ctotp
Utility to initialize (enable), reinitialize, or disable the One-Time Password (OTP) feature for a specified slot and role.
One-Time Password introduces multifactor authentication to the SafeNet ProtectToolkit-C environment. The OTP is a 6-digit number displayed on the SafeNet 110 OTP Token. This 6-digit number is automatically changed every 30 seconds on the token screen. When OTP is enabled for a slot, the User or Security Officer must enter the token PIN, followed by the 6-digit OTP, to log in to the slot. With OTP disabled, only the role's token PIN is required.
See Multifactor Authentication (One-Time Password) for detailed procedures.
Syntax
Initialize/enable OTP on the specified slot
ctotp init -s<slot_num> -t<token_SN> -x<xml_file> -p<passcode_file> [-O]
Log in to the specified slot using OTP
ctotp login -s <slot_num> [-O]
Re-initialize OTP on the specified slot
ctotp reinit -s<slot_num> -t<token_SN> -x<xml_file> -p<passcode_file>
Disable OTP on the specified slot
ctotp del -s<slot_num> [-O]
NOTE: Since the SafeNet 110 OTP token is time-based, ensure that the HSM time is in sync with the client by running ctconf -t on the client machine before you initialize OTP.
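Why the clock check in the note above matters, as an added example that is not part of the original page or of SafeNet ProtectToolkit-C. It assumes the token follows the standard OATH TOTP algorithm (RFC 6238, HMAC-SHA1), which this page does not state; the seed is the RFC 6238 test key, and `window` and `skew_report` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, per the page
DIGITS = 6   # code length, per the page


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed algorithm, see lead-in)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(seed: bytes, code: str, verifier_time: int, window: int = 0) -> bool:
    """Accept `code` if it matches a step within +/- `window` steps of the
    verifier's own clock. `window` is a hypothetical tolerance setting."""
    for drift in range(-window, window + 1):
        candidate = totp(seed, verifier_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def skew_report(seed: bytes, token_time: int, skews, window: int = 0) -> dict:
    """Map each verifier clock skew (seconds) to accept/reject for the code
    the token shows at `token_time`."""
    code = totp(seed, token_time)
    return {s: verify(seed, code, token_time + s, window) for s in skews}


# Constructed sample input: the RFC 6238 Appendix B test key, not a real seed.
SEED = b"12345678901234567890"
TOKEN_TIME = 1111111095  # 15 s into its 30 s step

if __name__ == "__main__":
    print("code on token:", totp(SEED, TOKEN_TIME))
    for window in (0, 1):
        print("window", window, skew_report(SEED, TOKEN_TIME, (0, 10, 20, 90), window))
```

With no tolerance, a 20-second skew is already rejected here because the verifier's clock has crossed into the next 30-second step, even though the code on the token has not yet changed.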
Commands
Command | Description |
---|---|
del | Disable OTP for the specified slot (-s). To disable OTP for the Security Officer role, include the -O option. |
init | Initialize/enable OTP for the specified slot (-s). You must specify the SafeNet 110 OTP Token serial number (-t), and filepaths to TokenSeed.xml (-x) and PSCKPassword.txt (-p). To initialize OTP for the Security Officer role, include the -O option. |
login | Log in to the HSM token. To log in as the Security Officer, include the -O option. |
reinit | Re-initialize OTP for the User on the specified slot (-s) using a different SafeNet 110 OTP Token. The Security Officer must log in to use this command. You must specify the SafeNet 110 OTP Token serial number (-t), and filepaths to TokenSeed.xml (-x) and PSCKPassword.txt (-p). You may re-initialize OTP for the User or Administrator roles only. |
Options
Option | Description |
---|---|
-s<slotnum>, --slot-num=<slotnum> | Specifies the slot on which to initialize, re-initialize, or disable OTP. |
-t<token_SN>, --token-name=<label> | Specifies the desired SafeNet 110 OTP Token serial number (located on the back of the device). This serial number must match a number in the provided TokenSeed.xml file. |
-x<xml_file> | Specifies the full or relative filepath to the TokenSeed.xml file. |
-p<password_file> | Specifies the full or relative filepath to the PSCKPassword.txt file. |
-O | Specifies that the command applies to the Security Officer role (or the Administration Security Officer role on the Admin token). |
-h, -?, --help | Display help information. |
Examples
Initialize/enable OTP on the specified slot
ctotp.exe init -s0 -tGALT10282853 -xC:\otp\seed.xml -pC:\otp\passcode.txt -O
Please Enter the Security Officer Token PIN:
=================================
OTP Initialization Successful.
===================================
Log in to the specified slot using OTP
>ctotp login -s0
Please Enter the Token PIN:
=================================
OTP Login Successful.
===================================
Re-initialize OTP on the specified slot
ctotp reinit -s0 -tGALT10282857 -xc:/otp/seed.xml -pc:/otp/passcode.txt
Please Enter the Security Officer Token PIN:
Please Enter the Token PIN:
=================================
OTP Re-Initialization Successful.
===================================
Disable OTP on the specified slot
ctotp delete -s0
Please Enter the Token PIN:
=================================
OTP Deletion Successful.
===================================
Exit Status
The ctotp utility will return a zero (0) exit status when successful. A non-zero exit status is returned on an error. Warnings are not treated as errors.