Offline Mode for Client Administrators

Offline mode allows user to connect their offline virtual card automatically when they connect token from the server for the first time. Offline mode provides an option to export the keys from the database, and store them on the machines' file system or in the supported Trusted Platform Module (TPM) 2.0. It allows the user to perform read-only operations. Offline mode data for each device is saved locally to the client machine. As the tokens are offline, all the cryptographic operations on these tokens are performed locally (not synced to the server).

When the user uses the virtual smart card in offline mode, the icon changes to (blue) , indicating that the system is disconnected from the network or backend (Identity Provider or Safenet IDPrime Virtual Server).

About TPM

A TPM chip is a secure crypto-processor designed to carry out the cryptographic operations. This chip includes multiple physical security mechanisms to secure it from malicious attacks. The TPM chip generates, stores, and limits the use of cryptographic keys.

Prerequisites for Offline Mode

The following prerequisites are required to go offline:

Prerequisites for Client Administrator

1. IDP user must be a part of the offline enabled group.
2. Update OfflineTokenEnabledGroup parameters in the appsettings.yml configuration file.
3. HSM must support a private key export.
4. Set the tenant -k true, refer Create a tenant section for more details.

Scenarios of Offline Mode

1. In case of intermittent network outage.

   • The IDPV client switches to offline mode automatically but the tray icon remain in online state until the application is refreshed. On failure of network with the server, the tray icon changes to offline state (blue) .
   • When the network is available and the IDPV client is required to go online, user must click Go Online in the tray menu.
     
     
     If refresh token is not expired, IDPV Client directly switches to the online mode without requesting for IDP login. However, IDP login is required in case it is expired.
   • If the user has a valid offline bundle and network is not available, the tray icon changes to offline state (blue) while performing PKI operations.

2. In the absence of any available network.

   • The IDPV client starts directly working in offline mode, and the tray icon changes to offline state (blue) .
   • When the network is available and the IDPV client is required to go online, user must click Go Online in the tray menu.
     
     
     If refresh token is not expired, IDPV Client directly switches to the online mode without requesting for IDP login. However, IDP login is required in case it is expired.
   • If the offline bundle was downloaded successfully earlier and then the machine is restarted, the IDPV application state will be in (blue) .
   • If the offline bundle was downloaded successfully earlier and then machine is started after shutdown, the IDPV application state will be in (blue) .
   • Depending on the sleep settings of user's machine, if IDPV client is not able to communicate with IDPV server in sleep mode or when coming out of the sleep mode, the tray icon changes to offline state (blue) .

   A User is required to go online if the offline bundle of the token expires.

3. Go Offline option in System tray.

   Pre-requisite: User must have only one token.

   • A user can now go offline after clicking Go Offline in System tray.

     

   • When a user clicks Go Offline, a prompt is displayed asking for the token PIN.

     

   • Upon entering the token PIN and after successful authentication, the user is switched to the Offline mode, and the tray icon changes to offline state (blue) .

4. The Offline mode expiry timer is refreshed.

   • When the user clicks Go Online in the System tray menu and authenticates with an IDP (either through credentials or an active token), regardless of whether the offline usage is remaining or already expired.
   • When the user clicks Go Offline in the System tray menu, regardless of whether the IDPV server is reachable or not.
   • When the user initiates a PKI operation and the IDPV server is not reachable.
   • When the user clicks Connect in the System tray menu and the IDPV server is reachable with the isAutoOfflineBundleDownloadEnabled setting is set to true.

5. IDPV client switches to offline mode and the Offline expiry timer starts.

   • When the user initiates a PKI operation and the IDPV server is not reachable.
   • When the user clicks Go Offline in the System tray menu, regardless of whether the IDPV server is reachable or not.
   • When the user clicks Connect in the System tray menu and the IDPV server is reachable with the isAutoOfflineBundleDownloadEnabled setting is set to true.

6. A new flag isAutoOfflineBundleDownloadEnabled (-o) is added to enable the offline usage of the smart card when the smart card is connected. This flag can be configured while creating a tenant. For more information, refer to the Creating a Tenant section.

   • If Auto offline download setting is enabled, the offline bundle is automatically downloaded in background when the user clicks Connect. The tray icon changes to offline state (blue) .

   • If the user's offline bundle is not present and the user clicks Connect, a prompt is displayed asking for the token PIN.

     

     Upon entering the token PIN and after successful authentication, the user is switched to the Offline mode, and the tray icon changes to offline state (blue) .

