Author: Anna Korobkyna

• Configure SMPP server connection to add your SMS provider to deliver one-time passwords via SMS.
• Configure delivery of one-time passwords via email.
• Add SSL certificate for the Protectimus Platform. Different SSL certificate formats are supported, including .pkcs12, .pem, .der, .pfx.
• Specify the path to the license file. Please note that the path to the license file should be indicated with double backslashes
  (eg. C:\\some\\path\\file).

PLEASE NOTE! Additionally, you can configure settings for SMSC and ALIBABA as well.

smpp.server.login

smpp.server.password

smpp.server.host

smpp.server.port

smpp.message.encoding

smpp.from.address

smpp.server.login = login
smpp.server.password = **********
smpp.server.host = smpp.example.com
smpp.server.port = 12000
smpp.message.encoding = UTF-8
smpp.from.address = Protectimus

• Configure delivery of one-time passwords via email.
• Configure SMPP server connection to add your SMS provider to deliver one-time passwords via SMS.
• Add SSL certificate for the Protectimus Platform. Different SSL certificate formats are supported, including .pkcs12, .pem, .der, .pfx.
• Specify the path to the license file. Please note that the path to the license file should be indicated with double backslashes
  (eg. C:\\some\\path\\file).

smtp.host

smtp.port

smtp.user

smtp.password

default.from.address

smtp.host = smtp-server.com
smtp.port = 25
smtp.user = [email protected]
smtp.password = **********

Protectimus Bots are used for delivering one-time passwords (OTPs) and important notifications from the Protectimus Two-Factor Authentication System to end users. OTP delivery through messaging apps addresses several key issues: it is much more secure than SMS authentication, completely free, and easy to use. ProtectimusBot chatbots are available on Facebook Messenger, Telegram, and Viber. You can also create and connect your own chatbot by following these instructions.

1. Check the Bot Box During Platform Installation

1. Ensure that you check the Bot box during the installation process.
2. If the Protectimus On-Premise Platform is not yet installed, also check the Platform box to include the necessary components.

2. Edit the bot.yml Configuration File

1. Navigate to the following directory: ./Protectimus/Bot/
2. Open the bot.yml file in a text editor.
3. Add the token(s) for the messaging platform(s) you intend to use.
   
   

   Important: At least one token must be added; otherwise, the bot will not function.

bot.yml
server:
  port: 8180

spring:
  activemq:
    broker-url: tcp://localhost:61616
    user: admin
    password: admin

bot:
  facebook:
    verification-token: your_token
    page-access-token: your_token
  viber:
    token: your_token
  telegram:
    token: your_token

logging:
  level:
    com.protectimus.bot: INFO

1. Updating Platform Using a Docker Image

• cloning a repository from Git;
• manual update.

1.1. Updating via Git Repository Cloning

1. Use this command to copy the repository containing Docker Compose files to your local computer, where the Protectimus On-Premise Platform is installed.
   
   

   git clone 
   https://github.com/protectimus/platform

   
   The contents of the archive will be as follows:
   
   

   .
   └── platform
       ├── platform
       │   ├── docker-compose.yaml
       │   ├── .env
       │   ├── platform_data
       │   │   ├── autogenerated-keystore.jks
       │   │   └── protectimus.platform.properties
       │   └── postgres_data
       ├── radius
       │   ├── config
       │   │   ├── radius.all.yml
       │   │   └── radius.yml
       │   ├── docker-compose.yaml
       │   └── .env
       └── unifi-guest-portal
           ├── config
           │   ├── fragments.html
           │   ├── guest-portal.all.yml
           │   └── guest-portal.yml
           ├── docker-compose.yaml
           └── .env

2. Go to the platform directory:
   
   

   cd platform/platform

   
   

3. Run the application using Docker Compose.
   
   This command will start all the containers required for your application in the background (-d):
   
   

   docker-compose up -d

   
   

4. Stop running containers using this command:
   
   

   docker-compose down

   
   

5. Make a backup of your database. The data is located in the postgres_data directory.

6. Get latest changes from Git repository.
   
   This command will update your local repository to the latest version that you have uploaded to Git.
   
