You can configure a third-party security platform to authenticate users during multi-factor authentication (MFA) instead of using the MCP EMAIL utility. Using the EMAIL utility for MFA requires that a user enter a one-time passcode (OTP) that is sent to the email address configured for the usercode attempting to authenticate. Configuring a third-party security platform to authenticate users provides more flexibility in how users can authenticate. At the time of publication, Duo Security is the only supported third-party security platform that you can configure for use with your MCP system.
To ensure that your MCP system can be integrated with Duo Security, do the following:
- Install and configure MCP Cryptographic Services and its necessary components in the Windows and MCP environments. You should also ensure that the cryptographic keys are installed in the MCP Environment.
  Note: For more information on MCP Cryptographic Services and how to install them, see MCP Cryptographic Services and Installing Security Components.
  To verify that MCP Cryptographic Services are running in your environment, enter the following command from the ODT or MARC:
  NA MCAPI STATUS
  Note: For more information on using the NA MCAPI STATUS command, see Configuring the MCAPISUPPORT Library.
- Enable TCP/IP over a Secure Socket Layer (SSL) connection. Enter the following command:
  NW TCPIP OPTION + SSL
- Obtain a Duo Security certificate and install it on the trusted MCP ROOT store.
  Note: Ensure that you also install all root and intermediate Certificate Authorities (CAs).
- Install and configure the XML Parser
  Ensure that your system meets all of the prerequisites defined in the subtopic, “XML Parser” in Section 1, “Introduction to Application Support” of the WEBAPPSUPPORT Application Programming Guide and do the following:
  - Install the MCPXMLParserx64.msi in the Windows environment of your MCP system.
    For information on accessing and installing the MCPXMLParserx64.msi file, see Section 4, “XML Parser Administration” of the WEBAPPSUPPORT Application Programming Guide.
  - Ensure that the configuration of your MCP system matches the configuration defined in the JPMConfig.xml file.
    You can find the JPMConfig.xml file in the following location:
    C:\ProgramData\Unisys\MCP\XMLJPM\JPM1\Config\JPMConfig.xml
  - From a command prompt with Administrator privileges, enter JPMMODULE.BAT to initiate the Java package manager (JPM).
- Update the MFASupport configuration file
  During system installation, the *MFASUPPORT/CONFIGURATION file is copied to DISK. This configuration file lets MCP administrators enable support for third-party MFA providers (such as Duo Security).
  To use Duo Security to authenticate users, you must add specific Duo Security attributes to the *MFASUPPORT/CONFIGURATION file. You can access these attributes from www.duo.com under the protected applications that are selected by the Duo Administrator.
  Access the following attributes from Duo and add them to the *MFASUPPORT/CONFIGURATION file:
  Notes:
    - A usercode must have SECADMIN privileges to access the configuration file.
    - As a best practice, Unisys recommends that you enclose the following attributes in quotation marks (for example, '<attribute>') when you add them to the *MFASUPPORT/CONFIGURATION file.
  - API host name
    For example, https://api-MYHOST.duosecurity.com.
  - Integration key
    The HTTP username that is used to authenticate requests.
  - Secret key
    The HMAC key that is used to generate the HMAC-SHA1 signature needed for each API request.
  For security, the MFASUPPORT library checks the *MFASUPPORT/CONFIGURATION file for the SECADMIN and SENSITIVEDATA attributes. Ensure that the SECADMIN and SENSITIVEDATA attributes are set when you modify the configuration file.
  You can use file equation if you want to save the configuration file on a different pack than the MFASUPPORT codefile.
- Enable the MFA security option and set the appropriate attributes.
  Set the SECOPT MFA option to ENABLED to enable multi-factor authentication. When MFA is ENABLED, configure the following attributes, as needed:
  - MFAREQUIRED
  - MFAPROTOCOL
    Note: The protocols DUOPUSH, DUOPHONE, and DUOPULL are only valid for MFA configurations using the third-party security platform Duo Security.
  - MFAUSERNAME
  For more information, see the subtopics, “Multi-Factor Authentication Required (MFAREQUIRED),” “Multi-Factor Authentication Protocol (MFAPROTOCOL),” and “Multi-Factor Authentication Username (MFAUSERNAME)” in Types of Access Rights.

