Off Topic : Provisioning a Multi Purpose RSA Soft Token for the Blackberry and iPhone.
Written by Marcos Velez:
RSA SecurID is a great two-factor authentication solution currently in use by many companies. In fact, most of the companies I work with nowadays have RSA deployed within their infrastructure as an added security feature for their remote access solutions. One particular useful feature of RSA SecurID is their software-based tokens, which allow end-users to make use of the RSA solution without having to carry around a physical token. Traditionally, soft tokens are deployed to BlackBerry devices, but they can also be used in other ways. RSA SecurID soft tokens can be used on Windows devices by installing the RSA SecurID Software Token for Windows Application, or by making use of the RSA Toolbar for Internet Explorer. Recently, RSA has also made it possible to use their soft tokens on iPhone and iPod Touch devices.
This document will help an RSA administrator to deploy soft tokens that can be used in any of the following platforms and/or devices:
- BlackBerry
- iPhone / iPod Touch (OS 2.2, or later)
- RSA Software Token for Windows Application
- RSA Toolbar for Internet Explorer (IE6 and IE7)
In order to succeed at using a single soft token across all four platforms listed above, you will need to generate soft tokens in a very specific manner. To issue a soft token, you will need admin-level access to an RSA server. You will also need to download the RSA Software Token Converter tool in order to use the provisioned token on an iPhone.
Keep in mind that this article is in no way a tutorial on how to use any of the RSA applications mentioned, nor will it help you in setting up and deploying an RSA environment or how to carry out the everyday administration of such an environment. This guide is meant to be used by RSA administrators who are already familiar with their environment and only wish to learn how to provision a token in a simple and efficient manner.
For download links to all of the programs and applications mentioned in this article, refer to the last section.
Without further delay, here are the steps to provisioning a multi-purpose RSA soft token.
- Log into the RSA Server.
- Launch RSA Authentication Manager.
- Click on User > Edit User.
- Enter the search criteria and locate the user you wish to edit.
- Double-click on the intended user.
- Select a soft token, if one is already assigned, or complete the steps to assign a soft token before continuing.
- Click on Edit Assigned Token…
- Click on Edit Token Extension Data…
- On the Edit Token Extension Data dialog window, you will want to add several entries. Keep in mind that all entries consist of key/value pairs. In this particular example, I created the following entries:
- Nickname
- TOOLBAR_SITEURL1
- TOOLBAR_SITEURL2
The Nickname entry is an optional entry, but it is helpful for users that may need to install, or use, multiple tokens on the same device. The TOOLBAR_SITEURL entries are meant for tokens that will be used with the RSA IE Toolbar product. When a token is to be used with the RSA IE Toolbar, you MUST specify at least one URL for which a token is valid. Otherwise, the token will never be activated for any site. This is a particular nifty feature of the RSA IE Toolbar product that allows administrators to restrict the use of a token to particular URLs.
You should also notice that the DeviceSerialNumber entry is purposely left blank. The reason for this is to make it possible for a single token to be used in multiple devices or products. If you specify a device serial number as part of a token’s extension data, you will effectively "marry" the token to a particular device and the end-user will not be able to use in other device or product until it is re-issued.
- Once you have created the desired entries, click on Exit.
- You should now find yourself back at the Edit Token screen. Click on Re-Issue Software Token…
- You should now see an information dialog box asking you to commit any token changes. Click Yes.
- At this point, you should find yourself at the Issue RSA SecurID Software Tokens screen. Un-check the Enable Copy Protection checkbox as well as the Password Protect checkbox. Make sure you select the One Token Per File option and then click on Next >.
- If necessary, select the token you modified from the Verify RSA SecurID Software Token Issuing List screen and click on Next >.
- You will be prompted to confirm the issuance of the token. Click on Yes to issue the soft token.
- If prompted to overwrite a previously issued token file, click on Yes.
- You should now be prompted to save the results of the issuance operation to a file. Click on No, unless you wish to retain the results of this operation for review at a later time.
