Prepare Migration From a DIGIPASS import file (Authentication Server Framework) (2024)

  • Updated on 01 Oct 2024
  • 9 Minutes to read
  • Print

  • Share

  • Dark

    Light

  • PDF

Authenticator records can be manually imported from Authentication Server Framework to OneSpan Authentication Server using a DIGIPASS import file, i.e. a comma-separated text file (.csv).

For more information about the various migration paths, see Available migration paths for Data Migration Tool (DMT).

To import authenticator records from a DIGIPASS import file

  1. Install the destination OneSpan Authentication Server instance.

  2. Export the authenticator records from the Authentication Server Framework database to a DIGIPASS import file and prepare it accordingly (see DIGIPASS import file format).

  3. Create the domain and organizational unit structure using OneSpan Authentication Server Administration Web Interface.

    For more detailed information, refer to the OneSpan Authentication ServerAdministrator Guide.

  4. Import the authenticator records and import/create the user accounts.

    • Import the authenticator records from the DIGIPASS import file previously created, using Data Migration Tool (DMT).

    • Create user records either manually or automatically in bulk using a user import file with OneSpan Authentication Server Administration Web Interface.

    • Assign the authenticators to user accounts either manually or automatically when creating them from a user import file with OneSpan Authentication Server Administration Web Interface.

    You can do either:

    • Import the authenticator records from the DIGIPASS import file first, then import the user records from a user import file and automatically assign the users to the existing authenticators (by specifying the serial numbers in the user import file).

    • Import the user records from a user import file first, then import the authenticator records from the DIGIPASS import file and automatically assign the authenticators to the existing users (by specifying the user ids and domains in the DIGIPASS import file).

    • Create or import the user records and authenticator records separately (without referring from one to the other), then assign the authenticators to the users manually.

    It's usually less error-prone to import or create the user accounts first and to import and assign the authenticator records afterward.

    For more information about using user import files, refer to the OneSpan Authentication ServerAdministrator Guide, Section "Format of User Import File".

Prepare a DIGIPASS import file with custom keys

If you import from a DIGIPASS import file that has been encrypted with a custom key, you will have to use that same custom key in Data Migration Tool during the data migration process (see Prepare migration from a DIGIPASS import file (Authentication Server Framework)).

DIGIPASS import file format

Authenticator records must be imported from a comma-separated text file. The exact file format depends on whether the file contains regular authenticator records (see DIGIPASS import file contents (standard licensing)) or multi-device licensing (MDL) authenticator records (see DIGIPASS import file contents (multi-device licensing (MDL)).

DIGIPASS import file contents (standard licensing)

Column Name

Data type

Required

Description

Blob

Text (exactly 248 chars)

Yes

Encrypted data block that contains important parameter settings and secrets for an authenticator application.

StaticVectorEx

Text (up to 4096 characters)

Yes

Specific to software authenticators. It is used to generate an encrypted authenticator secret (activation code) This is only present for new software authenticator parameters.

ActivationCount

Unsigned number

No

Specific to software authenticators.

This is directly connected to ActivationLocations.

ActivationLocations

Text (up to 1024 characters)

No

Specific to software authenticators.

This field will be stored in the vdsDPApplication table in the vdsActivLocs column. It specifies the client locations where the authenticator has been activated from via provisioning register commands (as space-separated hash values).

This is directly connected to ActivationCount.

Active

Boolean

No

Flags whether the authenticator application should be imported as active.

If set to 0 (inactive), the authenticator application will be deactivated on import.

Possible values:

  • 0. Flag as inactive.

  • 1. Flag as active.

Default value: 1

BackupVDPEnabled

Text

No

States whether backup Virtual Mobile Authenticator functionality is enabled for this authenticator.

Possible values:

  • Default

  • No

  • Yes - Permitted

  • Yes - Required

  • Yes - Time Limited

The value must exactly conform to one of the above examples.

BackupVDPExpires

Date

No

Used with Yes - Time Limited option above.

Expected format 'YYYY/MM/DD'

BackupVDPUsesLeft

Unsigned number

No

Used with Yes - Permitted option above.

Description

Text (up to 255 characters)

No

Descriptive text for the authenticator.

