RSA SecurID Software Token 1 - EMC Community Network

RSA SecurID Software Token 1.0 

for iPhone Devices 

Administrator’s Guide 

Updated, June 19, 2009

Contact Information 

Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com 

Trademarks 

RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the 

most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of 

EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies. 

License agreement 

This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may 

be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. 

This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other 

person. 

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any 

unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. 

This software is subject to change without notice and should not be construed as a commitment by RSA. 

Note on encryption technologies 

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption 

technologies, and current use, import, and export regulations should be followed when using, importing or exporting this 

product. 

Distribution 

Limit distribution of this document to trusted personnel. 

© 2009 RSA Security Inc. All rights reserved. 

June 2009

RSA SecurID Software Token 1.0 for iPhone Devices Administrator’s Guide 

Contents 

Preface................................................................................................................................... 5 

About This Guide................................................................................................................5 

RSA SecurID Software Token Documentation .................................................................. 5 

Related Documentation....................................................................................................... 5 

Getting Support and Service ............................................................................................... 6 

Before You Call Customer Support............................................................................. 6 

Chapter 1: System Requirements ........................................................................ 7 

About RSA SecurID Software Token................................................................................. 7 

System Requirements.......................................................................................................... 7 

Supported Software Token Configurations......................................................................... 8 

Clock Settings ..................................................................................................................... 9 

Chapter 2: Installing the Application.................................................................11 

Performing Pre-Deployment Tasks....................................................................................11 

Installation Overview.........................................................................................................11 

Install the Application Directly to a Device .............................................................. 12 

Install the Application by Syncing It Through iTunes .............................................. 13 

Quick Start for Users......................................................................................................... 13 

Chapter 3: Provisioning Software Tokens.................................................... 15 

Prerequisites...................................................................................................................... 15 

Planning the RSA SecurID Authentication Requirement................................................. 15 

PINPad-Style Software Tokens ................................................................................. 16 

Fob-Style Software Tokens ....................................................................................... 17 

Tokens That Do Not Require a PIN........................................................................... 18 

Provisioning Overview ..................................................................................................... 19 

Provisioning Tokens Using Dynamic Seed Provisioning................................................. 19 

Add the iPhone 1.0 Device Definition File................................................................ 21 

Configure the Software Token Record in RSA Authentication Manager 7.1 ........... 21 

Distribute the Token .................................................................................................. 25 

Delivering a Token Using Dynamic Seed Provisioning ................................................... 26 

URL Link Format Requirements ............................................................................... 27 

E-mail Message Format Requirements...................................................................... 27 

Create the URL Link.................................................................................................. 27 

Before You Deliver the Token................................................................................... 28 

Using RSA Credential Manager for Dynamic Seed Provisioning.................................... 28 

Configure RSA Credential Manager.......................................................................... 29 

Request a Token Using the RSA Self-Service Console ............................................ 30 

Approve the Request.................................................................................................. 32 

Provisioning Tokens Using Compressed Token Format .................................................. 33 

Configure the Software Token Record in RSA Authentication Manager 6.1 ........... 34 

Convert the Token File .............................................................................................. 37 

Contents 3


Token Converter Output ............................................................................................ 38 

E-mail Message Format Requirements...................................................................... 38 

Create the URL Link.................................................................................................. 38 

Before You Deliver the Token................................................................................... 38 

Chapter 4: Using the Application ....................................................................... 39 

Before You Begin ............................................................................................................. 39 

Start the Application ......................................................................................................... 39 

Completing First-Time Authentication............................................................................. 39 

Complete First-Time Authentication (Enter PIN Screen) ......................................... 40 

Complete First-Time Authentication (Tokencode Screen)........................................ 43 

Authenticate After the First Time ..................................................................................... 44 

Managing the Application................................................................................................. 45 

View Application and Token Information................................................................. 45 

Mask PIN Entry ......................................................................................................... 46 

View Application Help .............................................................................................. 46 

Close the Application................................................................................................. 46 

Back Up the Application............................................................................................ 46 

Reinstall the Application and Recover Your Token.................................................. 47 

Request a Replacement Token................................................................................... 47 

Uninstall the Application........................................................................................... 48 

Chapter 5: Troubleshooting................................................................................... 49 

Customer Support Information ......................................................................................... 49 

Application Installation Problems..................................................................................... 49 

Token Installation Problems ............................................................................................. 49 

Application Is Not Installed....................................................................................... 50 

Errors Issuing the Token in RSA Authentication Manager....................................... 50 

Invalid Token............................................................................................................. 50 

File Password Errors.................................................................................................. 50 

Token Converter Errors ............................................................................................. 50 

URL Format Errors.................................................................................................... 51 

E-mail Message Format Errors .................................................................................. 51 

Network Communication Errors................................................................................ 51 

Authentication Problems................................................................................................... 51 

User Error .................................................................................................................. 51 

Error Exporting Tokens in RSA Authentication Manager 6.1 .................................. 51 

Time Synchronization Problem ................................................................................. 52 

Expired Token............................................................................................................ 52 

Error Messages .................................................................................................................52 

Index ..................................................................................................................................... 53 

4 Contents


Preface 

About This Guide 

This guide describes how to install and provision RSA SecurID Software Token 

(SecurID token application) for use with iPhone devices in an enterprise environment. 

It is intended for RSA Authentication Manager administrators and IT personnel who 

are responsible for deploying and administering the application. It assumes that these 

personnel have experience using RSA Authentication Manager. Do not make this 

guide available to the general user population. 

RSA SecurID Software Token Documentation 

For more information about the SecurID token application, see the following 

documentation: 

Administrator’s Guide. (This guide.) Provides information for security administrators 

on deploying and provisioning the application. 

Quick Start. Helps users install the application and install a software token. Also 

describes how to use a token to access resources protected by RSA SecurID. 

Help. Describes procedures associated with the application screens. Users can open 

the Help file by tapping the Help (?) icon in the application. 

Release Notes. Provides workarounds for known issues and includes other important 

information about the application. It is intended for administrators. 

Related Documentation 

For more information related to the SecurID token application, see the following: 

RSA SecurID Software Token Converter 2.4 Readme. Describes how to convert a 

token exported as an SDTID file from XML format to a compressed format that can be 

delivered to an iPhone device. 

RSA Authentication Manager 7.1 Administrator’s Guide. Provides information 

about how to administer users and security policy in RSA Authentication 

Manager 7.1. 

RSA Security Console Help. Describes day-to-day administration tasks performed in 

the RSA Security Console used with RSA Authentication Manager 7.1. To view Help, 

click the Help tab in the Security Console. 

RSA Authentication Manager 6.1 Administrator's Guide. Provides information 

about how to administer users and security policy in RSA Authentication 

Manager 6.1. 

Database Administration application Help. Describes day-to-day administration 

tasks performed in the Database Administration application used with 

RSA Authentication Manager 6.1. 

Preface 5


Getting Support and Service 

RSA SecurCare Online 

Customer Support Information 

RSA Secured Partner Solutions Directory 

https://knowledge.rsasecurity.com 

www.rsa.com/support 

www.rsasecured.com 

RSA SecurCare Online offers a knowledgebase that contains answers to common 

questions and solutions to known problems. It also offers information on new releases, 

important technical news and software downloads. 

Before You Call Customer Support 

Make sure that you have direct access to the iPhone device running the software. 

Please have the following information available when you call: 

Your RSA Customer/License ID. 

SecurID token application version number. 

The model of the iPhone device on which the problem occurs. 

The device operating system version under which the problem occurs. 

6 Preface


1 System Requirements 

This chapter introduces RSA SecurID Software Token (SecurID token application) 

and lists the system requirements and supported software token configurations. 