   Resolve any configuration conflicts if necessary.
   
   

   git pull

   
   

7. Download the updated images. This command will download the updated Docker images from your Docker registry:
   
   

   docker-compose pull

   
   

8. Restart containers with new images.
   
   This command will restart the containers using the updated images in the background mode (-d):
   
   

   docker-compose up -d

   
   

1.2. Manual Update from Github

1. Download the latest version of the archive with the Protectimus Platform from Github and extract it:
   https://github.com/protectimus/platform/releases
   
   The contents of the archive will be as follows:
   
   

   .
   └── platform
       ├── platform
       │   ├── docker-compose.yaml
       │   ├── .env
       │   ├── platform_data
       │   │   ├── autogenerated-keystore.jks
       │   │   └── protectimus.platform.properties
       │   └── postgres_data
       ├── radius
       │   ├── config
       │   │   ├── radius.all.yml
       │   │   └── radius.yml
       │   ├── docker-compose.yaml
       │   └── .env
       └── unifi-guest-portal
           ├── config
           │   ├── fragments.html
           │   ├── guest-portal.all.yml
           │   └── guest-portal.yml
           ├── docker-compose.yaml
           └── .env

2. Go to the platform directory:
   
   

   cd platform/platform

   
   

3. Run the application using Docker Compose.
   
   This command will start all the containers required for your application in the background (-d):
   
   

   docker-compose up -d

   
   

4. Stop running containers using this command:
   
   

   docker-compose down

   
   

5. Make a backup of your database. The data is located in the postgres_data directory.

6. Change the component version to the latest in the .env file.

7. Download the updated images. This command will download the updated Docker images from your Docker registry:
   
   

   docker-compose pull

   
   

8. Restart containers with new images.
   
   This command will restart the containers using the updated images in the background mode (-d):
   
   

   docker-compose up -d

   
   

2. Updating Platform on Windows

2.1. Stop Platform, Bot, and Radius Services

2.2. Upgrade Platform and Select Existing Database

1. Choose the necessary components.

2. Click Next.

3. Click Next.

4. Use your username and password to log in to the PostgreSQL database you created during the first platform installation and click LogIn.

5. Enter the name of the database you used in the old version of the Protectimus platform and click Select.
   You can click the List button to see the list of available databases if you don’t remember the exact name of the necessary database.

6. Preferably, use the same destination folder as previously.

7. Once the platform is installed, you will see the changelog describing recent updates; close it.

8. Then click OK to finish the installation.

1. How to issue a trusted SSL certificate for the On-Premise Platform using AD CS with Web Enrollment

Please Note:

1. The certificate of Certification Authority (CA) has to be installed on the clients machines in your domain to integrate the On-Premise Platform with such solutions as OWA.
2. The Common Name (CN) for which the certificate was issued has to be accessible in your domain to integrate the On-Premise Platform with such solutions as OWA.

Prerequisites:

1. AD CS installed with Web Enrollment feature.
2. You need to have access to the Web Server template in certsrv.
3. Keytool and OpenSSL tools are required.

1.1. Generate a Certificate Signing Request (CSR) Using OpenSSL

1. Generate a private key:
   
   

   openssl genrsa -out test-server.key 2048

   
   
2. Create a CSR:
   
   

   openssl req -new -key test-server.key -out test-server.csr

1.2. Submit the CSR to AD CS to issue and download a certificate

1. Open the AD CS web interface:
   
   

   http://CA-Server-Name/certsrv

   
   
2. Select Request a Certificate:
   
   
3. Select Advanced Certificate Request:
   
   
4. Open your .csr file in a text editor, copy its contents, and paste it into the request box.
5. Choose the Web Server template and submit the request:
   
   
6. The Certificate Issued page should be opened, Select Base64 encoded checkbox.
7. Click on the Download certificate.
8. (Optional) Click on the Download certificate chain in case you need your CA to be trusted in your domain. Import the ca-chain.pem into the Trusted Root Certification Authorities store on the clients machines.

