.. _importtokens:

Import tokens
-------------

.. index:: Preseeded hardware tokens, hardware tokens, Import tokens

When you are using preseeded hardware tokens, where the seed was implanted in the factory, you will also receive a file that contains the serial numbers of the tokens and the corresponding seeds.

.. WARNING::
   Please ensure that no unauthorized person gains possession of those seeds. Whoever holds a seed can compute valid OTP values for that token, so store the file encrypted and destroy it once the import is done.

LinOTP can import many different seed files directly using the Web management client. The Web management client can import:

* Aladdin/SafeNet XML files
* OATH compliant PSKC files
* simple CSV files for OATH (HOTP and TOTP) tokens
* KeyIdentity Day Password Token (so called "Tagespasswort")
* Yubico YubiKey CSV
* eToken DAT file
* Feitian XML files
* Vasco DPX files

.. note::
   If a very special file format is not supported, the data can be converted to one of the supported formats before importing.

Importing tokens with the Web UI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Web management client can import different token files. Log in to the Web interface: http://YOURLINOTPSERVER/manage and click on "Import Token File" as shown below. Since the seed file is uploaded through this interface, make sure the management interface is served over HTTPS.

.. figure:: images/import-web1.png
   :width: 100%

   *Importing token files with the Web management client*

From the dropdown menu you can choose which type of token file you wish to import.

Importing PSKC files
....................

PSKC (Portable Symmetric Key Container) is defined in RFC 6030 [#rfc6030]_ and is used for OATH compliant tokens. OATH is the Initiative for Open Authentication, where several vendors meet to use and define open standards to make strong authentication simpler and more compatible.

.. note::
   If a token vendor claims to sell you OATH compliant tokens, the vendor must deliver a compatible PSKC file.

.. figure:: images/import-pskc1.png
   :width: 70%

   *Import PSKC key file*

The PSKC file can contain HOTP or TOTP tokens, and the seeds in the file can either be plain text or encrypted with a password or a preshared key.
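The plain-value case of such a file can be inspected before it is uploaded. The following Python is an added example written for this page, not LinOTP's own importer: it walks the RFC 6030 structure (``KeyContainer`` / ``KeyPackage`` / ``DeviceInfo`` / ``Key``), maps the HOTP and TOTP algorithm URIs to token types, decodes the base64 seed, and refuses containers that carry an ``EncryptionKey`` or ``EncryptedValue``, which is what the password protected and preshared key options in the dialog are for. The sample container is constructed, the rule that a 20-byte seed means HMAC-SHA1 and a 32-byte seed HMAC-SHA256 is borrowed from what the page states for CSV seeds, and the OATH serial number compliance check is not implemented.

```python
"""Parse a plain-value PSKC file (RFC 6030) into token records.

Added example for this page; not LinOTP's importer. Only <PlainValue>
secrets are handled; protected containers are reported, not decrypted.
"""
import base64
import xml.etree.ElementTree as ET  # vendor XML is untrusted input: use defusedxml in production

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
NS = {"pskc": PSKC_NS}
ALGORITHMS = {PSKC_NS + ":hotp": "hotp", PSKC_NS + ":totp": "totp"}  # RFC 6030 section 10 URIs
HASH_BY_SEED_BYTES = {20: "sha1", 32: "sha256"}  # assumption: same seed-length rule as the CSV import

# Constructed sample: one HOTP and one TOTP token. The seed is the RFC 4226
# test key "12345678901234567890" in base64 (a 20-byte, i.e. SHA1, seed).
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo><Manufacturer>Example</Manufacturer><SerialNo>TS000001</SerialNo></DeviceInfo>
    <Key Id="TS000001" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <DeviceInfo><Manufacturer>Example</Manufacturer><SerialNo>TS000002</SerialNo></DeviceInfo>
    <Key Id="TS000002" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="8" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <TimeInterval><PlainValue>60</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""

# Constructed container protected with a preshared key (an EncryptionKey element is present).
ENCRYPTED_PSKC = ('<KeyContainer Version="1.0" xmlns="%s"><EncryptionKey/>'
                  '<KeyPackage/></KeyContainer>' % PSKC_NS)


def pskc_is_protected(xml_text):
    """True if the container carries XML Encryption material, i.e. seeds are not plain values."""
    root = ET.fromstring(xml_text)
    return (root.find(".//pskc:EncryptionKey", NS) is not None
            or root.find(".//pskc:EncryptedValue", NS) is not None)


def _plain(key, name, default=None):
    """Text of <Data><name><PlainValue> under a <Key>, or `default` if absent."""
    node = key.find("pskc:Data/pskc:%s/pskc:PlainValue" % name, NS)
    return default if node is None or node.text is None else node.text.strip()


def parse_pskc(xml_text):
    """Return token dicts: serial, type, seed (hex), hash, otplen and counter or timestep."""
    if pskc_is_protected(xml_text):
        raise ValueError("protected PSKC: select 'password protected' or 'preshared key' and supply it")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}KeyContainer" % PSKC_NS:
        raise ValueError("not a PSKC KeyContainer")
    tokens = []
    for package in root.findall("pskc:KeyPackage", NS):
        key = package.find("pskc:Key", NS)
        if key is None:
            continue
        serial_node = package.find("pskc:DeviceInfo/pskc:SerialNo", NS)
        serial = serial_node.text.strip() if serial_node is not None and serial_node.text else key.get("Id")
        typ = ALGORITHMS.get(key.get("Algorithm", ""))
        if typ is None:
            raise ValueError("%s: unsupported algorithm %r" % (serial, key.get("Algorithm")))
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", NS)
        otplen = int(fmt.get("Length", "6")) if fmt is not None else 6
        secret_b64 = _plain(key, "Secret")
        if secret_b64 is None:
            raise ValueError("%s: no plain-value Secret" % serial)
        seed = base64.b64decode(secret_b64, validate=True)
        hash_alg = HASH_BY_SEED_BYTES.get(len(seed))
        if hash_alg is None:
            raise ValueError("%s: unexpected seed length %d bytes" % (serial, len(seed)))
        token = {"serial": serial, "type": typ, "seed": seed.hex(), "hash": hash_alg, "otplen": otplen}
        if typ == "hotp":
            token["counter"] = int(_plain(key, "Counter", "0"))
        else:
            token["timestep"] = int(_plain(key, "TimeInterval", "30"))
        tokens.append(token)
    return tokens


if __name__ == "__main__":
    for token in parse_pskc(SAMPLE_PSKC):
        print(token)
```

Running the parser over the vendor file shows exactly which serials, OTP lengths and time steps the import will create, which is worth comparing against the delivery note before the upload.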
The OATH standard also defines that the serial numbers of the tokens have to follow a certain naming scheme. Some vendors do not use this scheme, so you can either check or uncheck the checkbox ``Check the serial numbers for OATH compliance``. If you check this checkbox, tokens with a non-compliant serial number will not be imported.

In the drop-down box you can choose whether the seeds in the PSKC file are ``plain value``, ``password protected`` or encrypted with a ``preshared key``. An input field will appear where you can enter the password or the preshared key.

.. [#rfc6030] http://tools.ietf.org/html/rfc6030

Importing OATH CSV files
........................

This import dialog can be used to import OATH tokens that do not come with a PSKC file. The seeds can be stored in a simple comma separated file.

.. figure:: images/import-oath1.png
   :width: 70%

   *Import OATH CSV token file*

The fields in the CSV file need to be

* serial number
* seed (hexadecimal)
* type (optional, default=hotp)
* OTP length (optional, default=6)
* time step (optional, default=30)

.. note::
   Depending on the length of the seed the token is either imported as an HMAC-SHA1 (40 hex characters = 160 bit) or an HMAC-SHA256 (64 hex characters = 256 bit) token.

The file can contain different types of tokens at the same time. So a valid file might look like this::

    TS000001, 1f6aeda29fed39a8e2c3fe45c954d9ba93a14af4
    TS000002, e3a391658226f63153443bb03a365eb962e1775b, hotp, 8
    TS000003, bd15fb2b2c84a3ce56670fe0062b7369a0b8f4d4, totp, 6
    TS000004, 881c7498360553b0e51a677ad7daa41b3b390ad5, totp, 8, 60
    TS000005, 0eb6597f402151f97726208dc7e94bd541ff56b5a3ff63003c8ff0b6049185d7

The token TS000001 will be imported as a SHA1 HOTP token with 6 digits. The token TS000002 will be imported as a SHA1 HOTP token with 8 digits. The token TS000003 will be imported as a SHA1 TOTP token with 6 digits and a time step of 30 seconds. The token TS000004 will be imported as a SHA1 TOTP token with 8 digits and a time step of 60 seconds.
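The rules above (field order, defaults and the seed-length rule) are enough to validate such a file before it is uploaded. The following Python is an added example written for this page, not LinOTP's importer: it parses the five sample lines plus two constructed bad lines (a non-hex seed and a duplicate serial), applies the defaults, picks SHA1 or SHA256 from the seed length, and reports rejected lines with their line numbers. The error messages, the duplicate-serial check and the requirement of at least six digits (the RFC 4226 minimum) are the example's own choices, not documented LinOTP behaviour.

```python
"""Parse and validate the OATH CSV seed format: serial, seed[, type[, otplen[, timestep]]].

Added example for this page; not LinOTP's importer.
"""
import csv
import io

HASH_BY_SEED_LEN = {40: "sha1", 64: "sha256"}  # hex characters: 160-bit / 256-bit seed

# The five sample lines from this page, followed by two constructed bad lines:
# a seed that is not hexadecimal and a repeated serial number.
SAMPLE_CSV = """TS000001, 1f6aeda29fed39a8e2c3fe45c954d9ba93a14af4
TS000002, e3a391658226f63153443bb03a365eb962e1775b, hotp, 8
TS000003, bd15fb2b2c84a3ce56670fe0062b7369a0b8f4d4, totp, 6
TS000004, 881c7498360553b0e51a677ad7daa41b3b390ad5, totp, 8, 60
TS000005, 0eb6597f402151f97726208dc7e94bd541ff56b5a3ff63003c8ff0b6049185d7
TS000006, not-a-hex-seed
TS000001, 1f6aeda29fed39a8e2c3fe45c954d9ba93a14af4
"""


def _parse_row(row):
    """Validate one CSV row and return a token dict; raise ValueError on bad input."""
    if not 2 <= len(row) <= 5:
        raise ValueError("expected 2 to 5 fields, got %d" % len(row))
    serial, seed = row[0], row[1].lower()
    typ = row[2].lower() if len(row) > 2 and row[2] else "hotp"   # page default
    otplen = int(row[3]) if len(row) > 3 and row[3] else 6         # page default
    timestep = int(row[4]) if len(row) > 4 and row[4] else 30      # page default
    if not serial:
        raise ValueError("empty serial number")
    try:
        bytes.fromhex(seed)
    except ValueError:
        raise ValueError("seed is not hexadecimal") from None
    hash_alg = HASH_BY_SEED_LEN.get(len(seed))
    if hash_alg is None:
        raise ValueError("seed must be 40 or 64 hex characters, got %d" % len(seed))
    if typ not in ("hotp", "totp"):
        raise ValueError("unknown token type %r" % typ)
    if otplen < 6:  # RFC 4226 requires at least 6 digits
        raise ValueError("OTP length must be at least 6")
    if timestep <= 0:
        raise ValueError("time step must be positive")
    token = {"serial": serial, "seed": seed, "type": typ, "otplen": otplen, "hash": hash_alg}
    if typ == "totp":
        token["timestep"] = timestep
    return token


def parse_oath_csv(text):
    """Return (tokens, errors); errors is a list of (line number, message) for rejected lines."""
    tokens, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, 1):
        row = [field.strip() for field in row]
        if not any(row):
            continue  # blank line
        try:
            token = _parse_row(row)
            if token["serial"] in seen:
                raise ValueError("duplicate serial %s" % token["serial"])
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        seen.add(token["serial"])
        tokens.append(token)
    return tokens, errors


if __name__ == "__main__":
    good, bad = parse_oath_csv(SAMPLE_CSV)
    for token in good:
        print(token)
    for lineno, message in bad:
        print("line %d rejected: %s" % (lineno, message))
```

Anything listed in ``errors`` should be clarified with the vendor before the upload; a wrong seed length or type silently produces a token that will never validate.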
The token TS000005 will be imported as a SHA256 HOTP token with 6 digits.

Importing Tagespasswort files
.............................

The *Tagespasswort* token is a token that displays a password valid for one day, i.e. the user can use this password several times to authenticate during that day. It will change on the next day.

.. figure:: images/import-tagespasswort1.png
   :width: 70%

   *Import Tagespasswort token file*

The file format is fairly simple and just consists of one token per line, with the serial number and the seed separated by whitespace.

Import Vasco DPX files
......................

.. index:: Vasco Digipass

.. figure:: images/import-dpx.png
   :width: 70%

   *Import Vasco dpx file*

You can import the proprietary Vasco DPX file for the Vasco Digipass tokens. To import the DPX file and use the Vasco tokens you need to license the Vasco vacman controller library and install it on the LinOTP server.

* Install the vacman controller library `aal2sdk` on your system.
* Locate the shared object file; it might reside at `/opt/vasco/VACMAN_Controller-3.11.2/lib/libaal2sdk.so`.
* Set the variable `linotpImport.vasco_dll=/opt/vasco/VACMAN_Controller-3.11.2/lib/libaal2sdk.so` in the DEFAULT section of your `linotp.ini` file.
* Restart LinOTP.