3 files changed, 92 insertions, 86 deletions
diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png
new file mode 100644
index 0000000..c0230f5
--- /dev/null
+++ b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png
Binary files differ
diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_login.png b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png
new file mode 100644
index 0000000..79d9696
--- /dev/null
+++ b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png
Binary files differ
diff --git a/doc/book-enea-edge-getting-started/doc/security.xml b/doc/book-enea-edge-getting-started/doc/security.xml
index 9b8ec14..0812a2f 100644
--- a/doc/book-enea-edge-getting-started/doc/security.xml
+++ b/doc/book-enea-edge-getting-started/doc/security.xml
@@ -1,51 +1,62 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
+<?xml version="1.0" encoding="UTF-8"?>
 <chapter id="security">
  <title>Security</title>
  <section id="mfa_security">
    <title>Authenticating using Multi-Factor Authentication</title>
-    <para>Enea Edge Management provides the ability to authenticate using the MFA
+    <para>Enea Edge Management provides the ability to authenticate using the
-    authentication method. This is offered as a two-step procedure: first, the
+    MFA authentication method. This is offered as a two-step procedure: first,
-    user enters the local user/password credentials. Then the security token generated 
+    the user enters the local user/password credentials. Then the security
-    by Google Authenticator must be introduced. This is based on a shared secret between the 
+    token generated by Google Authenticator must be introduced. This is based
-    Enea Edge Management and the Google Authenticator applications. The shared secret is a 
+    on a shared secret between the Enea Edge Management and the Google
-    32 character long string that is presented to the user upon first login as a character 
+    Authenticator applications. The shared secret is a 32 character long
-    sequence and a QR code.
+    string that is presented to the user upon first login as a character
-    </para>
+    sequence and a QR code.</para>
-    <section id ="config_mfa">
+    <note>
+      <para>Configuring MFA will only be possible using the Web interface, and
+      not the REST API. Users with MFA enabled will not be able to log
+      in through the REST API. If attempted, a <literal>401</literal> HTTP
+      code will be returned, with the <literal>EMS-Error</literal> header
+      containing the <literal>EMS_UserMFAEnabled</literal> error.</para>
+    </note>
+    <section id="config_mfa">
      <title>Configuring User MFA</title>
-      <para>The administrator must enable MFA authentication for the
+      <para>The administrator must enable MFA authentication for the desired
-      desired new user by:</para>
+      new user by:</para>
-      
      <orderedlist>
        <listitem>
-          <para>Accessing the <emphasis role="bold">Security</emphasis> tab.</para>
+          <para>Accessing the <emphasis role="bold">Security</emphasis>
+          tab.</para>
        </listitem>
-          
        <listitem>
-          <para>Accessing the <emphasis role="bold">Configuration</emphasis> menu.</para>
+          <para>Accessing the <emphasis role="bold">Configuration</emphasis>
+          menu.</para>
        </listitem>
-        
        <listitem>
-          <para>Selecting the <emphasis role="bold">Add</emphasis> option, entering the 
+          <para>Selecting the <emphasis role="bold">Add</emphasis> option,
-            details for the new user and then enabling the 
+          entering the details for the new user and then enabling the
-            <emphasis role="bold">Enable MFA Login</emphasis> checkbox.</para>
+          <emphasis role="bold">Enable MFA Login</emphasis> checkbox.</para>
        </listitem>
      </orderedlist>
-      
-      <para>It is also possible to enable/disable MFA for existing users by selecting
-      the user and checking/unchecking the Enable MFA Login checkbox in the
-      right-hand side panel. Disabling MFA for a user will also clear the
-      secret from the database, therefore upon reenabling it the user will be
-      asked to configure a new shared secret. For more details on how to configure
-      a new shared secret, please see the following section.</para>
+      <para>It is also possible to enable/disable MFA for existing users by
+      selecting the user and checking/unchecking the Enable MFA Login checkbox
+      in the right-hand side panel. Disabling MFA for a user will also clear
+      the secret from the database, therefore upon reenabling it the user will
+      be asked to configure a new shared secret. For more details on how to
+      configure a new shared secret, please see the following section.</para>