About RSA SecurID Software Token 

RSA SecurID Software Token is authentication software that transforms an iPhone 

into a SecurID authentication device. The application requires a software-based 

security token. SecurID software tokens generate one-time passwords (OTPs) at 

regular intervals. Users with supported iPhones can use the current OTP, along with 

other security information, to authenticate to resources protected by RSA SecurID. 

For example, with the application, users can gain access to Virtual Private Networks 

(VPNs) and web applications. The application ensures strong security in a single 

handheld application and eliminates the need for the user to carry a separate hardware 

token. 

System Requirements 

Make sure that you meet the following system requirements for installing and 

provisioning the application. 

• An iPhone 3G running the latest RSA supported iPhone OS. For the latest 

supported version, see http://www.rsa.com/iphone. 

• (Optional) A computer running Windows XP SP2, Windows Vista, or Mac OS X 

10.4.10 or later with iTunes 7.7 or later installed. 

• One of the following network authentication servers: 

– RSA Authentication Manager 6.1 

– RSA Authentication Manager 7.1 

– RSA SecurID Appliance 3.0 

• (Optional) RSA Credential Manager, the self-service and provisioning component 

of RSA Authentication Manager 7.1. 

• 2 MB available space on the iPhone device for the application. 

• RSA SecurID Software Token Converter 2.4 running on Windows XP SP2, 

Windows Vista, or Red Hat Linux if you plan to provision software tokens using 

Compressed Token Format. For more information, see “Provisioning Tokens 

Using Compressed Token Format” on page 33. 

1: System Requirements 7


Supported Software Token Configurations 

You can provision each iPhone with one software token. You can issue tokens with the 

following attributes. For more information on setting token attributes, see 

“Provisioning Software Tokens” on page 15. 

Note: You must issue 128-bit (AES) tokens. The SecurID token application does not 

support 64-bit (SID) tokens. 

Token Attributes 

RSA 

Authentication 

Manager 7.1 

RSA 

Authentication 

Manager 6.1 

RSA Credential 

Manager 

128-bit AES 

Time-based 

8-digit tokencode 

6-digit tokencode 

60-second tokencode duration 

30-second tokencode duration 

PINPad style tokens (PIN entry in 

the iPhone device) 

Fob-style tokens (PIN entry in the 

protected resource) 

Tokens that do not require a PIN 

(user authenticates with user 

name and tokencode) 

Token file password 

Unique device identifier (UDID), 

used to bind a token to the iPhone 

device 

8 1: System Requirements


Clock Settings 

The time, the time zone, and Daylight Saving Time must all be set correctly so that 

users can perform RSA SecurID authentication from their iPhones. Instruct users to 

verify the time settings on their iPhone devices before they install the application and 

periodically after installation to make sure that their settings are correct. If the clock 

settings on a user’s device change significantly, they will no longer be synchronized 

with the clock settings on the Authentication Manager host, and the user will not be 

able to be authenticated. Users who cross time zones with their devices need to change 

only the time zone in order to reflect the correct local time. 

For information on iPhone date and time settings, see the iPhone User Guide for 

iPhone and iPhone 3G. 

1: System Requirements 9


2 Installing the Application 

This chapter provides an overview of installing RSA SecurID Software Token 

(SecurID token application) and provides suggestions for preparing users to install and 

use the application. 

Performing Pre-Deployment Tasks 

To prepare to deploy the application in your enterprise, complete the tasks in the 

following table. 

Task 

1. Download the application from the Apple 

App Store. 

See 

“Installation Overview” on page 11 

2. Provision software tokens. “Provisioning Software Tokens” on page 15 

3. Instruct users on downloading the 

application and receiving a token. 

“Quick Start for Users” on page 13 

Installation Overview 

The SecurID token application is available free of charge from the Apple App Store. 

The RSA web site provides the following web link, which you can use to direct users 

to the application: http://www.rsa.com/iphone. You can copy the link into an e-mail 

message and send it to users’ device e-mail program or to their computers. That way 

users do not have to search for the application in the App Store. 

After the users have installed the application, you must provision their devices with a 

software token. For more information, see Chapter 3, “Provisioning Software 

Tokens.” 

2: Installing the Application 11


Users can install the application directly onto their iPhone device from the App Store. 

Or, they can launch the App Store in iTunes, download the application to their 

computer, and then sync it to the device. The following figure illustrates these two 

options. 

Install the Application Directly to a Device 

Use the following procedure to install the application directly onto your iPhone device 

from the App Store. 

To install the application directly to an iPhone device: 

1. Tap the App Store icon on your iPhone. 

2. Browse the Business category and select RSA SecurID Token. 

3. Enter your Apple ID or iTunes account credentials, as prompted. 

The device exits to the Home screen to display the download progress. When the 

download is complete, the application is available on the device. 

12 2: Installing the Application


Install the Application by Syncing It Through iTunes 

Use the following procedure to download the application to your computer and install 

it onto your iPhone device through a sync. 

To install the application through a sync: 

1. Connect your iPhone to a USB port on your computer. 

2. Launch the App Store in iTunes. 

3. Browse the Business category and select RSA SecurID Token. 

4. Download the application to your computer. 

5. If prompted, authenticate with your Apple ID or iTunes account credentials. 

6. Instruct iTunes to sync the application onto your device, and apply the changes. 

Quick Start for Users 

Deploying the SecurID token application affects the way that users access secure 

applications in the enterprise. RSA provides a Quick Start document in PDF format to 

help users install and use the application. The Quick Start contains instructions for: 

• Downloading and installing the application 

• Installing a software token 

• Setting a PIN (if required) during the user’s first RSA SecurID authentication 

• Using the application to log on to resources protected by RSA SecurID 

The product documentation is located on the RSA web site at 

http://www.rsa.com/iPhone. RSA recommends that you download the 

documentation and e-mail the Quick Start to users. 

After launching the application, users can access a Help file by tapping the Help (?) 

icon. 

2: Installing the Application 13


3 Provisioning Software Tokens 

This chapter provides the key steps for issuing software tokens in RSA Authentication 

Manager and describes the supported methods for provisioning tokens for use with 

RSA SecurID Software Token (SecurID token application). 

Prerequisites 

Before provisioning tokens, you must: 

• Understand how to issue software tokens in RSA Authentication Manager. 

– For RSA Authentication Manager 7.1 or RSA SecurID Appliance 3.0, use the 

RSA Security Console. For detailed instructions, see the RSA Security 

Console Help. 

– For RSA Authentication Manager 6.1, use the Database Administration 

application. For detailed instructions, see the Database Administration 

application Help. 

• Issue 128-bit (AES) tokens. The application does not support 64-bit (SID) tokens. 

• Plan your authentication requirement, as described in the following section. 

Planning the RSA SecurID Authentication Requirement 

RSA SecurID authentication normally requires using a PIN with the software token. 

The PIN and the tokencode displayed on the device form a passcode, which serves as 

the user’s one-time password (OTP). Entering a PIN in addition to the tokencode is 

known as two-factor authentication. The two factors are something you have (the 

token) and something you know (the PIN). Using two factors delivers a higher level of 

authentication assurance than using a single factor. 

RSA Authentication Manager also supports tokens that do not require entering a PIN. 

If you issue this token type, the user authenticates with the currently displayed 

tokencode (something you have). This option is best used when a system other than 

RSA SecurID is responsible for managing the second factor (something you know), 

such as an existing user name and password. In this scenario, the first factor (user 

name/password) is validated by the external system and the second factor (tokencode) 

is validated by Authentication Manager. 

With RSA Authentication Manager 7.1 and RSA SecurID Appliance 3.0, you can 

issue two types of software tokens that require a PIN: PINPad-style tokens and 

fob-style tokens. Each type offers strong two-factor authentication assurance. The 

SecurID token application recognizes the token type that is installed on the iPhone 

device and displays customized screens accordingly. 

