IPROTECT Access

Installation Manual | IM-20243110

iProtect Access / Security | Functionalities |

 

This manual represents the knowledge at the above-mentioned time. TKH Security works non-stop to improve its products. For the most recent technical information please contact your consultant or dealer.

1. Introduction

This document is the installation and operations manual for access on iProtect card readers using an Android or Apple mobile phone with BLE connection.

1.1 Token Authority

To have a secure, encrypted connection between the card reader and the mobile phone, a cloud-based Token Authority is used. The mobile phone and the card reader must be part of the same Token Authority in order to decrypt the communication between them. The iProtect system can support one Token Authority. How to configure this is described in this manual.

2. Necessities

2.1 iProtect License

To activate IPROTECT Access on the iProtect system a license is required:

| Description | Supported from iProtect version | License number |
|---|---|---|
| IPROTECT Access system | 10.01.37 | 1700 |
| External services | 10.01.37 | 47 |

2.2 Mobile phone apps

There are two mobile apps available for IPROTECT Access. These apps can be downloaded from Google Play for Android devices and from the App Store for Apple devices.

Previously the apps were called Cosmos Access and Cosmos Config.

| App | Description |
|---|---|
| IPROTECT Access | For everyday use. The app serves as a digital access card. |
| IPROTECT Config | This app is for the system installers. It is used to assign and de-assign readers to the IPROTECT Access Token Authority (TA) and to make reader-specific settings. |

2.3 Mandatory settings to check

Please check/set the following settings:

  • The iProtect server needs to have an internet connection (mandatory)

  • DNS settings need to be set

  • The time settings should be set correctly. Use an NTP server.

  • Set the time zone settings of the system correctly

Port 443 is used to communicate with the Token Authority.

Ping a public IP address. A proper reply is required!
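A small pre-installation check for the items above that can be verified from the iProtect server itself. This is an added example and not part of the manual or the iProtect product: it resolves the two default Token Authority host names printed in the database-link dialog (section 3.2), opens an outbound TCP connection on port 443 to each, and confirms the OS reports a named time zone. NTP synchronisation is best verified with the operating system's own tools and is not checked here. The `resolver` and `connector` parameters are there so the logic can be exercised without network access.

```python
"""Pre-installation connectivity check for an iProtect server (added example)."""
import socket
import time

# Default Token Authority hosts as printed in the database-link dialog (section 3.2).
TOKEN_AUTHORITY_HOSTS = ("auth.eu.token-authority.com", "eu.token-authority.com")
TOKEN_AUTHORITY_PORT = 443   # the manual states port 443 is used


def check_dns(host, resolver=socket.getaddrinfo):
    """Return (ok, detail): does the configured DNS resolve the host?"""
    try:
        records = resolver(host, TOKEN_AUTHORITY_PORT, type=socket.SOCK_STREAM)
    except OSError as exc:                      # socket.gaierror is an OSError
        return False, f"{host}: DNS lookup failed ({exc})"
    addrs = sorted({r[4][0] for r in records})
    return True, f"{host}: resolves to {', '.join(addrs)}"


def check_tcp(host, port=TOKEN_AUTHORITY_PORT, connector=socket.create_connection, timeout=5.0):
    """Return (ok, detail): can an outbound TCP connection on `port` be opened?"""
    try:
        conn = connector((host, port), timeout=timeout)
    except OSError as exc:
        return False, f"{host}:{port}: connection failed ({exc})"
    conn.close()
    return True, f"{host}:{port}: reachable"


def check_timezone(tzname=None):
    """Return (ok, detail): does the OS report non-empty time zone names?"""
    names = tzname if tzname is not None else time.tzname
    ok = bool(names) and all(n.strip() for n in names)
    return ok, f"time zone names: {names!r}"


def run_checks(hosts=TOKEN_AUTHORITY_HOSTS, resolver=socket.getaddrinfo,
               connector=socket.create_connection):
    """Run every check once; return a list of (name, ok, detail) tuples."""
    results = [("timezone",) + check_timezone()]
    for host in hosts:
        results.append(("dns " + host,) + check_dns(host, resolver))
        results.append(("tcp " + host,) + check_tcp(host, connector=connector))
    return results


def all_ok(results):
    """True when no check in `results` failed."""
    return all(ok for _, ok, _ in results)


if __name__ == "__main__":
    for name, ok, detail in run_checks():
        print("PASS" if ok else "FAIL", name, "-", detail)
```

Run it on the iProtect server before configuring the database link; a failing `dns` line points at the DNS setting, a failing `tcp` line at the firewall or proxy in front of port 443.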

2.4 Supported hardware and software

| Hardware / Software | Description | From version |
|---|---|---|
| iProtect | SMS | 10.01.37 |
| Pluto | Reader manager | 05.03.39 |
| Orion | Orion firmware | 1.05.18 |
| ApolloN | Reader manager | 05.03.39 |
| RIO | RIO firmware | Future |
| Sirius iX-series reader | Card reader firmware | 2.5.20 |

Supported reader protocols: Clock/Data, Wiegand, RS485

3. Setup IPROTECT Access

The chapter below describes the steps that are necessary within iProtect.

3.1 Configure the Card configuration (Step 1)

To create a Service / Database link within iProtect for the Token Authority Service, a card configuration is mandatory.

3.1.1 Card data interpretation group

To enable a combination of physical cards and mobile devices, a Card Data Interpretation Group is needed.

  • In iProtect, browse to menu: Access | Settings | Card coding | Card data interpretation group.

  • Right click in the search field and choose “add Card data interpretation group”:

| Field | Content |
|---|---|
| Name | Logical name, e.g. IPROTECT Access group |

3.1.2 Card number presentation

A Card Number Presentation is needed to determine how the card number is entered and displayed.

  • In iProtect, browse to menu: Access | Settings | Card coding | Card number presentation.

  • Right click in the search field and choose “add Card number presentation”:

| Field | Content |
|---|---|
| Name | Logical name, e.g. IPROTECT Access |
| Format | Alpha numeric |
| Calculated length | 10 |

3.1.3 Card data interpretation

Card data interpretation is needed to determine how to interpret the data from the mobile devices.

  • In iProtect, browse to menu: Access | Settings | Card coding | Card data interpretation.

  • Right click on the “Card number presentation” that was just created and choose “add Card data interpretation”.

3.1.3.1 For Clock/Data (ABA) and RS485 readers

| Field | Content |
|---|---|
| Name | Logical name, e.g. IPROTECT Access |
| Default card data interpretation | Mobile access, click “Set” |
| Card data interpretation group | IPROTECT Access group |
| Tab: Format | Data length: 18 |
| Tab: Card | Start: 2, Length: 17 |

3.1.3.2 For Wiegand readers

| Field | Content |
|---|---|
| Name | Logical name, e.g. IPROTECT Access-WG |
| Default card data interpretation | Wiegand 26, click “Set” |
| Card data interpretation group | IPROTECT Access group |
| Tab: Format | Data length: 66 |
| Tab: System code | Start: 1, Length: 0, Code: (empty) |
| Tab: Card number | Start: 6, Length: 60, Modulo: (empty) |
| Tab: Parity | Left: Odd, Left start: 1, Left length: 33; Right: Odd, Right start: 34, Right length: 33 |
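A worked example of the two card data interpretations configured above, added here and not taken from the manual or from iProtect. It applies the field positions from the two tables to constructed reader output so the settings can be sanity-checked: the Clock/Data interpretation takes 17 characters starting at position 2 of an 18-character string, and the Wiegand interpretation takes 60 card-number bits starting at bit 6 of a 66-bit frame with odd parity over bits 1 to 33 (left) and 34 to 66 (right). Positions are 1-based as in the iProtect dialog. One assumption not stated in the manual: the left parity bit is the first bit of the left range and the right parity bit is the last bit of the right range, as in conventional Wiegand formats.

```python
"""Card data interpretation worked example (added; not iProtect code)."""

# --- Clock/Data (ABA) and RS485: data length 18, card start 2, length 17 ---
CLOCK_DATA_LENGTH = 18
CLOCK_CARD_START = 2
CLOCK_CARD_LENGTH = 17


def interpret_clock_data(data):
    """Return the card number field of an 18-character Clock/Data string."""
    if len(data) != CLOCK_DATA_LENGTH:
        raise ValueError(f"expected {CLOCK_DATA_LENGTH} characters, got {len(data)}")
    start = CLOCK_CARD_START - 1            # dialog positions are 1-based
    return data[start:start + CLOCK_CARD_LENGTH]


# --- Wiegand: data length 66, card number start 6 length 60, odd/odd parity ---
WG_DATA_LENGTH = 66
WG_CARD_START, WG_CARD_LENGTH = 6, 60
WG_LEFT_START, WG_LEFT_LENGTH = 1, 33
WG_RIGHT_START, WG_RIGHT_LENGTH = 34, 33


def _odd_parity_ok(bits):
    """Odd parity: the number of 1-bits in the range (parity bit included) is odd."""
    return bits.count("1") % 2 == 1


def wiegand_parity_ok(frame):
    """Check both parity ranges of a 66-bit frame given as a '0'/'1' string."""
    if len(frame) != WG_DATA_LENGTH or set(frame) - {"0", "1"}:
        raise ValueError("frame must be a 66-character string of 0/1")
    left = frame[WG_LEFT_START - 1:WG_LEFT_START - 1 + WG_LEFT_LENGTH]
    right = frame[WG_RIGHT_START - 1:WG_RIGHT_START - 1 + WG_RIGHT_LENGTH]
    return _odd_parity_ok(left) and _odd_parity_ok(right)


def interpret_wiegand(frame):
    """Return the 60-bit card number as an int, or None when a parity check fails."""
    if not wiegand_parity_ok(frame):
        return None
    start = WG_CARD_START - 1
    return int(frame[start:start + WG_CARD_LENGTH], 2)


def build_wiegand_frame(card_number):
    """Inverse operation, used to construct test frames: wrap a 60-bit number
    in a frame with valid parity. Bits 2-5 are the system-code positions the
    dialog leaves at length 0, so they are sent as zeros; bit 1 and bit 66
    are the parity bits (assumed positions, see lead-in)."""
    if not 0 <= card_number < 2 ** WG_CARD_LENGTH:
        raise ValueError("card number does not fit in 60 bits")
    body = "0000" + format(card_number, f"0{WG_CARD_LENGTH}b")   # bits 2..65
    left_data = body[:WG_LEFT_LENGTH - 1]                        # bits 2..33
    right_data = body[WG_LEFT_LENGTH - 1:]                       # bits 34..65
    left_bit = "0" if left_data.count("1") % 2 == 1 else "1"
    right_bit = "0" if right_data.count("1") % 2 == 1 else "1"
    return left_bit + body + right_bit


if __name__ == "__main__":
    # Constructed sample data, not captured from a real reader.
    print(interpret_clock_data("X12345678901234567"))
    frame = build_wiegand_frame(123456789)
    print(frame, interpret_wiegand(frame))
```

If a reader's raw output decodes to `None` here, the parity configuration in the dialog does not match what the reader sends; if the number is wrong but parity passes, the card-number start or length is off.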

3.2 Configure the Service / database link (Step 2)

In iProtect, browse to menu: Installation | Settings | Services | Database link:

  • Right click in the search field and choose “add database link”

  • Select type: IPROTECT Access

| Field | Content | Description |
|---|---|---|
| Name | Logical name, e.g. IPROTECT Access | |
| Active | “checked” | |
| Tenant ID | The tenant id received from TKH Security | |
| Client ID | The client id received from TKH Security | |
| Client Secret | The client secret received from TKH Security | |
| Time out (sec.) | Default 45 seconds, do not change unless advised by TKH | Basic interval timer for multiple Token Authority processes. Changing this setting causes a reboot of the Service. |
| Auth Domain | The Identity provider received from TKH Security | Default: //auth.eu.token-authority.com |
| Main Domain | The Connection URL received from TKH Security | Default: //eu.token-authority.com |
| Card data interpretation | e.g. IPROTECT Access | Select one of the Card data interpretations that are also grouped. See step 1. |
| Poll rate (%) | Default 100%. | TKH Security can advise whether this setting should be changed. |

How the poll rate works (examples):

  • Poll time at 100% = 45 seconds

  • Poll time at 50% = 90 seconds

3.2.1 Overall functional state

The functional state shows the connection with the Token Authority:

| Functional state | Description | Details |
|---|---|---|
| Service fully functional | System is running properly | |
| Service partly functional | System is not running properly | Service cannot connect with the Token Authority; iProtect cannot connect to the Service |
| Service in calamity mode | It will recover automatically after some time (could be hours) | There is too much traffic between iProtect and the Token Authority. This can occur with bulk import or with too many pending requests such as assign/revoke invitations or tasks. Polling for status updates (reader status, access key status) is postponed. |
| Service not functional | There is no connection with the Token Authority | Check the internet connection; check the settings |

3.3 Configure card reader for IPROTECT Access (step 3)

We assume that a card reader is already implemented in the iProtect system and works with conventional “RFID” cards or tags.

3.3.1 Search the reader

  • Browse to menu: Installation | Hardware | Reader.

  • Select the reader you want to use with IPROTECT Access.

3.3.2 Activate IPROTECT Access on the reader

The option to activate IPROTECT Access becomes available when a Card data interpretation is selected that is part of the IPROTECT Access group created in step 1.

After IPROTECT Access is activated on a reader, additional options and status are displayed within minutes:

| Entity state | Description | App required |
|---|---|---|
| To be assigned | Reader needs to be added to the Token Authority and must be provided with an IPROTECT Access token | IPROTECT Config app |
| To be unassigned | The IPROTECT Access token needs to be deleted from the reader and the Token Authority | IPROTECT Config app |
| Assigned | Access can be granted by using a mobile device | IPROTECT Access app |

3.3.3 Reader provisioner group (RS485 card reader only)

By enabling IPROTECT Access on a reader, a new type of identification is activated.

The system must know what to do with the data and how to handle it when a mobile device is presented. This information is described in a Reader provisioner file and needs to be set for every reader.

The following provisioner group must be selected in the reader dialog, see the table below:

| Used (RFID) card technology | Provisioner group |
|---|---|
| TKH default Mifare or Desfire | Use: Pluto SiriusIX MifareSec, Desfire and BLE (system default) |
| UID 4 bytes (10 dec) | Use: Pluto SiriusIX Serial 10 digits and BLE (system default) |
| UID 7 bytes (17 dec) | Use: Pluto SiriusIX Serial 17 digits and BLE (system default) |

3.3.4 App Interaction options

Basically there are two ways of granting access at the reader when using the IPROTECT Access app:

| Selection | Description |
|---|---|
| Scan & Go | Presenting the mobile device near the reader to get access |
| Select & Go | Nearby readers can be selected and opened in the app at the touch of a button (e.g. parking barriers) |

Besides the behaviour, the way the mobile device may be used at a specific reader can be set:

| Selection | Description |
|---|---|
| All - In background | The mobile device does not need to be unlocked before it is presented to the reader. When opening the app, nearby readers can be selected and opened in the app at the touch of a button. |
| Select & Go | Nearby readers can be selected and opened in the app at the touch of a button. |
| Scan & Go - In background | The mobile device does not need to be unlocked before it is presented to the reader. |
| Scan & Go and Select & Go | Mobile device needs to be unlocked before presenting it to the reader. Select & Go can also be used for this reader. |
| Scan & Go - Device unlocked | Mobile device needs to be unlocked before presenting it to the reader. Select & Go cannot be used for this reader. |

3.3.5 Assign a reader to the Token Authority

After IPROTECT Access is activated on a reader, the reader needs to be assigned to the Token Authority by using the IPROTECT Config app. These readers will have the entity state: “To be assigned”.

iProtect checks for status changes in the Token Authority to see if the reader has already been (un)assigned.

| Time after (un)assigning | Check interval |
|---|---|
| 0 – 10 minutes | Checked every 45 seconds |
| 10 minutes – 1 hour | Checked every 180 seconds |
| 1 hour and later | Checked every 300 seconds |

Follow the instructions in the app to Assign the reader. The reader will be available on the assign list. After this action, the reader can be used for IPROTECT Access.

3.3.6 Unassign a reader from the Token Authority

This action must be performed to remove the card reader from the IPROTECT Access Token Authority, when the reader should not work with IPROTECT Access anymore.

When the IPROTECT Access checkbox is deactivated, the entity state at the reader becomes “To be unassigned”. The reader needs to be Unassigned using the IPROTECT Config app.

Follow the instructions in the app to Unassign the reader. The reader will be available on the Unassign list.
After this action, the reader cannot be used anymore for IPROTECT Access until it is assigned again.

3.3.7 Installer rights system user

A system user with installer rights has more rights in iProtect. This gives the person more status fields, and also the right to remove a defective reader from the Token Authority.

  • In iProtect, browse to menu: Installation | Authorization | System user

  • Search the system user for whom the ‘Installer rights’ should be activated and enable this. After enabling, please log out and log in again.

What the installer additionally gets:

| Dialog | Added | Description |
|---|---|---|
| Card | Synchronization status | Undefined; Mobile ID sent; Mobile ID and access rights sent |
| Reader | Synchronization status | Undefined; Reader ID sent; Reader ID and tokens sent |
| | Force remove button | When a reader cannot be unassigned (broken), this removes the reader from the Token Authority. |

Be aware! When this action has been performed and the reader is to be re-used for IPROTECT Access, the reader must be sent back to TKH Security.

4. Maintenance and statuses

This chapter describes the maintenance that can be performed on the Token Authority using iProtect.

4.1 Status of IPROTECT Access cards

Browse to iProtect menu: Access | Overviews | Status | Card token authority status.

In this dialogue the status is shown of all IPROTECT Access cards. It is possible to search for “Registered” (accepted invites) and “Not registered” (not accepted invites).

4.2 Status of IPROTECT Access card readers

Browse to iProtect menu: Installation | Overviews | Status | Reader token authority status.

In this dialogue the status is shown of all IPROTECT Access card readers. It is possible to search for “Registered” (Assigned readers) and “Not registered” (unassigned readers).

4.3 Debug logging Token Authority

In case debug logging is needed this can be activated in the database link dialogue

  • In iProtect, browse to menu: Installation | Settings | Services | Database link. Search and select the IPROTECT Access service. Click the button “Enable”.

The extensive logging will be enabled for 10 minutes. The log is written in the “Catalina” log file. The logfile can be read and downloaded in the iProtect maintenance page, dialogue: Logging | User interface.

4.4 Inconsistency between iProtect IPROTECT Access readers and the Token Authority readers

Inconsistency can occur in some situations, for example when an old iProtect backup is restored in which some readers were not yet assigned to the Token Authority. In that case the Token Authority has assigned readers that do not have the assigned status in iProtect. This can be corrected.

  • In iProtect, browse to menu: Installation | Settings | Services | Database link. At the dialogue “Unknown readers in token authority” click “Fetch”, in the result screen readers that are in the Token Authority but not in the iProtect system will be shown. When selected they can be removed from the Token Authority.

When reader(s) needs to be assigned again to the Token Authority, this can be done as is described at the chapter “configuration”.

4.5 Rate limiter

The number of messages from iProtect to the Token Authority is limited in number and time. The number of available messages is reported to iProtect. If the number of available messages drops below 5%, a rate limiter starts doing its work. When the limiter is active, actions initiated by a user are still executed, but no synchronization calls are made, so statuses will not change. When after some time there is room again (>5%), the synchronization calls are sent again. When the rate limiter starts, an event is created in the iProtect log.
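A model of the limiter behaviour described above, added as an illustration and not iProtect's own code. It shows the two consequences a practitioner should expect to see: user-initiated actions still go out while the budget is below 5%, synchronization calls are held back until the budget recovers, and an event is written when the limiter engages. The quota figures and the split into 'user' and 'sync' calls are constructed for the example; in iProtect the remaining budget is whatever the Token Authority reports.

```python
"""Rate limiter model for section 4.5 (added example; not iProtect code)."""
from dataclasses import dataclass, field

THRESHOLD = 0.05   # limiter engages below 5% of the budget, releases above 5%


@dataclass
class RateLimiter:
    quota: int                  # total messages allowed by the Token Authority (constructed)
    remaining: int              # messages still available, as reported
    active: bool = False
    events: list = field(default_factory=list)    # what would go to the iProtect log
    sent: list = field(default_factory=list)
    deferred: list = field(default_factory=list)  # synchronization calls held back

    def report(self, remaining):
        """Update the remaining budget as reported by the Token Authority."""
        self.remaining = remaining
        share = remaining / self.quota
        if not self.active and share < THRESHOLD:
            self.active = True
            self.events.append(f"rate limiter started: {remaining}/{self.quota} messages left")
        elif self.active and share > THRESHOLD:
            self.active = False
            self.events.append("rate limiter released: synchronization resumed")

    def send(self, kind, message):
        """kind is 'user' (always sent) or 'sync' (held back while limited).
        Returns True when the message is sent now."""
        if kind not in ("user", "sync"):
            raise ValueError("kind must be 'user' or 'sync'")
        if kind == "sync" and self.active:
            self.deferred.append(message)
            return False
        self.sent.append(message)
        self.remaining -= 1
        return True

    def flush_deferred(self):
        """After the limiter releases, resend the postponed synchronization calls.
        Returns the number of calls sent."""
        if self.active:
            return 0
        count = 0
        while self.deferred:
            self.send("sync", self.deferred.pop(0))
            count += 1
        return count


def simulate():
    """Scenario: the budget shrinks below 5%, a user action and a status poll
    arrive, then the budget recovers. Returns (limiter, per-step results)."""
    rl = RateLimiter(quota=1000, remaining=100)
    results = []
    results.append(rl.send("sync", "poll reader status"))      # plenty of budget
    rl.report(40)                                               # 4%: limiter starts
    results.append(rl.send("user", "revoke invitation"))        # still executed
    results.append(rl.send("sync", "poll access key status"))  # postponed
    rl.report(120)                                              # 12%: released
    results.append(rl.flush_deferred())
    return rl, results


if __name__ == "__main__":
    limiter, steps = simulate()
    print(steps)
    for line in limiter.events:
        print(line)
```

The practical reading of this model: a reader or card whose status does not change while the limiter is active is not necessarily broken; check the iProtect log for the limiter event before investigating the reader.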

5. Mobile Access

Mobile access can be activated as an extra functionality at the Sirius iX reader. This allows the user to use a mobile device and an identifier besides the supported access cards. The Mobile Access solution has two Mobile applications (iOS and Android):

  • IPROTECT Access, for the end user.

  • IPROTECT Config, for the installer to configure the Sirius iX reader.

5.1 Configuration

Every Sirius iX reader must be assigned to the Mobile Access project it belongs to. This must be done with the IPROTECT Config application which is available at the app stores. The IPROTECT Config application has three functionalities:

  • Assign
    To add a Sirius iX reader to a Mobile Access environment. A Sirius iX reader can be assigned within 10 minutes after it has booted. To reactivate the ‘assign’ process, a reboot of the Sirius iX reader is required or an installer card needs to be presented. The Assign functionality is always started via the access control system (iProtect).

  • Unassign
    To remove a Sirius iX reader from a Mobile Access environment so that it is at factory default again. Once it is at factory default, it can be assigned again to any other mobile access system. The ‘unassign’ functionality is always started via the access control system (iProtect).

  • Edit
    To change the signal output of the Sirius iX reader. The Sirius iX reader can be edited within 10 minutes after assigning, or afterwards via the edit mode of the IPROTECT Config app.
    • 0 dBm: maximum distance
    • -16 dBm: office mode (approx. 15 cm distance)

Assigning with an installer card

After powering on, the reader broadcasts a unique identification for 10 minutes. The reader can only be discovered by the IPROTECT Config app during this broadcast.
By presenting an installer card, the broadcast can be re-enabled. If the installer card is not available, a power cycle or soft reboot (reset) will also re-enable the 10-minute broadcast. Every time the installer card is presented, the time is extended by another 10 minutes.

For more detailed information please check the IPROTECT Config and IPROTECT Access documentation.