The tool supports interface of Foresight Analytics Platform 9 or earlier.

In this article:

Linking a Client Certificate to User

Setting Up Web Service Connection

Changing Two-Factor Authentication Application

Setting Up Two-Factor Authentication

Two-factor authentication enhances information security by adding a verification of the user's identity at logon. Any available authentication type is used as the first factor. The second factor is the fingerprint of a client certificate, saved in Foresight Analytics Platform.

The client certificate is part of the security certificate, which includes a set of generated certificates:

By default, if user authentication is successful, the linked client certificate for system logon is requested.

To set up two-factor authentication:

  1. Generate and install a security certificate using cryptographic software, for example, OpenSSL.

  2. Link the client certificate to the user.

NOTE. In the desktop application, linking the certificate to the user is sufficient to use two-factor authentication with default settings, if the standard configuration of Foresight Analytics Platform is used.

  3. Set up web service connection, if one of configurations of Foresight Analytics Platform is used:

  4. If required, change two-factor authentication application. By default, two-factor authentication is used for the users with a linked client certificate.

After these operations are executed, the result of two-factor authentication depends on the specified application. If the two-factor authentication application was not changed, the linked client certificate is requested for system logon if user authentication is successful.

Linking a Client Certificate to User

The client certificate must be linked to each user individually.

To link a certificate to a user:

  1. Execute one of the operations in the Users section:

After executing one of the operations the Properties side panel opens in the web application and the User Properties dialog box opens in the desktop application.

  2. Click the Add button next to the Certificate box on the General Properties tab and select the client certificate option in the button's drop-down menu:

NOTE. The web application only allows for adding a certificate from file.

After executing the operations, the Certificate box will contain a fingerprint of the selected client certificate.

  3. Click the Save button in the web application or click the OK button in the desktop application.

After executing the operations, the client certificate will be linked to the selected user.

NOTE. In the desktop application it is sufficient to link a client certificate to the user to use two-factor authentication with default settings.
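The Certificate box shows a fingerprint, so it is worth computing the fingerprint of the file yourself and comparing it before saving. The following is an added example, not part of the Foresight documentation: it builds a throwaway CA, server and client certificate with OpenSSL, checks the chain, and prints the client fingerprint. Subject names, key size, lifetime, the ca.key and client.* file names, and the SHA-1 default digest are assumptions; the page does not state which digest the platform displays.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Throwaway test keys only: the issued
# certificates carry no SAN or other extensions.

make_cert_set() {   # $1 = output directory
    local out_dir="$1" name cn
    mkdir -p "$out_dir" || return 1
    # Self-signed CA certificate (ca.cer) and its private key (ca.key).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$out_dir/ca.key" -out "$out_dir/ca.cer" 2>/dev/null || return 1
    # Server and client: new key, signing request, certificate issued by the CA.
    for name in server client; do
        if [ "$name" = server ]; then cn="hostname.domain.ru"; else cn="example-user"; fi
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$out_dir/$name.key" -out "$out_dir/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$out_dir/$name.csr" \
            -CA "$out_dir/ca.cer" -CAkey "$out_dir/ca.key" -CAcreateserial \
            -days 30 -sha256 -out "$out_dir/$name.cer" 2>/dev/null || return 1
    done
    chmod 600 "$out_dir"/*.key   # private keys readable by the owner only
}

# Hex fingerprint without colons, for comparison with the Certificate box.
cert_fingerprint() {   # $1 = certificate file, $2 = digest name (default sha1)
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha1}" | cut -d= -f2 | tr -d ':'
}

# Succeeds only if the certificate was issued by the given CA.
chain_ok() {   # $1 = CA certificate file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d) && make_cert_set "$demo_dir" \
    && chain_ok "$demo_dir/ca.cer" "$demo_dir/client.cer" \
    && echo "client.cer SHA-1 fingerprint: $(cert_fingerprint "$demo_dir/client.cer")"
```

If the value shown in the Certificate box does not match either digest, check which certificate file was actually selected before saving the user.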

Setting Up Web Service Connection

Web service connection settings depend on the operating system and on the Foresight Analytics Platform configuration in use:

To set up web service connection in Windows OS:

  1. Set up web application work via HTTPS.

  2. Activate SSL parameters for the web application. Open the SSL settings page in the IIS service manager by clicking the SSL Settings button. The SSL Settings page opens. Select the Require SSL checkbox and the Require radio button for client certificates.

To set up web service connection in Linux OS:

  1. Set up web application work via HTTPS.

  2. Apply settings in Linux OS:

    • For Debian-based distributions:

      1. Enable the mod_ssl module for Apache2:

sudo a2enmod ssl
sudo a2ensite default-ssl

      2. Create the /etc/apache2/ssl directory to store certificates and keys:

sudo mkdir /etc/apache2/ssl

      3. Copy the created certificate files and the server certificate key: ca.cer, server.cer, server.key.

      4. Set access permissions to the directory:

sudo chmod 0600 /etc/apache2/ssl
sudo chown -R www-data:www-data /etc/apache2/ssl

      5. Set up web application server:

        • Add a variable for the HTTPS protocol:

export PATH_TO_WEB=/opt/foresight/fp10.x-biserver
export PP_SOM_HTTPS=https://hostname.domain.ru/fpBI_App_v10.x/axis2/services/PP.SOM.Som

        • Edit the /etc/apache2/sites-enabled/default-ssl file and add the following values to the <VirtualHost _default_:443> tag (replacing hostname.domain.ru with the server address):

ServerName hostname.domain.ru
Alias /fp10.x/app/ ${PATH_TO_WEB}/app/
Alias /fp10.x/build/ ${PATH_TO_WEB}/build/
Alias /fp10.x/dashboard/ ${PATH_TO_WEB}/dashboard/
Alias /fp10.x/resources/ ${PATH_TO_WEB}/resources/
Alias /fp10.x/index.html ${PATH_TO_WEB}/index.html
Alias /fp10.x/libs/ ${PATH_TO_WEB}/libs/
Alias /fp10.x/ ${PATH_TO_WEB}/
ProxyPass /fp10.x/app/PPService.axd ${PP_SOM_HTTPS} retry=1 acquire=3000 timeout=6000 Keepalive=On
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
ProxyPassReverse /fp10.x/app/PPService.axd ${PP_SOM_HTTPS}

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/apache2/ssl/ca.cer

      6. Restart Apache2 web server:

sudo service apache2 restart

    • For RedHat-based distributions:

      1. Enable the mod_ssl module for httpd:

sudo yum -y install mod_ssl

The configuration file /etc/httpd/conf.d/ssl.conf is created with module connection string:

LoadModule ssl_module modules/mod_ssl.so

NOTE. The 443 TCP port is opened for HTTPS connections, mod_ssl uses the openssl package, and support of the SSLv2 protocol is disabled by default.

      2. Create the /etc/httpd/ssl directory to store certificates and keys:

sudo mkdir /etc/httpd/ssl

      3. Copy the created certificate files and the server certificate key: ca.cer, server.cer, server.key.

      4. Set access permissions to the directory:

sudo chmod 0600 /etc/httpd/ssl
sudo chown -R apache:apache /etc/httpd/ssl

      5. Set up web application server:

        • Add a variable for the HTTPS protocol in the /etc/sysconfig/httpd file:

export PATH_TO_WEB=/opt/foresight/fp10.x-biserver
export PP_SOM_HTTPS=https://hostname.domain.ru/fpBI_App_v10.x/axis2/services/PP.SOM.Som

        • Edit the /etc/httpd/conf.d/ssl.conf file and add the following values to the <VirtualHost _default_:443> tag (replacing hostname.domain.ru with the server address):

ServerName hostname.domain.ru
Alias /fp10.x/app/ ${PATH_TO_WEB}/app/
Alias /fp10.x/build/ ${PATH_TO_WEB}/build/
Alias /fp10.x/dashboard/ ${PATH_TO_WEB}/dashboard/
Alias /fp10.x/resources/ ${PATH_TO_WEB}/resources/
Alias /fp10.x/index.html ${PATH_TO_WEB}/index.html
Alias /fp10.x/libs/ ${PATH_TO_WEB}/libs/
Alias /fp10.x/ ${PATH_TO_WEB}/
ProxyPass /fp10.x/app/PPService.axd ${PP_SOM_HTTPS} retry=1 acquire=3000 timeout=6000 Keepalive=On
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
ProxyPassReverse /fp10.x/app/PPService.axd ${PP_SOM_HTTPS}

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/server.cer
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/ssl/ca.cer

      6. Restart httpd web server:

sudo service httpd restart

After these two-factor authentication operations are executed, the HTTPS protocol is used for web service connection, and user authorization is executed by client certificates.
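A quick way to confirm that an edited virtual host still enforces client certificates is to audit the directives listed above. This is an added example, not part of the Foresight documentation; both sample configurations are constructed, and the check assumes a single virtual host whose CA is given through SSLCACertificateFile, as on this page.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. The two sample configurations are constructed.

GOOD_VHOST='SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/apache2/ssl/ca.cer'

WEAK_VHOST='SSLProxyEngine On
SSLProxyCheckPeerCN off
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key
# client certificate is requested but not enforced
SSLVerifyClient optional'

# Prints one finding per line; exit status 1 when there is at least one finding.
audit_vhost() {   # $1 = vhost file; standard input when omitted
    awk '
        function show(k) { return (k in val) ? val[k] : "unset" }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { val[tolower($1)] = tolower($2) }       # last occurrence wins
        END {
            n = 0
            if (show("sslengine") != "on") {
                n++; print "SSLEngine is " show("sslengine") ", TLS is not enabled" }
            if (show("sslverifyclient") != "require") {
                n++; print "SSLVerifyClient is " show("sslverifyclient") ", client certificate not enforced" }
            if (!("sslcacertificatefile" in val)) {
                n++; print "SSLCACertificateFile is unset, no CA to verify client certificates against" }
            if (show("sslproxycheckpeercn") == "off") {
                n++; print "SSLProxyCheckPeerCN is off, backend certificate name is not checked" }
            if (show("sslproxycheckpeerexpire") == "off") {
                n++; print "SSLProxyCheckPeerExpire is off, expired backend certificates are accepted" }
            exit (n > 0)
        }' "${1:--}"
}

printf '%s\n' "$WEAK_VHOST" | audit_vhost || true   # demo run on the weak sample
```

With SSLVerifyClient set to anything other than require, the web server accepts connections without a client certificate and the second factor is not enforced at the transport layer.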

Changing Two-Factor Authentication Application

By default, two-factor authentication is used for the users with a linked client certificate.

The way to change how two-factor authentication is applied differs between the web application and the desktop application.

In the web application, create the Strategy_check string parameter and set its value in the settings.xml file:

<...>
    <Key Name="Manager">
        <Certificate Strategy_check="Always"/>
    </Key>
</...>

Available parameter values:

  • User. Default. Two-factor authentication is used if the user has a linked client certificate.

  • Always. Two-factor authentication is used for all users. The users who do not have a linked client certificate are denied access.

  • Never. Two-factor authentication is not used, even if the user has a linked client certificate.

In the desktop application, create the Strategy_check string parameter and set its value in the registry key HKEY_LOCAL_MACHINE\Software\Foresight\Foresight Analytics Platform\10.0\Manager\Certificate on the local computers of all users.

Available parameter values:

  • User. Default. Two-factor authentication is used if the user has a linked client certificate.

  • Always. Two-factor authentication is used for all users. The users who do not have a linked client certificate are denied access.

  • Never. Two-factor authentication is not used, even if the user has a linked client certificate.

See also:

Selecting Access Control Methods and Their Setup