This manual represents the knowledge at the above-mentioned time. TKH security works non-stop to improve her products. For the most recent technical information please contact your consultant or dealer.
1 Introduction
This document describes the Charon module in iProtect. It explains its purpose and how it should be configured.
The Charon is a module that can be added to Pluto. The Charon can contain up to 4 SAM (Secure Access Module) cards.
Integrating a SAM into the system makes the system more secure. The SAM handles all key management and cryptography in a secure way.
The Charon is connected via USB with a cable that is supplied with the Charon to a USB port on the Pluto. So it does not take a position of an Orion and therefore still 4 Orions can be used.
The Charon is placed immediately to the right of Pluto
2 Installing the Charon
2.1 License and versions
There is no license involved for the use of the Charon
Charon support:
iProtect version: 10.00 or higher
Reader manager: 5.03.13. or higher
Reader type and reader firmware:
TKH security I30, I80 and I80p with firmware: 1.6.24.1.1
TKH security IX30 with firmware version: 2.0.5.a.1 and higher
2.2 SAM cards
Inside the Charon there are 4 card slots where the SAM card (NXP Mifare SAM AV2) can be placed. It is recommended that you select, place and configure the SAM cards with your project manager.
2.3 Mounting the Charon
The Charon is connected via USB with a cable that is supplied with the Charon to a USB port on the Pluto. So it does not take a position of an Orion and therefore still 4 Orions can be used.
The Charon is placed immediately to the right of Pluto.
3 Programming
3.1 SAM cards in iProtect
In the iProtect application there is nothing to set up, the Charon with its SAMs will be automatically detected and reported to the iProtect database.
SAM cards will be visible under the reader manager and the detail screen shows basic information about the SAM.
Device: The device name (at the Linux level of the Pluto) of this SAM card
Node: The node name this SAM/Charon is connected to.
moduleId: The ID of this SAM card on the node. This ID must be used by the reader toselect this SAM card for the decoding of the card.
Serial number: The unique serial number of this SAM card
Batch number: Production batch number of this SAM card
Production date: The production date of this SAM card
Last update time: The time stamp of the last change on this SAM card (keys stored / changed etc.)
Connected: Shown whether the AM card is online.
3.2 SAM applications
The applications that are present on the SAM cards are listed in:
Menu: Installation | Hardware | Security access module
3.3 SAM events
The following events are shown in the event overview when a Charon is connected to the Pluto and the SAM cards are detected when the nodemanager starts.
• sam event => sam action: sam connected, Node: 001.00, Reader manager,
127.0.0.1, Serial Number: 04333312E85180, Serial port name: /dev/ttyUSB0,
Production date: 05/01/2017
• sam event => sam action: sam found key entry, Node: 001.00, Reader manager,
127.0.0.1, Serial Number: 04333312E85180, Sam key type: PICC(active), df aid: 92f7,
Ver A: 0, Ver B: 0, Ver C: 0, df key number: 1, KeyNoCEK: 5, KeyVCEK: 0, RefNoKUC:
ff, SET: 824, extSET: 1
For every SAM card that is detected by the node manager a SAM Connected event is generated, giving the SAM serial number, port name and production date. The port name indicates in which slot of the Charon the SAM card is found.
For every valid Mifare DESFire key entry that is found on the SAM card the key type and AID of the file are given, along with a number of other key properties. This can be used to verify if it is a Rijkspas SAM or not.
When a Charon is disconnected from the Pluto, a SAM disconnected event is generated:
• sam event => sam action: sam disconnected, Node: 003.00, Reader manager,
127.0.0.1, Serial Number: 042D300AAB3680
4 Reader configuration
To instruct the Readermanager that it should use the keys that are stored in the SAM card, a special reader script must be provisioned to the reader.
4.1 Reader script
The script below tells the Readermanager that this reader should use the SAM card with moduleId 0.
In the above script the command LoadKeystoreKey tells the readermanager to authenticate itself to the SAM with the key “MK” from the keystore (that has been provisioned before to the readermanager).
The following part selectAppl aid=”F79200” checks if the card that is offered to the reader is a configuration card. If that is not the case the samRijkspasScriptwill be executed using the SAM with id=0.