May not contain any of the following characters: /\:;,|'"<>[]&@=+*?#

DirectAssignOnly

Boolean

No

Flags the authenticator as unavailable for auto-assignment and bulk assignment processes.

Possible values:

  • 0. Available for auto and bulk assignment.

  • 1. Available for direct assignment only.

Default value: 0

Domain

Text

No

The domain to import the authenticator to. The domain must already exist. If UserID is specified, the respective user account must exist in the domain.

Default value: master

MessageVector

Text (26 characters)

No

The message vector is a string containing configuration settings for the message generation. This field is extracted during the initial DPX import process to the Authentication Server Framework database.

This field is applicable (and required) for specific, pre-provisioned hardware authenticators with Secure Channel capabilities only!

Number

Number

No

This field defines the application index number and will be stored in the vdsDPApplication table in the vdsApplNo column. It’s used for audit and trace messages and as reference when an operation was using a specific authenticator application.

If defined in the DIGIPASS import file, this number should be unique across the applications for a particular authenticator. It is recommended to order the authenticator applications always in the same way, e.g. as they are defined in the static vector. Usually, the application order should be the same across authenticators of the same initial configuration (DPX).

If this field is not supplied, DMT will automatically generate it based on the order of the authenticator applications found in the DIGIPASS import file.

OrganizationalUnit

Text

No

The organizational unit to import the authenticator to. The organizational unit must already exist.

The organizational unit name is sufficient. '//' should only be used to designate an organizational unit path, not included as part of an OU name.

If the authenticator is assigned to a user in a different organizational unit, the authenticator record will be moved to the user's organizational unit.

Default value: <empty>

PayloadKeyBlob

Text (up to 256 characters)

No

Payload keys to protect the confidentiality and authenticity of the payload of a message. It is shared by the authenticator license and authenticator instance, it is however, defined separately for each one in the DIGIPASS import file.

This field is applicable (and required) for specific, pre-provisioned hardware authenticators with Secure Channel capabilities only!

UserID

Text

No

The user ID the authenticator is assigned to. Only required, if the authenticator is assigned.

DIGIPASS import file contents (multi-device licensing (MDL))

Column Name

Data type

Required

Description

Blob

Text (exactly 248 characters)

Yes

Encrypted data block that contains important parameter settings and secrets for an authenticator application.

MessageVector

Text (26 characters)

Yes

The message vector is a string containing configuration settings for the message generation, including the activation process and the optional Secure Channel process. This field is extracted during the initial DPX import process to the Authentication Server Framework database.

It is applicable for the following authenticator categories:

  • Software or hardware authenticators compliant with multi-device activation (in context of multi-device licensing (MDL)

  • Software or hardware authenticators able to perform operations based on the Secure Channel protocol

PayloadKeyBlob

Text (up to 256 characters)

Yes

Payload keys to protect the confidentiality and authenticity of the payload of a message. It is shared by the authenticator license and authenticator instance, it is however, defined separately for each one in the DIGIPASS import file.

ProvisioningActivationCount

Number

Yes

The number of activations made by provisioning commands, meaning activations usually performed by the users themselves. If the exact number is unknown, set this value to 0.

StaticVectorEx

Text (up to 4096 characters)

Yes

Specific to software authenticators. It is used to generate an encrypted authenticator secret (activation code) This is only present for new software authenticator parameters.

SequenceNumberThreshold

Unsigned Number (1–99)

Only for authenticator license

Maximum number of authenticator instances that can be activated with the authenticator license. By design it is not possible to create more than 99 instances of a license. This field is mandatory for the authenticator license, for authenticator instances the value will be NULL.

This value is configured by OneSpan at the time of order and extracted during the initial DPX import process to the Authentication Server Framework database.

Activation vector

Text (up to 1024 characters)

No

A data string containing license-specific encrypted activation data necessary for the activation process. This field is extracted during the initial DPX import process to the Authentication Server Framework database.

ActivationChallenge

Text (16 characters)

No

The challenge (numeric or hexadecimal) initially used to generate the Activation Message 1.The same challenge is used to validate the device code.

If no challenge was initially used, this field can be omitted.

