Installation Manual | IM-20230628-AVW-02 iProtect Access / Security | Functionalities | iProtect™ - SimonsVoss VCN |
1. iProtect Aurora and SimonsVoss VCN
iProtect Aurora can control SimonsVoss data on card (VCN), by means of using a data on card solution. The VCN system is a data on card system in which the access profiles are distributed via the access cards instead of online card readers. We also refer to this system as “native” or “offline” because the access rights are defined in the iProtect database itself and are distributed to the access card using a iProtect controlled enroll or update reader.
1.1 System architecture
iProtect: The security management system from TKH security.
Pluto/Orion: The network and door controller from TKH security.
RS485 reader: The online update reader to manage the cards from TKH security.
Card: The access control card of the end user.
Smartintego VCN: The Simons Voss integration tool for programming the locks.
Offline cylinder: The offline access control lock/cylinder.
1.2 System requirements
At least the specified firmware versions are needed to let the system work properly.
Hardware | Description | Extra information | Versions |
iProtect | SMS | - | From: 9.03.02 Recommended from: 10.01.xx |
Pluto | Reader manager | - | From 5.00.41 Recommended from: 5.03.23 |
Hardware control applet | only needed when using iProtect version 9.10.xx and lower | From: 3.00 | |
Orion | Door controller | Bootloader | From: 2.3.0.15 Recommended from: 2.4.2.17 |
Firmware | From: 1.4.40 Recommended from: 1.5.18.86 | ||
Sirius | I Serie | - | From firmware: 1.5.32 |
Sirius | IX serie |
| From firmware: 2.0.5.a.1 |
SimonsVoss | SmartIntego VCN
| Use with iProtect version 09.03.02 and higher | 2.1.6411.25403 |
Use with Smartintego VCN version: 2.1.6411.25403 | Access DB Engine Runtime 2007 | ||
SmartIntego VCN
| Use with iProtect version 10.01.xx and higher | From 3.0.7600.18050 | |
SimonsVoss lock firmware | SV SI2 Cylinder | 5.4.16 | |
SV SI2 handle | 5.6.09 | ||
SV AX handle and Cylinder | 1.1.519 | ||
Card | Mifare DESFire | - | ev1 and ev2 |
2 Installing the SimonsVoss software
Be sure before starting to integrate the solution, that the following software is installed as described in the SimonsVoss manual.
SimonsVoss Smartintego VCN
SimonsVoss SMART.CD
A new project file should be created in the SimonsVoss Smartintego VCN software, it is also possible to start a new project by opening a template file (see 2.2). The SimonsVoss Smartintego VCN software is necessary to configure all the locks.
Please contact your consultant or the TKH service and support department for the “TKH_security_defaultSVVCN_cardconfig_DES.ikt” template file or the KEY information.
2.1 Password handling
Project password: The smartintego tool stores the locking system configuration in a project .ikp file. The project password protects the file access. This password is changeable in the tool itself.
Lockingsystem password: The configuration of the locks will be secured with the locking system password. The password will be written into every lock and is not changeable afterwards. With this password it is possible for example to do emergency opening or resets the locks. Keep this password protected!
2.2 Mifare DESFire ev1/ev2 card configuration
From Smartintego VCN version 3.0 the project must be started by opening the “TKH_security_defaultSVVCN_cardconfig_DES.ikt” template file. This template file has the card coding settings so there is no need to create a card configuration in Smartintego VCN. The password is 12345678.
When using Smartintego VCN version 2.1.6411.25403 the standard TKH reader settings which must be set into the SimonsVoss Smartintego VCN software is as described below.
Column name: | TKH setting: |
ID | set as default |
Name | set as default |
AppId: | 16064888 (TKH security default) |
FileNo1: | 0 |
FileNo2: | 1 |
FileNo3 | 2 |
FileSize1 | 0016 |
FileSize2 | 1024 |
FileSize3 | 256 |
FileType1 | standard |
FileType2 | standard |
FileType3 | backup |
Please contact your consultant or the TKH service and support department for the “TKH_security_defaultSVVCN_cardconfig_DES.ikt” template file or the KEY information.
3 Configuring iProtect for update/enrolment
iProtect needs to be configured before a card reader can be used as enrolment or update reader.
An enrolment reader is used to create the SimonsVoss application on the card.
An update reader is used for updating the access rights and collect transactions.
The difference is made in the interpretation. In total there are three different interpretation needed in a system:
DESFire default interpretation (for regular readers)
Enrolment interpretation (for enrolment readers)
Update interpretation (for update readers, and VCN locks)
From iProtect 10.04, the Update card data interpretation must be used instead of the Enrollment interpretation at the Enrollment readers.