3: Provisioning Software Tokens 15


PINPad-Style Software Tokens 

Note: All supported versions of Authentication Manager support PINPad-style 

software tokens. 

If a PINPad-style token is installed on the user’s iPhone device, the application 

prompts the user to enter a PIN. The user types the PIN using the device keyboard and 

taps the right arrow button to submit it. The SecurID token application then displays 

an OTP, in this case a passcode formed from the PIN and the current tokencode. To 

authenticate, the user enters the OTP in the logon screen of the protected resource (for 

example, a VPN client application). 

This authentication experience is similar to using an RSA SecurID PINPad-style 

hardware token, such as the SD520, where the user enters the PIN on the device’s 

numeric keypad and then enters the displayed OTP (passcode) in the protected 

resource. PINPad-style software tokens require a numeric PIN of 4 to 8 digits. 

The following figure shows the user authentication experience. 

16 3: Provisioning Software Tokens


Fob-Style Software Tokens 

Note: RSA Authentication Manager 7.1 and RSA SecurID Appliance 3.0 support 

fob-style software tokens. RSA Authentication Manager 6.1 does not support 

fob-style tokens. 

If a fob-style token is installed on the user’s iPhone device, the SecurID token 

application displays a tokencode. To authenticate, the user types the PIN in the logon 

screen of the protected resource, and then types the tokencode, without spaces, next to 

the PIN. The combination of the PIN and tokencode forms the OTP (passcode). 

This authentication experience is similar to using an RSA SecurID hardware fob, such 

as the SID700, where the user types the PIN in the protected resource, followed by the 

current tokencode displayed on the fob. Because many users are familiar with RSA 

hardware fobs, issuing fob-style software tokens can simplify the transition from 

using a hardware fob to using a software token. 

Fob-style software tokens used with application require a numeric PIN of 4 to 8 digits. 




Tokens That Do Not Require a PIN 

Note: All supported versions of Authentication Manager support tokens that do not 

require a PIN. 

If the user has been issued a token that does not require a PIN, the SecurID token 

application displays a tokencode. To authenticate, the user types the current tokencode 

in the logon field of the protected resource. 




Provisioning Overview 

You can provision tokens for the application using Dynamic Seed Provisioning or 

using Compressed Token Format. 

RSA recommends that you use Dynamic Seed Provisioning with RSA Authentication 

Manager 7.1 or RSA SecurID Appliance, 3.0. However, you can deliver tokens using 

Compressed Token Format if you prefer. 

If you use RSA Authentication Manager 6.1, you must use Compressed Token 

Format, as version 6.1 does not support Dynamic Seed Provisioning. 

Use the information in the following table to become familiar with authentication 

server requirements for token provisioning, and then click the link to see more 

information on the provisioning method you plan to use. 

Provisioning Method Server Requirement See 

Dynamic Seed Provisioning 

RSA Authentication Manager 

7.1 or RSA SecurID 

Appliance 3.0 

RSA Credential Manager 

“Provisioning Tokens Using 

Dynamic Seed Provisioning” 

on page 19 

“Using RSA Credential 

Manager for Dynamic Seed 

Provisioning” on page 28 

Compressed Token Format 

Required with RSA 

Authentication Manager 6.1 

Also supported with 

RSA Authentication 

Manager 7.1 or RSA SecurID 

Appliance 3.0 

“Provisioning Tokens Using 

Compressed Token Format” 

on page 33 

Provisioning Tokens Using Dynamic Seed Provisioning 

Dynamic Seed Provisioning (also called Remote Token Key Generation) uses the 

RSA Cryptographic Token Key Initialization Protocol (CT-KIP) for the secure 

initialization and configuration of cryptographic tokens. When the protocol is 

executed, it results in the generation of the same shared secret on both the server and 

the token. 

To use Dynamic Seed Provisioning, you configure and issue a token in Authentication 

Manager, selecting CT-KIP as the distribution method. You must then format a URL 

link to the CT-KIP server. You send an e-mail message containing the URL link to the 

server to the user’s iPhone device. In the iPhone Mail program, the user taps the URL 

link to install the token. 



Dynamic Seed Provisioning requires a numeric or alphanumeric activation code 

generated in Authentication Manager to complete the token installation. You can 

include the token activation code as part of the URL link. If you prefer to deliver the 

activation code separately, through an out-of-band mechanism, you can omit the 

activation code from the link. In that case, the user must manually enter the activation 

code on the iPhone keyboard to complete the token installation. If the user forgets the 

activation code, you can communicate it again, and the user can tap the URL link 

again to retry. 

The figure below provides an overview of Dynamic Seed Provisioning, and the 

following sections describe the provisioning steps in detail. 



Dynamic Seed Provisioning requires RSA Authentication Manager 7.1 or 

RSA SecurID Appliance 3.0. The following table lists the provisioning steps, and the 

following sections describe each step. 

Task 

See 

1. Add the iPhone device definition file 

to the Authentication Manager server. 

“Add the iPhone 1.0 Device Definition File” on 

page 21 

2. Configure the software token record. “Configure the Software Token Record in RSA 

Authentication Manager 7.1” on page 21 

3. Distribute the token. “Distribute the Token” on page 25 

4. Deliver the token to the user’s iPhone 

device. 

“Delivering a Token Using Dynamic Seed 

Provisioning” on page 26 

Add the iPhone 1.0 Device Definition File 

Software tokens issued using RSA Authentication Manager 7.1 or RSA SecurID 

Appliance 3.0 must be associated with a device definition file. This is an XML file 

that specifies the supported capabilities and attributes of tokens used with the 

application. The device definition file specifies the supported tokencode length, type, 

and duration, as well as the attributes that you can use to bind a software token to a 

specific iPhone device. The iPhone 1.0 device definition file is included with the 

product documentation at http://www.rsa.com/iphone. 

Before you issue software tokens to use with the SecurID token application, you must 

add the device definition file to RSA Authentication Manager 7.1. This adds the 

iPhone 1.0 entry to the Software Token Device Type drop-down list on the Edit 

Token page. When you select iPhone 1.0 from the device type list, the page displays 

the software token attributes that you can configure. For more information, see the 

following section, “Configure the Software Token Record in RSA Authentication 

Manager 7.1.” 

To add the device definition file: 

1. Save the device definition file, iPhone-1.0-swtd.xml, provided in the installation 

kit to a folder on your computer. 

2. In the RSA Security Console, click Authentication > Software Token Device 

Types > Import Token Device Type. 

3. Click Browse to locate the iPhone 1.0 device definition file, and select the file. 

4. Click Submit. 

Configure the Software Token Record in RSA Authentication Manager 7.1 

This guide assumes that you have imported software tokens into Authentication 

Manager, assigned them to users, and are ready to configure them in the Security 

Console. The following sections highlight key steps for configuring token records for 

use with the SecurID token application. For more information on configuring token 

records, see the Security Console Help. 



Step 1: Access the Edit Token page: 

To access the Edit Token page: 

1. Log on to the Security Console. 

2. Click Authentication > SecurID Tokens > Manage Existing. 

3. Select the token that you want to edit. 

4. Click the drop-down arrow next to the token serial number, and select Edit. 

Step 2: Select the User Authentication Requirement 

In the SecurID PIN Management section, do one of the following: 

• Select Require PIN during authentication if you want the user to authenticate 

with a passcode (PIN plus tokencode). 

• Select Do not require PIN (only tokencode) if you want the user to authenticate 

with a tokencode only (no PIN). 

Step 3: Select the Software Token Device Type 

From the Software Token Device Type drop-down list, select iPhone 1.0. 

