DualShield provides a central place, the Token Repository, where system administrators can manage all tokens in the entire system. For extra flexibility and security, the system administrators can create multiple token repositories, sub-repositories within a repository, and bind a repository to a domain, group or unit. This allows domain/group/unit administrators to manage only the tokens that are allocated to their domains, groups or units.
From within the Token Management facility the administrators can manage the full life cycle of tokens such as assigning tokens to users, synchronising tokens, importing new tokens or deleting existing tokens.
Hardware tokens must be first imported into the system before they can be assigned to users. The process of importing hardware tokens involves importing a so-called token seed file. A single seed file can contain information of one or many tokens.
To import tokens, follow the steps below.
- In the main menu, select “Repository | Token Management”.
- On the left pane, select the token repository where you want to place the new tokens.
- On the right pane, press the "Import" button on the toolbar.
- Click the File Browser button to the right of the Token Seed File box and select the token seed file to be imported.
- Optionally, enter the password if the token seed file is encrypted.
- Click the “Import” button to start the import process.
You can assign one token to one user at a time (single assignment), or assign a number of tokens, each to its own user, in a single operation (batch assignment).
- Locate and select the token you wish to assign in the token repository
- Click the context menu of the token
- Click “Assignment” in the context menu
- Click “New Assignment” on the toolbar
- Select the Domain in which the user resides
- Enter the user’s login name or use the search button to search the user in the domain
- Optionally, you can specify the start and expiration date/time of the assignment, and/or the usage limit of the token for this user.
- Click “Assign” button to finish the assignment.
To assign a number of tokens in one single operation, you will first need to create a CSV (Comma Separated Values) file, then use the “Assign Tokens” feature which is located on the toolbar in the Token Management view.
CSV is a delimited data format that has fields/columns separated by the comma character and records/rows terminated by newlines. Fields that contain a special character (comma, newline, or double quote), must be enclosed in double quotes. If a line contains a single entry which is the empty string, it may be enclosed in double quotes. If a field's value contains a double quote character it is escaped by placing another double quote character next to it.
The first line in a CSV file must contain the column names. The column names for the token batch assignment are listed below; note that column names are case sensitive.

| Column name | Description |
|---|---|
| domain | The name of the domain in which the user resides |
| loginName | The user’s login name |
| manufacturerCode | The manufacturer code of the token. Tokens produced by Deepnet Security have the manufacturer code DN |
| | The product code of the token. Tokens produced by Deepnet Security have the following codes: ST (SafeID, Time-Based), SE (SafeID, Event-Based) |
| serial | The serial number of the token |
The above CSV file will assign two tokens:
- A Deepnet SafeID (Time Based) token with the serial number 20001001 to a user with the login name “user1.test” in the domain “deepnetsecurity.com”
- A Deepnet SafeID (Event Based) token with the serial number 10001002 to a user with the login name “user2.test” in the domain “deepnetsecurity.com”
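The two assignments above, generated and validated as a batch assignment CSV by an added Python example that is not part of DualShield or this page; it assumes the product code column is named `productCode` (the page does not state that name) and uses Python's `csv` module to apply the quoting rules described above.

```python
import csv
import io

# Column names required by the batch assignment CSV (case sensitive).
# ASSUMPTION: the product code column is named "productCode"; the page lists the
# other four names but not this one.
REQUIRED_COLUMNS = ["domain", "loginName", "manufacturerCode", "productCode", "serial"]
# Product codes listed on the page for Deepnet SafeID tokens.
KNOWN_PRODUCT_CODES = {"ST": "SafeID, Time-Based", "SE": "SafeID, Event-Based"}

def build_assignment_csv(rows):
    """Write assignment rows as CSV text. The csv module applies the page's quoting
    rules: fields containing a comma, newline or double quote are enclosed in double
    quotes, and an embedded double quote is doubled."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REQUIRED_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()

def validate_assignment_csv(text):
    """Return a list of problems found in a batch assignment CSV; empty means OK."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        problems.append(f"missing columns (names are case sensitive): {missing}")
        return problems
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        for c in REQUIRED_COLUMNS:
            if not (row.get(c) or "").strip():
                problems.append(f"line {n}: empty field '{c}'")
        if row["manufacturerCode"] == "DN" and row["productCode"] not in KNOWN_PRODUCT_CODES:
            problems.append(f"line {n}: unknown Deepnet product code '{row['productCode']}'")
    return problems

# Constructed sample: the two assignments described on the page.
SAMPLE_ROWS = [
    {"domain": "deepnetsecurity.com", "loginName": "user1.test",
     "manufacturerCode": "DN", "productCode": "ST", "serial": "20001001"},
    {"domain": "deepnetsecurity.com", "loginName": "user2.test",
     "manufacturerCode": "DN", "productCode": "SE", "serial": "10001002"},
]

if __name__ == "__main__":
    text = build_assignment_csv(SAMPLE_ROWS)
    print(text)
    print("problems:", validate_assignment_csv(text))
```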
While hardware tokens have to be first imported into the system then assigned to users, software tokens such as MobileID can be simply created for the users.
Similarly, you can create one software token for a user at a time (single creation) or a software token for a number of users in a single operation (batch creation).
To create one token for a user, follow the steps below:
- Locate and select the user in the user directory
- Click the context menu of the user
- Select “Tokens” in the context menu
- Click the "Create" button on the toolbar
- Select the type of the token product you wish to create, e.g. MobileID/Time-Based
- Optionally, provide the details of the token properties
- Click the "Save" button to create the token
You can create a soft token for all users in a group, a unit or an entire domain. This feature is called “Provision Tokens”.
- Locate the group, unit or the domain in the user directory
- Click its context menu
- Select “Provision Tokens” in the context menu
- Select the type of the token product you wish to deploy
- Click the "Provision" button to start the batch deployment process
Provisioning tokens is executed as a background task, as it may take some time. You can check its progress in the Task list, and its result in the Audit trails.
One-time password tokens can fall out of sync, causing logins to fail. For event/counter-based OTP tokens, the most common cause is that the user has generated too many dynamic passwords on the token device without using them. For time-based OTP tokens, clock drift in the token device can cause a token to be out of sync with the server.
In DualShield you can pre-set a window in which tokens can be automatically synchronised by the server. However, when the counter or the clock in a token has drifted outside the pre-set window, the token has to be manually synchronised by the user or the system administrator.
The preset window values are configurable in the token’s policy settings.
Below are the default settings for SafeID Event-Based tokens:
Maximum steps in automatic synchronisation
This value specifies the maximum steps that the server will look forward and backward in order to automatically re-synchronise the token.
Maximum steps in manual synchronisation
This value specifies the maximum steps that the server will look forward and backward in order to re-synchronise the token in a manual synchronisation performed by the user.
Maximum steps in checking synchronisation
This value specifies the maximum steps that the server will look forward and backward in order to detect if a token is out of sync.
Below are the default settings for SafeID Time-Based tokens:
Maximum time windows allowed at authentication
This value specifies the maximum windows that the server will look forward and backward in order to automatically re-synchronise the token.
Maximum time windows in manual synchronisation
This value specifies the maximum windows that the server will look forward and backward in order to re-synchronise the token in a manual synchronisation performed by the user.
Maximum time windows in checking synchronisation
This value specifies the maximum windows that the server will look forward and backward in order to detect if a token is out of sync.
To synchronise a token in the Management Console, select "Synchronise" in the token's context menu:
Depending on the token’s policy settings, you will need to generate two or more OTPs from the token. Optionally, you can also enter a value in the Search Scope field to overwrite the token’s synchronisation policy setting: Maximum steps/time windows in manual synchronisation, which allows you to enlarge the search steps or windows.
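The synchronisation windows described above, illustrated by an added Python example that is not DualShield's code: it implements RFC 4226 HOTP with a forward-only look-ahead window for event-based tokens (a simplification of the page's "forward and backward" description, so that used counters are never accepted again), a two-sided time window for time-based tokens, and a manual resync that requires consecutive OTPs inside a wider window, as the console does.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)

def authenticate_event_based(secret, server_counter, otp, max_steps):
    """Automatic resync at login ('maximum steps in automatic synchronisation'):
    look ahead up to max_steps counters, never backward, so a counter that was
    already consumed cannot be replayed. Returns the new server counter or None."""
    for c in range(server_counter, server_counter + max_steps + 1):
        if hmac.compare_digest(hotp(secret, c), otp):
            return c + 1
    return None

def manual_sync_event_based(secret, server_counter, otps, max_steps):
    """Manual resync: the operator enters two or more consecutive OTPs, which must
    all match inside the (wider) manual window before the counter is moved."""
    for c in range(server_counter, server_counter + max_steps + 1):
        if all(hmac.compare_digest(hotp(secret, c + i), o) for i, o in enumerate(otps)):
            return c + len(otps)
    return None

def authenticate_time_based(secret, otp, now, max_windows, step=30):
    """Time-based check ('maximum time windows allowed at authentication'): the
    counter is the current time step, and clock drift is tolerated max_windows
    steps either side of it. Returns the matching time step or None."""
    t = int(now) // step
    for c in range(t - max_windows, t + max_windows + 1):
        if hmac.compare_digest(hotp(secret, c), otp):
            return c
    return None

if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret, not a real token seed.
    seed = b"12345678901234567890"
    print(hotp(seed, 0))                                   # 755224
    print(authenticate_event_based(seed, 0, "338314", 5))  # counter 4 found -> 5
    print(manual_sync_event_based(seed, 0, ["287922", "162583"], 10))  # 8
```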
If a token is lost, damaged or malfunctions, you can temporarily disable the token or “decease” the token. Later, you can re-enable it or “revive” the token. These functions are located in the context menu of the token.
You can also permanently remove a token from the server by deleting it.