IPROTECT Access

Installation Manual | IM-20243110

iProtect Access / Security | Functionalities |

 

This manual represents the knowledge at the above-mentioned time. TKH security works non-stop to improve her products. For the most recent technical information please contact your consultant or dealer.

Table of contents

1. Introduction

This document is the installation and operations manual for access on iProtect card readers using an Android or Apple mobile phone with BLE connection.

1.1 Token Authority

To have a secure encrypted connection between the card reader and the mobile phone, a cloud based Token Authority is used. The mobile phone and the card reader must be part of the same Token Authority in order to decrypt the communication between mobile phone and card reader. The iProtect system can support one token authority. How this must be configured, will be described in this manual.

2. Necessities

2.1 iProtect License

To activate IPROTECT Access on the iProtect system a license is required:

Description

Supported from iProtect version

License number

Description

Supported from iProtect version

License number

IPROTECT Access system

10.01.37    

1700

External services

10.01.37

47       

2.2 Mobile phone apps

There are two mobile apps available for IPROTECT Access. These app can be downloaded from Google Play for Android- and in the App Store for Apple devices.

Previously the App was called, Cosmos access or Cosmos config

APP

Description

APP

Description

IPROTECT Access

For everyday use. The app serves as a digital access card

IPROTECT Config

This app is for the system installers. It is used to assign and de-assign readers to the IPROTECT Access Token Authority (TA) and make reader specific settings

2.3 Settings to check and which are mandatory

Please check/set the following settings:

  • The iProtect server needs to have an internet connection (mandatory)

  • DNS settings needs to be set

  • The time settings should be set correctly. Use an NTP server.

  • Set the time zone settings of the system correctly

Port 443 is used to communicate with the Token Authority

Ping to a public IP address. A proper reply is needed!

2.4 Supported hardware and software

Hardware / Software

Description

From version

iProtect

SMS

10.01.37

Pluto

Reader manager

05.03.39

Orion

Orion firmware

1.05.18

ApolloN

Reader manager

05.03.39

RIO

RIO firmware

Future

Sirius iX-serie reader

Card reader firmware

2.5.20

Protocol

Clock/Data

Wiegand

RS485

3. Setup IPROTECT Access

The chapter below describes the steps that are necessary within iProtect.

3.1 Configure the Card configuration (Step 1)

To create a Service / Database link within iProtect for theToken Authority Service, a card configuration is mandatory.

3.1.1 Card data interpretation group

To enable a combination of physical cards and mobile devices, a Card Data Interpretation Group is needed.

  • In iProtect, browse to menu: Access | Settings | Card coding | Card data interpretation group.

  • Right click in the search field and choose “add Card data interpretation group”:

Field

Content

Name

Logical name, e.g IPROTECT Access group

3.1.2 Card number presentation

Card Number Presentation is needed to determine how to enter- or display the card number.

  • In iProtect, browse to menu: Access | Settings | Card coding | Card number presentation.

  • Right click in the search field and choose “add Card number presentation”:

Field

Content

Name

Logical name, e.g IPROTECT Access

Format

Alpha numeric

Calculated length:

10

3.1.3 Card data interpretation

Card data interpretation is needed to determine how to interpret the data from the mobile devices.

  • In iProtect, browse to menu: Access | Settings | Card coding | Card data interpretation.

  • Right click on the “Card number presentation” that was just created and choose “add Card data interpretation”.

3.1.3.1 For Clock/data (ABA) and RS485 readers

Field

Content

Name

Logical name, e.g IPROTECT Access

Default card data interpretation

Mobile access,  click “set

Card data interpretation group

IPROTECT Access group

Tab: Format

Data length: 18

Tab: Card

Start: 2

Length: 17

3.1.3.1 For Wiegand readers

Field

Content

Name

Logical name, e.g IPROTECT Access-WG

Default card data interpretation

Wiegand 26,  click “set

Card data interpretation group

IPROTECT Access group

Tab: Format

Data length: 66

Tab: System code

Start: 1

Length: 0

Code:

Tab: Card number

Start: 6

Length: 60

Modulo:

Tab: Parity

Left: Odd

 

Right: Odd

 

Left start: 1

 

Right start: 34

 

Left length: 33

 

Right length: 33

3.2 Configure the Service / database link (Step 2)

In iProtect, browse to menu: Installation | Settings | Services | Database link:

  • Right click in the search field and choose “add database link”

  • Select type: IPROTECT Access

Field

Content

Description

Name

Logical name. e.g IPROTECT Access

 

Active

“checked”

 

Tenant ID

The tenant id received from TKH security

 

Client ID

The client id received from TKH security

 

Client Secret

The client secret received from TKH security

 

Time out (sec.) 

Default 45 seconds, do not change unless adviced by TKH

Basic interval timer for multiple Token Authority processes. Change of this setting will cause a reboot of the Service.

