Store OTP secret data in an encrypted format

September 21, 2020

Contributed by:

S C

Starting from Citrix ADC release 12.1 build 54.13, the OTP secret data can be stored in an encrypted format instead of plain text.

Previously, the Citrix ADC appliance stored OTP secret as a plain text in AD. Storing OTP secret in plain text poses a security threat as a malicious attacker or an admin might exploit the data by viewing the shared secret of other users.

The encryption parameter enables encryption of OTP secret in AD. When you register a new device with Citrix ADC version 12.1 build 54.13, and enable the encryption parameter, the OTP secret is stored in an encrypted format, by default. However, if the encryption parameter is disabled, the OTP secret is stored in plain text format.

For devices registered prior to 12.1 build 54.13, you must perform the following as a best practice:

Upgrade the 12.1 Citrix ADC appliance to 12.1 build 54.13.
Enable the encryption parameter on the appliance.
Use the OTP secret migration tool to migrate OTP secret data from plain text format to encrypted format.

For details about the OTP secret migration tool, see OTP encryption tool.

Important

Citrix recommends you as an admin to ensure the following criteria is met:

A new certificate must be configured to encrypt OTP secrets if you are not using KBA as part of self-service password reset feature.

To bind the certificate to VPN global, you can use the following command:
bind vpn global -userDataEncryptionKey c1

If you are already using a certificate to encrypt KBA, you can use the same certificate to encrypt OTP secrets.

通过使用CLI启用OTP加密数据

At the command prompt, type:

set aaa otpparameter [-encryption ( ON | OFF )]

Example

set aaa otpparameter -encryption ON

配置OTP encryption by using the GUI

Navigate toSecurity > AAA – Application Trafficand clickChange authentication AAA OTP Parameterunder身份验证设置section.
On theConfigure AAA OTP Parameterpage, selectOTP Secret encryption.
Click OK.

Configuring the number of end-user devices for receiving OTP notifications

Administrators can now configure the number of devices that an end user can register to receive OTP notification or authentication.

配置number of devices in OTP by using the CLI

At the command prompt, type:

set aaa otpparameter [-maxOTPDevices ]

Example

set aaa otpparameter -maxOTPDevices 4

配置number of devices by using the GUI

Navigate toSecurity > AAA – Application Traffic, clickChange authentication AAA OTP Parameterunder身份验证设置section.
On theConfigure AAA OTP Parameterpage, enter the value forMax OTP device Configured.
ClickOK.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Store OTP secret data in an encrypted format

September 21, 2020

Contributed by:

S C

September 21, 2020

Contributed by:

S C

Store OTP secret data in an encrypted format

通过使用CLI启用OTP加密数据

配置OTP encryption by using the GUI

Configuring the number of end-user devices for receiving OTP notifications

配置number of devices in OTP by using the CLI

配置number of devices by using the GUI

In this article