Two-Factor Authentication

Function Description

Two-factor authentication is an optional function that enhances the security of the MM910. It requires a user logging in to hold both something they have (a user certificate) and something they know (a password). User certificates are installed in the browser. After two-factor authentication is enabled, WebUI and Redfish authentication verify only the user certificate and do not ask for a password on any page, so the certificate and its private key become the credential that must be protected.

NOTE:
  • Before enabling two-factor authentication, ensure that the current chassis is configured as an independent chassis under the Chassis Management menu and at least one super domain administrator with the web or Redfish access permission has been associated with a user certificate.
  • Only super domain administrators can edit the basic settings and CA certificates of two-factor authentication. All administrators can edit user certificates.
  • If a CA certificate or user certificate expires, an alarm is generated on the WebUI.
  • If two-factor authentication is enabled, user logins are not limited by the password validity. That is, users can log in to the WebUI even if the passwords have expired.
Table 1 Parameter description

Section: Basic Configuration

  Two-Factor Authentication

    • ON: Enabling two-factor authentication disables the SSH, SNMP, and LCD interfaces and logs out all users who are currently logged in.
    • OFF: Disabling two-factor authentication re-enables the SSH, SNMP, and LCD interfaces. Two-factor authentication is disabled by default.

  OCSP

    • ON: Enabling Online Certificate Status Protocol (OCSP) makes the MM910 check the revocation status of user certificates with the OCSP server.
    • OFF: OCSP is disabled by default.

  NOTE:

  Before enabling OCSP, check that the following conditions are met:

    • The OCSP server is reachable from the MM910. If OCSP is enabled and the MM910 cannot connect to the OCSP server, the WebUI cannot be accessed.
    • The OCSP server listens on port 80 (the default). The MM910 cannot connect to an OCSP server on any other port.

Section: CA Certificate

    • Import Certificate: A maximum of 64 CA certificates can be imported. The certificate files must be in .cert, .crt, or .pem format, and each file cannot exceed 10 KB.
    • View: shows certificate details, including the certificate version, serial number, signature algorithm, hash algorithm, issuer, validity period, subject (entity to which the certificate is issued), and public key algorithm.
    • Delete: deletes the certificate. Only super domain administrators can perform this operation. If two-factor authentication is enabled, ensure that at least one super domain administrator certificate remains on the MM910 WebUI before deleting a CA certificate.

Section: User Certificate

    • Import Certificate: A maximum of 64 user certificates can be imported. The certificate files must be in .cert, .crt, or .pem format. Each user certificate must chain to a CA certificate that has already been imported; otherwise, the import fails. Each user can be configured with one certificate.
    • View: shows certificate details, including the certificate version, serial number, signature algorithm, hash algorithm, issuer, validity period, subject (entity to which the certificate is issued), and public key algorithm.
    • Delete: deletes the certificate. Only administrators can perform this operation.

Configuring Two-Factor Authentication

  1. Import a CA certificate.

    1. Choose System Management > Account Management > Two-Factor Authentication.
    2. In the CA Certificate area, click Import Certificate.
    3. In the displayed Import Certificate dialog box, select the CA certificate to be uploaded, enter the password of the current user, and click OK.

  2. Import a user certificate.

    1. In the User Certificate area, click Import Certificate.
    2. In the displayed Import Certificate dialog box, select the user to be associated and the user certificate to be uploaded, enter the password of the current user, and click OK.

  3. Import the user certificate into the browser.

    NOTE:

    This section uses Firefox 50.1.0 as an example. If you use Internet Explorer, ensure that Use SSL 2.0 is deselected (for example, choose Tools > Internet options > Advanced in Internet Explorer 11); SSL 2.0 is obsolete and insecure and must not be offered for the client-certificate handshake.

    1. Click the menu button at the upper right corner of the browser and select Options.
    2. Choose Advanced > Certificates.
    3. Click View Certificates, import the user certificate, enter the password that protects the certificate file, and click OK.
      NOTE:

      The user certificate imported into the browser must be in .p12 or .pfx format, that is, it must contain the private key together with the certificate. Protect this file: once two-factor authentication is enabled, the certificate and its key are the credential the WebUI checks.

  4. Enable two-factor authentication.

    1. In the Basic Configuration area, click Edit.
    2. Enable Two-Factor Authentication and click Save. Saving logs out all logged-in users and disables the SSH, SNMP, and LCD interfaces (see Table 1).
    3. Refresh the browser and log in. If the login succeeds, the configuration is complete.
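The following script is an added example; it is not part of the MM910 documentation or firmware. It uses the openssl command-line tool to run, on the administrator's workstation, the checks that Table 1 and the procedure above rely on before anything is uploaded: that the CA file is in an accepted format and under 10 KB, that the user certificate chains to the CA file about to be imported (otherwise the import in step 2 fails), that the user certificate is not close to expiry (which the MM910 only reports afterwards as a WebUI alarm), that any OCSP responder the certificate names is on port 80, and that the user certificate and its private key are packed into a password-protected .p12 that the browser accepts in step 3. The throwaway CA, the user name superadmin, the export password changeit and the OCSP address ocsp.example.com:8080 are constructed for the example. That the MM910 takes the OCSP responder address from the certificate's Authority Information Access extension is an assumption of this example; the page does not say where the address is configured.

```shell
#!/bin/sh
# Added example, not part of the MM910 documentation: pre-flight checks with the
# openssl command-line tool, run on the administrator's workstation before
# certificates are uploaded to the Two-Factor Authentication page. The limits
# enforced here (file format, 10 KB CA file, user cert must chain to an imported
# CA, OCSP responder on port 80, .p12 for the browser) come from Table 1.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throwaway CA and one user certificate it signs.
# In production these come from your PKI; the CA key never belongs on the
# workstation used to drive the MM910 WebUI.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo MM910 Admin CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=superadmin" \
        -keyout "$WORK/superadmin.key" -out "$WORK/superadmin.csr" 2>/dev/null
    # Hypothetical OCSP responder on port 8080, chosen so the port check trips.
    printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.com:8080/\n' \
        > "$WORK/user.ext"
    openssl x509 -req -in "$WORK/superadmin.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 90 -sha256 \
        -extfile "$WORK/user.ext" -out "$WORK/superadmin.pem" 2>/dev/null
}

# Check 1: a CA file must be .cert/.crt/.pem, at most 10 KB, and parse as X.509.
ca_file_ok() {
    case "$1" in *.pem|*.crt|*.cert) ;; *) return 1 ;; esac
    [ "$(wc -c < "$1" | tr -d ' ')" -le 10240 ] || return 1
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Check 2: the MM910 rejects a user certificate whose issuing CA is not imported.
# Verify the chain locally against the CA file ($1) you are about to import.
user_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: an expired certificate only raises a WebUI alarm after the fact.
# Succeeds if certificate $1 remains valid for at least $2 more seconds.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Check 4: the MM910 reaches an OCSP responder only on port 80. Prints the port
# named in the certificate's AIA OCSP URI, or "none" if the cert has no OCSP URI.
# Assumption: the responder address is taken from the certificate, not configured
# elsewhere on the MM910 (the manual does not say).
ocsp_port() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null | head -n 1)
    [ -n "$uri" ] || { echo none; return 0; }
    hostport=${uri#*://}
    hostport=${hostport%%/*}
    case "$hostport" in *:*) echo "${hostport##*:}" ;; *) echo 80 ;; esac
}

# Step 3 of the procedure: the browser import needs certificate plus private key
# in a password-protected .p12. $1 CA file, $2 user cert, $3 user key,
# $4 export password, $5 output file.
make_browser_p12() {
    openssl pkcs12 -export -in "$2" -inkey "$3" -certfile "$1" \
        -name "MM910 superadmin" -passout "pass:$4" -out "$5" 2>/dev/null
}

# Can the .p12 be opened with this password (the one the browser prompts for)?
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        -out /dev/null 2>/dev/null
}

make_demo_pki
CA=$WORK/ca.pem
USERCERT=$WORK/superadmin.pem
USERKEY=$WORK/superadmin.key
ca_file_ok "$CA" && echo "CA file: format and size acceptable"
user_chains_to_ca "$CA" "$USERCERT" && echo "user cert: chains to the CA"
valid_for "$USERCERT" 2592000 && echo "user cert: valid for at least 30 days"
port=$(ocsp_port "$USERCERT")
[ "$port" = 80 ] || echo "OCSP responder is on port $port; the MM910 needs 80"
make_browser_p12 "$CA" "$USERCERT" "$USERKEY" changeit "$WORK/superadmin.p12"
p12_opens_with "$WORK/superadmin.p12" changeit && echo "p12: ready for browser import"
```

Run it before step 1: a failure from user_chains_to_ca means the user certificate would be rejected at step 2, and a non-80 port from ocsp_port means enabling OCSP would lock the WebUI as described in Table 1. Keep the .p12 and the private key off shared storage; after step 4 they are the only thing standing between an attacker and the chassis WebUI.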