.. _importtokens:

Import tokens
-------------

.. index:: Preseeded hardware tokens, hardware tokens, Import tokens

When you are using preseeded hardware tokens, where the seed was
implanted in the factory, you will also get a file that contains
the serial numbers of the tokens and the corresponding seeds.

.. WARNING:: Please ensure that no unauthorized person gains
   possession of those seeds.

LinOTP can import many different seed files directly.

The GTK management client can import Aladdin/SafeNet XML files.

The Web management client can import

* Aladdin/SafeNet XML files,
* OATH compliant PSKC files,
* simple CSV files for OATH (HOTP and TOTP) tokens
* and Vasco DPX files.

.. note:: If some very special file format is not supported, it
   can be converted before importing the data.

.. note:: SafeNet tokens are often delivered with a .dat file.
   This file can be converted with the LinOTP tool ``convert-token.pl``.

Importing tokens with the GTK client
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. figure:: images/import.png

   *Importing Aladdin XML files with the GTK client*

To import a file in the GTK client do the following:

1. Click the button “import tokenfile” in the lower left corner of the main window.
2. A file selection dialog will pop up. Choose the corresponding file.
3. The progress of the import will be displayed and the tokens will be listed
   in the tab “Token” of the main window.

Importing tokens with the Web UI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Web management client can import more token file formats.

.. figure:: images/import-web.png

   *Importing token files with the Web management client*

From the dropdown menu you can choose which type of token file you wish
to import.

Importing PSKC files
....................

PSKC (Portable Symmetric Key Container) is defined in RFC 6030 [#rfc6030]_
and is used for OATH compliant tokens.
OATH is the Initiative for Open Authentication where several vendors
meet to use and define open standards to make strong authentication
simpler and more compatible.

.. note:: If a token vendor claims to sell you OATH compliant tokens,
   the vendor must deliver you a compatible PSKC file.

.. figure:: images/import-pskc.png

The PSKC file can contain HOTP or TOTP tokens and the seeds in the file
can either be plain text or encrypted with a password or a preshared key.

The OATH standard also defines that the serial numbers of the tokens have
to follow a certain naming scheme. Some vendors do not use this scheme, so
you can either check or uncheck the checkbox
``Check the serial numbers for OATH compliance``.
If you check this checkbox, tokens with non-compliant serial numbers will not
be imported.

In the dropdown box you can choose if the seeds in the PSKC file are
``plain value``, ``password protected`` or encrypted with a ``preshared key``.
An input field will appear, where you can enter the password or the
preshared key.

.. [#rfc6030] http://tools.ietf.org/html/rfc6030

Importing OATH CSV files
........................

This import dialog can be used to import OATH tokens that do not come with
a PSKC file. The seeds can be stored in a simple comma separated file.

.. figure:: images/import-oath.png

The fields in the CSV file need to be

* serial number,
* seed,
* type (optional, default=hotp),
* OTP length (optional, default=6),
* time step (optional, default=30).

.. note:: Depending on the length of the seed the token is either
   imported as an HMAC-SHA1 (40 characters = 160 bit) or an
   HMAC-SHA256 (64 characters = 256 bit) token.

The file can contain different types of tokens at the same time.
So a valid file might look like this::

   TS000001, 1f6aeda29fed39a8e2c3fe45c954d9ba93a14af4
   TS000002, e3a391658226f63153443bb03a365eb962e1775b, hotp, 8
   TS000003, bd15fb2b2c84a3ce56670fe0062b7369a0b8f4d4, totp, 6
   TS000004, 881c7498360553b0e51a677ad7daa41b3b390ad5, totp, 8, 60
   TS000005, 0eb6597f402151f97726208dc7e94bd541ff56b5a3ff63003c8ff0b6049185d7

The token TS000001 will be imported as a SHA1 HOTP token with 6 digits.
The token TS000002 will be imported as a SHA1 HOTP token with 8 digits.
The token TS000003 will be imported as a SHA1 TOTP token with 6 digits
and a time step of 30 seconds.
The token TS000004 will be imported as a SHA1 TOTP token with 8 digits
and a time step of 60 seconds.
The token TS000005 will be imported as a SHA256 HOTP token with 6 digits.

Importing Tagespasswort files
.............................

The *Tagespasswort* token is a token that displays a password valid for
one day, i.e. the user can use this password several times to authenticate
during this day. It will change on the next day.

.. figure:: images/import-tagespasswort.png

The file format is fairly simple and just consists of one token per line, with
the serial number and the seed separated by white space.

Import Vasco DPX files
......................

.. index:: Vasco Digipass

.. figure:: images/import-dpx.png

You can import the proprietary Vasco DPX file for the Vasco Digipass tokens.
To import the DPX file and use the Vasco tokens you need to license the
Vasco vacman controller library and install it on the LinOTP server.

* Install the vacman controller library ``aal2sdk`` on your system.
* Locate the shared object file; it might reside at
  ``/opt/vasco/VACMAN_Controller-3.11.2/lib/libaal2sdk.so``.
* Now you need to set the variable
  ``linotpImport.vasco_dll=/opt/vasco/VACMAN_Controller-3.11.2/lib/libaal2sdk.so``
  in the DEFAULT section in your ``linotp.ini`` file.
* Restart your LinOTP.
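
The OATH CSV rules from *Importing OATH CSV files* (field order, defaults, and the seed length selecting the hash) can be checked before a file is uploaded. The following Python check is an added example, not LinOTP code; the function name ``parse_oath_csv`` and the error texts are assumptions. It reports line numbers only, so seeds never end up in its output.

```python
import csv
import io
import re

HASH_BY_SEED_LEN = {40: "sha1", 64: "sha256"}  # hex characters -> HMAC hash

def parse_oath_csv(text):
    """Return (tokens, errors); errors hold line numbers only, never seeds."""
    tokens, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in row]
        if not any(fields):
            continue  # blank line
        if not 2 <= len(fields) <= 5 or not fields[0]:
            errors.append((lineno, "need serial, seed and at most 3 options"))
            continue
        serial, seed = fields[:2]
        # Pad the optional columns, then apply the documented defaults.
        ttype, otplen, step = (fields[2:] + ["", "", ""])[:3]
        ttype = (ttype or "hotp").lower()
        if not re.fullmatch(r"[0-9a-fA-F]+", seed) or len(seed) not in HASH_BY_SEED_LEN:
            errors.append((lineno, "seed must be 40 or 64 hex characters"))
        elif ttype not in ("hotp", "totp"):
            errors.append((lineno, "type must be hotp or totp"))
        elif not (otplen or "6").isdecimal() or not (step or "30").isdecimal():
            errors.append((lineno, "OTP length and time step must be numbers"))
        else:
            tokens.append({
                "serial": serial,
                "hash": HASH_BY_SEED_LEN[len(seed)],
                "type": ttype,
                "otplen": int(otplen or 6),
                "timestep": int(step or 30) if ttype == "totp" else None,
            })
    return tokens, errors

# The five rows from the CSV example on this page plus two constructed bad rows.
SAMPLE = """\
TS000001, 1f6aeda29fed39a8e2c3fe45c954d9ba93a14af4
TS000002, e3a391658226f63153443bb03a365eb962e1775b, hotp, 8
TS000003, bd15fb2b2c84a3ce56670fe0062b7369a0b8f4d4, totp, 6
TS000004, 881c7498360553b0e51a677ad7daa41b3b390ad5, totp, 8, 60
TS000005, 0eb6597f402151f97726208dc7e94bd541ff56b5a3ff63003c8ff0b6049185d7
TS000006, 1f6aeda29fed39a8
TS000007, not-a-hex-seed, totp
"""

if __name__ == "__main__":
    print(*parse_oath_csv(SAMPLE), sep="\n")
```
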