Micro Focus Advanced Authentication
Advanced Authentication™ is a separate Micro Focus product that provides a multi-factor authentication solution to protect your sensitive data by using a chain of authentication methods.
MSS provides an optional Add-on to use the multi-factor capability with Micro Focus Windows emulation products.
Note
Micro Focus Advanced Authentication is supported only by Micro Focus Windows emulation clients -- Reflection Desktop, InfoConnect Desktop, and Rumba+ Desktop -- with Centralized Management enabled.
The MSS Administrative Console login does not support Advanced Authentication.
Prerequisites
To enable the Advanced Authentication option, these products must be installed:
- your Micro Focus Windows emulator: Reflection Desktop, InfoConnect Desktop, or Rumba+ Desktop -- with Centralized Management enabled
- MSS
- the Micro Focus Advanced Authentication product
- the MSS Advanced Authentication Add-on product
In brief, you must:
Step 1. Install and configure the Micro Focus Advanced Authentication product.
Step 2. Download the MSS Advanced Authentication Add-on activation file.
Step 3. Configure MSS to use Advanced Authentication.
Detailed steps
Step 1. Install and configure the Micro Focus Advanced Authentication product
You can configure a chain of multiple authentication methods by using Micro Focus Advanced Authentication.
Refer to the Advanced Authentication Documentation to install and configure the product.
When configuring the Advanced Authentication product to work with Management and Security Server, these steps are required.
- Install Micro Focus Advanced Authentication Server, noting the server name (or IP address).
- Configure the authentication Methods you wish to use for MSS authentication. Options include LDAP password, Email one-time password (OTP), Time-limited one-time password (TOTP), Smartphone, and more.
- Create a Chain. Add your preferred methods in the order you want the user to encounter them as they log in.
- Configure a customized Event and name it MSS. The event name must match the hard-coded setting in Management and Security Server; thus, the name must be MSS. A different name will not work.
Step 2. Download the MSS Advanced Authentication Add-on activation file
After you obtain the separate license for Host Access Management and Security Server - Advanced Authentication Add-On, go to the Micro Focus download page (where you downloaded Management and Security Server).
Download the activation file, named activation.advanced_authentication-<version>.jaw.
Step 3. Configure MSS to use Advanced Authentication
In the MSS Administrative Console, first upload the activation file, and then establish trust between the Advanced Authentication server and the Management and Security Server.
Upload the activation file:
- Log in to Management and Security Server.
- Open the Administrative Console to Configure Settings - Product Activation.
- Click ACTIVATE NEW.
- Browse to and click the activation file you downloaded earlier: activation.advanced_authentication-<version>.jaw. The file is installed and added to the list of Currently Installed products.
Establish trust between the Advanced Authentication server and the Management and Security Server:
- In Management and Security Server, open Configure Settings - Authentication & Authorization.
- Select Micro Focus Advanced Authentication as the authentication method. If desired, select LDAP as the authorization method.
- Import the Advanced Authentication server’s certificate:
  a. Enter the Server name or IP address of the Advanced Authentication server, noted earlier, without a protocol. (That is, omit https://.) For example, enter myserver.mycompany.com.
     Note
     The Advanced Authentication server uses Port 443, the default.
  b. Click IMPORT CERTIFICATE. A message displays to confirm whether the server is trusted.
     Note
     If you are presented with multiple certificates to import, it is best to choose the CA certificate.
     If you see, “Failed to retrieve the certificate chain for the server,” be sure the server name is entered correctly. The host name must match the name in the server certificate.
- By default, the Verify server identity option checks to make sure the host name is matched with the certificate from the Advanced Authentication server.
  Note
  When present, the SAN (Subject Alternative Name) in the Advanced Authentication server certificate is used, not the common name.
  Caution
  Clearing the Verify server identity check box is a security risk. Do not disable this feature unless you understand the risk.
- With Verify server identity checked, click TEST CONNECTION. The test is successful when the entry for the Advanced Authentication server is valid, and the server address is in the certificate.
- If the test connection fails, troubleshoot as follows:
  - If you see, “Advanced Authentication Failure The hostname you entered does not match the server certificate,” check the certificate in the Configure Settings - Trusted Certificates list. Then, return to Configure Settings - Authentication & Authorization and correct the server name to match the SAN in the certificate. For instance, a mismatch occurs when you enter the IP address, and the IP address is not in the certificate.
  - For more information, see trace.0.log. By default, trace.0.log is located in \ProgramData\Micro Focus\MSS\MSSData\log.
- When TEST CONNECTION succeeds, you are ready to use Advanced Authentication.
Note
If the first authentication request from MSS to the Advanced Authentication server fails, restart the MSS server to enable subsequent requests to succeed.
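The Verify server identity rule described above (the SAN is used when present, not the common name, and an IP address that is not in the certificate is a mismatch), modelled as an added example that is not MSS or Micro Focus code. The certificate is a constructed dict in the shape returned by Python's ssl.SSLSocket.getpeercert(); the function names, the sample values, the common-name fallback when no SAN exists, and the wildcard rule are assumptions of this example.

```python
import ipaddress

# Constructed certificate, in the dict shape of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "aa-appliance"),),),
    "subjectAltName": (("DNS", "myserver.mycompany.com"),),
}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    # Case-insensitive. A leading "*." covers exactly one label: a general
    # TLS convention assumed here, not something the page states.
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_server_name(entered, cert):
    """Return (ok, reason) for a name as typed into the Server name field."""
    name = entered.strip()
    if "://" in name:
        return False, "remove the protocol prefix (enter the host only)"
    sans = cert.get("subjectAltName", ())
    if sans:
        # SAN present: the common name is not consulted at all.
        if _is_ip(name):
            ok = any(kind == "IP Address"
                     and ipaddress.ip_address(value) == ipaddress.ip_address(name)
                     for kind, value in sans)
        else:
            ok = any(kind == "DNS" and _dns_match(value, name)
                     for kind, value in sans)
        return ok, "matches SAN" if ok else "not in SAN; correct the server name"
    # No SAN: fall back to the subject common name.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_dns_match(cn, name) for cn in cns)
    return ok, "matches CN (certificate has no SAN)" if ok else "not in CN"

if __name__ == "__main__":
    for candidate in ("myserver.mycompany.com", "https://myserver.mycompany.com",
                      "10.0.0.15", "aa-appliance"):
        print(candidate, "->", check_server_name(candidate, SAMPLE_CERT))
```

Running the check against the names listed in the imported certificate before clicking TEST CONNECTION shows which entry to use, so the Verify server identity box can stay checked.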