author | mrpa <miruna.paun@enea.com> | 2021-11-23 16:42:37 +0100 |
---|---|---|
committer | mrpa <miruna.paun@enea.com> | 2021-11-23 16:46:57 +0100 |
commit | 3b9e846ec9418b0e6a48c6b6f707f8019c46eca0 (patch) | |
tree | d85943e1cf664eb6249f61d683af9cc0c72a7b27 | |
parent | 4b0de214a8be556955a49c772d2beebbfe9a7ac8 (diff) | |
download | nfv-access-documentation-3b9e846ec9418b0e6a48c6b6f707f8019c46eca0.tar.gz |
Added in the MFA security chapter and its image files.
Change-Id: I5e26d33aba88e84cb8a267b4a4decd2ceafe3994
Signed-off-by: mrpa <miruna.paun@enea.com>
-rw-r--r-- | doc/book-enea-edge-getting-started/doc/book.xml | 2 | ||||
-rw-r--r-- | doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png | bin | 0 -> 42259 bytes | |||
-rw-r--r-- | doc/book-enea-edge-getting-started/doc/images/mfa_login.png | bin | 0 -> 9012 bytes | |||
-rw-r--r-- | doc/book-enea-edge-getting-started/doc/security.xml | 124 | ||||
-rw-r--r-- | doc/eltf_params_updated.xml | 2 |
5 files changed, 127 insertions, 1 deletions
diff --git a/doc/book-enea-edge-getting-started/doc/book.xml b/doc/book-enea-edge-getting-started/doc/book.xml index 4aa2bfe..e0126ba 100644 --- a/doc/book-enea-edge-getting-started/doc/book.xml +++ b/doc/book-enea-edge-getting-started/doc/book.xml | |||
@@ -38,6 +38,8 @@ | |||
38 | 38 | ||
39 | <xi:include href="submaps.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> | 39 | <xi:include href="submaps.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> |
40 | 40 | ||
41 | <xi:include href="security.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> | ||
42 | |||
41 | <xi:include href="whitelabel.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> | 43 | <xi:include href="whitelabel.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> |
42 | 44 | ||
43 | <xi:include href="grafana.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> | 45 | <xi:include href="grafana.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> |
diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png new file mode 100644 index 0000000..c0230f5 --- /dev/null +++ b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png | |||
Binary files differ | |||
diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_login.png b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png new file mode 100644 index 0000000..79d9696 --- /dev/null +++ b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png | |||
Binary files differ | |||
diff --git a/doc/book-enea-edge-getting-started/doc/security.xml b/doc/book-enea-edge-getting-started/doc/security.xml new file mode 100644 index 0000000..c98014a --- /dev/null +++ b/doc/book-enea-edge-getting-started/doc/security.xml | |||
@@ -0,0 +1,124 @@ | |||
1 | <?xml version="1.0" encoding="UTF-8"?> | ||
2 | <chapter id="security"> | ||
3 | <title>Security</title> | ||
4 | |||
5 | <section id="mfa_security"> | ||
6 | <title>Authenticating using Multi-Factor Authentication</title> | ||
7 | |||
8 | <para>Enea Edge Management provides the ability to authenticate using the | ||
9 | MFA authentication method. This is offered as a two-step procedure: first, | ||
10 | the user enters the local user/password credentials. Then the security | ||
11 | token generated by Google Authenticator must be introduced. This is based | ||
12 | on a shared secret between the Enea Edge Management and the Google | ||
13 | Authenticator applications. The shared secret is a 32 character long | ||
14 | string that is presented to the user upon first login as a character | ||
15 | sequence and a QR code.</para> | ||
16 | |||
17 | <note> | ||
18 | <para>Configuring MFA will only be possible using the Web interface, and | ||
19 | not the REST API. Users with MFA enabled will not be able to log in | ||
20 | through the REST API. If attempted, a <literal>401</literal> HTTP code | ||
21 | will be returned, with the <literal>EMS-Error</literal> header | ||
22 | containing the <literal>EMS_UserMFAEnabled</literal> error.</para> | ||
23 | </note> | ||
24 | |||
25 | <section id="config_mfa"> | ||
26 | <title>Configuring User MFA</title> | ||
27 | |||
28 | <para>The administrator must enable MFA authentication for the desired | ||
29 | new user:</para> | ||
30 | |||
31 | <orderedlist> | ||
32 | <listitem> | ||
33 | <para>Access the <emphasis role="bold">Security</emphasis> tab and | ||
34 | choose the <emphasis role="bold">Configuration</emphasis> | ||
35 | menu.</para> | ||
36 | </listitem> | ||
37 | |||
38 | <listitem> | ||
39 | <para>Select the <emphasis role="bold">Add</emphasis> option, enter | ||
40 | the details for the new user and enable the <emphasis | ||
41 | role="bold">Enable MFA Login</emphasis> checkbox.</para> | ||
42 | </listitem> | ||
43 | </orderedlist> | ||
44 | |||
45 | <para>It is also possible to enable/disable MFA for existing users by | ||
46 | selecting the user and checking/unchecking the Enable MFA Login checkbox | ||
47 | in the right-hand side panel. Disabling MFA for a user will also clear | ||
48 | the secret from the database, therefore upon reenabling it the user will | ||
49 | be asked to configure a new shared secret. For more details on how to | ||
50 | configure a new shared secret, please see the following section.</para> | ||
51 | |||
52 | <para>All MFA information for enabled users will be preserved upon | ||
53 | upgrading or restoring the Enea Edge Management application.</para> | ||
54 | </section> | ||
55 | |||
56 | <section id="security_authentication"> | ||
57 | <title>Security Authentication</title> | ||
58 | |||
59 | <para>The user will enter his credentials (username and password) as in | ||
60 | a typical local authentication. He will then be redirected to a second | ||
61 | page that presents the secret as a QR code, that he must scan using the | ||
62 | Google Authenticator application. The secret is also presented in clear | ||
63 | text ready for copying and manual entry, in case scanning the QR code | ||
64 | does not work.</para> | ||
65 | |||
66 | <figure> | ||
67 | <title>Initial setup for Multi-Factor login</title> | ||
68 | |||
69 | <mediaobject> | ||
70 | <imageobject> | ||
71 | <imagedata align="center" | ||
72 | fileref="images/mfa_first_time_setup.png" scale="60" /> | ||
73 | </imageobject> | ||
74 | </mediaobject> | ||
75 | </figure> | ||
76 | |||
77 | <para>Once the scanning or manual entry is completed successfully, the | ||
78 | Edge Management and Google Authenticator applications have the same | ||
79 | secret configured. The Authenticator application will then offer a | ||
80 | security token as a six digit number that the user must enter on the | ||
81 | same page, in the Enea Edge Management application. If the token is | ||
82 | correct, authentication is successful. The six digit token is available | ||
83 | for a maximum of 30 seconds.</para> | ||
84 | |||
85 | <para>Subsequent logins will still be done using a two-step method. The | ||
86 | user will provide first his credentials, and on the second page the | ||
87 | token as generated by Google Authenticator.</para> | ||
88 | |||
89 | <figure> | ||
90 | <title>Second login</title> | ||
91 | |||
92 | <mediaobject> | ||
93 | <imageobject> | ||
94 | <imagedata align="center" fileref="images/mfa_login.png" | ||
95 | scale="80" /> | ||
96 | </imageobject> | ||
97 | </mediaobject> | ||
98 | </figure> | ||
99 | |||
100 | <note> | ||
101 | <para>If the shared secret is lost, it can be regenerated by the | ||
102 | administrator by disabling and re-enabling the MFA Login for the selected | ||
103 | user. For more information, please see <olink targetdoc="book_enea_edge_getting_started" | ||
104 | targetptr="config_mfa">Configuring User MFA in the <ns:include | ||
105 | href="../../s_docbuild/olinkdb/pardoc-names.xml" | ||
106 | xmlns:ns="http://www.w3.org/2001/XInclude" | ||
107 | xpointer="element(book_enea_edge_getting_started/1)" /></olink> Manual. When the | ||
108 | MFA Login is disabled, the secret is also erased from the | ||
109 | database.</para> | ||
110 | </note> | ||
111 | </section> | ||
112 | |||
113 | <section id="token_generators"> | ||
114 | <title>Supported Token Generators</title> | ||
115 | |||
116 | <para>Multi Factor Authentication in the Enea Edge Management | ||
117 | application is supported only for Google Authenticator.</para> | ||
118 | |||
119 | <para>The time on the server hosting the Enea Edge Management | ||
120 | application and the device holding the Authenticatior application must | ||
121 | be synchronized, within an error margin of 30 seconds.</para> | ||
122 | </section> | ||
123 | </section> | ||
124 | </chapter> \ No newline at end of file | ||
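Review bot: The recovery note at new lines 100-109, together with the paragraph on existing users at lines 45-50, describes resetting MFA by disabling and re-enabling it, but nowhere states that the new secret is then shown at the next password login (lines 13-15 and 59-64), so re-enrollment is protected by the password alone. Suggest adding a sentence telling the administrator to confirm the user's identity before the reset and to have the user log in and re-enroll immediately afterwards. Smaller points in the same file: "Authenticatior" at line 120 should be "Authenticator"; the token lifetime "maximum of 30 seconds" at lines 82-83 and the clock "error margin of 30 seconds" at line 121 read as if they could be the same limit and would benefit from one clarifying sentence; the statement that disabling MFA erases the secret appears twice (lines 47-48 and 107-109); the REST API note at lines 18-22 gives no guidance for accounts that need API access; and the file ends without a trailing newline.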
diff --git a/doc/eltf_params_updated.xml b/doc/eltf_params_updated.xml index 39755ef..593582d 100644 --- a/doc/eltf_params_updated.xml +++ b/doc/eltf_params_updated.xml | |||
@@ -11,7 +11,7 @@ | |||
11 | correct also compared to the "previous" REL VER in pardoc-distro.xml | 11 | correct also compared to the "previous" REL VER in pardoc-distro.xml |
12 | "prev_baseline".</bridgehead> | 12 | "prev_baseline".</bridgehead> |
13 | 13 | ||
14 | <para id="EneaEdge_REL_VER"><phrase>2.5.0</phrase></para> | 14 | <para id="EneaEdge_REL_VER"><phrase>2.6.0</phrase></para> |
15 | 15 | ||
16 | <para id="ENA_BUILD_VER"><phrase>1</phrase></para> | 16 | <para id="ENA_BUILD_VER"><phrase>1</phrase></para> |
17 | 17 | ||
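Review bot: The change of EneaEdge_REL_VER from 2.5.0 to 2.6.0 at line 14 is not mentioned in the commit message, which only describes the MFA chapter and its image files. Suggest either naming the version bump in the message or moving it to its own commit so the release change can be tracked and reverted independently of the documentation addition.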