How to configure the WiKID Strong Authentication 4.0 using the Quick-setup option
Start by copying the sample file to your directory. I assume you are the root user or have appropriate sudo permissions.
# cp /opt/WiKID/conf/sample-quick-setup.properties wikid.conf
Now edit the file with your preferred editor.
# vim wikid.conf
Now, let's look at each part and what should go there. Note that lines starting with a semicolon are comments.
; passphrase for protecting certs --------------------------------------
passphrase=protectme
; *NOTE*: YOU SHOULD REMOVE THIS SETTING AFTER CONFIGURATION FOR SECURITY
This passphrase will be used to protect the server's evaluation certificate. DO NOT LOSE IT! You will need it to start the server (or put it in /etc/WiKID/security). You will need it when you install the permanent certs. Note that the evaluation cert must be updated with the 5 user free license within 30 days.
; name to give the domain ----------------------------------------------
domainname=mydomain
This is the WiKID domain name. It will be listed on the WiKID tokens for your users to see. We recommend something fairly generic, as you may start out only protecting your VPN but later add SSH or Google Apps. So 'Company X Auth' or something similar.
; IP of the server -----------------------------------------------------
domainip=127.0.0.1
The external IP address of the server. Remember: our tokens talk to the WiKID server.
; 0-Padded IP without dots ---------------------------------------------
domaincode=127000000001
The users will enter this domain code when setting up their tokens. It is zero-padded to make it easier to enter. They only enter it once per token. There is no need to keep it secret - the security comes in the registration process, not the token setup.
; full hostname of the server; can be same as cn value ----------------------
hostname=localhost.localdomain
The fully qualified domain name of the server.
; information for setting up a RADIUS host
radiushostip=10.1.2.3
radiushostsecret=mysharedsecret
; *NOTE*: YOU SHOULD REMOVE THIS SETTING AFTER CONFIGURATION FOR SECURITY
This configures a RADIUS network client on the WiKID Server. This would be your RADIUS server such as NPS or Freeradius or the service that is authenticating using WiKID - your VPN, webserver, SSH gateway, etc.
; optionally create an extra host cert for wauth; leave blank if not needed
wauthhostip=
If you are creating a client that uses our API, wAuth, then enter its IP address here. If not, or if you don't know what this is, don't worry, it's not required. Just leave it blank. Note that its client p12 file will be protected by the passphrase above.
; cert properties ------------------------------------------------------
; administrative email for this server
[email protected]
; hostname of server
cn=localhost.localdomain
; organization/company name
o=myorganization
; department or other OU
ou=mydepartment
; city
l=mylocation
; full name of state
st=mystate
; 2-letter country code
c=us
This is the information that will be used to generate the server's certificate. It needs to be unique. If you enter valid information, you can convert the evaluation certificate into a production cert quite easily. If not, you will need to recreate your certificate signing request via the WiKIDAdmin Web UI. We respect your privacy and will not sell this information, of course.
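Two of the values above are easy to get wrong or to forget about: domaincode has to be exactly the zero-padded form of domainip (it is what your users type into their tokens), and the passphrase and radiushostsecret are meant to be removed from the file once quick-setup has run. The following shell script is an added example, not part of the WiKID distribution or its documentation. It assumes only the file format shown above (key=value lines, semicolon comments); the function names ip_to_domaincode, prop, check_quick_setup, leftover_secrets and write_sample_conf are this example's own, and the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the WiKID documentation: derive the zero-padded
# domaincode from an IPv4 address and sanity-check a quick-setup properties
# file (key=value lines, ';' comments) before and after "wikidctl quick-setup".

# Print the 12-digit domaincode for a dotted-quad IPv4 address: every octet is
# zero-padded to three digits and the dots are dropped, so 127.0.0.1 becomes
# 127000000001. Prints nothing if the input is not four octets in 0..255.
ip_to_domaincode() {
    echo "$1" | awk -F. '
        NF == 4 &&
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
            printf "%03d%03d%03d%03d", $1, $2, $3, $4
        }'
}

# Print the value of a key from the properties file (first match; comment
# lines never start with the key, so they are skipped); empty if absent/blank.
prop() {
    grep "^$2=" "$1" | head -n 1 | sed 's/^[^=]*=//'
}

# Pre-run check: domaincode must be the padded form of domainip, otherwise
# tokens set up with the code will not reach this server. A hostname that
# differs from cn is only a warning (the sample file says they can be equal).
# Exit status is the number of hard errors found.
check_quick_setup() {
    conf=$1
    errors=0
    ip=$(prop "$conf" domainip)
    expected=$(ip_to_domaincode "$ip")
    actual=$(prop "$conf" domaincode)
    if [ -z "$expected" ]; then
        echo "ERROR: domainip '$ip' is not a valid dotted-quad address"
        errors=$((errors + 1))
    elif [ "$actual" != "$expected" ]; then
        echo "ERROR: domaincode is '$actual' but domainip $ip pads to '$expected'"
        errors=$((errors + 1))
    fi
    if [ "$(prop "$conf" hostname)" != "$(prop "$conf" cn)" ]; then
        echo "WARNING: hostname and cn differ; check that the cert CN is what you want"
    fi
    return "$errors"
}

# Post-run check: the file's own notes say passphrase and radiushostsecret
# should be removed after configuration. Print each key that still carries a
# value; exit status is the number of such keys (0 means the file is clean).
leftover_secrets() {
    conf=$1
    count=0
    for key in passphrase radiushostsecret; do
        if [ -n "$(prop "$conf" "$key")" ]; then
            echo "$key is still set in $conf"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# Write a constructed properties file (values modelled on the sample in the
# write-up) so the checks can be exercised offline; $2 is the domaincode to use.
write_sample_conf() {
    cat > "$1" <<EOF
; passphrase for protecting certs
passphrase=protectme
domainname=mydomain
domainip=127.0.0.1
domaincode=$2
hostname=localhost.localdomain
radiushostip=10.1.2.3
radiushostsecret=mysharedsecret
wauthhostip=
cn=localhost.localdomain
EOF
}

# Demonstration on the constructed file (seen when the script is run directly).
sample=$(mktemp)
write_sample_conf "$sample" "$(ip_to_domaincode 127.0.0.1)"
if check_quick_setup "$sample"; then
    echo "$sample passes the pre-run checks"
fi
leftover_secrets "$sample" || echo "remove the $? secret(s) above once quick-setup has finished"
rm -f "$sample"
```

Run `check_quick_setup wikid.conf` before `wikidctl quick-setup` and `leftover_secrets wikid.conf` afterwards; a non-zero exit status from either is the thing to act on, so both fit into a deployment script as plain conditions.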
Now, save the file and run the quick-setup command:
# wikidctl quick-setup configfile=wikid.conf
As the command runs, you will see output like:
----------------------------------------------
= Checking for valid args ...
= Make sure Pg is running ...
= Checking if DB exists ...NO!
== Setting up new DB ...
log4j:WARN No appenders could be found for logger (com.mchange.v2.log.MLog).
log4j:WARN Please initialize the log4j system properly.
== Got Pg connection ...
= Setting up intermediate CA cert ...
= Submitting intermediate CA CSR ...
= Creating Tomcat cert ...
= Installing intermediate CA cert ...
== Intermediate cert installation completed!
= Setting up cert for localhost ...
== Setting up localhost settings ...
== RADIUS host does not exist!
== Setting up wAuth client ...
= Setting up cert for 10.100.0.112 ...
== Setting up non-localhost settings ...
== Domain exists! 1
== Adding keys ...
Now, start the server:
# wikidctl start
Browse to the WiKIDAdmin interface at https://yourserver.com/WiKIDAdmin/ and you should see your domain created, your RADIUS network client configured and all the required certs completed. All you need to do now is install a WiKID token and register users.
You can download the WiKID Strong Authentication server here.