-      <note><para>All MFA information for enabled users will be preserved upon upgrading the
+      <note>
-        Enea Edge Management application.</para></note>
+        <para>All MFA information for enabled users will be preserved upon
+        upgrading the Enea Edge Management application.</para>
+      </note>
    </section>
    <section id="security_authentication">
@@ -53,19 +64,30 @@
      <para>Before the user logs in, there is no secret set in the Enea Edge
      Management database. Initially, the user will enter his credentials as
-      in a normal, local authentication. He will then be redirected to a 
+      in a normal, local authentication. He will then be redirected to a
-        second page that presents the secret as a QR code, that he must scan
+      second page that presents the secret as a QR code, that he must scan
      using the Google Authenticator application. The secret is also presented
-      in clear text ready for copying and manual entry, in case scanning 
+      in clear text ready for copying and manual entry, in case scanning the
-        the QR code does not work.</para>
+      QR code does not work.</para>
-      
-      <para>Once the scanning or manual entry is completed successfully, the 
+      <figure>
-        Edge Management and Google Authenticator applications have the same 
+        <title>Initial setup for Multi-Factor login</title>
-        secret configured. The Authenticator application will then offer a security
-      token as a six digit number that the user must enter on the same page,
+        <mediaobject>
-      in the Enea Edge Management application. If the token is correct, 
+          <imageobject>
-        authentication is successful. The six digit token is available for a maximum of 
+            <imagedata align="center" scale="60"
-      30 seconds.</para>
+                       fileref="images/mfa_first_time_setup.png" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+      <para>Once the scanning or manual entry is completed successfully, the
+      Edge Management and Google Authenticator applications have the same
+      secret configured. The Authenticator application will then offer a
+      security token as a six digit number that the user must enter on the
+      same page, in the Enea Edge Management application. If the token is
+      correct, authentication is successful. The six digit token is available
+      for a maximum of 30 seconds.</para>
      <para>Once the initial login succeeds and the secret is saved in the
      database, subsequent logins will still be done using a two-step method.
@@ -74,56 +96,40 @@
      Authenticator, this time, however, the secret will no longer be
      displayed.</para>
+      <figure>
+        <title>Second login</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata align="center" scale="80"
+                       fileref="images/mfa_login.png" />
+          </imageobject>
+        </mediaobject>
+      </figure>
      <note>
-        <para>If the shared secret is ever lost, it can always be regenerated, but
+        <para>If the shared secret is ever lost, it can always be regenerated,
-          only upon request to the administrator. It is done by accessing 
+        but only upon request to the administrator. It is done by accessing
-          the <emphasis role="bold">Security</emphasis> tab, selecting 
+        the <emphasis role="bold">Security</emphasis> tab, selecting the
-          the <emphasis role="bold">Configuration</emphasis> menu and choosing 
+        <emphasis role="bold">Configuration</emphasis> menu and choosing the
-          the user, and on the right-hand side panel unchecking the
+        user, and on the right-hand side panel unchecking the <emphasis
-          <emphasis role="bold">Enable MFA Login</emphasis> checkbox. Then 
+        role="bold">Enable MFA Login</emphasis> checkbox. Then pressing the
-          pressing the <emphasis role="bold">Apply</emphasis> button, checking it 
+        <emphasis role="bold">Apply</emphasis> button, checking it again, and
-          again, and clicking <emphasis role="bold">Apply</emphasis> one final time. When 
+        clicking <emphasis role="bold">Apply</emphasis> one final time. When
-          the MFA Login is disabled, the secret is also erased from the database.
+        the MFA Login is disabled, the secret is also erased from the
-        </para>
+        database.</para>
-       </note>
+      </note>
    </section>
    <section id="token_generators">
      <title>Supported Token Generators</title>
-      <para>Multi Factor Authentication in the Enea Edge Management application is 
+      <para>Multi Factor Authentication in the Enea Edge Management
-        supported only for Google Authenticator.
