iProtect - OSS
- 1 iProtect and OSS
- 2 Setup
- 3 Configuring iProtect for Update/Enrollment
- 3.1 Configuring the Card presentation
- 3.1.1 Card interpretation for Update
- 3.1.2 Card interpretation for enrollment (if needed)
- 3.1.3 Card data interpretation for TKH DESFire (access)
- 3.2 Configuring the Pluto
- 3.3 Configuring the line
- 3.3.1 Configuring the enrollment reader (if needed)
- 3.3.2 Configuring the update reader
- 4 Configuring iProtect for OSS readers
- 5 Supported features
- 6 Support of functions versus manufacturer
This manual represents the knowledge at the above-mentioned time. TKH Security works non-stop to improve its products. For the most recent technical information, please contact your consultant or dealer.
1 iProtect and OSS
iProtect supports the OSS standard offline access application: it can enroll and update cards that conform to the standard's data-on-card solution. The OSS offline standard is a data-on-card standard in which the access profiles are distributed via the access cards instead of via online card readers. This is also called "native" or "offline", because the access rights are defined in the iProtect database itself and are distributed to the Sirius I series update readers.
Supporting OSS does not mean that every lock can be integrated effortlessly, since this part is not standardized. Please contact your consultant for the latest information about integrated locks.
1.1 System architecture
iProtect: The security management system from TKH Security.
Pluto/Orion: The network and door controller from TKH Security.
RS485 reader: The online update reader from TKH Security, used to manage the cards.
Card: The access control card of the end user.
OSS reader platform: The integration/software used to program OSS readers (supplier dependent).
OSS compatible card reader: The offline reader that supports OSS.
1.2 System requirements
Requirements with iProtect 10.3.xx:
Component       | License / card type                                             | Version
IPROTECT        | IPS-ATL (Mobile access)                                         | = 10.3.xx
Pluto Rootfs    |                                                                 | >= 5.68a
Readermanager   |                                                                 | >= 6.00.09.206
Orion           |                                                                 | >= 1.5.32
Sirius iX       | IPS-ON - online card reader license (44)                        | >= 2.9.4
Access Keys     | IPS-ACL - number of cards that can be created within the system |
Supported cards | Mifare DESFire                                                  | EV1, EV2 and EV3
DOM             | ENiQ v2, IPS-OFF - offline card reader license (48)             |
Bridge          |                                                                 | v24.01.31.1231

Requirements with iProtect 10.4.xx:
Component       | License / card type                                             | Version
IPROTECT        | IPS-ATL (Mobile access)                                         | >= 10.4.xx
Pluto Rootfs    |                                                                 | >= 6.12.x
Readermanager   |                                                                 | >= 6.00.09.206
Orion           |                                                                 | >= 1.5.32
Sirius iX       | IPS-ON - online card reader license (44)                        | >= 2.9.4
Access Keys     | IPS-ACL - number of cards that can be created within the system |
Supported cards | Mifare DESFire                                                  | EV1, EV2 and EV3
DOM             | ENiQ v2, IPS-OFF - offline card reader license (48)             |
Bridge          |                                                                 | v24.01.31.1231
2 Setup
2.1 Creating manufacturer
Every manufacturer has its own features, so the manufacturer must be set.
Installation | Hardware | OSS manufacturer
Add a new manufacturer:
Name: a logical name
OSS manufacturer type: select the desired manufacturer
OSS manufacturer configuration: select the desired manufacturer configuration
If the configuration does not exist, add the file in General | Settings | Media element, or use the default configuration by ticking the default selection box.
2.2 Creating provisioner elements
Specific files are needed for enrolling and updating OSS cards.
2.2.1 Enroll file
Installation | settings | Provisioner | Provisioner element
Check whether there is an element called "OSS enroll"; if not, create one.
Create a new element:
Name: a logical name (e.g. OSS enroll)
Type: Sirius iX only (or another reader type; the Sirius iX reader is recommended)
Provisioner file: OSS enroll
If the provisioner file does not exist, add the file in General | Settings | Media element.
2.2.2 Update configuration file
Installation | settings | Provisioner | Provisioner element
Check whether there is an element called OSS update; if not, create one.
Create a new element:
Name: a logical name (e.g. OSS update)
Type: Sirius iX only (or another reader type; the Sirius iX reader is recommended)
Provisioner file: OSS update
If the provisioner file does not exist, add the file in General | Settings | Media element.
2.2.3 Keyfile
The keyfile contains the key used to read and write the OSS data on the card. This key can be customer specific; ask your installer about this.
Installation | settings | Provisioner | Provisioner element
Check whether there is an element called OSS keys; if not, create one.
Create a new element:
Name: a logical name (e.g. OSS key)
Type: Reader keystore
Provisioner file: OSS default key
2.3 Creating provisioner groups
2.3.1 Provisioner enroll group
Installation | settings | Provisioner | Provisioner group
Check whether there is a group called OSS enroll; if not, create one.
Create a new group:
Name: a logical name (e.g. OSS enroll)
Type: reader config
Select for this group:
• OSS enroll
• OSS key
Optionally, an LED setting can be added if desired.
2.3.2 Provisioner update group
Installation | settings | Provisioner | Provisioner group
Check whether there is a group called OSS update; if not, create one.
Create a new group:
Name: a logical name (e.g. OSS update)
Type: reader config
Select for this group:
• OSS update
• OSS key
Optionally, an LED setting can be added if desired.
3 Configuring iProtect for Update/Enrollment
iProtect needs to be configured before a card reader can be used as an enrollment or update reader.
An enrollment reader is used to create the OSS application on the card.
An update reader is used to update the access rights and to collect transactions.
The difference is made in the card data interpretation. In total, three different interpretations are needed in a system, and all three must be placed under one Mifare DESFire presentation:
o Mifare DESFire default interpretation (for regular readers)
o Enrollment interpretation (for enrollment readers)
o Update interpretation (for update readers)
Please note that OSS can be approached in two different manners:
o The card does not yet contain the OSS application (default approach)
o The OSS application is already available on the card (some parts of the procedure can be skipped)
3.1 Configuring the Card presentation
This chapter assumes that the default Mifare DESFire card from TKH Security is used. If another card with other data formats is used, the card number settings can differ from the default settings.
Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation.
Right-click in the browse window and press "Add card number presentation".
Enter the following data:
o Name: specify a logical name (TKH Desfire)
o Calculated length: 0
Save the data.
3.1.1 Card interpretation for Update
Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation.
Right-click in the browse window on the presentation made in 3.1 and press "Add card data interpretation". Select as "default card data interpretation" "OSS TKH Desfire" and press "OK".
Enter the following data:
o Name: specify a logical name (e.g. OSS update)
o Cardtype: None
Click on the created interpretation and go to "system code". Enter the following data:
o Start: 5
o Length: 6
o Code: the DESFire system code
Click on the created interpretation and go to "facility". Enter the following data:
o Start: 21
o Length: 4
o Code: the code received from TKH Security
Click on the created interpretation and go to "Card number". Enter the following data:
o Start: 11
o Length: 10
o Modulo: empty
o Offset: empty
Click on the created interpretation and go to "interpretation selection". Enter the following data:
o Reader start: 25
o Reader length: 2
o Reader code: 1
Click on "Validity". Enter the following data:
o Validity period: enter the desired validity (max 8766 hours)
o Validity update after: enter the time after which a new update will be generated
Save the data.
3.1.2 Card interpretation for enrollment (if needed)
Please note that enrollment is only mandatory if the OSS application is not yet available on the card.
Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation.
Right-click in the selection window on the presentation made in 3.1 (default Desfire presentation) and press "Add card data interpretation".
Select as "default card data interpretation" "TKH Desfire".
Enter the following data:
o Name: specify a logical name
o Format cardtype: none
o Format data length: 14
Click on the created interpretation and go to "interpretation selection". Enter the following data:
o Reader start: 13
o Reader length: 2
o Reader code: 1
Click on the created interpretation and go to "offline validity". Enter the following data:
o Validity period: enter the desired validity (max 8766 hours)
o Validity update after: enter the time after which a new update will be generated
Save the data.
3.1.3 Card data interpretation for TKH DESFire (access)
Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation.
Right-click in the browse window on the presentation made in 3.1 and press "Add card data interpretation". Select as "default card data interpretation" "TKH Desfire".
Enter the following data:
o Name: specify a logical name
Click on the created interpretation and go to "system code". Enter the following data:
o Code: the DESFire system code
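The following Python is an added example, not code from TKH Security or from this manual. It models how the three interpretations of 3.1.1 to 3.1.3 sit under the single presentation of 3.1: each interpretation with a "interpretation selection" field is tried against the presented card data, the one whose reader code matches is used, and otherwise the default interpretation applies. It assumes that the presented card data is a character string, that "Start" is a 1-based position in that string (which makes the 3.1.1 fields contiguous: 5-10, 11-20, 21-24, 25-26), that the reader code is compared numerically with the selection field, and that the default interpretation reads the system code at the same position as the update interpretation. The sample card data and the validity values are constructed.

```python
"""Model of the card data interpretation dialogs of sections 3.1.1 to 3.1.3.

Added example, not TKH Security code. Assumptions: presented card data is a
string, "Start" is a 1-based position, the reader code is compared numerically,
and the default interpretation reads the system code at positions 5-10.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_VALIDITY_HOURS = 8766  # upper bound stated for "Validity period" in 3.1.1


@dataclass(frozen=True)
class Field:
    start: int   # 1-based position of the first character (assumption)
    length: int

    def extract(self, data: str) -> str:
        end = self.start - 1 + self.length
        if self.start < 1 or end > len(data):
            raise ValueError(f"field {self.start}/{self.length} lies outside data of length {len(data)}")
        return data[self.start - 1:end]


@dataclass
class Interpretation:
    name: str
    selection: Optional[Field] = None        # "interpretation selection": reader start/length
    reader_code: Optional[int] = None        # "reader code"
    data_length: Optional[int] = None        # "Format data length" (enrollment interpretation)
    system_code: Optional[Field] = None
    card_number: Optional[Field] = None
    facility: Optional[Field] = None
    validity_hours: Optional[int] = None     # "Validity period"
    update_after_hours: Optional[int] = None # "Validity update after"

    def __post_init__(self) -> None:
        # Reject a validity period outside the range the dialog accepts.
        if self.validity_hours is not None and not 0 < self.validity_hours <= MAX_VALIDITY_HOURS:
            raise ValueError(f"validity period must be 1..{MAX_VALIDITY_HOURS} hours")

    def matches(self, data: str) -> bool:
        """True when this interpretation's selection field identifies the data."""
        if self.selection is None or self.reader_code is None:
            return False  # a default interpretation is reached by fallback, not by selection
        if self.data_length is not None and len(data) != self.data_length:
            return False  # the 14-character enrollment format never matches longer data
        try:
            code = self.selection.extract(data)
        except ValueError:
            return False  # data too short to contain this selection field
        return code.isdigit() and int(code) == self.reader_code


@dataclass
class Presentation:
    name: str
    default: Interpretation
    interpretations: List[Interpretation]  # tried in order before falling back to default

    def interpret(self, data: str) -> Dict[str, str]:
        chosen = next((i for i in self.interpretations if i.matches(data)), self.default)
        result = {"interpretation": chosen.name}
        for key in ("system_code", "card_number", "facility"):
            fld = getattr(chosen, key)
            if fld is not None:
                result[key] = fld.extract(data)
        return result


def tkh_desfire_presentation() -> Presentation:
    """The presentation of 3.1 with the interpretations of 3.1.1 (update),
    3.1.2 (enrollment) and 3.1.3 (default). Validity values are constructed."""
    update = Interpretation(
        name="OSS update",
        system_code=Field(5, 6), card_number=Field(11, 10), facility=Field(21, 4),
        selection=Field(25, 2), reader_code=1,
        validity_hours=8766, update_after_hours=24 * 7,
    )
    enroll = Interpretation(
        name="OSS enroll", data_length=14,
        selection=Field(13, 2), reader_code=1,
        validity_hours=8766, update_after_hours=24 * 7,
    )
    # 3.1.3 gives no positions; the default is assumed to read the system code
    # at the same place as the update interpretation.
    default = Interpretation(name="TKH Desfire", system_code=Field(5, 6))
    return Presentation("TKH Desfire", default, [update, enroll])


if __name__ == "__main__":
    pres = tkh_desfire_presentation()
    # Constructed sample: 4-character header, system code, card number, facility, reader code.
    print(pres.interpret("AAAA" + "123456" + "0000000042" + "0007" + "01"))
    print(pres.interpret("ENROLLDATA00" + "01"))   # constructed 14-character enrollment data
```

The enrollment interpretation's "Format data length" is what keeps it from firing on longer update data whose characters 13-14 happen to be "01"; without that check the two selection fields would overlap.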
3.2 Configuring the Pluto
Make sure all connections are in accordance with the technical drawing and connect the Pluto to the network.
Open the browser and browse to the following address: https://192.168.1.195. The login screen appears.
Enter "controller" as username. The default password is "Pluto".
On the maintenance page, select "Network settings" and enter the desired information, such as the IP address and the gateway IP address.
Select "Hardware" and activate "Diagnostics". Diagnostics enables automatic detection and testing of the devices connected to the Pluto. Deactivate diagnostics after a successful test.
Select "Tools" and verify the connection with iProtect™ by entering the IP address of the iProtect™ server together with port number 20100 at Netcat, then press the "Test" button.
3.3 Configuring the line
Click in iProtect™ Aurora on the menu item Installation | Hardware | Line.
Right-click in the browse window and select "Add line". The detail window opens.
Enter the following data:
o Name: specify a logical name
o Type: "network device"
o Provisioner group: "Pluto"
o Active: (check)
o Active with node: (check)
o Function of the line: "Keyprocessor"
o IP address: enter the IP address of the Pluto
Click on the "Save" button.
Press the button "Send new Keystore".
Once the connection between iProtect™ and the Pluto is in place, the latest software update is installed on the Pluto automatically. This may take a few minutes. When finished, the "Current status" will be "Idle".
Click on the "Discover" button. The Pluto will automatically detect and configure the connected nodes.
Activate a connected reader by presenting an access card twice. The reader LED should blink.
Make sure the reader manager contains the correct reader files.
3.3.1 Configuring the enrollment reader (if needed)
Only an RS485 reader can be configured as enrollment reader.
Click in iProtect™ Aurora on the menu item Installation | Hardware | Reader.
Click on the "Search" button and select the correct reader.
Enter the following data:
o Name: specify a logical name
o Card data interpretation: select the enrollment card data interpretation made in chapter 3.1.2
o Provisioner group: select "OSS enroll", made in chapter 2.3.1
o Subnumber: enter the number of the reader port to which the reader is attached. This must be an RS485 reader.
Save the data.
3.3.2 Configuring the update reader
Only an RS485 reader can be configured as update reader.
Click in iProtect™ Aurora on the menu item Installation | Hardware | Reader.
Click on the "Search" button and select the correct reader.
Enter the following data:
o Name: specify a logical name
o Card data interpretation: select the update card data interpretation made in chapter 3.1.1
o Provisioner group: select "OSS update", made in chapter 2.3.2
o Subnumber: enter the number of the reader port to which the reader is attached.
Save the data.
4 Configuring iProtect for OSS readers
4.1 Configuration OSS line
Open the menu Installation | Hardware | Line.
Right-click and select "Add a new line".
Enter the following data:
o Name: specify a logical name
o Type: "Server"
o Active: (check)
o Active with nodes: (check)
o Modus: "Virtual line"
Save the data.
Note: license number 44 (Offline readers) is mandatory.
4.1.1 Configuring OSS node
Click in iProtect Aurora on the virtual line created in 4.1.
Right-click in the browse window and select "Add node". The detail window opens.
Enter the following data:
o Name: specify a logical name
o Active: (check)
o Function: "OSS"
o Other
o Card data interpretation: OSS update
o Time out: empty
o Max validity: empty
o Battery threshold: empty
Save the data.
4.1.2 Configuring an offline reader manually
Click in iProtect Aurora on the menu item Installation | Hardware | Reader.
Right-click in the browse window and select "Add Reader". The detail window opens.
Enter the following data:
o Name: specify a logical name
o Node: select the OSS node configured in 4.1.1
o Manufacturer: select the manufacturer name of the lock
o Subnumber: filled in automatically and changeable if desired (this is the reference lock number within OSS)
o Device address / PHI: specify the device number / address / PHI of the lock; this differs per manufacturer
Save the data.
Manufacturer-specific settings are shown if available, for example:
o Unlock time
o Alternate unlock time
4.2 DOM specific procedure for readers
If DOM is selected as manufacturer, the most common workflow is as follows.
4.2.1 First setup
1. Install the DOMbox and configure all the locks in the DOMploy application with the DOM service app on a mobile device.
2. Create all the offline locks in DOMploy as OSS doors.
   a. Use the same site ID for all locks (in iProtect this is the facility code selected in the "card data interpretation").
   b. Use a unique number for each Door ID (this will be the subnumber in the reader dialog).
3. Export all OSS doors (DOMploy).
4. Select the OSS node in iProtect.
5. Select DOM as manufacturer.
6. Upload the OSS doors export from DOMploy.
7. Press the import button.
   a. All locks exported from DOMploy are now added in iProtect.
8. If needed, modify the reader settings (such as open time).
9. Select the reader groups belonging to the offline readers for each reader.
10. Go back to the OSS node.
11. Check that the right manufacturer is selected (DOM).
12. Press the export button.
   a. An export (export.xml) is created and downloaded.
13. Import this file into the DOMploy application.
   a. The creation of the readers in iProtect is now completed and the door groups are added.
14. Update the offline readers.
Now the readers are set up and ready to use.
4.2.2 Modify a reader setting or reader group
If a change is needed:
1. Modify the reader settings if desired.
2. Modify the reader groups if desired.
3. Go back to the OSS node.
4. Check that the right manufacturer is selected (DOM).
5. Press the export button.
   a. An export (export.xml) is created and downloaded.
6. Import this file into the DOMploy application.
   a. The changes have now been made in DOMploy.
7. Update the offline readers.
5 Supported features
5.1 Offline door features
The features supported at the offline door depend on the implemented supplier.
5.2 Card features
This chapter describes the card features that can be used.
5.2.1 Transaction storage
The number of transactions that can be stored depends on the card settings. The default number of OSS transactions is 16. There is no difference between transaction types: when the storage is full, it is full.
5.2.2 Transaction settings
Per card, the transactions to be stored can be set. This can be found at: Access | Card | offline reader
5.2.3 Firefighter card
This function determines whether a card is a firefighter card or not.
Type: checkbox
o If selected: the card becomes a firefighter card, which means that there is no validity or expiration date. When presented, the door will stay permanently open.
o If not selected: the card becomes a normal access card.
5.2.4 Expiration date
Shows the offline expiration date.
Type: information
5.2.5 Status
Shows the status of the offline access profile.
Normal: the card does not need an update.
Update available: an offline access profile is available and the card can be updated.
Error: too many time zones are selected for the specific card.
5.2.6 Blocklist
This function blocks the affected card; the block information is spread to all locks via all cards in use for the offline locks.
Type: checkbox
o If selected: the card is block-listed.
o If not selected: the card is not block-listed.
5.2.7 Force update
When pressed, this button directly generates a new access profile in the database.
5.2.8 Alternate door unlatch time
This function determines whether the normal or the alternate door unlock time is used.
Type: checkbox
o If selected: the alternate unlock time is used.
o If not selected: the normal unlock time is used.
5.2.9 Activate office mode
This function determines whether the card may use the office mode functionality or not.
Type: checkbox
o If selected: office mode can be used.
o If not selected: office mode cannot be used.
Please be aware that office mode must also be activated on the lock (depending on the manufacturer).
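The following Python is an added example, not code from TKH Security or from this manual. It models the per-card offline features of 5.2 together with the two validity settings of 3.1.1 (validity period and update after): the expiration date of 5.2.4, the status values of 5.2.5, the firefighter card of 5.2.3 that has no expiration, the blocklist of 5.2.6, the force update of 5.2.7 and the fixed transaction storage of 5.2.1. It assumes that both validity settings are hours counted from the moment the access profile was generated, that "Update available" means that moment plus the update-after time has passed, that an expired profile is not accepted by the lock, and it represents the "too many time zones" condition behind the Error status as a flag. All sample values are constructed.

```python
"""Model of the per-card offline features of section 5.2.

Added example, not TKH Security code. Assumptions: validity period and update
after (3.1.1) are hours from profile generation; "Update available" means the
update-after time has passed; an expired profile is rejected; the Error
condition is represented by a flag.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MAX_VALIDITY_HOURS = 8766          # 3.1.1: maximum validity period
DEFAULT_TRANSACTION_SLOTS = 16     # 5.2.1: default number of OSS transactions


@dataclass
class OfflineCard:
    card_number: str
    profile_generated_at: datetime
    validity_hours: int                 # 3.1.1 "Validity period"
    update_after_hours: int             # 3.1.1 "Validity update after"
    firefighter: bool = False           # 5.2.3
    blocklisted: bool = False           # 5.2.6
    too_many_time_zones: bool = False   # 5.2.5 Error condition (assumed flag)
    transaction_slots: int = DEFAULT_TRANSACTION_SLOTS  # 5.2.2 per-card setting
    transactions: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 < self.validity_hours <= MAX_VALIDITY_HOURS:
            raise ValueError(f"validity period must be 1..{MAX_VALIDITY_HOURS} hours")

    def expiration_date(self) -> Optional[datetime]:
        """5.2.4: None for a firefighter card, which has no validity or expiration date."""
        if self.firefighter:
            return None
        return self.profile_generated_at + timedelta(hours=self.validity_hours)

    def is_expired(self, now: datetime) -> bool:
        exp = self.expiration_date()
        return exp is not None and now >= exp

    def status(self, now: datetime) -> str:
        """5.2.5: Normal, Update available or Error."""
        if self.too_many_time_zones:
            return "Error"
        if now >= self.profile_generated_at + timedelta(hours=self.update_after_hours):
            return "Update available"  # a new profile is generated after the update-after time
        return "Normal"

    def force_update(self, now: datetime) -> None:
        """5.2.7: generate a new access profile right away."""
        self.profile_generated_at = now

    def store_transaction(self, entry: str) -> bool:
        """5.2.1: every transaction type counts against the same slots; full is full."""
        if len(self.transactions) >= self.transaction_slots:
            return False
        self.transactions.append(entry)
        return True

    def grants_access(self, now: datetime) -> bool:
        """Offline decision as far as the manual describes it: the blocklist wins,
        a firefighter card never expires, any other card needs an unexpired profile."""
        if self.blocklisted:
            return False
        if self.firefighter:
            return True
        return not self.is_expired(now)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0)  # constructed profile generation time
    card = OfflineCard("0000000042", t0, validity_hours=48, update_after_hours=24)
    for hours in (1, 25, 48):
        now = t0 + timedelta(hours=hours)
        print(hours, card.status(now), card.grants_access(now))
    card.force_update(t0 + timedelta(hours=48))
    print("after force update:", card.status(t0 + timedelta(hours=49)))
```

The order of checks in grants_access matters: a blocklisted firefighter card must still be refused, which is why the blocklist is evaluated before the firefighter shortcut.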
6 Support of functions versus manufacturer