UniOTP Management System

From SecuTech Wiki


Introduction

The UniOTP Management System is a web-based management system. Administration and maintenance operations concerning dynamic password system configuration such as user information, token information, operator information and log information can be performed with this system. The system employs different levels of privileges for compartmentalization of information and tasks.

Operator Login

On the login page of the UniOTP Management System, input the Operator ID in the OperatorID field and enter the corresponding password in the Password field. Click Submit to log in. The default Operator ID for the Super Operator is "1000000001" with the corresponding default password "123456", both without quotation marks.

UniOTP Management login screen

If Operator login was successful, the administration interface will be accessible on the main page, otherwise an error message will appear if the login credentials are incorrect. From the administration interface, actions to perform can be chosen from the menu on the left or from the shortcut icons in the main panel.

UniOtp Management system main window

Logout

To log out of the system, click Exit System located at the top-right corner of the window, as shown in the screenshot above. For security purposes, please always use this method to log out of the system.


Change Password

From the administration interface, click on Change Password from either under the Operator Management menu on the left or the Change Password shortcut on the main panel.

UniOTP Management changing passwords icon

In the Change Password interface, input the current password in the Old Password field, then enter the new password in both the New Password and Confirm fields. Click Submit to apply the change.

UniOTP Management change password screen

A message will appear indicating if the password change was successful or unsuccessful.

Search User

From the administration interface, click on User Search from either under the User Management menu on the left or the User Search shortcut on the main panel.

UniOTP Management user search icon

Users can be searched by either User ID or Username. Fill either field then click Search.

UniOTP Management user search screen

For example, search for the User ID "US20110127002" (entered without quotation marks).

searching user ID US20110127002

If you enter "t" in the Username field, information about all users whose username contains the character 't' is listed; from that list you can choose the user you want to manage, modify or delete.

selecting a user to modify

Add a User

From the administration interface, click on Add User from either under the User Management menu on the left or the User Search shortcut on the main panel.

UniOTP Management add user icon

In the Add User interface, fill in the corresponding fields: username (unique) in Username; user ID (unique) in UserID; contact number in Tel; the serial ID of the corresponding UniOTP device for the user in Serial; email address in Email; the user PIN; and authentication method (OTP+PIN, generated one-time password with the user PIN, is recommended for maximum security). Either username or user ID can be used interchangeably when authenticating.

UniOTP Management adding user window

If an invalid token serial number is entered, the error message below will appear.

'invalid token' message

After inputting valid user information, click Submit.

user fields filled

The notification below will appear if the user has been added successfully.

'user xxx added successfully' message

Change User State

From the administration interface, click on Add User from either under the User Management menu on the left or the User Search shortcut on the main panel.

UniOTP Management change user state icon

Under the Change User State interface, functions such as flagging a token as lost/stolen, unflagging lost/stolen tokens and permanently removing tokens can be performed. Functions are performed on users based on the user's User ID.

UniOTP Management changing user state window

Resynchronize Token

Under certain circumstances, a token may desynchronize with the server. In this case, the token must be resynchronized with the server to be able to authenticate with it. This can be done from the Token Reparation interface. From the administration interface, click on Token Reparation from either under the User Management menu on the left or the Token Reparation shortcut on the main panel.

UniOTP Management token repair icon

To resynchronize a token, you need the User ID of the user to whom the token is assigned and the token itself. Input the User ID in UserID. Then generate a one-time password on the token device and input it in First OTP. Immediately generate a second OTP and input it in Second OTP. Two consecutive one-time passwords are needed for the server and the token to be synchronized. When done, click Submit.

UniOTP Management token repair window

The message below will appear if synchronization is successful.

'token repair successful' message

If the two generated one-time passwords are not consecutive, or if the generated OTPs fall outside a certain generation range, synchronization will fail and an error message similar to the one below will appear.

'token repair failed' message

Add Operator

Under the Add Operator interface, new operators can be added to the system. The operator to be added must not have a higher privilege level than the current operator, otherwise the operation is denied. From the administration interface, click on Add Operator from either under the Operator Management menu on the left or the Add Operator shortcut on the main panel.

UniOTP Management add operator icon

In the Add Operator interface, input the Name, Password and Confirm password, and select the privilege level in the Level list, then click Submit.

UniOTP Management add operator window

If the operation is successful, the following message will be returned, displaying the Operator ID of the newly added operator.

'operator added successfully, operator ID is: ...' message

If the privilege level of the new operator is higher than that of the current operator, the following error message will appear.

'insufficient rights to add new operator' message

Delete Operator

The Delete Operator interface removes an operator from the database. An operator can only be deleted if the privilege level of the current user is higher than that of the operator to be deleted. From the administration interface, click on Delete Operator from either under the Operator Management menu on the left or the Delete Operator shortcut on the main panel.

UniOTP Management delete operator icon

In the Delete Operator interface, operators can be removed in one of two ways: an individual operator account can be deleted by Operator ID, or multiple operator accounts can be deleted by a range of Operator IDs, specifying the first Operator ID under BeginID and the last under EndID. All operators in the specified range, inclusive, will be deleted. Input the data into either form, then click Submit or Execute.

UniOTP Management delete operator window

If the current user does not possess sufficient privileges to delete the specified or affected operator, the following error message will be returned.

'insufficient rights to delete this operator' message

If deletion was successful, the following message will be displayed.

'operation succeeded' message

Search Operator

Under the Operator Search interface, information concerning operator accounts can be searched and viewed. Only operator accounts whose privilege level is lower than the current user's can be searched. From the administration interface, click on Operator Search from either under the Operator Management menu on the left or the Operator Search shortcut on the main panel.

UniOTP Management operator search icon

In the Operator Information Search interface, operators can be searched in one of two ways: an individual operator account can be searched by Operator ID, or multiple operator accounts can be searched by a range of Operator IDs, specifying the first Operator ID under BeginID and the last under EndID, optionally narrowed further by name. All operators found in the specified range, inclusive, will be returned. Input the data into either form, then click Submit or Execute.

UniOTP Management operator information search window

To illustrate, if "1000000001", without quotation marks, is entered under OperatorID and submitted, information about the operator account whose Operator ID is 1000000001 will be returned. However, as 1000000001 is by default the Super Operator ID, only the Super Operator has sufficient privileges to view this account, and hence is the only operator who can perform and view this search. Returned operators can be deleted by clicking the icon to the right of the operator in the returned list. Deletion of operators adheres to the requirements in the subsection above, in that operators can only be deleted if the privilege level of the current user is higher than the privilege level of the operator to be deleted. Searching by Operator ID will yield a results page similar to the screenshot below.

operator ID; password; operator index; operator name; domain

Searching operators in a specific range will yield a results page similar to the screenshot below.

multiple operators listed in search results
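The Add Operator, Delete Operator and Search Operator sections above each state one privilege rule: adding is denied when the new operator would outrank the current one, deleting requires strictly outranking the target, and searching only shows operators of lower level. The following Python is an added example for this article, not UniOTP's code; it assumes privilege levels are integers where a larger number means more privilege (the page does not define the scale), compares Operator IDs numerically for BeginID/EndID ranges, and treats a range deletion as all-or-nothing, a design choice chosen here to match the "specified or affected operator" wording of the error message.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Operator:
    operator_id: str   # numeric string such as "1000000001", as on the login page
    name: str
    level: int         # assumption: larger number = more privilege; the page does not define the scale


class OperatorDirectory:
    """In-memory stand-in for the operator table, enforcing the three rules the page states."""

    def __init__(self, operators: List[Operator]):
        self._ops: Dict[str, Operator] = {o.operator_id: o for o in operators}

    def add_operator(self, actor: Operator, new_op: Operator) -> str:
        # Add Operator: denied when the new operator would outrank the actor.
        if new_op.level > actor.level:
            raise PermissionError("insufficient rights to add new operator")
        if new_op.operator_id in self._ops:
            raise ValueError("operator ID already exists")
        self._ops[new_op.operator_id] = new_op
        return new_op.operator_id

    def _in_range(self, begin_id: str, end_id: str) -> List[Operator]:
        # BeginID..EndID inclusive, compared as integers rather than as strings.
        lo, hi = int(begin_id), int(end_id)
        return [o for o in self._ops.values() if lo <= int(o.operator_id) <= hi]

    def delete_range(self, actor: Operator, begin_id: str, end_id: str) -> int:
        # Delete Operator: the actor must strictly outrank every affected operator.
        # All-or-nothing (a design choice in this example): one undeletable operator
        # rejects the whole request rather than leaving a partially deleted range.
        affected = self._in_range(begin_id, end_id)
        if any(actor.level <= o.level for o in affected):
            raise PermissionError("insufficient rights to delete this operator")
        for o in affected:
            del self._ops[o.operator_id]
        return len(affected)

    def delete_one(self, actor: Operator, operator_id: str) -> int:
        # Single-ID form of the Delete Operator interface.
        return self.delete_range(actor, operator_id, operator_id)

    def search_range(self, actor: Operator, begin_id: str, end_id: str,
                     name: Optional[str] = None) -> List[Operator]:
        # Operator Search: only operators with a lower level than the actor are visible;
        # the optional name filter narrows the range further.
        return [o for o in self._in_range(begin_id, end_id)
                if o.level < actor.level and (name is None or o.name == name)]


if __name__ == "__main__":
    # Constructed sample operators, not accounts from a real deployment.
    sup = Operator("1000000001", "super", 3)
    adm = Operator("1000000002", "admin", 2)
    directory = OperatorDirectory([sup, adm, Operator("1000000003", "helper", 1)])
    print([o.name for o in directory.search_range(sup, "1000000001", "1000000003")])
    try:
        directory.delete_range(adm, "1000000001", "1000000003")
    except PermissionError as e:
        print("range deletion rejected:", e)
```

Checking the whole range before deleting anything is what keeps a range request from silently removing the deletable operators while reporting an error for the rest; an audit log entry for the rejected request would normally be written at the same point.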

Batch Import Token/User

The Token/User Batch Import interface allows the service provider to import multiple tokens into the database. It can also import many users, each bound to a token, into the database at once. Refer to the picture below to enter the corresponding interface.

UniOTP Management token import icon

In order to import token files, you need to provide the decryption key for those files; there is no decryption key for user import. The extension for both token files and user information files is .unif.

UniOTP Management token/user import window

If there is an error with the secret key or if the file is corrupted, the following message will be displayed.

'bad file' message

If the import of a token in the token file fails, an error is shown for that token, identifying the failed record by its token serial number. You can export this information and send it to the service provider to determine the cause of the error (duplicate imports, which also produce errors, should be ruled out first).

'please send information to provider' message

If the token import succeeds, a message will be displayed specifying the number of tokens imported.

'1 line affected' message; one line per token

In the case user import has failed, the following error message, containing the details about the concerned users, will be displayed.

SQL user details; invalid token error being displayed

Search Log

The log search function provides an interface for searching and viewing logs from the UniOTP Management System, including regular operation and user authentication logs. From the administration interface, click on Log Search from either under the Database Management menu on the left or the Log Search shortcut on the main panel.

UniOTP Management search log icon

In the Log Search interface, various search criteria are provided to narrow the search. Under LogDomain, Syslog refers to system task logs, and Commonlog refers to user authentication logs. Under Search Mode, logs can be filtered by a specific operator by selecting Specific Operator; otherwise all logs from all operators are returned with All. In the QueryMode field you can choose logs for a specific operator; once an operator is specified, only that operator's log information is displayed (if you specify a username, only the authentication log information for that user is displayed).

Under OperatorID, an Operator ID or username must be entered if Specific Operator was selected in Search Mode; all logs for the specified operator will be returned. Under Begin Date and End Date, logs can be filtered between two points in time: set the two fields, in order of year, month, day and hour, to return the logs from Begin Date to End Date. After specifying the search criteria, click Submit.

UniOTP Management search log window

Logs that correlate with specified criteria will be returned, similar to the screen below.

log search results

If no results matching the requested search criteria have been found, the following screen will appear.

'no related info' message

Export Log

The Export Log function exports logs to a text file. From the administration interface, click on Export Log from either under the Database Management menu on the left or the Export Log shortcut on the main panel.

UniOTP Management export log icon

Under LogDomain, Syslog refers to system task logs, and Commonlog refers to user authentication logs. Under Begin Date and End Date, logs can be filtered between two points in time: set the two fields, in order of year, month, day and hour, to export the logs from Begin Date to End Date. Under Compress, select the type of compression for the exported file. After specifying the criteria, click Submit to back up the selected logs.

UniOTP Management export log window

Clear Logs

All specified logs can be deleted from the Export Log interface. From the administration interface, click on Empty log records from under the Database Management menu on the left.

UniOTP Management empty log records sidebar selection

In the Empty log records interface, two categories of logs can be cleared. Syslog refers to system task logs, and Commonlog refers to user authentication logs.

UniOTP Management empty log records window

Click Execute to clear selected logs. If deletion of logs was successful, the following message will be displayed.

'operation succeeded' message

Backup Database

The database backup feature produces a backup from which all needed information can be restored.

UniOTP Management backup database sidebar selection

In Backup Mode, choose the backup mode. You can back up the whole database, including the table structure and the data it contains (you can specify which data to back up in the Log Backup field), or only the table structure, in which case the data contained in the database will not be backed up.

UniOTP Management backup database window

Statistics

From the Statistics interface, you can view the distribution of activity over time and by location, and produce statistics analyzing authentication strength, load distribution and operation distribution.

UniOTP Management statistics icon

In the Statistics interface, two types of analysis can be performed: Load Analysis produces load statistics, and Operation statistics produces operation statistics. A scale (Year or Month) can be chosen for both. In the Display Mode field, choose one of three display methods: histograms, line charts or pie charts.

UniOTP Management statistics window

The picture below shows the histogram of operation type analysis.

histogram of empty log with one authentication
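The Search Log section above describes filtering by LogDomain, by a specific operator or username, and by a Begin Date/End Date given as year, month, day and hour, and the Statistics section describes counting operations per year or month for a histogram. The following Python is an added example for this article, not UniOTP's code, and runs both over the same constructed set of log records; the record field names, the operation names and the sample timestamps are all assumptions, since the page shows no log format.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log records (not real UniOTP output). Field names are assumptions:
# Syslog entries carry the operator who acted, Commonlog entries the user who authenticated.
SAMPLE_LOGS: List[Dict] = [
    {"domain": "Syslog",    "time": datetime(2011, 1, 27, 9),  "operator": "1000000001", "user": None,            "op": "add_user"},
    {"domain": "Commonlog", "time": datetime(2011, 1, 27, 10), "operator": None,         "user": "US20110127002", "op": "auth_success"},
    {"domain": "Commonlog", "time": datetime(2011, 1, 28, 8),  "operator": None,         "user": "US20110127002", "op": "auth_failure"},
    {"domain": "Syslog",    "time": datetime(2011, 2, 3, 14),  "operator": "1000000002", "user": None,            "op": "token_repair"},
    {"domain": "Commonlog", "time": datetime(2011, 2, 3, 15),  "operator": None,         "user": "tom",           "op": "auth_success"},
    {"domain": "Syslog",    "time": datetime(2012, 1, 5, 11),  "operator": "1000000001", "user": None,            "op": "delete_operator"},
]

DateTuple = Tuple[int, int, int, int]  # (year, month, day, hour), the order the page gives


def search_logs(records: List[Dict], domain: str, principal: Optional[str] = None,
                begin: Optional[DateTuple] = None, end: Optional[DateTuple] = None) -> List[Dict]:
    """Log Search: domain is "Syslog" or "Commonlog"; principal is an Operator ID or username
    (None means All, as in Search Mode); begin/end are inclusive (year, month, day, hour)."""
    begin_dt = datetime(*begin) if begin else None
    end_dt = datetime(*end) if end else None
    hits = []
    for r in records:
        if r["domain"] != domain:
            continue
        if principal is not None and principal not in (r["operator"], r["user"]):
            continue
        if begin_dt is not None and r["time"] < begin_dt:
            continue
        if end_dt is not None and r["time"] > end_dt:
            continue
        hits.append(r)
    return hits


def _period_format(scale: str) -> str:
    # Year or Month scale, as offered by the Statistics interface.
    if scale not in ("year", "month"):
        raise ValueError("scale must be 'year' or 'month'")
    return "%Y" if scale == "year" else "%Y-%m"


def operation_stats(records: List[Dict], scale: str = "month") -> Counter:
    """Operation statistics: count operations per period. The result maps
    (period, operation) to a count, i.e. the bars of the page's histogram."""
    fmt = _period_format(scale)
    return Counter((r["time"].strftime(fmt), r["op"]) for r in records)


def load_stats(records: List[Dict], scale: str = "month") -> Counter:
    """Load Analysis: number of authentication attempts (Commonlog entries) per period."""
    fmt = _period_format(scale)
    return Counter(r["time"].strftime(fmt) for r in records if r["domain"] == "Commonlog")


if __name__ == "__main__":
    for r in search_logs(SAMPLE_LOGS, "Commonlog", "US20110127002"):
        print(r["time"], r["op"])
    for (period, op), n in sorted(operation_stats(SAMPLE_LOGS).items()):
        print(period, op, "#" * n)
```

A repeated auth_failure count for one user in the Operation statistics output, or a load spike in one hour of the Load Analysis, is the kind of signal the Log Search filters let an operator follow up on before the logs are exported or cleared.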

System Information

Click the home icon in the left menu to show the system information and system configuration page, which displays system information and the list of current settings.

UniOTP Management system information sidebar icon

System configuration

Using the system configuration page you can change system settings. Click Config Database to configure the database.

UniOTP Management systems configuration sidebar icon

Once you have entered the database settings page, you can change database settings such as the database host, database name, port, login username and login password. You can also test the connection to the database. After you submit these changes, a new configuration file is created.

UniOTP Management change database configuration window