3.1 Configuring the card presentation
Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation
Right-click in the browse window and press on “Wizard card number presentation”
Enter the following data:
Name: Specify a logical name
Default card data interpretation: “SV VCN TKH Desfire compatible”
Press on “ok”
Click on the created interpretation and go to “system code”.
Enter the following data:
Start: 5
Length: 6
Code: the DESFire system code
Click on the created interpretation and go to “facility”.
Enter the following data:
Start: 21
Length: 4
Code: The from TKH security received code
Click on the created interpretation and go to “interpretation selection”.
Enter the following data:
Start: 25
Length: 2
Code: 2
Click on the created interpretation and go to “offline validity”.
Enter the following data:
Validity period: enter the desired validity, advised is 24:00 (max 8766:00)
Update period before expiring: enter the desired time before expiry when a new update can be done.
Save the data
From iProtect version 10.00.xx also a provisioner group must be chosen:
When using iProtect 10.00.xx and lower select: Pluto Simon Voss update (system default)
When using iProtect 10.01.xx with Smartintego VCN version 2.1 or version 3.0 with the SmartIntego II card configuration select: Pluto SV VCN SI2 update (system default)
When using iProtect 10.01.xx with Smartintego VCN version 3.0 and the SmartIntego AX card configuration select: Pluto SV VCN AX update (system default)
The default added interpretation will be used for update readers
When the validity period time is higher than 480:00, offline transactions uploaded by access card will have a wrong timestamp
When using older iProtect versions the card data interpretation is called SV VCN KP Desfire compatible
3.1.1 Card interpretation for enrolment
Click in iProtect™ Aurora on the menu item Access | settings | card coding | card data interpretation
Right-click in the browse window on the presentation made in 3.1 and press on “Add card data interpretation”
select as “default card data interpretation” “TKH Desfire”
Enter the following data:
Name: Specify a logical name
Format Data length: 14
Click on the created interpretation and go to “interpretation selection”.
Enter the following data:
Reader start: 13
Reader length: 2
Reader code: 2
Click on the created interpretation and go to “offline validity”.
Enter the following data:
Validity period: enter the desired validity (max 8766 hours)
Update period before expiring: enter the desired time before expiry when a new update can be done.
Save the data
From iProtect version 10.00.xx also a provisioner group must be chosen:
When using iProtect 10.00.xx and lower select: Pluto Simon Voss enroll (system default)
When using iProtect 10.01.xx with Smartintego VCN version 2.1 or version 3.0 with the SmartIntego II card configuration select: Pluto SV VCN SI2 enroll (system default)
When using iProtect 10.01.xx with Smartintego VCN version 3.0 and the SmartIntego AX card configuration select: Pluto SV VCN AX enroll (system default)
When using older iProtect versions the card data interpretation is called KP Desfire
3.1.2 Card interpretation for TKH DESFire
Click in iProtect™ Aurora on the menu item Access | settings | card coding | card data interpretation
Right-click in the browse window on the presentation made in 3.1 and press on “Add card data interpretation”
Select as “default card data interpretation” “TKH Desfire”
Enter the following data:
Name: Specify a logical name
Format Data length: 12
Click on the created interpretation and go to “system code”.
Enter the following data:
Start: 1
Code: “the DESFire system code”
Save the data
From iProtect version 10.00.xx also a provisioner group must be chosen, select: Pluto Sirius MifareSec 8 digits and Desfire 12 Digits (system default)
When using older iProtect versions the card data interpretation is called KP Desfire
3.2 Configuring the Pluto
Make sure all connections are in accordance with the technical drawing and connect the Pluto to the network.
Open the Explorer and browse to the following address: https://192.168.1.195. The login screen appears.
Enter “controller” as username. The default password is “Pluto”.
On the maintenance page select “Network settings” and enter the desired information like IP address and IP address gateway.
Select “Hardware” and activate “Diagnostics”. Diagnostics enables automatic detection of devices connected to the Pluto and testing of it. Deactivate diagnostics after successful test.
Select “Tools” and verify the connection with iProtect™ by entering the IP address of the iProtect™ server together with port number 20100 at Netcat and press the “Test” button.
3.3 Configuring the line
Click in iProtect™ Aurora on the menu item Installation | Hardware | Line.
Right-click in the browse window and select “Add line‟. The detail window opens.
Enter the following data:
Name: “specify a logical name”
Type: “network device”
Provisioner group: “Pluto”
Active: (check)
Active with node: (check)
Function of the line “Keyprocessor”
IP address: “enter the IP address of the Pluto”
Click on the “Save” button.
