
Migrate LinOTP to privacyIDEA

The authentication system LinOTP 2 has been around since 2010. privacyIDEA is a fork, introduced in 2014, that features a more modern architecture.

This post explains how you can easily migrate all your authentication tokens and user settings to privacyIDEA. This is done by installing privacyIDEA with a copy of all your production data. The LinOTP installation is not modified, so you can test the migration and switch machines once everything works.

If you want to migrate another, proprietary OTP solution, please read this post.

Backup LinOTP data

Under the hood, privacyIDEA dropped the single-table configuration and uses dedicated database tables for logical structures like the resolver and realm definitions. So I recommend backing up your data and working on the backed-up copy.

First dump your LinOTP database to a file:

mysqldump -u linotp2 -p LinOTP2 > linotp2.sql

You can find the password of the database user “linotp2” in the file /etc/linotp2/linotp.ini.

Also copy the encryption key /etc/linotp2/encKey.

Install privacyIDEA

Perform a clean installation of privacyIDEA. You can follow any installation procedure in the online documentation.

Copy the encryption file to /etc/privacyidea/enckey. Note that privacyIDEA by default does not use the uppercase “K” anymore.

Look up and note the database URI SQLALCHEMY_DATABASE_URI in /etc/privacyidea/pi.cfg.


Create a local copy of LinOTP database

On the privacyIDEA server you can now create a copy of the LinOTP database.

# mysql -u root -p
mysql> create database linotpdump;
mysql> grant all privileges on linotpdump.* to "linotp"@"localhost" identified by "topSecret";


You now can use the database URI mysql://linotp:topSecret@localhost/linotpdump.

Migrate the data

Download the migration script from GitHub. In newer versions, the script may already be shipped with the privacyIDEA server.

In the script you need to adapt the lines

LINOTP_URI = "mysql://linotp2:testtest@localhost/LinOTP2"
PRIVACYIDEA_URI = "mysql://pi:pi@localhost/pi"

accordingly.

Now you can run the script:

python privacyidea-migrate-linotp.py

As privacyIDEA uses internal token administrators, you should set up your first administrator:

pi-manage admin add superuser

Now you can log in to the WebUI as superuser and check all tokens.

What data is migrated?

The migration script migrates the resolver definitions, the realm definitions and all token data with all user assignments. The resolvers and realms are stored in the new privacyIDEA style. The additional tokeninfo is stored in the new extra privacyIDEA tokeninfo table.
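After importing the dump into linotpdump and running the script, a check I would add (this is not part of the migration script or the original post) is to compare token serials and user assignments between the two databases. The table and column names (LinOTP `Token` with `LinOtpTokenSerialnumber`, `LinOtpUserid`, `LinOtpIdResolver`; privacyIDEA `token` with `serial`, `user_id`, `resolver`) are assumptions about the 2.x schemas, and the sample rows are constructed in sqlite3 so the check runs offline.

```python
import sqlite3

# Assumed LinOTP 2 / privacyIDEA 2.x column names; adjust if a query fails.
LINOTP_SQL = ("SELECT LinOtpTokenSerialnumber, LinOtpUserid, LinOtpIdResolver "
              "FROM Token")
PI_SQL = "SELECT serial, user_id, resolver FROM token"


def _rows(conn, sql):
    """Run a query on any DB-API connection (sqlite3 here, MySQLdb in production)."""
    cur = conn.cursor()
    cur.execute(sql)
    return cur.fetchall()


def _owner(user_id, resolver):
    """Normalise an assignment; NULL and empty string both mean unassigned."""
    return ((user_id or "").strip(), (resolver or "").strip())


def compare_tokens(linotp_conn, pi_conn):
    """Serials the script did not bring over, serials whose user assignment
    changed on the way, and serials that exist only in privacyIDEA."""
    src = {s: _owner(u, r) for s, u, r in _rows(linotp_conn, LINOTP_SQL)}
    dst = {s: _owner(u, r) for s, u, r in _rows(pi_conn, PI_SQL)}
    return {
        "missing": sorted(s for s in src if s not in dst),
        "reassigned": sorted(s for s in src if s in dst and src[s] != dst[s]),
        "extra": sorted(s for s in dst if s not in src),
    }


def build_demo():
    """Constructed in-memory stand-ins for the linotpdump and pi databases."""
    lin = sqlite3.connect(":memory:")
    lin.execute("CREATE TABLE Token (LinOtpTokenSerialnumber TEXT, "
                "LinOtpUserid TEXT, LinOtpIdResolver TEXT)")
    lin.executemany("INSERT INTO Token VALUES (?, ?, ?)", [
        ("OATH0001", "1001", "ldap1"),
        ("OATH0002", "1002", "ldap1"),
        ("TOTP0003", None, None),          # unassigned in LinOTP
    ])
    pi = sqlite3.connect(":memory:")
    pi.execute("CREATE TABLE token (serial TEXT, user_id TEXT, resolver TEXT)")
    pi.executemany("INSERT INTO token VALUES (?, ?, ?)", [
        ("OATH0001", "1001", "ldap1"),
        ("OATH0002", "", ""),              # assignment lost during migration
    ])
    return lin, pi


if __name__ == "__main__":
    print(compare_tokens(*build_demo()))
```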

Audit, System Config and Policies are not migrated. We recommend creating the policies in privacyIDEA anew.

Note: At the moment only LDAP resolvers are migrated. Please ask us for automatic migration of any other resolver type.


Lasting Two Factor Authentication with privacyIDEA

You may have read about NIST lately: NIST is updating its Digital Authentication Guideline.

NIST

NIST is the National Institute of Standards and Technology. It is part of the Department of Commerce of the United States and works on standards that are adopted by several governmental institutions and also by companies. It is a physical laboratory that deals with topics like earthquakes and fire protection, but also with standards in information technology. NIST, for example, played its role in defining the encryption standards DES and AES.

Digital Authentication Guideline

NIST classifies the use of SMS for authentication as deprecated.

NIST has now released a draft of its Digital Authentication Guideline. This guideline describes how to evaluate risks in authentication processes and also gives concrete countermeasures and advice. Two-factor authentication plays an important role.

The interesting and new part is that the draft SP800-63B explicitly points out the risks of Out-Of-Band authentication using SMS (text messages). In section 5.1.3.2 the usage of SMS is even denoted as deprecated!

OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.

No authentication technology lasts forever

We do not want to start bashing SMS. But we should be very well aware that no authentication technology is built for eternity or will withstand attackers forever. Technologies and processes we are using today may work very well – today. But tomorrow things may have changed, and these technologies and processes may be easily bypassed.

The conclusion should be: the authentication technology or authentication process in use must be replaceable. We should not rely on a product that only implements one authentication process – in this case SMS – because changing to another authentication process would then mean changing the complete software: the complete backend, the vendor, getting a completely new solution.

Ever-lasting authentication with privacyIDEA

This is why NetKnights relies on privacyIDEA, an authentication system that supports a broad variety of tokens and authentication devices, and thus of authentication technologies and processes. Of course privacyIDEA supports one-time passwords via SMS and email. But it also supports one-time passwords generated by smartphone apps, challenge-response mechanisms, many different kinds of OTP hardware devices, Yubikeys, and also X.509 certificates and SSH keys.

A company that uses privacyIDEA has no problem with the NIST guideline. It can simply enroll new token types for its users and smoothly move from SMS tokens to smartphone apps, hardware tokens or Yubikeys. No software needs to be evaluated and replaced, no vendor needs to be contacted and no processes need to be changed.

This way privacyIDEA helps to reduce administrative costs and also reduces the TCO. NetKnights provides different levels of service level agreements for privacyIDEA. We also help with the integration of privacyIDEA into the company network and deliver the appropriate tokens.

Just ask us.


privacyIDEA 2.11 with RADIUS Migration on Univention Corporate Server

privacyIDEA on Univention Corporate Server

privacyIDEA 2.11 is now available on the Univention Corporate Server. Using authentication policies, privacyIDEA can conditionally forward authentication requests to external RADIUS servers. This way you can set up easy migration scenarios for old, EOL OTP systems.

You can find more on the RADIUS forwarding in the release notes.

SLA and Subscription

privacyIDEA has been available in the App Center of the Univention Corporate Server for a while. This platform provides easy installation, maintenance and updates. To run privacyIDEA on the Univention Corporate Server you need a valid service level agreement. You may get your personal test subscription here.

privacyIDEA 2.11 released for easy migration

Today privacyIDEA 2.11 was released. This new version allows easy migration if you are running an old, proprietary 3rd party OTP solution.

Read more about easy OTP system migration with privacyIDEA.

If you hold a valid support contract, please do not hesitate to contact us with any question.

Migrate your OTP system

Dear reader,
please join an upcoming webcast about an exciting new feature of privacyIDEA. During the last week privacyIDEA received two awards for being an innovative open source product.

Webcast: Migrate your old OTP-System

On March 30th we will conduct a webcast in English to show you the new feature of the upcoming privacyIDEA 2.11 for easy OTP system migration. privacyIDEA 2.11 will come with a new policy that eases migration drastically! Please sign up for the webcast. If you prefer a webcast in German, you can sign up here.

privacyIDEA awarded the THOMAS-KRENN Award

The THOMAS-KRENN Award is a German award for innovative Open Source solutions. This weekend privacyIDEA took 2nd place in this award, winning honour, fame and 2000 Euros of server hardware.

privacyIDEA BEST OF 2016

privacyIDEA is among the “BEST OF 2016” in IT Security Software in a German innovation prize.


Webcast: Easy migration of your old OTP system to privacyIDEA

Using privacyIDEA 2.11 it is extremely easy to migrate your existing, old OTP system to privacyIDEA. privacyIDEA is the Open Source two-factor authentication system.

Webcast

On March, 30th at 5:30 PM (CET) you will learn how to do this.

Alternative German webcast

There is also a webcast in German language. To register with the German webcast, please change the language at the top of this webpage.


Migrating a proprietary OTP / two factor solution

Easy migration of an existing OTP system to privacyIDEA

Often customers decide to switch their existing, proprietary OTP / two-factor authentication system. They do it for several reasons. The existing system is too old and they get no useful updates anymore. Often the existing system is not flexible enough, and the tokens that run with this system do not comply with today's requirements. Companies merge and each company comes with its own proprietary authentication system. Sometimes the existing system is simply too expensive. And sometimes the customer prefers a transparent open source solution due to the increasing problems of trust and surveillance.

These are reasons, why customers decide to use privacyIDEA.

Today privacyIDEA already provides several possibilities to perform such a smooth migration, for example the RADIUS token. But starting with privacyIDEA version 2.11 there will be an even simpler migration scenario. privacyIDEA 2.11 will be released on March 18th. If you want to stay tuned, please subscribe to our newsletter.

Centrally defined RADIUS servers

With privacyIDEA 2.11 you get the possibility to centrally define RADIUS servers. This is similar to the possibility to define SMTP servers centrally, which was introduced in privacyIDEA 2.10.

Centrally defined RADIUS server “RSA SecurID”

These RADIUS server definitions can now be used within RADIUS tokens or policies!

Up to privacyIDEA 2.10 each user had to get their own RADIUS token. Such a RADIUS token points to the RADIUS server of the obsolete OTP system. As long as the user has no real OTP token within privacyIDEA, the user is authenticated against the obsolete OTP system.

One policy for all users

Starting with version 2.11 you can define a privacyIDEA policy based on this centrally defined RADIUS server.

The centrally defined RADIUS server “RSA SecurID” is used in the passthru-policy.

To do this, the existing passthru policy was enhanced. The passthru policy fires if a user has no token assigned within privacyIDEA. With the passthru policy the authentication request is forwarded to LDAP or AD or, new in version 2.11, to a centrally defined RADIUS server.

This means that you only need to define one single policy to start a smooth migration from your old OTP system to privacyIDEA. You can then enroll new tokens for the users within privacyIDEA step by step, without hurry and without a hard switch!
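To make concrete what the passthru policy hands over to the obsolete OTP system, here is a minimal RFC 2865 Access-Request builder and reply check, written for this post as an illustration and not taken from privacyIDEA, which uses its own RADIUS client. The shared secret, the NAS-Identifier value and the user/OTP values are constructed; the point for a migration is that the old system's shared secret is the only thing authenticating its answers, so a reply whose Response Authenticator does not verify has to be treated as a reject.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def _xor_stream(data, secret, authenticator, feed_output):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block).
    Encoding chains on the ciphertext it produces, decoding on the input."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if feed_output else chunk
    return out


def encode_user_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    return _xor_stream(padded, secret, authenticator, True)


def decode_user_password(cipher, secret, authenticator):
    return _xor_stream(cipher, secret, authenticator, False).rstrip(b"\x00")


def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(user, otp, secret, ident=1, authenticator=None):
    """The Access-Request a forwarder sends to the legacy system's RADIUS port."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, encode_user_password(otp.encode(), secret, authenticator))
             + attribute(NAS_IDENTIFIER, b"privacyidea-migration"))   # constructed value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret):
    """Reply as the legacy server signs it (no attributes): MD5 over the header,
    the request authenticator and the shared secret."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_is_authentic(response, request, secret):
    """Only a reply proving knowledge of the shared secret may count; otherwise a
    forged Access-Accept would let a user who has no token yet straight through."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```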

Migrate!

The scenario described in this post works flawlessly with all systems that provide a RADIUS server, including systems like Kobil, RSA SecurID, SafeNet and Vasco (in alphabetical order).

Just ask us!