2.3.3. Token Profiles

Just like certificate profiles (Section 2.2.1.2, “Certificate Profiles”), there are different token profiles to format different kinds of tokens. A token profile defines two areas:
  1. The steps to format and enroll the token (sort of like the forms used for certificate profiles)
  2. The configuration of the final enrolled token
The profile configuration to format a smart card identifies the authentication mechanisms to use, the LDAP database connection, the CA to use, which entity generates the keys, and the key settings. It also identifies the certificate profile on the CA that is used to submit the token request. The profile also includes a mapping entry, which provides a mechanism to filter tokens so that the profile to use for enrolling a given token is identified automatically.

Example 2.1. Token Profile for DevKey

op.format.mapping.0.filter.tokenCUID.start=1000000000000000
op.format.mapping.0.filter.tokenCUID.end=1000000000000100
op.format.mapping.0.filter.tokenType=DevKey
op.format.mapping.0.target.tokenType=DevKey

# Profile for DevKey
##########################################################################
op.format.devKey.update.applet.emptyToken.enable=true
op.format.devKey.update.applet.requiredVersion=1.3.427BDDB8
op.format.devKey.update.applet.directory=/usr/share/pki/tps/applets
op.format.devKey.update.applet.encryption=true
op.format.devKey.update.symmetricKeys.enable=false
op.format.devKey.update.symmetricKeys.requiredVersion=1
op.format.devKey.revokeCert=true
op.format.devKey.ca.conn=ca1
op.format.devKey.loginRequest.enable=true
op.format.devKey.tks.conn=tks1
op.format.devKey.auth.id=ldap-dev
op.format.devKey.auth.enable=true
##########################################################################
# LDAP Connection settings for devKey
##########################################################################
auth.instance.0.type=LDAP_Authentication
auth.instance.0.libraryName=/usr/lib/libldapauth.so
auth.instance.0.libraryFactory=GetAuthentication
auth.instance.0.authId=ldap-dev
auth.instance.0.hostport=ldap-dev.example.com:1111
auth.instance.0.SSLOn=false
auth.instance.0.retries=1
auth.instance.0.retryConnect=3
auth.instance.0.baseDN=o=dev
auth.instance.0.ui.title.en=LDAP Authentication
auth.instance.0.ui.description.en=This authenticates user against the DEV LDAP directory.
auth.instance.0.ui.id.UID.name.en=LDAP User ID
auth.instance.0.ui.id.PASSWORD.name.en=LDAP Password
auth.instance.0.ui.id.UID.description.en=DEV LDAP User ID
auth.instance.0.ui.id.PASSWORD.description.en=DEV LDAP Password
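The following added example (not part of Certificate System or this guide) shows how the mapping and profile entries in Example 2.1 fit together: it parses a TPS-style properties file, selects the first op.format.mapping whose CUID range and tokenType filter match a token, and then collects the op.format.<profile>.* settings together with the auth.instance whose authId matches the profile's auth.id. The CUID comparison as same-length hex strings, first-match-wins ordering, and "empty filter matches anything" are assumptions made here, not behaviour documented on this page.

```python
import re
# Constructed sample in the format of Example 2.1 above (an excerpt, not the full profile).
TPS_CFG = """\
op.format.mapping.0.filter.tokenCUID.start=1000000000000000
op.format.mapping.0.filter.tokenCUID.end=1000000000000100
op.format.mapping.0.filter.tokenType=DevKey
op.format.mapping.0.target.tokenType=DevKey
op.format.devKey.ca.conn=ca1
op.format.devKey.tks.conn=tks1
op.format.devKey.auth.id=ldap-dev
auth.instance.0.authId=ldap-dev
auth.instance.0.hostport=ldap-dev.example.com:1111
"""

def parse_props(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def select_profile(props, cuid, token_type=""):
    """Return the target tokenType of the first mapping whose filter matches, else None."""
    idxs = sorted({int(m.group(1)) for k in props
                   if (m := re.match(r"op\.format\.mapping\.(\d+)\.", k))})
    for i in idxs:
        f = f"op.format.mapping.{i}.filter."
        start, end = props.get(f + "tokenCUID.start", ""), props.get(f + "tokenCUID.end", "")
        want = props.get(f + "tokenType", "")
        # Assumption: CUIDs compare as same-length hex strings; an empty filter matches anything.
        in_range = not start or (len(cuid) == len(start)
                                 and start.upper() <= cuid.upper() <= end.upper())
        if in_range and (not want or want == token_type):
            return props.get(f"op.format.mapping.{i}.target.tokenType")
    return None

def profile_settings(props, profile):
    """Collect op.format.<profile>.* settings and the auth instance its auth.id names."""
    # Profile keys use a lower-camel prefix: DevKey -> devKey, as in Example 2.1.
    prefix = f"op.format.{profile[0].lower() + profile[1:]}."
    settings = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    auth_id = settings.get("auth.id")
    inst = next((k.split(".")[2] for k, v in props.items()
                 if k.startswith("auth.instance.") and k.endswith(".authId") and v == auth_id), None)
    auth = {k.split(".", 3)[3]: v for k, v in props.items()
            if inst is not None and k.startswith(f"auth.instance.{inst}.")}
    return settings, auth
```

A CUID outside the configured range, or a token whose current type differs from the filter's tokenType, resolves to no profile, which is the case an operator should check for when adding a new mapping.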

There are a handful of profiles already defined for tokens. New and custom token types can also be created.

Table 2.1. Default Token Types

Token Type         Description
-----------------  --------------------------------------------------------------------------
cleanToken         For operations for any blank token, without any other applied token types.
soKey              For operations for generating keys for security officer stations.
soCleanSOToken     For operations for blank tokens for security officer stations.
soKeyTemporary     For operations for temporary security officer tokens.
soCleanUserToken   For operations for blank user tokens for security officers.
soUserKey          For operations for security officer user tokens.
tokenKey           For operations for generating keys for use with servers or devices.
userKey            For operations for regular user tokens.
userKeyTemporary   For operations for temporary user tokens.