KB_160128: How to import a DPX file using the VASCO Active Directory MMC snap-in console
9/12/2017 3:33:23 PM
There are three possible types of DPX files that you might receive with an order – they are STATIC, NOSTATIC, and AUTOREGISTER. Server-side PIN support is only possible for tokens that have been imported using the STATIC or AUTOREGISTER DPX files. If you need to enable PIN functionality and there is no option to do so inside the Web Admin, you can try re-importing a different DPX file that came with the order.
A server-side PIN is a value that the user enters prior to their OTP (One Time Password). For example, a user has a PIN of 1234 and their OTP is 555555. When they authenticate they will enter 1234555555 in the same password field with no spaces.
STATICPW DPX file
You will import this DPX file if you would like to provide the end user with a DIGIPASS that has PIN functionality enabled and already has an initial PIN set. The initial PIN will be found in an Ipin.log file delivered with the DPX file. When the user authenticates they will enter PIN+OTP. For example, 1234 is their PIN and their OTP is 555555. They will enter 1234555555 in the same password field with no spaces.
NOSTATIC DPX file
You will import this DPX file if you want to provide the end user with a DIGIPASS that does not have a PIN enabled. To achieve multi-factor authentication, you must use another value such as a back-end password.
AUTOREGISTER DPX file
You will import this DPX file if you would like to provide the end user with a DIGIPASS that has PIN functionality enabled and allow them to set the PIN on first use. The first time the user authenticates they will enter OTP + PIN + CONFIRM PIN. For example, the OTP is 555555 and the user would like to set their PIN to 1234. They will enter 55555512341234. The user will enter PIN followed by OTP for all subsequent authentications.
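The two password-field layouts described above (PIN + OTP for normal logins, OTP + PIN + CONFIRM PIN for the first AUTOREGISTER login) can be written as a small parser. This is an added example, not VASCO or IDENTIKEY code; it assumes a 6-digit numeric OTP and a numeric PIN as in the article's examples, and the function names are hypothetical.

```python
# Added illustration only: not VASCO/IDENTIKEY code. Assumes a fixed-length,
# all-digit OTP (6 digits, as in the article's examples) and an all-digit PIN.
from typing import NamedTuple

OTP_LEN = 6  # assumption taken from the article's 555555 example


class Credential(NamedTuple):
    pin: str
    otp: str


def _check_digits(field: str, otp_len: int, layout: str) -> None:
    # Reject spaces, dashes, non-ASCII digits and inputs with no room for a PIN.
    if not (field.isascii() and field.isdigit()) or len(field) <= otp_len:
        raise ValueError(f"expected digits only, in the form {layout}")


def split_pin_otp(field: str, otp_len: int = OTP_LEN) -> Credential:
    """STATICPW, or AUTOREGISTER after first use: PIN + OTP."""
    _check_digits(field, otp_len, "PIN+OTP")
    # The OTP is the fixed-length tail; everything before it is the PIN.
    return Credential(pin=field[:-otp_len], otp=field[-otp_len:])


def split_first_use(field: str, otp_len: int = OTP_LEN) -> Credential:
    """AUTOREGISTER first login: OTP + PIN + CONFIRM PIN."""
    _check_digits(field, otp_len, "OTP+PIN+PIN")
    otp, rest = field[:otp_len], field[otp_len:]
    half, odd = divmod(len(rest), 2)
    # The remainder must be two identical halves: the PIN and its confirmation.
    if odd or rest[:half] != rest[half:]:
        raise ValueError("PIN and confirmation do not match")
    return Credential(pin=rest[:half], otp=otp)


if __name__ == "__main__":
    # Constructed inputs, using the values from the article's examples.
    print(split_pin_otp("1234555555"))
    print(split_first_use("55555512341234"))
```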
Once you’ve placed an order and received both your DPX files and the associated transport key, it is important to store both the DPX files and the transport key in a safe and secure location. VASCO does not retain these files once their delivery has been made, and it is up to the customer to make sure that they are properly stored and accessible.
Once you have determined which DPX file you need to import, the process itself is fairly straightforward.
First, you will need direct access to a machine that has the VASCO Active Directory MMC snap-in console installed. This is installed by default onto any server that is running the IDENTIKEY software with Active Directory as the datastore. There is also a chance that additional servers/machines may have this installed, as it’s possible to install only the ADUC console in order to manage DIGIPASS tokens from anywhere in the environment.
Launch the snap-in console, right-click on the Digipass-Pool container and select Import DIGIPASS…
You will then be presented with the Import DIGIPASS wizard. Select the appropriate DPX file and enter the transport key that came with the order. The transport key is case-sensitive and should not include spaces or dashes. If you’ve copied the transport key from a PDF file, make sure you remove the spaces before pasting it into the field.
On the next screen, you can choose which applications you would like to import. This step should be left alone unless you need to prevent users from being able to use certain applications on their DIGIPASS. Most of the time, a single-button or mobile/software DIGIPASS will have a single application called AUTHENTICATE or Response Only. Make sure that this is checked before proceeding to the next step. You can find detailed explanations for the three possible application types below:
- Response-Only - generates an OTP based on the current date and time or on the number of uses (i.e. events).
- Challenge/Response - generates an OTP (also referred to as a response) based on a numerical challenge given on a login page.
- Signature - Electronic Signature DIGIPASS applications are typically used in online banking. The DIGIPASS authenticator generates a unique code – i.e. an Electronic Signature – based on a number of transaction data fields entered plus (optionally) the date and time or events.
On the following screen you are able to customize various DIGIPASS parameters before they get imported into your environment. Below is a brief explanation of the various options:
- Upgrade existing DIGIPASS with activation codes from new DPX file will update DIGIPASS with new features such as PIN support.
- Reserve new DIGIPASS for individual assignment only will prevent the imported DIGIPASS records from being used in bulk assign operations.
Applies to: IDENTIKEY Authentication Server
KB 160128 – 12/09/2017
© 2017 VASCO Data Security. All rights reserved.