Building on last week’s Cogent DataHub v11 Security Enhancements Deep Dive blog, this post dives into a practical application of these security enhancements by focusing on the implementation of multifactor authentication (MFA) using a TOTP (Time-based One-time Password) key to secure a Remote Config connection to the DataHub. We will guide you through the process of setting up a built-in user with the “RemoteConfig” role, ensuring that remote access is equipped with the necessary permissions. To further strengthen security, we’ll integrate a TOTP key with an authentication app and define an IP pattern Principal to restrict access to specific source network locations. We’ll conclude by performing a successful login from a different system, thus verifying the effectiveness of our secure setup.
Adding MFA through TOTP to these security measures significantly reduces the risk of unauthorized access, including brute-force attacks, and helps ensure compliance with industry standards and regulatory requirements. Furthermore, the ease of DataHub’s MFA integration minimizes disruptions to existing systems while providing greater confidence in the integrity and security of your data.
Step 1: Add Built-in User to Local Security Organization
In this step, we will add a built-in User to the Local Security Organization in DataHub. This user will act as a secure access point to the system, forming the basis of our remote configuration.
Step 2: Configure User Details and Enable MFA/TOTP Authentication
We will configure the built-in user by assigning a specific username and password. Additionally, it is critical to ensure that the “RequireTotpAuthentication” option is selected, establishing multifactor authentication as a security requirement.
Step 3: Assign the “RemoteConfig” Role
Once the built-in user has been successfully created, we will proceed by assigning it the “RemoteConfig” role. This role is a preconfigured default role that provides the necessary permissions for managing remote DataHub properties configuration. As you make changes, you will notice that certain elements turn red, along with the Change Report tab. As highlighted in our previous security deep dive blog, this visual cue serves as a proactive measure allowing you to clearly identify and review modifications before finalizing them. This approach helps mitigate the risk of unintended consequences by ensuring you are fully aware of all changes made.
Step 4: Generate and Configure the TOTP Key
Next, we will generate a TOTP key following two straightforward actions: clicking on “Add TOTP Key” and then “Generate Random Key”. The generated key can be manually entered into an authentication app, such as Microsoft Authenticator, or you can scan the QR code for automatic input, which is a more reliable and recommended method. You are welcome to use any authenticator app that supports industry-standard implementations of MFA, TOTP keys and the QR code for scanning.
For this demonstration, the TOTP key was successfully added to the Microsoft Authenticator app using the QR code.
Step 5: Configure IP Pattern Principal for Network Security
To restrict system access to a specific source network, we will modify the default principal (0.0.0.0/0) to a designated IP address. In this case, we will limit Remote Config access only to a test client computer with the IP address: 192.168.111.74. DataHub also supports the specification of entire IP ranges through use of CIDR notation, which we covered in the DataHub security deep-dive blog. This capability allows for more flexible and precise network configurations.
Step 6: Launch and Validate DataHub Remote Config Access
Finally, we will launch the DataHub Remote Config from the remote client computer. For those new to DataHub or the concept of Remote Config, it’s a pre-installed utility that comes with DataHub, allowing remote users to manage properties and interact with DataHub when installed as a service. For more details, please refer to a previous Tech Support Corner blog where Remote Config is introduced. To establish the connection, we will provide a connection name, input the host IP of the DataHub instance we are trying to access, specify the HTTP Port, and provide the username, password and the current TOTP one-time password code generated by the Microsoft Authenticator App.
Upon successful connection, it is confirmed through the Remote Config event log, and full access to the Cogent DataHub properties window is granted. This confirms the success of our configuration.
If an incorrect TOTP code had been entered or the connection attempt had been made from an unauthorized IP address, the connection would have been denied. The DataHub Remote Config’s log would then reflect this failed attempt. In the example below, the username, password, and TOTP are all correct, but the IP address (192.168.111.97) of the computer was not granted access in the security construct.
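To make the checks from Steps 4 and 5 concrete, the following added example (not DataHub’s own code, and not from the original post) models how a server evaluates a Remote Config login: it computes a standard RFC 6238 TOTP code the way an authenticator app does, checks the client address against an IP pattern principal in CIDR notation, and reproduces the denial above for 192.168.111.97. The user record, password, and secret key are constructed for the demonstration; the secret is the RFC 4226/6238 test key, not a real DataHub key.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo values (not real DataHub data): the RFC 4226/6238 test secret
# and the two client addresses from the walkthrough.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
PRINCIPAL_DEFAULT = "0.0.0.0/0"            # DataHub's default IP pattern principal
PRINCIPAL_TEST_CLIENT = "192.168.111.74/32"  # only the test client computer

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238: HMAC-SHA1 over the 30-second time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, unix_time, skew_steps=1):
    """Accept the current step plus one step either side to tolerate clock drift."""
    candidates = (totp(secret_b32, unix_time + k * 30) for k in range(-skew_steps, skew_steps + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)

def ip_permitted(src_ip, principal_cidr):
    """IP pattern principal check: 0.0.0.0/0 admits any host, a /32 admits exactly one."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(principal_cidr, strict=False)

# Constructed built-in user with the RemoteConfig role and RequireTotpAuthentication set.
USER = {
    "name": "rcadmin",
    "password_sha256": hashlib.sha256(b"demo-pass").hexdigest(),
    "totp_secret": DEMO_SECRET_B32,
    "require_totp": True,
    "roles": {"RemoteConfig"},
}

def remote_config_login(user, username, password, code, src_ip, principal_cidr, unix_time):
    """Evaluate every factor, then return (granted, log_line) like a Remote Config event log entry."""
    pw_ok = user["name"] == username and hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), user["password_sha256"])
    totp_ok = (not user["require_totp"]) or verify_totp(user["totp_secret"], code, unix_time)
    ip_ok = ip_permitted(src_ip, principal_cidr)
    role_ok = "RemoteConfig" in user["roles"]
    if pw_ok and totp_ok and ip_ok and role_ok:
        return True, f"Remote Config login from {src_ip} granted to {username}"
    if not pw_ok:
        reason = "invalid credentials"
    elif not totp_ok:
        reason = "invalid TOTP code"
    elif not ip_ok:
        reason = f"source IP not in principal {principal_cidr}"
    else:
        reason = "RemoteConfig role not assigned"
    return False, f"Remote Config login from {src_ip} denied ({reason})"
```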
Takeaway
The steps outlined in this guide not only demonstrate how to securely configure access to the Cogent DataHub Remote Config, but can also be used as a foundation for future expansions in your access control for other communication protocols and data acquisition methods supported by DataHub.
Be sure to check out our recent blog post on securing your MQTT Data Access in Cogent DataHub V11 where we explore how custom role creation can be leveraged to manage user access to data domains, providing a tailored approach to data security within your system.
Subscribe to our blog to continue exploring the exciting new features of Cogent DataHub v11.
Explore these enhancements firsthand by downloading the fully-functional free trial of DataHub version 11 today.
If you're an existing user, upgrade your experience by requesting your license update here.
Stay tuned for more insights on how DataHub V11 can benefit your operations!