Changes between Initial Version and Version 1 of net.sf.basedb.webauthn/install


Timestamp:
Jun 2, 2022, 1:39:41 PM (23 months ago)
Author:
Nicklas Nordborg
Comment:

Created installation instructions

  • net.sf.basedb.webauthn/install

    v1 v1  
     1= Installing the !WebAuthn authentication extension =
     2
     3{{{
     4#!html
     5<div style="background-color: #fffff0; border: 2px solid #A0A000; border-radius: 5px; padding: 1em; max-width: 60em;">
     6<b>Important information before installing!</b>
     7<br>
     8To avoid locking everybody out of BASE it is recommended that the <b>Password login form</b> is enabled before starting the installation for the first time. Login to BASE and go to the <b>Administrate ›› Plug-ins & extensions ›› Overview</b> page. Locate the <b>Login form customization</b> extension point to find it. Once it has been verified that WebAuthn login works properly the <b>Password login form</b> can be disabled if desired.
     9</div>
     10}}}
     11
     12
     13== Installation and updating ==
     14
     15 1. Download the latest `webauthn-x.y.tar.gz` file from the [wiki:net.sf.basedb.webauthn WebAuthn main page].
     16 2. Unpack the downloaded file to a directory of your choice.
     17 3. If this is a FIRST-TIME INSTALLATION:
     18    A. Update the BASE database with additional columns in the users table (see below)
     19 4. Make additional configuration settings (see below)
     20 5. Copy the `webauthn.jar` file to your BASE plug-ins directory. Look in your
     21    `base.config` file if you don't know where this is.
     22 6. Log in to BASE as an administrator and go to the '''Administrate ›› Plug-ins & Extensions ›› Overview''' page.
     23 7. If this is a FIRST-TIME INSTALLATION:
     24    A. Verify that the '''Password login form''' is enabled.
     25 8. Run the installation wizard and select to install `webauthn.jar`.
     26 9. Done
     27 
     28
     29----
     30
     31
     32== FIRST-TIME INSTALLATION ==
     33
     34Before installing the !WebAuthn extension for the first time there are a few configuration steps
     35that must be performed. Unless otherwise noted, these steps only need to be done the first time.
     36
     37=== A. Update the BASE database with additional columns in the users table ===
     38
     39 1. Move or copy the `webauthn-extended-properties.xml` file to the `WEB-INF/classes/extended-properties` directory.
     40 2. Shut down the BASE server including any job agents.
     41 3. Run the `updatedb.sh` script shipped with the BASE installation. This should create additional column in the `Users` table that are used to store !WebAuthn-related information.
     42 4. Restart the BASE server and job agents.
     43
     44----
     45
     46== Additional configuration settings ==
     47
     48There are some additional configuration settings that can be made in the `webauthn.properties` file. This step is optional. If you are installing multiple login managers on the same system you probably want to check the value for the `allow-other-authentication` setting. The authentication method published by this extension is named `webauthn`. You may need this when configuring the other login managers.
     49
     50'''Note! Changes to the configuration file are automatically detected and applied. There is no need to re-start the server.'''
     51
     52==== no-webauthn ====
     53Comma- or whitespace- separated list of application ids for which !WebAuthn login should be disabled. For example, if you have installed the [wiki:net.sf.basedb.ftp FTP server] but do not want to use !WebAuthn for that:
     54{{{
     55no-webauthn = net.sf.basedb.clients.ftp
     56}}}
     57
     58==== require-webauthn ====
     59Comma- or whitespace- separated list of application ids for which !WebAuthn login is required. Users without a !WebAuthn Security Key will not be able to use those clients. For example, to force all users of the web client to use !WebAuthn:
     60{{{
     61require-webauthn = net.sf.basedb.clients.web
     62}}}
     63
     64==== allow-other-authentication ====
     65Comma- or whitespace- separated list of other authentication methods that are allowed even if a user has configured a !WebAuthn Security Key. Use `*` as a wildcard for all other authentication methods (including password authentication). Examples:
     66
     67{{{
     68# Also allow password authentication even if a user has a security key
     69allow-other-authentication = password
     70
     71# Allow all other authentication methods
     72allow-other-authentication = *
     73
     74# If the YubiKey and/or OTP login extension is also installed we can
     75# allow users to use either WebAuthn, YubiKey or OTP (with or without password)
     76allow-other-authentication = otp-only otp+password yubikey
     77}}}
     78
     79=== relying-party-id ===
     80
     81This ID is typically the name of the webserver that the browser connects to. This is is typically picked up automatically, but if that doesn't work it is possible to specify the correct name here.
     82
     83=== relying-party-allow-origin-port ===
     84
     85If the port number is not the default https port, this flag need to be enabled.
     86
     87=== relying-party-allow-origin-subdomain ===
     88
     89This flag can be set to allow subdomains to the relying-party-id value.
     90
     91=== relying-party-disable-signature-counter ===
     92
     93If this flag is set, the signature counter is not verified. The counter is intended to prevent replay attacks but not all security keys support it.
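
Review bot: The description of `relying-party-disable-signature-counter` on line 93 says the counter "is intended to prevent replay attacks", but in WebAuthn replay is prevented by the fresh challenge issued for each ceremony; the signature counter exists so that the relying party can detect a cloned authenticator. Suggest rewording to say that setting this flag turns off clone detection, and stating the default value. The other `relying-party-*` settings on lines 79-89 have the same documentation gap: unlike `no-webauthn`, `require-webauthn` and `allow-other-authentication`, they show no example line or accepted values, and `relying-party-allow-origin-subdomain` does not say which origins become acceptable once it is set. Style points: these four headings use `===` while the three settings above them use `====` under the same `==` section, and there are small typos at line 81 ("This is is typically"), line 85 ("this flag need to be enabled") and line 41 ("create additional column").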