Press the button “Send new Keystore”.
When having the connection between iProtect™ and the Pluto in place, automatically the latest software update will be installed on the Pluto. This may take a few minutes. When finished, the “Current status” will be “Idle”.
After the Pluto has communicated with iProtect™, the standard password will be changed. The new password will be displayed in the “Line details” screen.
Click on the “read in” button. The Pluto will automatically detect and configure connected nodes.
Activate connected reader by presenting twice an access card. The reader LED should be blinking.
3.3.1 Configuring the enrollment reader
Click in iProtect™ Aurora on the menu item Installation | Hardware | Reader.
Click on the “Search” button and select the Reader that is planned for card enrolment.
Enter the following data:
Name: Specify a logical name
Card data interpretation: Enter the enrolment card data interpretation which is made in chapter 3.1.1
From iProtect 10.04, the Update card data interpretation must be used instead of the Enrollment interpretation at the Enrollment readers.
Save the data.
Before a card can be enrolled, an offline access profile bust be created. For more information of the availability see chapter 6.2.3.
3.3.2 Configuring the update reader
Click in iProtect™ Aurora on the menu item Installation | Hardware | Reader.
Click on the “Search” button and select the Reader that is planned for card update.
Enter the following data:
Name: Specify a logical name
Card data interpretation: Enter the Update card data interpretation which is made in chapter 3.1
Save the data.
4 Configuring iProtect for SimonsVoss
4.1 Configuration SimonsVoss line
Open menu Installation | Hardware | Line
Right-click to “add a new line”
Enter the following data:
Name: specify a logical name
Type: “Server”
Active: (check)
active with nodes: (check)
Modus: “Virtual line”
Save the data.
4.1.1 Configuring SimonsVoss node
Click in iProtect Aurora on the Virtual line which is created in 4.1
Right-click in the browse window and select “Add node‟. The detail window opens.
Enter the following data:
Name: Specify a logical name
Active: (check)
Node type: “SimonsVoss VCN”
Save the data.
4.1.2 Configuring offline reader
Click in iProtect Aurora on the menu item Installation | Hardware | Reader.
Right-click in the browse window and select “Add Reader‟. The detail window opens.
Enter the following data:
Name: Specify a logical name
Card data interpretation: the card data interpretation made at chapter 3.1
(Time Anti): The area where the reader belongs to
Modus: standard
Buzzer enabled: (check)
Save the data.
When the card data interpretation needs to be changed after programming the locks. This must be done using the wizard (right klick the Simons Voss VCN node)
4.1.3 Configuring offline reader groups
Click in iProtect Aurora on the menu item Access | Settings | Reader group.
Right-click in the browse window and select “Add Reader group‟. The detail window opens.
Enter the following data:
Name: Specify a logical name
Group type: Offline reader
Node: “The name of the SimonsVoss VCN node created at chapter 4.1.1
Save the data.
Add the desired VCN locks to the reader list. If needed more reader groups can be created in the same way. Use a “admittance” to create a complete access profile.
When offline reader groups are changed the involved VCN locks need to be reprogrammed.
5 Exchanging the configurations
To configure the locks with the in iProtect configured settings, an export is needed once.
5.1 iProtect to VCN
Click in iProtect Aurora on the menu item Installation | Hardware | Node.
Select at “Export” all if the whole configuration needs to be exported, or Non synchronized if only the changed readers need to be exported.
Click on “Export” and save the .XML file.
Go to the SimonsVoss VCN tool and open the project made at chapter 2.
Go to File | import | VCN configuration and select the saved .XML file.
Execute the tasks and save the project.
5.2 VCN to iProtect
If all desired tasks are executed, the configuration can be exported.
Click on VCN configuration at the SimonsVoss VCN tool at file | export
Save the .XML file
Click in iProtect Aurora on the menu item Installation | Hardware | Node
Click on “upload” and select the saved .XML file
Click on “Import”
All readers are now synchronized with the latest available information.
The export ID between the iProtect to VCN and VCN to iProtect .XML files should always be the same.
6 Supported features
This chapter will describe the supported functionalities and features.
6.1 Offline door features
The following features and settings can be used on the offline doors.
6.1.1 Name
Logical name of the card reader.
Type: Text
Default: empty
The name is mandatory.
Max value: 32 characters
6.1.2 Transaction storage enabled
Setting if the offline events must be stored in the reader or not.
Type: Checkbox
If selected.
Offline transactions will be stored in the lock as long as possible based on first in first out.
If not selected
Offline transactions will be not stored in the lock.
6.1.3 Status
Fields with information gained from the offline lock:
Type: information.
