JaCarta Authentication Server (JAS)

JaCarta Authentication Server (JAS) is a stand-alone high-performance server for enhanced one-time password authentication.

2024: ViPNet PKI Service 2.3 Compatibility

The company InfoTeCS"" and the company Aladdin on February 19, 2024 announced the achievement of compatibility of the multifunctional software and hardware complex (PAC) ViPNet PKI Service 2.3 servers authentications and JaCarta Authentication Server. More. here

2022: JaCarta Authentication Server compatibility (as part of JMS 3.7) with UserGate firewalls

Aladdin RD., "the Russian developer and provider of security solutions, and information security, UserGate the Russian developer and, software microelectronics completed the verification of the joint work of servers authentications JaCarta Authentication Server (JAS) firewalls and the next generation. This was UserGate announced by Aladdin R.D. on August 29, 2022.

The companies have signed certificate product compatibility, which will expand the arsenal of integrated domestic safety information systems (IS) solutions.

By integrating UserGate network devices with the JAS authentication server, it becomes possible to assign additional authentication methods to VPN users - when connecting to information systems, enter the use of a one-time password (OTP) using SMS or PUSH notifications (using the Aladdin 2FA mobile application).

UserGate firewalls are based on a special architecture and its own operating system UGOS. This approach allows you to process and analyze network traffic on high-load channels communications and achieve efficient scaling. The UserGate line of solutions forms UserGate SUMMA's own security ecosystem. All components of the ecosystem are certified, FSTEC of Russia compatible with each other and provide protection of the current network from infrastructures various - Internetthreats related to external, attacks malicious applications scripts and other risks, and also allow applying different politicians to Internet users in relation to traffic control and used applications.

UserGate NGFW supports user authentication and the application of firewall rules, content filtering, Active Directory application control, as well as authentication tools and protocols such as Kerberos, RADIUS, LDAP, Captive Portal, TACACS +, 2FA to users/user groups.

The high-performance JaCarta Authentication Server (JAS) implements enhanced two-factor authentication with support for both hardware tokens and OTP/SMS/PUSH software authenticators to ensure secure access to devices and information system resources. JAS is a domestic product registered in the Unified Register of Russian Software, certified by the FSTEC of Russia and implemented as part of the JaCarta Management System (JMS) 3.7 platform. JMS 3.7 is a certified system for accounting and centralized management of authentication and electronic signature (EA) tools, protected media, as well as means of secure remote work.

JMS 3.7 and JAS products are used in large corporate IT systems and information services to improve the level of security and automation of information security administrators. In particular, JAS is capable of performing more than 5,000 authentications per second.

Aladdin R.D. specialists pay a lot of attention to improving the functionality of JMS, JAS products and expanding the list of compatible products and devices. In the course of the work, JAS compatibility as part of JaCarta Management System 3.7 was confirmed with the following models of UserGate network equipment: next-generation firewalls UserGate C100, UserGate D200, D500, UserGate E1000, E3000, UserGate F8000, UserGate X1; UserGate virtual firewall, which guarantees their correct operation in IT infrastructures of various scales and allows solving issues of strengthening the process of authentication of IP users completely on domestic developments.

2021: Use when working with the VDI service in OnCloud.ru

Onlanta (part of the LANIT group) has implemented two-factor authentication when working with a remote desktop service (VDI) in a secure облакеOnCloud.ru. Authorization is based on the JaCarta Authentication Server (JAS) solution developed by Aladdin R.D. LANIT announced this on February 11, 2021. Read more here.

2020: Special Price on JaCarta Authentication Server

On March 26, 2020, Aladdin R.D. launched an action for remote employees, in which it proposes to use the JaCarta Authentication Server (JAS) solution for a special price. The solution is designed for secure remote access and enhanced authentication using OTP (user authentication by one-time passwords) on a smartphone as an additional authentication factor in VPN and VDI (VMware Horizon View, Citrix XenApp/XenDesktop). The company's specialists offer assistance in remotely configuring the server components of the solution and are ready to provide instructions for "forced" home users. To obtain information on the implementation of two-factor authentication (2FA) through OTP and special prices, you need to make a request on the developer's website.

2019: Adding an authentication feature

On June 10, 2019, Aladdin R.D., a Russian developer and provider of information security solutions, announced the release of an additional option under the ^[1] Authentication Server (JAS) product.

servers authentications The authentication function - JAS OTP Logon (JOL) - has been added to the package (JAS). It expands the standard set of Credential data Providers, with OS Windows which the user can open a Windows session (displayed as fields for entering authentication data on the login screen), as well as authenticate in standard Windows services and applications, for example, in Web applications, IIS to connect to remote to the computer Windows terminal service tools, etc.

This feature provides enhanced two-factor authentication (i.e., without the use of smart cards or other cryptographic authentication tools), where an OTP password generated using standard OTP tokens is added as a second factor in addition to the main password. The option of using popular OTP software generators, such as Yandex.Key and Google Authenticator, is also allowed.

Authentication for logging into Windows using JOL is performed both in a domain environment (based on Microsoft Active Directory) and on non-domain workstations. This allows organizations to implement two-factor authentication without deploying a PKI infrastructure. The product contains built-in tools for centralized installation and configuration through Windows Group Policies.

