Using Multi-factor Authentication with TSM/ISP

This HowTo covers only the IBM Security Verify app and, for the required QR code, the generator from FreeOTP; other TOTP apps and QR generators work similarly.

Preparation

Creating a QR code using FreeOTP.github.io

  • Adjust the necessary inputs:
    • Issuer (optional) ⇒ GWDG / TSM (or whatever).
    • Account ⇒ name of the admin account in TSM, e.g. tbnachtw
    • Change the algorithm from SHA256 to SHA1
    • Change the selection from counter to timeout
  • Keep the settings that are already correct:
    • Digits remains at 6
    • Timeout remains at 30s
    • Lock remains unchecked
  • The QR code changes :-)

Create admin accounts with MFA / enable MFA for admin accounts

Use the base32 string shown next to the Random button as the shared secret when creating or changing the TSM admin account:

REGister Admin <NAME> <password> [other options] MFARequired=Yes SHAREDSecret=<base32string> 

or, for an existing admin account:

UPDate Admin <Name> MFARequired=Yes SHAREDSecret=<base32string> 

Setting up the TOTP app

  • Create a profile in the TOTP app (here: IBM Security Verify)
    • Import the QR code into the TOTP app

Logon with MFA

When logging in as admin, the admin CLI still asks for username and password, but with MFA the latter consists of two parts: the admin password followed by the 6-digit TOTP token. For example, for the combination of

  • user name Admin,
  • password Admin4TSM and
  • one-time MFA token 238 291

the one-time MFA password is Admin4TSM238291
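
To check offline that the app shows the token expected for the settings chosen above (SHA1, 6 digits, 30 s), the token can be computed from the shared secret. The following is an added example, not part of the original HowTo or of any IBM or FreeOTP code; the function names and the 20-byte secret length are assumptions.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote, urlencode

DIGITS, PERIOD = 6, 30  # values this HowTo keeps; the algorithm is SHA1

# Constructed test secret: the ASCII key from the RFC 6238 test vectors.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

def new_shared_secret(nbytes=20):
    """Random base32 string generated locally (length is an assumption)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def otpauth_uri(secret_b32, account, issuer):
    """Key URI that a QR code for a TOTP app encodes."""
    label = quote(f"{issuer}:{account}", safe="")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "algorithm": "SHA1", "digits": DIGITS,
                        "period": PERIOD}, quote_via=quote)
    return f"otpauth://totp/{label}?{params}"

def totp(secret_b32, at=None):
    """RFC 6238 token (HMAC-SHA1, 6 digits, 30 s step) at Unix time `at`."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = int(time.time() if at is None else at) // PERIOD
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

if __name__ == "__main__":
    secret = new_shared_secret()
    print("SHAREDSecret:", secret)
    print("QR content:  ", otpauth_uri(secret, "tbnachtw", "GWDG / TSM"))
    print("Token now:   ", totp(secret))
```

If the token printed here differs from the one in the app for the same secret, the usual causes are a wrong algorithm setting (SHA256 instead of SHA1) or clock drift on one of the systems.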

Acknowledgment

Thanks to Bruno Friess / Exstor for his introduction to the topic at GSE meetings and at the GWDG TSM JourFixe.
