Symantec Validation and ID Protection (VIP) Service is a cloud-based strong authentication service that lets enterprises secure access to networks and applications while keeping unauthorized attackers out. A unified solution providing both two-factor and risk-based token-less authentication, VIP is based on open standards and integrates easily into enterprise applications.

For more information about Symantec VIP click here.

Symantec VIP offers different types of integration solutions.

  1. RADIUS server based integration
    • Authentication method 1: Username + password + security code
    • Authentication method 2: Username + security code
  2. Web services based integration
    • User services
    • Manager (admin) services
  3. SAML based integration
    • Self service portal SSO
    • VIP Manager SSO

Setup Details Using RADIUS

Symantec VIP Enterprise Gateway setup

  1. Install and configure VIP Enterprise Gateway
    Install and configure VIP Enterprise Gateway, then add the RADIUS validation server.

    • For more information, refer to the VIP Enterprise Gateway Installation and Configuration Guide.
  2. Add the validation server in one of the following modes
    1. Username + password + security code
    2. Username + security code

NetIQ Access Manager Identity Server setup details

a) Create a user store, or use the configured default user store, as required

b) Create a class, selecting Radius Class from the dropdown

c) On step 2 of configuring the Radius class, enter the required details

  1. Port – enter the port of the VIP RADIUS validation server (configured in the steps above); the default is 1812
  2. Shared secret – enter the shared secret of the VIP RADIUS validation server
  3. The remaining fields can be left at their default values; for a customized login page, configure a JSP as described in the NAM documentation
  4. Check Require password when the VIP RADIUS validation server is in Username + password + security code mode; leave it unchecked when the server is in Username + security code mode
  5. Configure an authentication method using the Radius class created above and select OK
  6. Configure a contract using the method created above and select OK
  7. Select Update IDP and wait for the IDP health to turn current (green).
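The RADIUS exchange that the Radius class configured above drives, as an added example in Python that is not from the article or from NetIQ or Symantec. It builds the Access-Request carrying the user name and the submitted credential in User-Password (obscured with the shared secret as RFC 2865 describes), constructs the Access-Accept a validation server would return, and verifies the Response Authenticator, which is the check that tells the client the reply came from a server holding the shared secret. The secret, user name and security code are constructed sample values; the port is the article's default 1812.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2        # attribute types used here

def obscure_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(obscured: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obscure_password; the validation server does this before checking the code."""
    out, prev = b"", authenticator
    for i in range(0, len(obscured), 16):
        block = obscured[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident: int, username: str, credential: str, secret: bytes,
                         authenticator: bytes = b"") -> bytes:
    """Access-Request as the Radius class sends it to the validation server on UDP port 1812."""
    authenticator = authenticator or os.urandom(16)   # fresh random Request Authenticator
    attrs = _attr(USER_NAME, username.encode()) + \
        _attr(USER_PASSWORD, obscure_password(credential.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Constructed reply standing in for VIP Enterprise Gateway: no attributes, only the authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(response) < 20 or len(response) != struct.unpack("!H", response[2:4])[0] \
            or response[1] != request[1]:   # length must be consistent and the id must match ours
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A reply that fails response_is_authentic was not produced by a server holding the shared secret, so a wrong secret on either side shows up as rejected replies rather than as a clean error message.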

Testing the configuration

a) Install Symantec VIP credentials on a mobile device or on the desktop

b) Access the RADIUS contract and enter the user name, the security code generated by the VIP credential client, and the password (the password text box is shown only if Require password is enabled in the NAM configuration)

c) Submit the form

Setup Details Using User Web Services

NetIQ Access Manager Identity Server setup details

  1. Download VIP_UserServicesWSDL and extract the archive
  2. Download the certificate from VIP Manager and save it as vip_cert.p12
  3. Download Axis2 (check the Symantec documentation for the version); tested using 1.6.2
  4. Download the Apache Ant package and extract it locally.
  5. Open a DOS prompt and set AXIS2_HOME to the extracted Axis2 directory: in Windows “set AXIS2_HOME=<<dir>>”; for Linux, open PuTTY and run “export AXIS2_HOME=<<dir>>”
  6. Set the ANT_HOME environment variable to the extracted Apache Ant directory: in Windows “set ANT_HOME=<<dir>>”; for Linux, open PuTTY and run “export ANT_HOME=<<dir>>”
  7. Add the Axis2 and Ant bin directories to the path: in Windows “set PATH=%PATH%;%ANT_HOME%\bin;%AXIS2_HOME%\bin”; in Linux “export PATH=$PATH:$ANT_HOME/bin:$AXIS2_HOME/bin”
  8. Change directory to the VIP_UserServicesWSDL folder where the WSDL file exists
  9. Execute the following command to generate stubs for the WSDL: “wsdl2java -uri vipuserservices-auth-1.1.wsdl -p <<package>> -o gen-src-auth” (-p takes the Java package name for the generated classes)
  10. Execute the following command to compile and create the lib file: “ant -Dname=vipuserservices”. Alternatively, copy the generated source into an Eclipse Java project, add the Axis2 libraries to the class path and build the project to get binary code for the generated source
  11. Create sample working verification code using the Symantec VIP sample code (a sample verification method is added at the end of this article)
  12. Write a custom authentication class using the sample above. Follow the custom authentication class implementation SDK and documentation; a similar authentication class can be used as a reference
  13. Create the token form JSP; refer to the Cool Solution above for how to define the JSP.
  14. Copy the downloaded vip_cert.p12 file to a folder on the IDP
  15. Copy the custom authentication class jar file to “/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib”
  16. Restart the IDP using the command “/etc/init.d/novell-idp restart”
  17. Wait for the IDP to complete its start successfully.
  18. Create a user store, or use the configured default user store, as required
  19. Create a class using the custom authentication class: select Other from the dropdown
  20. Type the class name with its package structure
  21. Select Next and Finish
  22. Create an authentication method using the authentication class created above
  23. Create a contract using the method created above.
  24. Update the IDP and wait for the IDP health to turn current (green)

Testing the configuration:

a) Install Symantec VIP credentials on a mobile device or on the desktop

b) Access the newly created contract and enter the user name and password; when asked for the token, enter the security code generated by the VIP credential

c) Submit the form

Example TOTP verification code (requires java.rmi.RemoteException and the stub classes generated into the package chosen in step 9):

public static void validateUser() throws RemoteException {
    // Client certificate downloaded from VIP Manager (step 2) and the password chosen at download time.
    // In a production class read both from protected configuration instead of hardcoding them.
    String pathToP12File = "/tmp/vip_cert.p12";
    String password = "password"; // password given while downloading cert
    // These JSSE properties are JVM-wide: on the IDP they affect every outbound TLS connection, not just this call.
    System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
    System.setProperty("javax.net.ssl.keyStore", pathToP12File);
    System.setProperty("javax.net.ssl.keyStorePassword", password);
    // Endpoint of the VIP user services AuthenticationService; take the URL from the Symantec VIP documentation.
    AuthenticationServiceStub authServiceStub = new AuthenticationServiceStub("<<VIP AuthenticationService endpoint URL>>");
    // The class names below are the Axis2 ADB types generated from vipuserservices-auth-1.1.wsdl;
    // the setters that link them (setRequestId, setUserId, setOtp) are assumed from the generated stub.
    CheckOtpRequest uReq = new CheckOtpRequest();
    CheckOtpRequestType otpReqType = new CheckOtpRequestType();
    RequestIdType requestIdType = new RequestIdType();
    requestIdType.setRequestIdType("rqstId" + System.currentTimeMillis()); // unique id per request
    otpReqType.setRequestId(requestIdType);
    UserIdType userType = new UserIdType();
    userType.setUserIdType("testuser1"); // VIP user id
    otpReqType.setUserId(userType);
    OtpType otp = new OtpType();
    otp.setOtpType("770379"); // security code shown by the VIP credential
    otpReqType.setOtp(otp);
    uReq.setCheckOtpRequest(otpReqType);
    CheckOtpResponse checkOtpResponse = authServiceStub.checkOtp(uReq);
    CheckOtpResponseType checkOtpResponseType = checkOtpResponse.getCheckOtpResponse();
    System.out.println("Status : " + checkOtpResponseType.getStatus());
    System.out.println("Status message : " + checkOtpResponseType.getStatusMessage());
    System.out.println("Server detail message : " + checkOtpResponseType.getDetailMessage());
}

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: cstumula
May 22, 2014
4:35 pm