1.3. Import a SSL certificate to the Protectimus Platform

2. How to Import Trusted SSL Certificate

1. Combine the certificate (test-server.cer) and the private key (test-server.key) into a PKCS12 file which is Java-compatible keystore (.jks) format:

openssl pkcs12 -export -in test-server.cer -inkey test-server.key -out test-server.pfx

2. Create a Java Keystore and import the .pfx file into it:

keytool -importkeystore -srckeystore test-server.pfx -srcstoretype PKCS12 -destkeystore “C:\Program Files\Protectimus\Platform\keystore.jks” -deststoretype JKS

3. How to Configure SSL Certificate, Mail and SMS Tokens, and Specify the Path to the License File

• Add SSL certificate for the Protectimus Platform. Different SSL certificate formats are supported, including .pkcs12, .pem, .der, .pfx.
• Configure delivery of messages via email;
• Configure SMPP server connection to add your SMS provider to deliver one-time passwords via SMS.
• Specify the path to the license file. Please note that the path to the license file should be indicated with double backslashes
  (eg. C:\\some\\path\\file).

3.1. SSL Certificate Configuration

https.port

https.keystore.type

https.keystore.password

https.keystore

https.port = 8443
https.keystore.type = JKS
https.keystore.password = **********
https.keystore = C:\\Program Files\\Protectimus\\Platform\\keystore.jks

3.2. Email Message Delivery Configuration

smtp.host

smtp.port

smtp.user

smtp.password

default.from.address

smtp.host = smtp-server.com
smtp.port = 25
smtp.user = [email protected]
smtp.password = **********

3.3. SMPP Server Connection Configuration

PLEASE NOTE! Additionally, you can configure settings for SMSC and ALIBABA as well.

smpp.server.login

smpp.server.password

smpp.server.host

smpp.server.port

smpp.message.encoding

smpp.from.address

smpp.server.login = login
smpp.server.password = **********
smpp.server.host = smpp.example.com
smpp.server.port = 12000
smpp.message.encoding = UTF-8
smpp.from.address = Protectimus

1. General Information

• Database (DB);
• Application server and API.

2. Possible Failure Scenarios

• Database failure;
• Application server crash or malfunction;
• Network failure – no access to the API;
• Hardware failure.

Note: External attacks such as DDoS are not considered, as the platform does not have external access.

3. Monitoring Recommendations for Immediate Issue Detection

1. API responsiveness:
   • Request:

     [platform path]/api/v1/auth-service/balance

   
   
   • If successfully connected without authorization, a 401 response should be returned.
   
   
2. Root URL accessibility (this method does not guarantee that the database is operational):
   • https://localhost:8443/ should respond with a 200 status code and the platform’s HTML page.

4. Failure Response Plan

4.1. Administrator Actions Upon Detecting an Incorrect Response:

1. Resolve network issues (if applicable).
2. Resolve hardware issues (if applicable).
3. If previous steps do not help – restore from a virtual machine snapshot, database backup, or full system backup.

4.2. Backup Recommendations

• Daily incremental database backups;
• Weekly full database backups;
• Monthly full system backups.

Please note: When restoring from a backup, any data created after the last backup will be lost. This will primarily affect new users or resources, and event logs for that period will also be lost.

4.3. Clustered Platform

5. Post-Failure Recovery

1. Perform recovery according to the selected procedure.
2. Ensure all services are running and functional.
3. Test authentication on client devices.
4. Notify responsible personnel upon completion of recovery.

6. Preventing Future Failures

• Regularly check the integrity of backups.
• Perform test recoveries to verify the functionality of backup copies.
• Conduct stress tests to assess platform load capacity.
• Configure alerts for administrators about critical events.

