CTOTP
Utility to initialize (enable), reinitialize, or disable the One-Time Password (OTP) feature for a specified slot and role.
One-Time Password introduces multifactor authentication to the SafeNet ProtectToolkit-C environment. The OTP is a 6-digit number displayed on the SafeNet 110 OTP Token. This 6-digit number is automatically changed every 30 seconds on the token screen. When OTP is enabled for a slot, the User or Security Officer must enter the token PIN, followed by the 6-digit OTP, to log in to the slot. With OTP disabled, only the role's token PIN is required.
See Multifactor Authentication (One-Time Password) for detailed procedures.
Syntax
Initialize/enable OTP on the specified slot
ctotp init -s<slot_num> -t<token_SN> -x<xml_file> -p<passcode_file> [-O]
Log in to the specified slot using OTP
ctotp login -s <slot_num> [-O]
Re-initialize OTP on the specified slot
ctotp reinit -s<slot_num> -t<token_SN> -x<xml_file> -p<passcode_file>
Disable OTP on the specified slot
ctotp del -s<slot_num> [-O]
NOTE: Since the SafeNet 110 OTP token is time-based, ensure that the HSM time is in sync with the client by running ctconf -t on the client machine before you initialize OTP.
Commands
Command | Description |
---|---|
del | Disable OTP for the specified slot (-s). To disable OTP for the Security Officer role, include the -O option. |
init | Initialize/enable OTP for the specified slot (-s). You must specify the SafeNet 110 OTP Token serial number (-t), and filepaths to TokenSeed.xml (-x) and PSCKPassword.txt (-p). To initialize OTP for the Security Officer role, include the -O option. |
login | Log in to the HSM token. To log in as the Security Officer, include the -O option. |
reinit | Re-initialize OTP for the User on the specified slot (-s) using a different SafeNet 110 OTP Token. The Security Officer must log in to use this command. You must specify the SafeNet 110 OTP Token serial number (-t), and filepaths to TokenSeed.xml (-x) and PSCKPassword.txt (-p). You may re-initialize OTP for the User or Administrator roles only. |
Options
Option | Description |
---|---|
-s<slotnum>, --slot-num=<slotnum> | Specifies the slot on which to initialize, re-initialize, or disable OTP. |
-t<token_SN>, --token-name=<label> | Specifies the desired SafeNet 110 OTP Token serial number (located on the back of the device). This serial number must match a number in the provided TokenSeed.xml file. |
-x<xml_file> | Specifies the full or relative filepath to the TokenSeed.xml file. |
-p<password_file> | Specifies the full or relative filepath to the PSCKPassword.txt file. |
-O | Specifies that the command applies to the Security Officer role (or the Administration Security Officer role on the Admin token). |
-h, -?, --help | Display help information. |
Examples
Initialize/enable OTP on the specified slot
    ctotp.exe init -s0 -tGALT10282853 -xC:\otp\seed.xml -pC:\otp\passcode.txt -O
    Please Enter the Security Officer Token PIN:
    =================================
    OTP Initialization Successful.
    ===================================
Log in to the specified slot using OTP
    >ctotp login -s0
    Please Enter the Token PIN:
    =================================
    OTP Login Successful.
    ===================================
Re-initialize OTP on the specified slot
    ctotp reinit -s0 -tGALT10282857 -xc:/otp/seed.xml -pc:/otp/passcode.txt
    Please Enter the Security Officer Token PIN:
    Please Enter the Token PIN:
    =================================
    OTP Re-Initialization Successful.
    ===================================
Disable OTP on the specified slot
    ctotp delete -s0
    Please Enter the Token PIN:
    =================================
    OTP Deletion Successful.
    ===================================
Exit Status
The ctotp utility will return a zero (0) exit status when successful. A non-zero exit status is returned on an error. Warnings are not treated as errors.
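A preflight wrapper for the initialization step, added here as an example and not taken from the vendor documentation: it confirms the token serial number appears in the seed file, syncs time with ctconf -t, and then acts on the exit status of ctotp init. The function name otp_init, its return codes, and the assumption of a POSIX shell client with ctotp and ctconf on the PATH belong to this example; the serial check is a plain string match and assumes nothing about the seed file's XML schema.

```shell
#!/bin/sh
# Added example (not vendor code): preflight checks around "ctotp init".
# Assumption: POSIX shell client with ctotp and ctconf on the PATH.
#
# Usage: otp_init SLOT TOKEN_SN SEED_XML PASSCODE_FILE [-O]
# Returns (this example's own codes): 0 ok, 2 bad input,
# 3 time sync failed, 4 ctotp returned a non-zero exit status.
otp_init() {
    slot=$1; sn=$2; seed=$3; pass=$4; role=${5:-}

    # Slot must be numeric; the only role flag accepted is -O (Security Officer).
    case $slot in ''|*[!0-9]*) echo "invalid slot: $slot" >&2; return 2 ;; esac
    case $role in ''|-O) ;; *) echo "unknown role flag: $role" >&2; return 2 ;; esac
    [ -n "$sn" ] || { echo "token serial number is empty" >&2; return 2; }

    # Both input files must be readable before anything touches the HSM.
    for f in "$seed" "$pass"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done

    # The serial (-t) must match a number in the seed file (-x).
    # Fixed-string match only; the file's XML structure is not parsed.
    grep -qF -- "$sn" "$seed" || {
        echo "serial $sn not found in $seed" >&2
        return 2
    }

    # The token is time-based, so sync HSM time with the client first.
    ctconf -t || { echo "ctconf -t failed; OTP not initialized" >&2; return 3; }

    # A non-zero exit status from ctotp is an error; warnings still exit 0.
    ctotp init -s"$slot" -t"$sn" -x"$seed" -p"$pass" ${role:+"$role"} || {
        echo "ctotp init failed on slot $slot" >&2
        return 4
    }
    echo "OTP initialized on slot $slot"
}

# Run only when arguments are supplied, so the file can also be sourced.
if [ "$#" -gt 0 ]; then otp_init "$@"; fi
```

ctotp still prompts for the token PIN on the terminal; the wrapper only gates the call and reports its result.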