5.2. Import tokens¶
When you are using preseeded hardware tokens, where the seed was implanted in the factory, you will also receive a file that contains the serial numbers of the tokens and the corresponding seeds.
Warning
Please ensure that no unauthorized person gains possession of those seeds. Anyone who holds a seed can compute the same OTP values as the token itself, so treat the seed file as a secret: transfer it only over an encrypted channel, restrict its file permissions, and delete it securely once the import has completed.
LinOTP can import many different seed files directly by using the Web management client.
The Web management client can import:
Aladdin/SafeNet XML files
OATH compliant PSKC files
simple CSV files for OATH (HOTP and TOTP) tokens
KeyIdentity Day Password Token (so called “Tagespasswort”)
Yubico YubiKey CSV
eToken DAT file
Feitian XML files
Vasco DPX files
Note
If an unusual file format is not supported, the data can be converted to one of the supported formats (for example the simple OATH CSV format) before importing it.
5.2.1. Importing tokens with the Web UI¶
The Web management client can import different token files. Log in to the Web interface at http://YOURLINOTPSERVER/manage and click on “Import Token File” as shown below. Since the seed file is uploaded through this interface, make sure the management interface is reached over HTTPS only.
From the dropdown menu you can choose, which type of token file you wish to import.
5.2.1.1. Importing PSKC files¶
PSKC (Portable Symmetric Key Container) is defined in RFC 6030 and is used for OATH compliant tokens. OATH is the Initiative for Open Authentication, where several vendors meet to use and define open standards that make strong authentication simpler and more interoperable.
Note
If a token vendor claims to sell OATH compliant tokens, the vendor must be able to deliver a compatible PSKC file.
The PSKC file can contain HOTP or TOTP tokens, and the seeds in the file can either be in plain text or be encrypted with a password or a preshared key. Prefer the encrypted variants whenever the vendor offers them, so that a copy of the file alone does not reveal the seeds.
The OATH standard also defines that the serial numbers of the tokens have to follow a certain naming scheme. Some vendors do not use this scheme, so you can either check or uncheck the checkbox Check the serial numbers for OATH compliance. If you check this checkbox, tokens with non-compliant serial numbers will not be imported.
In the drop-down box you can choose whether the seeds in the PSKC file are plain value, password protected or encrypted with a preshared key. For the latter two, an input field will appear where you can enter the password or the preshared key.
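The following is an added example and not part of LinOTP or of this documentation. It shows what the import step has to extract from a plain-value PSKC file: the serial number, the base64-encoded seed, the OATH algorithm, the OTP length and the counter or time step. It then verifies the seed by computing the first HOTP value, which is the check a practitioner can run against a token before importing a whole batch. The sample document below is constructed for this example and modelled on the HOTP example in RFC 6030 section 3; its seed is the RFC 4226 test key, so the expected OTP values are known. Files whose seeds carry an EncryptedValue instead of a PlainValue are rejected with a clear message, because they have to be decrypted with the vendor's password or preshared key first.

```python
import base64
import hmac
import struct
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
ALGORITHMS = {
    "urn:ietf:params:xml:ns:keyprov:pskc:hotp": "hotp",
    "urn:ietf:params:xml:ns:keyprov:pskc:totp": "totp",
}

# Constructed sample, modelled on the RFC 6030 section 3 HOTP example.
# The secret decodes to "12345678901234567890", the RFC 4226 test key.
SAMPLE_PSKC = """<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" Id="exampleID1"
    xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Manufacturer</Manufacturer>
      <SerialNo>987654321</SerialNo>
    </DeviceInfo>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters>
        <ResponseFormat Length="8" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def _tag(name):
    return "{%s}%s" % (PSKC_NS, name)


def _plain_int(data, name, default):
    """Read Data/<name>/PlainValue as an integer, or return the default."""
    el = data.find("./%s/%s" % (_tag(name), _tag("PlainValue")))
    return int(el.text.strip()) if el is not None and el.text else default


def parse_pskc(xml_text):
    """Return a list of token dicts from a PSKC document with plain-value seeds."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("KeyContainer"):
        raise ValueError("not a PSKC KeyContainer: %s" % root.tag)
    tokens = []
    for pkg in root.iter(_tag("KeyPackage")):
        key = pkg.find(_tag("Key"))
        if key is None:
            continue
        algo = ALGORITHMS.get(key.get("Algorithm"))
        if algo is None:
            raise ValueError("unsupported algorithm %r" % key.get("Algorithm"))
        data = key.find(_tag("Data"))
        secret = data.find(_tag("Secret")) if data is not None else None
        plain = secret.find(_tag("PlainValue")) if secret is not None else None
        if plain is None or not plain.text:
            # EncryptedValue (password / preshared key) must be decrypted first.
            raise ValueError("key %s: seed is encrypted or missing" % key.get("Id"))
        serial_el = pkg.find("./%s/%s" % (_tag("DeviceInfo"), _tag("SerialNo")))
        serial = serial_el.text.strip() if serial_el is not None else key.get("Id")
        fmt = key.find("./%s/%s" % (_tag("AlgorithmParameters"), _tag("ResponseFormat")))
        digits = int(fmt.get("Length", "6")) if fmt is not None else 6
        tokens.append({
            "serial": serial,
            "type": algo,
            "key": base64.b64decode(plain.text.strip()),
            "digits": digits,
            "counter": _plain_int(data, "Counter", 0),
            "timestep": _plain_int(data, "TimeInterval", 30),
        })
    return tokens


def hotp(key, counter, digits=6, hash_name="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hash_name).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


if __name__ == "__main__":
    for tok in parse_pskc(SAMPLE_PSKC):
        first = hotp(tok["key"], tok["counter"], tok["digits"])
        print(tok["serial"], tok["type"], tok["digits"], "first OTP:", first)
```

The first OTP of the sample token with 6 digits is 755224, the value listed for counter 0 in the RFC 4226 test vectors; with the 8-digit response format declared in the file it is 84755224. Comparing that value with what the physical token displays before a batch import catches a wrong or swapped seed file early.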
5.2.1.2. Importing OATH CSV files¶
This import dialog can be used to import OATH tokens, that do not provide a PSKC file.
The seeds can be stored in a simple comma separated file.
The fields in the CSV file are, in this order:
serial number
seed
type (optional, default=hotp)
OTP length (optional, default=6)
time step (optional, default=30)
Note
Depending on the length of the hex-encoded seed the token is either imported as an HMAC-SHA1 (40 hex characters = 160 bit) or an HMAC-SHA256 (64 hex characters = 256 bit) token.
The file can contain different types of tokens at the same time. So a valid file might look like this:
TS000001, 1f6aeda29fed39a8e2c3fe45c954d9ba93a14af4
TS000002, e3a391658226f63153443bb03a365eb962e1775b, hotp, 8
TS000003, bd15fb2b2c84a3ce56670fe0062b7369a0b8f4d4, totp, 6
TS000004, 881c7498360553b0e51a677ad7daa41b3b390ad5, totp, 8, 60
TS000005, 0eb6597f402151f97726208dc7e94bd541ff56b5a3ff63003c8ff0b6049185d7
The token TS000001 will be imported as a SHA1 HOTP token with 6 digits.
The token TS000002 will be imported as a SHA1 HOTP token with 8 digits.
The token TS000003 will be imported as a SHA1 TOTP token with 6 digits and a time step of 30 seconds.
The token TS000004 will be imported as a SHA1 TOTP token with 8 digits and a time step of 60 seconds.
The token TS000005 will be imported as a SHA256 HOTP token with 6 digits.
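As an added example that is not part of LinOTP, the parser below reads the CSV format described above: it applies the defaults for the optional fields, infers the HMAC hash from the seed length as the note explains, and rejects lines that would otherwise be imported with a silently wrong seed (non-hex characters, a seed that is neither 160 nor 256 bit, an unknown token type, or a duplicate serial number). The restriction to 6 or 8 digits and a positive time step is this example's own validation and an assumption, not a rule stated on this page. The sample input is the five lines shown above.

```python
import csv
import io

# hex length of the seed -> HMAC hash, as stated in the note above
HASH_BY_SEED_LEN = {40: "sha1", 64: "sha256"}
TOKEN_TYPES = ("hotp", "totp")

# The five sample lines from the documentation, used here as test input.
SAMPLE_CSV = """\
TS000001, 1f6aeda29fed39a8e2c3fe45c954d9ba93a14af4
TS000002, e3a391658226f63153443bb03a365eb962e1775b, hotp, 8
TS000003, bd15fb2b2c84a3ce56670fe0062b7369a0b8f4d4, totp, 6
TS000004, 881c7498360553b0e51a677ad7daa41b3b390ad5, totp, 8, 60
TS000005, 0eb6597f402151f97726208dc7e94bd541ff56b5a3ff63003c8ff0b6049185d7
"""


def _field(fields, index, default):
    """Return fields[index] if present and non-empty, else the default."""
    return fields[index] if len(fields) > index and fields[index] else default


def parse_oath_csv(text):
    """Parse 'serial, seed[, type[, digits[, timestep]]]' lines into token dicts."""
    tokens = []
    seen = set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, 1):
        fields = [f.strip() for f in row]
        if not fields or not fields[0]:
            continue  # blank line
        if len(fields) < 2 or not fields[1]:
            raise ValueError("line %d: serial number and seed are required" % lineno)
        serial, seed = fields[0], fields[1].lower()
        if serial in seen:
            raise ValueError("line %d: duplicate serial %s" % (lineno, serial))
        try:
            key = bytes.fromhex(seed)
        except ValueError:
            raise ValueError("line %d: seed for %s is not hex" % (lineno, serial))
        hash_name = HASH_BY_SEED_LEN.get(len(seed))
        if hash_name is None:
            raise ValueError("line %d: seed for %s must be 40 or 64 hex chars, got %d"
                             % (lineno, serial, len(seed)))
        ttype = _field(fields, 2, "hotp").lower()
        if ttype not in TOKEN_TYPES:
            raise ValueError("line %d: unknown token type %r" % (lineno, ttype))
        digits = int(_field(fields, 3, "6"))
        timestep = int(_field(fields, 4, "30"))
        # Assumption of this example: only 6- or 8-digit OTPs and a positive time step.
        if digits not in (6, 8):
            raise ValueError("line %d: OTP length must be 6 or 8" % lineno)
        if timestep <= 0:
            raise ValueError("line %d: time step must be positive" % lineno)
        seen.add(serial)
        tokens.append({
            "serial": serial,
            "type": ttype,
            "hash": hash_name,
            "key": key,
            "digits": digits,
            # the time step only has meaning for TOTP tokens
            "timestep": timestep if ttype == "totp" else None,
        })
    return tokens


if __name__ == "__main__":
    for tok in parse_oath_csv(SAMPLE_CSV):
        print(tok["serial"], tok["type"], tok["hash"], tok["digits"], tok["timestep"])
```

Running the parser over the sample reproduces the five interpretations listed above, for example TS000004 as a SHA1 TOTP token with 8 digits and a 60 second time step and TS000005 as a SHA256 HOTP token with 6 digits. Running such a check before uploading the file through the Web UI means a malformed line fails on your workstation rather than half way through an import on the server.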
5.2.1.3. Importing Tagespasswort files¶
The Tagespasswort token is a token that displays a password valid for one day, i.e. the user can use this password several times to authenticate during that day. It changes on the next day.
The file format is fairly simple and consists of one token per line, with the serial number and the seed separated by white space.
5.2.1.4. Import Vasco DPX files¶
You can import the proprietary Vasco DPX file for the Vasco Digipass tokens.
To import the DPX file and use the Vasco tokens you need to license the Vasco vacman controller library and install it on the LinOTP server.
Install the vacman controller library aal2sdk on your system.
Locate the shared object file, it might reside at /opt/vasco/VACMAN_Controller-3.11.2/lib/libaal2sdk.so.
Now you need to set the variable linotpImport.vasco_dll=/opt/vasco/VACMAN_Controller-3.11.2/lib/libaal2sdk.so in the DEFAULT section in your linotp.ini file.
Restart LinOTP so that the setting takes effect.