Offline synchronization status:
Reader is not synchronized
Reader is programmed (ok)
Reader is in error
Reader is deactivated
Retrieving access list from reader
Emergency open
Version:
Lock: firmware in the lock, presented as X.X.XX
Reader: firmware in the reader, presented as X.XX.XX
6.1.4 Unlock time
Default door open time used when a valid card is presented.
Type: Time setting
Step size: 1 second.
Max value: 25
Default value: 3
6.1.5 Alternate door unlock time
Depending on card settings an alternate door <unlock time> can be used.
Commonly used for logistic employees, persons with disabilities or other persons who needs more time to pass a door.
Type: Time setting
Step size: 1 second.
Max value: 25
Default value: 5
6.1.6 Offline reader modus
Setting which determine if a lock can be set in office mode or not.
Type: Selection box
Standard:
Reader cannot be set in office mode.
Office:
Reader can be set in office mode.
From iProtect version 10.01 office mode will only be activated if at the timezone settings the checkbox “office mode Offline locks” Is activated. This timezone will then also determine the automatic end of the office mode.
6.1.7 Buzzer enabled
Setting if the buzzer is enabled or not.
Type: checkbox
If selected
Reader buzzer is enabled
If not selected
Reader buzzer is disabled
6.1.8 Create lock tasks
It is possible to create lock specific tasks by pressing on the task buttons.
Replace:
This function will copy/past all the settings into a new lock. This can be used for replacing a new lock for a (broken) lock.
Read access list:
This function makes it possible to collect the access transactions from the specific lock. The lock transactions uploaded to iProtect by the XML file will be stored as “offline reader information” transactions.
Emergency open:
This function makes it possible to open the door from iProtect with the Smart.CD.
Tasks can be executed from the SimonsVoss VCN software by importing the XML file, use the steps described in chapters 5.1 and 5.2.
6.2 Card features
This chapter describes the features which concerns the offline locks.
6.2.1 Transaction and event storage
The following transactions and events will be stored on the card:
Amount | Type | Description |
10 | Access transaction | Regular access transaction |
2 | Access denied transaction | Regular access denied transaction with reason why the access is denied. |
10 | Prio events | Event for lock information and battery statuses. |
10 | Status events | Event with status information for e.g. hotlist and other operations |
Transactions are stored on the card with an offset timestamp from the expiration date, this offset has a maximum of 21 days. So, when the validity period is set to long the offline transactions will have an incorrect timestamp. We advise a maximum validity period of 24:00.
6.2.2 Expiration date
Shows the offline expiration date.
Type: information
The offline validity can be set in the card data interpretation of the enrolment/update reader see chapter 3.1.1 and 3.1.2.
6.2.3 Status
Shows the status of the offline access profile.
Normal:
card does not need an update
Update available:
offline access profile is available and the card can be update
6.2.4 Alternate door unlatch time
This function determines if the normal, or alternate door unlock time will be used.
Type: checkbox
If selected
Alternate unlock time will be used
If not selected
Normal unlock time will be used
6.2.5 Activate office mode
This function determines if the card may use the office mode functionality or not
Type: checkbox
If selected
Office mode can be used
If not selected
Office mode cannot be used
From iProtect version 10.01 office mode will only be activated if at the timezone settings the checkbox “Offline lock office mode” Is activated. This timezone will then also determine the automatic end of the office mode.
6.2.6 blocklist
This function will block the affected card and this information will be spread to all locks with the cards which are in use for the offline locks.
Type: checkbox
If selected.
Card is block-listed.
If not selected
Card is not block-listed or removed from blocklist.
Things to know about blocklist:
This function is specifically designed for stolen and lost cards.
A block listed card is deactivated for use on offline locks when presented at the first offline lock that “knows” the card is block listed.
When a block listed card is removed from the blocklist it needs an update before it can work again
If a card is removed from the blocklist it cannot remove itself from the blocklist of a lock (that will only deactivate the card again for use on offline locks) only another card can remove a block listed card.
A maximum of 10 block listed cards can be programmed on an access card.
A maximum of 500 block listed cards can be programmed on an offline lock.
To prevent that the maximum amount is reached on a card or on a lock a block listed card will have an end of blocklist time. That is the Expiration date of the card plus a week.
6.2.7 Technical monitoring
To monitor the technical status of a lock, an analogue input is automatically created for the lock battery status. The battery status is updated to the iProtect system by the access cards using the update reader(s)
Battery status:
Input name | Available levels |
Battery status | OK |
Replace battery (30 days left) | |
Alarm (20 days left) | |
No status available |
6.3 Online reader features
This chapter describes the features of the online enrollment and update reader.
