Seeds file conversion
1. Overview
In this how-to, we demonstrate the possible ways to convert token seed files from different formats into the WebADM inventory format, so that third-party hardware tokens can be used with RCDevs security solutions. We also demonstrate how to re-use software tokens already registered on end-user devices with RCDevs solutions.
2. Seeds Files Format supported by WebADM
2.1 Un-encrypted Inventory
This is the format of an unencrypted RCDevs inventory file which can be imported in WebADM without any conversion:
# CSV import file for RCDevs WebADM
# Generated on April 9, 2019, 4:13 pm
Type, Reference, Description, Data
"OTP Token", "5292530833003", "RCDevs RC200-T6", "TokenKey=tdxn5faLI0joNLIjLrIMjUxaZXc=,TokenType=VE9UUA==,TokenState=MA==,OTPLength=Ng==,TOTPTimeStep=MzA="
As you can see, it is a CSV file with four fields per token:
- Type: the object type ("OTP Token" in the example above). The OTP algorithm (TOTP, HOTP, OCRA or YUBIKEY) is given by the TokenType item of the Data field.
- Reference: the serial number of the token
- Description: a brief description of the object
- Data: the configuration data of the token
This information can be seen in WebADM > Databases > Inventoried Devices, like this:
As you can see from the above inventory example, the Data field contains multiple items that you need to adjust according to the properties of your tokens.
Every value inside the Data field must be base64-encoded to be imported into WebADM. TokenKey holds the base64 encoding of the raw secret bytes; the other items hold the base64 encoding of their text value (for example TokenType=VE9UUA== decodes to TOTP and OTPLength=Ng== decodes to 6).
The Data field items in RCDevs inventory files are the following:
- TokenKey: the token secret key value.
- TokenType: TOTP (time-based), HOTP (event-based), OCRA or YUBIKEY, according to your token type.
- TokenState: the time offset value for TOTP tokens and the counter value for HOTP tokens. Set to 0 by default. If you cannot provide the actual value, a token resynchronization may be required after assignment.
- OTPLength: 6, 8 or 10, matching the length of the OTPs your tokens generate.
- TOTPTimeStep: 30 or 60 seconds. Only used for TOTP tokens. Must match the TOTP Time Step setting of your OpenOTP server.
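As an added example (not part of the original page and not RCDevs code), the following Python parser reads an unencrypted inventory file of the shape shown above, base64-decodes every Data item and rejects values outside the ranges listed here (token type, OTP length, time step). The sample inventory text is the line shown above; the negative sample with OTPLength=7 is constructed for the example.

```python
import base64
import csv
import io

# Constructed sample: the unencrypted inventory lines shown above on this page.
SAMPLE_INVENTORY = """# CSV import file for RCDevs WebADM
# Generated on April 9, 2019, 4:13 pm
Type, Reference, Description, Data
"OTP Token", "5292530833003", "RCDevs RC200-T6", "TokenKey=tdxn5faLI0joNLIjLrIMjUxaZXc=,TokenType=VE9UUA==,TokenState=MA==,OTPLength=Ng==,TOTPTimeStep=MzA="
"""

# Constructed negative sample: OTPLength=7 ("Nw==") is not one of 6, 8 or 10.
BAD_INVENTORY = """Type, Reference, Description, Data
"OTP Token", "0000000000001", "Bad token", "TokenKey=tdxn5faLI0joNLIjLrIMjUxaZXc=,TokenType=VE9UUA==,TokenState=MA==,OTPLength=Nw==,TOTPTimeStep=MzA="
"""

ALLOWED_TOKEN_TYPES = {"TOTP", "HOTP", "OCRA", "YUBIKEY"}
ALLOWED_OTP_LENGTHS = {6, 8, 10}
ALLOWED_TIME_STEPS = {30, 60}


def parse_data_field(data):
    """Split 'Name=value,Name=value,...' and base64-decode every value.

    TokenKey decodes to the raw secret bytes; the other items decode to ASCII text.
    """
    fields = {}
    for item in data.split(","):
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed Data item: %r" % item)
        fields[name.strip()] = base64.b64decode(value.strip(), validate=True)
    return fields


def parse_inventory(text):
    """Parse an unencrypted WebADM inventory file into a list of token dicts.

    Raises ValueError for values outside what section 2.1 lists as accepted.
    """
    body = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    reader = csv.reader(io.StringIO("\n".join(body)), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    if header != ["Type", "Reference", "Description", "Data"]:
        raise ValueError("unexpected header: %r" % header)
    tokens = []
    for row in reader:
        if len(row) != 4:
            raise ValueError("expected 4 columns, got %d" % len(row))
        obj_type, reference, description, data = (c.strip() for c in row)
        fields = parse_data_field(data)
        token_type = fields["TokenType"].decode("ascii")
        if token_type not in ALLOWED_TOKEN_TYPES:
            raise ValueError("%s: unsupported TokenType %r" % (reference, token_type))
        otp_length = int(fields["OTPLength"].decode("ascii"))
        if otp_length not in ALLOWED_OTP_LENGTHS:
            raise ValueError("%s: OTPLength must be 6, 8 or 10, got %d" % (reference, otp_length))
        token = {
            "type": obj_type,
            "reference": reference,
            "description": description,
            "token_type": token_type,
            "key": fields["TokenKey"],  # raw secret bytes
            # TOTP time offset or HOTP counter; the page says 0 by default
            "state": int(fields.get("TokenState", b"0").decode("ascii")),
            "otp_length": otp_length,
        }
        if token_type == "TOTP":
            step = int(fields["TOTPTimeStep"].decode("ascii"))
            if step not in ALLOWED_TIME_STEPS:
                raise ValueError("%s: TOTPTimeStep must be 30 or 60, got %d" % (reference, step))
            token["time_step"] = step
        tokens.append(token)
    return tokens


def check_inventory(text):
    """Return None if the file parses cleanly, else the first problem found."""
    try:
        parse_inventory(text)
    except (ValueError, KeyError, UnicodeDecodeError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for tok in parse_inventory(SAMPLE_INVENTORY):
        print(tok["reference"], tok["token_type"], len(tok["key"]), "byte key,",
              tok["otp_length"], "digits")
    print("bad file:", check_inventory(BAD_INVENTORY))
```

Running such a check before the import catches a seed that was base64-encoded twice (the decoded TokenKey would be printable text of the wrong length) and an OTP length or time step that WebADM would not accept.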
2.2 Encrypted Inventory
If you have purchased RCDevs hardware tokens and are using the Enterprise Edition of OpenOTP, you receive an encrypted inventory file. To protect the token secrets, the encrypted inventory file can only be imported and decrypted by a WebADM instance running with the associated license file. Without the proper enterprise license, you will not be able to import it into WebADM.
An RCDevs encrypted seeds file looks like:
Inventory Import File for RCDevs WebADM
Generated on June 20, 2019, 12:55 pm
Encrypted for use with <CUSTOMER> customer license
MD5: 68bc02730eefba1216570d8f38a4e7bd
No conversion or data extraction is possible with this kind of inventory file. If your objective is to use RCDevs tokens with a solution other than WebADM, contact the RCDevs sales team and ask for the token seeds in standard PSKC format.
3. Seeds Files Conversions for Hardware Token import
To use hardware tokens from another provider, you have to convert the seed file from your provider into the format supported by WebADM, described in section 2.1 Un-encrypted Inventory. Once the file is adjusted, you can import the new inventory file into the WebADM database.
3.1 Deepnetsecurity Tokens (SafeID/Mini) conversion into WebADM Inventory
This is an example of a Deepnet Security inventory file:
In this case, the secret is 1A2B2395A3B45D11AFBADC510FE860035C4ED6925B12064B3B02D6FB99C5519A in hexadecimal format, which means that you first have to convert the value from hexadecimal to base64 before WebADM can use it. Decode the hexadecimal string to its raw bytes and base64-encode those bytes; base64-encoding the hexadecimal text itself produces a different, unusable TokenKey.
- HEXADECIMAL = 1A2B2395A3B45D11AFBADC510FE860035C4ED6925B12064B3B02D6FB99C5519A
Converted to:
- Base64 = GisjlaO0XRGvutxRD+hgA1xO1pJbEgZLOwLW+5nFUZo=
The Serial value must be used as the Reference value after conversion for WebADM. This value is used for hardware token assignment and must not be converted.
After conversion, the seed file looks like this:
Type, Reference, Description, Data
"OTP Token", "12345678", "SafeID/Mini", "TokenKey=GisjlaO0XRGvutxRD+hgA1xO1pJbEgZLOwLW+5nFUZo=,TokenType=VE9UUA==,TokenState=MA==,OTPLength=Ng==,TOTPTimeStep=MzA="
You can now import that file into the WebADM inventory database.
The token can then be assigned to a user using the Token Reference. See the Hardware Token Assignation documentation.
The token may require resynchronization before it can be used. See section 5, Resynchronize Hardware or Software Tokens, to perform the token resynchronization.
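The conversion described in this section, as an added example (not part of the original page and not RCDevs tooling). Because the Deepnet screenshot is not reproduced here, the input is a constructed CSV whose column names (Serial, Secret, Type, Digits, Interval) are an assumption; adapt them to your provider's export. The first row uses the hexadecimal seed from the text above, so its output line is the one shown above; the second row is a constructed HOTP token using the RFC 4226 reference key.

```python
import base64
import csv
import io

# Constructed input (column names are an assumption of this example).
DEEPNET_CSV = """Serial,Secret,Type,Digits,Interval
12345678,1A2B2395A3B45D11AFBADC510FE860035C4ED6925B12064B3B02D6FB99C5519A,TOTP,6,30
87654321,3132333435363738393031323334353637383930,HOTP,6,
"""


def hex_to_base64(hex_secret):
    """Decode the hex seed to raw bytes, then base64-encode those bytes.

    Base64-encoding the hexadecimal text would give a different, useless
    TokenKey; the conversion has to go through the raw bytes.
    """
    raw = bytes.fromhex("".join(hex_secret.split()))
    return base64.b64encode(raw).decode("ascii")


def b64text(value):
    """Every non-key item inside Data is the base64 of its ASCII text."""
    return base64.b64encode(str(value).encode("ascii")).decode("ascii")


def build_data_field(key_b64, token_type, state=0, otp_length=6, time_step=30):
    """Assemble the Data column as described in section 2.1."""
    if token_type not in ("TOTP", "HOTP"):
        raise ValueError("unsupported token type %r" % token_type)
    if otp_length not in (6, 8, 10):
        raise ValueError("OTPLength must be 6, 8 or 10")
    items = [
        ("TokenKey", key_b64),  # already the base64 of the raw secret
        ("TokenType", b64text(token_type)),
        ("TokenState", b64text(state)),  # counter (HOTP) or time offset (TOTP)
        ("OTPLength", b64text(otp_length)),
    ]
    if token_type == "TOTP":
        if time_step not in (30, 60):
            raise ValueError("TOTPTimeStep must be 30 or 60")
        items.append(("TOTPTimeStep", b64text(time_step)))
    return ",".join("%s=%s" % kv for kv in items)


def inventory_line(reference, description, data):
    """One CSV row in the quoting style of the inventory sample above."""
    cols = ("OTP Token", reference, description, data)
    if any('"' in c for c in cols):
        raise ValueError("double quotes are not supported in inventory fields")
    return ", ".join('"%s"' % c for c in cols)


def convert_deepnet(csv_text, description="SafeID/Mini"):
    """Turn a Deepnet-style seed CSV into WebADM inventory text."""
    out = ["# CSV import file for RCDevs WebADM", "Type, Reference, Description, Data"]
    for row in csv.DictReader(io.StringIO(csv_text)):
        token_type = row["Type"].strip().upper()
        data = build_data_field(
            hex_to_base64(row["Secret"]),
            token_type,
            otp_length=int(row["Digits"] or 6),
            time_step=int(row["Interval"] or 30),
        )
        # The Serial becomes the Reference used for assignment: keep it verbatim.
        out.append(inventory_line(row["Serial"].strip(), description, data))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(convert_deepnet(DEEPNET_CSV), end="")
```

The TokenState is written as 0 for every token, as the page recommends when the real counter or offset is unknown, which is why a resynchronization may be needed after assignment.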
3.2 PSKC Files conversion into WebADM Inventory
If you already have a standard PSKC file from your token provider, you can use the following script on your WebADM instance to convert the PSKC file into a WebADM inventory file:
[root@webadm ~]# /opt/webadm/websrvs/openotp/bin/pskc2inv
WebADM Inventory converter for OATH PSKC files
Usage: pskc2inv <pskc-file> <inventory-file> [<decryption-key>]
Here is an excerpt of a PSKC seed file as provided by RCDevs (the PSKC format is only provided by RCDevs on customer request):
[root@webadm bin]# cat pskc.csv
<?xml version="1.0" encoding="UTF-8"?>
OATH PSKC import file for RCDevs WebADM
Generated on April 9, 2019, 4:13 pm
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:ds="" xmlns:xenc="">
<Model>RCDevs RC200-T6</Model>
<Key Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp" Id="5292530833003">
<ResponseFormat Length="6" Encoding="DECIMAL"/>
To convert it into a WebADM inventory file, run the pskc2inv script as shown below:
[root@webadm bin]# ./pskc2inv pskc.csv webadm_inv.csv
Successfully converted 1 PSKC tokens.
[root@webadm bin]#
The new WebADM inventory file has been created and can be imported through the WebADM admin GUI.
[root@webadm bin]# cat webadm_inv.csv
# OpenOTP Inventory export for OATH PSKC
# Generated by OpenOTP on January 3, 2020 10:03 am
"Type", "Reference", "Description", "Data"
"OTP Token", "5292530833003", "RCDevs RC200-T6", "TokenType=VE9UUA==,TokenKey=tdxn5faLI0joNLIjLrIMjUxaZXc=,OTPLength=Ng==,TOTPTimeStep=MzA="
3.3 Safenet/Gemalto Seeds File conversion into WebADM Inventory
RCDevs also provides a script to convert SafeNet seed files into a WebADM inventory file:
[root@webadm ~]# /opt/webadm/websrvs/openotp/bin/safenet2inv
WebADM Inventory converter for SafeNet files
Usage: safenet2inv <safenet-file> <inventory-file> <token-type>
Token type can be TOTP or HOTP
4. Software Tokens Migration from another Solution to WebADM
If you already have software tokens registered on end-user devices, they can be re-used with WebADM and OpenOTP as long as you still have the secret keys of the registered tokens. This is done by a manual token registration on the user account through the WebADM Admin GUI, the API or the Self-Services.
For a manual token registration through the WebADM GUI, go to WebADM GUI > MFA Authentication Server > Register/Unregister OTP Tokens > I use another Token (Manual Registration) and provide the information regarding your token.
The following API method and its description can be used to do the same thing:
For example, a token registered in Google Authenticator can be re-used if the following information about it is known:
- Token Type: TOTP, HOTP or OCRA.
- Key Algorithm: SHA1, SHA256 or SHA512 (SHA1 by default).
- Key Format: Hexadecimal, Base32 or Base64.
- Secret Key: the secret key of the current token.
The secret key size depends on the chosen key algorithm. By default, the accepted keys have the following lengths:
- SHA1: 20 bytes
- SHA256: 32 bytes
- SHA512: 64 bytes
To allow non-standard key sizes, WebADM assumes the SHA1 algorithm for all other key sizes.
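As an added example (not part of the original page and not RCDevs code), the Python below normalizes a secret given in any of the three accepted formats to its raw bytes, reports whether its length is the default size for the declared algorithm, and produces the base64 form used as TokenKey. It also reads an otpauth:// provisioning URI, the QR-code format Google Authenticator scans; that URI handling is an assumption of this example, the page itself only lists the values to enter. The sample keys are the RFC 4226/6238 reference key "12345678901234567890" written in each format; the base32 sample is deliberately lowercase and unpadded, as authenticator apps commonly export it.

```python
import base64
from urllib.parse import parse_qs, unquote, urlparse

# Default key sizes accepted per algorithm, as listed above.
STANDARD_KEY_SIZES = {"SHA1": 20, "SHA256": 32, "SHA512": 64}

# Constructed samples: the RFC reference key in the three accepted formats.
SAMPLE_KEYS = {
    "hex": "3132333435363738393031323334353637383930",
    "base32": "gezdgnbvgy3tqojqgezdgnbvgy3tqojq",  # lowercase, no padding
    "base64": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=",
}

# Constructed provisioning URI (assumed format, not from the page).
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&algorithm=SHA1&digits=6&period=30")


def decode_secret(secret, key_format):
    """Return the raw key bytes for a secret in hex, base32 or base64."""
    s = "".join(secret.split())  # tolerate spaces from copy-paste
    fmt = key_format.lower()
    if fmt in ("hex", "hexadecimal"):
        return bytes.fromhex(s)
    if fmt == "base32":
        s = s.upper()
        s += "=" * (-len(s) % 8)  # base32 input must be padded to a multiple of 8
        return base64.b32decode(s, casefold=True)
    if fmt == "base64":
        return base64.b64decode(s, validate=True)
    raise ValueError("unknown key format %r" % key_format)


def check_key_size(raw, algorithm):
    """Compare the key length with the default size for the declared algorithm.

    For sizes other than 20, 32 or 64 bytes the page states that WebADM
    assumes SHA1, so a mismatch is worth noticing before registration.
    """
    algorithm = algorithm.upper()
    expected = STANDARD_KEY_SIZES[algorithm]
    return {
        "bytes": len(raw),
        "expected": expected,
        "matches_declared": len(raw) == expected,
        "standard_size": len(raw) in STANDARD_KEY_SIZES.values(),
    }


def registration_values(secret, key_format, algorithm="SHA1"):
    """Raw key, its base64 form (TokenKey) and the size check, in one dict."""
    raw = decode_secret(secret, key_format)
    return {
        "key": raw,
        "key_base64": base64.b64encode(raw).decode("ascii"),
        "algorithm": algorithm.upper(),
        "size_check": check_key_size(raw, algorithm),
    }


def parse_otpauth(uri):
    """Extract the manual-registration values from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() not in ("totp", "hotp"):
        raise ValueError("not a TOTP/HOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    values = registration_values(q["secret"], "base32", q.get("algorithm", "SHA1"))
    values.update({
        "token_type": parts.netloc.upper(),
        "label": unquote(parts.path.lstrip("/")),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "counter": int(q["counter"]) if "counter" in q else None,
    })
    return values


if __name__ == "__main__":
    for fmt, value in SAMPLE_KEYS.items():
        print(fmt, registration_values(value, fmt)["size_check"])
    print(parse_otpauth(SAMPLE_URI)["key_base64"])
```

If the size check reports a mismatch, double-check which hash the issuing service actually used; registering a 32-byte SHA256 key as SHA1 yields a token that never validates.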
5. Resynchronize Hardware or Software Tokens
To resynchronize a token, the token must be assigned to a user account. Once the token is assigned, open that user account in the WebADM GUI and go to Application Actions > MFA Authentication Server > Resynchronize Tokens. Enter the current OTP provided by the token and click the Resync button.
You should see a message like the one below if the synchronization worked:
Event-based tokens can be resynchronized either by providing the counter value or by generating two sequential OTPs and providing them in the resynchronization page.
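As an added example (not part of the original page and not a description of how OpenOTP implements resynchronization), the Python below shows the search a server performs for both cases described here: for an event-based token, finding the counter from two sequential OTPs within a look-ahead window; for a time-based token, finding the clock offset between the token and the server from one OTP. The key is the RFC 4226/6238 reference key "12345678901234567890" (SHA1, 6 digits, 30-second step), constructed here so the results match the published test vectors; the offset is reported in time steps, the page does not state in which unit WebADM stores TokenState.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference key (constructed test value).
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(key, unix_time // step, digits)


def resync_hotp(key, otp1, otp2, server_counter=0, look_ahead=1000, digits=6):
    """Event-based resync from two sequential OTPs.

    Searches the look-ahead window for a counter c with hotp(c) == otp1 and
    hotp(c+1) == otp2 and returns the counter the server should store next
    (c + 2), or None if the pair is not found or is not consecutive.
    """
    for c in range(server_counter, server_counter + look_ahead):
        if hotp(key, c, digits) == otp1 and hotp(key, c + 1, digits) == otp2:
            return c + 2
    return None


def resync_totp(key, otp, server_time, step=30, max_drift=100, digits=6):
    """Time-based resync: clock offset of the token, in steps, relative to the server.

    Offsets are tried nearest-first (0, +1, -1, +2, -2, ...) so the smallest
    drift that explains the OTP wins; returns None if nothing matches.
    """
    for k in range(max_drift + 1):
        for drift in ((0,) if k == 0 else (k, -k)):
            if totp(key, server_time + drift * step, step, digits) == otp:
                return drift
    return None


if __name__ == "__main__":
    # Token showed 338314 then 254676: the server counter resynchronizes to 6.
    print("HOTP next counter:", resync_hotp(RFC_TEST_KEY, "338314", "254676"))
    # Token shows 050471 while the server clock reads 1111111109: one step ahead.
    print("TOTP drift (steps):", resync_totp(RFC_TEST_KEY, "050471", 1111111109))
```

Keeping the look-ahead window and the maximum drift small matters: every extra counter or time step a server is willing to accept during resynchronization is one more OTP an attacker could guess, so the windows should only be as wide as real clock drift and accidental button presses require.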