Utility to initialize (enable), reinitialize, or disable the one-time password (OTP) feature for a specified slot and role.
One-time password (OTP) introduces multifactor authentication to the SafeNet ProtectToolkit-C environment. The OTP is a 6-digit number displayed on the SafeNet 110 Time-Based OTP Token. This 6-digit number is automatically changed every 30 seconds on the token screen. When OTP is enabled for a slot, the User or Security Officer must enter the token PIN, followed by the 6-digit OTP, to log on to the slot. With OTP disabled, only the role's token PIN is required.
See Multifactor authentication (one-time password) for detailed procedures.
The following ctotp syntax can be used.
Initialize/enable OTP on the specified slot
ctotp init -s<slot_num> -t<token_SN> -x<xml_file> -p<passcode_file> [-O]
Log on to the specified slot using OTP
Re-initialize OTP on the specified slot
ctotp reinit -s<slot_num> -t<token_SN> -x<xml_file> -p<passcode_file>
Disable OTP on the specified slot
Since the SafeNet 110 Time-Based OTP Token is time-based, ensure that the HSM time is in sync with the client by running ctconf -t on the client machine before you initialize OTP.
The following ctotp commands are available.
Disable OTP for the specified slot (-s). To disable OTP for the Security Officer role, include the -O option.
Initialize/enable OTP for the specified slot (-s). You must specify the SafeNet 110 Time-Based OTP Token serial number (-t), and filepaths to TokenSeed.xml (-x) and PSCKPassword.txt (-p). To initialize OTP for the Security Officer role, include the -O option.
Log on to the HSM token. To log on as the Security Officer, include the -O option.
Re-initialize OTP for the User on the specified slot (-s) using a different SafeNet 110 Time-Based OTP Token. The Security Officer must log on to use this command. You must specify the SafeNet 110 Time-Based OTP Token serial number (-t), and filepaths to TokenSeed.xml (-x) and PSCKPassword.txt (-p). You can re-initialize OTP for the User or Administrator roles only.
The following ctotp options are available.
-s<slotnum>, --slot-num=<slotnum>
Specifies the slot on which to initialize, re-initialize, or disable OTP.
-t<token_SN>, --token-name=<label>
Specifies the desired SafeNet 110 Time-Based OTP Token serial number (located on the back of the device). This serial number must match a number in the provided TokenSeed.xml file.
Specifies the full or relative filepath to the TokenSeed.xml file.
Specifies the full or relative filepath to the PSCKPassword.txt file.
Specifies that the command applies to the Security Officer role (or the Administration Security Officer role on the Admin token).
-h, -?, --help
Display help information.
Initialize/enable OTP on the specified slot
Log on to the specified slot using OTP
Re-initialize OTP on the specified slot
Disable OTP on the specified slot
Exit status
The ctotp utility will return a zero (0) exit status when successful. A non-zero exit status is returned on an error. Warnings are not treated as errors.
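The init procedure described above can be wrapped in a preflight check, shown here as an added example that is not part of the SafeNet documentation or tooling. The function names otp_preflight and otp_init are hypothetical, the file-permission check is an added precaution, and the script assumes that the token serial number appears as literal text in TokenSeed.xml and that ctconf reports failure through its exit status.

```shell
#!/bin/sh
# Added example: preflight checks before `ctotp init`. Not vendor code.
# otp_preflight and otp_init are hypothetical helper names.

# otp_preflight <slot_num> <token_SN> <xml_file> <passcode_file>
# Returns 0 when the inputs look usable, non-zero (with a message) otherwise.
otp_preflight() {
    slot=$1 serial=$2 xml=$3 pass=$4
    case $slot in
        ''|*[!0-9]*) echo "slot must be a non-negative integer" >&2; return 2 ;;
    esac
    [ -n "$serial" ] || { echo "token serial number is empty" >&2; return 2; }
    for f in "$xml" "$pass"; do
        [ -f "$f" ] && [ -r "$f" ] || { echo "cannot read $f" >&2; return 3; }
        # Added precaution (not from the page): both files are inputs to OTP
        # enrollment, so refuse copies that group or other users can access.
        if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
            echo "$f is accessible to group/other; chmod 600 it" >&2; return 4
        fi
    done
    # The page requires the serial to match a number in TokenSeed.xml.
    # Assumption: the serial appears there as literal text (substring match).
    grep -F -q -- "$serial" "$xml" || {
        echo "serial $serial not found in $xml" >&2; return 5; }
    return 0
}

# otp_init <slot_num> <token_SN> <xml_file> <passcode_file> [-O]
otp_init() {
    otp_preflight "$1" "$2" "$3" "$4" || return $?
    # Sync HSM time with the client first, as the page instructs.
    # Assumption: ctconf signals failure with a non-zero exit status.
    ctconf -t || { echo "ctconf -t failed; not initializing OTP" >&2; return 6; }
    # ${5:+-O} passes -O only when a fifth argument was given.
    ctotp init -s"$1" -t"$2" -x"$3" -p"$4" ${5:+-O}
    rc=$?
    # ctotp returns zero on success and non-zero on error; warnings are not errors.
    [ "$rc" -eq 0 ] || echo "ctotp init failed with exit status $rc" >&2
    return "$rc"
}
```

Call otp_init with the slot number, token serial number and the two file paths, adding -O as a fifth argument for the Security Officer role.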