Protectimus Bots are used for delivering one-time passwords (OTPs) and important notifications from the Protectimus Two-Factor Authentication System to end users. These chatbots, named Protectimus Bot, are available on Facebook Messenger, Telegram, and Viber. The list of supported messaging applications is constantly growing and can be expanded upon request from our clients. OTP delivery through messaging apps addresses several key issues: it is much more secure than SMS authentication, completely free, and easy to use.

1. Login to Your Protectimus Account and Add Resource

1. Login to your account in Protectimus SAAS Service or On-Premise Platform and go to the Resources page.

2. Click the Add Resource button.

3. This will take you to the Resource adding page, where you’ll need to specify just a Resource Name and click Save, the remaining parameters are optional.

• Webhook URL. Whenever there is an update for the Resources, we will send a POST request containing a JSON update to the specified webhook URL. In case of an unsuccessful request, we will give up only after a reasonable amount of attempts. Currently, webhook is used to receive the result of INTERACTIVE authentications. INTERACTIVE authentications are supported by Protectimus Bot token.
• SSL certificate. The public key certificate certifies the belonging of the public key to the indicated webhook. The certificate supplied should be PEM encoded (ASCII BASE64), The pem file must contain only the public key beginning with “—–BEGIN CERTIFICATE—– ” and end with “—– END CERTIFICATE —–“
• Allowed IP Addresses. Allows you to restrict access to the system only from trusted IP addresses.
• IP Verification is Enabled. Enables the restriction of access to the system only from trusted IP addresses.
• Number of Unsuccessful Login Attempts before Locking. The value of this parameter should be specified between 3 and 10. If a User or Token is not authenticated successfully, the number of failed authentication attempts will be increased for this User. When the threshold number of failed attempts for the specified Resource is exceeded, this User will be locked. A User can be unlocked through the web interface or the API (the edit user method). If a User is authenticated successfully, the number of failed authentication attempts will be set at zero, if the threshold number of failed attempts for the specified resource is not exceeded, and if this User has not yet been locked.
• Enabled. Allows you to enable or disable the Resource.

2. Activate Users’ Self-Service Portal

1. Go to the Resources tab, click on the resource name, and navigate to the Self-Service tab.

2. If you haven’t enabled the Self-Service Portal for your users yet, click on Enable User’s Self-Service for your resource.

3. Specify the address at which your users will access the Self-Service Portal.
   
   Enter just the final portion of the address, the portal alias, in the field. The full address to the portal will be the authentication server address plus the alias you specified. For example, if you’re using the Protectimus SaaS service, and you specify “portal” as the alias, the link you give to your users will look like this: https://service.protectimus.com/selfservice/portal
   
   If you are running your own instance of the authentication platform on your own premises, the “service.protectimus.com” portion of the address will be replaced with the address to your platform instance. For example: https://localhost:8080/selfservice/portal.

4. Set up the list of actions available to your users in the self-service portal.
   
   You’ll see the list of actions available to your users, as shown in the image below. By default, all actions are disabled.
   
   Enable the action Register New Token. Then you’ll need to specify the Token types for enroll token, if your users will use only Protectimus Bots, leave only Protectimus Bot.

3. Add Users and Specify Their Passwords or Emails

1. Go to the Users page.

2. Click the Add User button.

3. Set the user Login. The User Login must contain only Latin letters, numbers, and symbols _-@∽!#%+.$. Spaces and any other symbols are not allowed.
   
   Also set a password or an email address. A verification code will be sent to the registered email address to allow your users to log into the Self-Service Portal. If a User has both a password and a registered email address, that User will use the password to log in. After a Token is issued for a User and assigned to a Resource, the User will also be asked for an OTP password from the Token when logging in to the Users’ Self-Service Portal.

PLEASE NOTE! You can import users. Detailed instructions on importing users are available here – https://www.protectimus.com/guides/users/#2-how-to-import-users. Make sure that your Users have specified passwords or email addresses.

4. Assign Users to the Resource

1. Go to the Resources page.

2. Find the Resource you need, click Assign, then Users. And assign all necessary Users to this Resource. Users must be assigned to an appropriate Resource in order to have access to the Self-Service Portal.

