RSA SecurID Software Token 1 - EMC Community Network
RSA SecurID Software Token 1.0
for iPhone Devices
Administrator’s Guide
Updated, June 19, 2009

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement
This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by RSA.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Limit distribution of this document to trusted personnel.

© 2009 RSA Security Inc. All rights reserved.
June 2009

RSA SecurID Software Token 1.0 for iPhone Devices Administrator’s Guide

Contents

Preface
  About This Guide
  RSA SecurID Software Token Documentation
  Related Documentation
  Getting Support and Service
    Before You Call Customer Support
Chapter 1: System Requirements
  About RSA SecurID Software Token
  System Requirements
  Supported Software Token Configurations
  Clock Settings
Chapter 2: Installing the Application
  Performing Pre-Deployment Tasks
  Installation Overview
    Install the Application Directly to a Device
    Install the Application by Syncing It Through iTunes
  Quick Start for Users
Chapter 3: Provisioning Software Tokens
  Prerequisites
  Planning the RSA SecurID Authentication Requirement
    PINPad-Style Software Tokens
    Fob-Style Software Tokens
    Tokens That Do Not Require a PIN
  Provisioning Overview
  Provisioning Tokens Using Dynamic Seed Provisioning
    Add the iPhone 1.0 Device Definition File
    Configure the Software Token Record in RSA Authentication Manager 7.1
    Distribute the Token
  Delivering a Token Using Dynamic Seed Provisioning
    URL Link Format Requirements
    E-mail Message Format Requirements
    Create the URL Link
    Before You Deliver the Token
  Using RSA Credential Manager for Dynamic Seed Provisioning
    Configure RSA Credential Manager
    Request a Token Using the RSA Self-Service Console
    Approve the Request
  Provisioning Tokens Using Compressed Token Format
    Configure the Software Token Record in RSA Authentication Manager 6.1
    Convert the Token File
    Token Converter Output
    E-mail Message Format Requirements
    Create the URL Link
    Before You Deliver the Token
Chapter 4: Using the Application
  Before You Begin
  Start the Application
  Completing First-Time Authentication
    Complete First-Time Authentication (Enter PIN Screen)
    Complete First-Time Authentication (Tokencode Screen)
  Authenticate After the First Time
  Managing the Application
    View Application and Token Information
    Mask PIN Entry
    View Application Help
    Close the Application
    Back Up the Application
    Reinstall the Application and Recover Your Token
    Request a Replacement Token
    Uninstall the Application
Chapter 5: Troubleshooting
  Customer Support Information
  Application Installation Problems
  Token Installation Problems
    Application Is Not Installed
    Errors Issuing the Token in RSA Authentication Manager
    Invalid Token
    File Password Errors
    Token Converter Errors
    URL Format Errors
    E-mail Message Format Errors
    Network Communication Errors
  Authentication Problems
    User Error
    Error Exporting Tokens in RSA Authentication Manager 6.1
    Time Synchronization Problem
    Expired Token
  Error Messages
Index

Preface

About This Guide

This guide describes how to install and provision RSA SecurID Software Token (SecurID token application) for use with iPhone devices in an enterprise environment. It is intended for RSA Authentication Manager administrators and IT personnel who are responsible for deploying and administering the application. It assumes that these personnel have experience using RSA Authentication Manager. Do not make this guide available to the general user population.

RSA SecurID Software Token Documentation

For more information about the SecurID token application, see the following documentation:

Administrator’s Guide. (This guide.) Provides information for security administrators on deploying and provisioning the application.

Quick Start. Helps users install the application and install a software token. Also describes how to use a token to access resources protected by RSA SecurID.

Help. Describes procedures associated with the application screens. Users can open the Help file by tapping the Help (?) icon in the application.

Release Notes. Provides workarounds for known issues and includes other important information about the application. It is intended for administrators.

Related Documentation

For more information related to the SecurID token application, see the following:

RSA SecurID Software Token Converter 2.4 Readme. Describes how to convert a token exported as an SDTID file from XML format to a compressed format that can be delivered to an iPhone device.

RSA Authentication Manager 7.1 Administrator’s Guide. Provides information about how to administer users and security policy in RSA Authentication Manager 7.1.

RSA Security Console Help. Describes day-to-day administration tasks performed in the RSA Security Console used with RSA Authentication Manager 7.1. To view Help, click the Help tab in the Security Console.

RSA Authentication Manager 6.1 Administrator's Guide. Provides information about how to administer users and security policy in RSA Authentication Manager 6.1.

Database Administration application Help. Describes day-to-day administration tasks performed in the Database Administration application used with RSA Authentication Manager 6.1.

Getting Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.rsa.com/support
RSA Secured Partner Solutions Directory: www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news and software downloads.

Before You Call Customer Support

Make sure that you have direct access to the iPhone device running the software.

Please have the following information available when you call:
• Your RSA Customer/License ID.
• SecurID token application version number.
• The model of the iPhone device on which the problem occurs.
• The device operating system version under which the problem occurs.

1 System Requirements

This chapter introduces RSA SecurID Software Token (SecurID token application) and lists the system requirements and supported software token configurations.

About RSA SecurID Software Token

RSA SecurID Software Token is authentication software that transforms an iPhone into a SecurID authentication device. The application requires a software-based security token. SecurID software tokens generate one-time passwords (OTPs) at regular intervals. Users with supported iPhones can use the current OTP, along with other security information, to authenticate to resources protected by RSA SecurID. For example, with the application, users can gain access to Virtual Private Networks (VPNs) and web applications. The application ensures strong security in a single handheld application and eliminates the need for the user to carry a separate hardware token.

System Requirements

Make sure that you meet the following system requirements for installing and provisioning the application.
• An iPhone 3G running the latest RSA supported iPhone OS. For the latest supported version, see http://www.rsa.com/iphone.
• (Optional) A computer running Windows XP SP2, Windows Vista, or Mac OS X 10.4.10 or later with iTunes 7.7 or later installed.
• One of the following network authentication servers:
  – RSA Authentication Manager 6.1
  – RSA Authentication Manager 7.1
  – RSA SecurID Appliance 3.0
• (Optional) RSA Credential Manager, the self-service and provisioning component of RSA Authentication Manager 7.1.
• 2 MB available space on the iPhone device for the application.
• RSA SecurID Software Token Converter 2.4 running on Windows XP SP2, Windows Vista, or Red Hat Linux if you plan to provision software tokens using Compressed Token Format. For more information, see “Provisioning Tokens Using Compressed Token Format” on page 33.

Supported Software Token Configurations

You can provision each iPhone with one software token. You can issue tokens with the following attributes. For more information on setting token attributes, see “Provisioning Software Tokens” on page 15.

Note: You must issue 128-bit (AES) tokens. The SecurID token application does not support 64-bit (SID) tokens.

Token Attributes (table columns: RSA Authentication Manager 7.1, RSA Authentication Manager 6.1, RSA Credential Manager)
• 128-bit AES
• Time-based
• 8-digit tokencode
• 6-digit tokencode
• 60-second tokencode duration
• 30-second tokencode duration
• PINPad style tokens (PIN entry in the iPhone device)
• Fob-style tokens (PIN entry in the protected resource)
• Tokens that do not require a PIN (user authenticates with user name and tokencode)
• Token file password
• Unique device identifier (UDID), used to bind a token to the iPhone device

Clock Settings

The time, the time zone, and Daylight Saving Time must all be set correctly so that users can perform RSA SecurID authentication from their iPhones. Instruct users to verify the time settings on their iPhone devices before they install the application and periodically after installation to make sure that their settings are correct. If the clock settings on a user’s device change significantly, they will no longer be synchronized with the clock settings on the Authentication Manager host, and the user will not be able to be authenticated. Users who cross time zones with their devices need to change only the time zone in order to reflect the correct local time.

For information on iPhone date and time settings, see the iPhone User Guide for iPhone and iPhone 3G.

2 Installing the Application

This chapter provides an overview of installing RSA SecurID Software Token (SecurID token application) and provides suggestions for preparing users to install and use the application.

Performing Pre-Deployment Tasks

To prepare to deploy the application in your enterprise, complete the tasks in the following table.

| Task | See |
| 1. Download the application from the Apple App Store. | “Installation Overview” on page 11 |
| 2. Provision software tokens. | “Provisioning Software Tokens” on page 15 |
| 3. Instruct users on downloading the application and receiving a token. | “Quick Start for Users” on page 13 |

Installation Overview

The SecurID token application is available free of charge from the Apple App Store. The RSA web site provides the following web link, which you can use to direct users to the application: http://www.rsa.com/iphone. You can copy the link into an e-mail message and send it to users’ device e-mail program or to their computers. That way users do not have to search for the application in the App Store.

After the users have installed the application, you must provision their devices with a software token. For more information, see Chapter 3, “Provisioning Software Tokens.”

Users can install the application directly onto their iPhone device from the App Store. Or, they can launch the App Store in iTunes, download the application to their computer, and then sync it to the device. The following figure illustrates these two options.

Install the Application Directly to a Device

Use the following procedure to install the application directly onto your iPhone device from the App Store.

To install the application directly to an iPhone device:
1. Tap the App Store icon on your iPhone.
2. Browse the Business category and select RSA SecurID Token.
3. Enter your Apple ID or iTunes account credentials, as prompted.
   The device exits to the Home screen to display the download progress. When the download is complete, the application is available on the device.

Install the Application by Syncing It Through iTunes

Use the following procedure to download the application to your computer and install it onto your iPhone device through a sync.

To install the application through a sync:
1. Connect your iPhone to a USB port on your computer.
2. Launch the App Store in iTunes.
3. Browse the Business category and select RSA SecurID Token.
4. Download the application to your computer.
5. If prompted, authenticate with your Apple ID or iTunes account credentials.
6. Instruct iTunes to sync the application onto your device, and apply the changes.

Quick Start for Users

Deploying the SecurID token application affects the way that users access secure applications in the enterprise. RSA provides a Quick Start document in PDF format to help users install and use the application. The Quick Start contains instructions for:
• Downloading and installing the application
• Installing a software token
• Setting a PIN (if required) during the user’s first RSA SecurID authentication
• Using the application to log on to resources protected by RSA SecurID

The product documentation is located on the RSA web site at http://www.rsa.com/iPhone. RSA recommends that you download the documentation and e-mail the Quick Start to users.

After launching the application, users can access a Help file by tapping the Help (?) icon.

3 Provisioning Software Tokens

This chapter provides the key steps for issuing software tokens in RSA Authentication Manager and describes the supported methods for provisioning tokens for use with RSA SecurID Software Token (SecurID token application).

Prerequisites

Before provisioning tokens, you must:
• Understand how to issue software tokens in RSA Authentication Manager.
  – For RSA Authentication Manager 7.1 or RSA SecurID Appliance 3.0, use the RSA Security Console. For detailed instructions, see the RSA Security Console Help.
  – For RSA Authentication Manager 6.1, use the Database Administration application. For detailed instructions, see the Database Administration application Help.
• Issue 128-bit (AES) tokens. The application does not support 64-bit (SID) tokens.
• Plan your authentication requirement, as described in the following section.

Planning the RSA SecurID Authentication Requirement

RSA SecurID authentication normally requires using a PIN with the software token. The PIN and the tokencode displayed on the device form a passcode, which serves as the user’s one-time password (OTP). Entering a PIN in addition to the tokencode is known as two-factor authentication. The two factors are something you have (the token) and something you know (the PIN). Using two factors delivers a higher level of authentication assurance than using a single factor.

RSA Authentication Manager also supports tokens that do not require entering a PIN. If you issue this token type, the user authenticates with the currently displayed tokencode (something you have). This option is best used when a system other than RSA SecurID is responsible for managing the second factor (something you know), such as an existing user name and password. In this scenario, the first factor (user name/password) is validated by the external system and the second factor (tokencode) is validated by Authentication Manager.

With RSA Authentication Manager 7.1 and RSA SecurID Appliance 3.0, you can issue two types of software tokens that require a PIN: PINPad-style tokens and fob-style tokens. Each type offers strong two-factor authentication assurance. The SecurID token application recognizes the token type that is installed on the iPhone device and displays customized screens accordingly.

PINPad-Style Software Tokens

Note: All supported versions of Authentication Manager support PINPad-style software tokens.

If a PINPad-style token is installed on the user’s iPhone device, the application prompts the user to enter a PIN. The user types the PIN using the device keyboard and taps the right arrow button to submit it. The SecurID token application then displays an OTP, in this case a passcode formed from the PIN and the current tokencode. To authenticate, the user enters the OTP in the logon screen of the protected resource (for example, a VPN client application).

This authentication experience is similar to using an RSA SecurID PINPad-style hardware token, such as the SD520, where the user enters the PIN on the device’s numeric keypad and then enters the displayed OTP (passcode) in the protected resource. PINPad-style software tokens require a numeric PIN of 4 to 8 digits.

The following figure shows the user authentication experience.
<strong>RSA</strong> <strong>SecurID</strong> <strong>Software</strong> <strong>Token</strong> 1.0 for iPhone Devices Administrator’s Guide<br />
Fob-Style <strong>Software</strong> <strong>Token</strong>s<br />
Note: <strong>RSA</strong> Authentication Manager 7.1 and <strong>RSA</strong> <strong>SecurID</strong> Appliance 3.0 support<br />
fob-style software tokens. <strong>RSA</strong> Authentication Manager 6.1 does not support<br />
fob-style tokens.<br />
If a fob-style token is installed on the user’s iPhone device, the <strong>SecurID</strong> token<br />
application displays a tokencode. To authenticate, the user types the PIN in the logon<br />
screen of the protected resource, and then types the tokencode, without spaces, next to<br />
the PIN. The combination of the PIN and tokencode forms the OTP (passcode).<br />
This authentication experience is similar to using an <strong>RSA</strong> <strong>SecurID</strong> hardware fob, such<br />
as the SID700, where the user types the PIN in the protected resource, followed by the<br />
current tokencode displayed on the fob. Because many users are familiar with <strong>RSA</strong><br />
hardware fobs, issuing fob-style software tokens can simplify the transition from<br />
using a hardware fob to using a software token.<br />
Fob-style software tokens used with the application require a numeric PIN of 4 to 8 digits.<br />
The following figure shows the user authentication experience.<br />
<strong>Token</strong>s That Do Not Require a PIN<br />
Note: All supported versions of Authentication Manager support tokens that do not<br />
require a PIN.<br />
If the user has been issued a token that does not require a PIN, the <strong>SecurID</strong> token<br />
application displays a tokencode. To authenticate, the user types the current tokencode<br />
in the logon field of the protected resource.<br />
The following figure shows the user authentication experience.<br />
Provisioning Overview<br />
You can provision tokens for the application using Dynamic Seed Provisioning or<br />
using Compressed <strong>Token</strong> Format.<br />
<strong>RSA</strong> recommends that you use Dynamic Seed Provisioning with <strong>RSA</strong> Authentication<br />
Manager 7.1 or <strong>RSA</strong> <strong>SecurID</strong> Appliance 3.0. However, you can deliver tokens using<br />
Compressed <strong>Token</strong> Format if you prefer.<br />
If you use <strong>RSA</strong> Authentication Manager 6.1, you must use Compressed <strong>Token</strong><br />
Format, as version 6.1 does not support Dynamic Seed Provisioning.<br />
Use the information in the following table to become familiar with authentication<br />
server requirements for token provisioning, and then click the link to see more<br />
information on the provisioning method you plan to use.<br />
Provisioning Method | Server Requirement | See<br />
Dynamic Seed Provisioning | <strong>RSA</strong> Authentication Manager 7.1 or <strong>RSA</strong> <strong>SecurID</strong> Appliance 3.0 | “Provisioning <strong>Token</strong>s Using Dynamic Seed Provisioning” on page 19<br />
Dynamic Seed Provisioning | <strong>RSA</strong> Credential Manager | “Using <strong>RSA</strong> Credential Manager for Dynamic Seed Provisioning” on page 28<br />
Compressed <strong>Token</strong> Format | Required with <strong>RSA</strong> Authentication Manager 6.1. Also supported with <strong>RSA</strong> Authentication Manager 7.1 or <strong>RSA</strong> <strong>SecurID</strong> Appliance 3.0 | “Provisioning <strong>Token</strong>s Using Compressed <strong>Token</strong> Format” on page 33<br />
Provisioning <strong>Token</strong>s Using Dynamic Seed Provisioning<br />
Dynamic Seed Provisioning (also called Remote <strong>Token</strong> Key Generation) uses the<br />
<strong>RSA</strong> Cryptographic <strong>Token</strong> Key Initialization Protocol (CT-KIP) for the secure<br />
initialization and configuration of cryptographic tokens. When the protocol is<br />
executed, it results in the generation of the same shared secret on both the server and<br />
the token.<br />
To use Dynamic Seed Provisioning, you configure and issue a token in Authentication<br />
Manager, selecting CT-KIP as the distribution method. You must then format a URL<br />
link to the CT-KIP server and send an e-mail message containing the link to the<br />
user’s iPhone device. In the iPhone Mail program, the user taps the URL<br />
link to install the token.<br />
Dynamic Seed Provisioning requires a numeric or alphanumeric activation code<br />
generated in Authentication Manager to complete the token installation. You can<br />
include the token activation code as part of the URL link. If you prefer to deliver the<br />
activation code separately, through an out-of-band mechanism, you can omit the<br />
activation code from the link. In that case, the user must manually enter the activation<br />
code on the iPhone keyboard to complete the token installation. If the user forgets the<br />
activation code, you can communicate it again, and the user can tap the URL link<br />
again to retry.<br />
The figure below provides an overview of Dynamic Seed Provisioning, and the<br />
following sections describe the provisioning steps in detail.<br />
Dynamic Seed Provisioning requires <strong>RSA</strong> Authentication Manager 7.1 or<br />
<strong>RSA</strong> <strong>SecurID</strong> Appliance 3.0. The following table lists the provisioning steps, and the<br />
following sections describe each step.<br />
Task | See<br />
1. Add the iPhone device definition file to the Authentication Manager server. | “Add the iPhone 1.0 Device Definition File” on page 21<br />
2. Configure the software token record. | “Configure the <strong>Software</strong> <strong>Token</strong> Record in <strong>RSA</strong> Authentication Manager 7.1” on page 21<br />
3. Distribute the token. | “Distribute the <strong>Token</strong>” on page 25<br />
4. Deliver the token to the user’s iPhone device. | “Delivering a <strong>Token</strong> Using Dynamic Seed Provisioning” on page 26<br />
Add the iPhone 1.0 Device Definition File<br />
<strong>Software</strong> tokens issued using <strong>RSA</strong> Authentication Manager 7.1 or <strong>RSA</strong> <strong>SecurID</strong><br />
Appliance 3.0 must be associated with a device definition file. This is an XML file<br />
that specifies the supported capabilities and attributes of tokens used with the<br />
application. The device definition file specifies the supported tokencode length, type,<br />
and duration, as well as the attributes that you can use to bind a software token to a<br />
specific iPhone device. The iPhone 1.0 device definition file is included with the<br />
product documentation at http://www.rsa.com/iphone.<br />
Before you issue software tokens to use with the <strong>SecurID</strong> token application, you must<br />
add the device definition file to <strong>RSA</strong> Authentication Manager 7.1. This adds the<br />
iPhone 1.0 entry to the <strong>Software</strong> <strong>Token</strong> Device Type drop-down list on the Edit<br />
<strong>Token</strong> page. When you select iPhone 1.0 from the device type list, the page displays<br />
the software token attributes that you can configure. For more information, see the<br />
following section, “Configure the <strong>Software</strong> <strong>Token</strong> Record in <strong>RSA</strong> Authentication<br />
Manager 7.1.”<br />
To add the device definition file:<br />
1. Save the device definition file, iPhone-1.0-swtd.xml, provided in the installation<br />
kit to a folder on your computer.<br />
2. In the <strong>RSA</strong> Security Console, click Authentication > <strong>Software</strong> <strong>Token</strong> Device<br />
Types > Import <strong>Token</strong> Device Type.<br />
3. Click Browse to locate the iPhone 1.0 device definition file, and select the file.<br />
4. Click Submit.<br />
Configure the <strong>Software</strong> <strong>Token</strong> Record in <strong>RSA</strong> Authentication Manager 7.1<br />
This guide assumes that you have imported software tokens into Authentication<br />
Manager, assigned them to users, and are ready to configure them in the Security<br />
Console. The following sections highlight key steps for configuring token records for<br />
use with the <strong>SecurID</strong> token application. For more information on configuring token<br />
records, see the Security Console Help.<br />
Step 1: Access the Edit <strong>Token</strong> Page<br />
To access the Edit <strong>Token</strong> page:<br />
1. Log on to the Security Console.<br />
2. Click Authentication > <strong>SecurID</strong> <strong>Token</strong>s > Manage Existing.<br />
3. Select the token that you want to edit.<br />
4. Click the drop-down arrow next to the token serial number, and select Edit.<br />
Step 2: Select the User Authentication Requirement<br />
In the <strong>SecurID</strong> PIN Management section, do one of the following:<br />
• Select Require PIN during authentication if you want the user to authenticate<br />
with a passcode (PIN plus tokencode).<br />
• Select Do not require PIN (only tokencode) if you want the user to authenticate<br />
with a tokencode only (no PIN).<br />
Step 3: Select the <strong>Software</strong> <strong>Token</strong> Device Type<br />
From the <strong>Software</strong> <strong>Token</strong> Device Type drop-down list, select iPhone 1.0.<br />
Selecting the device type displays the Device Specific Attributes section, which lists<br />
the attributes that you can assign to tokens used with iPhone devices.<br />
If you want to bind the token to the user’s device, you enter the unique device<br />
identifier (UDID) for the device in the DeviceSerialNumber field. This ensures that<br />
the token can be installed only on the device for which it is intended. To obtain the<br />
UDID and bind the token, see “Step 5: Obtain the UDID for Binding the <strong>Token</strong>” on<br />
page 24 and “Step 6: Bind the <strong>Token</strong>” on page 25.<br />
You can optionally assign a nickname to the token in the Nickname field. However,<br />
the token nickname is not displayed in the application.<br />
Step 4: Select the <strong>Software</strong> <strong>Token</strong> Settings<br />
In the <strong>Software</strong> <strong>Token</strong> Settings section, select the software token settings. The<br />
following figure shows the settings available for the <strong>SecurID</strong> token application, and<br />
the table explains each setting.<br />
Option | Choices<br />
Displayed Value | Displayed Value options are available if you selected “Require PIN during authentication” as the user authentication requirement. If you selected “Do not require PIN (only tokencode),” the Displayed Value field automatically defaults to “<strong>Token</strong>code.” (In that case, the parenthetical text after the <strong>Token</strong>code option does not apply.) Select Passcode (PIN incorporated into tokencode) to issue a PINPad-style software token. Select <strong>Token</strong>code (PIN entered followed by tokencode during authentication) to issue a fob-style software token. For more information on these token types, see “Planning the <strong>RSA</strong> <strong>SecurID</strong> Authentication Requirement” on page 15.<br />
<strong>Token</strong>code Length | Select either 6-Digits or 8-Digits.<br />
<strong>Token</strong>code Type | Time Based is automatically selected, indicating that the tokencode changes at a regular interval. The application does not support event-based tokens.<br />
<strong>Token</strong>code Duration | Select either Display next tokencode every 30 seconds or Display next tokencode every 60 seconds.<br />
Step 5: Obtain the UDID for Binding the <strong>Token</strong><br />
For added security, <strong>RSA</strong> recommends that you bind the token to the unique device<br />
identifier (UDID) of the user’s iPhone device. The UDID consists of a sequence of 40<br />
letters and numbers that is device specific. Binding a token to a UDID associates it<br />
with a specific device and provides the means for verifying that the device is the<br />
correct destination for the token. If the user attempts to install the token on a different<br />
device, an error message is displayed, and the token is not installed.<br />
Before you can bind a token to a specific device, you must obtain the UDID from the<br />
user. The user can obtain the UDID from iTunes or from the Info screen in the<br />
installed <strong>SecurID</strong> token application. The user can then send you the UDID in a secure<br />
e-mail message.<br />
If you want users to obtain their UDIDs from iTunes, instruct them as follows.<br />
To obtain the UDID from iTunes:<br />
1. Launch iTunes and connect your iPhone.<br />
2. In the Summary tab in the right pane, locate the Serial Number field.<br />
3. Click Serial Number to reveal the Identifier field.<br />
This field displays the UDID.<br />
4. In the iTunes menu bar, select Edit > Copy to copy the UDID to your clipboard.<br />
5. In your e-mail program, select Edit > Paste to paste the UDID into an e-mail.<br />
6. Send the e-mail to your administrator.<br />
Step 6: Bind the <strong>Token</strong><br />
In the <strong>Software</strong> <strong>Token</strong> Device Type section, enter the UDID in the<br />
DeviceSerialNumber field, as shown in the following figure.<br />
Distribute the <strong>Token</strong><br />
After you configure the user’s software token record, you must specify the token<br />
distribution method and select an attribute to use for the token activation code. The<br />
activation code can contain a maximum of 40 numeric or alphanumeric characters.<br />
You can specify the UDID that you used to bind the token as the activation code. If<br />
you did not bind the token, Authentication Manager automatically generates an<br />
activation code.<br />
To distribute the token:<br />
1. In the Security Console, click Authentication > <strong>SecurID</strong> <strong>Token</strong>s > Manage<br />
Existing.<br />
2. Use the search fields to find the token that you want to distribute.<br />
3. From the search results, click the token that you want to distribute.<br />
4. From the Context menu, click Edit.<br />
5. From the <strong>Software</strong> <strong>Token</strong> Device Type drop-down menu, select iPhone 1.0 as<br />
the device type.<br />
6. Click Save & Distribute <strong>Token</strong>.<br />
7. In the Basics section, next to Distribution Method, select Generate CT-KIP<br />
Credentials for Web Download.<br />
8. Under Options, do one of the following:<br />
• If you bound the token to a UDID, and you want to use the UDID as the token<br />
activation code, select DeviceSerialNumber.<br />
• If you did not bind the token to the UDID, select System Generated Code.<br />
9. Click Next to save the configuration and view the token delivery details.<br />
Delivering a <strong>Token</strong> Using Dynamic Seed Provisioning<br />
To deliver a token using Dynamic Seed Provisioning, you send an e-mail message<br />
containing a specially formatted URL link to the user’s iPhone device. The user<br />
installs the token by tapping the URL link.<br />
If you include the activation code in the URL link, the user does not have to enter the<br />
activation code. If you deliver the activation code separately (for example, through<br />
internal corporate e-mail), the user is prompted to type the activation code in the<br />
<strong>SecurID</strong> token application to complete the token installation.<br />
If you use a self-signed certificate in your Authentication Manager CT-KIP<br />
deployment, the application displays a warning that the certificate is not trusted and<br />
prompts the user to accept or reject the certificate. To complete the token installation,<br />
the user must accept the certificate.<br />
URL Link Format Requirements<br />
The URL link must be in the format:<br />
com.rsa.securid.iphone://ctkip?url=https://customer_ctkip_server_url<br />
where customer_ctkip_server_url is your CT-KIP server-side URL.<br />
To include the activation code, append it to the string, as follows:<br />
com.rsa.securid.iphone://ctkip?url=https://customer_ctkip_server_url&activationCode=activation_code<br />
You can use either https or http protocol.<br />
The following example shows a properly formatted URL link that does not include an<br />
activation code:<br />
com.rsa.securid.iphone://ctkip?url=https://ctk-server123.yourco.com:7004/ctkip/services/CtkipService<br />
The following example shows a properly formatted URL link that includes an<br />
activation code:<br />
com.rsa.securid.iphone://ctkip?url=https://ctk-server123.yourco.com:7004/ctkip/services/CtkipService&activationCode=123456789012<br />
E-mail Message Format Requirements<br />
To deliver the token, you must send an e-mail message containing the formatted URL<br />
link to the user’s device. If you use Microsoft Outlook to create the link, under certain<br />
circumstances Microsoft Outlook inserts a slash character into the URL link that<br />
causes the <strong>SecurID</strong> token application to reject the token as invalid. To avoid this<br />
problem, set the message format as follows:<br />
• For Microsoft Outlook 2007, set the message format to Rich Text.<br />
• For Microsoft Outlook 2003, make sure that Microsoft Word is not selected as<br />
your default editor, and set the message format to HTML.<br />
• For e-mail clients other than Microsoft Outlook, set the message format to HTML.<br />
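The link format and the Outlook slash problem described above can both be checked before a message is sent. The following Python sketch is an added example, not RSA code: it builds a link in the documented format and validates the link as it appears in the composed message. The function names, the server-URL pattern (scheme, host, optional port, path) and the sample UDID are assumptions; the guide does not say where Outlook inserts the slash, so the check rejects any deviation from the format.

```python
"""Build and check CT-KIP delivery links in the format this guide documents."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINK_PREFIX = "com.rsa.securid.iphone://ctkip?url="  # from the guide
CODE_PARAM = "&activationCode="                       # from the guide
# Per the guide: at most 40 numeric or alphanumeric characters.
ACTIVATION_CODE_RE = re.compile(r"[A-Za-z0-9]{1,40}")
# Per the guide: a UDID is a sequence of 40 letters and numbers.
UDID_RE = re.compile(r"[A-Za-z0-9]{40}")
# Assumption: scheme://host[:port][/path], no trailing slash, query or fragment.
SERVER_URL_RE = re.compile(
    r"https?://[A-Za-z0-9.-]+(:\d{1,5})?(/[A-Za-z0-9._~-]+)*")


@dataclass
class LinkReport:
    ok: bool = False
    server_url: Optional[str] = None
    activation_code: Optional[str] = None
    errors: List[str] = field(default_factory=list)    # link breaks the format
    warnings: List[str] = field(default_factory=list)  # valid, review before sending


def build_link(server_url: str, activation_code: Optional[str] = None) -> str:
    """Return the delivery link; omit activation_code to send it out of band."""
    if not SERVER_URL_RE.fullmatch(server_url):
        raise ValueError("server URL is not scheme://host[:port]/path")
    link = LINK_PREFIX + server_url
    if activation_code is not None:
        if not ACTIVATION_CODE_RE.fullmatch(activation_code):
            raise ValueError("activation code must be 1-40 letters or digits")
        link += CODE_PARAM + activation_code
    return link


def check_link(link: str, udid_as_code: Optional[str] = None) -> LinkReport:
    """Check a link copied from the composed message (the hyperlink target).

    Pass udid_as_code when DeviceSerialNumber was selected as the activation
    code, so an embedded code can be compared with the bound UDID.
    """
    report = LinkReport()
    if any(ch.isspace() for ch in link):
        report.errors.append("whitespace or line break inside the link")
    if not link.startswith(LINK_PREFIX):
        report.errors.append("does not start with " + LINK_PREFIX)
        return report
    server_url, has_code, code = link[len(LINK_PREFIX):].partition(CODE_PARAM)
    if not SERVER_URL_RE.fullmatch(server_url):
        report.errors.append("malformed CT-KIP server URL: " + server_url)
    if has_code and not ACTIVATION_CODE_RE.fullmatch(code):
        report.errors.append("activation code is not 1-40 letters or digits")
    if udid_as_code is not None and not UDID_RE.fullmatch(udid_as_code):
        report.errors.append("UDID is not 40 letters or digits")
    if report.errors:
        return report
    report.ok, report.server_url = True, server_url
    report.activation_code = code if has_code else None
    if server_url.startswith("http://"):
        report.warnings.append("plain http: the link does not use TLS")
    if has_code:
        report.warnings.append(
            "activation code travels in the same message as the link")
        if udid_as_code is not None and code != udid_as_code:
            report.warnings.append("embedded code differs from the bound UDID")
    return report


def first_difference(expected: str, actual: str) -> int:
    """Index of the first differing character, or -1 if the strings match."""
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b:
            return i
    if len(expected) == len(actual):
        return -1
    return min(len(expected), len(actual))


if __name__ == "__main__":
    # Server URL and activation code are the guide's own example values.
    url = "https://ctk-server123.yourco.com:7004/ctkip/services/CtkipService"
    intended = build_link(url, "123456789012")
    pasted = intended + "/"  # constructed sample of a link altered by the mail client
    print(check_link(intended))
    print(check_link(pasted).errors, "at index", first_difference(intended, pasted))
```

Run `check_link` on the hyperlink target taken from the draft message rather than on the string you typed, since the alteration happens when the mail client stores the link.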
Create the URL Link<br />
To create the URL link:<br />
1. Compose a brief e-mail message, using text similar to the following in the<br />
message body:<br />
Tap this link to install your token. When done, delete<br />
this message.<br />
2. Select the text to use as the hyperlink, for example, “Tap this link,” and create a<br />
link to the URL that contains the token information.<br />
For detailed instructions, see the Help for your e-mail client.<br />
Before You Deliver the <strong>Token</strong><br />
After you have created the e-mail message with the URL link, you are ready to deliver<br />
the token to the user’s iPhone device. Before delivering the token:<br />
• Make sure that the user has installed the <strong>SecurID</strong> token application.<br />
• Provide the activation code to the user if you did not include it in the formatted<br />
URL link.<br />
• Instruct the user to delete the e-mail message containing CT-KIP server<br />
information as soon as the token has been installed. This measure helps prevent an<br />
unauthorized user who might have access to the device from wrongfully obtaining<br />
the token.<br />
Using <strong>RSA</strong> Credential Manager for Dynamic Seed Provisioning<br />
You can use <strong>RSA</strong> Credential Manager for Dynamic Seed Provisioning. Credential<br />
Manager is the self-service and provisioning component of <strong>RSA</strong> Authentication<br />
Manager 7.1 and shares the <strong>RSA</strong> Security Console. You can allow users to sign up to<br />
access the built-in Self-Service Console, where they can request a new token or a<br />
replacement token.<br />
To use Credential Manager for Dynamic Seed Provisioning, you must perform the<br />
tasks in the following table.<br />
Task | See<br />
1. Install the device definition file for iPhone. | “Add the iPhone 1.0 Device Definition File” on page 21<br />
2. Configure Credential Manager to allow users to request a token to use with the iPhone application. | “Configure <strong>RSA</strong> Credential Manager” on page 29<br />
3. Instruct users on making the proper selections when requesting a software token for iPhone through the Self-Service Console. | “Request a <strong>Token</strong> Using the <strong>RSA</strong> Self-Service Console” on page 30<br />
Configure <strong>RSA</strong> Credential Manager<br />
The following figure shows sample console configuration settings for the iPhone<br />
application. Use the following procedure to configure the settings you want.<br />
Note: Credential Manager does not support token configurations other than the<br />
standard settings (8-digit, 60-second, with or without a PIN). To issue tokens with<br />
other settings, including fob-style tokens, you must use <strong>RSA</strong> Authentication Manager.<br />
To configure Credential Manager to allow users to request a token:<br />
1. From the Credential Manager Home page, under <strong>Token</strong> Provisioning, click<br />
Manage <strong>Token</strong>s.<br />
2. On the Manage <strong>Token</strong>s page, under <strong>Software</strong> <strong>Token</strong> Types Available for<br />
Request, scroll to iPhone 1.0, and click Allow users to request iPhone 1.0<br />
software tokens.<br />
The Display Name, Image location, and Description fields are automatically<br />
populated and provide a display name, an application description, and an image to<br />
be displayed in the Self-Service Console.<br />
3. In the Require User to Authenticate With field, select the authentication<br />
requirement:<br />
• Select Passcode to provision a PINPad-style token.<br />
• Select <strong>Token</strong>code to provision a token that does not require a PIN.<br />
4. In the Supported <strong>Token</strong> Distribution Methods field, select Generate CT-KIP<br />
Credentials for Web Download.<br />
5. In the Client Application URL field, enter your server-side CT-KIP URL in the<br />
following format:<br />
com.rsa.securid.iphone://ctkip?url=https://customer_ctkip_server_url<br />
where customer_ctkip_server_url is your CT-KIP server-side URL.<br />
For example:<br />
com.rsa.securid.iphone://ctkip?url=https://ctk-server123.yourco.com:7004/ctkip/services/CtkipService<br />
Note: Because the setting for Client Application URL is the same for all<br />
users, you cannot include an activation code as part of the URL. Credential<br />
Manager automatically generates a different activation code for each user and<br />
delivers it in the e-mail that is sent to the user’s device when the token request<br />
is approved. The user is prompted to enter the activation code to complete the<br />
token installation.<br />
6. (Optional) To make iPhone the default token type for all token requests, select<br />
Make this token type the default option for all token requests.<br />
7. (Optional) In the Attribute Details field, select Allow users to edit token<br />
attribute details.<br />
Selecting this option allows the user to enter a device-specific attribute when<br />
requesting a token from the Self-Service Console. Instruct the user to enter the<br />
UDID associated with the device to bind the token to the device. The user can<br />
obtain the UDID from iTunes, as described in “To obtain the UDID from iTunes:”<br />
on page 24, or from the installed application.<br />
8. Select Save.<br />
Request a <strong>Token</strong> Using the <strong>RSA</strong> Self-Service Console<br />
Before a user can request a token using the <strong>RSA</strong> Self-Service Console, the user must<br />
request an account. After you have approved the account request, the user can create<br />
an account and request a token. Make sure that the user has obtained the UDID before<br />
requesting a token.<br />
To ensure that the user fills out the token request correctly, provide the following<br />
instructions.<br />
To request a software token using the <strong>RSA</strong> Self-Service Console:<br />
Note: You must know your device UDID before requesting a token.<br />
1. Log on to the Self-Service Console URL.<br />
2. In the My <strong>SecurID</strong> <strong>Token</strong>s section, click Request a <strong>Token</strong>.<br />
3. In the Request a <strong>Token</strong> drop-down box, select <strong>Software</strong>, and then select I need a<br />
specific software token.<br />
The <strong>Token</strong> Type section is displayed.<br />
4. In the <strong>Token</strong> Type section, scroll to and select iPhone_1.0.<br />
5. Under Provide Your <strong>Token</strong> Details, in the DeviceSerialNumber field, enter<br />
your device UDID.<br />
You must enter the UDID to ensure that the token you are requesting cannot be<br />
installed on another device.<br />
6. Under Create Your PIN, create and confirm a PIN for your token.<br />
This field is displayed if your administrator requires a PIN with your token.<br />
Memorize your PIN. If you forget your PIN, you can reset it using the<br />
Self-Service Console.<br />
7. In the Reason for <strong>Token</strong> Request box, enter the reason for your request. For<br />
example: “To access the corporate VPN from my iPhone.”<br />
8. Click Submit Request.<br />
Approve the Request<br />
After you approve the user’s request for a token, an e-mail message containing<br />
instructions for installing the token is sent automatically to the user’s device e-mail<br />
address. The message contains several hyperlinks. The user must tap the “Download<br />
the <strong>SecurID</strong> Application” link to install the token. To ensure that the user selects the<br />
correct link, you can enter administrator comments when you approve the user’s<br />
request, as shown in step 2 below. The comments become part of the e-mail message.<br />
To approve the request:<br />
1. In the Security Console, click Administration > Provisioning.<br />
2. In the Comment to User field, enter a comment similar to the following:<br />
Note: The “Download the <strong>SecurID</strong> Application” link contains the user’s<br />
token. It does not contain the <strong>SecurID</strong> token application.<br />
3. Click Approve Requests.<br />
The e-mail message sent to the user looks similar to the following figure:<br />
Provisioning <strong>Token</strong>s Using Compressed <strong>Token</strong> Format<br />
As an alternative to Dynamic Seed Provisioning, you can provision a token using<br />
Compressed <strong>Token</strong> Format. This provisioning method is required for organizations<br />
using <strong>RSA</strong> Authentication Manager 6.1.<br />
You first configure the token record in any supported version of Authentication<br />
Manager and issue it as an SDTID file. You then use the <strong>RSA</strong> <strong>SecurID</strong> <strong>Software</strong><br />
<strong>Token</strong> Converter 2.4 command line utility to convert the SDTID file from XML<br />
format to an 81-digit numeric string and output a text file that contains the numeric<br />
string appended to a specially formatted URL link. You send the URL link to the<br />
user’s device in an e-mail message. The user opens the iPhone Mail program and taps<br />
the URL link to install the token.<br />
If you password protect the token in Authentication Manager, the user must enter the<br />
password to complete the process. If the user forgets the password, you can<br />
communicate it again, and the user can tap the hyperlink again to retry. Once the user<br />
correctly enters the password, the password is not used again.<br />
The following figure shows token provisioning using Compressed <strong>Token</strong> Format.<br />
Provisioning tokens using Compressed <strong>Token</strong> Format involves the following steps,<br />
which are detailed in the following associated sections.<br />
Task | See<br />
1. Configure the software token record and generate the token file (SDTID file). | “Configure the <strong>Software</strong> <strong>Token</strong> Record in <strong>RSA</strong> Authentication Manager 6.1” on page 34<br />
2. Convert the token file to Compressed <strong>Token</strong> Format. | “Convert the <strong>Token</strong> File” on page 37<br />
3. Set the e-mail message format. | “E-mail Message Format Requirements” on page 38<br />
Configure the <strong>Software</strong> <strong>Token</strong> Record in <strong>RSA</strong> Authentication Manager 6.1<br />
This section highlights key steps in using <strong>RSA</strong> Authentication Manager 6.1 to<br />
configure token records for use with the <strong>SecurID</strong> token application. For more<br />
information, see the Database Administration application Help.<br />
Note: To configure a token record in <strong>RSA</strong> Authentication Manager 7.1, see<br />
“Configure the <strong>Software</strong> <strong>Token</strong> Record in <strong>RSA</strong> Authentication Manager 7.1” on<br />
page 21.<br />
<strong>RSA</strong> Authentication Manager 6.1 supports the following software token<br />
characteristics:<br />
• 8-digit tokencode length<br />
• 60-second, time-based tokencode<br />
• Passcode authentication (PIN plus tokencode)<br />
• <strong>Token</strong>code authentication (no PIN required)<br />
Note: <strong>RSA</strong> Authentication Manager 6.1 does not support fob-style tokens (PIN entry<br />
in protected resource).<br />
To configure a token record in <strong>RSA</strong> Authentication Manager 6.1:<br />
1. Open the Database Administration application, and select <strong>Token</strong>s > Issue<br />
<strong>Software</strong> <strong>Token</strong>s.<br />
2. Accept the default algorithm (AES SDTID 3.0).<br />
3. Under Options, leave Enable Copy Protection selected, and select Edit<br />
Extension Data.<br />
4. If you want to protect the token file with a password, select Password Protect,<br />
and then enter and confirm a static password of up to 24 case-sensitive characters,<br />
or select another password protection option. For information on other password<br />
protection options, click the Help button at the bottom right of the screen.<br />
5. Under Output, in the Target Directory field, browse to the directory on your<br />
system to which you want the token file to be exported.<br />
6. Under Output, select One <strong>Token</strong> Per File.<br />
7. Click Next, and select One user.<br />
8. Click Next, and select the user for whom you want to issue the token. Click OK,<br />
and then click Next.<br />
9. Do one of the following:<br />
• To require passcode authentication, leave Do not change selected or select<br />
User authenticates with passcode.<br />
• To issue a token that does not require a PIN, select User authenticates with<br />
tokencode only.<br />
10. Click Next, and then click Yes.<br />
The Edit <strong>Token</strong> Extension Data screen opens. Use the instructions in the following<br />
section to bind the token to the user’s iPhone device.<br />
Bind the <strong>Token</strong> to a Device<br />
For added security, <strong>RSA</strong> recommends that you bind the token to the UDID of the<br />
user’s device. The UDID consists of a sequence of 40 letters and numbers that is<br />
device specific. Binding a token to a UDID associates it with a specific device and<br />
provides the means for verifying that the device is the correct destination for the<br />
token. If the user attempts to install the token on a different device, an error message is<br />
displayed, and the token is not installed. The user must contact the administrator to<br />
request a token.<br />
Before you bind a token, you must obtain the UDID from the user. The user can copy<br />
the UDID from iTunes and paste it into an e-mail message. Alternatively, the user can<br />
obtain the UDID from the Info screen in the <strong>SecurID</strong> token application.<br />
Note: If you want users to obtain their UDID from iTunes, see “To obtain the UDID<br />
from iTunes:” on page 24.<br />
To bind a token to a device:<br />
1. In the Key field, enter DeviceSerialNumber.<br />
2. In the Data field, enter the UDID.<br />
3. Click Save, and click Exit.<br />
The result should look similar to the following figure.<br />
Convert the <strong>Token</strong> File<br />
After issuing the token file (SDTID file), you must convert it to a format that can be<br />
installed on the device. This requires using the <strong>RSA</strong> <strong>SecurID</strong> <strong>Software</strong> <strong>Token</strong><br />
Converter. The <strong>Token</strong> Converter is a free command line utility that converts a<br />
software token record that has been issued as an SDTID file from XML format to a<br />
Compressed <strong>Token</strong> Format consisting of an 81-digit string.<br />
To convert a token file (SDTID file):<br />
1. Download the <strong>RSA</strong> <strong>SecurID</strong> <strong>Software</strong> <strong>Token</strong> Converter 2.4 from<br />
http://www.rsa.com/node.aspx?id=1313.<br />
2. Follow the instructions in the <strong>Token</strong> Converter Readme, making sure to observe<br />
the following requirements:<br />
• Convert only one token file at a time. You cannot convert multiple token files<br />
at a time.<br />
• Use the -iphone option to specify that the output of the <strong>Token</strong> Converter will<br />
be a specially formatted hyperlink (URL) containing the converted token. You<br />
must deliver the hyperlink to the user’s iPhone device in an e-mail message,<br />
as described in “E-mail Message Format Requirements” on page 38.<br />
• Use the -o filename option to output the hyperlink containing the converted<br />
token to a text file that you can send to the user. If you do not use the -o<br />
option, the output is written to the screen.<br />
• Use the -p password option if you password protected the token file in<br />
Authentication Manager.<br />
• Do not use the -f option. This application ignores the -f option.<br />
• You do not need to use the -v option. When you use the -iphone option, the -v 2 option is implemented automatically.<br />
<strong>Token</strong> Converter Output<br />
When you convert a token using the -iphone and -o filename options, the output is a<br />
text file containing a specially formatted URL link that contains token data. The link<br />
format signals the device that the link contains data relevant to the application.<br />
The URL link will look similar to the following example.<br />
com.rsa.securid.iphone://ctf?ctfData=002068164631360111704327744610766317206477164632456201026172002115044627167126500<br />
E-mail Message Format Requirements<br />
To deliver the token, you must send an e-mail message containing the formatted URL<br />
link to the user’s device. If you use Microsoft Outlook to create the link, under certain<br />
circumstances Microsoft Outlook inserts a slash character into the URL link that<br />
causes the <strong>SecurID</strong> token application to reject the token as invalid. To avoid this<br />
problem, set the message format as follows:<br />
• For Microsoft Outlook 2007, set the message format to Rich Text.<br />
• For Microsoft Outlook 2003, make sure that Microsoft Word is not selected as<br />
your default editor, and set the message format to HTML.<br />
• For e-mail clients other than Microsoft Outlook, set the message format to HTML.<br />
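A pre-send check for the link, added here as an illustration (it is not RSA code and not part of the Token Converter): it verifies the scheme, the 81-digit payload, and the absence of the stray slash or line wrap that makes the application reject the token, and it masks the token digits for logging. The function names are hypothetical, and the slash position in the constructed sample is an assumption, since the guide does not say where Outlook inserts it.

```python
import re

SCHEME = "com.rsa.securid.iphone://"   # URL scheme shown in the guide's example link
QUERY = "ctf?ctfData="                 # component that precedes the token data
CTF_LEN = 81                           # Compressed Token Format length stated in the guide

# The example link printed in the guide, rejoined into one line.
GUIDE_EXAMPLE = (
    SCHEME + QUERY
    + "00206816463136011170432"
    + "7744610766317206477164632456201026172002115044627167126500"
)


def check_ctf_link(raw):
    """Return a list of problems with a provisioning link; an empty list means well formed."""
    problems = []
    link = "".join(raw.split())        # rejoin a link that was wrapped or padded
    if link != raw.strip():
        problems.append("whitespace or line break inside the link")
    if not link.startswith(SCHEME):
        return problems + ["link does not start with " + SCHEME]
    rest = link[len(SCHEME):]
    if "/" in rest:
        # The guide warns that Outlook can insert a slash that invalidates the token link.
        problems.append("extra slash after the scheme")
        rest = rest.replace("/", "")   # keep checking the remaining parts
    if not rest.startswith(QUERY):
        return problems + ["missing " + QUERY]
    data = rest[len(QUERY):]
    if not re.fullmatch(r"[0-9]*", data):
        problems.append("token data contains non-digit characters")
    elif len(data) != CTF_LEN:
        problems.append("token data has %d digits, expected %d" % (len(data), CTF_LEN))
    return problems


def redact(raw):
    """Return a loggable form of the link with the token data masked."""
    link = "".join(raw.split())
    head, sep, data = link.partition("ctfData=")
    if not sep:
        return "<unrecognized link redacted>"
    return head + sep + "<%d characters redacted>" % len(data)


def check_udid(udid):
    """True when the value is 40 letters and digits, the UDID shape the guide describes."""
    return re.fullmatch(r"[0-9A-Za-z]{40}", udid.strip()) is not None


if __name__ == "__main__":
    # Constructed samples derived from the guide's example link.
    samples = {
        "as printed": GUIDE_EXAMPLE,
        "wrapped by editor": GUIDE_EXAMPLE[:60] + "\n" + GUIDE_EXAMPLE[60:],
        "slash inserted": GUIDE_EXAMPLE.replace("ctf?", "ctf/?"),
        "last digit lost": GUIDE_EXAMPLE[:-1],
    }
    for name, text in samples.items():
        print("%-18s %s  %s" % (name, check_ctf_link(text) or "ok", redact(text)))
```

Run it against the text file written by the -o option before pasting the link into the message, and log only the redacted form.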
Create the URL Link<br />
To create the URL link:<br />
1. Compose a brief e-mail message, using text similar to the following in the<br />
message body:<br />
Tap this link to install your token. When done, delete<br />
this message.<br />
2. Select the text to use as the hyperlink, for example, “Tap this link,” and create a<br />
link to the URL that contains the token information.<br />
For detailed instructions, see the Help for your e-mail client.<br />
Before You Deliver the <strong>Token</strong><br />
After you have created the e-mail message with the URL link, you are ready to deliver<br />
the token to the user’s iPhone device. Before delivering the token:<br />
• Make sure that the user has installed the <strong>SecurID</strong> token application.<br />
• If you protected the token with a password, provide the password to the user.<br />
• Instruct the user to delete the e-mail containing the token data as soon as the token<br />
has been installed. This measure helps prevent an unauthorized user who might<br />
have access to the device from wrongfully obtaining the token.<br />
4 Using the Application<br />
This chapter contains information for users on how to use <strong>RSA</strong> <strong>SecurID</strong> <strong>Software</strong><br />
<strong>Token</strong> (<strong>SecurID</strong> token application), and contains information about managing the<br />
application.<br />
Before You Begin<br />
Verify the following before attempting to use the application.<br />
Before starting the <strong>SecurID</strong> token application:<br />
1. Verify that the iPhone device is configured to allow additional applications to be<br />
executed.<br />
2. Ensure that a token has been installed on the device.<br />
Start the Application<br />
When you start the application, the screen displayed depends on the type of token<br />
installed on your iPhone device.<br />
To start the application:<br />
On your iPhone device, tap the <strong>RSA</strong> <strong>SecurID</strong> application icon.<br />
If you were issued a PINPad-style software token, the application displays the Enter<br />
PIN screen.<br />
If you were issued a fob-style software token or a token that does not require a PIN,<br />
the application displays the <strong>Token</strong>code screen. A tokencode is displayed for either 60<br />
seconds or 30 seconds, depending on the token configuration. The screen displays the<br />
number of seconds remaining before the tokencode changes.<br />
Completing First-Time Authentication<br />
Note: If you were issued a token that does not require a PIN, skip this section and go<br />
to “Authenticate After the First Time” on page 44.<br />
If the token you were issued requires a PIN, you are normally required to set up your<br />
PIN the first time that you use the token to authenticate when accessing a protected<br />
resource. In the examples shown in the following sections, the protected resource is a<br />
VPN client that resides on the computer.<br />
When you start the <strong>SecurID</strong> token application, the application recognizes the token<br />
type stored on your iPhone device and presents the appropriate screen.<br />
• If your device displays the Enter PIN screen, follow the instructions in the<br />
following section, “Complete First-Time Authentication (Enter PIN Screen).”<br />
• If your device displays the <strong>Token</strong>code screen, follow the instructions in<br />
“Complete First-Time Authentication (<strong>Token</strong>code Screen)” on page 43.<br />
Complete First-Time Authentication (Enter PIN Screen)<br />
Use the following procedure if the <strong>SecurID</strong> token application on your iPhone displays<br />
the Enter PIN screen.<br />
To complete your first <strong>SecurID</strong> authentication:<br />
1. On your computer, connect to your VPN client.<br />
2. Enter your user name, and leave the logon screen open.<br />
3. On your iPhone, leave the Enter PIN field blank, and tap the right arrow button.<br />
A tokencode is displayed.<br />
4. In the VPN client logon screen, in the Passcode field, enter the tokencode from<br />
your device, without spaces.<br />
You are prompted to create a PIN. Your PIN must contain four to eight digits, and<br />
it cannot begin with a zero. Be sure to memorize your PIN.<br />
5. Enter and confirm your new PIN.<br />
You are prompted for a passcode.<br />
6. On your iPhone, tap the left arrow button located at the top left of the <strong>Token</strong>code<br />
screen to return to the Enter PIN screen.<br />
7. Enter your newly created PIN, and tap the right arrow button.<br />
A passcode is displayed.<br />
8. In the VPN client logon screen, in the Passcode field, enter the passcode, without<br />
spaces. Click OK.<br />
Complete First-Time Authentication (<strong>Token</strong>code Screen)<br />
Use the following procedure if the <strong>SecurID</strong> token application on your iPhone displays<br />
the <strong>Token</strong>code screen.<br />
To complete your first <strong>SecurID</strong> authentication:<br />
1. On your computer, connect to your VPN client.<br />
2. Enter your user name.<br />
3. In your VPN client, in the Passcode field, enter the tokencode from your device,<br />
without spaces.<br />
You will now be prompted to create a PIN. Your PIN must contain four to eight<br />
digits. Be sure to memorize your PIN.<br />
4. Enter and confirm your new PIN.<br />
You are prompted for a passcode.<br />
5. On your iPhone, wait for the tokencode to change.<br />
The application displays the time remaining before the code changes.<br />
6. When the tokencode changes, return to the VPN client logon screen. In the<br />
Passcode field, enter your newly created PIN, followed immediately by the<br />
tokencode that is displayed by the <strong>SecurID</strong> token application. Click OK.<br />
Authenticate After the First Time<br />
Use the following procedure to log on to a protected resource after you have created a<br />
PIN or if your token does not require a PIN. The resource protected by <strong>SecurID</strong> may<br />
reside on your computer, or you may be able to access it from your device. In the<br />
following example, the protected resource is a VPN client that resides on your<br />
computer.<br />
To log on to a protected resource:<br />
1. On your computer, open the protected resource, for example, connect to your<br />
VPN client.<br />
2. Enter your user name, and leave the logon screen open.<br />
3. On your iPhone, start the <strong>SecurID</strong> token application.<br />
4. Do one of the following:<br />
• If the application displays the Enter PIN screen, enter your PIN, and tap OK.<br />
The application displays a passcode. In the VPN client, in the Passcode field,<br />
enter the passcode, without spaces. Click OK.<br />
• If the application displays a tokencode, and your token requires a PIN, in the<br />
VPN client, in the Passcode field, enter your PIN, immediately followed by<br />
the tokencode displayed by the <strong>SecurID</strong> token application. Click OK.<br />
• If your token does not require a PIN, in the VPN client, in the Passcode field,<br />
enter the tokencode displayed by the <strong>SecurID</strong> token application, without<br />
spaces. Click OK.<br />
Managing the Application<br />
This section describes application features and tasks that you may need to perform.<br />
View Application and <strong>Token</strong> Information<br />
You can view information about the application and the installed token on the Info<br />
screen. To view information, tap the Information (i) icon.<br />
Field | Description<br />
Application Version | The version of <strong>RSA</strong> <strong>SecurID</strong> <strong>Software</strong> <strong>Token</strong>.<br />
UDID | The unique device identifier of the iPhone. Used to bind the token to the device.<br />
Mask PIN Entry | Allows the user to mask the PIN or show the PIN as it is being entered. The default is ON (mask PIN).<br />
GMT | Displays the current Greenwich Mean Time. For more information, see “Clock Settings” on page 9.<br />
Serial Number | The serial number that identifies the token to <strong>RSA</strong> Authentication Manager.<br />
Expiration Date | Date when the installed token will expire. The date appears in the regional format that the user has selected for the device. <strong>Software</strong> tokens expire on the expiration date at 00:00:01.<br />
Mask PIN Entry<br />
By default, when you enter your PIN in the application, the entry is masked (displayed<br />
as bullet symbols).<br />
To display the PIN as readable numbers:<br />
Tap the Information (i) icon and, under Settings, tap OFF.<br />
View Application Help<br />
To view the Help file associated with the application:<br />
Tap the question mark icon (?) in the application.<br />
Close the Application<br />
To close the application:<br />
Press the Home button.<br />
Back Up the Application<br />
You may want to perform both a sync and a backup through iTunes as soon as you<br />
install a token on your device. By doing so, you ensure that you will be able to recover<br />
your token in case you delete the <strong>SecurID</strong> token application from your device in the<br />
future.<br />
Use the following procedure to create a backup that iTunes will not overwrite.<br />
To back up the application:<br />
1. Connect your iPhone device to the computer that you normally sync with.<br />
2. In iTunes, select your device in the sidebar, and click the Summary tab in the<br />
window to the right.<br />
3. From the Summary screen, select Restore.<br />
4. Click Back Up (this creates a backup of all data on your device).<br />
Note: If you are not prompted to back up your device before the next step,<br />
select Cancel, disconnect your device, and go back to step 1.<br />
5. Click Restore (this erases all data on your device).<br />
6. On the Set Up Your iPhone screen, select Restore from the backup of, and then<br />
select the backup that features the date and time when this restore process was<br />
started. Record this backup date and time, because you will use it in the future to<br />
recover your token.<br />
7. Right-click your device from the sidebar, and select Sync.<br />
Reinstall the Application and Recover Your <strong>Token</strong><br />
If you remove the <strong>SecurID</strong> token application after performing both a sync and a<br />
backup, you can use the following procedure to reinstall the application and recover<br />
your token. However, doing so will cause you to lose any changes that you have made<br />
on your device since creating your backup.<br />
To reinstall the application and recover your token:<br />
1. Connect your iPhone device to the computer that you normally sync with.<br />
2. In iTunes, select your device in the sidebar, and click the Summary tab in the<br />
window to the right.<br />
3. From the Summary screen, select Restore.<br />
4. Click Back Up (this creates a backup of all data on your device).<br />
Note: If you are not prompted to back up your device before the next step,<br />
select Cancel, disconnect your device, and go back to step 1.<br />
5. Click Restore (this erases all data on your device).<br />
6. On the Set Up Your iPhone screen, select Restore from the backup of, and then<br />
select the backup that you recorded in the preceding procedure, “To back up the<br />
application:.”<br />
7. Right-click your device from the sidebar, and select Sync.<br />
For more information, go to http://support.apple.com/kb/HT1766.<br />
Request a Replacement <strong>Token</strong><br />
Normally, you do not need to replace the software token stored on your iPhone device.<br />
However, you must request a replacement token if your token expires or if instructed<br />
to do so by your administrator. When a token expires, the application displays a<br />
“<strong>Token</strong> expired” message on the Passcode or <strong>Token</strong>code screen.<br />
<strong>Token</strong> expiration occurs at the first second of the token death date in Coordinated<br />
Universal Time (UTC). That is, at 12:00:01 a.m. UTC on the death date, a token will<br />
cease generating valid OTPs.<br />
When you install a replacement token, your original token is removed. You cannot<br />
delete a token from your device manually.<br />
To request a replacement token:<br />
Do one of the following:<br />
• If your administrator issued your original token, contact your administrator to<br />
request a replacement token.<br />
• If you requested your original token using the <strong>RSA</strong> Self-Service Console, access<br />
the Self-Service Console to request a replacement token.<br />
Uninstall the Application<br />
You can uninstall the <strong>SecurID</strong> token application from your iPhone device and from<br />
iTunes. Uninstalling the application from your device does not remove it from your<br />
iTunes library. If you uninstall the application from iTunes but not from the device,<br />
and then you sync, the application will still be available on the device. This section<br />
describes how to permanently uninstall the application from both your device and<br />
iTunes.<br />
To uninstall the application from the device:<br />
1. Touch and hold any application icon on the Home screen until the icons start to<br />
wiggle.<br />
2. Tap the “x” in the corner of the <strong>RSA</strong> <strong>SecurID</strong> application.<br />
3. Tap Delete, and press the Home button.<br />
Note: The next time you sync your iPhone device, if the application reappears<br />
on your device, it is probably because you set your synchronization setting to<br />
All Applications. To ensure that the application does not reappear on your<br />
device, change this setting to Selected Applications.<br />
To uninstall the application from iTunes:<br />
1. In iTunes, select the Applications content area, and right-click the <strong>RSA</strong> <strong>SecurID</strong><br />
<strong>Token</strong> application.<br />
2. Click Delete.<br />
3. When asked if you are sure you want to remove the application from your library,<br />
click Remove.<br />
4. When asked whether you want to move the application to the trash or keep it in<br />
the Mobile Applications folder, click Move to Trash.<br />
The application is removed from your iTunes library.<br />
5. Connect your iPhone device to your computer. If you have not manually deleted<br />
the application from your iPhone, you are asked if you want to transfer the item<br />
from your iPhone back to your iTunes library. Click Don’t Transfer.<br />
5 Troubleshooting<br />
This chapter describes issues that might occur with <strong>RSA</strong> <strong>SecurID</strong> <strong>Software</strong> <strong>Token</strong><br />
(<strong>SecurID</strong> token application), and their corresponding solutions.<br />
Customer Support Information<br />
If you need to contact <strong>RSA</strong> Customer Support in order to resolve an issue, have the<br />
following information available:<br />
• The date and time set on the device<br />
• The information presented on the Info screen<br />
• Device name<br />
• <strong>Network</strong><br />
• Operating system version<br />
• Carrier configuration information<br />
• Device model number<br />
Include a detailed description of the problem that can be used to form the basis for<br />
steps to reproduce the issue.<br />
Application Installation Problems<br />
If the user cannot install the application, the problem is likely one of the following:<br />
• The user has an unsupported device. For a list of hardware requirements, see<br />
“System Requirements” on page 7.<br />
• The iPhone device does not have enough space to install the application. The user<br />
must free up some space on the device. See “System Requirements” on page 7.<br />
• A network failure occurred when the user attempted to download the application<br />
from the Apple App Store. Instruct the user to retry the download.<br />
<strong>Token</strong> Installation Problems<br />
If a user cannot receive a token on the iPhone device, the problem is likely described<br />
in one of the following sections.<br />
Application Is Not Installed<br />
If you send an e-mail message containing a hyperlink with the token before the user<br />
has installed the application, the token installation fails. Instruct the user to download<br />
and install the application from the Apple App Store before attempting to install a<br />
token.<br />
Errors Issuing the <strong>Token</strong> in <strong>RSA</strong> Authentication Manager<br />
<strong>Token</strong> installation problems can result from errors in issuing the token in<br />
Authentication Manager. For example:<br />
• The token is not intended for an iPhone device. If you issue tokens in<br />
<strong>RSA</strong> Authentication Manager 7.1, verify that you installed the iPhone 1.0 device<br />
definition file. Also verify that you selected “iPhone 1.0” as the device type when<br />
issuing tokens.<br />
• The token device binding is incorrect. For example, you may have entered an<br />
incorrect UDID when binding the token to a device. Correct the token device<br />
binding and reissue the token.<br />
• The token type is not supported (64-bit, SID). Reissue the token as a 128-bit<br />
(AES) token.<br />
• The death date of the token lifetime configured in Authentication Manager has<br />
passed.<br />
Invalid <strong>Token</strong><br />
The user received an “Invalid <strong>Token</strong>” message. This can happen if the administrator<br />
makes an error when issuing the token in Authentication Manager.<br />
File Password Errors<br />
The user may not be able to complete the token installation due to errors in entering<br />
the token file password. For example:<br />
• The user forgot the token file password. The user must contact the administrator<br />
for the token file password.<br />
• The user received an “incorrect password” message. The user must enter the<br />
correct password.<br />
<strong>Token</strong> Converter Errors<br />
Errors in using the <strong>Token</strong> Converter may prevent a token from being converted<br />
properly. For example:<br />
• The token was not converted properly with the <strong>Token</strong> Converter utility. For<br />
example, you did not specify the -p password option when converting a<br />
password-protected token file or you did not specify the required -iphone option.<br />
• The SDTID file could not be converted properly with the <strong>Token</strong> Converter utility<br />
because the file contained double-byte characters in the UserFirstName,<br />
UserLastName, or UserLogin fields. For more information, see “Known Issues”<br />
in the <strong>RSA</strong> <strong>SecurID</strong> <strong>Software</strong> <strong>Token</strong> Converter 2.4 Readme.<br />
URL Format Errors<br />
The URL link containing the CT-KIP server information is not formatted correctly.<br />
Use the instructions in Chapter 3, “Provisioning <strong>Software</strong> <strong>Token</strong>s.”<br />
E-mail Message Format Errors<br />
The e-mail message containing the hyperlink with the token data used the wrong<br />
message format.<br />
• For Microsoft Outlook 2007, set the message format to Rich Text.<br />
• For Microsoft Outlook 2003, make sure that Microsoft Word is not selected as<br />
your default e-mail editor, and set the message format to HTML.<br />
• For e-mail clients other than Microsoft Outlook, set the message format to HTML.<br />
<strong>Network</strong> Communication Errors<br />
The e-mail message containing the hyperlink with the token data did not reach the<br />
user’s device. This can happen in rare cases because of a network communication<br />
failure. Resend the e-mail.<br />
Authentication Problems<br />
If a user cannot authenticate with the <strong>SecurID</strong> token, the problem is likely described in<br />
one of the following sections.<br />
User Error<br />
The user may have made one of the following errors:<br />
• The user made too many failed logon attempts, causing the token to be disabled.<br />
Check the Authentication Manager logs. If the token is not disabled (or expired),<br />
ask the user to read you the current tokencode displayed on the device, and<br />
resynchronize the token with the Authentication Manager server.<br />
• The user has been issued a token that requires a PIN, and the user attempted to<br />
authenticate before creating the PIN.<br />
• The user entered an incorrect user name when logging on to a protected resource.<br />
• The user entered an incorrect PIN or entered the PIN in the wrong location. For<br />
example, the user may have entered the tokencode, followed by the PIN instead of<br />
entering the PIN, followed by the tokencode.<br />
Error Exporting <strong>Token</strong>s in <strong>RSA</strong> Authentication Manager 6.1<br />
When issuing a token in <strong>RSA</strong> Authentication Manager 6.1, you chose to have multiple<br />
tokens exported in a single SDTID file. When you ran the <strong>Token</strong> Converter, it properly<br />
converted the first token in the file, but that token was intended for a different user, so<br />
the user’s attempt to authenticate failed. You must reissue the token, making sure that<br />
each SDTID file contains only one token.<br />
Time Synchronization Problem<br />
The time on the iPhone device may be out of synchronization with the clock settings<br />
in Authentication Manager. Instruct the user to read you the time shown on the device.<br />
Expired <strong>Token</strong><br />
The user’s token may have expired. If this occurs, the application displays a “<strong>Token</strong><br />
Expired” message. The user must contact the administrator to request a replacement<br />
token.<br />
Error Messages<br />
If the iPhone device displays any of the following error messages, the user must<br />
contact the administrator to request a replacement token:<br />
• Invalid URL.<br />
• <strong>Token</strong> install failed.<br />
• Error communicating with server. <strong>Token</strong> install failed.<br />
• <strong>Token</strong> not intended for this device. <strong>Token</strong> import failed.<br />
• <strong>Token</strong> expired. Request a replacement token.<br />
• Invalid token.<br />