Securing Powertech Multi-Factor Authentication Connections

Powertech Multi-Factor Authentication supports TLS (Transport Layer Security/Secure Sockets Layer) communications to and from the Authentication Manager for both HelpSystems Insite and the IBM i Agent. The instructions in this topic describe how to configure these connections.

NOTE: In order to secure all HelpSystems Insite transactions, if you haven't already, complete the "Securing an IBM i Product Connection" instructions in the HelpSystems Insite User Guide to secure your Insite installation and Insite Product Connections.

Users who have already configured the Desktop Agent will need to update their Insite Server Address (to the new HTTPS address with the new port) after the HelpSystems Insite connection has been secured. See step 4c under User Setup Procedure.

Securing the IBM i Agent

Upon installation of the IBM i Agent software, Powertech Multi-Factor Authentication is registered as a Client Application within the IBM Digital Certificate Manager (DCM). A valid certificate must be imported into the IBM DCM to ensure the appropriate protection is used.

The following values are used during the registration process:

  • Application ID: PTECHMULTIFACTORAUTH
  • Application description: Powertech Multi-Factor Authentication

Once your Certificate Authority has been configured in the IBM DCM, no additional steps are required to configure the IBM i Agent connection. If the Powertech Multi-Factor Authentication Client Application is removed from the DCM, it can be restored using the program PMA3501. Use the following command to call this program (requires a profile with QSECOFR authority):

call ptmalib/pma3501

NOTE: If your organization does not already have a signed Certificate Authority, see Securing an IBM i Product Connection for help generating and importing a self-signed certificate.

Securing the Authentication Manager

The procedure for securing the Authentication Manager is almost identical to the procedure for securing HelpSystems Insite.

NOTE: After securing the Authentication Manager using these steps, users who authenticate using a mobile device will need to re-sync their Powertech Multi-Factor Authentication Mobile App.

  1. If you haven't yet installed the Powertech Multi-Factor Authentication Authentication Manager, do so now. See Installing the Authentication Manager and Data Services.
  2. Stop the Access Authentication Manager service. On Windows, run services.msc to open the Services Manager. Right-click Help Systems Powertech Multi-Factor Authentication Manager and choose Stop.
  3. Copy your Certificate Authority file to the Authentication Manager server. Do not store the Certificate Authority file within the Powertech Multi-Factor Authentication folder (as files within Powertech Multi-Factor Authentication folders are deleted and replaced while installing upgrades).
  4. Open the "server.xml" file located at C:\Program Files\Help Systems\Access Authenticator\AuthenticationManager\conf and edit it as follows:
    NOTE: You can edit the server.xml file with any text editor. Be sure to create a backup copy of the original file before editing. If you are not familiar with the XML format, we recommend using an XML-aware editor such as XML Notepad or Notepad++.
    1. Comment out the Connector element for protocol="HTTP/1.1" by wrapping it in <!-- and -->:
      <Connector SSLEnabled="false" compression="force" connectionTimeout="20000" port="3040" protocol="HTTP/1.1" scheme="http" secure="false"/>
    2. Add the following Connector element, replacing the your-ca-path/filename, your-ca-password and your-keystore-type placeholders with the values specific to your configuration:
      <Connector SSLEnabled="true" clientAuth="false" compression="force" keystoreFile="your-ca-path/filename" keystorePass="your-ca-password" keystoreType="your-keystore-type" maxHttpHeaderSize="32768" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />
  5. Save your changes to server.xml.
  6. Restart the Authentication Manager service.
  7. In Insite, navigate to the Powertech Multi-Factor Authentication Managers screen.
  8. Choose the Authentication Manager instance you have just configured and click Edit.
    1. Set the Port to 8443.
    2. Set UseSSL to On.
  9. Click Save to update the Authentication Manager settings.
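Before restarting the service, it is worth confirming that the server.xml edit actually produced what steps 4 through 8 expect. The script below is an added example, not part of this guide or of the Powertech product: it parses a Tomcat-style server.xml and checks that no plain-text Connector is still active, that the port 8443 Connector has SSLEnabled, scheme="https" and secure="true", that the keystore attributes are present and no longer hold the your-... placeholders, and that the keystore file is not stored under the product folder (which is wiped on upgrade). It also warns when sslEnabledProtocols still permits TLSv1 or TLSv1.1, which RFC 8996 deprecated; that warning goes beyond the guide's own text. The two server.xml documents and the C:/certs path are constructed samples.

```python
"""Sanity-check the Authentication Manager server.xml TLS edit (added example, not product code)."""
import xml.etree.ElementTree as ET

# Folder names from the default install path in the instructions; a keystore stored
# under either of them is deleted and replaced when an upgrade is installed.
INSTALL_PATH_MARKERS = ("access authenticator", "powertech multi-factor authentication")
# Prefix of the placeholders used in the instructions (your-ca-path, your-ca-password, ...).
PLACEHOLDER_PREFIX = "your-"
# Protocol versions deprecated by RFC 8996; reported as a warning, not an error.
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Constructed sample of a correctly edited server.xml (keystore path is made up).
GOOD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector SSLEnabled="false" compression="force" connectionTimeout="20000"
               port="3040" protocol="HTTP/1.1" scheme="http" secure="false"/>
    -->
    <Connector SSLEnabled="true" clientAuth="false" compression="force"
               keystoreFile="C:/certs/authmgr.pfx" keystorePass="example-keystore-secret"
               keystoreType="PKCS12" maxHttpHeaderSize="32768" port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"/>
  </Service>
</Server>
"""

# Constructed sample with three common mistakes: HTTP connector left active,
# placeholder password kept, keystore stored inside the product folder.
BAD_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector SSLEnabled="false" compression="force" connectionTimeout="20000"
               port="3040" protocol="HTTP/1.1" scheme="http" secure="false"/>
    <Connector SSLEnabled="true" clientAuth="false"
               keystoreFile="C:\\Program Files\\Help Systems\\Access Authenticator\\AuthenticationManager\\conf\\ca.pfx"
               keystorePass="your-ca-password" keystoreType="PKCS12" port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" sslEnabledProtocols="TLSv1.2"/>
  </Service>
</Server>
"""


def check_server_xml(xml_text, expected_port="8443"):
    """Return (errors, warnings) for the Connector elements in a server.xml document.

    Commented-out connectors are invisible to the XML parser, so every Connector
    the function sees is one that would actually listen.
    """
    errors, warnings = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A missing quote in the pasted block lands here; Tomcat would refuse the same file.
        return [f"server.xml is not well-formed XML: {exc}"], warnings

    tls = None
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            errors.append(f"plain-text connector on port {conn.get('port')} is still active; comment it out")
        elif conn.get("port") == expected_port:
            tls = conn

    if tls is None:
        errors.append(f"no SSLEnabled connector on port {expected_port}")
        return errors, warnings

    for attr, want in (("scheme", "https"), ("secure", "true")):
        if tls.get(attr) != want:
            errors.append(f'connector {expected_port}: {attr} should be "{want}", got {tls.get(attr)!r}')

    for attr in ("keystoreFile", "keystorePass", "keystoreType"):
        value = tls.get(attr)
        if not value:
            errors.append(f"connector {expected_port}: missing {attr}")
        elif value.lower().startswith(PLACEHOLDER_PREFIX):
            errors.append(f"connector {expected_port}: {attr} still holds the placeholder {value!r}")

    keystore_path = (tls.get("keystoreFile") or "").lower().replace("\\", "/")
    if any(marker in keystore_path for marker in INSTALL_PATH_MARKERS):
        errors.append("keystoreFile is inside the product folder and will be removed on upgrade")

    enabled = {p.strip() for p in tls.get("sslEnabledProtocols", "").split(",") if p.strip()}
    outdated = sorted(enabled & DEPRECATED_PROTOCOLS)
    if outdated:
        warnings.append(f"sslEnabledProtocols still allows deprecated {', '.join(outdated)}")

    return errors, warnings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML)):
        errs, warns = check_server_xml(doc)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  -", line)
```

To run it against a real installation, read the file from the conf path given in step 4 and pass its contents to check_server_xml; an empty error list means the connector section matches what the Insite settings in step 8 (Port 8443, UseSSL On) expect.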
