Import OATH PSKC Devices and Cards
You can import OATH PSKC devices and cards from .pskc files.
Certain parts of a .pskc file relate to the secret information in the token and are stored encrypted. You must enter the encryption key to read such encrypted sections.
Import PSKC Devices
- Log on to the ActivID Management Console as a Device Manager.
- Select the Help Desk tab and, under Devices, select Import Device.
- Click Browse to select the .pskc file to be imported.
- If not automatically selected, from the Import Adapter drop-down list, select OATH-PSKC device Import Adapter.
- Enter the Encryption Key for the import file and click Next.
- Define the Re-synch Window and the Auto synchronization configuration.
  For further information about device synchronization and window size, see Synchronizing OTP Devices.
  There are three possible scenarios:
  Scenario 1: The Re-synch window is 20 (that is, + or - 20 time steps or events depending on the algorithm) and Auto Synchronization configuration is Default.
  - For OATH event-based algorithms (HOTP):
    - Since the Re-synch window is 20, the event tolerance window is equal to 20, and the authentication will succeed for any OTP used within the event tolerance window.
    - If the first OTP to authenticate is the 1st OTP generated by the device, then the authentication should succeed.
    - If the next OTP to authenticate is any OTP between the 2nd and the 21st OTP from the device, then the authentication should succeed.
    - If the next OTP to authenticate is the 22nd OTP from the device, then the authentication should fail.
  - For OATH time-based algorithms (TOTP):
    - Since the Re-synch window is 20, the time tolerance window is equal to + or - 20 time steps, and the authentication will succeed for any OTP used within the time tolerance window.
    - The time step is usually equal to 30 seconds, so this gives a time tolerance of + or - 10 minutes.
  Scenario 2: The Re-synch window is 20 and Auto Synchronization configuration is Increased Sync window at first use.
  - For event-based OATH devices, since the Re-synch window is 20, the event tolerance window is equal to 20, and the authentication should succeed for any OTP used within the event tolerance window.
  - For time-based OATH devices, the number of time steps to check is increased so that a time window of + or - 3600 seconds (+/- 120 time steps) is used until the first successful authentication. Then the time window is set back to its default value of 20 time steps (that is, + or - 10 minutes).
  As the value of Auto Synchronization configuration is "Increased Sync window at first use", the event tolerance window is extended to 30 OTPs if the given OTP is not available in the initial event tolerance window. The event tolerance window will be extended for only the first successful OTP verification. Once an OTP has been successfully verified, the window goes back to its initial value of 20.
  Scenario 3: The Re-synch window is 20 and Auto Synchronization configuration is Increased Sync window.
  The behavior is the same as that for scenario 2 except that this is applied for all the authentications, not only the first one.
- From the Status drop-down list, select either Active or Pending.
  If you select Pending, an operator can change the status to Active in the device's Details page when required.
- If required, enter the Valid From and Valid To dates.
  The start date and end date are validated during authentication. These values are then applied to all devices loaded as part of this import. If in doubt, leave these fields empty.
- For each algorithm detected in the import file, select the corresponding Device Type.
  For example, when importing devices for PSD2 compliance, map the algorithms found in the PSKC file as follows:
  - TOTP – [DT_PSD2_OT] PSD2 OATH OT device
  - OCRA-1:HOTP-SHA1-6:QA06 – [DT_PSD2_CR] PSD2 OATH OA Challenge Response device
  - OCRA-1:HOTP-SHA1-6:QA32-T30S – [DT_PSD2_SG] PSD2 OATH OA Signing device
  Note: The drop-down lists only contain the device types compatible with the detected algorithms. ActivID Appliance does not read the file to automatically determine the device type.
  If a compatible device type is not found for one of the algorithms, the file cannot be imported.
- Click Import.
- To view import results, select the Reporting tab, and then check the audit reports.
Import PSKC EMV Cards
- Log on to the ActivID Management Console as a Device Manager.
- Select the Help Desk tab and, under Devices, select Import Device.
- Click Browse to select the .pskc file to be imported.
- From the Import Adapter drop-down list, select PSKC card Import Adapter and click Next.
- Select the Device Type contained within the file.
- From the Status drop-down list, select either Active or Pending.
  If you select Pending, an operator can change the status to Active in the device's Details page when required.
- Click Import.
- To view import results, select the Reporting tab, and then check the audit reports.
Import a PSKC File as a Batch
You can import multiple PSKC devices using large .PSKC files with file size greater than 1.5 MB.
The devices from the .PSKC file are imported in a "batch" operation, which runs as a background process.
- If the device import operation fails (that is, some devices might be missing, and/or you have received a monitoring message indicating a failure), then you can import the PSKC file again.
- If you try to import several large PSKC files in a short time frame, the batch jobs will be executed sequentially. The second import starts only when the first import has completed.
- If the import of a particular device fails, then the import of the other devices of the PSKC still proceeds. The import does not stop until all the devices have been processed.
- Log on to the ActivID Management Console as a Device Manager.
- Select the Help Desk tab and, under Devices, select Import Device.
- If not automatically selected, from the Import Adapter drop-down list, select OATH-PSKC device Import Adapter.
- Enter the Encryption Key for the import file and click Next.
- Optionally, enter a Batch Correlation ID to identify your device import batch, or leave it empty.
  The ID must consist of between 5 and 32 alphanumeric characters.
  If you leave it empty, a Batch Correlation ID is set automatically.
- Define the Re-synch Window and the Auto synchronization configuration.
  For further information about device synchronization and window size, see Synchronizing OTP Devices.
  There are three possible scenarios:
  Scenario 1: The Re-synch window is 20 (that is, + or - 20 time steps or events depending on the algorithm) and Auto Synchronization configuration is Default.
  - For OATH event-based algorithms (HOTP):
    - Since the Re-synch window is 20, the event tolerance window is equal to 20, and the authentication will succeed for any OTP used within the event tolerance window.
    - If the first OTP to authenticate is the 1st OTP generated by the device, then the authentication should succeed.
    - If the next OTP to authenticate is any OTP between the 2nd and the 21st OTP from the device, then the authentication should succeed.
    - If the next OTP to authenticate is the 22nd OTP from the device, then the authentication should fail.
  - For OATH time-based algorithms (TOTP):
    - Since the Re-synch window is 20, the time tolerance window is equal to + or - 20 time steps, and the authentication will succeed for any OTP used within the time tolerance window.
    - The time step is usually equal to 30 seconds, so this gives a time tolerance of + or - 10 minutes.
  Scenario 2: The Re-synch window is 20 and Auto Synchronization configuration is Increased Sync window at first use.
  - For event-based OATH devices, since the Re-synch window is 20, the event tolerance window is equal to 20, and the authentication should succeed for any OTP used within the event tolerance window.
  - For time-based OATH devices, the number of time steps to check is increased so that a time window of + or - 3600 seconds (+/- 120 time steps) is used until the first successful authentication. Then the time window is set back to its default value of 20 time steps (that is, + or - 10 minutes).
  As the value of Auto Synchronization configuration is "Increased Sync window at first use", the event tolerance window is extended to 30 OTPs if the given OTP is not available in the initial event tolerance window. The event tolerance window will be extended for only the first successful OTP verification. Once an OTP has been successfully verified, the window goes back to its initial value of 20.
  Scenario 3: The Re-synch window is 20 and Auto Synchronization configuration is Increased Sync window.
  The behavior is the same as that for scenario 2 except that this is applied for all the authentications, not only the first one.
- From the Status drop-down list, select either Active or Pending.
  If you select Pending, an operator can change the status to Active in the device's Details page when required.
- If required, enter the Valid From and Valid To dates.
  The start date and end date are validated during authentication. These values are then applied to all devices loaded as part of this import. If in doubt, leave these fields empty.
- For each algorithm detected in the import file, select the corresponding Device Type.
  For example, when importing devices for PSD2 compliance, map the algorithms found in the PSKC file as follows:
  - TOTP – [DT_PSD2_OT] PSD2 OATH OT device
  - OCRA-1:HOTP-SHA1-6:QA06 – [DT_PSD2_CR] PSD2 OATH OA Challenge Response device
  - OCRA-1:HOTP-SHA1-6:QA32-T30S – [DT_PSD2_SG] PSD2 OATH OA Signing device
  Note: The drop-down lists only contain the device types compatible with the detected algorithms. ActivID Appliance does not read the file to automatically determine the device type.
  If a compatible device type is not found for one of the algorithms, the file cannot be imported.
- Click Import.
  A success message appears showing the Batch Correlation ID for your device import request. The import procedure starts at this point, and devices will be imported as a background task.
- To import more devices, click Back.
- To monitor the progress of the import, you can check the traps received by your client through SNMP monitoring.
- To verify that the import has completed successfully, check for the successful completion message in the traps received by your client through SNMP monitoring.
- If the import has not completed successfully, or has been interrupted, you can repeat the operation to import the devices missing from the initial attempt.
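The Re-synch Window and Auto synchronization scenarios described in the import steps determine which OTPs the server will accept for a freshly imported device. The following Python script is an added example written for this page, not ActivID Appliance code: it implements RFC 4226 HOTP and RFC 6238 TOTP and two small verifiers that apply the page's window sizes (20 events or +/- 20 time steps by default; 30 events or +/- 120 time steps while the window is increased, either only until the first successful verification or for every authentication). The class names, the `auto_sync` setting values and the demo secret are assumptions of this example; the replay guard (refusing a counter or time step at or before the last accepted one) is standard verifier practice and is not something the page describes.

```python
"""HOTP/TOTP verification with a re-synch window and the page's three
auto-synchronization scenarios. Added example; not ActivID code."""
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test-vector key), not from a real token file.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def effective_window(auto_sync: str, synced: bool, window: int, extended: int) -> int:
    """Scenario 1 ("default"): always `window`. Scenario 2 ("first_use"): `extended`
    until the first successful verification. Scenario 3 ("always"): `extended` every time."""
    if auto_sync == "always" or (auto_sync == "first_use" and not synced):
        return extended
    return window


class HotpVerifier:
    """Event-based (HOTP) verifier with a look-ahead event tolerance window."""

    def __init__(self, secret: bytes, window: int = 20, extended: int = 30,
                 auto_sync: str = "default"):
        self.secret, self.window, self.extended, self.auto_sync = secret, window, extended, auto_sync
        self.last_counter = -1   # nothing accepted yet; the device's "1st OTP" is counter 0
        self.synced = False      # True after the first successful verification

    def verify(self, otp: str) -> bool:
        """Accept counters strictly after the last accepted one (replay guard)
        and at most `window` events ahead of it."""
        start = self.last_counter + 1
        win = effective_window(self.auto_sync, self.synced, self.window, self.extended)
        for counter in range(start, start + win):
            if hmac.compare_digest(hotp(self.secret, counter), otp):
                self.last_counter = counter   # move forward; skipped OTPs are now dead
                self.synced = True
                return True
        return False


class TotpVerifier:
    """Time-based (TOTP) verifier with a +/- window of time steps."""

    def __init__(self, secret: bytes, window: int = 20, extended: int = 120,
                 auto_sync: str = "default", step: int = 30):
        self.secret, self.window, self.extended, self.auto_sync = secret, window, extended, auto_sync
        self.step = step            # 20 steps of 30 s = +/- 10 min; 120 steps = +/- 3600 s
        self.last_step = None       # highest time step already accepted (replay guard)
        self.synced = False

    def verify(self, otp: str, unix_time: int) -> bool:
        centre = unix_time // self.step
        win = effective_window(self.auto_sync, self.synced, self.window, self.extended)
        for t in range(centre - win, centre + win + 1):
            if self.last_step is not None and t <= self.last_step:
                continue   # an OTP from this or an earlier step was already used
            if hmac.compare_digest(hotp(self.secret, t), otp):
                self.last_step = t
                self.synced = True
                return True
        return False


def scenario_1_walkthrough(secret: bytes = DEMO_SECRET) -> list:
    """The page's Scenario 1 HOTP example: 1st OTP succeeds, 22nd fails, 21st succeeds."""
    v = HotpVerifier(secret)
    return [v.verify(hotp(secret, 0)),    # 1st OTP generated by the device
            v.verify(hotp(secret, 21)),   # 22nd OTP: 21 events ahead, outside the window of 20
            v.verify(hotp(secret, 20))]   # 21st OTP: exactly 20 events ahead, accepted


if __name__ == "__main__":
    print("Scenario 1 walkthrough:", scenario_1_walkthrough())
    v = HotpVerifier(DEMO_SECRET, auto_sync="first_use")
    print("25th OTP at first use (window 30):", v.verify(hotp(DEMO_SECRET, 24)))
    print("50th OTP after sync (window back to 20):", v.verify(hotp(DEMO_SECRET, 49)))
```

Running the script prints `[True, False, True]` for Scenario 1, then `True` and `False` for the first-use scenario: the 25th OTP is inside the increased window of 30, after which the window shrinks back to 20 and the 50th OTP (25 events ahead) is rejected. The same verifiers model Scenario 3 with `auto_sync="always"`, where the increased window applies to every authentication.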