+      application is supported only for Google Authenticator.</para>
-      </para>
-      <para>The time on the server hosting the Enea Edge Management application 
-        and the device holding the Authenticatior application must be synchronized, 
-        within an error margin of 30 seconds.</para>
-    </section>
-    <section id="mfa_limitations">
-      <title>MFA Limitations</title>
-      
-      <para>The following is a brief list of the limitations currently affecting 
-        MF Authentication:</para>
-      <itemizedlist>
+      <para>The time on the server hosting the Enea Edge Management
-        <listitem>
+      application and the device holding the Authenticatior application must
-          <para>Configuring MFA will only be possible using the Web interface,
+      be synchronized, within an error margin of 30 seconds.</para>
-          and not the REST API.</para>
-        </listitem>
-        <listitem>
-          <para>Users with MFA enabled will not be able to log in using the
-          REST API. In this case, a <literal>401</literal> HTTP code will be
-          returned, with the <literal>EMS-Error</literal> header containing
-          the <literal>EMS_UserMFAEnabled</literal> error.</para>
-        </listitem>
-        <listitem>
-          <para>MFA authentication will not be supported using the RADIUS or
-          LDAP AAA methods.</para>
-        </listitem>
-      </itemizedlist>
    </section>
  </section>
-</chapter>
+</chapter>
+\ No newline at end of file

diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png new file mode 100644 index 0000000..c0230f5 --- /dev/null +++ b/doc/book-enea-edge-getting-started/doc/images/mfa_first_time_setup.png
Binary files differ


diff --git a/doc/book-enea-edge-getting-started/doc/images/mfa_login.png b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png new file mode 100644 index 0000000..79d9696 --- /dev/null +++ b/doc/book-enea-edge-getting-started/doc/images/mfa_login.png
Binary files differ


diff --git a/doc/book-enea-edge-getting-started/doc/security.xml b/doc/book-enea-edge-getting-started/doc/security.xml index 9b8ec14..0812a2f 100644 --- a/doc/book-enea-edge-getting-started/doc/security.xml +++ b/doc/book-enea-edge-getting-started/doc/security.xml
@@ -1,51 +1,62 @@
1	<?xml version="1.0" encoding="ISO-8859-1"?>	1	<?xml version="1.0" encoding="UTF-8"?>
2	<chapter id="security">	2	<chapter id="security">
3	<title>Security</title>	3	<title>Security</title>
4		4
5	<section id="mfa_security">	5	<section id="mfa_security">
6	<title>Authenticating using Multi-Factor Authentication</title>	6	<title>Authenticating using Multi-Factor Authentication</title>
7		7
8	<para>Enea Edge Management provides the ability to authenticate using the MFA	8	<para>Enea Edge Management provides the ability to authenticate using the
9	authentication method. This is offered as a two-step procedure: first, the	9	MFA authentication method. This is offered as a two-step procedure: first,
10	user enters the local user/password credentials. Then the security token generated	10	the user enters the local user/password credentials. Then the security
11	by Google Authenticator must be introduced. This is based on a shared secret between the	11	token generated by Google Authenticator must be introduced. This is based
12	Enea Edge Management and the Google Authenticator applications. The shared secret is a	12	on a shared secret between the Enea Edge Management and the Google
13	32 character long string that is presented to the user upon first login as a character	13	Authenticator applications. The shared secret is a 32 character long
14	sequence and a QR code.	14	string that is presented to the user upon first login as a character
15	</para>	15	sequence and a QR code.</para>
16		16
17	<section id ="config_mfa">	17	<note>
		18	<para>Configuring MFA will only be possible using the Web interface, and
		19	not the REST API. Users with MFA enabled will not be able to log
		20	in through the REST API. If attempted, a <literal>401</literal> HTTP
		21	code will be returned, with the <literal>EMS-Error</literal> header
		22	containing the <literal>EMS_UserMFAEnabled</literal> error.</para>
		23	</note>
		24
		25	<section id="config_mfa">
18	<title>Configuring User MFA</title>	26	<title>Configuring User MFA</title>
19		27
20	<para>The administrator must enable MFA authentication for the	28	<para>The administrator must enable MFA authentication for the desired
21	desired new user by:</para>	29	new user by:</para>
22		30
23	<orderedlist>	31	<orderedlist>
24	<listitem>	32	<listitem>
25	<para>Accessing the <emphasis role="bold">Security</emphasis> tab.</para>	33	<para>Accessing the <emphasis role="bold">Security</emphasis>