If the activation challenge is required, but missing, subsequent activations of authenticator instances will fail!

ActivationCount

Number

No

The number of activations made either by administration or provisioning commands. Applies to authentication licenses only. Is also encoded in the BLOB and cannot be reset (only during new activations).

Active

Boolean

No

Flags whether the authenticator application should be imported as active.

If set to 0 (inactive), the authenticator application will be deactivated on import.

Possible values:

  • 0. Flag as inactive.

  • 1. Flag as active.

Default value: 1

Description

Text (up to 255 characters)

No

Descriptive text for the authenticator.

May not contain any of the following characters: /\:;,|'"<>[]&@=+*?#

DirectAssignOnly

Boolean

No

Flags the authenticator as unavailable for auto-assignment and bulk assignment processes.

Possible values:

  • 0. Available for auto and bulk assignment.

  • 1. Available for direct assignment only.

Default value: 0

Domain

Text

No

The domain to import the authenticator to. The domain must already exist. If UserID is specified, the respective user account must exist in the domain.

Default value: master

LastActivationTime

DateTime

No

This field is required when the authenticator license is assigned and activated. It is required to prevent reactivation. If it is not required, the field is left blank.

This is set by provisioning commands and reset by certain administration commands, i.e. Delete User, Unassign Digipass, and Reset Activation.

Expected format 'YYYY/MM/DD HH:MM:SS'.

Number

Number

No

This field defines the application index number and will be stored in the vdsDPApplication table in the vdsApplNo column. It’s used for audit and trace messages and as reference when an operation was using a specific authenticator application.

If defined in the DIGIPASS import file, this number should be unique across the applications for a particular authenticator. It is recommended to order the authenticator applications always in the same way, e.g. as they are defined in the static vector. Usually, the application order should be the same across authenticators of the same initial configuration (DPX).

If this field is not supplied, DMT will automatically generate it based on the order of the authenticator applications found in the DIGIPASS import file.

OrganizationalUnit

Text

No

The organizational unit to import the authenticator to. The organizational unit must already exist.

The organizational unit name is sufficient. '//' should only be used to designate an organizational unit path, not included as part of an OU name.

If the authenticator is assigned to a user in a different organizational unit, the authenticator record will be moved to the user's organizational unit.

Default value: <empty>

UserID

Text

No

The user ID the authenticator is assigned to. Only required, if the authenticator is assigned.

For more information about individual fields, refer to the Authentication Server FrameworkProduct Guide.

For more information about the actual migration process, see Migrate data.

DIGIPASS import file migration restrictions

Several restrictions apply for the import of authenticator records via a DIGIPASS import file:

  • One authenticator application per line. If an authenticator has more than one authenticator application, it will take up multiple lines in the import file.

  • Headings should be included at the top of the file, using the exact field names provided in the table above.

  • Commas should not be added to any field, as this will be interpreted as the end of the data for that field and the beginning of data for the next field.

  • When migrating from Authentication Server Framework-based installations to OneSpan Authentication Server, multi-device licensing (MDL) authenticators can be migrated.

  • Only fully activated authenticator instances can be migrated.

  • Temporary data used for activation is not migrated and will be lost.

DIGIPASS import file examples

The Data Migration Tool setup includes working DIGIPASS import file samples for reference. You can find the sample files in the following folder:

  • %PROGRAMFILES%\VASCO\Data Migration Tool 3.26\samples (Windows)

  • /opt/vasco/dmt/samples (Linux)

Was this article helpful?

What's Next
  • Prepare the Destination System
Prepare Migration From a DIGIPASS import file (Authentication Server Framework) (2024)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Manual Maggio

Last Updated:

Views: 6200

Rating: 4.9 / 5 (69 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Manual Maggio

Birthday: 1998-01-20

Address: 359 Kelvin Stream, Lake Eldonview, MT 33517-1242

Phone: +577037762465

Job: Product Hospitality Supervisor

Hobby: Gardening, Web surfing, Video gaming, Amateur radio, Flag Football, Reading, Table tennis

Introduction: My name is Manual Maggio, I am a thankful, tender, adventurous, delightful, fantastic, proud, graceful person who loves writing and wants to share my knowledge and understanding with you.