Selecting the device type displays the Device Specific Attributes section, which lists 

the attributes that you can assign to tokens used with iPhone devices. 

If you want to bind the token to the user’s device, you enter the unique device 

identifier (UDID) for the device in the DeviceSerialNumber field. This ensures that 

the token can be installed only on the device for which it is intended. To obtain the 

UDID and bind the token, see “Step 5: Obtain the UDID for Binding the Token” on 

page 24 and “Step 6: Bind the Token” on page 25. 

You can optionally assign a nickname to the token in the Nickname field. However, 

the token nickname is not displayed in the application. 



Step 4: Select the Software Token Settings 

In the Software Token Settings section, select the software token settings. The 

following figure shows the settings available for the SecurID token application, and 

the table explains each setting. 

Option 

Displayed Value 

Tokencode Length 

Tokencode Type 

Tokencode Duration 

Choices 

Displayed Value options are available if you selected “Require 

PIN during authentication” as the user authentication requirement. 

If you selected “Do not require PIN (only tokencode),” the 

Displayed Value field automatically defaults to “Tokencode.” (In 

that case, the parenthetical text after the Tokencode option does 

not apply.) 

Select Passcode (PIN incorporated into tokencode) to issue a 

PINPad-style software token. 

Select Tokencode (PIN entered followed by tokencode during 

authentication) to issue a fob-style software token. For more 

information on these token types, see “Planning the RSA SecurID 

Authentication Requirement” on page 15. 

Select either 6-Digits or 8-Digits. 

Time Based is automatically selected, indicating that the 

tokencode changes at a regular interval. The application does not 

support event-based tokens. 

Select either Display next tokencode every 30 seconds or 

Display next tokencode every 60 seconds. 



Step 5: Obtain the UDID for Binding the Token 

For added security, RSA recommends that you bind the token to the unique device 

identifier (UDID) of the user’s iPhone device. The UDID consists of a sequence of 40 

letters and numbers that is device specific. Binding a token to a UDID associates it 

with a specific device and provides the means for verifying that the device is the 

correct destination for the token. If the user attempts to install the token on a different 

device, an error message is displayed, and the token is not installed. 

Before you can bind a token to a specific device, you must obtain the UDID from the 

user. The user can obtain the UDID from iTunes or from the Info screen in the 

installed SecurID token application. The user can then send you the UDID in a secure 

e-mail message. 

If you want users to obtain their UDIDs from iTunes, instruct them as follows. 

To obtain the UDID from iTunes: 

1. Launch iTunes and connect your iPhone. 

2. In the Summary tab in the right pane, locate the Serial Number field. 

3. Click Serial Number to reveal the Identifier field. 

This field displays the UDID. 

4. In the iTunes menu bar, select Edit > Copy to copy the UDID to your clipboard. 



5. In your e-mail program, select Edit > Paste to paste the UDID into an e-mail. 

6. Send the e-mail to your administrator. 

Step 6: Bind the Token 

In the Software Token Device Type section, enter the UDID in the 

DeviceSerialNumber field, as shown in the following figure. 

Distribute the Token 

After you configure the user’s software token record, you must specify the token 

distribution method and select an attribute to use for the token activation code. The 

activation code can contain a maximum of 40 numeric or alphanumeric characters. 

You can specify the UDID that you used to bind the token as the activation code. If 

you did not bind the token, Authentication Manager automatically generates an 

activation code. 

To distribute the token: 

1. In the Security Console, click Authentication > SecurID Tokens > Manage 

Existing. 

2. Use the search fields to find the token that you want to distribute. 

3. From the search results, click the token that you want to distribute. 

4. From the Context menu, click Edit. 

5. From the Software Token Device Type drop-down menu, select iPhone 1.0 as 

the device type. 

6. Click Save & Distribute Token. 



7. In the Basics section, next to Distribution Method, select Generate CT-KIP 

Credentials for Web Download. 

8. Under Options, do one of the following: 

• If you bound the token to a UDID, and you want to use the UDID as the token 

activation code, select DeviceSerialNumber. 

• If you did not bind the token to the UDID, select System Generated Code. 

9. Click Next to save the configuration and view the token delivery details. 

Delivering a Token Using Dynamic Seed Provisioning 

To deliver a token using Dynamic Seed Provisioning, you send an e-mail message 

containing a specially formatted URL link to the user’s iPhone device. The user 

installs the token by tapping the URL link. 

If you include the activation code in the URL link, the user does not have to enter the 

activation code. If you deliver the activation code separately (for example, through 

internal corporate e-mail), the user is prompted to type the activation code in the 

SecurID token application to complete the token installation. 

If you use a self-signed certificate in your Authentication Manager CT-KIP 

deployment, the application displays a warning that the certificate is not trusted and 

prompts the user to accept or reject the certificate. To complete the token installation, 

the user must accept the certificate. 



URL Link Format Requirements 

The URL link must be in the format: 

com.rsa.securid.iphone://ctkip?url=https://customer_ctkip_s 

erver_url 

where customer_ctkip_server_url is your CT-KIP server-side URL 

To include the activation code, append it to the string, as follows: 

com.rsa.securid.iphone://ctkip?url=https://customer_ctkip_se 

rver_url&activationCode=activation_code 

You can use either https or http protocol. 

The following example shows a properly formatted URL link that does not include an 

activation code: 

com.rsa.securid.iphone://ctkip?url=https://ctk-server123.you 

rco.com:7004/ctkip/services/CtkipService 

The following example shows a properly formatted URL link that includes an 

activation code: 

com.rsa.securid.iphone://ctkip?url=https://ctk-server123.you 

rco.com:7004/ctkip/services/CtkipService 

&activationCode=123456789012 

E-mail Message Format Requirements 

To deliver the token, you must send an e-mail message containing the formatted URL 

link to the user’s device. If you use Microsoft Outlook to create the link, under certain 

circumstances Microsoft Outlook inserts a slash character into the URL link that 

causes the SecurID token application to reject the token as invalid. To avoid this 

problem, set the message format as follows: 

• For Microsoft Outlook 2007, set the message format to Rich Text. 

• For Microsoft Outlook 2003, make sure that Microsoft Word is not selected as 

your default editor, and set the message format to HTML. 

• For e-mail clients other than Microsoft Outlook, set the message format to HTML. 

Create the URL Link 

To create the URL link: 

1. Compose a brief e-mail message, using text similar to the following in the 

message body: 

Tap this link to install your token. When done, delete 

this message. 

2. Select the text to use as the hyperlink, for example, “Tap this link,” and create a 

link to the URL that contains the token information. 

For detailed instructions, see the Help for your e-mail client. 



Before You Deliver the Token 

After you have created the e-mail message with the URL link, you are ready to deliver 

the token to the user’s iPhone device. Before delivering the token: 

• Make sure that the user has installed the SecurID token application. 

• Provide the activation code to the user if you did not include it in the formatted 

URL link. 

• Instruct the user to delete the e-mail message containing CT-KIP server 

information as soon as the token has been installed. This measure helps prevent an 

unauthorized user who might have access to the device from wrongfully obtaining 

the token. 

Using RSA Credential Manager for Dynamic Seed Provisioning 

You can use RSA Credential Manager for Dynamic Seed Provisioning. Credential 

Manager is the self-service and provisioning component of RSA Authentication 

Manager 7.1 and shares the RSA Security Console. You can allow users to sign up to 

access the built-in Self-Service Console, where they can request a new token or a 

replacement token. 

To use Credential Manager for Dynamic Seed Provisioning, you must perform the 

tasks in the following table. 

Task 

1. Install the device definition file for 

iPhone. 

2. Configure Credential Manager to 

allow users to request a token to use 

with the iPhone application. 

3. Instruct users on making the proper 

selections when requesting a software 

token for iPhone through the 

Self-Service Console. 

