Configuring an OATH Application with ActivID Authentication Server
- Go to the Device Policy - Creation page.
- In the Action column, next to OATH, click Add, and then click Configure.
  The Device Policy - Set Application Information page appears:
- Friendly Name: Enter a name that easily identifies the type of application you have selected for the device policy.
- Provider drop-down list: Select ActivID Authentication Server.
- Authentication Server drop-down list: Select the name of the ActivID Authentication Server that will manage the credentials for this application. This server must have been declared in ActivID CMS previously.
- Template drop-down list: Select the template for this application.
  Note: In the current version of ActivID CMS, only the OATH HOTP Credential Profile Template can be used for YubiKey devices.
- Click Submit.

- Enter the desired Authentication Policy and Administration Group parameters. These parameters must have been previously configured in ActivID Authentication Server. The read-only values are configured by default in ActivID Authentication Server or ActivID Appliance.
- Update the Device Validity Period, Credential Validity Period, and OTP Length parameters, if necessary.
- Click Set.

- Enter the desired Authentication Policy and Administration Group parameters. These parameters must have been previously configured in ActivID Authentication Server or ActivID Appliance. The read-only values are configured by default in ActivID Authentication Server or ActivID Appliance.
- Update the Device Validity Period, Credential Validity Period, and OTP Length parameters, if necessary.
- Choose the desired HMAC type from the drop-down list.
- If necessary, update the Time step (set to 30 seconds by default).
- Click Set.

- Enter the desired Authentication Policy and Administration Group parameters. These parameters must have been previously configured in ActivID Authentication Server or ActivID Appliance. The read-only values are configured by default in ActivID Authentication Server or ActivID Appliance.
- Update the Device Validity Period, Credential Validity Period, and OCRA Suite parameters, if necessary.
- Click Set.

About ActivID Authentication Server Configuration for OCRA
The ActivID Authentication Server configuration must be kept in sync with the ActivID CMS configuration. The following points may need special attention:
- Credential Type: CT_CMS_OA
  The OCRA Suite (with counter or timestamp, depending on the desired behavior) parameters in ActivID Authentication Server must match the ones configured in ActivID CMS; otherwise ActivID Authentication Server may be unable to authenticate the devices issued with ActivID CMS.
- Device Type: DT_CMS_OA
  The Asynchronous authentication code length and the Challenge length parameter values in ActivID Authentication Server must match the values in the OCRA Suite parameters in both ActivID CMS and in ActivID Authentication Server.
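
The consistency requirements above can be checked mechanically before devices are issued. The following Python is an added example, not ActivID code: it assumes the OCRA Suite on each side can be written as an RFC 6287 suite string, and the function names and sample suites are constructed for illustration.

```python
import re

# Assumption: both sides express the OCRA Suite as an RFC 6287 string.
_CRYPTO = re.compile(r"HOTP-(SHA1|SHA256|SHA512)-(\d{1,2})$")
_CHALLENGE = re.compile(r"Q([ANH])(\d{2})$")
_TIMESTEP = re.compile(r"T(\d{1,2})([SMH])$")
# Constructed sample suites (not taken from any real deployment).
CMS_SUITE = "OCRA-1:HOTP-SHA256-8:C-QN08"
AS_SUITE = "OCRA-1:HOTP-SHA256-8:QN08-T1M"


def parse_ocra_suite(suite):
    """Split an RFC 6287 OCRASuite string into the fields that must agree."""
    parts = suite.strip().upper().split(":")
    if len(parts) != 3 or parts[0] != "OCRA-1":
        raise ValueError(f"not an OCRA-1 suite: {suite!r}")
    crypto = _CRYPTO.match(parts[1])
    if not crypto:
        raise ValueError(f"bad CryptoFunction: {parts[1]!r}")
    digits = int(crypto.group(2))
    if digits != 0 and not 4 <= digits <= 10:
        raise ValueError(f"bad response length: {digits}")
    fields = {"hash": crypto.group(1), "code_length": digits, "counter": False,
              "challenge_format": None, "challenge_length": None, "timestep": None}
    for token in parts[2].split("-"):
        q, t = _CHALLENGE.match(token), _TIMESTEP.match(token)
        if token == "C":
            fields["counter"] = True
        elif q:
            fields["challenge_format"] = q.group(1)
            fields["challenge_length"] = int(q.group(2))
        elif t:
            fields["timestep"] = token
        elif not re.match(r"(PSHA(1|256|512)|S\d{3})$", token):
            raise ValueError(f"bad DataInput token: {token!r}")
    if fields["challenge_length"] is None or not 4 <= fields["challenge_length"] <= 64:
        raise ValueError("suite needs a challenge of 04-64 characters")
    return fields


def find_mismatches(cms_suite, as_suite, as_code_length, as_challenge_length):
    """Return the settings that differ between the CMS and server sides."""
    cms, srv = parse_ocra_suite(cms_suite), parse_ocra_suite(as_suite)
    problems = [f"{k}: CMS={cms[k]} AS={srv[k]}" for k in cms if cms[k] != srv[k]]
    if as_code_length != cms["code_length"]:
        problems.append(f"code length {as_code_length} != suite {cms['code_length']}")
    if as_challenge_length != cms["challenge_length"]:
        problems.append(f"challenge length {as_challenge_length} != suite {cms['challenge_length']}")
    return problems
```

An empty list from `find_mismatches` means the suite, the asynchronous authentication code length and the challenge length all agree; the two sample suites differ in counter versus timestamp and are reported as mismatched.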