4.2 Configuring Optional Settings

The following table describes the optional settings that you can configure for Linux Client:

Setting                          Description

tenant_name                      If you use Multitenancy, you must point Linux Client to a specific tenant. For more information, see Configuration Settings for Multitenancy.

event_name: <CustomEventName>    If you use both domain-joined and non-domain machines, you can use a custom event for the specific machines. For more information, see Selecting an Event.

card.timeout: X                  Changes the default timeout of the Card waiting dialog. For more information, see Configuring Timeout for Card Waiting.

u2f.timeout: X                   Configures the timeout for authentication with the U2F token. For more information, see Configuring Timeout for the U2F Authentication.

logEnabled: true                 Enables the Linux Client logs for debugging. For more information, see Enabling Logs on Linux Client.

verifyServerCertificate          Configures the verification of server certificates for the LDAP connection. For more information, see Configuring Verification of Server Certificates.

authentication_agent_enabled     Enables the Authentication Agent chain in Linux Client. For more information, see Enabling the Authentication Agent Chain.

forceCachedLogon                 Enforces the cached login for unlocking the Client. For more information, see Configuring the Enforced Cached Login.

default_repo

NOTE: The separator between a setting and its value can be either an equal sign (=) or a colon (:).

4.2.1 Configuration Settings for Multitenancy

If the Multitenancy option is enabled, you must add the parameter tenant_name with a tenant name as the value in the pam_aucore.conf file.

To configure a specific tenant name, perform the following steps:

  1. Navigate to /opt/pam_aucore/etc/ and open the pam_aucore.conf file.

  2. Specify tenant_name: <name of tenant>

    For example, tenant_name: TOP for the TOP tenant.

    If the configuration file does not exist, create a new file.

  3. Save the changes.

  4. Restart the system.

NOTE: If you do not add the tenant_name parameter, the error message Tenant not found might be displayed.

Creating a Linux Endpoint When the Tenant Name Matches the Domain

In the Multitenancy mode, by default a new endpoint gets mapped to the tenant name that has the same name as the domain name. You can also add an endpoint to a preferred tenant that does not have the same name as the domain.

To add an endpoint to a specific tenant in the Multitenancy mode, perform the following steps:

  1. Install the PAM Client.

  2. Edit the configuration file pam_aucore.conf and set the tenant_name parameter to the preferred tenant name.

    For example, TOP.

  3. Run an activation script for the domain mode.

  4. Save the changes.

  5. Restart the system.

4.2.2 Selecting an Event

By default, Linux Client uses the Linux logon event for authentication. However, in some scenarios you must create a separate custom event.

For example, if the predefined event is used for DNS-joined workstations, you can create a custom event of the type Generic for the workstations that are not DNS joined.

To configure a custom event for Linux Client, perform the following steps:

  1. Navigate to /opt/pam_aucore/etc/ and open the pam_aucore.conf file.

  2. Specify event_name: <CustomEventName>

    If the configuration file does not exist, create a new file.

  3. Save the changes.

  4. Restart the system.

4.2.3 Configuring Timeout for Card Waiting

You can configure the time for which the card waiting dialog is displayed when the user authenticates with the Card method. If the user does not present the card within the specified timeout period, the Hardware timeout message is displayed and the card waiting dialog is closed. The user login selection screen is then displayed.

To configure the timeout for card waiting, perform the following steps:

  1. Navigate to /opt/pam_aucore/etc/ and open the pam_aucore.conf file.

  2. Specify card.timeout: X.

    X is the timeout value in seconds. By default, the card timeout is 60 seconds.

    If the configuration file does not exist, create a new file.

  3. Save the changes.

  4. Restart the system.

4.2.4 Configuring Timeout for the U2F Authentication

You can configure the timeout after which authentication fails if the U2F token is not touched. The default timeout is 60 seconds.

To configure the timeout for U2F authentication, perform the following steps:

  1. Open the configuration file /opt/pam_aucore/etc/pam_aucore.conf.

    If the file does not exist, create a new file.

  2. Specify u2f.timeout: X in the pam_aucore.conf file. X is the timeout value in seconds.

  3. Save the configuration file.

  4. Restart the operating system.

4.2.5 Enabling Logs on Linux Client

You can enable the logs of Linux Client to view them for debugging.