- At the Edit Token screen, click on OK to close the window.
- At the Edit User screen, click OK to close the window.
- Close the RSA Authentication Manager window.
Congratulations! You have completed the first steps to generating a token file that can be used in any of the platforms mentioned at the beginning of this article. Now, we must work with this file to make it suitable for use in each of those platforms. Continue reading the remaining sections to learn how to use the token file in the platforms that may be of interest to you.
BlackBerry Devices
- Using Notepad, open the file that was generated and inspect its content. You will notice that the token file is nothing more than an XML file. Close the file and make a copy of it.
- Rename a copy of the token file by pre-pending x-rimdevice to its current filename. This is necessary because the RSA BlackBerry application "listens" for email attachments that have the extension sdtid and which names start with x-rimdevice.
- Using your preferred email client, send the newly renamed token file to the intended end-user as an attachment to an email message.
- The recipient need only open your email and should be able to import the token by clicking on the BlackBerry menu button and then selecting the option that reads Import RSA Token.
RSA SecurID Software Token for Microsoft Windows
- The intended end-user must download and install this application from the RSA website.
- Once the application has been installed, send a copy of the original token file to the end-user in question and instruct that person to copy the file to the Desktop.
- Once the file is copied to the Desktop, the user can launch the RSA application and it will automatically import the token. This is a neat functionality that saves the user time by automatically importing any files located on the Desktop which have an SDTID extension.
RSA Toolbar for IE
- The intended end-user must download and install this application from the RSA website. Please note that, as of this writing, the RSA Toolbar for IE is only compatible with IE7 and IE6. IE8 is not supported. In my limited testing, I haven’t been able to get the toolbar to work with IE8.
- Once the application has been installed, send a copy of the original token file to the end-user in question and instruct that person to copy the file to the Desktop.
- Once the file is copied to the Desktop, the user can launch IE and the RSA toolbar application should automatically import the token. If the token is not automatically imported, the user can click on the IE RSA toolbar and navigate the menu options to import a token manually.
RSA SecurID Software Token for iPhone and iPod Touch
- The intended end-user must download and install the application from the iTunes App Store.
- Once the application has been installed, you must convert the software token that was generated during the first part of this article into a format that can be understood by the iPhone application.
- To convert the token file, the administrator must download the Software Token Converter tool from the RSA site. Once downloaded, copy the token file to the same location as the converter tool executable.
- Open up a command prompt window and navigate to the folder where the files are located.
- Type in the following command:
tokenconverter240 %TOKEN_FILE_NAME% -iphone -o url.txt
The command line above instructs the RSA Token Converter tool to convert the specified token file to an iPhone format and to save the results of the conversion to a text file name url.txt.
- Once the operation has completed, close the command prompt and, using your preferred text editor, open the newly created file.
- The contents of the file should look similar to this.
com.rsa.securid.iphone://ctf?ctfData=200010461486101361407421544275032616407630164625276666404172122526573036671675254
As you may have noticed, this is a specially formatted hyperlink.
- Using your preferred email client, create an HTML format email message and insert the contents of the file generated in step #5 above.
- Before sending the message, make sure that the inserted link is showing up as a hyperlink. If it isn’t, make the necessary corrections to make sure that it does. Otherwise, the end-user will not be able to import the token. If you are using Outlook 2003, highlight the pasted text and click on Insert > Hyperlink. At the resulting window, choose (Other) from the drop-down list, and paste the link text into the URL text field. If using Outlook 2007, highlight the text, click on Insert then click on the Hyperlink icon in the Links section of the ribbon toolbar. At the resulting dialog window, paste the link text into the Address text field. Once the text is showing up as a hyperlink, send your message to the intended end-user.
- The end-user in question will need to open your email message from within his/her iPhone and then click on the hyperlink. The RSA application will be invoked by the iPhone OS and the token will be automatically imported.
Download Links