Pushing RSA SecurID Tokens to a BlackBerry

I had to resort to this after upgrading to the leaked beta of BlackBerry OS 4.5 on my Curve, when the email-import method did not work. It's a perfectly legitimate method of importing a SecurID token on your handheld, and now I actually prefer it because it is significantly less problematic than emailing the seed file to yourself. For more information see the RSA BlackBerry Soft Token page.

What you need

  • RSA SecurID Token for BlackBerry Utilities (bb302_utils.zip)
  • SecurID Soft Token for BlackBerry – the app itself, if not installed (bb302.zip)
  • Your soft token seed file (.SDTID file)
  • BES 4.1.3 or newer
  • BB OS 4.2.2 or newer. IMPORTANT: OS 4.3 is not supported, upgrade to 4.5, preferably one of the latest leaked releases.
  • Java Runtime Environment 1.4 or newer

If your BES' MDS Connection Service port (default is 8080) is open you do not need to run this on the BES. Mine is not, so I pushed my soft token out from my BES.

Preparing your BlackBerry

Install the SecurID 3.0 software. You can install it from your desktop, from an internal server or using OTA links from RSA. Install version 3.0.2 Standard OTA from http://rsa.com/bb302

Launch it, accept the EULA and open the Settings. Make sure that Listen for Token is set to Yes. When the security prompt appears choose Yes to allow the application to run as a server.

Pushing out the Soft Token with PushToken

  1. Download and unzip bb300_utils.zip
  2. Make sure your .SDTID is on the same disk
  3. Open a command prompt (Start > Run > cmd)
  4. From the command prompt:
    java -classpath <path_to_bb300utils>\PushToken.jar PushToken -e<email address or pin> -h<BES address> <path to .sdtid file>
    In my case I ran:
    java -classpath bb300_utils\PushToken.jar PushToken -ecorey@mydomain.com -hlocalhost x-rimdevice-xxxxxxxx.sdtid
  5. If the .sdtid file was valid and you gave the SecurID application permission to run as a server on your BB you should see a prompt on your handheld about receiving a token.
  6. You may be prompted for a password, if so enter the password you were given with the token.
  7. If you entered the correct password you will receive notification of the token being imported. You can rename the token by choosing Manage Tokens from the menu.
  8. That's it. When you open the application you'll be prompted for your passphrase and PIN, and then be shown the generated token. One nice change between versions 2.x and 3.x of the SecurID application is that the numbers are much larger and split into two groups. Think 14 point font instead of 10.

PushToken Command Line Options

java -classpath PushToken.jar PushToken [options] file

Options:
-e      E-mail or device ID of BlackBerry
-h      Address of BES host (default: localhost)
-p      Port on which BES is listening (default: 8080)

Examples:
java -classpath PushToken.jar PushToken -h123.45.67.89 -p8765 -ejsmith@company.com token.sdtid
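A preflight check for the command line described above, as an added example in Python (not part of the original post or of RSA's utilities): it flags argument mistakes this syntax invites and tests whether the MDS Connection Service port accepts a TCP connection. The function names and the two sample command lines are constructed for illustration.

```python
import socket

MAIN_CLASS = "PushToken"                        # Java class names are case sensitive
DEFAULT_HOST, DEFAULT_PORT = "localhost", 8080  # defaults from the usage text

def parse_tail(argv):
    """Split the arguments after the main class into options and files."""
    opts = {a[:2]: a[2:] for a in argv[4:] if a.startswith("-")}
    files = [a for a in argv[4:] if not a.startswith("-")]
    return opts, files

def lint_pushtoken(argv):
    """Return a list of problems in a PushToken command line (argv list)."""
    if len(argv) < 4 or argv[0] != "java" or argv[1] not in ("-classpath", "-cp"):
        return ["expected: java -classpath <PushToken.jar> PushToken [options] file"]
    problems = []
    if argv[3] != MAIN_CLASS:
        problems.append("main class must be spelled %s, got %r" % (MAIN_CLASS, argv[3]))
    opts, files = parse_tail(argv)
    if not opts.get("-e"):
        problems.append("missing -e<email address or PIN>")
    for flag in sorted(set(opts) - {"-e", "-h", "-p"}):
        problems.append("unknown option %s" % flag)
    port = opts.get("-p", str(DEFAULT_PORT))
    if not port.isdecimal() or not 0 < int(port) < 65536:
        problems.append("-p must be a TCP port number")
    if len(files) != 1:
        problems.append("expected exactly one token file, got %d" % len(files))
    elif not files[0].lower().endswith(".sdtid"):
        problems.append("token file should have the .sdtid extension")
    return problems

def mds_target(argv):
    """Host and port the push will go to, applying the documented defaults."""
    opts, _ = parse_tail(argv)
    return opts.get("-h") or DEFAULT_HOST, int(opts.get("-p") or DEFAULT_PORT)

def mds_reachable(host, port, timeout=3.0):
    """True if a TCP connection to the MDS Connection Service port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed samples: BAD has a lower-case class name and no -e switch.
BAD = ["java", "-classpath", "PushToken.jar", "pushtoken", "user@example.com", "token.sdtid"]
GOOD = ["java", "-classpath", "PushToken.jar", "PushToken",
        "-euser@example.com", "-h192.0.2.10", "-p8765", "token.sdtid"]
```

A False result from `mds_reachable(*mds_target(argv))` corresponds to the "Connection refused" error reported in the comments below; it does not detect an HTTP 403 returned by MDS.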

Archived Versions

Older versions of the RSA Soft Token for BlackBerry app and server utilities.

UPDATED Jan 29, 2009: Links to token app and utilities changed from version 3.0.0 to version 3.0.1.

UPDATED Mar 06, 2009: Links to token app and utilities changed from version 3.0.1 to version 3.0.2, added Archived Versions, OTA installation links.

 


32 Responses to “Pushing RSA SecurID Tokens to a BlackBerry”

  1. Archie Says:

    Have you seen this not work? I'm getting the following msg and I was wondering if you could assist me with this?

    If you could assist me that would be big time. I have a major deployment and I can't get the tokens to load on certain devices.

    C:\RSAPUSH>java -classpath C:\RSAPUSH\pushtoken.jar pushtoken test_archd@wilmerhale.com C:\RSAPUSH\x-rimdevicetest_arch.sdtid

    Exception in thread "main" java.lang.NoClassDefFoundError: pushtoken
    Caused by: java.lang.ClassNotFoundException: pushtoken
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)

    C:\RSAPUSH>

    Thank you
    Archie

  2. Corey Says:

    Hey Archie,

    Make sure you use the -e command line switch with an email address:
    java -classpath C:\RSAPUSH\pushtoken.jar PushToken -etest_archd@wilmerhale.com C:\RSAPUSH\x-rimdevicetest_arch.sdtid

  3. ricky Says:

    Error:java.net.ConnectionException: Connection refused: connect
    Unable to communicate with MDS.

    any ideas?

  4. Corey Says:

    Hi Ricky,

    Make sure that the MDS service is running and that if you're accessing it remotely that there are no firewall rules preventing access from the remote host you're using.

  5. jd Says:

    the link to download bb301_utils isn't working
    does anyone know where they moved it?

    there's also a version 3.0.2 of the app…same
    download problem

  6. Corey Says:

    @jd both 3.0.1 links are working for me (utilities and BB app), but I don't see any reference to 3.0.2 being available on the RSA site. Do you have a link to it?

  7. Steve Says:

    This works great thank you!

  8. Gary Jagan Says:

    Doing this but when I click on the attachment, stdid attachment on berry, nothing happens. It would normally say "accept" but nothing.

  9. Corey Says:

    Gary – make sure the RSA Soft Token application is running on your BB before pushing it out. You shouldn't need to do anything with a stdid file on the BB. Also make sure that you've got a 128-bit token, we had a few incidents where people had the older 64-bit ones. It actually worked, but not consistently and not with v3.x of the BB Soft Token software.

  10. Nick Says:

    I got this to work by sending the attachment to my Gmail account and used the Gmail APP, it gave me the option to "Import the Token"

  11. Mark Says:

    I'm getting no errors, but nothing is happening. No way I see to set the token app to run as a server either. It defaults to listen to token by default. Tried with PIN and with email.

  12. Corey Says:

    Mark – What OS is on your device, and which version of the token app do you have? I've had mixed results with OS 4.5 (8130, 8330, 8830) and v3 of the app. I've got v2.1.1 available (OTA install) or you can try the new 3.0.2 (OTA install) which claims to fix compatibility issues with OS 4.3, 4.5, 4.6 and 4.7.

  13. Mark Says:

    Running BB OS 4.3.0.127 on the phone, with BES V. 4.1.6.9, using RSA 3.0.2. The MDS server shows the push connection, but as far as I can see logs nothing, and the token never gets to the phone. Using port 8080. MDS V 4.1.6.26. Everything reads as 0 except for last 4 lines, which read 9/15/5/5. So far RSA tech support is baffled.

  14. Corey Says:

    Open the soft token app, open the menu, choose Settings. The last option should be Listen for Token. Change that to Yes, Save, and try pushing the token out again.

  15. Mark Says:

    Yeah, that was the first thing I did, 3.0.2 has it enabled by default.

  16. Corey Says:

    It doesn't make sense, but try version 2.0.1.1 of the client. OS 4.3 is a strange and evil beast. The leaked 'betas' are actually very stable too if you wanted to give 4.5 a shot. Ronen is good about posting links to the newest releases.

  17. Tom Says:

    I was able to do my token push without a problem but couldn't get it to work so I deleted it to start over. I don't get any errors but the token no longer shows up. Any ideas?

    Thanks

  18. Corey Says:

    Tom- once you receive the first token the SID application turns off the "Listen for Token" option. Re-enable that from the SID app Settings menu and try pushing again.

  19. Mark Says:

    I pushed out my software tokens today through the bes server and now my users are getting prompted to log into a RSA SecurID page when launching their browsers. The devices are also now displaying a new SecurID Connect icon. I am the only one who can browse without logging in and I see that the software configuration failed to deliver on my device. I also see the new icon. Any ideas?

    Thanks.

  20. Mark Says:

    Just an update, OS 4.3 does not support pushing the token seed, I upgraded to 4.5, and it works fine. Thanks all.

  21. Corey Says:

    Ah, it's been so long since I've used 4.3, in fact I don't think I tried the token pushing until OS 4.5 which broke the on-device token installation. Glad you found a solution. OS 4.5 is very mature at this point – I think it's been at least a year since it came out, and there haven't been any serious issues with the leaked CDMA releases since the builds > 100.

  22. Ed Says:

    fyi… the solution:

    Symptom The first line of the .sdtid file looks like this:

    Cause A hotfix from May 20th, 2009 or earlier for AM 7.1 was applied that addressed defect #118865.

    Fix

    There are three workarounds:
    1, Edit the .sdtid file to change the first line to:

    or
    2. edit the RSA_AM_HOME\util\resources\ims.properties file on all the server nodes and replicas. The entry should specify the local language code, for example
    com.rsa.charset=UTF8
    then reissue the .sdtid file.
    3. apply AM 7.1 May 28th hotfix or later, where "UTF8" will be the default value

  23. Lewis Papaleo Says:

    Corey,

    getting the following error when I try to push a token out to one of my blackberry users. I have used your method before on other devices with no issues. Any suggestions?

    Error:java.io.IOException: Server returned HTTP response code: 403 for URL: http
    ://bes.xxxx.com:8080/push?DESTINATION=zzzz@xxxx.com&PORT=6446&REQUEST
    URI=/
    Unable to communicate with MDS.

    Thank you,

    Lewis

    [edit (corey): removed server name]

  24. Corey Says:

    Hi Lewis,

    That error seems BES Specific. Can you access your BES on port 8080? Is the MDS service running?

  25. Lewis Papaleo Says:

    Corey,

    Thanks for responding. I can access my BES from port 8080. The interesting thing is I'm only having issues with a particular user. The other users I setup had no problems. Is it possible there is some setting on the BB device that is not allowing incoming connections from port 8080?

    Thank you,

    Lewis

  26. Donovan Says:

    Receiving the following error when attempting to execute the pushtoken method:
    C:\Temp\RSA>java -classpath c:\Temp\RSA\Pushtoken.jar pushtoken -edonovan.elder@
    REDACTED C:\Temp\RSA\x-xxxx-token1.sktid -h1.2.3.4
    Exception in thread "main" java.lang.NoClassDefFoundError: pushtoken
    Caused by: java.lang.ClassNotFoundException: pushtoken
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    Could not find the main class: pushtoken. Program will exit.
    Do you have any advice?

  27. Corey Says:

    @Donovan – the classname is case sensitive, it should be PushToken not pushtoken.

    C:\Temp\RSA>java -classpath c:\Temp\RSA\Pushtoken.jar PushToken -edonovan.elder@
    example.com C:\Temp\RSA\x-xxxxxx-token1.sktid -h11.22.33.44

  28. Jim Says:

    Hey man, I have had this working great for about a month now, great post!!

    However, today I went to use it for a particular user and now I get this error:

    2010-03-10T15:45:27 AST|PushToken(Error )|java.io.IOException: Server returned HTTP response code: 403 for URL: http://(servername):8080/push?DESTINATION=(email addy)&PORT=6446&REQUESTURI=/

    Looks like the same issue as Lewis Papaleo.

    I can connect fine to my BES on port 8080 and MDS service is running, nothing has changed that I'm aware of…

    any ideas?

    Thanks

  29. Tiffany Says:

    Hi Corey,
    This msg is in response to Lewis who is getting the error:

    Error:java.io.IOException: Server returned HTTP response code: 403 for URL: http
    ://bes.xxxx.com:8080/push?DESTINATION=zzzz@xxxx.com&PORT=6446&REQUEST
    URI=/
    Unable to communicate with MDS.

    I was also able to get to the mds using port 8080, on my computer. However, if I tried to access the same webpage on the actual blackberry enterprise server, I got the forbidden error as a result of IE's security. Once I added the site to the trusted sites on the actual server, I no longer received the error.
    Thanks,
    Tiffany

  30. David Chen Says:

    Is it possible to convert a RSA FOB hardware token to a software token?
    Please kindly advise whether it is possible to generate a web-based SDTID or CTF if a RSA FOB hardware token is provided its 9 digits number in the back, the 6 digits displayed in front at the time of pushing submit button.

    Thank you and best regards.
    David.

  31. Corey Says:

    @David Chen – no, they're totally different products, sold separately, backed by different token seeds.

  32. Kevin Says:

    Are there any particular permissions required for the PushToken app to work? I (Domain Admin) can successfully push from my PC but another person (PC Support) is not getting any error, but, does not see the token on the BB.

    Great tutorials on your site by the way!

    Thanks!
    Kevin

© 2007-2010, Corey Gilmore

 

The views expressed on these pages are mine alone and not those of any past or present employer. All information presented on this site was obtained lawfully and not through disclosure under the terms of an NDA.