Connectware 1.11.0
© Copyright 2025, Cybus GmbH

Multi-Factor Authentication

Last updated 2 months ago


Multi-factor authentication (MFA), also known as 2-factor authentication, allows you to add an extra layer of security to your Connectware account. With MFA, you need a one-time code generated by an authentication app in addition to your main Connectware password to sign in.

If you do not have access to your authentication device, you can use backup codes to sign in or ask a Connectware admin to disable your MFA. Connectware admins can disable MFA for each user individually.

Prerequisites for Multi-Factor Authentication

General

  • Offline access: Multi-factor authentication can be used even without an internet connection.

  • Microsoft Entra ID limitation: Multi-factor authentication is not available when using Microsoft Entra ID for authentication.

For Administrators (MFA Implementation)

To configure multi-factor authentication, administrators need to modify the Connectware configuration file:

  • Kubernetes: Modify the values.yaml file.

  • Docker: Modify the .env file.

For Users (MFA Usage)

  • MFA enabled: Your organization has enabled multi-factor authentication for your Connectware account.

  • Usage: Multi-factor authentication can be optional or mandatory depending on your organization's settings.

  • Authentication apps: You have installed a time-based one-time password (TOTP) authentication app such as:

    • Google Authenticator

    • Microsoft Authenticator

    • Authy

    • FreeOTP

Configuration Parameters (Multi-Factor Authentication)

Configure the following Helm values (Kubernetes) or environment variables (Docker) to enable multi-factor authentication.

Helm Values (Multi-Factor Authentication)

  • global.authentication.mfa.enabled (Required): If set to true, multi-factor authentication is enabled. If set to false, multi-factor authentication is disabled.

  • global.authentication.mfa.encryptionSecret (Required*): Primary encryption key that secures MFA.

  • global.authentication.mfa.encryptionSalt (Required*): Random value added to strengthen the encryption process.

  • global.authentication.mfa.existingSecret (Required*): The name of your existing Kubernetes secret that contains the encryptionSecret and encryptionSalt values.

Environment Variables (Multi-Factor Authentication)

  • CYBUS_MFA_ENABLED (Required): If set to true, multi-factor authentication is enabled. If set to false, multi-factor authentication is disabled.

  • CYBUS_MFA_ENCRYPTION_SECRET (Required): Primary encryption key that secures MFA.

  • CYBUS_MFA_ENCRYPTION_SALT (Required): Random value added to strengthen the encryption process.

  • CYBUS_MFA_MAX_INVALID_OTPS_PER_USER (Optional): Sets how many times a user can enter an incorrect one-time password when logging in with multi-factor authentication before their account is temporarily locked.

  • CYBUS_MFA_BAN_DURATION_MINUTES (Optional): Sets the lockout period (in minutes) after too many failed one-time password attempts when logging in with multi-factor authentication.
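The following Python model is an added illustration, not Connectware's code: it shows how the rules described on this page interact, using RFC 6238 TOTP codes of the kind the listed authenticator apps produce, single-use backup codes, and a lockout counter driven by the documented CYBUS_MFA_MAX_INVALID_OTPS_PER_USER and CYBUS_MFA_BAN_DURATION_MINUTES settings. The threshold of 5 attempts, the 10-minute ban, the number of backup codes and the one-step clock-drift tolerance are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), the profile the
    authenticator apps listed on this page use. `at` is a Unix timestamp."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MfaAccount:
    """Illustrative per-user MFA state (not Connectware's implementation):
    a TOTP seed, single-use backup codes and the documented lockout counter."""

    def __init__(self, max_invalid: int = 5, ban_minutes: int = 10):
        self.seed = base64.b32encode(secrets.token_bytes(20)).decode()
        self.backup_codes = {secrets.token_hex(4) for _ in range(8)}  # each usable once
        self.max_invalid = max_invalid       # assumed CYBUS_MFA_MAX_INVALID_OTPS_PER_USER
        self.ban_seconds = ban_minutes * 60  # assumed CYBUS_MFA_BAN_DURATION_MINUTES
        self.invalid_count = 0
        self.locked_until = 0

    def verify(self, code: str, now: int) -> str:
        """Check one submitted code; returns 'ok', 'invalid' or 'locked'."""
        if now < self.locked_until:
            return "locked"                  # refused even if the code would be right
        # Accept the current 30 s step plus one step either side for clock drift
        # (assumed tolerance); constant-time compare avoids leaking digit matches.
        totp_ok = any(hmac.compare_digest(code.encode(), totp(self.seed, now + d).encode())
                      for d in (-30, 0, 30))
        if totp_ok or code in self.backup_codes:
            self.backup_codes.discard(code)  # a backup code is burned on first use
            self.invalid_count = 0
            return "ok"
        self.invalid_count += 1
        if self.invalid_count >= self.max_invalid:
            self.locked_until = now + self.ban_seconds
            self.invalid_count = 0
        return "invalid"


def demo() -> dict:
    """Replays the documented rules against a fixed clock and returns each outcome."""
    acct = MfaAccount(max_invalid=5, ban_minutes=10)
    t = 1_700_000_000
    out = {"totp": acct.verify(totp(acct.seed, t), t)}
    backup = next(iter(acct.backup_codes))
    out["backup_first"] = acct.verify(backup, t)
    out["backup_reuse"] = acct.verify(backup, t)      # single use: counts as invalid
    for _ in range(4):                                 # four more bad codes -> 5 invalid
        acct.verify("not-a-code", t)
    out["locked"] = acct.verify(totp(acct.seed, t), t)          # correct code, still locked
    out["after_ban"] = acct.verify(totp(acct.seed, t + 601), t + 601)  # 10 min elapsed
    return out


if __name__ == "__main__":
    print(demo())
```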

Encryption Secrets and Salt

The multi-factor authentication system uses two critical security components:

  • Secret: An encryption key for securing MFA tokens.

  • Salt: A random value that enhances encryption strength.

Changing the encryption secret or salt will invalidate all existing MFA configurations, requiring users to reconfigure their MFA settings. Keep these values secure. If compromised, an attacker could potentially bypass authentication.

Configuring Connectware to Support Multi-Factor Authentication

To use multi-factor authentication with a new Connectware installation or with your existing Connectware setup, you must update your Connectware configuration file. The update procedure depends on your current installation method.

  • Kubernetes: Modify the values.yaml file.

  • Docker: Modify the .env file.

Multi-Factor Authentication Configuration for Kubernetes

There are two ways to configure multi-factor authentication encryption settings in your Kubernetes deployment. You must choose one of these methods:

Using Kubernetes Secrets (Recommended)

  1. Create a Kubernetes secret. The values in Kubernetes secrets must be base64-encoded strings.

kubectl create secret generic my-mfa-secret --from-literal=encryptionSecret=$(echo -n "18473274-5073-11ee-be56-0242ac120002" | base64) --from-literal=encryptionSalt=$(echo -n "229c75c2-5073-11ee-be56-0242ac120002" | base64)
  2. Open the values.yaml file.

    • Now you must configure the helm file to enable multi-factor authentication.

  3. Configure the following helm values to enable and configure multi-factor authentication.

global:
    authentication:
        mfa:
            # Enable multi-factor authentication
            enabled: true
            # The name of your existing Kubernetes secret that contains the encryptionSecret and encryptionSalt values
            existingSecret: my-mfa-secret
  4. Optional: Specify the allowed number of invalid one-time password attempts and the lockout period after too many failed one-time password attempts.

global:
    authServer:
        env:
            # Specify the allowed number of invalid one-time password attempts
            - name: CYBUS_MFA_MAX_INVALID_OTPS_PER_USER
              value: '5'
            # Specify the lockout period after too many failed one-time password attempts in minutes
            - name: CYBUS_MFA_BAN_DURATION_MINUTES
              value: '10'
  5. After configuring your values.yaml file, deploy or update Connectware by running the following Helm command:

Make sure to adjust the command parameters based on your specific setup:

  • Installation name (currently set to connectware)

  • Namespace (currently set to cybus)

  • Repository name (currently set to cybus/connectware)

  • Path and filename of your values file (currently set to values.yaml)

helm upgrade --install connectware -n cybus cybus/connectware -f values.yaml

Using Clear Text Values

Storing encryption secrets and salt values in clear text within your values.yaml file is not recommended for production environments. Instead, use Kubernetes secrets to manage these sensitive values securely. The clear text configuration shown below should only be used for development or testing purposes.

  1. Open the values.yaml file.

    • Now you must configure the helm file to enable multi-factor authentication.

  2. Configure the following helm values to enable and configure multi-factor authentication. The secret and salt values below are placeholders; generate your own random values.

global:
    authentication:
        mfa:
            # Enable multi-factor authentication
            enabled: true
            # Clear text secret key for encrypting MFA secrets
            encryptionSecret: '18473274-5073-11ee-be56-0242ac120002'
            # Clear text salt value for encrypting MFA secrets
            encryptionSalt: '229c75c2-5073-11ee-be56-0242ac120002'
  3. Optional: Specify the allowed number of invalid one-time password attempts and the lockout period after too many failed one-time password attempts.

global:
    authServer:
        env:
            # Specify the allowed number of invalid one-time password attempts
            - name: CYBUS_MFA_MAX_INVALID_OTPS_PER_USER
              value: '5'
            # Specify the lockout period after too many failed one-time password attempts in minutes
            - name: CYBUS_MFA_BAN_DURATION_MINUTES
              value: '10'
  4. After configuring your values.yaml file, deploy or update Connectware by running the following Helm command:

Make sure to adjust the command parameters based on your specific setup:

  • Installation name (currently set to connectware)

  • Namespace (currently set to cybus)

  • Repository name (currently set to cybus/connectware)

  • Path and filename of your values file (currently set to values.yaml)

helm upgrade --install connectware -n cybus cybus/connectware -f values.yaml

Multi-Factor Authentication Configuration for Docker

  1. Navigate to your Connectware installation directory. If you have used the default values during installation, this is the installation folder: /opt/connectware. The directory contains an .env file that is loaded when starting Connectware.

  2. Open the .env file.

    • Now you must configure the .env file to enable multi-factor authentication.

  3. Configure the following environment variables to enable and configure multi-factor authentication. The .env file holds plain KEY=value lines (no YAML keys); the secret and salt values below are placeholders that you must replace with your own random values.

# Enable multi-factor authentication
CYBUS_MFA_ENABLED=true

# Multi-factor authentication encryption credentials
CYBUS_MFA_ENCRYPTION_SECRET=18473274-5073-11ee-be56-0242ac120002
CYBUS_MFA_ENCRYPTION_SALT=229c75c2-5073-11ee-be56-0242ac120002
  4. Optional: Specify the allowed number of invalid one-time password attempts and the lockout period after too many failed one-time password attempts.

# Specify the allowed number of invalid one-time password attempts
CYBUS_MFA_MAX_INVALID_OTPS_PER_USER=5

# Specify the lockout period after too many failed one-time password attempts in minutes
CYBUS_MFA_BAN_DURATION_MINUTES=10
  5. After configuring the environment variables, restart Connectware by running docker compose up -d in your installation directory.

Setting up Multi-Factor Authentication

  1. On the navigation panel, click Settings.

  2. Click Enable Multi-Factor Authentication.

  3. Open your authentication app and do one of the following:

  • Scan the QR code.

  • Enter your secret key.

The authentication app generates a one-time 6-digit code.

  4. Enter the one-time 6-digit code in the Register Device fields and click Enable Multi-Factor Authentication. Connectware displays a list of backup codes. If you do not have access to your authentication device, you can use a backup code instead of a one-time 6-digit code. You can use each backup code only once. Alternatively, you can ask a Connectware admin to disable your MFA.

  5. Copy and paste the backup codes to a safe location.

Signing in with Multi-Factor Authentication

  1. On the Connectware login screen, enter your Username and Password.

  2. Click Sign In.

  3. Open the authentication app and select your Connectware account.

  4. Enter the one-time 6-digit code displayed on the authentication app.

Signing in with Multi-Factor Authentication Backup Codes

If you have no access to your multi-factor authentication app, you can use backup codes instead of a one-time 6-digit code to sign in to Connectware. Backup codes are displayed when you set up multi-factor authentication.

This gives you access to Connectware in case you have misplaced your authentication device, uninstalled your authentication app or removed Connectware from your authentication app.

You can use each backup code only once.

  1. On the Connectware login screen, enter your Username and Password.

  2. Click Sign In.

  3. Click Use backup code.

  4. In the Backup Code field, enter your backup code and click Sign In.

Disabling Multi-Factor Authentication (User)

You must have access to your authentication app to disable multi-factor authentication.

If you do not have access to your authentication app, ask a Connectware admin to disable your multi-factor authentication.

  1. On the navigation panel, click Settings.

  2. In the Multi-Factor Authentication section, click Disable Multi-Factor Authentication.

  3. Open the authentication app and select your Connectware account.

  4. Enter the one-time 6-digit code displayed on the authentication app.

  5. Click Disable Multi-Factor Authentication.

Disabling Multi-Factor Authentication (Admin)

As a Connectware admin, you can disable multi-factor authentication for each user individually.

  1. On the navigation panel, select User Management > Users and Roles.

  2. Click the user for whom you want to disable multi-factor authentication.

  3. In the MFA row, click Disable.

  4. Click Update.

Regenerate Backup Codes

You must have access to your authentication app to regenerate multi-factor authentication backup codes.

  1. On the navigation panel, click Settings.

  2. In the Multi-Factor Authentication section, click Regenerate Backup Codes.

  3. Open the authentication app and select your Connectware account.

  4. Enter the one-time 6-digit code displayed on the authentication app in the text field.

  5. Click Regenerate Backup Codes.

Making Multi-Factor Authentication Mandatory for Individual Users (Admin)

As a Connectware admin, you can set multi-factor authentication to be the mandatory login method for individual users.

  1. On the navigation panel, select User Management > Users and Roles.

  2. Click the user for whom you want to make multi-factor authentication mandatory.

  3. In the MFA (Required) row, click Enable.

  4. Click Update.

* You must provide either encryptionSecret and encryptionSalt, or provide the existingSecret. For enhanced security, use existingSecret. For more information, see Using Kubernetes Secrets (Recommended).

Kubernetes secrets (recommended): Use Kubernetes secrets to store your encryption values.

Clear text values: Write the encryption values directly in your values.yaml file in clear text.

For a list of all environment variables for Docker Compose, see the Environment Variables reference for Docker Compose.

For LDAP users, you can set CYBUS_LDAP_AUTO_ENFORCE_MFA to true to make multi-factor authentication the mandatory login method for all new LDAP users. For more information, see Connectware LDAP Parameters.
