Import OATH PSKC Devices and Cards

You can import OATH PSKC devices and cards (including devices for PSD2 compliance) using a .pskc file, which is an XML file containing credentials for one or more OATH devices or cards. PSD2 is the Revised Payment Services Directive (PSD-2), which regulates payment services and their providers operating in the European Union (EU) and European Economic Area (EEA).

Certain parts of a .pskc file relate to the secret information in the token and are stored encrypted. You must enter the encryption key to read such encrypted sections.

Prerequisites: If you intend to install OATH .pskc devices or cards, then you must first install IBM’s unrestricted JCA/JCE policy files.

Import PSKC Devices

  1. Log on to the ActivID Management Console as a Device Manager.

  2. Select the Help Desk tab and, under Devices, select Import Device.

  3. Click Browse to select the .pskc file to be imported.

  4. If not automatically selected, from the Import Adapter drop-down list, select OATH-PSKC device Import Adapter.

  5. Enter the Encryption Key for the import file and click Next.

  6. Define the Re-synch Window and the Auto synchronization configuration.

    For further information about device synchronization and window size, see Synchronizing OTP Devices.

    There are three possible scenarios:

  7. From the Status drop-down list, select either Active or Pending.

    If you select Pending, an operator can change the status to Active in the device's Details page when required.

  8. If required, enter the Valid From and Valid To dates.

    The start date and end date are validated during authentication. These values are then applied to all devices loaded as part of this import. If in doubt, leave these fields empty.

  9. For each algorithm detected in the import file, select the corresponding Device Type.

    For example, when importing devices for PSD2 compliance, map the algorithms found in the PSKC file as follows:

    • TOTP – [DT_PSD2_OT] PSD2 OATH OT device
    • OCRA-1:HOTP-SHA1-6:QA06 – [DT_PSD2_CR] PSD2 OATH OA Challenge Response device
    • OCRA-1:HOTP-SHA1-6:QA32-T30S – [DT_PSD2_SG] PSD2 OATH OA Signing device

    Note:
    • The drop-down lists only contain the device types compatible with the detected algorithms. ActivID AS does not read the file to automatically determine the device type.

    • If a compatible device type is not found for one of the algorithms, the file cannot be imported.

  10. Click Import.

  11. To view import results, select the Reporting tab, and then check the audit reports.
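A pre-import check for the steps above, added here as an example and not part of ActivID AS or its documentation: it lists the algorithms present in a .pskc file (so you know which Device Type mappings to expect), flags keys whose secret is not encrypted, and reports whether the file exceeds the 1.5 MB batch size. It assumes the RFC 6030 PSKC element names and namespace; the sample container is constructed, and how ActivID AS itself names detected algorithms is not stated on this page.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"  # RFC 6030 namespace
NS = {"p": PSKC_NS}
# The page gives 1.5 MB as the batch threshold; binary megabytes are assumed.
BATCH_THRESHOLD = int(1.5 * 1024 * 1024)

# Constructed sample, not a real token file: secrets are placeholders.
SAMPLE = f"""<KeyContainer Version="1.0" xmlns="{PSKC_NS}">
  <KeyPackage><DeviceInfo><SerialNo>CONSTRUCTED-0001</SerialNo></DeviceInfo>
    <Key Id="k1" Algorithm="{PSKC_NS}#totp">
      <Data><Secret><EncryptedValue/></Secret></Data></Key></KeyPackage>
  <KeyPackage><DeviceInfo><SerialNo>CONSTRUCTED-0002</SerialNo></DeviceInfo>
    <Key Id="k2" Algorithm="{PSKC_NS}#OCRA-1:HOTP-SHA1-6:QA06">
      <Data><Secret><PlainValue>AAAA</PlainValue></Secret></Data></Key></KeyPackage>
</KeyContainer>""".encode()


def short_algorithm(key):
    """Return Key/@Algorithm with the PSKC URN prefix and separator removed."""
    uri = key.get("Algorithm", "")
    if uri.startswith(PSKC_NS):
        uri = uri[len(PSKC_NS):].lstrip(":#")
    return uri or "(missing)"


def inspect_pskc(data):
    """Summarise a PSKC container (bytes) without touching any key material."""
    root = ET.fromstring(data)
    algorithms, plaintext = Counter(), []
    for pkg in root.findall("p:KeyPackage", NS):
        serial = pkg.findtext("p:DeviceInfo/p:SerialNo", "(no serial)", NS)
        for key in pkg.findall("p:Key", NS):
            algorithms[short_algorithm(key)] += 1
            # A PlainValue secret means the seed is readable by anyone holding the file.
            if key.find("p:Data/p:Secret/p:PlainValue", NS) is not None:
                plaintext.append(serial)
    return {
        "algorithms": dict(algorithms),      # one Device Type mapping needed per entry
        "plaintext_secrets": plaintext,      # serial numbers to query with the supplier
        "batch": len(data) > BATCH_THRESHOLD,
    }


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(inspect_pskc(data))
```
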

Import PSKC EMV Cards

  1. Log on to the ActivID Management Console as a Device Manager.

  2. Select the Help Desk tab and, under Devices, select Import Device.

  3. Click Browse to select the .pskc file to be imported.

  4. From the Import Adapter drop-down list, select PSKC card Import Adapter and click Next.

  5. Select the Device Type contained within the file.

    Note: ActivID AS does not read the file to automatically determine the device type.

  6. From the Status drop-down list, select either Active or Pending.

    If you select Pending, an operator can change the status to Active in the device's Details page when required.

  7. Click Import.

  8. To view import results, select the Reporting tab, and then check the audit reports.

Import a PSKC File as a Batch

You can import multiple PSKC devices using large .PSKC files (file size greater than 1.5 MB).

The devices from the .PSKC file are imported in a "batch" operation, which runs as a background process.

Prerequisites: For ActivID AS deployments, the HTTP Post size parameter of your application server must be set to at least 40 MB. For further information, refer to the ActivID AS installation guide for your application server available from the ActivID Customer Portal.
Note:  
  • If the device import operation fails (that is, some devices might be missing, and/or you have received a monitoring message indicating a failure), then you can import the PSKC file again.
  • If you try to import several large PSKC files in a short time frame, the batch jobs will be executed sequentially. The second import starts only when the first import has completed.
  • If the import of a particular device fails, then the import of the other devices of the PSKC still proceeds. The import does not stop until all the devices have been processed.

  1. Log on to the ActivID Management Console as a Device Manager.

  2. Select the Help Desk tab and, under Devices, select Import Device.

  3. Click Browse to select the large .PSKC file to be imported.

  4. If not automatically selected, from the Import Adapter drop-down list, select OATH-PSKC device Import Adapter.

  5. Enter the Encryption Key for the import file and click Next.

  6. Optionally, enter a Batch Correlation ID to identify your device import batch or leave it empty.

    The ID must consist of between 5 and 32 alphanumeric characters.

    If you leave it empty, a Batch Correlation ID is set automatically.

  7. Define the Re-synch Window and the Auto synchronization configuration.

    For further information about device synchronization and window size, see Synchronizing OTP Devices.

    There are three possible scenarios:

  8. From the Status drop-down list, select either Active or Pending.

    If you select Pending, an operator can change the status to Active in the device's Details page when required.

  9. If required, enter the Valid From and Valid To dates.

    The start date and end date are validated during authentication. These values are then applied to all devices loaded as part of this import. If in doubt, leave these fields empty.

  10. For each algorithm detected in the import file, select the corresponding Device Type.

    For example, when importing devices for PSD2 compliance, map the algorithms found in the PSKC file as follows:

    • TOTP – [DT_PSD2_OT] PSD2 OATH OT device
    • OCRA-1:HOTP-SHA1-6:QA06 – [DT_PSD2_CR] PSD2 OATH OA Challenge Response device
    • OCRA-1:HOTP-SHA1-6:QA32-T30S – [DT_PSD2_SG] PSD2 OATH OA Signing device

    Note:
    • The drop-down lists only contain the device types compatible with the detected algorithms. ActivID AS does not read the file to automatically determine the device type.

    • If a compatible device type is not found for one of the algorithms, the file cannot be imported.

  11. Click Import.

    A success message appears showing the Batch Correlation ID for your device import request. The import procedure starts at this point, and devices will be imported as a background task.

  12. To import more devices, click Back.

  13. To monitor the progress of the import, you can check the audit, where an event is added for each imported device (the correlation ID is also edited).

  14. To verify that the import has completed successfully, check for the successful completion message in the Audit log.

  15. If the import has not completed successfully, or has been interrupted, you can repeat the operation to import the devices missing from the initial attempt.