IPROTECT Access - DOMBox API-integration

Owned by MB
Last updated: Oct 30, 2024
20 min read

 

Installation Manual | IM-202401XX

iProtect Access / Security | Functionalities

 

Table of contents

1. Introduction

The use of cards or tags with Mifare® DESFire® technology in combination with battery-powered locks, such as door handles or door cylinders, is already widely used. TKH-Security has a close collaboration with DOM and together we have developed a solution to gain access to both wired and battery-powered locks with a Mobile device.

This manual describes only the use of a network-connected DOM controller (Bridge). When using an XML import/export, based on OSS version A1 or B1, please refer to another user manual.
Available in iProtect as of version 10.4.xx

For setting up the system for using access control, in combination with a desfire card and with mobile access, please refer to another user manual. This manual describes how to add DOM (OSS and Mobile Access) to a working system.

1.1 The Solution 

IPROTECT connects to the DOM controller(s) based on a REST API. The connection works in real time, so both systems are always fully synchronized and there is no need to use old-fashioned XML import and export files (although this option will of course still exist).

When using DOM ENIQ hardware, the system is already prepared as standard for the use of "data on card", but also for mobile access. Using a mobile key makes it very flexible and easy. This applies not only to the use, but also to the creation and assignment of rights to locks and persons.

1.2 Features and Benefits DOMBox API-integration

The iProtect - DOM REST API is a new way to connect that greatly improves the A1/B1 setup. It brings new features to help both users and administrators.

It's important to note that switching from A1/B1 to the API is not mandatory.

The A1/B1 setup will still work as it always has. However, the API setup provides many extra benefits and features that can make the overall experience better.

Below are the key benefits of the iProtect - DOM REST API:

  • Support for multiple DOM controllers: Users can manage several DOM controllers at the same time, making security management more flexible and scalable.

  • IPROTECT ACCESS (mobile access): Users can conveniently access the offline devices from their mobile phones, enabling them to utilize a single mobile identifier for both online and offline locks.

  • Compatibility with DOM RF Netmanager: The API works well with the DOM RF Netmanager, making it easy to update lock configurations and send door commands, which improves efficiency.

  • Real-time synchronization of OSS configuration data: Configuration data changes are instantly updated across all systems, minimizing errors and ensuring that everyone has the most current configuration status of the locks.

  • Real-time synchronization of OSS device status: Users can continuously monitor the status of their devices, allowing for quick responses to any problems.

  • Ability to add temporary DOM controller users (APP USERS): Administrators can easily add or remove users who need temporary access, like contractors who need to implement a new lock, improving security without losing convenience.

  • Automation of DOM controller backup and restore processes: Automating these processes helps prevent configuration data loss and ensures backups are regularly maintained.

  • Provisioning of AES DESFire keys to the Bridge: This feature allows for secure sharing of encryption keys. It sends the encryption keys and configurations from the iProtect system to the bridge, with the key encrypted in a KTL file (keystore).

  • Installation of discovery function processes: The API can automatically find new devices from the bridge and link those devices to the correct readers, making the setup process easier and faster.

In summary, the A1/B1 setup remains unchanged, but the iProtect - DOM REST API introduces key enhancements that improve functionality, security, and user experience.

2. Support

2.1 Hardware and licence

Below is an overview of support for both the hardware and the software, including the necessary license:

Support

Hardware

License number

Minimum version

Support

Hardware

License number

Minimum version

IPROTECT Access

 

IPS-ATL (Mobile access)

>= 10.4.xx

Pluto rootFS

 

>= 6.12.x

Reader manager (OSS Update/Enrollment reader)

 

>= 6.00.11

Orion (USB)

 

>= 1.5.34

Sirius iX (RS485)

IPS-ON - online card reader license (44)

>= 2.9.6

 

Access Keys

IPS-ACL - number of cards that can be created within the system

 

DOM

  • DOM ENiQ Pro v2

  • DOM ENiQ Guard

  • DOM ENiQ LoQ

  • ENiQ RF NetManager V2

 IPS-OFF - ofline card reader license (48)

 >= v5.9

Bridge

 

>= v24.07.31

2.2 RFID card type support

The supported NXP rfid cards and tags are listed below:

MIFARE DESFIRE

SUPPORT

PIC MASTERKEY

TYPE

CARDNUMER LENGTH

TAG

CARD

SIZE

MIFARE DESFIRE

SUPPORT

PIC MASTERKEY

TYPE

CARDNUMER LENGTH

TAG

CARD

SIZE

EV1

NO

 

 

 

 

 

 

EV2 / EV3

YES

3DES / AES

CARDNR

12 digits

70pF

17 / 70pf

4k / 8k

UID

7 byte

70pF

17 / 70pf

4k / 8k

2.3 Supported features

The following features are supported:

DESCRIPTION

COMMENT

DESCRIPTION

COMMENT

Offline access control support (data on card based on OSS)

 

Set unlock time in seconds

 

Set alternate unlock time in seconds

 

Office mode (Mobile access and data on card)

 

Reader access rights: Determ access authorisation, based on reader group(s)

 

SideID dependency, adjustable per reader

Max 1000 locations

Semi online access control support based on mobile devices (BLE)

 

Physical Controllers linked to one IPROTECT system

Max. 32 controllers

Online and real-time synchronisation with the DOM Controller

 

Discover function of new devices

 

Automatically add new DOM devices to none existing readers

 

Automatically add new DOM devices existing readers

 

Provisioning DOM controller configuration

 

Provisioning of OSS manufacturer settings

 

General BLE transmit setting per DOM controller

 

Automatic backup of DOM controller into iProtect

 

Restore DOM controller configuration

 

Change default password after first loging from iProtect to the DOM controller

 

Determine for each reader whether it should also support IPROTECT Access

 

When a reader is assigned for IPROTECT Access, determine the interaction:

  • All in background

  • Scan & Go device unlocked

  • Scan & Go in background

2.4 Known not supported features

The following features are NOT supported (yet):

DESCRIPTION

STATUS

DESCRIPTION

STATUS

Card card group limitation

Not available

Holidays

Not available

Intervention card / Firefighter card

Not available for mobile device

Office mode (Mobile Access)

Using UTC time and not Local time.

