Offline Mode for End Users
Offline mode connects the user's offline virtual card automatically once the token has been connected from the server for the first time. It provides an option to export the keys from the database and store them on the machine's file system or in a supported Trusted Platform Module (TPM) 2.0, and it allows the user to perform read-only operations. Offline mode data for each device is saved locally on the client machine. Because the tokens are offline, all cryptographic operations on these tokens are performed locally and are not synced to the server.
When the user uses the virtual smart card in offline mode, the icon changes to (blue), indicating that the system is disconnected from the network or from the backend (Identity Provider or SafeNet IDPrime Virtual Server).
About TPM
A TPM chip is a secure crypto-processor designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to protect it from malicious attacks. The TPM chip generates, stores, and limits the use of cryptographic keys.
Prerequisites for Offline Mode
The following prerequisites must be met before going offline:
- Enable TPM in the BIOS. By default, TPM is disabled on the machine. The Windows 10 operating system initializes and takes ownership of the TPM on start-up.
- To download the offline bundle, the token must have a certificate and must have been logged in to once.
- To use offline mode, one successful PKI operation must be performed, which entails entering the smart card PIN through the SAC Tools user interface or a third-party application such as Adobe or Outlook. Refer to the screenshot presented below.
  Once the PIN is provided, offline capability is enabled: the status changes from (green) to (blue) whenever connectivity to the backend (Identity Provider or SafeNet IDPrime Virtual Server) is broken.
Scenarios of Offline Mode
- In case of an intermittent network outage:
  - The IDPV client switches to offline mode automatically, but the tray icon remains in the online state until the application is refreshed. When communication with the server fails, the tray icon changes to the offline state (blue).
  - When the network is available again and the IDPV client is required to go online, the user must click Go Online in the tray menu. If the refresh token has not expired, the IDPV Client switches directly to online mode without requesting an IDP login; otherwise an IDP login is required.
  - If the user has a valid offline bundle and the network is not available, the tray icon changes to the offline state (blue) while PKI operations are performed.
- In the absence of any available network:
  - The IDPV client starts working directly in offline mode, and the tray icon changes to the offline state (blue).
  - When the network is available and the IDPV client is required to go online, the user must click Go Online in the tray menu. If the refresh token has not expired, the IDPV Client switches directly to online mode without requesting an IDP login; otherwise an IDP login is required.
  - If the offline bundle was downloaded successfully earlier and the machine is then restarted, the IDPV application state will be (blue).
  - If the offline bundle was downloaded successfully earlier and the machine is then started after a shutdown, the IDPV application state will be (blue).
  - Depending on the sleep settings of the user's machine, if the IDPV client is not able to communicate with the IDPV server in sleep mode or when coming out of sleep mode, it switches to (blue).
  The user is required to go online if the offline bundle of the token expires.
- Go Offline option in the System tray:
  - A user can now go offline by clicking Go Offline in the System tray.
  - When a user clicks Go Offline, a prompt is displayed asking for the token PIN.
  - Upon entering the token PIN and after successful authentication, the user is switched to Offline mode, and the tray icon changes to the offline state (blue).
- The Offline mode expiry timer is refreshed:
  - When the user clicks Go Online in the System tray menu and authenticates with an IDP (either through credentials or an active token), regardless of whether offline usage is remaining or already expired.
  - When the user clicks Go Offline in the System tray menu, regardless of whether the IDPV server is reachable or not.
  - When the user initiates a PKI operation and the IDPV server is not reachable.
  - When the user clicks Connect in the System tray menu and the IDPV server is reachable with the isAutoOfflineBundleDownloadEnabled setting set to true.
- The IDPV client switches to offline mode and the Offline expiry timer starts:
  - When the user initiates a PKI operation and the IDPV server is not reachable.
  - When the user clicks Go Offline in the System tray menu, regardless of whether the IDPV server is reachable or not.
  - When the user clicks Connect in the System tray menu and the IDPV server is reachable with the isAutoOfflineBundleDownloadEnabled setting set to true.
- A new flag isAutoOfflineBundleDownloadEnabled (-o) is added to enable offline usage of the smart card when the smart card is connected.
  - If the Auto offline download setting is enabled, the offline bundle is automatically downloaded in the background when the user clicks Connect. The tray icon changes to the offline state (blue).
  - If the user's offline bundle is not present and the user clicks Connect, a prompt is displayed asking for the token PIN. Upon entering the token PIN and after successful authentication, the user is switched to Offline mode, and the tray icon changes to the offline state (blue).
- There are additional scenarios when isAutoOfflineBundleDownloadEnabled (-o) is enabled (true) or disabled (false). These scenarios are explained below.
Online Mode | System Restart

Scenario | Result, when -o is true | Result, when -o is false
--- | --- | ---
Offline bundle available, IDPV server accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)
Offline bundle not available, IDPV server accessible | Disconnected mode, tray icon in the disconnected state (grey) | Disconnected mode, tray icon in the disconnected state (grey)
Offline bundle available, IDPV server not accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)
Offline bundle not available, IDPV server not accessible | Disconnected mode, tray icon in the disconnected state (grey) | Disconnected mode, tray icon in the disconnected state (grey)

Offline Mode | System Restart

Scenario | Result, when -o is true | Result, when -o is false
--- | --- | ---
Offline bundle available, IDPV server accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)
Offline bundle available, IDPV server not accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)

Online Mode | System Shutdown and Start

Scenario | Result, when -o is true | Result, when -o is false
--- | --- | ---
Offline bundle available, IDPV server accessible | Online mode, tray icon in the online state (green) | Online mode, tray icon in the offline state (green)
Offline bundle not available, IDPV server accessible | Online mode, tray icon in the online state (green) | Online mode, tray icon in the offline state (green)
Offline bundle available, IDPV server not accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)
Offline bundle not available, IDPV server not accessible | Disconnected mode, tray icon in the disconnected state (grey) | Disconnected mode, tray icon in the disconnected state (grey)

Offline Mode | System Shutdown and Start

Scenario | Result, when -o is true | Result, when -o is false
--- | --- | ---
Offline bundle available, IDPV server accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)
Offline bundle available, IDPV server not accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)

Online Mode | System Logoff and Login

Scenario | Result, when -o is true | Result, when -o is false
--- | --- | ---
Offline bundle available, IDPV server accessible | Online mode, tray icon in the online state (green) | Online mode, tray icon in the offline state (green)
Offline bundle not available, IDPV server accessible | Online mode, tray icon in the online state (green) | Online mode, tray icon in the offline state (green)
Offline bundle available, IDPV server not accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)
Offline bundle not available, IDPV server not accessible | Disconnected mode, tray icon in the disconnected state (grey) | Disconnected mode, tray icon in the disconnected state (grey)

Offline Mode | System Logoff and Login

Scenario | Result, when -o is true | Result, when -o is false
--- | --- | ---
Offline bundle available, IDPV server accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)
Offline bundle available, IDPV server not accessible | Offline mode, tray icon in the offline state (blue) | Offline mode, tray icon in the offline state (blue)
Offline Mode Troubleshooting
If the icon does not change to (blue) even when the network is unavailable, check the scenarios below and report the results to IT Admin support.
- Check whether the offline bundle files were downloaded successfully.
  After smart card authentication, the offline files of the smart card are stored at the following location on the end user machine; end users with admin rights can check them there: C:/ProgramData/Thales/IDPrimeVirtual
  - The files are located under the format IDPUser.bundleidentifier. Refer to the sample screenshot.
  - For every smart card login the user performs, a separate offline bundle is created for that particular user. Refer to the sample screenshot.
  - When the offline bundle files have downloaded successfully, the structure looks like the sample in the screenshot below.
- Check for errors in the SAC Tools UI or third-party applications caused by issues with the offline bundle files.
  - When the IDPV offline bundle files become invalid or fail to download successfully for any reason, the smart card and its certificates still appear in the SAC Tools user interface and in third-party applications. However, when the end user attempts to authenticate with the PIN to the smart card for any PKI operation or token login in SAC Tools, a generic Invalid Password error message is displayed.
  - If the user is not authorized to operate in offline mode, the IDPV Client continues to display (green) and the token remains visible in SAC. However, if the connection is lost or an offline PKI operation is attempted during signing or decryption, an Invalid Password error message appears when the user tries to authenticate with the PIN for the operation.
  - If the end user attempts to authenticate for the first time with their PIN for PKI operations such as signing or decryption while the network is down, the end user may receive a balloon notification from the IDPV client stating Invalid password or Failed to connect to IDPV server. Contact your administrator. Subsequent attempts will function correctly.
  - If the offline bundle has expired, as per the policies configured on the IDPV server, and the user attempts to perform token login or PKCS11 operations, a generic Invalid Password error message is displayed by SAC, and a notification appears on the IDPV client stating The smart card offline usage has expired. Please contact the administrator.
Offline Mode End User Resolution
- Collect Data Logs
  When end user logs are enabled, logs are stored together with SafeNet Minidriver and SafeNet Authentication at the location: C:\Windows\Temp\eToken.log
  Logs are in the format Month_Date, as shown in the screenshot below. Every time the logs are updated, the Date Modified column is updated accordingly. The file can be zipped and shared with the IT administrator for analysis.
  If logs are not visible at the mentioned location, follow these steps:
  - Enable logs via SAC Tools: in SAC Tools, click the Enable Logging button.
  - Restart the IDPV Client and the SAC Client.
- Collect TPM information
  - The user must have administrator rights before executing the following steps.
  - Launch Windows PowerShell from the Start menu, execute Get-Tpm and collect the output. For more details, refer to the Get TPM section. Refer to the sample screenshot below.
  - Download the TPM.exe file.
  - To run the TpmCheck tool (32-bit version), follow the instructions below:
    - Copy the extracted exe file to a location.
    - Open a command prompt as administrator and navigate to the directory where the file is extracted.
    - Execute the TpmCheck.exe file.
    - The command stops automatically after a few seconds.
    - On success, the result looks like the following:
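The following PowerShell script is an added example, not part of the IDPV product or its documentation: it gathers what the log and TPM collection steps above ask the end user to hand to the IT administrator (the Get-Tpm output, a listing of the offline bundle directory, and the eToken.log data) into a single zip. The output folder name and the subset of Get-Tpm properties shown are assumptions; the paths are the ones given on this page.

```powershell
# Added example (not Thales IDPV code): collect the offline-mode diagnostics
# described above into one zip for the IT administrator.
# Run from an elevated PowerShell prompt; Get-Tpm requires administrator rights.
$bundleDir = 'C:\ProgramData\Thales\IDPrimeVirtual'   # offline bundle location (from this page)
$logPath   = 'C:\Windows\Temp\eToken.log'             # SAC / Minidriver log location (from this page)
$outDir    = Join-Path $env:TEMP ('IDPV-Diag-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))  # assumed name
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. TPM state: the properties an admin needs to confirm the TPM is present, enabled and owned.
try {
    Get-Tpm |
        Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned, LockedOut |
        Format-List | Out-File (Join-Path $outDir 'Get-Tpm.txt')
} catch {
    "Get-Tpm failed: $($_.Exception.Message)" | Out-File (Join-Path $outDir 'Get-Tpm.txt')
}

# 2. Offline bundle presence: one entry per smart card login (IDPUser.bundleidentifier).
#    Only names, sizes and timestamps are recorded; the bundle holds exported key
#    material and must never be copied into a diagnostics package.
if (Test-Path $bundleDir) {
    Get-ChildItem -Path $bundleDir -Recurse -Force |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize | Out-String -Width 200 |
        Out-File (Join-Path $outDir 'OfflineBundles.txt')
} else {
    "Bundle directory not found: $bundleDir (no offline bundle downloaded yet?)" |
        Out-File (Join-Path $outDir 'OfflineBundles.txt')
}

# 3. SAC / Minidriver logs: eToken.log may be a file or a folder of Month_Date logs,
#    so -Recurse copies either form. Missing logs mean logging is not enabled yet.
if (Test-Path $logPath) {
    Copy-Item -Path $logPath -Destination $outDir -Recurse
} else {
    "No eToken.log at $logPath. Enable Logging in SAC Tools, restart IDPV and SAC clients, retry." |
        Out-File (Join-Path $outDir 'NoLogs.txt')
}

# 4. Zip for hand-off; the zip's Date Modified tells the admin when it was collected.
$zip = "$outDir.zip"
Compress-Archive -Path (Join-Path $outDir '*') -DestinationPath $zip -Force
Write-Output "Diagnostics written to $zip"
```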