2016

Registration in the Unified Register of Russian Software

In November 2016, Aladdin R.D., a Russian developer and provider of information security solutions, announced the registration of the JaCarta Authentication Server (JAS) product in the Unified Register of Russian Programs for Electronic Computers and Databases under number 2128 (Ministry of Communications and Mass Media of Russia). As you know, if there is a domestic solution, structures financed from the Russian budget cannot purchase import software similar in function .

JAS is a stand-alone high-performance server for enhanced one-time password (OTP) authentication when accessing enterprise systems (CRM, portals, mail, etc.), including Microsoft SharePoint and Microsoft Outlook Web App, Web sites and cloud services, remote banking systems, as well as remote desktops (VMware Horizon View and Citizen XenApp/XenDesktop). The use of JAS allows you to ensure reliable protection of access to resources and services of the organization, including from tablets smartphones Google and (Authenticator and sending a password by are supported SMS), as well as increase user loyalty and satisfaction, since the authentication process is significantly simplified.

JaCarta Authentication Server Release

On July 26, 2016, Aladdin R.D. announced the release of a server for enhanced authentication using one-time passwords JaCarta Authentication Server (JAS).

JAS is designed to provide enhanced user authentication using one-time passwords (OTP) when accessing corporate systems (CRM, portals, mail, etc.), sites, cloud services, remote banking systems (RBS) and remote desktops (Microsoft RDP, VMware Horizon View, Citizen XenApp/XenDesktop). Authentication of mobile users working outside the secure network perimeter of the organization is supported.

JAS Server Interaction Diagram, (2016)

When creating JAS, we took into account many years of experience in selling products of other vendors (Token Management System, SafeNet Authentication Manager) and developing our own JaCarta tokens. As a result, we can offer the Russian market a completely domestic product, in no way inferior to Western counterparts, at a much lower price. We expect that JAS will be of interest to all organizations that need enhanced user authentication or are looking for a replacement for foreign solutions, as well as developers of RBS systems, corporate software and online services. In the future, we plan to conduct JAS certification according to the requirements of the FSTEC of Russia, which will allow it to be used in high-class protection systems and will contribute to the further dissemination of our development. Sergey Gruzdev, General Director of Aladdin R.D.

The advantage of a one-time password over a regular static password is to eliminate the ability to reuse OTP. For this reason, even if an attacker intercepts the authentication session data, he will not be able to use the copied password to gain access to the protected information system.

JAS can be used for OTP authentication:

• in government and commercial organizations that need to strengthen user authentication when accessing external or internal corporate systems;
• in RBS systems;
• enterprise software developers;
• developers of online services;
• organizations interested in import substitution of similar products of foreign vendors (primarily SafeNet Authentication Manager).

JAS allows you to use different authentication modes for different groups of users:

• OTP only;
• OTP + OTP PIN;
• domain password + OTP;
• domain password + OTP + OTP PIN.

Supported token models (OTP generation mode "by event"):

• JaCarta WebPass;
• eToken PASS;
• eToken NG-OTP (Java);
• Google Authenticator.

For integration with application software, support for protocols is implemented:

• Remote Authentication in Dial-In User Service (RADIUS);
• Representational State Transfer (REST);
• Windows Communication Foundation (WCF).

System properties Autonomy

JAS does not require any additional software as part of the product:

• an authentication service including monitoring means;
• plugin for Microsoft Network Policy Server (NPS);
• tools for administering and managing tokens and users.

High performance

• One JAS server can provide up to 1,000 authentications per second
• Vertical scalability is a direct dependence on processor performance.

• Authentication server: implemented as a service Microsoft Windows - Aladdin JAS Engine Service
• OTP cache: token information is read into RAM from the database when the service starts
• Counters.dat file:
  • storage of current values of authentication counters;
  • The file is updated during maintenance operations through the Management Console.

• JAS Management Console (JAS Agent):
  • token and user management;
  • can be installed on a separate computer;
  • user authentication and authorization modes:
  • * Microsoft Windows account + group membership;
  • * authentication is disabled.

• Account Store: Microsoft SQL Server or Microsoft Active Directory/Microsoft Security Account Manager
• Microsoft SQL Server Data Base
• Storing Token and User Information
• It is enough to install only one component - Microsoft SQL Server Database Engine
• Data Base is created automatically during the JAS server configuration process
• Available database user authentication modes:
  • means; Microsoft Windows
  • by Microsoft SQL Server.

Application Software Integration

• RADIUS:
  • Available for applications that use RADIUS protocol for user authentication
  • Microsoft NPS server and plugin must be installed;
  • the plugin communicates with the JAS server through the REST interface;
  • no rework of the application software is required.

• REST:
  • works "on top" of HTTP;
  • available for any application, on any platform;
  • Application software revision is required.

• WCF:
  • works "on top" of HTTP, or TCP;
  • only available for.Net applications;
  • Application software revision is required.

Fault tolerance

Microsoft Failover Cluster, модель Active/Standby

• Multiple JAS servers:
  • synchronizing the counters.dat file;
  • You must save your encryption password.

• Multiple Microsoft SQL Server:
  • Microsoft SQL Server database replication.

Supported OTP calculation algorithms

• RFC 4226 + HMAC-SHA-1 (6 characters);
• RFC 4226 + HMAC-SHA-256 (6 characters);
• RFC 4226 + HMAC-SHA-256 (7 characters);
• RFC 4226 + HMAC-SHA-256 (8 characters).