Auth Domain

The Identity provider received from TKH security

Default: //auth.eu.token-authority.com

Main Domain

The Connection URL received from TKH security

Default: //eu.token-authority.com

Card data interpretation

e.g. IPROTECT Access

Select one of the Card data interpretations that are also grouped. See step 1.

Poll rate (%)

Default 100%.

TKH security can advise whether this setting should be changed

 

How does it work (examples):

  • Poll time at 100% = 45 seconds

  • Poll time at 50% = 90 seconds

 

3.3.2 Overall functional state

The functional state shows the connection with the Token Authority:

Functional state

Description

Description

Service fully functional

System is running properly

 

Service partly functional

System is not running properly

Service cannot connect with Token Authority

iProtect cannot connect to the Service

Service in calamity mode

It will recover automatically after some time (could be hours)

There is too much traffic between iProtect and the Token Authority. This can occur with bulk import or with too many pending requests such as assign/revoke invitations or tasks.

Polling for status updates is postponed

  • Reader status

  • Accesskey status

Service not functional

There is no connection with the Token Authority

  • Check the internet connection

  • Check the setting

3.3 Configure card reader for IPROTECT Access (step 3)

We assume that a card reader is already implemented in the iProtect system and works with conventional “RFID” cards or tags.

3.3.1 Search the reader

  • Browse to menu: Installation | Hardware | Reader.

  • Select the reader you want to use with IPROTECT Access.

3.3.2 Activate IPROTECT Access on the reader

The option to activate IPROTECT Access will be available when a Card data interpretation is selected who is part of the IPROTECT Access group, created in step 1.

After IPROTECT Access is activated on a reader, additional options and status are displayed within minutes:

Entity state

Description

Description

To be assigned

Reader needs to be added to the Token Authority and must be provided with a IPROTECT Access token

IPROTECT Config app required

To be unassigned

The IPROTECT Access token needs to be deleted from the reader and the Token Authority

IPROTECT Config app required

Assigned

Access can be granted by using a mobile device

IPROTECT Access app required

3.3.3 Reader provisioner group (RS485 card reader only)

By enabling IPROTECT Access on a reader, a new type of identification is activated.

The system must know what to do with the data and how to handle it when a mobile device is presented. This information is described in a Reader provisioner file and needs to be set by every reader.

The following provisioner group must be selected in the readerdialog, see table below:

Used (RFID) card technology

Provisioner group

TKH default Mifare or Desfire

Use: Pluto SiriusIX MifareSec, Desfire and BLE (system default)

UID 4 bytes (10 dec)

Use: Pluto SiriusIX Serial 10 digits and BLE (system default)

UID 7 bytes (17 dec)

Use: Pluto SiriusIX Serial 17 digits and BLE (system default)

3.3.4 App Interaction options

In basic there are two types of granting access to the reader when using the IPROTECT Access app.

Selection

Description

TScan & Go   

Presenting the mobile device nearby the reader to get access

Select & Go

Nearby readers can be selected and opened in the app at the touch of a button (e.g. like parking barriers)

Besides the behavior, the use of the mobile device by a specific reader can be set:

Selection

Description

All - In background

The mobile device does not need to be unlocked before it is presented to the reader. When opening the app nearby readers can be selected and opened in the app at the touch of a button

Select & Go

Nearby readers can be selected and opened in the app at the touch of a button

Scan & Go - In background

The mobile device does not need to be unlocked before it is presented to the reader.

Scan & Go and Select & Go

Mobile device needs to be unlocked before presenting it to the reader. Select & Go can also be used for this reader.

Scan & Go - Device unlocked

Mobile device needs to be unlocked before presenting it to the reader. Select & Go cannot be used for this reader.

3.3.5 Assign a reader to the Token Authority

After IPROTECT Access is activated on a reader, the reader needs to be assigned to the Token Authority by using the IPROTECT Config app. These readers will have the entity state: “To be assigned”.

iProtect checks for status changes in the Token Authority to see if the reader has already been (un)assigned.

Time after (un)assigning

Description

0 – 10 minutes

Every 45 seconds it will be checked

10 min – 1 hour

Every 180 seconds it will be checked

1 hour – to invinity

Every 300 seconds it will be checked

Follow the instructions in the app to Assign the reader. The reader will be available on the assign list. After this action, the reader can be used for IPROTECT Access.

3.3.6 Unassign a reader from the Token Authority

This action must be performed to remove the card reader from the IPROTECT Access Token Authority, when the reader should not work with IPROTECT Access anymore.

When the IPROTECT Access checkbox is deactivated, the entity state at the reader becomes “To be unassigned”. The reader needs to be Unassigned using the IPROTECT Config app.

Follow the instructions in the app to Unassign the reader. The reader will be available on the Unassign list.
After this action, the reader cannot be used anymore for IPROTECT Access until it is assigned again.