See 

“Add the iPhone 1.0 Device Definition File” on 

page 21 

“Configure RSA Credential Manager” on page 29 

“Request a Token Using the RSA Self-Service 

Console” on page 30 



Configure RSA Credential Manager 

The following figure shows sample console configuration settings for the iPhone 

application. Use the following procedure to configure the settings you want. 

Note: Credential Manager does not support token configurations other than the 

standard settings (8-digit, 60-second, with or without a PIN). To issue tokens with 

other settings, including fob-style tokens, you must use RSA Authentication Manager. 

To configure Credential Manager to allow users to request a token: 

1. From the Credential Manager Home page, under Token Provisioning, click 

Manage Tokens. 

2. On the Manage Tokens page, under Software Token Types Available for 

Request, scroll to iPhone 1.0, and click Allow users to request iPhone 1.0 

software tokens. 

The Display Name, Image location, and Description fields are automatically 

populated and provide a display name, an application description, and an image to 

be displayed in the Self-Service Console. 

3. In the Require User to Authenticate With field, select the authentication 

requirement: 

• Select Passcode to provision a PINPad-style token. 

• Select Tokencode to provision a token that does not require a PIN. 

4. In the Supported Token Distribution Methods field, select Generate CT-KIP 

Credentials for Web Download. 



5. In the Client Application URL field, enter your server-side CT-KIP URL in the 

following format: 

com.rsa.securid.iphone://ctkip?url=https://customer_ctkip 

_server_url 

where customer_ctkip_server_url is your CT-KIP server-side URL. 

For example: 

com.rsa.securid.iphone://ctkip?url=https://ctk-server123. 

yourco.com:7004/ctkip/services/CtkipService 

Note: Because the setting for Client Application URL is the same for all 

users, you cannot include an activation code as part of the URL. Credential 

Manager automatically generates a different activation code for each user and 

delivers it in the e-mail that is sent to the user’s device when the token request 

is approved. The user is prompted to enter the activation code to complete the 

token installation. 

6. (Optional) To make iPhone the default token type for all token requests, select 

Make this token type the default option for all token requests. 

7. (Optional) In the Attribute Details field, select Allow users to edit token 

attribute details. 

Selecting this option allows the user to enter a device-specific attribute when 

requesting a token from the Self-Service Console. Instruct the user to enter the 

UDID associated with the device to bind the token to the device. The user can 

obtain the UDID from iTunes, as described in “To obtain the UDID from iTunes:” 

on page 24, or from the installed application. 

8. Select Save. 

Request a Token Using the RSA Self-Service Console 

Before a user can request a token using the RSA Self-Service Console, the user must 

request an account. After you have approved the account request, the user can create 

an account and request a token. Make sure that the user has obtained the UDID before 

requesting a token. 

To ensure that the user fills out the token request correctly, provide the following 

instructions. 

To request a software token using the RSA Self-Service Console: 

Note: You must know your device UDID before requesting a token. 

1. Log on to the Self-Service Console URL. 

2. In the My SecurID Tokens section, click Request a Token. 



3. In the Request a Token drop-down box, select Software, and then select I need a 

specific software token. 

The Token Type section is displayed. 

4. In the TokenType section, scroll to and select iPhone_1.0. 

5. Under Provide Your Token Details, in the DeviceSerialNumber field, enter 

your device UDID. 

You must enter the UDID to ensure that the token you are requesting cannot be 

installed on another device. 

6. Under Create Your PIN, create and confirm a PIN for your token. 

This field is displayed if your administrator requires a PIN with your token. 

Memorize your PIN. If you forget your PIN, you can reset it using the 

Self-Service Console. 

7. In the Reason for Token Request box, enter the reason for your request. For 

example: “To access the corporate VPN from my iPhone.” 

8. Click Submit Request. 



Approve the Request 

After you approve the user’s request for a token, an e-mail message containing 

instructions for installing the token is sent automatically to the user’s device e-mail 

address. The message contains several hyperlinks. The user must tap the “Download 

the SecurID Application” link to install the token. To ensure that the user selects the 

correct link, you can enter administrator comments when you approve the user’s 

request, as shown in step 2 below. The comments become part of the e-mail message. 

To approve the request: 

1. In the Security Console, click Administration > Provisioning. 

2. In the Comment to User field, enter a comment similar to the following: 

Note: The “Download the SecurID Application” link contains the user’s 

token. It does not contain the SecurID token application. 

3. Click Approve Requests. 

The e-mail message sent to the user looks similar to the following figure: 



Provisioning Tokens Using Compressed Token Format 

As an alternative to Dynamic Seed Provisioning, you can provision a token using 

Compressed Token Format. This provisioning method is required for organizations 

using RSA Authentication Manager 6.1. 

You first configure the token record in any supported version of Authentication 

Manager and issue it as an SDTID file. You then use the RSA SecurID Software 

Token Converter 2.4 command line utility to convert the SDTID file from XML 

format to an 81-digit numeric string and output a text file that contains the numeric 

string appended to a specially formatted URL link. You send the URL link to the 

user’s device in an e-mail message. The user opens the iPhone Mail program and taps 

the URL link to install the token. 

If you password protect the token in Authentication Manager, the user must enter the 

password to complete the process. If the user forgets the password, you can 

communicate it again, and the user can tap the hyperlink again to retry. Once the user 

correctly enters the password, the password is not used again. 

The following figure shows token provisioning using Compressed Token Format. 



Provisioning tokens using Compressed Token Format involves the following steps, 

which are detailed in the following associated sections. 

Task 

1. Configure the software token record 

and generate the token file (SDTID 

file). 

2. Convert the token file to Compressed 

Token Format. 

See 

“Configure the Software Token Record in 

RSA Authentication Manager 6.1” on page 34 

“Convert the Token File”on page 37 

3. Set the e-mail message format “E-mail Message Format Requirements” on 

page 38 

Configure the Software Token Record in RSA Authentication Manager 6.1 

This section highlights key steps in using RSA Authentication Manager 6.1 to 

configure token records for use with the SecurID token application. For more 

information, see the Database Administration application Help. 

Note: To configure a token record in RSA Authentication Manager 7.1, see 

“Configure the Software Token Record in RSA Authentication Manager 7.1” on 

page 21. 

RSA Authentication Manager 6.1 supports the following software token 

characteristics: 

• 8-digit tokencode length 

• 60-second, time-based tokencode 

• Passcode authentication (PIN plus tokencode) 

• Tokencode authentication (no PIN required) 

Note: RSA Authentication Manager 6.1 does not support fob-style tokens (PIN entry 

in protected resource). 



To configure a token record in RSA Authentication Manager 6.1: 

1. Open the Database Administration application, and select Tokens > Issue 

Software Tokens. 

2. Accept the default algorithm (AES SDTID 3.0). 

3. Under Options, leave Enable Copy Protection selected, and select Edit 

Extension Data. 

4. If you want to protect the token file with a password, select Password Protect, 

and then enter and confirm a static password of up to 24 case-sensitive characters, 

or select another password protection option. For information on other password 

protection options, click the Help button at the bottom right of the screen. 

5. Under Output, in the Target Directory field, browse to the directory on your 

system to which you want the token file to be exported. 

6. Under Output, select One Token Per File. 



7. Click Next, and select One user. 

8. Click Next, and select the user for whom you want to issue the token. Click OK, 

and then click Next. 

9. Do one of the following: 

• To require passcode authentication, leave Do not change selected or select 

User authenticates with passcode. 

• To issue a token that does not require a PIN, select User authenticates with 

tokencode only. 

10. Click Next, and then click Yes. 

The Edit Token Extension Data screen opens. Use the instructions in the following 

section to bind the token to the user’s iPhone device. 

