Overview
PhenixID Multi Factor Authentication adds an extra security layer to protect your applications. When the user id and password have been successfully verified, a “One-Time Password” is sent to the user’s mailbox or mobile phone via SMS (Short Message Service). Only after this “One-Time Password” has been verified is the user authenticated to the application.
Requirements
- Novell GroupWise Webaccess 2014 R2
- PhenixID Server 2.x
- PhenixID GroupWise Integration Module Files
Integration module content – otp4gw2014.zip
otpwebaccess.jar – The PhenixID OTP login servlet
otpclient.jar – The PhenixID Legacy OTP Client API
login.jsp – Login page
login2.jsp – Response page
login.htt – Modified Webaccess template file
otpwebaccess.properties – Sample properties file
server.xml – Sample tomcat server.xml file
web.xml – Sample web.xml
Configuring PhenixID MFA
Configure Password Self Service scenario
Please follow the PPSS scenario in order to prepare the MFA server with some necessary components.
Reconfigure to enable the GroupWise integration
Reconfigure according to your requirements
Example:
{
  "name" : "com.phenixidentity~phenix-neotp",
  "enabled" : "true",
  "config" : {
    "guide_ref" : "defaultpss",
    "guide_id" : "guides.authentication.neotp.pss2"
  },
  "created" : "2017-03-24T12:25:52.567Z",
  "id" : "e0edec97-b68a-4f7c-9e6e-05d149b07c52"
}
{
  "id" : "defaultNeotpConfig",
  "config" : {
    "host" : "0.0.0.0",
    "port" : "3100"
  },
  "created" : "2017-03-24T12:28:13.725Z"
}
{
  "id" : "defaultPssNeotpListener",
  "name" : "NeotpListener",
  "config" : {
    "clientIP" : "127.0.0.1",
    "default_client_name" : "gw2014",
    "neotp_debug" : "false",
    "use_encryption" : "false",
    "session_ttl" : "4",
    "alias_ttl" : "3",
    "use_sms" : "true",
    "use_mail" : "false",
    "use_token" : "false",
    "username_as_alias" : "true"
  },
  "created" : "2017-03-24T12:28:16.470Z"
}
{
  "id" : "gw2014:STORE-DATA",
  "valves" : [
    {
      "name" : "StoreDataValve",
      "enabled" : "true",
      "config" : {
        "dest_id" : "gwUser",
        "key" : "data",
        "value" : "{{request.data}}"
      }
    }
  ]
},
{
  "id" : "gw2014:REQ-AUTH-OTP",
  "valves" : [
    {
      "name" : "LDAPSearchValve",
      "config" : {
        "connection_ref" : "9e15509b-9e86-4f51-b50f-909905ad3457",
        "base_dn" : "ou=Users,O=PhenixID",
        "scope" : "SUB",
        "size_limit" : "0",
        "filter_template" : "uid={{request.username}}",
        "attributes" : "mobile"
      }
    },
    {
      "name" : "OTPGeneratorValve",
      "config" : {
        "length" : "6",
        "alpha_numeric" : "false",
        "name" : "generated_otp",
        "valid_time_in_seconds" : "120"
      }
    },
    {
      "name" : "OTPBySMSValve",
      "config" : {
        "gw_username" : "tempkonto",
        "gw_password" : "{enc}lGiNo8t7CizMDpkSRmtmvtoXKPqw4iN4+3GGsQ4Xlak=",
        "recipient_param_name" : "mobile",
        "generated_otp_name" : "generated_otp",
        "use_flash" : "true"
      }
    }
  ]
},
{
  "id" : "gw2014:RESP",
  "valves" : [
    {
      "name" : "SessionLoadValve",
      "config" : {
        "id" : "{{request.Magic}}"
      }
    },
    {
      "name" : "OTPValidationValve",
      "config" : {
        "provided_otp_param_name" : "{{request.provided_otp}}",
        "generated_otp_param_name" : "generated_otp"
      }
    }
  ]
}
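How the REQ-AUTH-OTP and RESP pipelines fit together, as an added illustrative model that is not PhenixID code: the valve names and the length, alpha_numeric and valid_time_in_seconds values come from the configuration above, while the session store, the injected clock, the SMS outbox and the single-use rule are assumptions of the model.

```python
import hmac
import secrets
import string

# Values from the OTPGeneratorValve and NeotpListener config on this page.
OTP_CONFIG = {"length": 6, "alpha_numeric": False, "valid_time_in_seconds": 120}

def generate_otp(length: int, alpha_numeric: bool) -> str:
    """OTPGeneratorValve stand-in: CSPRNG-drawn digits (plus letters if alpha_numeric)."""
    alphabet = string.digits + (string.ascii_uppercase if alpha_numeric else "")
    return "".join(secrets.choice(alphabet) for _ in range(length))

class OtpSessionStore:
    """Keeps generated_otp per session id (the request.Magic value) with its expiry.
    The clock is injected so the expiry path can be exercised deterministically."""
    def __init__(self, now):
        self.now = now
        self.sessions = {}

    def req_auth_otp(self, magic: str, mobile: str, sms_outbox: list) -> None:
        """gw2014:REQ-AUTH-OTP after the LDAP lookup has yielded the user's mobile."""
        otp = generate_otp(OTP_CONFIG["length"], OTP_CONFIG["alpha_numeric"])
        self.sessions[magic] = {"generated_otp": otp,
                                "expires": self.now() + OTP_CONFIG["valid_time_in_seconds"]}
        sms_outbox.append((mobile, otp))  # OTPBySMSValve stand-in (constructed sink)

    def resp(self, magic: str, provided_otp: str) -> bool:
        """gw2014:RESP: SessionLoadValve then OTPValidationValve.
        Assumption of this model (not stated on the page): the stored OTP is consumed
        on the first attempt, so a wrong guess cannot be followed by retries."""
        session = self.sessions.pop(magic, None)
        if session is None or self.now() > session["expires"]:
            return False  # unknown session or OTP older than valid_time_in_seconds
        return hmac.compare_digest(session["generated_otp"], provided_otp)

def demo() -> dict:
    clock = [1000.0]
    store, outbox = OtpSessionStore(lambda: clock[0]), []
    mobile = "+46700000000"  # constructed sample number
    store.req_auth_otp("magic-1", mobile, outbox)
    # Wrong OTP first (letters cannot match a numeric OTP), then the real one: both fail.
    wrong_then_right = [store.resp("magic-1", "XXXXXX"), store.resp("magic-1", outbox[0][1])]
    store.req_auth_otp("magic-2", mobile, outbox)
    clock[0] += OTP_CONFIG["valid_time_in_seconds"] + 1  # step past the validity window
    expired = store.resp("magic-2", outbox[1][1])
    store.req_auth_otp("magic-3", mobile, outbox)
    fresh = store.resp("magic-3", outbox[2][1])
    return {"wrong_then_right": wrong_then_right, "expired": expired, "fresh": fresh}
```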
Installing the Integration Module
Install
Unzip the file otp4gw2014.zip
Copy the content of the directory gw to the application server, example:
Linux – /var/opt/novell/tomcat/webapps
Windows – C:\Novell\tomcat8\webapps
In login.jsp and login2.jsp, located in /gw/otp, there are paths to files in Webaccess (sample: /gw/webaccess/201512031048/images/favicon.ico). These paths change with the service pack level of GroupWise, so verify the 201512031048 part of the example above and adjust the paths to match your installation.
Copy otpwebaccess.properties from the sample directory to a directory on the server running the servlet engine (sample: /var/opt/novell/tomcat/conf)
Configure the integration module
web.xml
Edit the web.xml file on the servlet engine, located:
Linux – /var/opt/novell/tomcat/webapps/gw/WEB-INF/web.xml
Windows – C:\Novell\tomcat8\webapps\gw\WEB-INF\web.xml
and add the following at the start of the <web-app> section:
<filter>
  <filter-name>AuthenticationFilter</filter-name>
  <filter-class>se.nordicedge.otp.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>LOGIN_PAGE</param-name>
    <param-value>/otp/login.jsp</param-value>
  </init-param>
  <init-param>
    <param-name>DEBUG</param-name>
    <param-value>ON</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>AuthenticationFilter</filter-name>
  <url-pattern>/webacc</url-pattern>
</filter-mapping>
<servlet>
  <servlet-name>OTPWebaccess</servlet-name>
  <servlet-class>se.nordicedge.otp.OTPWebaccess</servlet-class>
  <init-param>
    <param-name>PROPFILE_PATH</param-name>
    <param-value>FULL_PATH_TO_YOUR\otpwebaccess.properties</param-value>
  </init-param>
  <init-param>
    <param-name>DEBUG</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>
And add the following at the end of the <web-app> section:
<servlet-mapping>
  <servlet-name>OTPWebaccess</servlet-name>
  <url-pattern>/OTPWebaccess</url-pattern>
</servlet-mapping>
Note! Make sure that the environment-specific parameters match the current environment. A sample web.xml is provided under the sample directory. In some Tomcat versions the url-pattern has to end with /*, like:
/OTPWebaccess/*
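A pre-restart sanity check for the web.xml entries above, added here and not part of the PhenixID module: it parses a constructed web.xml fragment and reports whether the filter guards /webacc, whether the servlet is mapped, whether PROPFILE_PATH still carries the placeholder and whether DEBUG is still switched on.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the edits described above, with the
# PROPFILE_PATH placeholder not yet replaced and both DEBUG switches still on.
SAMPLE_WEB_XML = """<web-app>
  <filter><filter-name>AuthenticationFilter</filter-name>
    <filter-class>se.nordicedge.otp.AuthenticationFilter</filter-class>
    <init-param><param-name>LOGIN_PAGE</param-name><param-value>/otp/login.jsp</param-value></init-param>
    <init-param><param-name>DEBUG</param-name><param-value>ON</param-value></init-param></filter>
  <filter-mapping><filter-name>AuthenticationFilter</filter-name><url-pattern>/webacc</url-pattern></filter-mapping>
  <servlet><servlet-name>OTPWebaccess</servlet-name>
    <servlet-class>se.nordicedge.otp.OTPWebaccess</servlet-class>
    <init-param><param-name>PROPFILE_PATH</param-name><param-value>FULL_PATH_TO_YOUR\\otpwebaccess.properties</param-value></init-param>
    <init-param><param-name>DEBUG</param-name><param-value>true</param-value></init-param></servlet>
  <servlet-mapping><servlet-name>OTPWebaccess</servlet-name><url-pattern>/OTPWebaccess</url-pattern></servlet-mapping>
</web-app>"""

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # ignore the xmlns a real Tomcat web.xml declares

def _text(parent, name: str) -> str:
    return next(((c.text or "").strip() for c in parent if _local(c.tag) == name), "")

def _init_params(elem) -> dict:
    return {_text(p, "param-name"): _text(p, "param-value")
            for p in elem if _local(p.tag) == "init-param"}

def check_web_xml(xml_text: str) -> dict:
    """Return {"ok": bool, "findings": [...]} for the OTP-related web.xml entries."""
    top = list(ET.fromstring(xml_text))
    by = lambda kind, key: {_text(e, key): e for e in top if _local(e.tag) == kind}
    filters, servlets = by("filter", "filter-name"), by("servlet", "servlet-name")
    fmap = {k: _text(e, "url-pattern") for k, e in by("filter-mapping", "filter-name").items()}
    smap = {k: _text(e, "url-pattern") for k, e in by("servlet-mapping", "servlet-name").items()}
    findings = []
    if fmap.get("AuthenticationFilter") != "/webacc":
        findings.append("AuthenticationFilter not mapped to /webacc: WebAccess reachable without OTP")
    if smap.get("OTPWebaccess") not in ("/OTPWebaccess", "/OTPWebaccess/*"):
        findings.append("OTPWebaccess servlet-mapping missing (some Tomcat versions need /OTPWebaccess/*)")
    sp = _init_params(servlets["OTPWebaccess"]) if "OTPWebaccess" in servlets else {}
    fp = _init_params(filters["AuthenticationFilter"]) if "AuthenticationFilter" in filters else {}
    if "FULL_PATH_TO_YOUR" in sp.get("PROPFILE_PATH", "FULL_PATH_TO_YOUR"):
        findings.append("PROPFILE_PATH still the placeholder: servlet cannot load otpwebaccess.properties")
    if fp.get("DEBUG", "").upper() in ("ON", "TRUE") or sp.get("DEBUG", "").lower() == "true":
        findings.append("DEBUG enabled on filter/servlet: switch off after testing to keep Tomcat logs lean")
    return {"ok": not findings, "findings": findings}
```

Run it against the real file with `check_web_xml(open(path).read())` before restarting Tomcat.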
webacc.cfg
Edit the webacc.cfg used by GroupWise Webaccess and change:
Logout.url=/gw/otp/login.jsp?OTPSTATUS=3
The file is located:
Linux – /var/opt/novell/groupwise/webaccess
Windows – C:\Novell\GroupWise\WebAccess
server.xml
Edit the Tomcat server.xml config, located:
Linux – /var/opt/novell/tomcat/conf
Windows – C:\Novell\tomcat8\conf
Enable the HTTP connector on port 8080. The connector section may not be enabled by default. There is a sample server.xml in the sample directory.
Apache / Reverse proxy
Edit the file gw.conf (sample /etc/opt/novell/httpd/conf.d) and add the following two lines:
ProxyPass /gw/OTPWebaccess ajp://localhost:9009/gw/OTPWebaccess
ProxyPass /gw/otp ajp://localhost:9009/gw/otp
otpwebaccess.properties
A sample otpwebaccess.properties can be found in the sample directory.
Note for Linux:
It’s important that the “file owner” of otpwebaccess.properties on a Linux installation is wwwrun and that the “file group” is www.
Testing
Restart the tomcat service and the PhenixID Server.
Go to http://YourGroupWiseServer/gw and try to authenticate.
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se