If there are 4 SAM cards present in a Charon then there will be 4 different reader scripts with samId=0,1,2 and 3. By provisioning these scripts to the readers on the line you can determine which reader uses which SAM, and in this way spread the load. These scripts are called use_SamX.xml with X=0,1,2,3.
For the Reader Manager version 5.03.41 or later, a new command setLed
is available and recommended to be used in the reader script. See the note in the next section below.
4.2 Reader keys
Loading the correct keystore in the SAM and instructing the SAM which generation keys to use is a process that requires a number of steps.
Initially the SAM will contain only one application (with AID 92f7 and TKH Security specific keys).
By provisioning a keystore file that contains the TKH Specific keys (RM-SAM.ktl) to the Readermanager node, the Readermanager has the correct keys to communicate with the SAM. Once this has successfully been provisioned to the Readermanager this provisioning element can be removed from the node.
Now the SAM will accept project specific configuration cards. With these cards the keysets can be configured that are used to read the access cards.
First of all a configuration card must be presented that changes the TKH Security specific keys to Customer/Rijkspas specific keys.
Now the first customer configuration card (G0 G0) can be offered to the reader. The customer specific applications are loaded in the SAM. If you have 4 SAMs in the Charon module connected to a Pluto you will have to present the G0->G0 card to 4 readers to configure all SAMs.
If, in the future it is necessary to start using the next generation keyset on the SAM card, you can offer the G0->G1 configuration card to the corresponding reader.
iProtect will generate an event in case the configuration card changes the keyset.
For the Reader Manager version 5.03.41 or later, and in conjunction with the setLed
command, a visual feedback will be shown when applying a configuration card. During the time the SAM is being programmed, the reader LED will turn blue.
The configuration card should be then applied into the reader as long as this LED keeps being blue, until the usual beep is heard and the reader LED returns to its original color (red in most cases).
If in this situation the card is retired but the LED in the reader keeps blue, a new application of the configuration card is required in order to program the SAM with the new keys.
5 Reader configuration preparation step-by-step
5.1 Set-up Media elements (duality)
Add the needed “elements” to the iProtect database as “media element”
Required;
Reader manager: ≥ 05.03.13
Reader keystore: project specific keystore (example: project-x.ktl)
Reader script per SAM (4x) (example: combi-sam0_v3.xml, combi-sam1_v3.xml,
…)Combi script for duality
Rijkspas only script to disable duality
Reader manager keystore SAM (example: reader-manager_SAM.ktl)
Go to;
General | Settings | Media element
Add “Media element”
Type “Provisioner”
Add specific name (copy name details of the element)
Example;
5.2 Set-up Provisioning elements (duality)
Add the needed “Media elements” to the iProtect database as “Provisioning element”
Required;
Reader manager: ≥ 05.03.13
Reader keystore: project specific keystore (example: project-x.ktl)
Reader script per SAM (4x) (example: combi-sam0_v3.xml, combi-sam1_v3.xml,…)
Reader manager keystore SAM (example: reader-manager_SAM.ktl)
Go to;
Installation | Settings | Provisioner | Provisioner element
Add “Provisioner element”
Reader manager
Type “Reader manager”
Active: Yes
Add specific name (copy name details of the Media element)
Reader keystore
Type “Reader keystore”
Active: Yes
Add specific name (copy name details of the Media element)
Reader script (per SAM, so 4x)
Type “Sirius all”
Active: Yes
Add specific name (copy name details of the Media element)
Reader manager keystore SAM
Type “_SAM update”
Active: Yes
Add specific name (copy name details of the Media element)
5.3 Set-up reader provisioner group (duality)
To create duality (KeyStore reader manager & SAM) a reader provisioner group has to be created.
