Using Multi-factor Authentication with TSM/ISP
This HowTo covers only the IBM Security Verify app and, for the required QR code, the generator from FreeOTP; other TOTP apps and QR generators will work similarly.
Preparation
Creating a QR code using FreeOTP.github.io
- Go to the URL https://freeotp.github.io/qrcode.html
- Adjust the necessary inputs:
  - Issuer (optional) ⇒ GWDG / TSM (or whatever).
  - Account ⇒ name of the admin account in TSM, e.g. tbnachtw
  - Change the algorithm from SHA256 to SHA1
  - Change the selection from counter to timeout
- Keep the settings that are already correct:
  - Digits remains at 6
  - Timeout remains at 30s
  - Lock remains unchecked
- The QR code changes
Create admin accounts with MFA / enable MFA for admin accounts
Use the base32 string next to the Random button as the shared secret when creating / changing the TSM admin account:
REGister Admin <NAME> <password> [other options] MFARequired=Yes SHAREDSecret=<base32string>
or, when changing an existing admin account:
UPDate Admin <Name> MFARequired=Yes SHAREDSecret=<base32string>
Setting up the TOTP app
- Create a profile in the TOTP app (e.g. IBM Security Verify)
- Import the QR code into the TOTP app
Logon with MFA
When logging in as admin, the admin CLI still asks for username and password, but with MFA the latter consists of two parts: the admin password + the 6-digit TOTP token. So, e.g., for the combination of
- user name Admin,
- password Admin4TSM and
- one-time MFA token 238 291

the one-time MFA password is Admin4TSM238291
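The settings chosen above (SHA1, 6 digits, 30 s timeout, base32 shared secret) are the parameters of RFC 6238 TOTP. As an added example that is not part of the original HowTo, the following Python code generates a base32 shared secret locally, builds the otpauth:// URI that the QR code encodes, and computes the token so the value shown by the app can be cross-checked. All function names and the sample issuer/account values are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

def new_shared_secret(nbytes=20):
    """Random base32 string for SHAREDSecret (20 bytes -> 32 characters)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")

def otpauth_uri(secret, account, issuer):
    """Key URI a QR generator encodes, with the settings used in this HowTo."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer, safe='')}"
            "&algorithm=SHA1&digits=6&period=30")

def totp(secret, at=None, digits=6, period=30):
    """RFC 6238 token: HMAC-SHA1 over the 30 s time-step counter."""
    s = secret.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def login_password(password, token):
    """Admin password directly followed by the token, without spaces."""
    return password + token.replace(" ", "")

if __name__ == "__main__":
    # Constructed sample values; the secret is a credential, handle it as one.
    secret = new_shared_secret()
    print("SHAREDSecret:", secret)
    print("QR content:  ", otpauth_uri(secret, "tbnachtw", "GWDG-TSM"))
    print("Token now:   ", totp(secret))
```

If the token printed here differs from the one the app shows for the same secret, compare the system clocks and the algorithm setting first.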
Acknowledgment
Thanks to Bruno Friess / Exstor for his introduction to the topic at GSE meetings and at the GWDG TSM JourFixe.