Import hardware tokens

When you purchase OATH tokens, they are delivered with a key file (also called a seed file) that contains all OATH keys for the tokens. This OATH key file must be imported to the OTP Server database used to be able to assign the OATH key to specific users.

The OATH key file format must be one of the following:

  • Semicolon separated file.
  • PSKC format (RFC 6030) 
    • 

NOTE: PSKC RFC 6030 version 1.0 is the official version. RFC 6030 versions 1.1 and 1.2 are drafts and are not supported. 
    • NOTE: Token encryption with Pre-Shared-Key is supported. Other encryption methods are not supported.

Note:

Before you begin start by taking a full backup of the system

Prepare the system

Start by verifying that the two directories used for token import are present (otherwise create them):

  • <phenixid_server_root>/tokensin
  • <phenixid_server_root>/tokensout

Installing the import module

The hardware token import module will automatically be installed and activated when hardware tokens are enabled. There are two ways to enable hardware tokens:

  1. Enable hardware tokens from the application "MFA Admin"
  2. Enable hardware tokens from the application "Self Service"

Enabling hardware tokens can be done either when using the guide to activate the application for the first time, or from the edit view, see example for "MFA Admin" below:

Installing the import module

Importing tokens from PSKC file

Tokens are automatically imported. A token can only be imported once.

Place the import file in the <path_to_phenixid_server_root>/tokensin/ directory. Once processed it will be moved to <path_to_phenixid_server_root>/tokensout/.

Note: The file must have the extension .xml

Information regarding encrypted tokens in PSKC file

Many token vendors will send the PSKC file with encrypted data.

This means that we need a corresponding key file to decrypt the data, when doing the import.

The key file must be placed in the same directory as the PSKC file.

Make sure that the key file name is matched in the PSKC file.

Key file must contain only the key itself, not any additional text.

Example extracted from PSKC file:

<EncryptionKey>
<ds:KeyName>Pre-shared-key</ds:KeyName>
</EncryptionKey>

In this example the key file name MUST be "Pre-shared-key".

If this file is not in place or if the name does not match, the  import will fail and a message will be written to log, indicating that  the file cannot be found.

NOTE:

Other encrytion methods than Pre-shared-key, such as PassPhrase are not supported.

Using CSV as import file

For scenarios where token file format not complies with the PSKC 1.0 format it is possible to create a import file using CSV format. The value of the key has to be HEX encoded.

Note: The file must have the extension .csv

The following syntax formats is supported:

  • For HOTP: 
    • HOTP;serial;key;counter 
    • serial;key;counter
    • serial;key;counter ;otplength
    • serial;key;counter ;assigned_username
    • serial;key;counter ;otplength ;assigned_username
  • For TOTP: 
    • TOTP;serial;SHA;key;epoch;timeinterval;otplength
    • TOTP;serial;SHA;key;epoch;timeinterval;otplength ;assigned_username

 Example:

HOTP;TA129298222;94CC4CD6CDDF074E71EBC1C2FBAFE0F73D9162CF;6566
129298222;94CC4CD6CDDF074E71EBC1C2FBAFE0F73D9162CF;0;6;janderson
TOTP;TA129298329;1;A3A18EB666CA79E98A34C509DF0A853FC4A0E125;0;30;6
Click to copy

Importing Yubikey OATH tokens

Note: The file must have the extension .yubikey

The syntax then must match:

id,serial,counter,key,password,timestamp,

where id, password and timestamp are not used.

Regarding OTP length

When importing hardware tokens, including yubikeys, where otp length is not set in the csv/yubikey file, an additional configuration parameter (otp_length) can be set on the hardware token import module. This value defaults to 6 but sometimes the hardware token has 8 as otp length. This can be changed under the ADVANCED tab, as seen below.

NOTE: If using yubikey with otp length set to 8, this also needs to be reflected in MFA Admin.
Set the parameter "token_digits", on the otpadmin module, to 8.
Like this example: