Import YubiKey tokens
To import YubiKey tokens, use the YubiKey Personalization Tool, which is available from Yubico.
The YubiKey Personalization Tool is a Yubico product and is not developed by Thales Group. All questions or feedback regarding the tool and its documentation should be addressed with Yubico.
Import YubiKey tokens into STA, so that they become available to assign to users.
To import YubiKey tokens, perform these two steps:
- In the YubiKey Personalization Tool, create a token seed file.
- On the STA Token Management console, import that token seed file.
Create a YubiKey token seed file
Use the YubiKey Personalization Tool to create a token seed file for YubiKeys that are programmed in Open Authentication Initiative HMAC-based One-Time Password (OATH-HOTP) mode. OATH-HOTP is a standard algorithm for calculating one-time passwords based on a secret (a seed value) and a counter. The token seed file includes the core token data, such as the OATH seed value and the programmed counter value.
In the YubiKey Personalization Tool, the logging settings define the output format of the token seed file. To output a file that is suitable for importing into STA, the log configuration output should be in PSKC format.
After you create the token seed file, you import it on the STA Token Management console, so that the tokens become available to assign to users.
Refer to the Yubico documentation for information about all of the available settings.
Configure the YubiKey settings
- In the YubiKey Personalization Tool, select Settings.
- To ensure compatibility with all applications, in the Output Format settings, verify that the Tab or Enter keystrokes are NOT selected.
  When a Tab or Enter keystroke is selected, the button has a blue background.
  The output format specifies how the OTP is sent from the YubiKey. Tab keystrokes move the cursor to the next input field, and the Enter key sends the OTP code + Enter.
- In the Logging Settings, select the Log configuration output check box, and select PSKC format in the list.
  The logging settings allow you to record the OATH-HOTP parameters that are used for programming the YubiKey in a token seed file, and to specify the format of the data in the token seed file. The log output is a token seed .csv file that is suitable for importing into STA.
Program the YubiKey in OATH-HOTP mode
There are two options for configuring the YubiKey in OATH-HOTP mode:
- Quick: Program the YubiKey in OATH-HOTP mode using default parameters.
- Advanced: Program the YubiKey in OATH-HOTP mode using your own parameters.
Quick OATH-HOTP mode
- In the YubiKey Personalization Tool, select OATH-HOTP or OATH-HOTP Mode.
- Select Quick, and insert a YubiKey into a USB port on your computer.
- Select the Configuration Slot. Typically, Configuration Slot 1 is used.
  The availability of slots depends on the token type. Consult your YubiKey token guide for the correct slot.
- Clear the OATH Token Identifier check box, so that the YubiKey doesn't output the OATH Token Identifier.
- Select Write Configuration, to write to the token and create the token seed file that you can import in STA.
  The .csv file that is generated by default is actually a PSKC file that you subsequently import into STA.
- Open the .csv file and ensure that there is a closing </KeyContainer> tag at the end. Add the closing tag if it is missing.
  For example:
Advanced OATH-HOTP
- In the YubiKey Personalization Tool, select OATH-HOTP or OATH-HOTP Mode.
- Select Advanced, and insert a YubiKey into a USB port on your computer.
- Select the Configuration Slot. Typically, Configuration Slot 1 is used.
  The availability of slots depends on the token type. Consult your YubiKey token guide for the correct slot.
- In the OATH-HOTP Parameters section, clear the OATH Token Identifier check box, so that the YubiKey doesn't output the OATH Token Identifier.
- For the Secret Key, select Generate.
- Modify the other settings as required.
- Select Write Configuration, to write to the token and create the token seed file that you can import in STA.
  The .csv file that is generated by default is actually a PSKC file that you subsequently import into STA.
- Open the .csv file and ensure that there is a closing </KeyContainer> tag at the end. Add the closing tag if it is missing.
  For example:
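The following Python script is an added example, not code from the Thales or Yubico documentation. It repairs a seed file whose closing </KeyContainer> tag is missing (the check in the last step of both the Quick and Advanced procedures), reads the OATH seed and programmed counter out of the PSKC data, and computes the RFC 4226 HOTP value the YubiKey should emit next, so you can confirm that the file matches the programmed token before importing it into STA. The sample PSKC content, the key Id and the function names are constructed here in the RFC 6030 layout; the Personalization Tool's real export may contain additional elements.

```python
import base64, hashlib, hmac, struct
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"

# Constructed sample in the RFC 6030 PSKC layout, deliberately missing the
# closing </KeyContainer> tag that the procedure above tells you to check for.
# Secret: the RFC 4226 test key "12345678901234567890", base64-encoded.
SAMPLE_PSKC = (
    f'<KeyContainer Version="1.0" xmlns="{PSKC_NS}">\n'
    ' <KeyPackage>\n'
    '  <Key Id="CONSTRUCTED-0001" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">\n'
    '   <Data>\n'
    '    <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>\n'
    '    <Counter><PlainValue>0</PlainValue></Counter>\n'
    '   </Data>\n'
    '  </Key>\n'
    ' </KeyPackage>\n'
)

def repair_key_container(text: str) -> str:
    """Append the closing </KeyContainer> tag if the export was cut short."""
    if "</KeyContainer>" not in text:
        text = text.rstrip() + "\n</KeyContainer>\n"
    return text

def parse_hotp_keys(text: str) -> list:
    """Return id, seed bytes and programmed counter for each key in the file."""
    root = ET.fromstring(repair_key_container(text))
    ns = {"p": PSKC_NS}
    keys = []
    for key in root.findall(".//p:Key", ns):
        secret_b64 = key.findtext("p:Data/p:Secret/p:PlainValue", namespaces=ns)
        counter = key.findtext("p:Data/p:Counter/p:PlainValue", "0", ns)
        keys.append({"id": key.get("Id"),
                     "secret": base64.b64decode(secret_b64),
                     "counter": int(counter)})
    return keys

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    for k in parse_hotp_keys(SAMPLE_PSKC):
        print(k["id"], "next OTP:", hotp(k["secret"], k["counter"]))
```

With the OATH Token Identifier cleared as the procedure requires, the six digits the key types should equal the computed value for its current counter; each touch advances the counter by one.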
Import the YubiKey token seed file and test a token
Import the YubiKey PSKC-formatted token seed file that you created in the YubiKey Personalization Tool, so that the YubiKey tokens become available to assign to users.
- On the STA Token Management console, select the Tokens tab and expand the Import SafeNet Tokens module.
- In the Import File field, browse to the YubiKey token seed file (.csv file), and then select Import.
- To view the list of imported tokens, select the Tokens tab and expand the Tokens module.
- Select eToken in the Token Type list, and select Search.
- In the Token List, select a token Serial # to view the details.
- Test a YubiKey token:
  - Go to the User Portal or the Self-Service site.
    - To find the User Portal URL, on the STA Access Management console, select Applications > User Portal.
    - To find the Self-Service site URL, on the STA Token Management console, select Self-Service > Configuring Self-Service > Self-Service Policy.
  - Log in with the User ID and the YubiKey that you assigned.
    - To use slot 1 to enter an OTP, place the cursor in the OTP field and touch the capacitive touch sensor on the token.
    - To use slot 2 to enter an OTP, place the cursor in the OTP field and touch the capacitive touch sensor on the token for at least 3 seconds.
  - After you verify that the YubiKey token works, revoke the token from the test user.