Bind the Token to a Device 

For added security, RSA recommends that you bind the token to the UDID of the 

user’s device. The UDID consists of a sequence of 40 letters and numbers that is 

device specific. Binding a token to a UDID associates it with a specific device and 

provides the means for verifying that the device is the correct destination for the 

token. If the user attempts to install the token on a different device, an error message is 

displayed, and the token is not installed. The user must contact the administrator to 

request a token. 

Before you bind a token, you must obtain the UDID from the user. The user can copy 

the UDID from iTunes and paste it into an e-mail message. Alternatively, the user can 

obtain the UDID from the Info screen in the SecurID token application. 

Note: If you want users to obtain their UDID from iTunes, see “To obtain the UDID 

from iTunes:” on page 24. 



To bind a token to a device: 

1. In the Key field, enter DeviceSerialNumber. 

2. In the Data field, enter the UDID. 

3. Click Save, and click Exit. 

The result should look similar to the following figure. 

Convert the Token File 

After issuing the token file (SDTID file), you must convert it to a format that can be 

installed on the device. This requires using the RSA SecurID Software Token 

Converter. The Token Converter is a free command line utility that converts a 

software token record that has been issued as an SDTID file from XML format to a 

Compressed Token Format consisting of an 81-digit string. 

To convert a token file (SDTID file): 

1. Download the RSA SecurID Software Token Converter 2.4 from 

http://www.rsa.com/node.aspx?id=1313. 

2. Follow the instructions in the Token Converter Readme, making sure to observe 

the following requirements: 

• Convert only one token file at a time. You cannot convert multiple token files 

at a time. 

• Use the -iphone option to specify that the output of the Token Converter will 

be a specially formatted hyperlink (URL) containing the converted token. You 

must deliver the hyperlink to the user’s iPhone device in an e-mail message, 

as described in “E-mail Message Format Requirements” on page 38. 

• Use the -o filename option to output the hyperlink containing the converted 

token to a text file that you can send to the user. If you do not use the -o 

option, the output is written to the screen. 

• Use the -p password option if you password protected the token file in 

Authentication Manager. 



Token Converter Output 

• Do not use the -f option. This application ignores the -f option. 

• You do not need to use the -v option. When you use the -iphone option, the -v 

2 option is implemented automatically. 

When you convert a token using the -iphone and -o filename options, the output is a 

text file containing a specially formatted URL link that contains token data. The link 

format signals the device that the link contains data relevant to the application. 

The URL link will look similar to the following example. 

com.rsa.securid.iphone://ctf?ctfData=00206816463136011170432 

7744610766317206477164632456201026172002115044627167126500 

E-mail Message Format Requirements 

To deliver the token, you must send an e-mail message containing the formatted URL 

link to the user’s device. If you use Microsoft Outlook to create the link, under certain 

circumstances Microsoft Outlook inserts a slash character into the URL link that 

causes the SecurID token application to reject the token as invalid. To avoid this 

problem, set the message format as follows: 



your default editor, and set the message format to HTML. 


Create the URL Link 

To create the URL link: 

1. Compose a brief e-mail message, using text similar to the following in the 

message body: 

Tap this link to install your token. When done, delete 

this message. 

2. Select the text to use as the hyperlink, for example, “Tap this link,” and create a 

link to the URL that contains the token information. 

For detailed instructions, see the Help for your e-mail client. 

Before You Deliver the Token 

After you have created the e-mail message with the URL link, you are ready to deliver 

the token to the user’s iPhone device. Before delivering the token: 

• Make sure that the user has installed the SecurID token application. 

• If you protected the token with a password, provide the password to the user. 

• Instruct the user to delete the e-mail containing the token data as soon as the token 

has been installed. This measure helps prevent an unauthorized user who might 

have access to the device from wrongfully obtaining the token. 



4 Using the Application 

This chapter contains information for users on how to use RSA SecurID Software 

Token (SecurID token application), and contains information about managing the 

application. 

Before You Begin 

Verify the following before attempting to use the application. 

Before starting the SecurID token application: 

1. Verify that the iPhone device is configured to allow additional applications to be 

executed. 

2. Ensure that a token has been installed on the device. 

Start the Application 

When you start the application, the screen displayed depends on the type of token 

installed on your iPhone device. 

To start the application: 

On your iPhone device, tap the RSA SecurID application icon. 

If you were issued a PINPad-style software token, the application displays the Enter 

PIN screen. 

If you were issued a fob-style software token or a token that does not require a PIN, 

the application displays the Tokencode screen. A tokencode is displayed for either 60 

seconds or 30 seconds, depending on the token configuration. The screen displays the 

number of seconds remaining before the tokencode changes. 

Completing First-Time Authentication 

Note: If you were issued a token that does not require a PIN, skip this section and go 

to “Authenticate After the First Time” on page 44. 

If the token you were issued requires a PIN, you are normally required to set up your 

PIN the first time that you use the token to authenticate when accessing a protected 

resource. In the examples shown in the following sections, the protected resource is a 

VPN client that resides on the computer. 

4: Using the Application 39


When you start the SecurID token application, the application recognizes the token 

type stored on your iPhone device and presents the appropriate screen. 

• If your device displays the Enter PIN screen, follow the instructions in the 

following section, “Complete First-Time Authentication (Enter PIN Screen).” 

• If your device displays the Tokencode screen, follow the instructions in 

“Complete First-Time Authentication (Tokencode Screen)” on page 43. 

Complete First-Time Authentication (Enter PIN Screen) 

Use the following procedure if the SecurID token application on your iPhone displays 

the Enter PIN screen. 

To complete your first SecurID authentication: 

1. On your computer, connect to your VPN client. 

2. Enter your user name, and leave the logon screen open. 

40 4: Using the Application


3. On your iPhone, leave the Enter PIN field blank, and tap the right arrow button. 

A tokencode is displayed. 

4. In the VPN client logon screen, in the Passcode field, enter the tokencode from 

your device, without spaces. 

You are prompted to create a PIN. Your PIN must contain four to eight digits, and 

it cannot begin with a zero. Be sure to memorize your PIN. 

5. Enter and confirm your new PIN. 

You are prompted for a passcode. 

6. On your iPhone, tap the left arrow button located at the top left of the Tokencode 

screen to return to the Enter PIN screen. 



7. Enter your newly created PIN, and tap the right arrow button. 

A passcode is displayed. 

8. In the VPN client logon screen, in the Passcode field, enter the passcode, without 

spaces. Click OK. 



Complete First-Time Authentication (Tokencode Screen) 

Use the following procedure if the SecurID token application on your iPhone displays 

the Tokencode screen. 

To complete your first SecurID authentication: 

1. On your computer, connect to your VPN client. 

2. Enter your user name. 

3. In your VPN client, in the Passcode field, enter the tokencode from your device, 

without spaces. 

You will now be prompted to create a PIN. Your PIN must contain four to eight 

digits. Be sure to memorize your PIN. 

4. Enter and confirm your new PIN. 

You are prompted for a passcode. 

5. On your iPhone, wait for the tokencode to change. 

The application displays the time remaining before the code changes. 



6. When the tokencode changes, return to the VPN client logon screen. In the 

Passcode field, enter your newly created PIN, followed immediately by the 

tokencode that is displayed by the SecurID token application. Click OK. 

Authenticate After the First Time 

Use the following procedure to log on to a protected resource after you have created a 

PIN or if your token does not require a PIN. The resource protected by SecurID may 

reside on your computer, or you may be able to access it from your device. In the 

following example, the protected resource is a VPN client that resides on your 

computer. 

To log on to a protected resource: 

1. On your computer, open the protected resource, for example, connect to your 

VPN client. 

