iProtect - OSS

Installation Manual | IM-20210309-TP-19

iProtect Access / Security | Functionalities |

This manual represents the knowledge at the above-mentioned time. TKH Security works non-stop to improve its products. For the most recent technical information, please contact your consultant or dealer.


1 iProtect and OSS

iProtect supports the OSS Standard Offline access application: it can enroll or update cards that conform
to the standard data-on-card solution. The OSS offline standard is a data-on-card standard in which the
access profiles are distributed via the access cards instead of online card readers. This is also called
“native” or “offline”, because the access rights are defined in the iProtect database itself and are
distributed to the Sirius I series update readers.

Supporting OSS does not mean that every lock can be integrated effortlessly, since this part is not standardized.
Please contact your consultant for the latest information about integrated locks.

1.1 System architecture

 

iProtect: The security management system from TKH Security.
Pluto/Orion: The network and door controller from TKH Security.
RS485 reader: The online update reader to manage the cards from TKH Security.
Card: The access control card of the end user.
OSS reader platform: The integration/software to program OSS readers (supplier dependent).
OSS compatible card reader: The OSS supporting offline reader.

1.2 System requirements

IPROTECT: IPS-ATL (Mobile access), = 10.3.xx
Pluto Rootfs: >= 5.68a
Readermanager: >= 6.00.09.206
Orion: >= 1.5.32
Sirius iX: IPS-ON - online card reader license (44), >= 2.9.4
Access Keys: IPS-ACL - number of cards that can be created within the system
Supported cards: Mifare DESFire EV1, EV2 and EV3
DOM: ENiQ v2, IPS-OFF - offline card reader license (48)
Bridge: v24.01.31.1231

IPROTECT: IPS-ATL (Mobile access), >= 10.4.xx
Pluto Rootfs: >= 6.12.x
Readermanager: >= 6.00.09.206
Orion: >= 1.5.32
Sirius iX: IPS-ON - online card reader license (44), >= 2.9.4
Supported cards: Mifare DESFire EV1, EV2 and EV3
Access Keys: IPS-ACL - number of cards that can be created within the system
DOM: ENiQ v2, IPS-OFF - offline card reader license (48)
Bridge: v24.01.31.1231


2 Setup

2.1 Creating manufacturer

Every manufacturer has its own features, so the manufacturer must be set.
Installation | Hardware | OSS manufacturer

Add a new manufacturer
Name: a logical name
OSS manufacturer Type: select the desired manufacturer
OSS manufacturer configuration: select the desired manufacturer

If the configuration does not exist, add the file in General | Settings | Media element, or use the default configuration by selecting the default selection box.

2.2 Creating provisioner elements

Specific files are needed for enrolling and updating OSS cards.

2.2.1 Enroll file

Installation | settings | Provisioner | Provisioner element
Check if there is an element called “OSS enroll”; if not, create one.

Create a new element
Name: a logical name (e.g. OSS enroll)
Type: Sirius iX only (or another reader type; the Sirius iX reader is recommended)
Provisioner file: OSS enroll

If the provisioner file does not exist, add the file in General | Settings | Media element.

2.2.2 Update configuration file

Installation | settings | Provisioner | Provisioner element
Check if there is an element called “OSS update”; if not, create one.

Create a new element
Name: a logical name (e.g. OSS update)
Type: Sirius iX only (or another reader type; the Sirius iX reader is recommended)
Provisioner file: OSS update

If the provisioner file does not exist, add the file in General | Settings | Media element.

2.2.3 Keyfile

The keyfile contains the key used to read and write the data on the card for the OSS part. This can be
customer specific. Ask your installer about this.

Installation | settings | Provisioner | Provisioner element
Check if there is an element called “OSS keys”; if not, create one.

Create a new element
Name: a logical name (e.g. OSS key)
Type: Reader keystore
Provisioner file: OSS default key

2.3 Creating provisioner groups

2.3.1 Provisioner enroll group

Installation | settings | Provisioner | Provisioner group
Check if there is an element called “OSS enroll”; if not, create one.

Create a new group
Name: a logical name (e.g. OSS enroll)
Type: reader config
Select for this group
• OSS enroll
• OSS key
Optionally, an LED setting can be added if desired.

2.3.2 Provisioner update group

Installation | settings | Provisioner | Provisioner group
Check if there is an element called “OSS update”; if not, create one.

Create a new group
Name: a logical name (e.g. OSS update)
Type: reader config
Select for this group
• OSS update
• OSS key
Optionally, an LED setting can be added if desired.


3 Configuring iProtect for Update/Enrollment

iProtect needs to be configured before a card reader can be used as an enrollment or update reader.

  • An enrollment reader is used to create the OSS application on the card.

  • An update reader is used to update the access rights and collect transactions.


The difference is made in the card data interpretation. In total, three different interpretations are needed in a system;
all three must be placed under one Mifare DESFire presentation:

  • Mifare DESFire default interpretation (for regular readers)

  • Enrollment interpretation (for enrollment readers)

  • Update interpretation (for update readers)


Please note that OSS can be approached in two different ways:

  1. The card does not contain the OSS application (default approach)

  2. The OSS application is already available on the card (some parts can be ignored)

3.1 Configuring the Card presentation

This chapter assumes that the default Mifare DESFire card from TKH Security is used. If another card with
other data formats is used, the card number settings can differ from the default settings.

  1. Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation.

  2. Right-click in the browse window and press on “Add card number presentation”.

  3. Enter the following data:
    o Name: Specify a logical name (TKH Desfire)
    o Calculated length: 0

  4. Save the data

3.1.1 Card interpretation for Update

  1. Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation.

  2. Right-click in the browse window on the presentation made in 3.1 and press on “Add card data interpretation”.

  3. Select as “default card data interpretation” “OSS TKH Desfire”.

  4. Press on “OK”.

  5. Enter the following data:
    o Name: Specify a logical name (e.g. OSS update)
    o Cardtype: None

  6. Click on the created interpretation and go to “system code”. Enter the following data:
    o Start: 5
    o Length: 6
    o Code: the DESFire system code

  7. Click on the created interpretation and go to “facility”. Enter the following data:
    o Start: 21
    o Length: 4
    o Code: the code received from TKH Security

  8. Click on the created interpretation and go to “Card number”. Enter the following data:
    o Start: 11
    o Length: 10
    o Modulo: empty
    o Offset: empty

  9. Click on the created interpretation and go to “interpretation selection”. Enter the following data:
    o Reader start: 25
    o Reader length: 2
    o Reader code: 1

  10. Click on Validity
    o Validity period: enter the desired validity (max 8766 hours)
    o Validity update after: enter the time after which a new update will be generated

  11. Save the data

3.1.2 Card interpretation for enrollment (if needed)

Please note: enrollment is only mandatory if the OSS application is not yet available on the card.

  1. Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation

  2. Right-click in the selection window on the presentation made in 3.1 (default Desfire presentation) and press on “Add card data interpretation”

  3. Select as “default card data interpretation” “TKH Desfire”

  4. Enter the following data:
    o Name: Specify a logical name
    o Format cardtype: none
    o Format Data length: 14

  5. Click on the created interpretation and go to “interpretation selection”. Enter the following data:
    o Reader start: 13
    o Reader length: 2
    o Reader code: 1

  6. Click on the created interpretation and go to “offline validity”. Enter the following data:
    o Validity period: enter the desired validity (max 8766 hours)
    o Validity update after: enter the time after which a new update will be generated

  7. Save the data
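
The field positions from 3.1.1 and 3.1.2 can be sanity-checked before they are entered in the dialogs. The following is an added example, not part of the original manual and not TKH Security software. It assumes that Start is a 1-based position and Length a number of positions in the card data, that the update should be generated before the validity period ends, and it uses constructed sample data.

```python
# Added example, not TKH Security code. Assumption: "Start" is a 1-based
# position and "Length" a count of positions in the card data string; the
# manual does not state the unit.
MAX_VALIDITY_HOURS = 8766  # maximum validity period given in 3.1.1 / 3.1.2

# (start, length) per field, copied from the steps in 3.1.1 and 3.1.2.
UPDATE = {"system code": (5, 6), "card number": (11, 10),
          "facility": (21, 4), "interpretation selection": (25, 2)}
ENROLL = {"interpretation selection": (13, 2)}
ENROLL_DATA_LENGTH = 14  # "Format Data length" from 3.1.2

# Constructed sample data (26 positions), not a real card read-out.
SAMPLE = "0000" + "123456" + "0000004711" + "0042" + "01"


def check_layout(fields, data_length=None):
    """Return problems: invalid bounds, fields past the end, overlaps."""
    problems, spans = [], []
    for name, (start, length) in fields.items():
        if start < 1 or length < 1:
            problems.append(f"{name}: start and length must be >= 1")
            continue
        end = start + length - 1
        if data_length is not None and end > data_length:
            problems.append(f"{name}: ends at {end}, data length is {data_length}")
        spans.append((start, end, name))
    prev_end, prev_name = 0, None
    for start, end, name in sorted(spans):
        if start <= prev_end:
            problems.append(f"{name} starts at {start}, inside {prev_name}")
        if end > prev_end:
            prev_end, prev_name = end, name
    return problems


def check_validity(period_hours, update_after_hours):
    """Check the validity settings; update-before-expiry is an assumption."""
    problems = []
    if not 1 <= period_hours <= MAX_VALIDITY_HOURS:
        problems.append(f"validity period {period_hours} h is outside 1-{MAX_VALIDITY_HOURS} h")
    if update_after_hours >= period_hours:
        problems.append("update is not generated before the validity period ends")
    return problems


def extract(fields, data):
    """Slice every field out of a card data string using 1-based positions."""
    return {n: data[s - 1:s - 1 + l] for n, (s, l) in fields.items()}


if __name__ == "__main__":
    print(check_layout(UPDATE, len(SAMPLE)), check_layout(ENROLL, ENROLL_DATA_LENGTH))
    print(extract(UPDATE, SAMPLE))
    print(check_validity(8766, 24))
```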

3.1.3 Card data interpretation for TKH DESFire (access)

  1. Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation.

  2. Right-click in the browse window on the presentation made in 3.1 and press on “Add card data interpretation”

  3. Select as “default card data interpretation” “TKH Desfire”

  4. Enter the following data:
    o Name: Specify a logical name

  5. Click on the created interpretation and go to “system code”. Enter the following data:
    o Code: the DESFire system code

3.2 Configuring the Pluto

  1. Make sure all connections are in accordance with the technical drawing and connect the Pluto to the
    network.

  2. Open the Explorer and browse to the following address: https://192.168.1.195. The login screen appears.

  3. Enter “controller” as username. The default password is “Pluto”.

  4. On the maintenance page select “Network settings” and enter the desired information like IP address and
    IP address gateway.

  5. Select “Hardware” and activate “Diagnostics”. Diagnostics enables automatic detection of devices
    connected to the Pluto and testing of it. Deactivate diagnostics after successful test.

  6. Select “Tools” and verify the connection with iProtect™ by entering the IP address of the iProtect™
    server together with port number 20100 at Netcat and press the “Test” button.

3.3 Configuring the line

  1. Click in iProtect™ Aurora on the menu item Installation | Hardware | Line.

  2. Right-click in the browse window and select “Add line”. The detail window opens.

  3. Enter the following data:
    o Name: “specify a logical name”
    o Type: “network device”
    o Provisioner group: “Pluto”
    o Active: (check)
    o Active with node: (check)
    o Function of the line: “Keyprocessor”
    o IP address: “enter the IP address of the Pluto”

  4. Click on the “Save” button.

  5. Press the button “Send new Keystore”.

Once the connection between iProtect™ and the Pluto is in place, the latest software update is
installed on the Pluto automatically. This may take a few minutes. When finished, the
“Current status” will be “Idle”.

  1. Click on the “discover” button. The Pluto will automatically detect and configure connected nodes.

  2. Activate the connected reader by presenting an access card twice. The reader LED should be blinking.

  3. Be sure the reader manager contains the correct reader files.

3.3.1 Configuring the enrollment reader (if needed)

Only an RS485 reader can be configured as enrollment reader.

  1. Click in iProtect™ Aurora on the menu item Installation | Hardware | Reader.

  2. Click on the “Search” button and select the correct Reader.

  3. Enter the following data:
    o Name: Specify a logical name
    o Card data interpretation: Enter the enrollment card data interpretation which is made in chapter 3.1.2
    o Provisioner group: select “OSS enroll” which is made in chapter 2.3.1
    o Subnumber: Enter the reader port number to which the reader is attached. This must be an RS485 reader.

  4. Save the data.

3.3.2 Configuring the update reader

Only an RS485 reader can be configured as update reader.

  1. Click in iProtect™ Aurora on the menu item Installation | Hardware | Reader.

  2. Click on the “Search” button and select the correct Reader.

  3. Enter the following data:
    o Name: Specify a logical name
    o Card data interpretation: Enter the update card data interpretation which is made in chapter 3.1.1
    o Provisioner group: select “OSS update” which is made in chapter 2.3.2
    o Subnumber: Enter the reader port number to which the reader is attached.

  4. Save the data.


4 Configuring iProtect for OSS readers

4.1 Configuration OSS line

  1. Open menu Installation | Hardware | Line

  2. Right-click to “add a new line”

  3. Enter the following data:
    o Name: specify a logical name
    o Type: “Server”
    o Active: (check)
    o active with nodes: (check)
    o Modus: “Virtual line”

  4. Save the data.
    Note: License number 44: Offline readers is mandatory

4.1.1 Configuring OSS node

  1. Click in iProtect Aurora on the Virtual line which is created in 4.1

  2. Right-click in the browse window and select “Add node”. The detail window opens.

  3. Enter the following data:
    o Name: Specify a logical name
    o Active: (check)
    o Function: “OSS”
    o Other
    o Card data interpretation: OSS update
    o Time out: empty
    o Max validity: empty
    o Battery threshold: empty

  4. Save the data.

4.1.2 Configuring offline reader manually.

  1. Click in iProtect Aurora on the menu item Installation | Hardware | Reader.

  2. Right-click in the browse window and select “Add Reader”. The detail window opens.

  3. Enter the following data:
    o Name: Specify a logical name
    o Node: select the OSS node as configured in 4.1.1
    o Manufacturer: select the manufacturer name of the lock
    o Subnumber: filled in automatically and changeable if desired (this is the reference lock number within OSS)
    o Device address / PHI: specify the device number / address / PHI of the lock; this differs per manufacturer

  4. Save the data

  5. Manufacturer-specific settings will be shown if available, such as:
    o Unlock time
    o Alternate unlock time

4.2 DOM specific procedure for readers

If DOM is selected as manufacturer, the most commonly used workflow is as follows.

4.2.1 First setup

  1. Install the DOMbox and configure all the locks in the DOMploy application with the DOM service app on a mobile.

  2. Create all the offline locks in DOMploy as OSS doors
    a. Use the same site ID for all locks (in iProtect: the facility code selected in the “card data interpretation”)
    b. Use a unique number for Door ID (this will be the sub number in the reader dialog)

  3. Export all OSS doors (DOMploy)

  4. Select in iProtect the OSS Node

  5. Select the DOM as manufacturer

  6. Upload the OSS doors export from DOMploy

  7. Press the import button
    a. All locks that were exported from DOMploy are now added in iProtect

  8. If needed, modify the reader settings (such as open time)

  9. For each reader, select the reader groups belonging to the offline readers

  10. Go back to the OSS node

  11. Check if the right manufacturer is selected (DOM)

  12. Press the export button
    a. An export (export.xml) is created and downloaded

  13. Import this file into the DOMploy application
    a. The creation of the readers in iProtect is now completed and the door groups are added.

  14. Update the offline readers
    The readers are now set up and ready to use.

4.2.2 Modify a reader setting or reader group

If a change is needed:

  1. Modify the reader settings if desired

  2. Modify the reader groups if desired

  3. Go back to the OSS node

  4. Check if the right manufacturer is selected (DOM)

  5. Press the export button
    a. An export (export.xml) is created and downloaded

  6. Import this file into the DOMploy application
    a. The changes have now been made in DOMploy

  7. Update the offline readers


5 Supported features

5.1 Offline door features

The features supported at the offline door depend on the implemented supplier.

5.2 Card features

This chapter describes the features which can be used.

5.2.1 Transaction storage

The number of transactions depends on the card settings. The default number of OSS transactions is 16. There is no difference between transaction types. Full is full.

5.2.2 Transaction settings

The stored transactions can be set per card. This can be found at: Access | Card | offline reader

5.2.3 Firefighter card

This function determines whether a card is a firefighter card or not.

Type: checkbox
o If selected
    o The card will become a firefighter card, which means that there is no validity or expiration date. When presented, the door will stay permanently open.
o If not selected
    o The card will become a normal access card

5.2.4 Expiration date

Shows the offline expiration date.

Type: information

5.2.5 Status

Shows the status of the offline access profile.

Normal: card does not need an update
Update available: offline access profile is available, and the card can be updated.
Error: too many time zones are selected for the specific card

5.2.6 Blocklist

This function blocks the affected card; this information is spread to all locks via all cards which are in use for the offline locks.

Type: checkbox
o If selected
    o Card is block-listed
o If not selected
    o Card is not block-listed

5.2.7 Force update

When pressed, this button directly generates a new access profile in the database.

5.2.8 Alternate door unlatch time

This function determines whether the normal or the alternate door unlock time will be used.

Type: checkbox
o If selected
    o Alternate unlock time will be used
o If not selected
    o Normal unlock time will be used

5.2.9 Activate office mode

This function determines whether the card may use the office mode functionality or not.

Type: checkbox
o If selected
    o Office mode can be used
o If not selected
    o Office mode cannot be used

Please be aware that the office mode must also be activated on the lock (depending on manufacturer).


6 Support of functions versus manufacturer