5. Provide Your Users With Instructions on How to Access the Protectimus Self-Service Portal

1. Give your users a URL to access the Self-Service Portal.

2. Inform your users what usernames and passwords / emails should they use to access the Users Self-Service Portal.

6. Provide Your Users With Instructions on How to Add the Protectimus Bot

1. Log into the Protectimus Self-Service Portal using your username and password or email (contact your administrator for more info if you have any questions).
2. Choose Register New Token.

3. Then choose Bot Token.

4. Enter the token name (any name you want).
5. Open the messaging app you prefer: Facebook Messenger, Telegram, or Viber.
6. Find the ProtectimusBot chatbot using the built-in search (built-in search works only for Telegram) or use the link:
   
   

   Please note: To find the ProtectimusBot chatbot on Facebook Messenger and Viber, users will need to use a direct link, as the built-in search feature doesn’t work for these messaging apps.

   • For Facebook Messenger: http://m.me/ProtectimusBot
   • For Telegram: https://t.me/protectimusbot
   • For Viber: viber://pa?chatURI=Protectimus
7. Send the command /getid to the ProtectimusBot to receive a unique chat ID.
8. Input the received chat ID into the field User’s Chat ID.
9. Indicate which messaging app you’ve chosen in the field Messenger.
10. Don’t change anything in the field One-time Password Length.
11. Click Save.

12. After that, you will receive the one-time password in the messaging app you’ve chosen. Enter it into the field One-time Password and click Save.

13. If everything was done correctly, you will see the message: The token has been successfully created.

1. How to Enable Multi-Factor Authentication for NComputing vSpace

You can set up multi-factor authentication (2FA) for NComputing vSpace with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for NComputing vSpace.

2. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

3. Install and Configure Protectimus RADIUS Server

4. Add Protectimus as RADIUS Server for NComputing vSpace

1. Access your NComputing vSpace dashboard and navigate to the RADIUS Server Settings section.


2. Input the details as specified below:
   

   Label	Come up with a name for your RADIUS server.
   Hostname/Address	IP of server where the Protectimus RADIUS Server component is installed.
   Authentication Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
   Authentication Type	PAP authentication is required.
   Shared Secret Code	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
   Server Timeout (in seconds)	Set to 90 seconds.
   Max Attempts	This specifies how many times the authentication request should be sent. Set to 1.



3. Click Save and test the integration.

1. How to Enable Multi-Factor Authentication for Nerdio

You can set up multi-factor authentication (2FA) for Nerdio with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for Nerdio.

2. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

3. Install and Configure Protectimus RADIUS Server

4. Add Protectimus as RADIUS Server for Nerdio

1. Access your Nerdio dashboard and navigate to the RADIUS Server Settings section.


2. Input the details as specified below:
   

   Label	Come up with a name for your RADIUS server.
   Hostname/Address	IP of server where the Protectimus RADIUS Server component is installed.
   Authentication Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
   Authentication Type	PAP authentication is required.
   Shared Secret Code	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
   Server Timeout (in seconds)	Set to 90 seconds.
   Max Attempts	This specifies how many times the authentication request should be sent. Set to 1.



3. Click Save and test the integration.

1. How to Enable Multi-Factor Authentication for NetApp Virtual Desktop Service

You can set up multi-factor authentication (2FA) for NetApp VDS with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for NetApp Virtual Desktop Service.

2. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

3. Install and Configure Protectimus RADIUS Server

4. Add Protectimus as RADIUS Server for NetApp VDS

1. Access your NetApp Virtual Desktop Service dashboard and navigate to the RADIUS Server Settings section.


2. Input the details as specified below:
   

   Label	Come up with a name for your RADIUS server.
   Hostname/Address	IP of server where the Protectimus RADIUS Server component is installed.
   Authentication Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
   Authentication type	PAP authentication is required.
   Shared secret code	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
   Server timeout (in seconds)	Set to 90 seconds.
   Max attempts	This specifies how many times the authentication request should be sent. Set to 1.



3. Click Save and test the integration.