To enable the logs of Linux Client, perform the following steps:

  1. Run the following command to edit the configuration file:

    sudo vi /opt/pam_aucore/etc/pam_aucore.conf

  2. Specify logEnabled:true.

    If the configuration file does not exist, create a new file.

  3. Save the changes.

  4. Restart the system.

The logs are generated in the path /opt/pam_aucore/var/log/.

4.2.6 Configuring Verification of Server Certificates

You can secure the connection between Linux Client and the Advanced Authentication servers with a valid SSL certificate. Verifying the server certificate protects the connection against interception and tampering and ensures that authentication is performed against a trusted server.

You can enable verification of a server certificate on Linux platforms in the following ways:

NOTE: You must upload the SSL certificate in the Administration portal > Server Options. The SSL certificate provides a high level of encryption, security, and trust. For more information about how to upload the SSL certificate, see Uploading the SSL Certificate.

Using PAM Certificate Path

To enable verification of a server certificate in the PAM certificate path on any Linux platform, perform the following steps:

  1. Navigate to /opt/pam_aucore/etc/ and open the pam_aucore.conf file.

  2. Specify verifyServerCertificate:true.

    If the configuration file does not exist, create a new file.

  3. Place the trusted certificates in the path /opt/pam_aucore/certs.

    If the certificates are not available in /opt/pam_aucore/certs, the PAM module searches for an OS specific certificate directory.

    NOTE: Ensure that the server certificates are in the .cert or .crt format.

  4. Run sudo chmod 644 on the certificate files to set their permissions.

  5. Restart the system.

Using Operating System Specific Certificate Paths

To enable verification of a server certificate in the operating system (OS) specific certificate path, perform the following steps:

  1. Navigate to /opt/pam_aucore/etc and open the pam_aucore.conf file.

  2. Specify verifyServerCertificate:true.

    If the configuration file does not exist, create a new file.

  3. Place the trusted certificates in the OS specific path of the respective Linux platform. Following are the OS specific paths of the Linux platforms:

    • CentOS 7.x, Red Hat - /etc/pki/ca-trust/source/anchors

    • SUSE 11.x - /etc/ssl/certs

    • SUSE 12.x - /etc/pki/trust/anchors

    • Ubuntu 16.x, Debian 8.x - /usr/local/share/ca-certificates

  4. Run sudo chmod 644 on the certificate files to set their permissions.

  5. Run the command specific to the platform to update the certificates:

    • CentOS 7.x, Red Hat - sudo update-ca-trust

    • SUSE 11.x - sudo c_rehash /etc/ssl/certs

    • SUSE 12.x - sudo update-ca-certificates

    • Ubuntu 16.x, Debian 8.x - sudo update-ca-certificates

  6. Restart the system.

4.2.7 Enabling the Authentication Agent Chain

You can enable the Authentication Agent chain in the Linux Client so that users can authenticate with the Authentication Agent on a Windows system and get seamless access to a Linux Client that does not support external devices. To perform such an authentication, users must select the Authentication Agent chain from the Chains list of Linux Client; this initiates the authentication process on the Windows system where the Authentication Agent is installed.

To enable the Authentication Agent chain in the Linux Client, perform the following steps:

  1. Navigate to /opt/pam_aucore/etc/ and open the pam_aucore.conf file.

  2. Specify authentication_agent_enabled: true.

    If the configuration file does not exist, create a new file.

  3. Save the changes.

  4. Restart the system.

4.2.8 Configuring the Enforced Cached Login

When the network connection is slow or unstable, the Client logon or unlock process might take several minutes. To avoid this, you can enforce the cached logon: the Client logs the user in from the cache and then connects to the Advanced Authentication server in the background to validate the credentials. By default, the enforced cached logon is disabled and the Client always tries to connect to the Advanced Authentication server to validate the credentials.

To enforce cached login for Linux Client, perform the following steps:

  1. Navigate to /opt/pam_aucore/etc/ and open the pam_aucore.conf file.

  2. Specify forceCachedLogon: true.

    If the configuration file does not exist, create a new file.

  3. Save the changes.

  4. Restart the system.