		34	tab.</para>
26	</listitem>	35	</listitem>
27		36
28	<listitem>	37	<listitem>
29	<para>Accessing the <emphasis role="bold">Configuration</emphasis> menu.</para>	38	<para>Accessing the <emphasis role="bold">Configuration</emphasis>
		39	menu.</para>
30	</listitem>	40	</listitem>
31		41
32	<listitem>	42	<listitem>
33	<para>Selecting the <emphasis role="bold">Add</emphasis> option, entering the	43	<para>Selecting the <emphasis role="bold">Add</emphasis> option,
34	details for the new user and then enabling the	44	entering the details for the new user and then enabling the
35	<emphasis role="bold">Enable MFA Login</emphasis> checkbox.</para>	45	<emphasis role="bold">Enable MFA Login</emphasis> checkbox.</para>
36	</listitem>	46	</listitem>
37	</orderedlist>	47	</orderedlist>
38
39	<para>It is also possible to enable/disable MFA for existing users by selecting
40	the user and checking/unchecking the Enable MFA Login checkbox in the
41	right-hand side panel. Disabling MFA for a user will also clear the
42	secret from the database, therefore upon reenabling it the user will be
43	asked to configure a new shared secret. For more details on how to configure
44	a new shared secret, please see the following section.</para>
45		48
		49	<para>It is also possible to enable/disable MFA for existing users by
		50	selecting the user and checking/unchecking the Enable MFA Login checkbox
		51	in the right-hand side panel. Disabling MFA for a user will also clear
		52	the secret from the database, therefore upon reenabling it the user will
		53	be asked to configure a new shared secret. For more details on how to
		54	configure a new shared secret, please see the following section.</para>
46		55
47	<note><para>All MFA information for enabled users will be preserved upon upgrading the	56	<note>
48	Enea Edge Management application.</para></note>	57	<para>All MFA information for enabled users will be preserved upon
		58	upgrading the Enea Edge Management application.</para>
		59	</note>
49	</section>	60	</section>
50		61
51	<section id="security_authentication">	62	<section id="security_authentication">
@@ -53,19 +64,30 @@
53		64
54	<para>Before the user logs in, there is no secret set in the Enea Edge	65	<para>Before the user logs in, there is no secret set in the Enea Edge
55	Management database. Initially, the user will enter his credentials as	66	Management database. Initially, the user will enter his credentials as
56	in a normal, local authentication. He will then be redirected to a	67	in a normal, local authentication. He will then be redirected to a
57	second page that presents the secret as a QR code, that he must scan	68	second page that presents the secret as a QR code, that he must scan
58	using the Google Authenticator application. The secret is also presented	69	using the Google Authenticator application. The secret is also presented
59	in clear text ready for copying and manual entry, in case scanning	70	in clear text ready for copying and manual entry, in case scanning the
60	the QR code does not work.</para>	71	QR code does not work.</para>
61		72
62	<para>Once the scanning or manual entry is completed successfully, the	73	<figure>
63	Edge Management and Google Authenticator applications have the same	74	<title>Initial setup for Multi-Factor login</title>
64	secret configured. The Authenticator application will then offer a security	75
65	token as a six digit number that the user must enter on the same page,	76	<mediaobject>
66	in the Enea Edge Management application. If the token is correct,	77	<imageobject>
67	authentication is successful. The six digit token is available for a maximum of	78	<imagedata align="center" scale="60"
68	30 seconds.</para>	79	fileref="images/mfa_first_time_setup.png" />
		80	</imageobject>
		81	</mediaobject>
		82	</figure>
		83
		84	<para>Once the scanning or manual entry is completed successfully, the
		85	Edge Management and Google Authenticator applications have the same
		86	secret configured. The Authenticator application will then offer a
		87	security token as a six digit number that the user must enter on the
		88	same page, in the Enea Edge Management application. If the token is
		89	correct, authentication is successful. The six digit token is available
		90	for a maximum of 30 seconds.</para>
69		91
70	<para>Once the initial login succeeds and the secret is saved in the	92	<para>Once the initial login succeeds and the secret is saved in the
71	database, subsequent logins will still be done using a two-step method.	93	database, subsequent logins will still be done using a two-step method.