2. Enter your user name, and leave the logon screen open. 

3. On your iPhone, start the SecurID token application. 

4. Do one of the following: 

• If the application displays the Enter PIN screen, enter your PIN, and tap OK. 

The application displays a passcode. In the VPN client, in the Passcode field, 

enter the passcode, without spaces. Click OK. 

• If the application displays a tokencode, and your token requires a PIN, in the 

VPN client, in the Passcode field, enter your PIN, immediately followed by 

the tokencode displayed by the SecurID token application. Click OK. 

• If your token does not require a PIN, in the VPN client, in the Passcode field, 

enter the tokencode displayed by the SecurID token application, without 

spaces. Click OK. 



Managing the Application 

This section describes application features and tasks that you may need to perform. 

View Application and Token Information 

You can view information about the application and the installed token on the Info 

screen. To view information, tap the Information (i) icon. 

Field 

Application Version 

UDID 

Mask PIN Entry 

GMT 

Serial Number 

Expiration Date 

Description 

The version of RSA SecurID Software Token. 

The unique device identifier of the iPhone. Used to bind the 

token to the device. 

Allows the user to mask the PIN or show the PIN as it is being 

entered. The default is ON (mask PIN). 

Displays the current Greenwich Mean Time. For more 

information, see “Clock Settings” on page 9. 

The serial number that identifies the token to 

RSA Authentication Manager. 

Date when the installed token will expire. The date appears in 

the regional format that the user has selected for the device. 

Software tokens expire on the expiration date at 00:00:01. 



Mask PIN Entry 

View Application Help 

Close the Application 

By default, when you enter your PIN in the application, the entry is masked (displayed 

as bullet symbols). 

To display the PIN as readable numbers: 

Tap the Information (i) icon and, under Settings, tap OFF. 

To view the Help file associated with the application: 

Tap the question mark icon (?) in the application. 

To close the application: 

Press the Home button. 

Back Up the Application 

You may want to perform both a sync and a backup through iTunes as soon as you 

install a token on your device. By doing so, you ensure that you will be able to recover 

your token in case you delete the SecurID token application from your device in the 

future. 

Use the following procedure to create a backup that iTunes will not overwrite. 

To back up the application: 

1. Connect your iPhone device to the computer that you normally sync with. 

2. In iTunes, select your device in the sidebar, and click the Summary tab in the 

window to the right. 

3. From the Summary screen, select Restore. 

4. Click Back Up (this creates a backup of all data on your device). 

Note: If you are not prompted to back up your device before the next step, 

select Cancel, disconnect your device, and go back to step 1. 

5. Click Restore (this erases all data on your device). 

6. On the Set Up Your iPhone screen, select Restore from the backup of, and then 

select the backup that features the date and time when this restore process was 

started. Record this backup date and time, because you will use it in the future to 

recover your token. 

7. Right-click your device from the sidebar, and select Sync. 



Reinstall the Application and Recover Your Token 

If you remove the SecurID token application after performing both a sync and a 

backup, you can use the following procedure to reinstall the application and recover 

your token. However, doing so will cause you to lose any changes that you have made 

on your device since creating your backup. 

To reinstall the application and recover your token: 

1. Connect your iPhone device to the computer you that you normally sync with. 

2. In iTunes, select your device in the sidebar, and click the Summary tab in the 

window to the right. 

3. From the Summary screen, select Restore. 

4. Click Back Up (this creates a backup of all data on your device). 

Note: If you are not prompted to back up your device before the next step, 

select Cancel, disconnect your device, and go back to step 1. 

5. Click Restore (this erases all data on your device). 

6. On the Set Up Your iPhone screen, select Restore from the backup of, and then 

select the backup that you recorded in the preceding procedure, “To back up the 

application:.” 

7. Right-click your device from the sidebar, and select Sync. 

For more information, go to http://support.apple.com/kb/HT1766. 

Request a Replacement Token 

Normally, you do not need to replace the software token stored on your iPhone device. 

However, you must request a replacement token if your token expires or if instructed 

to do so by your administrator. When a token expires, the application displays a 

“Token expired” message on the Passcode or Tokencode screen. 

Token expiration occurs at the first second of the token death date Coordinated 

Universal Time (UTC). That is, at 12:00:01 a.m. UTC of the death date, a token will 

cease generating valid OTPs. 

When you install a replacement token, your original token is removed. You cannot 

delete a token from your device manually. 

To request a replacement token: 

Do one of the following: 

• If your administrator issued your original token, contact your administrator to 

request a replacement token. 

• If you requested your original token using the RSA Self-Service Console, access 

the Self-Service Console to request a replacement token. 



Uninstall the Application 

You can uninstall the SecurID token application from your iPhone device and from 

iTunes. Uninstalling the application from your device does not remove it from your 

iTunes library. If you uninstall the application from iTunes but not from the device, 

and then you sync, the application will still be available on the device. This section 

describes how to permanently uninstall the application from both your device and 

iTunes. 

To uninstall the application from the device: 

1. Touch and hold any application icon on the Home screen until the icons start to 

wiggle. 

2. Tap the “x” in the corner of the RSA SecurID application. 

3. Tap Delete, and press the Home button. 

Note: The next time you sync your iPhone device, if the application reappears 

on your device, it is probably because you set your synchronization setting to 

All Applications. To ensure that the application does not reappear on your 

device, change this setting to Selected Applications. 

To uninstall the application from iTunes: 

1. In iTunes, select the Applications content area, and right-click the RSA SecurID 

Token application. 

2. Click Delete. 

3. When asked if you are sure you want to remove the application from your library, 

click Remove. 

4. When asked whether you want to move the application to the trash or keep it in 

the Mobile Applications folder, click Move to Trash. 

The application is removed from your iTunes library. 

5. Connect your iPhone device to your computer. If you have not manually deleted 

the application from your iPhone, you are asked if you want to transfer the item 

from your iPhone back to your iTunes library. Click Don’t Transfer. 



5 Troubleshooting 

This chapter describes issues that might occur with RSA SecurID Software Token 

(SecurID token application), and their corresponding solutions. 

Customer Support Information 

If you need to contact RSA Customer Support in order to resolve an issue, have the 

following information available: 

• The date and time set on the device 

• The information presented on the Info screen 

• Device name 

• Network 

• Operating system version 

• Carrier configuration information 

• Device model number 

Include a detailed description of the problem that can be used to form the basis for 

steps to reproduce the issue. 

Application Installation Problems 

If the user cannot install the application, the problem is likely one of the following: 

• The user has an unsupported device. For a list of hardware requirements, see 

“System Requirements” on page 7. 

• The iPhone device does not have enough space to install the application. The user 

must free up some space on the device. See “System Requirements” on page 7. 

• A network failure occurred when the user attempted to download the application 

from the Apple App Store. Instruct the user to retry the download. 

Token Installation Problems 

If a user cannot receive a token on the iPhone device, the problem is likely described 

in one of the following sections. 

5: Troubleshooting 49


Application Is Not Installed 

If you send an e-mail message containing a hyperlink with the token before the user 

has installed the application, the token installation fails. Instruct the user to download 

and install the application from the Apple App Store before attempting to install a 

token. 

Errors Issuing the Token in RSA Authentication Manager 

Invalid Token 

File Password Errors 

Token Converter Errors 

Token installation problems can result from errors in issuing the token in 

Authentication Manager. For example: 

• The token is not intended for an iPhone device. If you issue tokens in 

RSA Authentication Manager 7.1, verify that you installed the iPhone 1.0 device 

definition file. Also verify that you selected “iPhone 1.0” as the device type when 

issuing tokens. 

• The token device binding is incorrect. For example, you may have entered an 

incorrect UDID when binding the token to a device. Correct the token device 

binding and reissue the token. 

