From 3b9e846ec9418b0e6a48c6b6f707f8019c46eca0 Mon Sep 17 00:00:00 2001 From: mrpa Date: Tue, 23 Nov 2021 16:42:37 +0100 Subject: Added in the MFA security chapter and its image files. Change-Id: I5e26d33aba88e84cb8a267b4a4decd2ceafe3994 Signed-off-by: mrpa --- doc/book-enea-edge-getting-started/doc/book.xml | 2 + .../doc/images/mfa_first_time_setup.png | Bin 0 -> 42259 bytes .../doc/images/mfa_login.png | Bin 0 -> 9012 bytes .../doc/security.xml | 124 +++++++++++++++++++++ doc/eltf_params_updated.xml | 2 +- 5 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png create mode 100644 doc/book-enea-edge-getting-started/doc/images/mfa_login.png create mode 100644 doc/book-enea-edge-getting-started/doc/security.xml diff --git a/doc/book-enea-edge-getting-started/doc/book.xml b/doc/book-enea-edge-getting-started/doc/book.xml index 4aa2bfe..e0126ba 100644 --- a/doc/book-enea-edge-getting-started/doc/book.xml +++ b/doc/book-enea-edge-getting-started/doc/book.xml @@ -38,6 +38,8 @@ + + diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png new file mode 100644 index 0000000..c0230f5 Binary files /dev/null and b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png differ diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_login.png b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png new file mode 100644 index 0000000..79d9696 Binary files /dev/null and b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png differ diff --git a/doc/book-enea-edge-getting-started/doc/security.xml b/doc/book-enea-edge-getting-started/doc/security.xml new file mode 100644 index 0000000..c98014a --- /dev/null +++ b/doc/book-enea-edge-getting-started/doc/security.xml @@ -0,0 +1,124 @@ + + + Security + +
+ Authenticating using Multi-Factor Authentication + + Enea Edge Management provides the ability to authenticate using the + MFA authentication method. This is offered as a two-step procedure: first, + the user enters the local user/password credentials. Then the security + token generated by Google Authenticator must be introduced. This is based + on a shared secret between the Enea Edge Management and the Google + Authenticator applications. The shared secret is a 32 character long + string that is presented to the user upon first login as a character + sequence and a QR code. + + + Configuring MFA will only be possible using the Web interface, and + not the REST API. Users with MFA enabled will not be able to log in + through the REST API. If attempted, a 401 HTTP code + will be returned, with the EMS-Error header + containing the EMS_UserMFAEnabled error. + + +
+ Configuring User MFA + + The administrator must enable MFA authentication for the desired + new user: + + + + Access the Security tab and + choose the Configuration + menu. + + + + Select the Add option, enter + the details for the new user and enable the Enable MFA Login checkbox. + + + + It is also possible to enable/disable MFA for existing users by + selecting the user and checking/unchecking the Enable MFA Login checkbox + in the right-hand side panel. Disabling MFA for a user will also clear + the secret from the database, therefore upon reenabling it the user will + be asked to configure a new shared secret. For more details on how to + configure a new shared secret, please see the following section. + + All MFA information for enabled users will be preserved upon + upgrading or restoring the Enea Edge Management application. +
+ +
+ Security Authentication + + The user will enter his credentials (username and password) as in + a typical local authentication. He will then be redirected to a second + page that presents the secret as a QR code, that he must scan using the + Google Authenticator application. The secret is also presented in clear + text ready for copying and manual entry, in case scanning the QR code + does not work. + +
+ Initial setup for Multi-Factor login + + + + + + +
+ + Once the scanning or manual entry is completed successfully, the + Edge Management and Google Authenticator applications have the same + secret configured. The Authenticator application will then offer a + security token as a six digit number that the user must enter on the + same page, in the Enea Edge Management application. If the token is + correct, authentication is successful. The six digit token is available + for a maximum of 30 seconds. + + Subsequent logins will still be done using a two-step method. The + user will provide first his credentials, and on the second page the + token as generated by Google Authenticator. + +
+ Second login + + + + + + +
+ + + If the shared secret is lost, it can be regenerated by the + administrator by disabling and re-enabling the MFA Login for the selected + user. For more information, please see Configuring User MFA in the Manual. When the + MFA Login is disabled, the secret is also erased from the + database. + +
+ +
+ Supported Token Generators + + Multi Factor Authentication in the Enea Edge Management + application is supported only for Google Authenticator. + + The time on the server hosting the Enea Edge Management + application and the device holding the Authenticatior application must + be synchronized, within an error margin of 30 seconds. +
+
+
\ No newline at end of file diff --git a/doc/eltf_params_updated.xml b/doc/eltf_params_updated.xml index 39755ef..593582d 100644 --- a/doc/eltf_params_updated.xml +++ b/doc/eltf_params_updated.xml @@ -11,7 +11,7 @@ correct also compared to the "previous" REL VER in pardoc-distro.xml "prev_baseline". - 2.5.0 + 2.6.0 1
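Review bot: In the new security.xml, the "Supported Token Generators" section misspells "Authenticatior"; it should read "Authenticator". In the same file, the clock-synchronization paragraph allows an error margin of 30 seconds while the "Security Authentication" section states the six-digit token is available for a maximum of 30 seconds; please state explicitly whether a token from the adjacent 30-second window is accepted, because as written a reader cannot tell how much drift makes login fail. The "Security Authentication" section also says the shared secret is displayed in clear text on the first-login page; consider adding that the secret is treated as sensitive and that losing it requires the administrator-driven disable/re-enable procedure described later in the section, so readers know the first-login page is where it must be captured. Minor: "reenabling" and "re-enabling", and "Multi Factor" and "Multi-Factor", are both used within the file; pick one spelling. The cross-reference "please see Configuring User MFA in the Manual" points at a section of this same chapter, so "in this chapter" would be more accurate.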
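Review bot: The eltf_params_updated.xml hunk bumps the release version from 2.5.0 to 2.6.0, which is unrelated to the MFA chapter named in the commit subject and is not mentioned in the commit message; either mention the version bump in the message or move it to its own change so the documentation-content commit stays self-contained and revertable on its own.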