ApplicGate
(v12.0.8884.28918 started 2024-04-28 17:07:31 on VM2)

Userlist for OTP, TOTP, FIDO2 and Authorization

A list of users must be stored in the file OTPlist.csv (the directory must be the same as for the routing table). Fields are (separated by ;):
OTPlist.csv is loaded at startup of ApplicGate or via the command LoadOT.
The keyword OTPUPD must be defined at manage and status connections to enable creation and update of OTP entries via web.
New entries can be created using the link New User Entry.
If OTPlist.csv does not exist it will be created when the first user entry is defined via web.
Existing entries can be updated or deleted using the links provided in the ID field of the User List.
When OTPlist.csv is updated via the web interface the original file will be renamed to a new name with timestamp included (yyyy-MM-dd_HHmmss_OTPlist.csv).
Column widths are taken from the original file.
Note when TOTP is activated:
To avoid conflicts, all changes to OTPlist.csv should be done via the web interface, because ApplicGate itself rewrites OTPlist.csv whenever a new secret has been generated.

Example of OTPlist.csv:
 eMail       ;securityID ;phoneNumber  ;Expiration ;OTPgroups ;responsibleEmail;Comment;SecretDate;Secret
test@aon.at ;12321 ;07324711 ;2016.12.31 ; ;max.mayr@aon.at ;
sam@aon.at ;99887 ; ;2016.12.31 ;APP1,APP2 ;max.mayr@aon.at ;
emailaddress ... used as key (must be unique and lowercase) and for mail delivery
.................. a trailing identifier separated by # can be specified, e.g. test@aon.at#2
.................. this is useful to specify a secondary phone number for OWA with CERTMATCH:OWA.
securityID ... string to protect usage of this entry, to prevent unauthorized sending of SMS and mail, usually 5 digits
phoneNumber ... number to send SMS (optional), if not specified: the user can be notified via email only
Expiration ... date when the entry expires (optional), the time part will be removed (if any). After this date the entry is no longer valid. Expiration is checked during load of OTPlist.csv and at midnight.
.................. Sending of expiration mails is controlled by the keyword TEXO in the group Notify
OTPgroups ... optional list of OTPgroups (separated by , ), to be used for authentication instead of Email Addresses
responsibleEmail . email address of the person responsible for this entry (optional), may be a list separated by "," and may include groups. These are the receivers of the expiration mail.
Comment ... any comment (optional)
SecretDate ... date/time when the shared secret for TOTP has been initialized.
Secret ... shared secret for TOTP, a 16 character Base32 string, if encrypted this string starts with "=".
FIDO2idDate ... date/time when the public key for FIDO2 has been initialized.
FIDO2id ... id to request authorization by the security token (FIDO2).
FIDO2pubKey ... public key to check signature received from the security token (FIDO2).

Lines with leading # are ignored.
Backup Application Gateways will synchronize the file from the primary using the same schema as for routing and group table.
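The following Python is an added example, not part of ApplicGate; it parses an OTPlist.csv in the layout described above (; separated, # comment lines, optional #identifier suffix on the key, Expiration as yyyy.MM.dd with an optional time part that is dropped, Secret starting with "=" when encrypted) and applies the same expiration rule an operator would expect. The sample rows, the column order beyond the header shown, and the returned field names are assumptions.

```python
from datetime import date, datetime

# Column order as listed in the field description above (assumed to be the file order).
FIELDS = ["eMail", "securityID", "phoneNumber", "Expiration", "OTPgroups",
          "responsibleEmail", "Comment", "SecretDate", "Secret",
          "FIDO2idDate", "FIDO2id", "FIDO2pubKey"]

# Constructed sample in the OTPlist.csv layout; values are not real users.
SAMPLE = """# lines with leading # are ignored
 eMail       ;securityID ;phoneNumber  ;Expiration ;OTPgroups ;responsibleEmail;Comment;SecretDate;Secret
test@aon.at ;12321 ;07324711 ;2016.12.31 ; ;max.mayr@aon.at ;
sam@aon.at ;99887 ; ;2016.12.31 ;APP1,APP2 ;max.mayr@aon.at ;
anna@aon.at#2 ;55555 ;06641234 ;2030.06.30 23:59 ;APP1 ;max.mayr@aon.at ;backup phone;2024-04-01;=abc
"""

def parse_expiration(value):
    """'yyyy.MM.dd', optionally followed by a time part that is dropped; '' means no expiry."""
    value = value.strip().split(" ")[0]
    if not value:
        return None
    return datetime.strptime(value, "%Y.%m.%d").date()

def load_otplist(text, today):
    """Return (entries keyed by eMail, list of (line number, error))."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank or comment line
        cells = [c.strip() for c in raw.split(";")]
        if cells[0] == "eMail":
            continue                                   # header row, not a user
        row = dict(zip(FIELDS, cells + [""] * (len(FIELDS) - len(cells))))
        key = row["eMail"]
        if key != key.lower() or key in entries:       # key must be unique and lowercase
            errors.append((lineno, "key must be unique and lowercase"))
            continue
        try:
            exp = parse_expiration(row["Expiration"])
        except ValueError:
            errors.append((lineno, "bad Expiration"))
            continue
        row["expired"] = exp is not None and exp < today   # invalid after the expiry date
        row["groups"] = [g for g in row["OTPgroups"].split(",") if g]
        row["responsible"] = [r for r in row["responsibleEmail"].split(",") if r]
        row["secret_encrypted"] = row["Secret"].startswith("=")
        row["mail_address"] = key.split("#", 1)[0]     # delivery address without #suffix
        entries[key] = row
    return entries, errors
```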

reinhold.leitner@applicgate.com (C) April 2024
www.applicgate.com