A single Kluis Token secured by a Token PIN may be used by Corporate Groups that need to hold the Certificates (Private Keys) of more than one person, while each person can still exercise full control over his Private Keys stored on the HSM by requiring OTP Authentication for Private Key use such as signing and/or encryption.
The OPTIONAL OTP Key Authentication may be enabled from the Enroll Certificate page by clicking the 'Security' (Lock Image) button against the listed certificate in the table listing token contents. The Private Key Security Config dialog has the following settings:
Require OTP for Private Key: checkbox that enables OTP Authentication for the Private Key associated with the Certificate.
OTP Valid for Mins: the time allowed between the Generate OTP and Set OTP API calls. If the OTP is submitted after this period, it will have expired.
Auth Expires after Mins: time-based expiry for the Private Key Authorization. A new OTP needs to be generated and set after this period has lapsed. Setting this value to zero disables time-based authorization.
Auth valid for number of uses: the OTP Authorization is valid for the given number of uses. Once the private key has been used the given number of times, an OTP needs to be generated and set again.
Note: The above two settings, viz. Auth Expires after Mins and Auth valid for number of uses, may be used singly or together. When both values are set, both the elapsed time and the key use count are checked before key use is allowed.
Restrict Key Use For App Profiles: restricts key use to the given AppProfileName only. Multiple profiles may be provided, separated by commas.
The Key Authorization API for generating and submitting the OTP is detailed in later sections.
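The following added example (not Kluis code and not its API) models how the settings above combine into a single allow/deny decision for each key use. All class, field and method names are hypothetical. It assumes that a use count of zero disables the count limit, that an empty profile list means no profile restriction, and that an OTP is consumed once it has been set successfully.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class KeySecurityConfig:           # hypothetical names mirroring the dialog settings
    require_otp: bool = True
    otp_valid_mins: int = 5        # window between Generate OTP and Set OTP
    auth_expires_mins: int = 10    # 0 disables time-based expiry (per the page)
    auth_valid_uses: int = 3       # assumption: 0 disables the use-count limit
    app_profiles: tuple = ()       # assumption: empty means no profile restriction

class KeyAuthorization:
    """Per-key authorization state; `now` is passed in as seconds for testability."""
    def __init__(self, cfg):
        self.cfg = cfg
        self._otp = None
        self._otp_issued = 0.0
        self._auth_at = None       # time the current authorization was granted
        self._uses = 0

    def generate_otp(self, now):
        self._otp = f"{secrets.randbelow(10**6):06d}"
        self._otp_issued = now
        return self._otp

    def set_otp(self, otp, now):
        if self._otp is None:
            return False
        if now - self._otp_issued > self.cfg.otp_valid_mins * 60:
            return False           # submitted too late: OTP expired
        if not hmac.compare_digest(self._otp.encode(), otp.encode()):
            return False
        self._otp = None           # assumption: OTP is consumed on success
        self._auth_at, self._uses = now, 0
        return True

    def may_use_key(self, app_profile, now):
        c = self.cfg
        if c.app_profiles and app_profile not in c.app_profiles:
            return False           # key restricted to the listed AppProfileName values
        if not c.require_otp:
            return True
        if self._auth_at is None:
            return False           # no OTP has been set yet
        if c.auth_expires_mins and now - self._auth_at > c.auth_expires_mins * 60:
            return False           # time-based expiry reached
        if c.auth_valid_uses and self._uses >= c.auth_valid_uses:
            return False           # use count exhausted
        self._uses += 1            # count only the uses that are allowed
        return True
```

When both limits are non-zero, a key use is denied as soon as either one is exceeded, which matches the Note above.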