6.3.1 Enrolment reader
The enrolment reader is able to create the SimonsVoss VCN application at the Mifare DESFire card. After creating the application, the application will be updated with the offline access rights.
The enrolment process contains the following steps:
Present card
Reader LED changes from RED to BLUE
Create SV VCN application at the card
Update SV VCN application at the card
Enrollment finished. LED changes from BLUE to GREEN
Error feedback from the reader:
Feedback | Meaning |
LED blinks GREEN/RED | Card has no valid access profile on the enrollment reader |
Beeps twice | Error beep. Card update fails |
Please notice that during an error, a transaction is created in iProtect. This transaction contains more detailed information.
Enrolling a card with a Smartintego 2 config programmed, with an enroll reader set to AX will damage the card. For migration use a migration update reader.
When no programming action is required for the card the led of the enrolment reader will not turn blue, it will show the green led.
6.3.2 Update reader
The update reader is able to update the access rights, validity or retrieving transactions.
Present card
Reader LED changes from RED to BLUE
Update SV VCN application at the card and retrieve transactions
Update finished. LED changes from BLUE to GREEN
Error feedback from the reader:
Feedback | Meaning |
LED blinks GREEN/RED | Card has no valid access profile on the update reader |
Beeps twice | Error beep. Card update fails |
Please notice that during an error, a transaction is created in iProtect. This transaction contains more detailed information.
7 Update iProtect and Smartintego
7.1 Update iProtect
In basis a iProtect update can be performed using the iProtect update manual, In most cases no extra preparation and steps are needed. However when updating from a iProtect version prior to 10.01.xx to iProtect version 10.01.xx or higher extra care is needed.
Because of an improved time handling system, it is necessary to reprogram the locks. When this action is not performed there will be time difference in access to a lock and transactions of a lock.
It is understandable that more time is needed to reprogram all the locks, and no problem with access is desired In that case it is possible to grant cards 24/7 access to the lock(s). Access will than work, offline transactions will than not have the correct time stamp. Before this action is performed we advise to discuss this with the person responsible for security.
7.2 Update Smartintego VCN version, 2.6 to 3.0
From iProtect version 10.01.xx Smartintego version 3.0 can be used. Smartintego 3.0 uses however another key set to communicate with the card, AX locks will only work with this key set. For this reason, a migration is needed when Smartintego is updated from version 2.6. to 3.0. This chapter describes the migration steps.
7.2.1 Migrate the existing cards to the new AX config.
To achieve this a “update migration” reader script is needed to migrate the existing (Smartintego II) config to the new (Smartintego AX) config. This script is by default added as a reader provisioner group in iProtect version from 10.01.xx and can be selected at an individual card reader or at the card data interpretation. The new AX card configuration is compatible with the old configuration, so migrated cards will still work on locks that are not migrated.
Select at the update reader (for individual) or at the update reader card data interpretation (for all) the “Pluto SV VCN AX migration update (system default)” provisioner group. This will activate the migration for cards on the update reader(s)
Select at the enroll reader (for individual) or at the enroll reader card data interpretation (for all) the "Pluto SV VCN AX enroll (system default)" provisioner group. This will activate the AX enroll reader script to enroll new cards with the new AX config.
Before changing all update readers to “Pluto SV VCN AX migration update (system default)” first test on a single reader/ lock the migration process.
When a card is already migrated the “Pluto SV VCN AX migration update (system default)” will do a normal card update.
Enrolling a card with a Smartintego II config programmed, with an enroll reader set to AX will damage the card. For migration use a migration update reader.
7.2.2 Migrate Smartintego VCN and the locks
When all accesscards are migrated (chapter 7.1) the VCN software can be updated.
Update or new install Smartintego VCN version 3.0 and open the existing project (.ikp) file.
The software will detect that it is a “old” project and will automatically open it with the “old” Smartintego II card configuration. The system can still be used with the Smartintego II card configuration, AX locks will however not work.
Make a backup of the project to ensure a roll-back possibility.
In the Smartintego VCN software at card configuration press the “Migration to AX” button and read/ confirm the questions that follow.
Setup the Smartintego AX card setup, change the next settings:
Application ID: 16064888 (TKH security default)
Lock Gateway Key: The read /write key, please contact your consultant or the TKH service and support department for the key information.
Lock Gateway Key No: 3
Save the project
From this moment the Smartintego II card configuration cannot be used anymore, every lock that is (re)programmed will receive the new AX key set. Because the accesskey is compatible with Smartintego II and Smartintego AX the system will still work normally. It is however advised to migrate all locks to AX, this can be done by reprogramming the locks.