3.3.7 Installer rights system user

A system user with installer right has more rights in iProtect. This gives the person more status fields but also has rights to remove a defective reader from the Token Authority.

  • In iProtect, browse to menu: Installation | Authorization | System user

  • Search the system user where the ‘Installer rights’ should be activated and enable this. After enabling, please log-out and log-in again.

What does the Installer gets more:

Dialog

Added

Description

Card

Synchonization status

  • Undefined

  • Mobile ID sent

  • Mobile ID and access rights sent

Reader

Synchonization status

  • Undefined

  • Reader ID sent

  • Reader ID and tokens sent

Force remove button

When reader cannot be unassigned (broken), it will remove the reader from the Token Autority.

Be aware! When doing this action and the reader will be re-used again for IPROTECT Access, the reader must be sent back to TKH-Security.

4. Maintenance and statuses

This chapter describes the maintenance that can be performed on the Token Authority using iProtect.

4.1 Status of IPROTECT Access cards

Browse to iProtect menu: Access | Overviews | Status | Card token authority status.

In this dialogue the status is shown of all IPROTECT Access cards. It is possible to search for “Registered” (accepted invites) and “Not registered” (not accepted invites).

4.2 Status of IPROTECT Access card readers

Browse to iProtect menu: Installation | Overviews | Status | Reader token authority status.

In this dialogue the status is shown of all IPROTECT Access card readers. It is possible to search for “Registered” (Assigned readers) and “Not registered” (unassigned readers).

4.3 Debug logging Token Authority

In case debug logging is needed this can be activated in the database link dialogue

  • In iProtect, browse to menu: Installation | Settings | Services | Database link. Search and select the IPROTECT Access service. Click the button “Enable”.

The extensive logging will be enabled for 10 minutes. The log is written in the “Catalina” log file. The logfile can be read and downloaded in the iProtect maintenance page, dialogue: Logging | User interface.

4.4 Iconsistency between iProtect IPROTECT Access readers and the Token authority readers

Inconsistency can occur in some situations, for example: an old iProtect backup is used where some readers where not assigned yet to the Token Authority. In that case, the Token Authority has assigned readers that do not have the assigned status in iProtect. This can be corrected.

  • In iProtect, browse to menu: Installation | Settings | Services | Database link. At the dialogue “Unknown readers in token authority” click “Fetch”, in the result screen readers that are in the Token Authority but not in the iProtect system will be shown. When selected they can be removed from the Token Authority.

When reader(s) needs to be assigned again to the Token Authority, this can be done as is described at the chapter “configuration”.

4.5 Rate limmeter

The number of messages from iProtect to the Token Autority is limited in number and time. The number of available messages is reported to iProtect. If the number of messages became lower than 5%, a rate limmeter will start do it’s function. When the limiter is active actions initiated by a user are still executed, there is are however no synchronization calls so statuses will not change. When after some time there is space again (>5%) the synchronization calls will be sent again. If the rate limiter starts, an event will be created in the iProtect log.

5. Mobile Access

Mobile access can be activated as an extra functionality at the Sirius iX reader. This allows the user to use a mobile device and an identifier besides the supported access cards. The Mobile Access solution has two Mobile applications (iOS and Android):

  • IPROTECT Access, for the end user.

  • IPROTECT Config, for the installer to configure the Sirius iX reader.

5.1 Configuration

Every Sirius iX reader must be assigned to the Mobile Access project it belongs to. This must be done with the IPROTECT Config application which is available at the app stores. The IPROTECT Config application has three functionalities:

  • Assign
    To add a Sirius iX reader to a Mobile Access environment. A Sirius iX reader can be assigned 10 minutes after its booted. To reactivate the ‘assign’ processes a reboot of the Sirius iX reader is required or an installer card needs to be presented. The Assign functionality is always started via the access control system (iProtect).

  • Unassign
    To remove a Sirius iX reader from a Mobile Access environment so it is factory default again. Once it is in factory default, it can be assigned again to any other mobile access system. The ‘unassign’ functionality is always started via the access control system (iProtect).

  • Edit
    To change the Signal output of the Sirius iX reader. The Sirius iX reader can be edited 10 minutes after assigning or afterwards via the IPROTECT Config app edit modus.
    • 0 dBm maximum distance
    • -16 dBm office mode (+/= 15 cm distance)

Assigning with installer card

After powering the reader, it will broadcast a unique identification for 10 minutes. The reader can only be discovered by the IPROTECT Config app during broadcast.
By presenting an installer card, the broadcasting can be re-enabled again. The installer card is not available, a power cycle or soft reboot (reset) will also re-enable the 10-minute broadcast. Every time the installer card is presented, the time will be extended for another 10 minutes.

For more detailed information please check the IPROTECT Config and IPROTECT Access documentation.

 

Related pages