Remote Authentication for Multifactor Authentication
By default, CipherTrust Transparent Encryption works with a local Multifactor Authentication login. In CipherTrust Transparent Encryption v7.6 and subsequent versions, you can configure remote authentication for Multifactor Authentication. This allows a user to log into Multifactor Authentication from a machine other than a CTE client, so that you can enable authentication for remote endpoints accessing CIFS shares exported by a CTE agent.
Note
- Your Windows remote access system logon account name and your Multifactor Authentication account name MUST be the same.
- The MFA username, including the domain name, in the format domain\username or username@hostname, must exist on the MFA provider.
Remote Authentication configuration requires a non-encrypted private key and certificate. The CipherTrust Transparent Encryption OIDC service uses the key and certificate for TLS communication. CTE stores encrypted keys and certificates internally.
Prerequisites
- Create a firewall rule on the CTE agent to allow all incoming TCP traffic on the Multifactor Authentication login port.
- Generate a private key and certificate. You must know the name and location of these files.
- In the Keycloak setup, set the redirect-url parameter for the OIDC configuration using the following format:
  https://<cte-hostname>:<mfa login port>/auth/callback
  Note: The Administrator can choose to use a wildcard ('*') if the same configuration is reused across many CTE agents.
- You must have administrator access so that you can restart the secfsd service:
  - To stop the secfsd service, type:
    net stop secfsd
  - To start the secfsd service, type:
    net start secfsd
Starting Remote Authentication for Multifactor Authentication
To configure remote authentication:
- In a command line, type:
  voradmin mfa remote-config set [<privateKeyFile> <certificateFile>]
  Example
  voradmin mfa remote-config set private-key.pem cert.pem
  Response
  voradmin mfa remote-config set Restart secfsd service to affect changes.
- Restart the secfsd service.
Disabling Remote Authentication for Multifactor Authentication
To disable remote authentication:
- In a command line, type:
  voradmin mfa remote-config unset
  Response
  Restart secfsd service to affect changes.
- Restart the secfsd service.
Validating Certificate and Private Key File Information
To validate the private key and certificate files:
- In a command line, type:
  voradmin mfa remote-config get [<privateKeyFile> <certificateFile>]
  Example
  voradmin mfa remote-config get private-key.pem cert.pem
  Response
  sha256 of key file: dcb8eXXXXa92ac5dff34aXXXXab3811245aXXXXc204733bbead43f4846274674
  sha256 of certificate file: 3e2eec5bXXd357d14f5c0047d36aXXXXXXXfc87f2a74ca3b5c2c2627XXXe6db4
  certificate:
  -----BEGIN CERTIFICATE-----
  MIIFuTCCA6GgAwIBAgIUR+Gh3z7J8TzQr6buZGDcK9h/8MQwDQYJKoZIhvcNAQEL
  BQAwbDELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQswCQYDVQQHDAJOTzEMMAoG
  A1UECgwDQ1BMMQwwCgYDVQQLDANESVMxCzAJBgNVBAMMAlRIMRowGAYJKoZIhvcN
  . . .
  /31kjs/Kms582KTKFKFqzuZHJ4L6odL6JBOmbvv4UZGB2t99ah0R9BAutivru/0M
  ZFvotV9Xsxs49PtOgj1vkWFdlWUR7VtcdfOtiIoSvuXhMjCvTq8KtPIXiJJjFFkN
  3xD4ZmG7M14u1hzmaXqHfZ02YZOISFltq2PUWqQ=
  -----END CERTIFICATE-----
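Two checks follow from the requirements on this page: the private key file must be unencrypted, and `voradmin mfa remote-config get` reports the SHA-256 of the key and certificate files it is holding. The following Python is an added example, not part of the CTE documentation or product. It inspects the PEM headers of the key file to confirm it is not password-protected, and it compares the digests of the files on disk with the digests in a voradmin response, so an operator can confirm that the files CTE loaded are the ones intended. The PEM contents, the voradmin output and the function names are all constructed for the example.

```python
"""Pre-flight checks for the CTE MFA remote-authentication key/certificate pair.

Added example (not Thales/CTE code). It checks:
  1. the private key PEM is NOT password-protected (CTE requires an
     unencrypted key), by looking at the PEM headers only, and
  2. the SHA-256 digests reported by `voradmin mfa remote-config get`
     match the files actually on disk.
All file contents and voradmin output below are constructed samples.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Markers that indicate a password-protected PEM private key:
#  - the PKCS#8 encrypted container label
#  - the legacy OpenSSL "traditional format" encryption headers
ENCRYPTED_MARKERS = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info:",
)
PRIVATE_KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")

# Constructed samples; the base64 bodies are not real keys or certificates.
SAMPLE_UNENCRYPTED_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBLRVk=\n"
    "-----END PRIVATE KEY-----\n"
)
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBLRVk=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJU\n"
    "-----END CERTIFICATE-----\n"
)


def private_key_is_unencrypted(pem_text: str) -> bool:
    """True if the PEM text is a private key with no encryption headers."""
    if any(marker in pem_text for marker in ENCRYPTED_MARKERS):
        return False
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    return bool(m) and m.group(1) in PRIVATE_KEY_LABELS


def sha256_of_file(path: Path) -> str:
    """Hex SHA-256 of the raw file bytes (what voradmin prints)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def parse_voradmin_get(output: str) -> dict:
    """Extract both digests from `voradmin mfa remote-config get` output.

    Real output carries full 64-hex-digit values; the page's sample masks
    parts of them with X, which this parser would reject."""
    key = re.search(r"sha256 of key file:\s*([0-9a-fA-F]{64})", output)
    cert = re.search(r"sha256 of certificate file:\s*([0-9a-fA-F]{64})", output)
    if not key or not cert:
        raise ValueError("could not find both sha256 lines in voradmin output")
    return {"key": key.group(1).lower(), "cert": cert.group(1).lower()}


def verify_remote_config(key_path, cert_path, voradmin_output: str) -> dict:
    """Run all checks; returns a dict of booleans the caller can act on."""
    key_path, cert_path = Path(key_path), Path(cert_path)
    reported = parse_voradmin_get(voradmin_output)
    return {
        "key_unencrypted": private_key_is_unencrypted(key_path.read_text()),
        "key_hash_matches": sha256_of_file(key_path) == reported["key"],
        "cert_hash_matches": sha256_of_file(cert_path) == reported["cert"],
    }


def demo(tamper_cert: bool = False) -> dict:
    """Write the constructed files to a temp dir and check them against a
    voradmin-style response built from their digests. With tamper_cert=True
    the certificate file is replaced after the (simulated) voradmin run,
    which the digest comparison must flag."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = Path(d) / "private-key.pem", Path(d) / "cert.pem"
        key.write_text(SAMPLE_UNENCRYPTED_KEY)
        cert.write_text(SAMPLE_CERT)
        # Constructed voradmin output in the layout shown on this page.
        output = (
            f"sha256 of key file: {sha256_of_file(key)} "
            f"sha256 of certificate file: {sha256_of_file(cert)} "
            f"certificate: {SAMPLE_CERT}"
        )
        if tamper_cert:
            cert.write_bytes(SAMPLE_CERT.encode() + b"# stale copy\n")
        return verify_remote_config(key, cert, output)


if __name__ == "__main__":
    print(demo())               # all three checks True
    print(demo(tamper_cert=True))  # cert_hash_matches False
```

The key check is deliberately header-only: it does not parse the key's ASN.1, so it tells you whether the file is password-protected, not whether it is a well-formed key. A mismatch in the digest comparison means the files on disk are not the ones CTE loaded (for example, the key was regenerated without re-running `voradmin mfa remote-config set` and restarting secfsd).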
Using Remote Authentication for Multifactor Authentication
To log in and use Multifactor Authentication from a remote endpoint:
- The user must open a browser and enter a valid URL with the format:
  https://<cte-hostname>:<mfa login port>/login
Note
When launched from the Etray application on a CTE agent, the browser is launched with the required URL automatically in the URL field.