Add the needed “Provisioning elements” to a iProtect “Provisioner group”
Provisioner group type: reader config
Provisioner group name: for example “project-x_and_Rijkspas_Orion_x-1”
Needed elements;
Reader KeyStore: provisioner file: “Reader KeyStore: project-x.ktl”)
Sirius all: Reader script duality (example: combi-sam0_v3.xml”)
Provisioner group type: reader config
Provisioner group name: for example “project-x_and_Rijkspas_Orion_x-2”
Needed elements;
Reader KeyStore: provisioner file: “Reader KeyStore: project-x.ktl”)
Sirius all: Reader script duality (example: combi-sam1_v3.xml”)
Provisioner group type: reader config
Provisioner group name: for example “project-x_and_Rijkspas_Orion_x-3”
Needed elements;
Reader KeyStore: provisioner file: “Reader KeyStore: project-x.ktl”)
Sirius all: Reader script duality (example: combi-sam2_v3.xml”)
Provisioner group type: reader config
Provisioner group name: for example “project-x_and_Rijkspas_Orion_x-4”
Needed elements;
Reader KeyStore: provisioner file: “Reader KeyStore: project-x.ktl”)
Sirius all: Reader script duality (example: combi-sam3_v3.xml”)
5.4 Set-up reader provisioner group (Rijkspas only)
To eliminate duality later on and create “Rijkspas only” (via SAM) a reader provisioner group has to be created.
Add the needed “Provisioning elements” to a iProtect “Provisioner group”
Provisioner group type: reader config
Provisioner group name: for example “Rijkspas-only_Orion_x-1”
Needed element;
Sirius all: Reader script duality (example: static-rijkspas-sam0.xml”)
Provisioner group type: reader config
Provisioner group name: for example “Rijkspas-only_Orion_x-2”
Needed element;
Sirius all: Reader script duality (example: static-rijkspas-sam1.xml”)
Provisioner group type: reader config
Provisioner group name: for example “Rijkspas-only_Orion_x-3”
Needed element;
Sirius all: Reader script duality (example: static-rijkspas-sam2.xml”)
Provisioner group type: reader config
Provisioner group name: for example “Rijkspas-only_Orion_x-4”
Needed element;
Sirius all: Reader script duality (example: static-rijkspas-sam3.xml”)
5.5 Set-up node provisioner group (RM-SAM) KeyStore
By provisioning a keystore file that contains the TKH Specific keys (RM-SAM.ktl) to the Readermanager node, the Readermanager has the correct keys to communicate with the SAM. Once this has successfully been provisioned to the Readermanager this provisioning element can be removed from the node.
Add the needed “Provisioning element” to a iProtect “Provisioner group”
Provisioner group type: node
Provisioner group name: for example “SAM_KS.ktl”
Needed element;
_SAM update: (example: reader-manager_SAM.ktl”)
6 Commissioning
6.1 Commissioning duality
First make sure that the Pluto, Orion and readers are operating correctly with iProtect
Make sure that the Mifare DESFire accesscard of the project is read correctly
Attach the reader config provisioner group “project-x_and_Rijkspas_Orion_x-1” to one or
both readers connected to Orion x-1.and for the reader(s) on Orion x-2 with provisioner group “projectx_
and_Rijkspas_Orion_x-2”and for the reader(s) on Orion x-3 with provisioner group “projectx_
and_Rijkspas_Orion_x-3”and for the reader(s) on Orion x-4 with provisioner group “projectx_
and_Rijkspas_Orion_x-4”Make sure that all the readers can still read the project Mifare DESFire accesscards
Connect Charon with Pluto by using the USB cable and USB ports on the both devices
Make sure that all the SAM’s are recognized and are visible in iProtect
o SAM’s are visible under the reader manager node of the Pluto lineProvision the reader manager node with the “RM-SAM.ktl” via the provisioner group
The reader manager will restart after provisioning (see overview “Last events”)
After successful provisioning the reader manager with the “SAM-KS.ktl” this provisioner group should be set “blanco” at the reader manager node.
Then reset the Pluto line
The Charon SAM’s are now ready to be configured with the Rijkspas key’s
Note: it is possible to analyse the configuration process via Putty (SSH). SSH has to be enabled in the Pluto serverbox and on the network.
6.2 Commissioning “Rijkspas only”
When duality is no longer needed and should be irreversible removed, the following steps should be followed.
Provision the reader(s) with the “Rijkspas-only” reader config files.
This way the reader project KeyStore and the duality script will be removed.
Now the reader configuration can only access the SAM with which the Rijkspas can be read.
After all the readers are set to “Rijkspas-only” and they are tested for correct operation. The project specific KeyStore (project-x.ktl) should be removed as provisoner element and media element on the iProtect server.