Export from Safenet


qi9x...@sneakemail.com

Feb 15, 2015, 3:54:10 PM
to lin...@googlegroups.com


Hi, I have a SafeNet server, but would like to know if it is possible to migrate to LinOTP, and continue to use the existing hardware tokens.

If I export/backup the data from SafeNet, I get a text file with entries for every user/token, with fields like e.g. sccAdminSignatureMethod (DES), sccAuthenticatorId (token ID), sccTokenKey (128 bit value in hex)

Is it possible to import this into LinOTP? I could not find any info on tools that could handle data in this format.

I do have a folder on the server C:\Program Files\Secure Computing\SafeWord\ImportData with many files named importAlpine, alpineUser, alpineXml, but I do not know if these represent the full number of tokens registered on the server.

Thanks for your help!

qi9x...@sneakemail.com

Feb 15, 2015, 4:08:11 PM
to lin...@googlegroups.com
Note: The export file has 5x the number of token IDs in the ImportData folder. So I am assuming that I need the export to get the complete data.

corneliu...@netknights.it

Feb 22, 2015, 2:14:21 AM
to lin...@googlegroups.com
Hi, does one of your files look like this:

#dn: sccAuthenticatorId=F722425
#objectclass: sccCompatibleToken
#sccAuthenticatorId: F722425
#sccTokenType: SafeWord-Alpine-ES
#sccTokenData: sccKey=C8842DADF04F17FD3E5C87039DA39D841DC06C7C;sccMode=E;sccPwLen=6;sccVer=1.1;
#sccSignature: MC4CFQD1myMBcOQ8voA9xu0DrKedEMr4rAIVAOch+nTAd6Sxgcqw3fLdNhEznCTE

Then the ID is your token serial number. The sccKey is the OTPKey.

You can check like this:

Create a new HOTP/HMAC Key with otplength =6 and SHA1 by copying the sccKey C8842DADF04F17FD3E5C87039DA39D841DC06C7C.
Try to resync the key. If this works out, you are done!
The key might be pressed more than 1000 times, then you need to increase the syncWindow.

The tool to convert the SafeWord format for import can be found here:
    https://github.com/LinOTP/LinOTP/blob/master/linotpd/src/tools/linotp-convert-token

Kind regards
Cornelius
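
The check described in the reply above, as an added example that is not part of the original post and is not the linotp-convert-token code: it parses a record in the format shown, treats sccKey as an HOTP/SHA1 secret, and searches a sync window for two consecutive OTPs. The function names, the reading of sccPwLen as the OTP length, and the press count of 1500 are assumptions made for the illustration.

```python
import hashlib, hmac, struct

# Record copied from the post above (signature line omitted); each line carries a leading '#'.
SAMPLE = """\
#dn: sccAuthenticatorId=F722425
#objectclass: sccCompatibleToken
#sccAuthenticatorId: F722425
#sccTokenType: SafeWord-Alpine-ES
#sccTokenData: sccKey=C8842DADF04F17FD3E5C87039DA39D841DC06C7C;sccMode=E;sccPwLen=6;sccVer=1.1;
"""

def parse_safeword(text):
    """Return one dict per record: serial, HOTP key bytes, OTP length."""
    tokens, cur = [], {}
    for raw in text.splitlines():
        line = raw.lstrip("#").strip()
        if ":" not in line:
            continue
        name, value = (p.strip() for p in line.split(":", 1))
        if name == "dn" and cur:            # a new dn line starts the next record
            tokens.append(cur)
            cur = {}
        if name == "sccAuthenticatorId":
            cur["serial"] = value
        elif name == "sccTokenData":
            data = dict(kv.split("=", 1) for kv in value.split(";") if "=" in kv)
            cur["key"] = bytes.fromhex(data["sccKey"])
            cur["digits"] = int(data.get("sccPwLen", 6))  # assumed to be the OTP length
    return tokens + ([cur] if cur else [])

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def resync(key, otp1, otp2, start=0, window=1000, digits=6):
    """Look for two consecutive OTPs inside the window; return the next counter or None."""
    for c in range(start, start + window):
        if hotp(key, c, digits) == otp1 and hotp(key, c + 1, digits) == otp2:
            return c + 2
    return None

if __name__ == "__main__":
    tok = parse_safeword(SAMPLE)[0]
    a, b = hotp(tok["key"], 1500), hotp(tok["key"], 1501)  # constructed: 1500 presses
    print(tok["serial"], resync(tok["key"], a, b), resync(tok["key"], a, b, window=2000))
```

With the default window of 1000 the resync fails for a token pressed 1500 times and succeeds once the window is widened, which is the syncWindow adjustment mentioned in the reply.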

vasily...@gmail.com

Jan 5, 2016, 7:56:46 AM
to LinOTP
On Sunday, February 15, 2015, 22:54:10 UTC+2, qi9x...@sneakemail.com wrote:
Hi! Did you migrate to LinOTP?

@Cornelius, how can I export data from SafeNet to get the mentioned output?

Cornelius Kölbel

Jan 5, 2016, 8:45:18 AM
to lin...@googlegroups.com
Hi Vasily,

what SafeNet Software are you running?
You can not export token data from SafeNet Authentication Manager.
The token data of the SafeNet authentication manager is encrypted in a
not known way, containing the domain name...
If you are running SafeWord 2008 I am not sure if the data can be
exported.

But if you still have the dat or xml file, you can use these files to
import the token seeds.
These files usually contain the seeds in an unencrypted way.

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



vasily...@gmail.com

Jan 5, 2016, 8:52:30 AM
to LinOTP
Hi Cornelius,

Thank you for your reply! Yes, we are using SafeNet Authentication Manager (SAM). So we cannot decrypt the token data and need to recreate tokens for each migrated user. Thank you for the clarification!

Cornelius Kölbel

Jan 5, 2016, 9:01:48 AM
to lin...@googlegroups.com
Hi Vasily,

which token types are you using with SAM?

What you should try to avoid is to reenroll tokens physically to the
user, since this is often a time consuming task.

Kind regards
Cornelius
--
Cornelius Kölbel
corneliu...@netknights.it

vasily...@gmail.com

Jan 11, 2016, 4:40:29 AM
to LinOTP
Just want to share a successful solution for migration from SAM to any RADIUS-based OTP:

With ISE Identity Source Sequence I was able to configure the following workflow:

Ask SafeNet for authentication and, if ACCESS_REJECT is received, ask PI RADIUS. One important note: access reject for the first RADIUS in the chain should be tracked as "User not found". In this case ISE will ask the next RADIUS (it's possible to configure in External Identity Sources -> Radius Token). Now I can authenticate in my network with SAM and PI tokens at the same time, so it makes the migration really smooth.

Angel T

Feb 29, 2024, 9:24:05 AM
to LinOTP
Is it possible to use some software TOTP Windows apps instead of the SafeNet eToken Pass hardware token?