Registration/bwForCluster/NEMO: Difference between revisions

From bwHPC Wiki
mNo edit summary
 
(7 intermediate revisions by the same user not shown)
Line 8: Line 8:
|}
|}


After having completed steps A+B please visit the '''[https://bwservices.uni-freiburg.de bwForCluster NEMO registration page]'''.
NEMO still uses the old registration page https://bwservices.uni-freiburg.de/, while NEMO2 will use the new registration page https://login.bwidm.de/.
The security feature "One-time Password" (OTP), which is used as a second factor (2FA), is only available on the new registration page.
Therefore, we unfortunately have to use both registration servers to get more security.
The registration and setting of the service password must still be done via the old registration service, the OTP must be registered on the new registration page.

The registration process consists of two steps:
* [[Registration/bwForCluster/NEMO#Registering_for_Service_bwForCluster_NEMO|Registering for Service bwForCluster NEMO]]
* [[Registration/bwForCluster/NEMO#Registering_a_Second_Factor|Registering a Second Factor]]


== Registering for Service bwForCluster NEMO ==

[[Registration/bwForCluster|'''After having completed steps A+B''']] please visit the '''[https://bwservices.uni-freiburg.de bwForCluster NEMO registration page]'''.


Do the following steps to complete registration:
Do the following steps to complete registration:
Line 47: Line 59:
|}
|}


You have now completed the registration for NEMO.
8. NEMO uses a '''2-factor authentication''' (2FA) mechanism to increase security.
You can close the page for the registration server.
This service is provided by [https://login.bwidm.de bwIDM].
However, to be able to access NEMO interactively via SSH, you must also carry out the following steps.
You will need to visit the [https://login.bwidm.de/user/twofa.xhtml registration page] first.

If you have never registered a 2FA token on bwIDM, the following error message will appear:

[[File:Bwidm-3-red.png|center|600px|thumb|Second factor missing.]]
== Registering a Second Factor ==

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
* You or your group must take care of the hardware for the second factor yourself. We do not provide hardware keys or mobile devices.
* Create at least two separate tokens: '''FIRST''' set up a software/hardware TOTP token. '''THEN''' create and print a "backup TAN list". Never create the "backup TAN list" first.
* If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
* The "backup TAN list" should always be created and printed in a '''second step'''. The printout should be kept in a separate place for emergencies.
* Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
* Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section [[Registration/2FA#Returning_Users|Returning Users]].
* '''Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.''' These tools prevent the registration website from generating new security tokens. When the problems remains (you can not generate the QR code or can not confirm it by clicking CHECK), please try once more with an entirely new unmodified web browser profile.
|}

To improve security a '''2-factor authentication mechanism (2FA)''' is being enforced for logins to NEMO. In addition to the service password or SSH key a second value, the '''second factor''', has to be entered on every login.

If you only have a mobile device, you can use software-based solutions as a second factor. If you don't want to use a smartphone app, we recommend using a hardware token such as Yubikey. The Pros and Cons of the various solutions can be found in the generic [[Registration/2FA#Pros_and_Cons_of_the_different_Solutions|'''Second Factor Wiki''']].

'''bwForCluster NEMO Tokens''' are generally managed via the '''Index -> My Tokens''' menu entry on the new registration page. Here you can register, activate, deactivate and delete tokens.


[[Registration/bwForCluster/NEMO#Registering_for_Service_bwForCluster_NEMO|'''After having completed steps "Registering for Service bwForCluster NEMO"''']] please visit the '''[https://login.bwidm.de/user/twofa.xhtml registration page for the "Second Factor"]'''.

To activate the second factor, '''please perform the following steps:'''

1. Select your home organization from the list on the main page and click '''Proceed''' or '''Fortfahren'''.
[[File:BwIDM-login.png|center|600px|thumb|Select your home organization]]

3. You will be directed to the ''Identity Provider'' of your home organization.
Enter the username and password of your '''home organization''' (usually these credentials are also used for other services like email) and click '''Login/Einloggen'''.

4. You will be redirected back to the registration page '''https://login.bwidm.de/user/twofa.xhtml'''.
When you log in to login.bwidm.de for the first time, an overview will appear, with the account information that your home institution submits to the system.
Please verify that all data is valid and then click '''Continue/Weiter'''.

5. '''Register a new "[[Registration/bwForCluster/NEMO#Registering_a_new_Software_Token_using_a_Mobile_APP|Smartphone Token]]"'''. (KIT members can reuse their existing hardware and software tokens.)
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
If you own a [https://www.yubico.com/ Yubikey]''' and would like to register a Yubikey token, visit the generic [[Registration/2FA|'''Second Factor Wiki''']].
|}

6. '''Register a new "[[Registration/bwForCluster/NEMO#Backup_TAN_List|TAN List]]" (backup TAN list)'''.


=== Registering a new Software Token using a Mobile APP ===

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.
|}

If you want to know how the "Time-based OTP" (TOTP) works or need a TOTP app, please visit the general [[Registration/2FA|'''Second Factor Wiki''']].

1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''.
[[File:BwIDM-token.png|center|600px|thumb|Create a new Token]]

2. A new window opens. Click '''Start''' to generate a new '''QR code'''.
This may take a while.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
The QR code contains a key which has to remain secret.
Only use the QR code to link your software token app with bwIDM/bwServices in the next step.
Do not save the QR code, print it out or share it with someone else.
|}
[[File:BwIDM-qr.png|center|600px|thumb|QR Code for Mobile App]]

3. Start the software token app on your separate device and scan the QR code.
The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

4. Once the QR code has been loaded into your Software Token app there should be a new entry called '''bwIDM''' (bwUniCluster, JUSTUS 2 and NEMO) or '''bwServices''' (Helix).
Generate an One-Time-Password by pressing on this entry or selecting the appropriate button/menu item.
You will receive a six-digit code.
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''.
{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
If you do not confirm the token by entering the six-digit code in the "Current code:" field, the token will '''NOT''' be initialized!
|}

5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token.
[[File:BwIDM-app.png|center|400px|thumb|Success]]

6. Repeat the process to register additional tokens.
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

=== Backup TAN List ===

{|style="background:#deffee; width:100%;"
|style="padding:5px; background:#cef2e0; text-align:left"|
[[Image:Attention.svg|center|25px]]
|style="padding:5px; background:#cef2e0; text-align:left"|
Passwords from the "Backup TAN list" should only be used if no other token is left.
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs.
Each TAN can only be used once.
Please disable all privacy tools, ad blockers and further add-ons when registering a new Backup TAN list.
|}

1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''.
[[File:BwIDM-token.png|center|600px|thumb|Generate Backup TAN list]]

2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs.
[[File:BwIDM-tan.png|center|400px|thumb|Success]]

3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies.
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|800px|thumb|Print Backup TAN List]]


You are now registered for the bwForCluster NEMO and can [[NEMO/Login|login]] to the cluster.
Use this '''[https://login.bwidm.de/user/twofa.xhtml link]''' or select '''Index -> My Tokens''' in the main menu.
To register a new token, please follow these '''[[Registration/2FA|instructions]]'''.
Please complete this step before continuing.


----
----
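Review bot: the step list under "Registering a Second Factor" is numbered 1, 3, 4, 5, 6, so either step 2 is missing or the list needs renumbering. In the Yubikey note, the external link is followed by a closing ''' that has no opening bold marker, so the bold markup is unbalanced and should be removed or paired. Two wording slips are worth fixing in the same edit: "When the problems remains" in the warning box and "keep then in a separate place" in step 3 of the backup TAN list.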

Latest revision as of 19:09, 17 November 2023

Registration at the bwForCluster NEMO


You can return to the registration website at any time, in order to review your registration details, change/reset your service password or de-register from the service by yourself.

NEMO still uses the old registration page https://bwservices.uni-freiburg.de/, while NEMO2 will use the new registration page https://login.bwidm.de/. The security feature "One-time Password" (OTP), which is used as a second factor (2FA), is only available on the new registration page. Therefore, we unfortunately have to use both registration servers to get more security. Registration and setting the service password must still be done via the old registration service, while the OTP must be registered on the new registration page.

The registration process consists of two steps:

  • Registering for Service bwForCluster NEMO
  • Registering a Second Factor


Registering for Service bwForCluster NEMO

After having completed steps A+B please visit the bwForCluster NEMO registration page.

Do the following steps to complete registration:

1. Select your home organization from the list on the main page and click Proceed or Fortfahren.

Select your home organization

2. You will be directed to the Identity Provider of your home organization. Enter the username and password of your home organization (usually these credentials are also used for other services like email) and click Login/Einloggen.

3. You will be redirected back to the registration page https://bwservices.uni-freiburg.de. When you log in to bwServices for the first time, an overview will appear, with the account information that your home institution submits to the system. Please verify that all data is valid and then click Continue/Weiter.

4. After you have successfully logged into the bwServices, you will be greeted by a welcome screen that displays all the statewide services you have access to. There you will find a field labeled bwForCluster NEMO. Click Register/Registrieren to start the registration process.

Register for NEMO

If you do not meet all the necessary requirements for a service, this will be shown on the registry page. In this case please contact the service desk of your home organisation. In some cases further information is given and should be executed or provided in your support ticket.

6. Read the Terms of Use (Nutzungsbedingungen und -richtlinien), place a check mark next to I have read and accepted the terms of use and click Register/Registrieren.

7. Set a service password for NEMO by clicking Set Password/Dienstpasswort setzen. Be sure to use a secure password that is different from any other passwords you currently use or have used on other systems and click Save/Speichern.

Set service password

Setting a service password is mandatory for access to any bwForCluster.

You have now completed the registration for NEMO. You can close the page for the registration server. However, to be able to access NEMO interactively via SSH, you must also carry out the following steps.


Registering a Second Factor

  • You or your group must take care of the hardware for the second factor yourself. We do not provide hardware keys or mobile devices.
  • Create at least two separate tokens: FIRST set up a software/hardware TOTP token. THEN create and print a "backup TAN list". Never create the "backup TAN list" first.
  • If you lose access to all your tokens, you will not be able to create new tokens and support will have to reset your tokens manually.
  • The "backup TAN list" should always be created and printed in a second step. The printout should be kept in a separate place for emergencies.
  • Please clean up your second factors as soon as you have created new tokens. Tokens that can no longer be used (e.g. because not initialized, smartphone/Yubikey lost, etc.) or an old backup TAN list where you have already used all TANs or there is no printout should be deactivated and deleted.
  • Returning users who have already activated one or more tokens must first verify their token before they can create new tokens, see section Returning Users.
  • Please disable all privacy tools, ad blockers and further add-ons when registering new tokens. These tools prevent the registration website from generating new security tokens. If the problem remains (you cannot generate the QR code or cannot confirm it by clicking CHECK), please try once more with an entirely new, unmodified web browser profile.

To improve security, a 2-factor authentication mechanism (2FA) is being enforced for logins to NEMO. In addition to the service password or SSH key, a second value, the second factor, has to be entered on every login.

If you only have a mobile device, you can use software-based solutions as a second factor. If you don't want to use a smartphone app, we recommend using a hardware token such as Yubikey. The Pros and Cons of the various solutions can be found in the generic Second Factor Wiki.

bwForCluster NEMO Tokens are generally managed via the Index -> My Tokens menu entry on the new registration page. Here you can register, activate, deactivate and delete tokens.


After having completed the steps in "Registering for Service bwForCluster NEMO", please visit the registration page for the "Second Factor".

To activate the second factor, please perform the following steps:

1. Select your home organization from the list on the main page and click Proceed or Fortfahren.

Select your home organization

3. You will be directed to the Identity Provider of your home organization. Enter the username and password of your home organization (usually these credentials are also used for other services like email) and click Login/Einloggen.

4. You will be redirected back to the registration page https://login.bwidm.de/user/twofa.xhtml. When you log in to login.bwidm.de for the first time, an overview will appear, with the account information that your home institution submits to the system. Please verify that all data is valid and then click Continue/Weiter.

5. Register a new "Smartphone Token". (KIT members can reuse their existing hardware and software tokens.)


If you own a Yubikey and would like to register a Yubikey token, visit the generic Second Factor Wiki.

6. Register a new "TAN List" (backup TAN list).


Registering a new Software Token using a Mobile APP


Please disable all privacy tools, ad blockers and further add-ons when registering new tokens.

If you want to know how the "Time-based OTP" (TOTP) works or need a TOTP app, please visit the general Second Factor Wiki.

1. To register a new token, click NEW SMARTPHONE TOKEN.

Create a new Token

2. A new window opens. Click Start to generate a new QR code. This may take a while.


The QR code contains a key which has to remain secret. Only use the QR code to link your software token app with bwIDM/bwServices in the next step. Do not save the QR code, print it out or share it with someone else.

QR Code for Mobile App

3. Start the software token app on your separate device and scan the QR code. The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.

4. Once the QR code has been loaded into your software token app, there should be a new entry called bwIDM (bwUniCluster, JUSTUS 2 and NEMO) or bwServices (Helix). Generate a one-time password by pressing on this entry or selecting the appropriate button/menu item. You will receive a six-digit code. Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click CHECK.


If you do not confirm the token by entering the six-digit code in the "Current code:" field, the token will NOT be initialized!

5. If everything worked as expected, you will be returned to the My Tokens screen and there will be a new entry for your software token.

Success

6. Repeat the process to register additional tokens. Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.

Backup TAN List


Passwords from the "Backup TAN list" should only be used if no other token is left. Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs. Each TAN can only be used once. Please disable all privacy tools, ad blockers and further add-ons when registering a new Backup TAN list.

1. Please create at least one "Backup TAN list" by clicking CREATE NEW TAN LIST.

Generate Backup TAN list

2. Click START. You will be redirected to the My Tokens screen and there will be a new entry for your backup TANs.

Success

3. Click SHOW TANS, print the codes and keep them in a separate place for emergencies.

Print Backup TAN List

You are now registered for the bwForCluster NEMO and can log in to the cluster.


Go back to bwForCluster Registration Home