If you are using Sentinel in High Availability (HA) mode, log in to the active node of the HA cluster and run the following command:

    csync2 -x -v

5.6.3 Using Other SAML 2.0 IDP Software

This section provides the steps to integrate Sentinel with any other SAML 2.0 IDP software.

  1. Log in to the Sentinel server as the novell user.

  2. In the /etc/opt/novell/sentinel/config directory, open the osp-configuration.properties file and add the following new properties:

    • com.netiq.sentinel.osp.login.method = saml2

    • com.netiq.sentinel.osp.saml2.enabled = true

    • com.netiq.sentinel.osp.login.saml2.metadata-url = https://IDP_IPAddress

      Where IDP_IPAddress is the IP address for the server where your IDP software is installed.

    • com.netiq.sentinel.osp.login.saml2.mapping-attr = mail

    • com.netiq.sentinel.osp.as.duplicate-resolution-naming-attr = mail

    • com.netiq.sentinel.osp.logout.saml2.landing-page=internal

  3. On the Sentinel server, run the following command:

    touch /etc/opt/novell/sentinel/3rdparty/jetty/contexts/osp.xml

  4. To retrieve the SAML metadata from Sentinel, go to the following URL:

    https://Sentinel_IP:Port/osp/a/siem/auth/saml2/spmetadata

    Where Sentinel_IP is the IP address of the Sentinel server and Port is the port Sentinel uses (typically 8443).

  5. Use the metadata to configure your IDP. For detailed instructions, see the documentation for your IDP software.

  6. To establish a trust relationship between Sentinel and your IDP software, you need to create self-signed certificates for both Sentinel and your IDP software. For detailed instructions about creating and importing certificates in your IDP software, see the documentation for your IDP software.

  7. On the Sentinel server, go to the /opt/novell/sentinel/jdk/jre/bin directory.

  8. Import the new certificate file to the Sentinel server keystore. Use the following command:

    ./keytool -importcert -file FileName.cer -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -alias AliasName

    Where:

    • FileName is the name of the certificate file you want to import.

    • AliasName is the new alias name you want to assign to the certificate in the Sentinel keystore.

  9. (Conditional) If you are using Sentinel in High Availability (HA) mode, log in to the active node of the HA cluster and run the following command:

    csync2 -x -v
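A check script for the osp-configuration.properties settings that step 2 of sections 5.6.1 and 5.6.3 adds, supplied here as an added example rather than code from the Sentinel documentation. It reads the Java properties format the file uses (both the "key = value" and "key=value" spellings, and the escaped https\:// that the FIPS procedures in 5.6.2 and 5.6.4 show), confirms the four fixed-value properties and an https metadata-url, and with the fips flag also requires a host name rather than an IP address in that URL, since the FIPS procedures put the IDP host name in /etc/hosts and in metadata-url. The file path is the one the guide names; the sample content written by write_sample_config is constructed for the example, with aucore-7941 as a placeholder host.

```shell
#!/bin/sh
# Added example, not part of the Sentinel documentation: checks that
# osp-configuration.properties carries the SAML 2.0 settings that step 2 of
# sections 5.6.1 and 5.6.3 adds, and (with the "fips" flag) that the
# metadata-url names a host, as the FIPS procedures in 5.6.2 and 5.6.4 do.
# The property file path is the guide's; the sample content is constructed.
set -eu

OSP_PROPS=/etc/opt/novell/sentinel/config/osp-configuration.properties

# Read the value of one key from a Java properties file. Accepts "key = value"
# and "key=value", takes the last definition, and unescapes "https\://".
prop_value() {              # file key
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/\\:/:/g'
}

# Returns 0 when every required property is present with the expected value.
# Pass "fips" as the second argument to also require a host name in metadata-url.
check_osp_saml_config() {   # file [fips]
    rc=0
    for kv in \
        com.netiq.sentinel.osp.login.method=saml2 \
        com.netiq.sentinel.osp.saml2.enabled=true \
        com.netiq.sentinel.osp.login.saml2.mapping-attr=mail \
        com.netiq.sentinel.osp.as.duplicate-resolution-naming-attr=mail
    do
        key=${kv%%=*}; want=${kv#*=}
        got=$(prop_value "$1" "$key")
        [ "$got" = "$want" ] || { echo "$key: got '$got', want '$want'"; rc=1; }
    done
    url=$(prop_value "$1" com.netiq.sentinel.osp.login.saml2.metadata-url)
    case $url in
        https://*) ;;
        *) echo "metadata-url must be an https URL, got '$url'"; rc=1 ;;
    esac
    if [ "${2:-}" = "fips" ]; then
        host=${url#https://}; host=${host%%/*}; host=${host%%:*}
        case $host in
            *[!0-9.]*) ;;   # something other than digits and dots: a host name
            *) echo "FIPS mode: metadata-url host '$host' is an IP address; use the host name from /etc/hosts"; rc=1 ;;
        esac
    fi
    return $rc
}

# Write a constructed sample file in the form the guide shows (placeholder host aucore-7941).
write_sample_config() {     # file
    printf '%s\n' \
        'com.netiq.sentinel.osp.login.method = saml2' \
        'com.netiq.sentinel.osp.saml2.enabled = true' \
        'com.netiq.sentinel.osp.login.saml2.metadata-url=https\://aucore-7941/osp/a/TOP/auth/saml2/metadata' \
        'com.netiq.sentinel.osp.login.saml2.mapping-attr=mail' \
        'com.netiq.sentinel.osp.as.duplicate-resolution-naming-attr=mail' > "$1"
}

# Usage: check the live file when it is readable, otherwise the constructed sample.
if [ -r "$OSP_PROPS" ]; then
    check_osp_saml_config "$OSP_PROPS" "${1:-}"
else
    tmp=$(mktemp); write_sample_config "$tmp"
    check_osp_saml_config "$tmp" fips && echo "sample configuration OK"
    rm -f "$tmp"
fi
```

On a Sentinel server, run sh check-osp-saml.sh after step 2 (or sh check-osp-saml.sh fips after the metadata-url change in the FIPS procedures); each missing or mismatched property is reported on its own line and the exit status is non-zero, which makes the check usable before the touch of osp.xml triggers a reload. Note that 5.6.3 also sets com.netiq.sentinel.osp.logout.saml2.landing-page=internal, which this script does not check because it is specific to that procedure.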

5.6.4 Configuring Sentinel in FIPS Mode to use SAML 2.0 IDP

  1. Log in to the Sentinel server.

  2. Browse to the Sentinel bin directory.

  3. Run the following script:

    ./create_mfa_fips_keys.sh <nss_password/password_file>

    Where nss_password is the password for the NSS database and password_file is the file that stores the NSS password. Specify only one of these.

  4. Update the /etc/hosts file with the hostname of your IDP server.

  5. In the /etc/opt/novell/sentinel/config directory, open the osp-configuration.properties file and modify the following property:

    com.netiq.sentinel.osp.login.saml2.metadata-url=https\://<IDP_Hostname>/osp/a/TOP/auth/saml2/metadata

    Where <IDP_Hostname> is the host name for your IDP server.

  6. To import the IDP server certificate to the NSS database, complete the following steps:

    1. Copy the IDP server certificate to the Sentinel server.

    2. Import the IDP server certificate to the Sentinel server. Use the following command:

      /usr/bin/certutil -A -d sql:/etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n SAMLIDP -i /<location to certificate>/FileName.crt

      For example:

      /usr/bin/certutil -A -d sql:/etc/opt/novell/sentinel/3rdparty/nss -t "CT,CT,CT" -n SAMLIDP -i /root/SAMLIDP.crt

  7. Run the following command:

    touch /etc/opt/novell/sentinel/3rdparty/jetty/contexts/osp.xml

  8. (Conditional) If you are using Sentinel in High Availability (HA) mode, log in to the active node of the HA cluster and run the following command:

    csync2 -x -v