@@ -74,56 +96,40 @@
74	Authenticator, this time, however, the secret will no longer be	96	Authenticator, this time, however, the secret will no longer be
75	displayed.</para>	97	displayed.</para>
76		98
		99	<figure>
		100	<title>Second login</title>
		101
		102	<mediaobject>
		103	<imageobject>
		104	<imagedata align="center" scale="80"
		105	fileref="images/mfa_login.png" />
		106	</imageobject>
		107	</mediaobject>
		108	</figure>
		109
77	<note>	110	<note>
78	<para>If the shared secret is ever lost, it can always be regenerated, but	111	<para>If the shared secret is ever lost, it can always be regenerated,
79	only upon request to the administrator. It is done by accessing	112	but only upon request to the administrator. It is done by accessing
80	the <emphasis role="bold">Security</emphasis> tab, selecting	113	the <emphasis role="bold">Security</emphasis> tab, selecting the
81	the <emphasis role="bold">Configuration</emphasis> menu and choosing	114	<emphasis role="bold">Configuration</emphasis> menu and choosing the
82	the user, and on the right-hand side panel unchecking the	115	user, and on the right-hand side panel unchecking the <emphasis
83	<emphasis role="bold">Enable MFA Login</emphasis> checkbox. Then	116	role="bold">Enable MFA Login</emphasis> checkbox. Then pressing the
84	pressing the <emphasis role="bold">Apply</emphasis> button, checking it	117	<emphasis role="bold">Apply</emphasis> button, checking it again, and
85	again, and clicking <emphasis role="bold">Apply</emphasis> one final time. When	118	clicking <emphasis role="bold">Apply</emphasis> one final time. When
86	the MFA Login is disabled, the secret is also erased from the database.	119	the MFA Login is disabled, the secret is also erased from the
87	</para>	120	database.</para>
88	</note>	121	</note>
89	</section>	122	</section>
90		123
91	<section id="token_generators">	124	<section id="token_generators">
92	<title>Supported Token Generators</title>	125	<title>Supported Token Generators</title>
93		126
94	<para>Multi Factor Authentication in the Enea Edge Management application is	127	<para>Multi Factor Authentication in the Enea Edge Management
95	supported only for Google Authenticator.	128	application is supported only for Google Authenticator.</para>
96	</para>
97
98	<para>The time on the server hosting the Enea Edge Management application
99	and the device holding the Authenticatior application must be synchronized,
100	within an error margin of 30 seconds.</para>
101	</section>
102
103	<section id="mfa_limitations">
104	<title>MFA Limitations</title>
105
106	<para>The following is a brief list of the limitations currently affecting
107	MF Authentication:</para>
108		129
109	<itemizedlist>	130	<para>The time on the server hosting the Enea Edge Management
110	<listitem>	131	application and the device holding the Authenticatior application must
111	<para>Configuring MFA will only be possible using the Web interface,	132	be synchronized, within an error margin of 30 seconds.</para>
112	and not the REST API.</para>
113	</listitem>
114
115	<listitem>
116	<para>Users with MFA enabled will not be able to log in using the
117	REST API. In this case, a <literal>401</literal> HTTP code will be
118	returned, with the <literal>EMS-Error</literal> header containing
119	the <literal>EMS_UserMFAEnabled</literal> error.</para>
120	</listitem>
121
122	<listitem>
123	<para>MFA authentication will not be supported using the RADIUS or
124	LDAP AAA methods.</para>
125	</listitem>
126	</itemizedlist>
127	</section>	133	</section>
128	</section>	134	</section>
129	</chapter>	135	</chapter> \ No newline at end of file