Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II

11 April,19 at 11:50 AM


This article is the second of a 3 part series. Part II will cover the following:

  • Setting up the on premise components of this integration
  • Configuring the Symantec VIP Enterprise Gateway
  • Configuring the RADIUS validation service on the Symantec VIP Enterprise Gateway.

To view the other parts of this series, go here:

Part I

Part III



  • This posting is provided "AS IS" with no warranties, and confers no rights.
  • This is a lab entry.  It is only meant to show the reader that this integration is possible and to provide a how to guide on setting it up. Its not meant for production design and does not address things like high availability and separation of duties. Production designs require planning for people, process and technology.
  • Symantec VIP and and CentOS are registered trademarks of their respective owners.
  • The versions of software used in this guide work together. There is no guarantee that future versions of the software released by the vendors will be compatible for this integration. Its always best practice to test new versions of software.

Lets get started. We are going to pick up right where we left off on part I of this series.


  1. Setup and configure the Symantec VIP Enterprise Gateway


Before you integrate PAM with Symantec VIP for MFA, you must install and configure Symantec VIP Enterprise Gateway. In general, you must complete the following steps: 

  • Install Symantec VIP Enterprise Gateway. For installation procedures, refer to VIP Enterprise Gateway Installation and Configuration Guide (VIPEG98InstallAndConfig.pdf).
  • The installation and configuration guide can be found in the Accounts section of the VIP Manager page. Click on the Download Files link on the right side of the page and find the document “VIP Enterprise Gateway Installation and Configuration Guide”. 8.png






  • After you click Download Files, you will see a folder for Enterprise Gateway. Click on that link.9.png






  • I am using the latest version in this guide (9.8). Click on that link.10.png





  • On the next page, you have a copy of the Install and Configuration guide (VIPEG98InstallAndConfig.pdf) and you can also download the bits for your install. I am installing on Windows for this guide.11.png





  • You will then download the Symantec VIP Enterprise Gateway and install it using the instructions in the guide.
  • Rather than re-writing all the instructions that are clearly laid out by Symantec, I am going to reference the Symantec Install and Configuration guide “VIPEG98InstallAndConfig.pdf” for Enterprise Gateway version 9.8. This file has been attached to this blog post.
  • Make sure you check the Hardware and Software requirements to ensure your test server for the Enterprise Gateway meets the minimum requirements. For my test environment, I installed the Gateway on a Windows 2012 Server that is running in a virtual environment.
  • Next, review the “Before you Start” section in the install and configuration guide. Specifically, for Windows, you need to install the gateway with administrative privileges.
  • Next, follow the steps in the “Installing VIP Enterprise Gateway on Windows” on page 10 of the pdf. NOTE: In step 6 you will be creating a local administrator account for the Enterprise Gateway. Keep the credentials for this account handy because you need to use them again later.
  • At the end of the installation of the Enterprise Gateway, you will get a message like the below from the installer:12.png





  • You can click “Finish” and keep the “Launch the Configuration Console” checked.
  • NOTE: The following url can be used to launch the configuration console (keep this handy because there is no application shortcut installed).


  • Once the configuration console is launched and you will be asked to login with an administrator account. You will need the account credentials you created during the Symantec VIP Enterprise Gateway installation wizard.


  1. Configure the RADIUS validation service on the Symantec VIP Enterprise Gateway.

Now that you have the Symantec VIP Enterprise Gateway installed, it is time to configure the gateway to talk to the VIP Manager (hosted in the cloud) and ensure the RADIUS validation service is running.

  • The first step (after logging in to the Symantec VIP Enterprise Gateway) is to configure the trust between the Symantec VIP Enterprise Gateway and the VIP Manager service. The certificate has already been added in my environment but setting up the trust is straightforward.
  • First go to the VIP Manager service and sign in with your username, password, and OTP. Go to Account and then look for “Manage VIP Certificates”13.png





  • I already have a certificate requested named “demoVIP” but you can request a new certificate and make note of the name.
  • Once you have requested and received the certificate, you can come back to this page and click on the link for Certificate Download Page:14.png





  • On this page, you can select “PKCS12” as your certificate format and password protect the certificate before clicking on the Download Certificate Button.15.png





  • Save the *.p12 certificate file on your file system where you can use it on your Symantec VIP Enterprise Gateway. On your Symantec VIP Enterprise Gateway, go to the home screen and find the section for managing your VIP Manager certificates.16.png





  • On the VIP certificates screen, you can click “Add VIP Certificate” to add your VIP manager certificate (the pkcs12 file you downloaded) to the Symantec VIP Enterprise Gateway. Now you have established trust between your Symantec VIP Enterprise Gateway and the Symantec VIP Manager in the cloud.
  • Once you are done you will see something like below showing the VIP certificate that is in place and how long it is valid.17.png





  • Next we are going to add the Validation server as follows:
  • Log in to Symantec VIP Enterprise Gateway and click the Validation 18.png





  • Click Add Server. The Add RADIUS Validation server dialog box is displayed. Select the items shown below:19.png





  • Press Continue. On the next screen, enter a name for the Unix system that you are securing with PAM (in my case its engcen6). Also, enter in the details for that server such as its up address, RADIUS port being used, and the shared secret that will be used to secure the RADIUS traffic. NOTE: keep account of the shared secret as you will need it later.20.png





  • Submit and make sure the RADIUS validation services are running and ON.


We now have Symantec VIP Manager configured and we have the Symantec VIP Enterprise Gateway configured. This concludes Part II of this article. In Part III of this article, we will configure our target system to use the VIP integration module for PAM to communicate with the Validation Service using the RADIUS protocol. Additionally, we will tweak the PAM modules to configure them to work with Symantec VIP and Centrify so that we can leverage AD based authentication as well as MFA through the VIP service.


Part III will cover the following:

  • Configure the Symantec VIP and Centrify PAM modules. 
  • Configure SSH to leverage the Symantec VIP PAM module and Centrify PAM module for authentication and MFA. 
  • Testing the Configuration
  • Conclusion

To continue to Part III, go here.