Added in the MFA security chapter and its image files.

Change-Id: I5e26d33aba88e84cb8a267b4a4decd2ceafe3994
Signed-off-by: mrpa <miruna.paun@enea.com>

5 files changed, 127 insertions, 1 deletions

diff --git a/doc/book-enea-edge-getting-started/doc/book.xml b/doc/book-enea-edge-getting-started/doc/book.xml
index 4aa2bfe..e0126ba 100644
--- a/doc/book-enea-edge-getting-started/doc/book.xml
+++ b/doc/book-enea-edge-getting-started/doc/book.xml
@@ -38,6 +38,8 @@
 
   <xi:include href="submaps.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
 
+  <xi:include href="security.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+
   <xi:include href="whitelabel.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />  
 
   <xi:include href="grafana.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png
new file mode 100644
index 0000000..c0230f5
--- /dev/null
+++ b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png
diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_login.png b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png
new file mode 100644
index 0000000..79d9696
--- /dev/null
+++ b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png
diff --git a/doc/book-enea-edge-getting-started/doc/security.xml b/doc/book-enea-edge-getting-started/doc/security.xml
new file mode 100644
index 0000000..c98014a
--- /dev/null
+++ b/doc/book-enea-edge-getting-started/doc/security.xml
@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<chapter id="security">
+  <title>Security</title>
+
+  <section id="mfa_security">
+    <title>Authenticating using Multi-Factor Authentication</title>
+
+    <para>Enea Edge Management provides the ability to authenticate using the
+    MFA authentication method. This is offered as a two-step procedure: first,
+    the user enters the local user/password credentials. Then the security
+    token generated by Google Authenticator must be introduced. This is based
+    on a shared secret between the Enea Edge Management and the Google
+    Authenticator applications. The shared secret is a 32 character long
+    string that is presented to the user upon first login as a character
+    sequence and a QR code.</para>
+
+    <note>
+      <para>Configuring MFA will only be possible using the Web interface, and
+      not the REST API. Users with MFA enabled will not be able to log in
+      through the REST API. If attempted, a <literal>401</literal> HTTP code
+      will be returned, with the <literal>EMS-Error</literal> header
+      containing the <literal>EMS_UserMFAEnabled</literal> error.</para>
+    </note>
+
+    <section id="config_mfa">
+      <title>Configuring User MFA</title>
+
+      <para>The administrator must enable MFA authentication for the desired
+      new user:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>Access the <emphasis role="bold">Security</emphasis> tab and
+          choose the <emphasis role="bold">Configuration</emphasis>
+          menu.</para>
+        </listitem>
+
+        <listitem>
+          <para>Select the <emphasis role="bold">Add</emphasis> option, enter
+          the details for the new user and enable the <emphasis
+          role="bold">Enable MFA Login</emphasis> checkbox.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>It is also possible to enable/disable MFA for existing users by
+      selecting the user and checking/unchecking the Enable MFA Login checkbox
+      in the right-hand side panel. Disabling MFA for a user will also clear
+      the secret from the database, therefore upon reenabling it the user will
+      be asked to configure a new shared secret. For more details on how to
+      configure a new shared secret, please see the following section.</para>
+
+      <para>All MFA information for enabled users will be preserved upon
+      upgrading or restoring the Enea Edge Management application.</para>
+    </section>
+
+    <section id="security_authentication">
+      <title>Security Authentication</title>
+
+      <para>The user will enter his credentials (username and password) as in
+      a typical local authentication. He will then be redirected to a second
+      page that presents the secret as a QR code, that he must scan using the
+      Google Authenticator application. The secret is also presented in clear
+      text ready for copying and manual entry, in case scanning the QR code
+      does not work.</para>
+
+      <figure>
+        <title>Initial setup for Multi-Factor login</title>
+
+        <mediaobject>
+          <imageobject>
+            <imagedata align="center"
+                       fileref="images/mfa_first_time_setup.png" scale="60" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>Once the scanning or manual entry is completed successfully, the
+      Edge Management and Google Authenticator applications have the same
+      secret configured. The Authenticator application will then offer a
+      security token as a six digit number that the user must enter on the
+      same page, in the Enea Edge Management application. If the token is
+      correct, authentication is successful. The six digit token is available
+      for a maximum of 30 seconds.</para>
+
+      <para>Subsequent logins will still be done using a two-step method. The
+      user will provide first his credentials, and on the second page the
+      token as generated by Google Authenticator.</para>
+
+      <figure>
+        <title>Second login</title>
+
+        <mediaobject>
+          <imageobject>
+            <imagedata align="center" fileref="images/mfa_login.png"
+                       scale="80" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <note>
+        <para>If the shared secret is lost, it can be regenerated by the
+        administrator by disabling and re-enabling the MFA Login for the selected
+        user. For more information, please see <olink targetdoc="book_enea_edge_getting_started"
+    targetptr="config_mfa">Configuring User MFA in the <ns:include
+    href="../../s_docbuild/olinkdb/pardoc-names.xml"
+    xmlns:ns="http://www.w3.org/2001/XInclude"
+    xpointer="element(book_enea_edge_getting_started/1)" /></olink> Manual. When the
+        MFA Login is disabled, the secret is also erased from the
+        database.</para>
+      </note>
+    </section>
+
+    <section id="token_generators">
+      <title>Supported Token Generators</title>
+
+      <para>Multi Factor Authentication in the Enea Edge Management
+      application is supported only for Google Authenticator.</para>
+
+      <para>The time on the server hosting the Enea Edge Management
+      application and the device holding the Authenticatior application must
+      be synchronized, within an error margin of 30 seconds.</para>
+    </section>
+  </section>
+</chapter>
\ No newline at end of file
diff --git a/doc/eltf_params_updated.xml b/doc/eltf_params_updated.xml
index 39755ef..593582d 100644
--- a/doc/eltf_params_updated.xml
+++ b/doc/eltf_params_updated.xml
@@ -11,7 +11,7 @@
     correct also compared to the "previous" REL VER in pardoc-distro.xml
     "prev_baseline".</bridgehead>
 
-    <para id="EneaEdge_REL_VER"><phrase>2.5.0</phrase></para>
+    <para id="EneaEdge_REL_VER"><phrase>2.6.0</phrase></para>
 
     <para id="ENA_BUILD_VER"><phrase>1</phrase></para>