We're pleased to announce the release of a prototype authentication plugin for Cloudstack that will add WiKID Two-factor authentication to the administrator login. The jar is available for download at our Sourceforge site. The license is GPL.

There are five steps to adding two-factor authentication to the Cloudstack management server. 1. Copy the jar files. 2. Edit components.xml. 3. Create a network client on the WiKID server. 4. Edit the WiKID properties file. 5. Turn off MD5 hashing on the login page.

You need both the WiKIDUserAuthenticator.jar and the wikid-server-enterprise or or wikid-server-community jars which can be found in your server in /opt/WiKID/lib. Drop these two jars into /usr/share/java on your Cloudstack server.

Edit your /etc/cloud/management/components.xml to include WiKID:

     <adapters key="com.cloud.server.auth.UserAuthenticator">
            <adapter name="WiKID" class="com.wikidsystems.cloud.WikidUserAuthenticator"/>
            <adapter name="LDAP" class="com.cloud.server.auth.LDAPUserAuthenticator"/>
     </adapters>

On the WiKID server, create a network client that uses the wAuth protocol and the Cloudstack server's IP address or domain name. This will create a client certificate in /opt/WiKID/private which you will need to copy over to the Cloudstack server, along with /opt/WiKID/private/CACertStore. Restart the WiKID server.

Inside the jar file, you will find a file called cloudstack-examples.properties. Edit that file changing the hostname, cert name, CaStore location and domain identifier.

Finally, in sharedFunctions.js turn off the MD5 hashing of the password:

// Default password is MD5 hashed.  Set the following variable to false to disable this. 
var md5Hashed = false; 
var md5HashedLogin = false;

Restart your cloud management software and you should be prompted to authenticate. Use your cloudstack manager username and a valid OTP from WiKID.