This section is applicable for Debian 8 Jessie. The procedure may differ for other distributions.
This section explains how to configure a web server to use FIDO U2F authentication in NetIQ Access Manager for the OAuth 2.0 event.
According to the FIDO U2F specification, both enrollment and authentication must be performed on the same domain name. Because NetIQ Access Manager and the Advanced Authentication appliance are located on different servers, you must configure a web server that performs the following actions:
Port forwarding to Advanced Authentication appliance for the FIDO U2F method enrollment
Port forwarding to NetIQ Access Manager for further authentication using FIDO U2F tokens
Perform the following actions to configure a web server to use the FIDO U2F authentication.
You must install the Nginx web server for URL forwarding. To install Nginx, add the following two lines to the /etc/apt/sources.list file:
deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all
Run the following commands to create the certificate directory and generate a self-signed certificate and private key (valid for 365 days) for the proxy:
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/proxy.key -out /etc/nginx/ssl/proxy.crt
Add the following to the /etc/nginx/sites-available/proxy file:
server {
    listen 443 ssl;
    error_log /var/log/nginx/proxy.error.log info;
    server_name nam.company.local;
    ssl_certificate /etc/nginx/ssl/proxy.crt;
    ssl_certificate_key /etc/nginx/ssl/proxy.key;

    location ~ ^/account {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass https://<appliance_IP>$uri?$args;
    }

    location ~ ^/static {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass https://<appliance_IP>$uri?$args;
    }

    location ~ ^/admin {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass https://<appliance_IP>$uri?$args;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_read_timeout 300;
        proxy_pass https://<NAM_IP>;
    }
}
Create a symbolic link to enable the site and reload the nginx service by running the following commands:
ln -s /etc/nginx/sites-available/proxy /etc/nginx/sites-enabled/proxy
service nginx reload
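The following Python model is an added illustration, not part of the NetIQ documentation or the product: it reproduces the routing and header behaviour of the Nginx configuration above and checks the point that motivates it, namely that the enrollment paths land on the appliance and everything else on Access Manager while the browser sees a single origin. The hostnames, upstream addresses and sample request paths are constructed placeholders.

```python
"""Model of the reverse-proxy configuration from this procedure (added example).
PROXY_HOST mirrors server_name; APPLIANCE and NAM stand in for the
<appliance_IP> and <NAM_IP> placeholders; sample paths are constructed."""
import re
from urllib.parse import urlsplit

PROXY_HOST = "nam.company.local"          # server_name in the Nginx config
APPLIANCE = "https://appliance.example"   # stands in for https://<appliance_IP>
NAM = "https://nam.example"               # stands in for https://<NAM_IP>

# Nginx tests regex locations ("~") in file order and the first match wins;
# the plain prefix "location /" is the fallback for everything else.
REGEX_LOCATIONS = [(r"^/account", APPLIANCE),
                   (r"^/static", APPLIANCE),
                   (r"^/admin", APPLIANCE)]
DEFAULT_UPSTREAM = NAM


def route(path):
    """Return the upstream base URL a request path is proxied to."""
    for pattern, upstream in REGEX_LOCATIONS:
        if re.search(pattern, path):
            return upstream          # proxy_pass https://<appliance_IP>$uri?$args
    return DEFAULT_UPSTREAM          # proxy_pass https://<NAM_IP>


def forwarded_headers(remote_addr, incoming_xff=None):
    """Headers set by the proxy_set_header directives. X-Forwarded-For follows
    $proxy_add_x_forwarded_for: the client address is appended to any chain
    already present, so the back end can see the full path of the request."""
    xff = f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr
    return {"X-Real-IP": remote_addr,
            "X-Forwarded-Server": PROXY_HOST,   # $host as seen by the browser
            "X-Forwarded-For": xff,
            "Host": PROXY_HOST}


def u2f_origin(url):
    """FIDO U2F binds a registration to the web origin (scheme://host[:port]),
    which is why enrollment and authentication must share one domain name."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def origins_match(enroll_path, auth_path):
    """Both flows pass through the proxy: report whether the browser-visible
    origins agree and which back end each request actually reaches."""
    enroll_url = f"https://{PROXY_HOST}{enroll_path}"
    auth_url = f"https://{PROXY_HOST}{auth_path}"
    same = u2f_origin(enroll_url) == u2f_origin(auth_url)
    return same, route(enroll_path), route(auth_path)
```

A request sent directly to the appliance address instead of through the proxy would carry a different origin, so a token enrolled there could not be used for authentication against Access Manager.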