We're pleased to announce the release of a prototype authentication plugin for Cloudstack that will add WiKID Two-factor authentication to the administrator login. The jar is available for download at our Sourceforge site. The license is GPL.
There are five steps to adding two-factor authentication to the Cloudstack management server:
1. Copy the jar files.
2. Edit components.xml.
3. Create a network client on the WiKID server.
4. Edit the WiKID properties file.
5. Turn off MD5 hashing on the login page.
You need both the WiKIDUserAuthenticator.jar and either the wikid-server-enterprise or the wikid-server-community jar, which can be found on your server in /opt/WiKID/lib. Drop these two jars into /usr/share/java on your Cloudstack server.
Edit your /etc/cloud/management/components.xml to include WiKID:
    <adapters key="com.cloud.server.auth.UserAuthenticator">
        <adapter name="WiKID" class="com.wikidsystems.cloud.WikidUserAuthenticator"/>
        <adapter name="LDAP" class="com.cloud.server.auth.LDAPUserAuthenticator"/>
    </adapters>
On the WiKID server, create a network client that uses the wAuth protocol and the Cloudstack server's IP address or domain name. This will create a client certificate in /opt/WiKID/private which you will need to copy over to the Cloudstack server, along with /opt/WiKID/private/CACertStore. Restart the WiKID server.
Inside the jar file, you will find a file called cloudstack-examples.properties. Edit that file, changing the hostname, cert name, CaStore location and domain identifier.
Finally, in sharedFunctions.js, turn off the MD5 hashing of the password so that the one-time passcode is submitted as entered rather than as a hash:
    // Default password is MD5 hashed. Set the following variable to false to disable this.
    var md5Hashed = false;
    var md5HashedLogin = false;
Restart your cloud management software and you should be prompted to authenticate. Use your Cloudstack manager username and a valid OTP from WiKID.
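A post-install check for steps 2 and 5, as an added example that is not part of the WiKID plugin or Cloudstack: it confirms that the WiKID class is listed under the UserAuthenticator adapters and that both MD5 flags are set to false in live code rather than inside a comment. The sample inputs are constructed, the `<config>` root element is hypothetical, and the regex-based comment stripping is a simplification that assumes no `//` inside string literals on the same lines.

```python
import re
import xml.etree.ElementTree as ET

AUTH_KEY = "com.cloud.server.auth.UserAuthenticator"
WIKID_CLASS = "com.wikidsystems.cloud.WikidUserAuthenticator"
MD5_FLAGS = ("md5Hashed", "md5HashedLogin")

def wikid_adapter_configured(components_xml):
    """True if the UserAuthenticator adapter list names the WiKID class."""
    root = ET.fromstring(components_xml)
    for adapters in root.iter("adapters"):
        if adapters.get("key") == AUTH_KEY:
            classes = [a.get("class") for a in adapters.findall("adapter")]
            if WIKID_CLASS in classes:
                return True
    return False

def md5_flag_values(js_source):
    """Map each flag to 'true', 'false' or None, reading live code only."""
    code = re.sub(r"/\*.*?\*/", "", js_source, flags=re.S)  # drop block comments
    code = re.sub(r"//[^\n]*", "", code)                     # drop line comments
    values = {}
    for flag in MD5_FLAGS:
        hits = re.findall(r"\b%s\s*=\s*(true|false)\b" % flag, code)
        values[flag] = hits[-1] if hits else None  # last assignment wins
    return values

def md5_hashing_disabled(js_source):
    return all(v == "false" for v in md5_flag_values(js_source).values())

# Constructed sample inputs (the <config> root element is hypothetical).
GOOD_XML = """<config>
  <adapters key="com.cloud.server.auth.UserAuthenticator">
    <adapter name="WiKID" class="com.wikidsystems.cloud.WikidUserAuthenticator"/>
    <adapter name="LDAP" class="com.cloud.server.auth.LDAPUserAuthenticator"/>
  </adapters>
</config>"""
LDAP_ONLY_XML = GOOD_XML.replace(
    '    <adapter name="WiKID" class="%s"/>\n' % WIKID_CLASS, "")
JS_OK = "// Default password is MD5 hashed.\nvar md5Hashed = false;\nvar md5HashedLogin = false;\n"
JS_ONE_LINE = "// Default password is MD5 hashed. var md5Hashed = false; var md5HashedLogin = false;"

if __name__ == "__main__":
    for name, xml_text in (("good", GOOD_XML), ("ldap-only", LDAP_ONLY_XML)):
        print(name, "adapter configured:", wikid_adapter_configured(xml_text))
    for name, js in (("multi-line", JS_OK), ("one-line", JS_ONE_LINE)):
        print(name, md5_flag_values(js), "disabled:", md5_hashing_disabled(js))
```

The one-line sample shows the failure mode to watch for when pasting the snippet: if the `var` statements end up on the same line as the `//` comment, they are commented out and the flags are never set.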