This manual represents the knowledge at the above-mentioned time. TKH security works non-stop to improve its products. For the most recent technical information please contact your consultant or dealer.
1. Introduction
This document is the installation and operations manual for access on iProtect card readers using an Android or Apple mobile phone via a BLE connection.
1.1 Token Authority
To have a secure encrypted connection between the card reader and the mobile phone, a cloud-based Token Authority is used. The mobile phone and the card reader must be part of the same Token Authority in order to decrypt the communication between mobile phone and card reader. The iProtect system can support one Token Authority. How this must be configured is described in this manual.
2. Necessities
2.1 iProtect License
To activate IPROTECT Access on the iProtect system a license is required:
Description | Supported from iProtect version | License number |
---|---|---|
IPROTECT Access system | 10.01.37 | 1700 |
External services | 10.01.37 | 47 |
2.2 Mobile phone apps
There are two mobile apps available for IPROTECT Access. These apps can be downloaded from Google Play for Android devices and from the App Store for Apple devices.
Previously the apps were called Cosmos access and Cosmos config.
APP | Description |
---|---|
IPROTECT Access | For everyday use. The app serves as a digital access card |
IPROTECT Config | This app is for the system installers. It is used to assign and de-assign readers to the IPROTECT Access Token Authority (TA) and make reader specific settings |
2.3 Mandatory settings to check
Please check/set the following settings:
• The iProtect server needs to have an internet connection (mandatory)
• DNS settings need to be set
• The time settings should be set correctly. Use an NTP server.
• Set the time zone settings of the system correctly
• Port 443 is used to communicate with the Token Authority
• Ping a public IP address. A proper reply is needed!
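The checklist above can be verified from the iProtect server itself before the Database link is created. The script below is an added example and is not part of the iProtect manual or of TKH software: it resolves the Token Authority domains (the dialog defaults from the Database link settings), attempts a TCP connection on port 443, and measures the clock offset against an NTP server with a minimal SNTP request. The NTP server name and the 60-second offset tolerance are assumptions.

```python
"""Pre-flight connectivity and clock checks for an iProtect server.

Added example, not part of the iProtect manual or TKH software.
Assumptions: NTP_SERVER and MAX_CLOCK_OFFSET_SECONDS are chosen here;
the host names are the Database link dialog defaults.
"""
import socket
import struct
import time
from typing import Dict, Optional

TOKEN_AUTHORITY_HOSTS = ("auth.eu.token-authority.com", "eu.token-authority.com")
TOKEN_AUTHORITY_PORT = 443
NTP_SERVER = "pool.ntp.org"        # assumption: any reachable NTP server will do
MAX_CLOCK_OFFSET_SECONDS = 60.0    # assumption: tolerance before flagging the clock
NTP_EPOCH_OFFSET = 2208988800      # seconds between 1900-01-01 and 1970-01-01


def resolve(host: str) -> Optional[str]:
    """Return the IPv4 address for host, or None when DNS cannot resolve it."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def clock_offset_seconds(server: str = NTP_SERVER, timeout: float = 5.0) -> float:
    """Local clock minus NTP server clock, using a minimal SNTP client request."""
    request = b"\x1b" + bytes(47)  # LI=0, VN=3, Mode=3 (client); remaining fields zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(48)
    # Transmit Timestamp: 32-bit seconds and 32-bit fraction at bytes 40..47
    seconds, fraction = struct.unpack("!II", reply[40:48])
    server_time = seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32
    return time.time() - server_time


def clock_ok(offset: float, tolerance: float = MAX_CLOCK_OFFSET_SECONDS) -> bool:
    """Decision rule kept separate so it can be tested without network access."""
    return abs(offset) <= tolerance


def preflight() -> Dict[str, bool]:
    """Run every check and return a mapping of check name -> passed."""
    results: Dict[str, bool] = {}
    for host in TOKEN_AUTHORITY_HOSTS:
        results[f"dns {host}"] = resolve(host) is not None
        results[f"tcp {host}:{TOKEN_AUTHORITY_PORT}"] = tcp_reachable(host, TOKEN_AUTHORITY_PORT)
    try:
        results["clock"] = clock_ok(clock_offset_seconds())
    except OSError:  # DNS failure, UDP blocked, or no reply within the timeout
        results["clock"] = False
    return results


if __name__ == "__main__":
    for name, passed in preflight().items():
        print(f"{'OK  ' if passed else 'FAIL'} {name}")
```

A failing `tcp` line with a passing `dns` line usually points at an outbound firewall rule for port 443; a failing `clock` line with the other checks passing means the NTP configuration of the server still needs attention.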
2.4 Supported hardware and software
Hardware / Software | Description | From version |
---|---|---|
iProtect | SMS | 10.01.37 |
Pluto | Reader manager | 05.03.39 |
Orion | Orion firmware | 1.05.18 |
ApolloN | Reader manager | 05.03.39 |
RIO | RIO firmware | Future |
Sirius iX series reader | Card reader firmware | 2.5.20 |
Protocol | Clock/Data, Wiegand, RS485 | |
The versions listed above are the versions from which Mobile Access is supported. Further developments, such as new functionality or support for other hardware, may change these version numbers. All versions are supplied by iProtect (provisioner).
3. Setup IPROTECT Access
The chapter below describes the steps that are necessary within iProtect.
3.1 Configure the Card configuration (Step 1)
To create a Service / Database link within iProtect for the Token Authority Service, a card configuration is mandatory.
3.1.1 Card data interpretation group
To enable a combination of physical cards and mobile devices, a Card Data Interpretation Group is needed.
In iProtect, browse to menu: Access | Settings | Card coding | Card data interpretation group.
Right click in the search field and choose “add Card data interpretation group”:
Field | Content |
---|---|
Name | Logical name, e.g. IPROTECT Access group |
3.1.2 Card number presentation
A Card Number Presentation is needed to determine how the card number is entered and displayed.
In iProtect, browse to menu: Access | Settings | Card coding | Card number presentation.
Right click in the search field and choose “add Card number presentation”:
Field | Content |
---|---|
Name | Logical name, e.g. IPROTECT Access |
Format | Alpha numeric |
Calculated length | 10 |
3.1.3 Card data interpretation
Card data interpretation is needed to determine how to interpret the data from the mobile devices.
In iProtect, browse to menu: Access | Settings | Card coding | Card data interpretation.
Right click on the “Card number presentation” that was just created and choose “add Card data interpretation”.
3.1.3.1 For Clock/data (ABA) and RS485 readers
Field | Content |
---|---|
Name | Logical name, e.g. IPROTECT Access |
Default card data interpretation | Mobile access, click “set” |
Card data interpretation group | IPROTECT Access group |
Tab: Format | Data length: 18 |
Tab: Card | Start: 2; Length: 17 |
3.1.3.2 For Wiegand readers
Field | Content |
---|---|
Name | Logical name, e.g. IPROTECT Access-WG |
Default card data interpretation | Wiegand 26, click “set” |
Card data interpretation group | IPROTECT Access group |
Tab: Format | Data length: 66 |
Tab: System code | Start: 1; Length: 0; Code: (empty) |
Tab: Card number | Start: 6; Length: 60; Modulo: (empty) |
Tab: Parity | Left: Odd; Right: Odd; Left start: 1; Right start: 34; Left length: 33; Right length: 33 |
When Wiegand readers are used alongside Clock/data (ABA) and/or RS485 readers, implement both interpretations under the same card number presentation.
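To make the two interpretations above concrete, the following added example (not code from the iProtect manual or from TKH) models what the dialog fields mean: for Clock/data (ABA) and RS485 the card number is the 17 characters starting at position 2 of an 18-character frame; for Wiegand the card number is the 60 bits starting at bit 6 of a 66-bit frame, with an odd-parity check over bits 1–33 and another over bits 34–66. The example assumes, as is usual for Wiegand, that each parity window includes its own parity bit (bit 1 and bit 66) and that bits 2–5 carry no card data under this interpretation; `build_wiegand_frame` is a helper that constructs frames for testing only.

```python
"""Card data interpretation for IPROTECT Access readers (section 3.1.3).

Added example, not part of the iProtect manual or TKH software.
Assumptions: positions are 1-based as in the iProtect dialog; each Wiegand
parity window includes its own parity bit; bits 2-5 are not card data.
"""

# Wiegand interpretation, values from the dialog in 3.1.3.2
WG_DATA_LENGTH = 66
WG_CARD_START, WG_CARD_LENGTH = 6, 60
WG_LEFT_START, WG_LEFT_LENGTH = 1, 33
WG_RIGHT_START, WG_RIGHT_LENGTH = 34, 33

# Clock/data (ABA) and RS485 interpretation, values from the dialog in 3.1.3.1
ABA_DATA_LENGTH = 18
ABA_CARD_START, ABA_CARD_LENGTH = 2, 17


def _window(data: str, start: int, length: int) -> str:
    """Slice using the dialog's 1-based 'Start' and 'Length' fields."""
    return data[start - 1:start - 1 + length]


def _is_odd_parity(window: str) -> bool:
    return window.count("1") % 2 == 1


def parse_wiegand_frame(bits: str) -> int:
    """Validate a 66-bit Wiegand frame ('0'/'1' string) and return the card number."""
    if len(bits) != WG_DATA_LENGTH or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {WG_DATA_LENGTH} binary digits, got {len(bits)}")
    if not _is_odd_parity(_window(bits, WG_LEFT_START, WG_LEFT_LENGTH)):
        raise ValueError("left parity check failed (bits 1-33)")
    if not _is_odd_parity(_window(bits, WG_RIGHT_START, WG_RIGHT_LENGTH)):
        raise ValueError("right parity check failed (bits 34-66)")
    return int(_window(bits, WG_CARD_START, WG_CARD_LENGTH), 2)


def build_wiegand_frame(card_number: int) -> str:
    """Construct a valid frame for a card number (test data, not reader output)."""
    if not 0 <= card_number < 1 << WG_CARD_LENGTH:
        raise ValueError("card number does not fit in 60 bits")
    header = "0000"  # bits 2-5, assumed unused by this interpretation
    payload = header + format(card_number, f"0{WG_CARD_LENGTH}b")  # bits 2..65
    # Bit 1 makes bits 1..33 odd; bit 66 makes bits 34..66 odd.
    left_bit = "0" if payload[:32].count("1") % 2 == 1 else "1"
    right_bit = "0" if payload[32:].count("1") % 2 == 1 else "1"
    return left_bit + payload + right_bit


def parse_aba_frame(data: str) -> str:
    """Clock/data (ABA) and RS485: 18 characters, card number is characters 2..18."""
    if len(data) != ABA_DATA_LENGTH:
        raise ValueError(f"expected {ABA_DATA_LENGTH} characters, got {len(data)}")
    return _window(data, ABA_CARD_START, ABA_CARD_LENGTH)


if __name__ == "__main__":
    frame = build_wiegand_frame(123456789)
    print(frame, "->", parse_wiegand_frame(frame))
    print(parse_aba_frame("012345678901234567"))
```

A frame whose parity does not match is rejected before any card number is extracted, which is the behaviour to expect from the reader manager when the parity fields in the dialog do not match the reader's actual output.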
3.2 Configure the Service / database link (Step 2)
In iProtect, browse to menu: Installation | Settings | Services | Database link:
Right click in the search field and choose “add database link”.
Select type: IPROTECT Access.
Field | Content | Description |
---|---|---|
Name | Logical name, e.g. IPROTECT Access | |
Active | “checked” | |
Tenant ID | The tenant ID received from TKH security | |
Client ID | The client ID received from TKH security | |
Client Secret | The client secret received from TKH security | |
Time out (sec.) | Default 45 seconds, do not change unless advised by TKH | Basic interval timer for multiple Token Authority processes. Changing this setting will cause a reboot of the Service. |
Auth Domain | The Identity provider received from TKH security | Default: //auth.eu.token-authority.com |
Main Domain | The Connection URL received from TKH security | Default: //eu.token-authority.com |
Card data interpretation | e.g. IPROTECT Access | Select one of the Card data interpretations that are also grouped. See step 1. |
Poll rate (%) | Default 100%. TKH security can advise whether this setting should be changed | How does it work (examples): |
3.2.1 Overall functional state
The functional state shows the connection with the Token Authority:
Functional state | Description | Cause / details |
---|---|---|
Service fully functional | System is running properly | |
Service partly functional | System is not running properly | Service cannot connect with the Token Authority, or iProtect cannot connect to the Service |
Service in calamity mode | It will recover automatically after some time (could be hours) | There is too much traffic between iProtect and the Token Authority. This can occur with bulk import or with too many pending requests such as assign/revoke invitations or tasks. Polling for status updates is postponed. |
Service not functional | There is no connection with the Token Authority | |
3.3 Configure card reader for IPROTECT Access (step 3)
We assume that a card reader is already implemented in the iProtect system and works with conventional “RFID” cards or tags.
3.3.1 Search the reader
Browse to menu: Installation | Hardware | Reader.
Select the reader you want to use with IPROTECT Access.
IPROTECT Access is only supported on iX readers connected to a Pluto-Orion (RS485 or USB).
3.3.2 Activate IPROTECT Access on the reader
The option to activate IPROTECT Access becomes available when a Card data interpretation is selected that is part of the IPROTECT Access group created in step 1.
After IPROTECT Access is activated on a reader, additional options and statuses are displayed within minutes:
Entity state | Description | Required app |
---|---|---|
To be assigned | Reader needs to be added to the Token Authority and must be provided with an IPROTECT Access token | IPROTECT Config app required |
To be unassigned | The IPROTECT Access token needs to be deleted from the reader and the Token Authority | IPROTECT Config app required |
Assigned | Access can be granted by using a mobile device | IPROTECT Access app required |
By default, Bluetooth is activated on the reader for 10 minutes after a reboot.
When assigning a new reader, reboot it or present an installer card to the reader. After one of these actions you have 10 minutes to assign the reader to the Token Authority with the IPROTECT Config app.
3.3.3 Reader provisioner group (RS485 card reader only)
By enabling IPROTECT Access on a reader, a new type of identification is activated.
The system must know what to do with the data and how to handle it when a mobile device is presented. This information is described in a Reader provisioner file and needs to be set for every reader.
The following provisioner group must be selected in the reader dialog, see the table below:
Used (RFID) card technology | Provisioner group |
---|---|
TKH default Mifare or Desfire | Use: Pluto SiriusIX MifareSec, Desfire and BLE (system default) |
UID 4 bytes (10 dec) | Use: Pluto SiriusIX Serial 10 digits and BLE (system default) |
UID 7 bytes (17 dec) | Use: Pluto SiriusIX Serial 17 digits and BLE (system default) |
3.3.4 App interaction options
Basically, there are two ways of granting access at the reader when using the IPROTECT Access app:
Selection | Description |
---|---|
Scan & Go | Presenting the mobile device near the reader to get access |
Select & Go | Nearby readers can be selected and opened in the app at the touch of a button (e.g. parking barriers) |
Besides this behaviour, how the mobile device may be used at a specific reader can be set:
Selection | Description |
---|---|
All - In background | The mobile device does not need to be unlocked before it is presented to the reader. When the app is opened, nearby readers can be selected and opened in the app at the touch of a button |
Select & Go | Nearby readers can be selected and opened in the app at the touch of a button |
Scan & Go - In background | The mobile device does not need to be unlocked before it is presented to the reader. |
Scan & Go and Select & Go | The mobile device needs to be unlocked before presenting it to the reader. Select & Go can also be used for this reader. |
Scan & Go - Device unlocked | The mobile device needs to be unlocked before presenting it to the reader. Select & Go cannot be used for this reader. |
3.3.5 Assign a reader to the Token Authority
After IPROTECT Access is activated on a reader, the reader needs to be assigned to the Token Authority by using the IPROTECT Config app. These readers will have the entity state: “To be assigned”.
iProtect checks for status changes in the Token Authority to see whether the reader has already been (un)assigned:
Time after (un)assigning | Description |
---|---|
0 – 10 minutes | Checked every 45 seconds |
10 min – 1 hour | Checked every 180 seconds |
1 hour and longer | Checked every 300 seconds |
To be able to (un)assign a reader to the Token Authority with the IPROTECT Config app, a card with config rights needs to be created within iProtect.
Follow the instructions in the app to Assign the reader. The reader will be available on the assign list. After this action, the reader can be used for IPROTECT Access.
3.3.6 Unassign a reader from the Token Authority
This action must be performed to remove the card reader from the IPROTECT Access Token Authority, when the reader should not work with IPROTECT Access anymore.
When the IPROTECT Access checkbox is deactivated, the entity state at the reader becomes “To be unassigned”. The reader needs to be Unassigned using the IPROTECT Config app.
Follow the instructions in the app to Unassign the reader. The reader will be available on the Unassign list.
After this action, the reader cannot be used anymore for IPROTECT Access until it is assigned again.
3.3.7 Installer rights system user
A system user with installer rights has more rights in iProtect. This gives the person more status fields, but also the right to remove a defective reader from the Token Authority.
In iProtect, browse to menu: Installation | Authorization | System user.
Search the system user for whom the ‘Installer rights’ should be activated and enable this. After enabling, log out and log in again.
What the installer additionally gets:
Dialog | Added | Description |
---|---|---|
Card | Synchronization status | |
Reader | Synchronization status | |
| Force remove button | When a reader cannot be unassigned (broken), this removes the reader from the Token Authority. Be aware! When this action is performed and the reader is to be re-used for IPROTECT Access, the reader must be sent back to TKH-Security. |
When a reader needs to be assigned to a new system / Token Authority, unassign the reader from the Token Authority first. Then the reader can be assigned to any other system / Token Authority.
When a reader needs to be replaced, unassign the reader from the Token Authority first. After the reader is replaced, it needs to be assigned to the Token Authority again.
Version ≥ 10.03: when the reader has had the status “To be (un)assigned” for longer than 48 hours, the reader event “Task timed out” is generated.
4. Maintenance and statuses
This chapter describes the maintenance that can be performed on the Token Authority using iProtect.
4.1 Status of IPROTECT Access cards
Browse to iProtect menu: Access | Overviews | Status | Card token authority status.
In this dialogue the status is shown of all IPROTECT Access cards. It is possible to search for “Registered” (accepted invites) and “Not registered” (not accepted invites).
4.2 Status of IPROTECT Access card readers
Browse to iProtect menu: Installation | Overviews | Status | Reader token authority status.
In this dialogue the status is shown of all IPROTECT Access card readers. It is possible to search for “Registered” (Assigned readers) and “Not registered” (unassigned readers).
4.3 Debug logging Token Authority
In case debug logging is needed, this can be activated in the database link dialogue.
In iProtect, browse to menu: Installation | Settings | Services | Database link. Search and select the IPROTECT Access service. Click the button “Enable”.
The extensive logging will be enabled for 10 minutes. The log is written in the “Catalina” log file. The logfile can be read and downloaded in the iProtect maintenance page, dialogue: Logging | User interface.
4.4 Inconsistency between iProtect IPROTECT Access readers and the Token Authority readers
Inconsistency can occur in some situations, for example when an old iProtect backup is restored in which some readers were not yet assigned to the Token Authority. In that case, the Token Authority has assigned readers that do not have the assigned status in iProtect. This can be corrected.
In iProtect, browse to menu: Installation | Settings | Services | Database link. In the dialogue “Unknown readers in token authority” click “Fetch”; the result screen shows readers that are in the Token Authority but not in the iProtect system. When selected, they can be removed from the Token Authority.
When readers need to be assigned to the Token Authority again, this can be done as described in the configuration chapter.
4.5 Rate limiter
The number of messages from iProtect to the Token Authority is limited in number and time. The number of available messages is reported to iProtect. If the number of available messages drops below 5%, a rate limiter starts. While the limiter is active, actions initiated by a user are still executed, but no synchronization calls are made, so statuses will not change. When, after some time, there is room again (>5%), the synchronization calls are sent again. When the rate limiter starts, an event is created in the iProtect log.
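The two timing rules that govern traffic towards the Token Authority, the status-poll intervals after (un)assigning a reader (3.3.5) and the rate limiter (4.5), are modelled together in the added example below; it is not code from the iProtect manual or from TKH. The class tracks the reported message quota, lets user-initiated calls through at all times, holds synchronization calls while fewer than 5% of the messages are left, and records a log entry when the limiter starts and stops. Treating the interval boundaries as "less than 10 minutes" and "less than 1 hour", the call-type labels `"user"` and `"sync"`, and the quota being reported as available and total counts are assumptions.

```python
"""Poll scheduling and rate limiting towards the Token Authority (3.3.5, 4.5).

Added example, not part of the iProtect manual or TKH software.
Assumptions: interval boundaries are applied as 'less than 10 minutes' and
'less than 1 hour'; the quota is modelled as available/total message counts.
"""
from typing import List


def poll_interval_seconds(seconds_since_change: float) -> int:
    """Seconds between status checks after a reader was (un)assigned (3.3.5)."""
    if seconds_since_change < 10 * 60:
        return 45
    if seconds_since_change < 60 * 60:
        return 180
    return 300


def poll_schedule(horizon_seconds: float) -> List[int]:
    """Moments (seconds after the change) at which a status check would run."""
    times: List[int] = []
    t = 0
    while t <= horizon_seconds:
        times.append(t)
        t += poll_interval_seconds(t)
    return times


class TokenAuthorityScheduler:
    """Decides which outbound calls may go, based on the reported quota (4.5)."""

    THRESHOLD = 0.05  # 5% of the message quota, from the manual

    def __init__(self) -> None:
        self.limiter_active = False
        self.log: List[str] = []  # stands in for the iProtect event log

    def report_quota(self, available: int, total: int) -> None:
        """Feed the 'number of available messages' reported by the Token Authority."""
        if total <= 0:
            raise ValueError("total quota must be positive")
        fraction = available / total
        if not self.limiter_active and fraction < self.THRESHOLD:
            self.limiter_active = True
            self.log.append(f"rate limiter started ({fraction:.1%} of messages left)")
        elif self.limiter_active and fraction > self.THRESHOLD:
            self.limiter_active = False
            self.log.append("rate limiter stopped, synchronization calls resumed")

    def may_send(self, call_type: str) -> bool:
        """'user' calls (assign, revoke, ...) always go; 'sync' calls wait."""
        if call_type == "user":
            return True
        if call_type == "sync":
            return not self.limiter_active
        raise ValueError(f"unknown call type {call_type!r}")


if __name__ == "__main__":
    print("polls in the first hour:", len(poll_schedule(3600)))
    scheduler = TokenAuthorityScheduler()
    for available in (50, 4, 5, 6):  # constructed quota reports, out of 100
        scheduler.report_quota(available, 100)
        print(available, "left ->", "sync allowed" if scheduler.may_send("sync") else "sync held")
    print(scheduler.log)
```

Note that a report of exactly 5% neither starts nor stops the limiter: the manual says "lower than 5%" to start and ">5%" to resume, so the example keeps the current state at the boundary.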
5. Mobile Access
Mobile Access can be activated as an extra functionality on the Sirius iX reader. This allows a mobile device to be used as an identifier in addition to the supported access cards. The Mobile Access solution has two mobile applications (iOS and Android):
IPROTECT Access, for the end user.
IPROTECT Config, for the installer to configure the Sirius iX reader.
5.1 Configuration
Every Sirius iX reader must be assigned to the Mobile Access project it belongs to. This must be done with the IPROTECT Config application, which is available in the app stores. The IPROTECT Config application has three functionalities:
Assign
To add a Sirius iX reader to a Mobile Access environment. A Sirius iX reader can be assigned during the 10 minutes after it has booted. To reactivate the ‘assign’ process, a reboot of the Sirius iX reader is required or an installer card needs to be presented. The Assign functionality is always started via the access control system (iProtect).
Unassign
To remove a Sirius iX reader from a Mobile Access environment so it is factory default again. Once it is in factory default, it can be assigned again to any other mobile access system. The ‘unassign’ functionality is always started via the access control system (iProtect).
Edit
To change the signal output of the Sirius iX reader. The Sirius iX reader can be edited during the 10 minutes after assigning, or afterwards via the IPROTECT Config app edit mode.
• 0 dBm maximum distance
• -16 dBm office mode (approx. 15 cm distance)
Assigning with installer card
After powering the reader, it will broadcast a unique identification for 10 minutes. The reader can only be discovered by the IPROTECT Config app during broadcast.
By presenting an installer card, broadcasting can be re-enabled. If the installer card is not available, a power cycle or soft reboot (reset) will also re-enable the 10-minute broadcast. Every time the installer card is presented, the time is extended by another 10 minutes.
After the reader has been assigned to IPROTECT Access, the card reader will no longer respond to the IPROTECT Access Installer card.
For more detailed information please check the IPROTECT Config and IPROTECT Access documentation.