YubiKey MFA – How to Configure in XTAM

If you are already a user of YubiKey Multi-factor or Two-factor authentication and would like to configure XTAM to use YubiKey, then please perform the following steps. Please note that you will need to be able to access and modify files on the XTAM host computer. Contact your XTAM System Administrator for assistance.

Pre-requisite: XTAM must be deployed with and configured to use its Federated Sign-In component in order to integrate with multi-factor authentication providers. For YubiKey MFA Integration, download this Federated Sign-in Module and follow the guide linked above for configuration.

Step 1. Register your YubiKey to get Yubico API Keys

1. Open your browser to https://upgrade.yubico.com/getapikey/

2. Enter your email address into the required field.

3. Enter your key’s OTP or touch your YubiKey to populate the YubiKey OTP field.

4. Check the box to accept the Yubico Terms and Conditions.

5. Click the Get API Key button.

6. The Yubico website will now display your client identity and client API keys. Save this information to a safe location, or leave your web browser open. You will need both the Client ID and Secret key values in the next step.

Step 2. Configure XTAM Integration with YubiKey

1. Log on to the XTAM host computer.

2. Open the file $XTAM_HOME/web/conf/catalina.properties in a text editor.

3. In this file, scroll down to the section labeled # YubiKey. If you do not have this section, copy and paste the entire section below to the bottom of your file.

# YubiKey
# Get your API clientId and secretKey here: https://upgrade.yubico.com/getapikey/

#cas.authn.mfa.globalProviderId=mfa-yubikey
cas.authn.mfa.yubikey.clientId=clientID
cas.authn.mfa.yubikey.secretKey=SecretKey
cas.authn.mfa.yubikey.name=XTAMYubiKey

cas.authn.mfa.yubikey.jpa.dataSourceName=java:comp/env/jdbc/PamDB
cas.authn.mfa.yubikey.jpa.driverClass=org.apache.derby.jdbc.ClientDriver
cas.authn.mfa.yubikey.jpa.dialect=org.hibernate.dialect.DerbyTenSevenDialect
cas.authn.mfa.yubikey.jpa.dataSourceProxy=true
cas.authn.mfa.yubikey.jpa.ddlAuto=update

4. Uncomment the line:

#cas.authn.mfa.globalProviderId=mfa-yubikey

5. Add your Client ID and Secret Key from Step 1 to the following lines:

cas.authn.mfa.yubikey.clientId=clientID
cas.authn.mfa.yubikey.secretKey=SecretKey

6. If you are using your own database and not the XTAM internal database, then modify the following lines. If you are using XTAM’s internal database, then skip this step.

cas.authn.mfa.yubikey.jpa.driverClass=org.apache.derby.jdbc.ClientDriver
cas.authn.mfa.yubikey.jpa.dialect=org.hibernate.dialect.DerbyTenSevenDialect

The values that need to be replaced are the ones to the right of the equals sign in the two lines above. You can find the replacement values in this same catalina.properties file, in the #PAM Database section. In this example, we would copy the SQL Server driver class and dialect values below and use them to replace those of the Derby database above.

hibernate.dialect=org.hibernate.dialect.SQLServer2012Dialect
hibernate.connection.driver_class=com.microsoft.sqlserver.jdbc.SQLServerDriver

7. When complete, save and close this file.

8. Restart the service PamManagement (Windows) or pammanager (Linux).

This configuration will enable YubiKey as the global MFA provider in XTAM for all user logins. If you wish to configure additional MFA providers or to enable YubiKey only for selected users or groups, then please see our MFA Configuration Guide article for more information.

Once configured, refer to the following FAQ article YubiKey – How to Login as a User for steps on how to use YubiKey MFA with XTAM from an end user’s perspective.
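
A check you can run on the edited properties text before restarting the service, added here as an example and not part of XTAM or Xton's documentation. It flags the three ways Step 2 is commonly left incomplete: the provider line still commented, the template Client ID or Secret Key left in place, and JPA driver or dialect values that differ from the PAM Database section. The function names and sample values are constructed, and it assumes the hibernate.* lines of the PAM Database section are active in the same file.

```python
PREFIX = "cas.authn.mfa.yubikey."
PLACEHOLDERS = {"clientId": "clientID", "secretKey": "SecretKey"}  # template values
# Step 6 (assumption: the "#PAM Database" hibernate.* lines are active in this file).
MIRRORS = {"jpa.driverClass": "hibernate.connection.driver_class",
           "jpa.dialect": "hibernate.dialect"}

def parse_properties(text):
    """Return {key: value} for active lines; commented lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_yubikey_config(text):
    """Return a list of problems; empty means steps 4-6 look complete."""
    props = parse_properties(text)
    problems = []
    if props.get("cas.authn.mfa.globalProviderId") != "mfa-yubikey":
        problems.append("step 4: globalProviderId is not active as mfa-yubikey")
    for name, placeholder in PLACEHOLDERS.items():
        if props.get(PREFIX + name, "") in ("", placeholder):  # never echo the value
            problems.append(f"step 5: {name} is missing or still the placeholder")
    for yubi, pam in MIRRORS.items():
        if pam in props and props.get(PREFIX + yubi) != props[pam]:
            problems.append(f"step 6: {yubi} does not match {pam}")
    return problems

# Constructed sample: template pasted unchanged beside a SQL Server PAM database.
PAM_DB = """hibernate.dialect=org.hibernate.dialect.SQLServer2012Dialect
hibernate.connection.driver_class=com.microsoft.sqlserver.jdbc.SQLServerDriver
"""
UNEDITED = PAM_DB + """#cas.authn.mfa.globalProviderId=mfa-yubikey
cas.authn.mfa.yubikey.clientId=clientID
cas.authn.mfa.yubikey.secretKey=SecretKey
cas.authn.mfa.yubikey.jpa.driverClass=org.apache.derby.jdbc.ClientDriver
cas.authn.mfa.yubikey.jpa.dialect=org.hibernate.dialect.DerbyTenSevenDialect
"""
# Constructed sample: the same file after steps 4-6 (ID and key are made up).
EDITED = PAM_DB + """cas.authn.mfa.globalProviderId=mfa-yubikey
cas.authn.mfa.yubikey.clientId=00000
cas.authn.mfa.yubikey.secretKey=constructed-example-key
cas.authn.mfa.yubikey.jpa.driverClass=com.microsoft.sqlserver.jdbc.SQLServerDriver
cas.authn.mfa.yubikey.jpa.dialect=org.hibernate.dialect.SQLServer2012Dialect
"""
if __name__ == "__main__":
    print(check_yubikey_config(UNEDITED), check_yubikey_config(EDITED))
```

To check a real file, pass the contents of $XTAM_HOME/web/conf/catalina.properties to check_yubikey_config; the messages name only the property, never the secret key value.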

 
 

Copyright © 2019 Xton Technologies, LLC. All rights reserved.