DualShield provides a central place, the Token Repository, where system administrators can manage all tokens in the entire system. For extra flexibility and security, system administrators can create multiple token repositories, create sub-repositories within a repository, and bind a repository to a domain, group or unit. This allows domain, group or unit administrators to manage only the tokens that are allocated to their own domains, groups or units.

From within the Token Management facility, administrators can manage the full life cycle of tokens: assigning tokens to users, synchronising tokens, importing new tokens or deleting existing tokens.

Import Tokens

Hardware tokens must first be imported into the system before they can be assigned to users. Importing hardware tokens means importing a so-called token seed file. A single seed file can contain the information for one or many tokens.

To import tokens, follow the steps below.

  1. In the main menu, select “Repository | Token Management”.
  2. On the left pane, select the token repository where you want to place the new tokens.
  3. On the right pane, press the "Import" button on the toolbar.
  4. Click the File Browser button to the right of the Token Seed File box and select the token seed file to be imported.
  5. Optionally, enter the password if the token seed file is encrypted.
  6. Click “Import” to start the import process.

Assign Tokens

You can assign one token to a user at a time (single assignment), or assign a number of tokens, each to its own user, in one operation (batch assignment).

Single Assignment

  1. Locate and select the token you wish to assign in the token repository
  2. Click the context menu of the token
  3. Click “Assignment” in the context menu
  4. Click “New Assignment” on the toolbar
  5. Select the Domain in which the user resides
  6. Enter the user’s login name, or use the search button to search for the user in the domain
  7. Optionally, specify the start and expiration date/time of the assignment and/or the usage limit of the token for this user
  8. Click the “Assign” button to finish the assignment

Batch Assignment

To assign a number of tokens in one single operation, you will first need to create a CSV (Comma Separated Values) file, then use the “Assign Tokens” feature which is located on the toolbar in the Token Management view.

CSV is a delimited data format that has fields/columns separated by the comma character and records/rows terminated by newlines. Fields that contain a special character (comma, newline, or double quote), must be enclosed in double quotes. If a line contains a single entry which is the empty string, it may be enclosed in double quotes. If a field's value contains a double quote character it is escaped by placing another double quote character next to it.

The first line in a CSV file must contain the column names, one per field. The column names for the token batch assignment are:

  • domain
  • loginName
  • manufacturerCode
  • productCode
  • serial

Note that column names are case sensitive.

  domain            The name of the domain in which the user resides
  loginName         The user’s login name
  manufacturerCode  The manufacturer code of the token. Tokens produced by Deepnet Security have the manufacturer code DN
  productCode       The product code of the token. Tokens produced by Deepnet Security have the following codes:
                    ST:  SafeID, Time-Based
                    SE:  SafeID, Event-Based
  serial            The serial number of the token


Example:

domain, loginName, manufacturerCode,productCode,serial
"deepnetsecurity.com", "user1.test", DN, ST, 20001001
"deepnetsecurity.com", "user2.test", DN, SE, 10001002


The above CSV file will assign two tokens:

  1. A Deepnet SafeID (Time-Based) token with the serial number 20001001 to the user with the login name “user1.test” in the domain “deepnetsecurity.com”
  2. A Deepnet SafeID (Event-Based) token with the serial number 10001002 to the user with the login name “user2.test” in the domain “deepnetsecurity.com”
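As an added example (not part of the DualShield documentation or product), the following Python script checks a batch-assignment CSV against the rules above before it is handed to “Assign Tokens”: it verifies the case-sensitive header, rejects rows with empty fields or an unknown Deepnet product code, and flags a token serial listed twice in one file (that duplicate rule is the example's own sanity check, since a physical token can only go to one user). The sample file is constructed from the documentation's two rows plus two faulty ones, and a companion function shows the quoting the format requires.

```python
import csv
import io

# Column names DualShield requires in the first line of a batch-assignment CSV;
# the comparison below is exact because the names are case sensitive.
REQUIRED_COLUMNS = ("domain", "loginName", "manufacturerCode", "productCode", "serial")

# Product codes for Deepnet's own tokens (manufacturer code DN), as documented.
DEEPNET_PRODUCT_CODES = {"ST": "SafeID, Time-Based", "SE": "SafeID, Event-Based"}

# Constructed sample: the documentation's two rows plus two deliberately faulty
# ones (an unknown product code, and a serial number listed twice).
SAMPLE_CSV = """domain, loginName, manufacturerCode,productCode,serial
"deepnetsecurity.com", "user1.test", DN, ST, 20001001
"deepnetsecurity.com", "user2.test", DN, SE, 10001002
"deepnetsecurity.com", "user3.test", DN, XX, 10001003
"deepnetsecurity.com", "user4.test", DN, ST, 20001001
"""


def parse_assignment_csv(text):
    """Parse a batch-assignment CSV; return (valid_rows, errors).

    valid_rows is a list of dicts keyed by column name with whitespace-trimmed
    values; errors holds one message per rejected line or header fault. The csv
    module applies the quoting rules described above (fields wrapped in double
    quotes, embedded quotes doubled); skipinitialspace tolerates the space after
    each comma that the documentation's example uses.
    """
    errors = []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    try:
        header = [name.strip() for name in next(reader)]
    except StopIteration:
        return [], ["file is empty: the first line must hold the column names"]
    missing = [name for name in REQUIRED_COLUMNS if name not in header]
    if missing:
        return [], ["header is missing column(s): " + ", ".join(missing)]

    valid_rows, seen_tokens = [], set()
    for lineno, record in enumerate(reader, start=2):
        if not any(field.strip() for field in record):
            continue  # tolerate blank lines
        if len(record) != len(header):
            errors.append(f"line {lineno}: expected {len(header)} fields, got {len(record)}")
            continue
        row = {name: value.strip() for name, value in zip(header, record)}
        empty = [name for name in REQUIRED_COLUMNS if not row[name]]
        if empty:
            errors.append(f"line {lineno}: empty field(s): " + ", ".join(empty))
            continue
        if row["manufacturerCode"] == "DN" and row["productCode"] not in DEEPNET_PRODUCT_CODES:
            errors.append(f"line {lineno}: unknown Deepnet product code {row['productCode']!r}")
            continue
        # A physical token can only go to one user, so the same
        # manufacturer/product/serial triple must not appear twice in a batch.
        token = (row["manufacturerCode"], row["productCode"], row["serial"])
        if token in seen_tokens:
            errors.append(f"line {lineno}: token serial {row['serial']} listed more than once")
            continue
        seen_tokens.add(token)
        valid_rows.append(row)
    return valid_rows, errors


def build_assignment_csv(assignments):
    """Serialise (domain, loginName, manufacturerCode, productCode, serial)
    tuples into a CSV with the required header line. csv.writer quotes any
    field containing a comma, newline or double quote and doubles embedded
    quotes, which is exactly the escaping the format requires."""
    buffer = io.StringIO()
    writer = csv.writer(buffer, lineterminator="\n")
    writer.writerow(REQUIRED_COLUMNS)
    writer.writerows(assignments)
    return buffer.getvalue()


if __name__ == "__main__":
    rows, errors = parse_assignment_csv(SAMPLE_CSV)
    for row in rows:
        print(f"assign {row['productCode']} token {row['serial']} to {row['loginName']} in {row['domain']}")
    for error in errors:
        print("rejected:", error)
```

Running the script on the constructed sample accepts the documentation's two rows and reports lines 4 and 5. Checking a file this way before uploading it keeps a typo in one line from silently leaving a user without a token, which would otherwise only surface as a failed login.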

Create Tokens

While hardware tokens must first be imported into the system and then assigned to users, software tokens such as MobileID can simply be created for the users.

Similarly, you can create one software token for a user at a time (single creation), or a software token for each of a number of users in a single operation (batch creation).

Single Creation

To create one token for a user, follow the steps below:

  1. Locate and select the user in the user directory
  2. Click the context menu of the user
  3. Select “Tokens” in the context menu
  4. Click the "Create" button on the toolbar
  5. Select the type of the token product you wish to create, e.g. MobileID/Time-Based
  6. Optionally, provide the details of the token properties
  7. Click the "Save" button to create the token

Batch Creation

You can create a soft token for all users in a group, a unit or an entire domain. This feature is called “Provision Tokens”. 

  1. Locate the group, unit or domain in the user directory
  2. Click its context menu
  3. Select “Provision Tokens” in the context menu
  4. Select the type of the token product you wish to deploy
  5. Click the "Provision" button to start the batch deployment process

Provisioning tokens is executed as a background task, as it may take some time. You can check its progress in the Task list and its result in the Audit trails.

Synchronise Tokens

One-time password tokens can fall out of sync, causing login failures. For event/counter-based OTP tokens, the most common cause is that the user has generated too many one-time passwords on the token device without using them. For time-based OTP tokens, clock drift in the token device can cause the token to fall out of sync with the server.

In DualShield you can pre-set a window in which tokens can be automatically synchronised by the server. However, when the counter or the clock in a token has drifted outside the pre-set window, the token has to be manually synchronised by the user or the system administrator.

The preset window values are configurable in the token’s policy settings.

Below are the default settings for SafeID Event-Based tokens:

Maximum steps in automatic synchronisation

This value specifies the maximum steps that the server will look forward and backward in order to automatically re-synchronise the token.

Maximum steps in manual synchronisation

This value specifies the maximum steps that the server will look forward and backward in order to re-synchronise the token in a manual synchronisation by the user.

Maximum steps in checking synchronisation

This value specifies the maximum steps that the server will look forward and backward in order to detect if a token is out of sync.

Below are the default settings for SafeID Time-Based tokens:

Maximum time windows allowed at authentication

This value specifies the maximum windows that the server will look forward and backward in order to automatically re-synchronise the token.

Maximum time windows in manual synchronisation

This value specifies the maximum windows that the server will look forward and backward in order to re-synchronise the token in a manual synchronisation by the user.

Maximum time windows in checking synchronisation

This value specifies the maximum windows that the server will look forward and backward in order to detect if a token is out of sync.

To synchronise a token in the Management Console, select "Synchronise" in the token's context menu.

Depending on the token’s policy settings, you will need to generate two or more OTPs from the token. Optionally, you can also enter a value in the Search Scope field to override the token’s synchronisation policy setting (Maximum steps/time windows in manual synchronisation), which allows you to enlarge the search steps or windows.
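The window search these settings describe can be seen in a small model of the server side. The following Python code is an added example, not DualShield's implementation or any Deepnet code: it uses RFC 4226 HOTP as the one-time-password algorithm (an assumption; the page does not say which algorithm SafeID tokens use), and the window sizes, the 30-second time step and the secret are constructed. It models automatic re-synchronisation within the policy window, checking synchronisation, and manual synchronisation from two consecutive OTPs with an optional Search Scope override. Where the document says the server looks forward and backward, the event-based model searches forward only, because accepting a counter at or below the last one used would let a previously used OTP be replayed; the time-based model searches both directions but records the highest window already accepted for the same reason.

```python
import hashlib
import hmac
import struct

DIGITS = 6


def hotp(secret, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class EventToken:
    """Server-side state of an event-based token: last accepted counter plus
    the policy's automatic and manual step windows (default sizes are assumed)."""

    def __init__(self, secret, max_auto_steps=10, max_manual_steps=100):
        self.secret = secret
        self.counter = 0  # last counter value the server accepted
        self.max_auto_steps = max_auto_steps
        self.max_manual_steps = max_manual_steps

    def authenticate(self, otp):
        """Automatic re-sync: search forward up to max_auto_steps and advance on
        a match. Counters at or below the last accepted one are never tried, so
        a code that has already been used cannot be replayed."""
        for step in range(1, self.max_auto_steps + 1):
            if hmac.compare_digest(hotp(self.secret, self.counter + step), otp):
                self.counter += step
                return True
        return False

    def check_sync(self, otp, max_check_steps=1000):
        """Checking synchronisation: report how many steps ahead the device is
        without touching state; None means out of sync beyond the check window."""
        for step in range(1, max_check_steps + 1):
            if hotp(self.secret, self.counter + step) == otp:
                return step
        return None

    def manual_sync(self, otp1, otp2, search_scope=None):
        """Manual re-sync from two consecutive OTPs over the wider manual window
        (or an explicit Search Scope). Two codes are needed because one 6-digit
        code matches a wrong counter by chance once per 10**6 steps, which adds
        up over a window of hundreds. Returns the new counter, or None."""
        scope = search_scope or self.max_manual_steps
        for step in range(1, scope + 1):
            c = self.counter + step
            if hotp(self.secret, c) == otp1 and hotp(self.secret, c + 1) == otp2:
                self.counter = c + 1
                return self.counter
        return None


class TimeToken:
    """Server-side state of a time-based token: the device's learnt clock drift
    (in windows) plus the policy's authentication and manual windows."""

    def __init__(self, secret, step_seconds=30, max_auth_windows=1, max_manual_windows=20):
        self.secret = secret
        self.step_seconds = step_seconds
        self.drift = 0  # device clock offset in windows, updated at each success
        self.last_counter = -1  # highest window already accepted (replay guard)
        self.max_auth_windows = max_auth_windows
        self.max_manual_windows = max_manual_windows

    def _expected_counter(self, now):
        return now // self.step_seconds + self.drift

    def authenticate(self, otp, now):
        """Try the windows either side of the drift-corrected current window;
        on success learn the new drift and refuse reuse of that window's code."""
        base = self._expected_counter(now)
        for w in range(-self.max_auth_windows, self.max_auth_windows + 1):
            c = base + w
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), otp):
                self.drift += w
                self.last_counter = c
                return True
        return False

    def manual_sync(self, otp1, otp2, now, search_scope=None):
        """Two consecutive codes (the user waits one window for the second)
        searched over the manual window; returns the new drift, or None."""
        scope = search_scope or self.max_manual_windows
        base = self._expected_counter(now)
        for w in range(-scope, scope + 1):
            c = base + w
            if hotp(self.secret, c) == otp1 and hotp(self.secret, c + 1) == otp2:
                self.drift += w
                self.last_counter = c + 1
                return self.drift
        return None
```

With the constructed defaults, an event token whose user pressed the button five times without logging in is still accepted automatically (6 steps ahead, within the 10-step window), while one 45 steps ahead is rejected at authentication, reported by check_sync, and recovered by manual_sync from two consecutive codes; a token 147 steps ahead needs the Search Scope raised above the 100-step manual window. The same pattern applies to the time-based token with windows in place of steps.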

Revive Tokens

If a token is lost, damaged or malfunctions, you can temporarily disable the token, or “decease” it. Later, you can re-enable it, or “revive” the token. These functions are located in the context menu of the token.

Delete Tokens

You can also permanently remove a token from the server by deleting it.