• The token type is not supported (64-bit, SID). Reissue the token as a 128-bit 

(AES) token. 

• The death date of the token lifetime configured in Authentication Manager has 

passed. 

The user received an “Invalid Token” message. This can happen if the administrator 

makes an error when issuing the token in Authentication Manager. 

The user may not be able to complete the token installation due to errors in entering 

the token file password. For example: 

• The user forgot the token file password. The user must contact the administrator 

for the token file password. 

• The user received an “incorrect password” message. The user must enter the 

correct password. 

Errors in using the Token Converter may prevent a token from being converted 

properly. For example: 

• The token was not converted properly with the Token Converter utility. For 

example, you did not specify the -p password option when converting a 

password-protected token file or you did not specify the required -iphone option. 

• The SDTID file could not be converted properly with the Token Converter utility 

because the file contained double-byte characters in the UserFirstName, 

UserLastName, or UserLogin fields. For more information, see “Known Issues” 

in the RSA SecurID Software Token Converter 2.4 Readme. 

50 5: Troubleshooting


URL Format Errors 

The URL link containing the CT-KIP server information is not formatted correctly. 

Use the instructions in Chapter 3, “Provisioning Software Tokens.” 

E-mail Message Format Errors 

The e-mail message containing the hyperlink with the token data used the wrong 

message format. 



your default e-mail editor, and set the message format to HTML. 


Network Communication Errors 

The e-mail message containing the hyperlink with the token data did not reach the 

user’s device. This can happen in rare cases because of a network communication 

failure. Resend the e-mail. 

Authentication Problems 

If a user cannot authenticate with the SecurID token, the problem is likely described in 

one of the following sections. 

User Error 

The user may have made one of the following errors: 

• The user made too many failed logon attempts, causing the token to be disabled. 

Check the Authentication Manager logs. If the token is not disabled (or expired), 

ask the user to read you the current tokencode displayed on the device, and 

resynchronize the token with the Authentication Manager server. 

• The user has been issued a token that requires a PIN, and the user attempted to 

authenticate before creating the PIN. 

• The user entered an incorrect user name when logging on to a protected resource. 

• The user entered an incorrect PIN or entered the PIN in the wrong location. For 

example, the user may have entered the tokencode, followed by the PIN instead of 

entering the PIN, followed by the tokencode. 

Error Exporting Tokens in RSA Authentication Manager 6.1 

When issuing a token in RSA Authentication Manager 6.1, you chose to have multiple 

tokens exported in a single SDTID file. When you ran the Token Converter, it properly 

converted the first token in the file, but that token was intended for a different user, so 

the user’s attempt to authenticate failed. You must reissue the token, making sure that 

each SDTID file contains only one token. 

5: Troubleshooting 51


Time Synchronization Problem 

Expired Token 

The time on the iPhone device may be out of synchronization with the clock settings 

in Authentication Manager. Instruct the user to read you the time shown on the device. 

The user’s token may have expired. If this occurs, the application displays a “Token 

Expired” message. The user must contact the administrator to request a replacement 

token. 

Error Messages 

If the iPhone device displays any of the following error messages, the user must 

contact the administrator to request a replacement token: 

• Invalid URL. 

• Token install failed. 

• Error communicating with server. Token install failed. 

• Token not intended for this device. Token import failed. 

• Token expired. Request a replacement token. 

• Invalid token. 

52 5: Troubleshooting


Index 

A 

activation code 

generating, 25 

system-generated, 26 

application 

backing up, 46 

closing, 46 

installing, 12 

reinstalling, 46 

starting, 39 

application information, viewing, 45 

approving a self-service token request, 32 

authenticating in New PIN mode, 39 

authentication issues, troubleshooting, 51 

authentication procedure, 44 

authentication requirement 

planning, 15 

setting in RSA Authentication Manager 

6.1, 36 

setting in RSA Authentication Manager 

7.1, 22 

B 

backing up the application, 46 

binding a token, 24 

in RSA Authentication Manager 6.1, 36 

C 

clock settings, 9 

closing the application, 46 

Compressed Token Format, 33 

defined, 37 

illustrated, 33 

configurations, software token, 8 

configuring 

RSA Credential Manager, 28 

token record in RSA Authentication 

Manager 6.1, 35 

token record in RSA Authentication 


converted token 

delivering, 38 

required link format, 38 

converting a token file, 37 

creating PIN, 39 

for fob-style token, 43 

for PINPad-style token, 40 

Customer Support, contacting, 6 

D 

Database Administration application, 15, 35 

delivering token 

using Dynamic Seed Provisioning, 20, 

26 

device definition file, 21 

device identifier, 24, 36 

device type, 22 

DeviceSerialNumber field, 22 

device-specific attributes, 22 

Displayed Value field, 23 

documentation list, 5 

Dynamic Seed Provisioning, 19 


with RSA Credential Manager, 28 

E 

editing token extension data, 37 

e-mail message format requirements, 27, 38 

error messages, 52 

expiration date of token, 45 

exporting token file, 35 

F 

first-time authentication, 39 

Enter PIN screen, 40 

tokencode screen, 43 

fob-style software token, 17 

format of converted token URL 

hyperlink, 38 

G 

generating activation code, 25 

getting support, 6 

H 

help, viewing, 46 

helping users get started, 13 

I 

installation 

options, 12 

troubleshooting, 49 

installation application 


Index 53


installing application, 11 

directly, 12 

through sync, 12 

iPhone device definition file, 21 

L 

logging on to protected resource, 44 

N 

New PIN mode, 39 

fob-style token, 43 

PINPad-style token, 40 

Nickname field, 22 

O 

one-time password (OTP), 15 

overview, token provisioning, 19 

P 

passcode, 15, 16, 22, 23, 29 

PIN entry, show or mask, 46 

PIN requirement, 22 

PIN, creating, 39 

PINPad-style software token, 16, 23 

planning authentication requirement, 15 

pre-deployment tasks, 11 

provisioning prerequisites, 15 

provisioning token 

using Compressed Token Format, 33 

using Dynamic Seed Provisioning, 19 

R 

recover a token, 47 

reinstall the application, 47 

requesting a replacement token, 47 

requesting a token through RSA Self-Service 

Console, 30 

RSA Authentication Manager 

user authentication requirement, 22 

RSA Credential Manager, 28 

configuring, 28 

sample settings, 29 

RSA SecurID Software Token Converter, 37 

RSA Security Console, 15 

RSA Self-Service Console, 30 

S 

SDTID file format, 35 

selecting user authentication requirement 



self-service token, approving request for, 32 

serial number of token, 45 

service, getting support, 6 

show or mask PIN entry, 46 

software token 

binding to device in RSA Authentication 


binding to device in RSA Authentication 


device type, 22 

fob style, 17 

no PIN, 18 

PINPad style, 16, 23 

supported configurations, 8 

software token attributes 

supported in RSA Authentication 




starting the application, 39 

support and service, 6 

system requirements, 7 

system-generated activation code, 26 

T 

time synchronization, 9 

token attributes 





token extension data, editing, 37 

token file 

converting, 37 

exporting, 35 

token information, viewing, 45 

token installation, troubleshooting, 49 

token provisioning overview, 19 

token record 

configuring in RSA Authentication 


configuring in RSA Authentication 


token, binding in RSA Authentication 


tokencode, 23, 29 

requirement, 22 

type, 23 

54 Index


tokencode setting in RSA Authentication 


troubleshooting, 49 

U 

UDID (unique device identifier), 24, 36 

user authentication requirement 



V 

viewing application and token 

information, 45 

viewing application help, 46 

VPN, authenticating to, 44 

Index 55

RSA SecurID Software Token 1 - EMC Community Network

Create successful ePaper yourself

Delete template?

Save as template?