   • There are additional scenerios when isAutoOfflineBundleDownloadEnabled (-o) is enable (true) or disabled (false). These scenerios are explained below.

     Online Mode | System Restart

     Scenario	Result, when -o is true	Result, when -o is false
     The offline bundle is available and the IDPV server is accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .
     The offline bundle is not available and the IDPV server is accessible.	The IDPV client will be in the Disconnected mode with the tray icon in the disconnected state (grey) .	The IDPV client will be in the Disconnected mode with the tray icon in the disconnected state (grey) .
     The offline bundle is available and the IDPV server is not accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .
     The offline bundle is not available and the IDPV server is not accessible.	The IDPV client will be in the Disconnected mode with the tray icon in the disconnected state (grey) .	The IDPV client will be in the Disconnected mode with the tray icon in the disconnected state (grey) .

     Offline Mode | System Restart

     Scenario	Result, when -o is true	Result, when -o is false
     The offline bundle is available and the IDPV server is accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .
     The offline bundle is available and the IDPV server is not accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .

     Online Mode | System Shutdown and Start

     Scenario	Result, when -o is true	Result, when -o is false
     The offline bundle is available and the IDPV server is accessible.	The IDPV client will be in the Online mode with the tray icon in the online state (green) .	The IDPV client will be in the Online mode with the tray icon in the offline state (green) .
     The offline bundle is not available and the IDPV server is accessible.	The IDPV client will be in the Online mode with the tray icon in the online state (green) .	The IDPV client will be in the Online mode with the tray icon in the offline state (green) .
     The offline bundle is available and the IDPV server is not accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .
     The offline bundle is not available and the IDPV server is not accessible.	The IDPV client will be in the Disconnected mode with the tray icon in the disconnected state (grey) .	The IDPV client will be in the Disconnected mode with the tray icon in the disconnected state (grey) .

     Offline Mode | System Shutdown and Start

     Scenario	Result, when -o is true	Result, when -o is false
     The offline bundle is available and the IDPV server is accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .
     The offline bundle is available and the IDPV server is not accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .

     Online Mode | System Logoff and Login

     Scenario	Result, when -o is true	Result, when -o is false
     The offline bundle is available and the IDPV server is accessible.	The IDPV client will be in the Online mode with the tray icon in the online state (green) .	The IDPV client will be in the Online mode with the tray icon in the offline state (green) .
     The offline bundle is not available and the IDPV server is accessible.	The IDPV client will be in the Online mode with the tray icon in the online state (green) .	The IDPV client will be in the Online mode with the tray icon in the offline state (green) .
     The offline bundle is available and the IDPV server is not accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .
     The offline bundle is not available and the IDPV server is not accessible.	The IDPV client will be in the Disconnected mode with the tray icon in the disconnected state (grey) .	The IDPV client will be in the Disconnected mode with the tray icon in the disconnected state (grey) .

     Offline Mode | System Logoff and Login

     Scenario	Result, when -o is true	Result, when -o is false
     The offline bundle is available and the IDPV server is accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .
     The offline bundle is available and the IDPV server is not accessible.	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .	The IDPV client will be in the Offline mode with the tray icon in the offline state (blue) .

7. A new flag IsOfflineFallbackEnabled (-f) is added in SafeNet IDPV v2.5 to enable or disable the Offline fallback feature. If it is enabled, a user can go offline when TPM is FIPS compliant, but the keys are non-FIPS.
   This flag can be configured while creating a tenant. For more information, refer to the Creating a Tenant section.

Configuring Offline Mode

This sections describes offline mode in terms of windows administration. In normal mode, a user connects the IDPV smart card to the server. In the end-point UI application, the device tray icon shows a connected state (green).

Standard User Individual Lockout Threshold

Offline Mode Keys are stored within the TPM, and protected with AuthData derived from the User PIN.

• The individual lockout threshold limits the number of authorization failures for each user.

• When threshold is reached, Windows 10 lockout time is triggered, and the user is prevented to send commands that require authorization to the TPM. For more information, refer to Microsoft Information Protection.

The administrator can set the TPM Group Policy Settings for vToken user PIN verification failure.

Offline Bundle

The Offline Bundle consists of the following:

• Private Keys: These are unwrapped into the TPM chip of Windows.
• Metadata: This is stored on the hard disk in C:\ProgramData\Thales\IDPrimeVirtual
• For every token the user logs in, separate metadata files are created.
• As metadata for every token is stored locally, even in offline mode, the user can run the cryptographic operations on these tokens.

