HP-UX AAA Server A.08.00.01 Administrator's Guide
IMPORTANT NOTES:
• After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords of the database user and the test user, and the shared secret of the test user.
• If the shared secret provided by the token vendor is in ASCII format, edit the /etc/opt/aaa/sqlaccess.config file to change the following entry in the RetrieveUserAndToken SQL action:
DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)
to
DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)
and reload the configuration changes.
If you are using the RetrieveToken SQL action instead, the following entry must be modified:
DBC(shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)
to
DBC(shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)
and reload the configuration changes.
In addition, the RAD_USERS_TABLE is extended with the following entries:
RAD_USERS_TABLE
    security_question
    security_answer
    mailing_address
    mailing_city
    mailing_state
    mailing_pin
    mailing_country
    email_id
    work_phone
    mobile_phone
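The following is an added example, not HP-UX AAA Server code, illustrating why the sqlaccess.config entry must match the format the token vendor delivers: a hex-encoded secret must go through the hex-to-binary conversion (the FUNC form), while an ASCII secret is used as-is (the RAD form); the wrong choice produces a different key and every OTP fails. It assumes the token is an OATH HOTP token (RFC 4226, HMAC-SHA1, 6 digits); the stored values are constructed from the RFC 4226 test key.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample values: the RFC 4226 test key as it might be stored in
# RAD_TOKENS_TABLE.shared_secret, either as ASCII or hex-encoded.
ASCII_STORED = "12345678901234567890"
HEX_STORED = "3132333435363738393031323334353637383930"


def shared_secret_bytes(stored: str, vendor_format: str) -> bytes:
    """Apply the same conversion the config entry selects.

    "hex"   -> FUNC(AAASetConvertedHexToBinaryString): decode the hex text.
    "ascii" -> RAD(Otp-Shared-Secret, REPLY): use the column bytes unchanged.
    """
    if vendor_format == "hex":
        return bytes.fromhex(stored.strip())
    if vendor_format == "ascii":
        return stored.encode("ascii")
    raise ValueError(f"unknown shared-secret format: {vendor_format}")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code (assumed token algorithm)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(stored: str, vendor_format: str, counter: int, candidate: str,
               look_ahead: int = 3) -> Optional[int]:
    """Return the counter value that matched (caller persists counter + 1), or
    None.  The small look-ahead window tolerates token presses that were never
    submitted; compare_digest keeps the comparison constant-time."""
    key = shared_secret_bytes(stored, vendor_format)
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), candidate):
            return c
    return None


if __name__ == "__main__":
    # Correctly configured: both encodings of the same key give RFC 4226's 755224.
    print(hotp(shared_secret_bytes(ASCII_STORED, "ascii"), 0))
    print(hotp(shared_secret_bytes(HEX_STORED, "hex"), 0))
    # Misconfigured: a hex secret left on the ASCII path yields a different code.
    print(hotp(shared_secret_bytes(HEX_STORED, "ascii"), 0))
```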
Sample Policy Files
This section describes the sample policy files that are used for configuring OTP
authentication. This section addresses the following topics:
• “The oath-request-ingress.grp Sample File”
• “The oath-reply-egress.grp Sample File” (page 216)
• “The oath-proxy-egress.grp Sample File” (page 217)
Configuring OTP Authentication on the HP-UX AAA Server 215