Wednesday, 23 June 2010

MobileID Android Version

Deepnet Security hasn’t published official documentation for one of their products, the Android version of MobileID. Probably they assume you have an Android phone and are familiar with the Android OS, so you can figure it out yourself. As you will see, the app is indeed quite straightforward to use.

Download

The app can be downloaded with your phone’s browser at this link. Of course you can use other ways to install the app on your phone.
Once installed, it looks like this:

“Not token yet”, and you can’t do anything! Don’t panic. If you think about it from a common-sense perspective, you will try the “Menu” button that every Android phone is supposed to have.

Press it and you will see 4 menu items on the screen.
Add Token

Touch it to open another activity.
A token can be installed in two different ways. With “By Download”, you need to enter the Service URL, Token Serial Number and Activation Code, which you get from your Deepnet service provider (DSP).

If your service provider doesn’t expose the service URL, try the other approach, “Install Locally”. This time you have to get the Token Seed and Token Serial Number from your DSP, but you can choose the “Token Name” yourself. Note that the token seed is the shared secret from which every OTP is derived, so handle it as carefully as a password.

Once you click the “OK” button, a new token is added to your MobileID store, assuming you have entered the correct data.

Now touch the “Generate OTP” button; the OTP(s) will be generated and shown in the LCD area.



There are two buttons beside the bar that shows the current token’s name. The left one is an info button that shows the token information when you click it.

The right one is a sync button; it synchronizes the current token with the Deepnet Authentication Server, provided the token was installed by download (that is, it has a service URL).

Do you notice the bar at the bottom of the screen showing the text “OTP Mode”? Hold it for more than one second and a context menu appears, letting you switch between the three modes: OTP, Sign and Challenge.

Are you a VIP with many tokens for accessing different applications? If so, you may wonder how to switch the active token easily. This app has a convenient feature: fling/swipe the current token area and it shifts to the adjacent token in the direction of your fling.

Management Token

This activity lists all the tokens you have installed. Long-click a token and a context menu pops up that lets you delete the token, change its name, view its details and make it the primary (active) one (marked with a * sign).

Change PIN

Want more privacy? You can add a PIN to protect this app. There is no OK or Cancel button on this activity; you have to click the “Back” button to return to the main activity.

Now if you rerun the app (exit first), it presents the PIN page first; you have to enter the correct PIN to reach the normal OTP activity. Enter a wrong PIN and the app shows a warning dialog saying how many attempts you have left. If that reaches zero, sorry, the app removes all tokens for security reasons, and you will have to install them again with the data from your DSP.

Exit

There are no statistics on how much battery power this app consumes while idle. If you are concerned about this, press the “Exit” menu item to quit fully and ease your mind.

It is said that any Android phone with OS 1.5 or later can run this app.

Friday, 18 June 2010

DualShield Radius Server Installation on Linux

A console installation of DualShield Radius Server is quite similar to the installation of DualShield.

Specify the installation path; here we use /opt/dualradius. You can use another folder, but make sure it is not the folder we used to install the DualShield Server.

Set the administration, authentication and accounting ports, and the RADIUS server FQDN.



This step produces some agent data, which you need to pass to the DualShield administrator.

The administrator uses the agent data to register a RADIUS server agent.

After registration, the administrator can download the agent configuration file (*.dsc) and pass it back to you.

This step asks where the agent configuration file is, so make sure you have copied the file to the server where DualRadius is being installed and enter the correct path.



Now the installer does the real work: copying files, configuring services and so on. If you see the following output, congratulations! You have installed DualRadius successfully.

If you still have doubts, list the processes with

ps aux | grep jsvc

You should see something like the following

Sometimes you may need to reinstall this product; I strongly recommend removing the existing one first. You can find the shell script “removedualradius.sh” in the “tools” subfolder; check its contents to see what it does.

DualShield Installation on Linux System

Deepnet Security Ltd provides official installation guides. If you decide to install DualShield through the GUI under X Window, please refer to them. The user experience is almost identical.

Here I am going to show how to install DualShield with the console installer, which is quite common on Linux, as some Linux servers (especially appliances) don’t have X11 installed.

The Linux installation package is supposed to work on the popular Linux distributions. We have tested it on Fedora 10, Ubuntu 9.04, Ubuntu JEOS and CentOS 5.2.

After downloading the package onto your Linux system, the first thing to do is change the file attributes to make it executable:

chmod a+x setupdualshield.bin
chmod a+x setupdualradius.bin

The installer needs to be run with root privileges. On some systems you can use the sudo command; here I just use the root account.

The full command is
./setupdualshield.bin -- -console
If you only type ./setupdualshield.bin (without any arguments), it runs as a GUI-mode installation.



First it shows a simple welcome text, then asks you to “press 1 to accept, 2 to reject, 3 to redisplay”.

Next, it shows you the license agreement. Interested in the terms and conditions? Read them carefully; otherwise, just press Enter a few times to reach the end.

The default installation destination is “/usr/local/dualshield”; if you are happy with the default, just press Enter. I usually install the software to the /opt/dualshield folder.
Now you define the settings for the management server. The most important one in this step is the FQDN.



This step collects some information for the SSO server. Along with the management server FQDN, the SSO server FQDN will be used later in the HOSTS file or on the DNS server. Without them, a browser on your LAN won’t know where to reach the servers.

Check the official documentation for the meaning and purpose of the ports defined in this step. Leave them alone and take the defaults if you decide to learn about them later.

You should adjust the JVM switches based on the free memory of your machine to optimize performance.

Currently, the beta version only supports software encryption.

Install a copy of MySQL, or alternatively connect to an existing SQL server. Here you basically need to specify the server address, port and a database for storing the DualShield data. Apart from MySQL, DualShield is believed to support at least Microsoft SQL Server and Oracle.

That is all. After this, the installer no longer accepts any user input; it copies files and configures the services according to your settings.
You should see the following output if everything goes well.




Double-check that the installation succeeded with the command

ps aux | grep mysqld

Under normal circumstances you would expect the following result

Also check the jsvc processes

ps aux | grep jsvc

Don’t forget to modify the firewall (if the iptables service is running) to allow the TCP ports for the management console and SSO server; they are 8443 and 9443 if you chose the default settings. For testing purposes, or if you are lazy like me, just stop the iptables service.




Now you can access the DualShield Management Console by typing the following URL into your browser, assuming you use the same FQDN and port as mine:

https://dualshield.nanoart.local:8443

Mind you, don’t use an IP address in this URL, and make sure the machine your browser runs on can resolve the FQDN correctly. Depending on your taste, add it to your HOSTS file or DNS server.
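As an added example (my own script, not Deepnet’s tooling and not part of the original post), here is a small POSIX shell script that bundles the post-install checks from both posts: the jsvc check from the DualRadius installation, and the mysqld/jsvc, firewall and FQDN checks above. It assumes the default ports 8443 and 9443 and the example FQDN dualshield.nanoart.local; the process listing embedded in it is constructed for an offline self-check, not captured from a real host.

```shell
#!/bin/sh
# Post-install check for a DualShield / DualRadius host. Added example, not Deepnet's own tooling.
# Assumes this page's defaults: ports 8443 (management console) and 9443 (SSO server) and the
# example FQDN dualshield.nanoart.local; override with the DS_FQDN / DS_PORTS environment variables.
DS_FQDN="${DS_FQDN:-dualshield.nanoart.local}"
DS_PORTS="${DS_PORTS:-8443 9443}"
# Count processes matching $1 in a 'ps aux' listing read from stdin, ignoring the grep itself.
count_procs() {
    grep -v 'grep' | grep -c "$1" || true
}

# Succeed if a TCP listener on port $1 appears in 'netstat -ltn' or 'ss -ltn' output on stdin.
port_listening() {
    grep 'LISTEN' | grep -q ":$1[[:space:]]"
}

# The page says not to use an IP in the console URL: succeed only for a non-numeric hostname.
is_hostname() {
    case "$1" in
        *[!0-9.]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print iptables rules that open only the DualShield ports instead of stopping iptables outright.
firewall_rules() {
    for p in $DS_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $p -j ACCEPT"
    done
}

# Constructed sample of 'ps aux' output (not captured from a real host), for an offline self-check.
SAMPLE_PS='mysql  2201  0.3  4.1 /usr/sbin/mysqld --basedir=/usr
root   2310  0.0  0.1 /opt/dualshield/jsvc -home /opt/dualshield/jre
root   2311  1.2  9.8 /opt/dualshield/jsvc -home /opt/dualshield/jre
root   2498  0.0  0.0 grep jsvc'
# Live checks against the current host; run with:  sh dscheck.sh run
main() {
    echo "mysqld processes: $(ps aux | count_procs mysqld)"
    echo "jsvc processes:   $(ps aux | count_procs jsvc)"
    for p in $DS_PORTS; do
        if netstat -ltn 2>/dev/null | port_listening "$p"; then echo "port $p: listening"
        else echo "port $p: NOT listening"; fi
    done
    if is_hostname "$DS_FQDN" && getent hosts "$DS_FQDN" >/dev/null; then echo "$DS_FQDN resolves"
    else echo "$DS_FQDN does not resolve: add it to your HOSTS file or DNS server"; fi
    echo "iptables rules to apply if the firewall is running:"; firewall_rules
}
[ "${1:-}" = "run" ] && main
```

Run it as sh dscheck.sh run on the installed host; rather than stopping iptables, apply the printed rules so that only the DualShield ports are exposed.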

At this stage, I strongly recommend reading the official “Quick Start Guide” for further information.

Finally, if you want to remove this product from your machine, check the shell script “removedualshield.sh” provided in the “tools” subfolder for what it does.