Example:

Amsterdam = UTC +1

Daylight saving time = +1

Office timezone = UTC + 2

2.5 Data on card and Mobile access

2.5.1 MIFARE DESFire RFID

DESCRIPTION

COMMENT

DESCRIPTION

COMMENT

Supported OSS events (enable/disable per event type)

See chapter: 2.6-OSS-Events

Office mode support

 

Access card authorisation

Based on card group(s) and reader(s) with time zone

Supported OSS black list cards

 

Firefighter (intervention) option per card

  • A tag with intervention mode can successfully open a device with a battery warning level 3 (battery dead)

  • Blok list check: yes

  • Expire date check: No

  • Access right check: Yes

  • Event write back on card: No

 

2.5.1.1 Standard OSS Application

OSS TYPE

 NUMBER

DESCRIPTION

DATA

69

No. of door or door-group (69-255)

8

Number of DayTimeSchedules (8-15)

4

Number of DayID per DayTimeSchedule (4-4)

2

Number if TimePeriods per DayID (2-4)

EVENT

18

Number if Events (18-18)

BLOCKLIST

5

 Number if Blocklisted cards (5-5)

Total

1792kB

Written on the card incl. backup file, conform OSS standard

2.5.2 Mobile device

DESCRIPTION

COMMENT

DESCRIPTION

COMMENT

Per card an overview of assigned reader(s) with a Mobile key

 

Per reader an overview of assigned persons with a Mobile key

 

Office mode support

 

Offline access rights synchronized automatically with mobile device

 

Semi online: All events (types) will be sent from Mobile device to iProtect.

See chapter: 2.6-OSS-Events

Support IPROTECT Access app.

IOS and ANDROID support

2.6 OSS Events

Possible OSS events are described below:

EVENT TYPE

DESCRIPTION

EVENT TYPE

DESCRIPTION

Internal error

Lock has detected an internal error. Several internal event types (memory error, power on test failure etc.) could be represented by this event when written to credential. The EventInfo field is used to supply ock manufacturer specific event codes

Access granted

Access granted

Access denied

No access. Possibility may be that the card needs to be updated.

Blocked card list full

tbt

Battery replaced

The batteries are replaced.

Failed to unlock

tbt

Blocklist

tbt

Lock jammed

tbt

Replace battery

Battery low event with the info bit from 1 to 3 depending on the level of alert

System event

General placeholder for lock events not detected as errors by the lock Intended use is for troubleshooting. The EventInfo field is used to supply lock manufacturer specific event codes.

Tampering

tbt

2.7 System architecture

3. DOM Service app

4. IPROTECT

iProtect supports the OSS, standard offline access application by means that it can enroll or update
cards which are confirmed to the standard data on card solution. The OSS offline standard is a data on card
standard in which the access profiles are distributed via the access cards instead of online card readers. This
is also called: “native” or “offline”, because the access rights are defined in the iProtect database itself and are
distributed to the Sirius i-Serie update readers.

Supporting OSS does not mean that every lock can be integrated effortless since this part is not standardized. This manual only describes the DOM OSS manufacturer.

4.1 Presets

To begin the installation, you must first have the correct key and configuration files.

Items required before the steps below can be performed:

File type

Type

Comment

File type

Type

Comment

OSS update.xml

Reader provisioner

Card number based on AID or UID

OSS enroll.xml

Reader provisioner

PMK dependency (AES, 3DES) and card number based on AID or UID

OSS.xml

Node provisioner

Customer specific, supplied by TKH-Security B.V.

OSS.ktl

Node and reader provisioner

Customer specific, supplied by TKH-Security B.V.

4.2 Provisioner

A provisioner group consists of one or more elements. These elements can be configurations, key files or firmware.
The sections below describe the required combinations.

4.3 Card coding

4.4 Hardware used for update and enrollment of OSS cards

4.5 Add the DOM controller

 

4.6 Add offline device

Using DOM OSS, the device is always linked to a door (a card reader in iProtect). Access rights are then associated with the card reader.

DOM devices such as ENIQPro or ENIQGuard, for example, are added to the system using the DOM Service app.

4.7 Lock sensor

4.8 Add online device

To change the offline device into an online device, a RF-NetManager is required.

The RF-NetManager needs to be configured using the DOMPloy software, please consult the DOMConnect manual and go to next chapter "Configure and deploy a RFNM".

5. Configuration management

5.1 Offline devices

The following section uses the DOM Service App

5.2 Online devices

The following section uses the RF-NetManager. The DOM service app is not needed.

6. Migrating from A1/B1 to DOM API-implementation

To take advantage of the new API-implementation and hereby the benefits (see Chapter 1.2), the OSS configuration in IPROTECT must be changed.

7. Extensive information

7.1 Reader dialog details

7.2 DOMConnect Manual