5.2. Import tokens

When you are using preseeded hardware tokens, where the seed was implanted in the factory, you will also get a file, that contains the serial numbers of the tokens and the corresponding seeds.

Warning

Please assure that no unauthorized person gets possession on those seeds.

LinOTP can import many different seed files directly by using the Web management client.

The Web management client can import:

  • Aladdin/SafeNet XML files

  • OATH compliant PSKC files

  • simple CSV files for OATH (HOTP and TOTP) tokens

  • KeyIdentity Day Password Token (so called “Tagespasswort”)

  • Yubico YubiKey CSV

  • eToken DAT file

  • Feitian XML files

  • Vasco DPX files

Note

If some very special file format is not supported it can be converted before importing the data.

5.2.1. Importing tokens with the Web UI

The Web management client can import different token files. Log in to the Web interface: http://YOURLINOTPSERVER/manage and click on “Import Token File” as shown below.

../../_images/import-web1.png

Importing token files with the Web management client

From the dropdown menu you can choose, which type of token file you wish to import.

5.2.1.1. Importing PSKC files

PSKC (Portable Symmetric Key Container) is defined in RFC 6030 1 and is used for OATH compliant tokens. OATH is the Initiative for Open Authentication where several vendors meet to use and define open standards to make strong authentication simpler and more compatible.

Note

If a token vendor claims to sell you OATH compliant tokens the vendor must deliver you a compatible PSKC file.

../../_images/import-pskc1.png

Import PSKC key file

The PSKC file can contain HOTP or TOTP tokens and the seeds in the file can either be plain text or encrypted with a password or a preshared key.

The OATH standard also defines that the serial numbers of the tokens have to follow a certain naming scheme. Some vendors do not use this scheme, so you either check or uncheck the checkbox Check the serial numbers for OATH compliance.

If you check this checkbox, tokens with non-compliant serial number will not be imported.

In the drop-down box you can choose if the seeds in the PSKC file are plain value, password protected or encrypted with a preshared key. An input field will appear, where you can enter the password or the preshared key.

1

http://tools.ietf.org/html/rfc6030

5.2.1.2. Importing OATH CSV files

This import dialog can be used to import OATH tokens, that do not provide a PSKC file.

The seeds can be stored in a simple comma separated file.

../../_images/import-oath1.png

Import OATH CSV token file

The fields in the CSV file need to be

  • serial number

  • seed

  • type (optional, default=hotp)

  • OTP length (optional, default=6)

  • time step (optional, default=30)

Note

Depending on the length of the seed the token is either imported as an HMAC-SHA1 (40 characters = 160 bit) or an HMAC-SHA256 (64 characters = 256 bit) token.

The file can contain different types of tokens at the same time. So a valid file might look like this:

TS000001, 1f6aeda29fed39a8e2c3fe45c954d9ba93a14af4
TS000002, e3a391658226f63153443bb03a365eb962e1775b, hotp, 8
TS000003, bd15fb2b2c84a3ce56670fe0062b7369a0b8f4d4, totp, 6
TS000004, 881c7498360553b0e51a677ad7daa41b3b390ad5, totp, 8, 60
TS000005, 0eb6597f402151f97726208dc7e94bd541ff56b5a3ff63003c8ff0b6049185d7

The token TS000001 will be imported as a SHA1 HOTP token with 6 digits.

The token TS000002 will be imported as a SHA1 HOTP token with 8 digits.

The token TS000003 will be imported as a SHA1 TOTP token with 6 digits and a time step of 30 seconds.

The token TS000004 will be imported as a SHA1 TOTP token with 8 digits and a time step of 60 seconds.

The token TS000005 will be imported as a SHA256 HOTP token with 6 digits.

5.2.1.3. Importing Tagespasswort files

The Tagespasswort token is a token that displays a password valid for one day. I.e. the user can use this password several times to authenticate during this day. It will change on the next day.

../../_images/import-tagespasswort1.png

Import Tagespasswort token file

The file format is fairly simple and just consist of one token per line with the serial number and the seed divided by white spaces.

5.2.1.4. Import Vasco DPX files

../../_images/import-dpx.png

Import Vasco dpx file

You can import the proprietary Vasco DPX file for the Vasco Digipass tokens.

To import the DPX file and use the Vasco tokens you need to license the Vasco vacman controller library and install it on the LinOTP server.

  • Install the vacman controller library aal2sdk on your system.

  • Locate the shared object file, it might reside at /opt/vasco/VACMAN_Controller-3.11.2/lib/libaal2sdk.so.

  • Now you need to set the variable linotpImport.vasco_dll=/opt/vasco/VACMAN_Controller-3.11.2/lib/libaal2sdk.so in the DEFAULT section in your linotp.ini file.

  • Restart your LinOTP.