wiki:net.sf.basedb.otp/install

Version 2 (modified by nicklas, 3 months ago)

Updated and clarified installation instructions

Installing the OTP login extension

Installation and updating

  1. Download the latest base-otp-x.y.tar.gz file from the OTP login main page.
  2. Unpack the downloaded file to a directory of your choice.
  3. If this is a FIRST-TIME INSTALLATION:
    1. Create a master password used for encrypting OTP secret keys (see below)
    2. Update the BASE database with additional columns in the users table (see below)
  4. Make additional configuration settings (see below)
  5. Copy the base-otp.jar file to your BASE plug-ins directory. Look in your base.config file if you don't know where this is.
  6. Log in to BASE as an administrator and go to the Administrate->Plug-ins & Extensions->Overview page.
  7. Run the installation wizard and select to install base-otp.jar.
  8. Done.


FIRST-TIME INSTALLATION

Before installing the OTP login extension for the first time there are a few configuration steps that must be performed. Unless otherwise noted, these steps only need to be done the first time.

A. Create a master password

The master password is used as an encryption key for encrypting the OTP secret keys that are assigned to user accounts. Note that every user account has its own secret key for OTP and that these keys are randomly generated. Once the master password has been set it must not be changed, since that would make all existing OTP keys inaccessible¹.

  1. Open the base-otp.properties file.
  2. Change the master-password setting to some other password. The usual recommendations about password length and complexity apply.
  3. Move or copy the base-otp.properties file to the WEB-INF/classes directory of your BASE installation. If you have a copy in some other place, make sure that no other users can read it.

¹) If, for some reason, the master password needs to be changed, then the Users.otp_secretkey column in the database must be nullified for all user accounts. There is no built-in wizard for this, but it can be done by executing the SQL below. After the reset, all users must re-configure their OTP setup before they can log in again.

-- For PostgreSQL; MySQL users should modify the identifier quoting as needed
update "Users" set "otp_secretkey"=NULL;

B. Update the BASE database with additional columns in the users table

  1. Move or copy the otp-extended-properties.xml file to the WEB-INF/classes/extended-properties directory.
  2. Shut down the BASE server including any job agents.
  3. Run the updatedb.sh script shipped with the BASE installation. This should create the additional columns in the Users table that are used to store OTP-related information.
  4. Restart the BASE server and job agents.

Additional configuration settings

There are some additional configuration settings that can be made in the yubikey.properties file. This step is optional.

login-method
    Currently not supported.

no-otp (since 1.0)
    Comma- or whitespace-separated list of application ids for which OTP login should be disabled.
    For example, if you have installed the FTP server but do not want to use OTP for that:
    no-otp=net.sf.basedb.clients.ftp

require-otp (since 1.0)
    Comma- or whitespace-separated list of application ids for which OTP login is required.
    Users that have not configured OTP login will not be able to use those clients.
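The following is an added example, not part of the OTP extension, that checks a properties file against the two points above: the master password in section A must not be left at a placeholder value and should be reasonably long, and the no-otp / require-otp lists (comma- or whitespace-separated) should not name the same application id. The file content and the "changeme" value are constructed for the example; the file format is assumed to be plain key=value lines.

```python
import os
import re
import stat

# Constructed sample of a base-otp.properties file (not the shipped file).
SAMPLE = """# OTP extension settings
master-password=changeme
no-otp=net.sf.basedb.clients.ftp
require-otp=net.sf.basedb.clients.web, net.sf.basedb.clients.ftp
"""

def parse_properties(text):
    """Minimal parser for key=value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def split_app_ids(value):
    """no-otp and require-otp accept comma- or whitespace-separated lists."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def check_config(props, min_length=16):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    pw = props.get("master-password", "")
    if len(pw) < min_length:
        problems.append(f"master-password is shorter than {min_length} characters")
    if pw.lower() in {"", "changeme", "password", "secret"}:  # heuristic placeholders
        problems.append("master-password looks like a placeholder value")
    no_otp = set(split_app_ids(props.get("no-otp", "")))
    require_otp = set(split_app_ids(props.get("require-otp", "")))
    for app in sorted(no_otp & require_otp):
        problems.append(f"{app} is listed in both no-otp and require-otp")
    return problems

def check_permissions(path):
    """Section A: no other user should be able to read the properties file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return [f"{path} is readable by group or others (mode {oct(mode)})"]
    return []

if __name__ == "__main__":
    for problem in check_config(parse_properties(SAMPLE)):
        print("WARNING:", problem)
```

Run it against the real file by replacing SAMPLE with the file's contents and calling check_permissions on its path in WEB-INF/classes.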