If the user manually deletes the metadata information from the configured directory, the keys are deleted by the application when it is started.

Synchronization in Offline Bundle

1. Application removes invalid offline bundle from the local host.
2. Perform the steps given in Connecting IDPV Smart Card to the Server to return token to the synchronized state.
3. After it is synchronized, login to this token to get it updated in the offline tokens list.
4. If the application stops, token gets disconnected. Restart the application and connect the token again. Admin cannot download the offline bundle of a user token. In the offline mode, an admin can perform operations on the admin tokens and cannot log in to the user token.

Scenarios where Offline Bundle becomes Invalid

1. If the first user logs out of the system tray and a new user logs in, the offline bundle for the first user is deleted.
2. If the user enters an incorrect PIN multiple times and exhausts the allowed retry attempts, the offline bundle becomes invalid.
3. If the server URL or tenant ID is modified while operating in offline mode, the offline bundle becomes invalid.

By default, the offline bundle has a server-side expiration time of 120 hours, but it is possible to modify this value by referring to the policySettings.json file.

The SAC client issues a generic error message called Invalid Password when the user tries to log in to the token in the aforementioned scenarios.

Offline Mode Troubleshooting

If the Icon does not change to (blue) even after the network is unavailable. Then check the scenarios provided below and report results to the IT Admin support.

1. Check if Offline Bundle files were downloaded successfully
   After smartcard authentication, the offline files of the smartcard are located in the following location on the end user machine. If end users have admin rights, they can check the offline files at following location: C:/ProgramData/Thales/IDPrimeVirtual

   • Located under this format (IDPUser.bundleindentifier). Refer to the sample screenshot.
     
   • For every smartcard login performed by a user, a separate offline bundle is created for that particular user. Refer to the sample screenshot.
     .
   • In case of successful download of the offline bundle files, the sample structure is shown in the below screenshot.
     

2. Check errors in SAC Tools UI or third party applications due to issues in offline bundle files

   • When the IDPV offline bundle files becomes invalid or fails to download successfully due to any issue, the smartcard/certificates still appear visible in the SAC Tools user interface or third-party applications. However, when the end user attempts to authenticate with the PIN to the smartcard for any PKI operation or token login in SAC Tools, a generic error message of Invalid Password is displayed.
   • If the user is not authorized to operate in offline mode, the IDPV Client will continue to display (green) () and the token will remain visible in SAC. However, if the connection is lost or an offline PKI operation is attempted during signing or decryption, an error message of Invalid Password will appear when the user tries to authenticate with the PIN for the operation.
   • If the end user attempts to authenticate for the first time with their PIN for PKI operations such as signing or decryption while the network is down, the end user may receive a balloon notification from the IDPV client stating Invalid password or Failed to connect to IDPV server. Contact your administrator. However, subsequent attempts will function correctly.
   • If the offline bundle has expired as per the policies configured on the IDPV server and the user attempts to perform token login or PKCS11 operations, a generic error message of Invalid Password is displayed by SAC, and a notification appears on the IDPV client stating The smart card offline usage has expired. Please contact the administrator.

Offline Mode End User Resolution

1. Collect Data Logs
   When the end user logs are enabled, logs are stored together with SafeNet Minidriver and SafeNet Authentication at the location: C:\Windows\Temp\eToken.log.
   Logs are in the format of Month_Date as shown in the below screenshot.
   
   Every time the logs are updated,the Date Modified column is updated accordingly. The file can be zipped and accordingly shared with the IT administrator for analysis.
   In case logs are not visible at the mentioned location, follow the below steps:

   • Enable Logs via SAC Tools
     • In case of SAC Tools, Click on Enable Logging button.
       
     • Restart IDPV Client and SAC Client.

2. Collect TPM information
   

   The user must have administrator rights before executing the following steps.

   • Launch Windows Powershell from start menu. Execute Get-Tpm and collect the output. For more detais, refer to Get TPM section. Refer to the sample screenshot below:
   • Download the TPM.exe file.
   • To run the TpmCheck tool (32bit version) follow instructions as below:
     • Copy the extracted exe file to a location.
     • Open a command prompt as administrator and navigate to the directory where file is extracted.
     • Execute th TpmCheck.exe file.
     • This command would automatically stop after few seconds.
     • Result would look like below on success: