Import hardware tokens
When you purchase OATH tokens, they are delivered with a key file (also called a seed file) that contains all OATH keys for the tokens. This OATH key file must be imported to the OTP Server database used to be able to assign the OATH key to specific users.
The OATH key file format must be one of the following:
- Semicolon separated file
- PSKC format (RFC 6030) NOTE: PSKC RFC 6030 version 1.0 is the official version. RFC 6030 versions 1.1 and 1.2 are drafts and are not supported.
Before you begin start by taking a full backup of the system
Prepare the system
Start by verifying that the two directories used for token import are present (otherwise create them):
Installing the import module
The hardware token import module will automatically be installed and activated when hardware tokens are enabled. There are two ways to enable hardware tokens:
- Enable hardware tokens from the application "MFA Admin"
- Enable hardware tokens from the application "Self Service"
Enabling hardware tokens can be done either when using the guide to activate the application for the first time, or from the edit view, see example for "MFA Admin" below:
Importing tokens from PSKC file
Tokens are automatically imported. A token can only be imported once.
Place the import file in the <path_to_phenixid_server_root>/tokensin/ directory. Once processed it will be moved to <path_to_phenixid_server_root>/tokensout/.
Note: The file must have the extension .xml
Using CSV as import file
For scenarios where token file format not complies with the PSKC 1.0 format it is possible to create a import file using CSV format.
Note: The file must have the extension .csv
The syntax then must match the following:
- For HOTP: HOTP;serial;key;counter ( or serial;key;counter )
- For TOTP: TOTP;serial;SHA;key;epoch;timeinterval;otplength
Importing Yubikey tokens
Note: The file must have the extension .yubikey
The syntax then must match:
where id, password and timestamp are not used.