Pushing RSA SecurID Tokens to a BlackBerry

I had to resort to this after upgrading to the leaked beta of BlackBerry OS 4.5 on my Curve, where the email-import method did not work. It's a perfectly legitimate method of importing a SecurID token on your handheld, and now I actually prefer it because it is significantly less problematic than emailing the seed file to yourself. For more information see the RSA BlackBerry Soft Token page.

What you need

If your BES's MDS Connection Service port (default is 8080) is open, you do not need to run this on the BES itself. Mine is not, so I pushed my soft token out from my BES.

Preparing your BlackBerry

Install the SecurID software. You can install it from your desktop, from an internal server or using OTA links from RSA. Install version 3.5.0 Standard OTA from http://rsa.com/bb350

Storm2 (9520/9550) users running OS 5.0.0.602 and SecurID Token 3.0.2 should upgrade to version 3.5.x or install the Storm2-specific hotfix from http://www.rsa.com/storm2hotfix

NOTE Sep 20, 2010: BlackBerry 9800 Torch users should use the 3.5.1 hotfix available from http://rsa.com/torchhotfix

Launch it, accept the EULA and open the Settings. Make sure that Listen for Token is set to Yes. When the security prompt appears choose Yes to allow the application to run as a server.

Pushing out the Soft Token with PushToken

  1. Download and unzip bb350_utils.zip
  2. Make sure your .SDTID is on the same disk
  3. Open a command prompt (Start > Run > cmd)
  4. From the command prompt:
    java -classpath <path_to_bb350utils>\PushToken.jar PushToken -e<email address or pin> -h<BES address> <path to .sdtid file>
    In my case I ran:
    java -classpath bb350_utils\PushToken.jar PushToken -ecorey@mydomain.com -hlocalhost x-rimdevice-xxxxxxxx.sdtid
  5. If the .sdtid file was valid and you gave the SecurID application permission to run as a server on your BB you should see a prompt on your handheld about receiving a token.
  6. You may be prompted for a password; if so, enter the password you were given with the token.
  7. If you entered the correct password you will receive notification of the token being imported. You can rename the token by choosing Manage Tokens from the menu.
  8. That's it. When you open the application you'll be prompted for your passphrase and PIN, and then be shown the generated token. One nice change between versions 2.x and 3.x of the SecurID application is that the numbers are much larger and split into two groups. Think 14 point font instead of 10.

PushToken Command Line Options

java -classpath PushToken.jar PushToken [options] file
 
Options:
-e      E-mail or device ID of BlackBerry
-h      Address of BES host (default: localhost)
-p      Port on which BES is listening (default: 8080)

Examples:
java -classpath PushToken.jar PushToken -h123.45.67.89 -p8765 -ejsmith@company.com token.sdtid
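
A preflight check for the push, covering the failure modes reported in the comments below (wrong class-name case, missing -e, relative paths, MDS not reachable, an unreadable encoding in the token file). This is an added example, not code from RSA or from the original post; the function names are hypothetical, and the encoding check assumes the .sdtid file is XML with its declaration on the first line.

```python
import codecs
import os
import re
import socket
import sys

MAIN_CLASS = "PushToken"  # Java class names are case-sensitive ("pushtoken" fails)

def declared_encoding(sdtid_path):
    """Return the encoding named in the file's XML declaration, or None if absent."""
    with open(sdtid_path, "rb") as fh:
        head = fh.read(256)
    m = re.match(rb'\s*<\?xml[^>]*?\bencoding\s*=\s*["\']([\w.-]*)["\']', head)
    return m.group(1).decode("ascii") if m else None

def mds_reachable(host, port, timeout=3.0):
    """True if a TCP connection to the MDS Connection Service port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(jar, sdtid, dest, host="localhost", port=8080, check_port=True):
    """Return a list of problems; an empty list means the push can be attempted."""
    problems = []
    if not dest:
        problems.append("no destination: -e needs an e-mail address or device PIN")
    if not os.path.isfile(jar):
        problems.append(f"jar not found: {jar}")
    if not os.path.isfile(sdtid):
        problems.append(f"token file not found: {sdtid}")
    else:
        enc = declared_encoding(sdtid)
        if enc is not None:
            try:
                codecs.lookup(enc)  # unknown names raise LookupError
            except LookupError:
                problems.append(f"unsupported encoding in XML declaration: {enc!r}")
    if check_port and not mds_reachable(host, port):
        problems.append(f"cannot connect to MDS at {host}:{port}")
    return problems

def build_command(jar, sdtid, dest, host="localhost", port=8080):
    """Argument list for the push: options first, full paths, token file last."""
    return ["java", "-classpath", os.path.abspath(jar), MAIN_CLASS,
            f"-e{dest}", f"-h{host}", f"-p{port}", os.path.abspath(sdtid)]

if __name__ == "__main__" and len(sys.argv) >= 4:
    # usage: preflight.py <PushToken.jar> <token.sdtid> <email or PIN> [BES host]
    jar, sdtid, dest = sys.argv[1:4]
    host = sys.argv[4] if len(sys.argv) > 4 else "localhost"
    issues = preflight(jar, sdtid, dest, host)
    print("\n".join(issues) if issues else " ".join(build_command(jar, sdtid, dest, host)))
```
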

Archived Versions

Older versions of the RSA Soft Token for BlackBerry app and server utilities.

UPDATED Jan 29, 2009: Links to token app and utilities changed from version 3.0.0 to version 3.0.1.

UPDATED Mar 06, 2009: Links to token app and utilities changed from version 3.0.1 to version 3.0.2, added Archived Versions, OTA installation links.

UPDATED Sep 20, 2010: Links to token app and utilities updated to 3.5.0, added hotfixes for Storm2 and Torch.

 


44 Responses to “Pushing RSA SecurID Tokens to a BlackBerry”

  1. Archie Says:

    Have you seen this not work? I'm getting the following msg and I was wondering if you could assist me with this?

    If you could assist me that would be big time. I have a major deployment and I can't get the tokens to load on certain devices.

    C:\RSAPUSH>java -classpath C:\RSAPUSH\pushtoken.jar pushtoken test_archd@XXXX.com C:\RSAPUSH\x-rimdevicetest_arch.sdtid

    Exception in thread "main" java.lang.NoClassDefFoundError: pushtoken
    Caused by: java.lang.ClassNotFoundException: pushtoken
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)

    C:\RSAPUSH>

    Thank you
    Archie

  2. Corey Says:

    Hey Archie,

    Make sure you use the -e command line switch with an email address:
    java -classpath C:\RSAPUSH\pushtoken.jar PushToken -etest_archd@XXXXX.com C:\RSAPUSH\x-rimdevicetest_arch.sdtid

  3. ricky Says:

    Error:java.net.ConnectionException: Connection refused: connect
    Unable to communicate with MDS.

    any ideas?

  4. Corey Says:

    Hi Ricky,

    Make sure that the MDS service is running and that if you're accessing it remotely that there are no firewall rules preventing access from the remote host you're using.

  5. jd Says:

    the link to download bb301_utils isn't working
    does anyone know where they moved it?

    there's also a version 3.0.2 of the app…same
    download problem

  6. Corey Says:

    @jd both 3.0.1 links are working for me (utilities and BB app), but I don't see any reference to 3.0.2 being available on the RSA site. Do you have a link to it?

  7. Steve Says:

    This works great thank you!

  8. Gary Jagan Says:

    Doing this but when I click on the attachment, stdid attachment on berry, nothing happens. It would normally say "accept" but nothing.

  9. Corey Says:

    Gary – make sure the RSA Soft Token application is running on your BB before pushing it out. You shouldn't need to do anything with a stdid file on the BB. Also make sure that you've got a 128-bit token, we had a few incidents where people had the older 64-bit ones. It actually worked, but not consistently and not with v3.x of the BB Soft Token software.

  10. Nick Says:

    I got this to work by sending the attachment to my Gmail account and used the Gmail APP, it gave me the option to "Import the Token"

  11. Mark Says:

    I'm getting no errors, but nothing is happening. No way I see to set the token app to run as a server either. It defaults to listen to token by default. Tried with PIN and with email.

  12. Corey Says:

    Mark – What OS is on your device, and which version of the token app do you have? I've had mixed results with OS 4.5 (8130, 8330, 8830) and v3 of the app. I've got v2.1.1 available (OTA install) or you can try the new 3.0.2 (OTA install) which claims to fix compatibility issues with OS 4.3, 4.5, 4.6 and 4.7.

  13. Mark Says:

    Running BB OS 4.3.0.127 on the phone, with BES V. 4.1.6.9, using RSA 3.0.2. The MDS server shows the push connection, but as far as I can see logs nothing, and the token never gets to the phone. Using port 8080. MDS V 4.1.6.26. Everything reads as 0 except for last 4 lines, which read 9/15/5/5. So far RSA tech support is baffled.

  14. Corey Says:

    Open the soft token app, open the menu, choose Settings. The last option should be Listen for Token. Change that to Yes, Save, and try pushing the token out again.

  15. Mark Says:

    Yeah, that was the first thing I did, 3.0.2 has it enabled by default.

  16. Corey Says:

    It doesn't make sense, but try version 2.0.1.1 of the client. OS 4.3 is a strange and evil beast. The leaked 'betas' are actually very stable too if you wanted to give 4.5 a shot. Ronen is good about posting links to the newest releases.

  17. Tom Says:

    I was able to do my token push without a problem but couldn't get it to work so I deleted it to start over. I don't get any errors but the token no longer shows up. Any ideas?

    Thanks

  18. Corey Says:

    Tom- once you receive the first token the SID application turns off the "Listen for Token" option. Re-enable that from the SID app Settings menu and try pushing again.

  19. Mark Says:

    I pushed out my software tokens today through the bes server and now my users are getting prompted to log into a RSA SecurID page when launching their browsers. The devices are also now displaying a new SecurID Connect icon. I am the only one who can browse without logging in and I see that the software configuration failed to deliver on my device. I also see the new icon. Any ideas?

    Thanks.

  20. Mark Says:

    Just an update, OS 4.3 does not support pushing the token seed, I upgraded to 4.5, and it works fine. Thanks all.

  21. Corey Says:

    Ah, it's been so long since I've used 4.3, in fact I don't think I tried the token pushing until OS 4.5 which broke the on-device token installation. Glad you found a solution. OS 4.5 is very mature at this point – I think it's been at least a year since it came out, and there haven't been any serious issues with the leaked CDMA releases since the builds > 100.

  22. Ed Says:

    I am able to manually import the sdtid file into the BB agent on the BB without issue, but why can't I use the SPH util? Please email me at yyyy@XXX.com …. I get this error:

    java -classpath PushToken.jar PushToken -h122.6.12.31 -p8443 -ebob.miller@XXXX.tld x-rimdevice-bob.miller\@XXXX.com.sdtid

    SdtidValidator.getDocFromPath> IOException thrown for [x-rimdevice-bob.miller@XXXX.com.sdtid]: java.io.UnsupportedEncodingException: null
    Error:Invalid SDTID File "x-rimdevice-bob.miller@XXXX.com.sdtid"
    Invalid seed record

  23. Ed Says:

    fyi… the solution:

    Symptom The first line of the .sdtid file looks like this:

    Cause A hotfix from May 20th, 2009 or earlier for AM 7.1 was applied that addressed defect #118865.

    Fix

    There are three workarounds:
    1. Edit the .sdtid file to change the first line to:

    or
    2. edit the RSA_AM_HOME\util\resources\ims.properties file on all the server nodes and replicas. The entry should specify the local language code, for example
    com.rsa.charset=UTF8
    then reissue the .sdtid file.
    3. apply AM 7.1 May 28th hotfix or later, where "UTF8" will be the default value

  24. Lewis Papaleo Says:

    Corey,

    Getting the following error when I try to push a token out to one of my BlackBerry users. I have used your method before on other devices with no issues. Any suggestions?

    Error:java.io.IOException: Server returned HTTP response code: 403 for URL: http
    ://bes.xxxx.com:8080/push?DESTINATION=zzzz@xxxx.com&PORT=6446&REQUEST
    URI=/
    Unable to communicate with MDS.

    Thank you,

    Lewis

    [edit (corey): removed server name]

  25. Corey Says:

    Hi Lewis,

    That error seems BES Specific. Can you access your BES on port 8080? Is the MDS service running?

  26. Lewis Papaleo Says:

    Corey,

    Thanks for responding. I can access my BES from port 8080. The interesting thing is I'm only having issues with a particular user. The other users I set up had no problems. Is it possible there is some setting on the BB device that is not allowing incoming connections from port 8080?

    Thank you,

    Lewis

  27. Donovan Says:

    Receiving the following error when attempting to execute the pushtoken method:
    C:\Temp\RSA>java -classpath c:\Temp\RSA\Pushtoken.jar pushtoken -edonovan.elder@
    REDACTED C:\Temp\RSA\x-xxxx-token1.sktid -h1.2.3.4
    Exception in thread "main" java.lang.NoClassDefFoundError: pushtoken
    Caused by: java.lang.ClassNotFoundException: pushtoken
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    Could not find the main class: pushtoken. Program will exit.
    Do you have any advice?

  28. Corey Says:

    @Donovan – the classname is case sensitive, it should be PushToken not pushtoken.

    C:\Temp\RSA>java -classpath c:\Temp\RSA\Pushtoken.jar PushToken -edonovan.elder@
    example.com C:\Temp\RSA\x-xxxxxx-token1.sktid -h11.22.33.44

  29. Jim Says:

    Hey man, I have had this working great for about a month now, great post!!

    However, today I went to use it for a particular user and now I get this error:

    2010-03-10T15:45:27 AST|PushToken(Error )|java.io.IOException: Server returned HTTP response code: 403 for URL: http://(servername):8080/push?DESTINATION=(email addy)&PORT=6446&REQUESTURI=/

    Looks like the same issue as Lewis Papaleo.

    I can connect fine to my BES on port 8080 and MDS service is running, nothing has changed that I'm aware of…

    any ideas?

    Thanks

  30. Tiffany Says:

    Hi Corey,
    This msg is in response to Lewis who is getting the error:

    Error:java.io.IOException: Server returned HTTP response code: 403 for URL: http
    ://bes.xxxx.com:8080/push?DESTINATION=zzzz@xxxx.com&PORT=6446&REQUEST
    URI=/
    Unable to communicate with MDS.

    I was also able to get to the mds using port 8080, on my computer. However, if I tried to access the same webpage on the actual blackberry enterprise server, I got the forbidden error as a result of IE's security. Once I added the site to the trusted sites on the actual server, I no longer received the error.
    Thanks,
    Tiffany

  31. David Chen Says:

    Is it possible to convert a RSA FOB hardware token to a software token?
    Please kindly advise whether it is possible to generate a web-based SDTID or CTF if a RSA FOB hardware token is provided its 9 digits number in the back, the 6 digits displayed in front at the time of pushing submit button.

    Thank you and best regards.
    David.

  32. Corey Says:

    @David Chen – no, they're totally different products, sold separately, backed by different token seeds.

  33. Kevin Says:

    Are there any particular permissions required for the PushToken app to work? I (Domain Admin) can successfully push from my PC but another person (PC Support) is not getting any error, but, does not see the token on the BB.

    Great tutorials on your site by the way!

    Thanks!
    Kevin

  34. Sam from freeware blackberry Says:

    Yey! This works great for me. I just followed the steps above carefully and there it goes, I made it. Maybe other BlackBerry phones have a little problem with the software that needs proper attention. This app works fine with me and the other as well as for you but on the other hand, it doesn't work for most of the people above, I think something's wrong with their compatibility. That's just my opinion, I am not that sure. Anyway, thank you for this.

  35. Marc Says:

    RSA soft token 3.5 and the associated utility is now available on the RSA website

  36. El Kabong Says:

    Got myself a Torch (OS 6.0) a couple of weeks ago, and I tried to push the RSA app 3.5 from my BES to it. It seemed to get pushed down to the device OK, and I imported the token via an email attachment (Option to import was available when I touched & held on to the ".sdtid" file). However, when I tried to launch the SID app afterwards I got
    Uncaught Exception: Layout Requested During Layout:
    Screen: Passcode Screen Engine
    net.rim.device.api.ui.UiEngineImpl$UiEngineOldInterface Adapter@dxxxxxx

    Googling found a result that OS 6.0 doesn't quite work with 3.5, and that us Torch users must wait for 3.5.1, due ~mid-Sept.

    Anyone else had any experience with their Torch and this app?
    Tx,

  37. Omar Viscafe Says:

    Try the built-in token reader:

    On older model settings>options>security options>software tokens

    from BES:

    The RSA SecureID Token will need to be manually applied at the BlackBerry Enterprise Server level by completing the following steps:

    Open BlackBerry Manager.
    Select the BlackBerry Enterprise Server in question.
    Go to the Users tab.
    Locate the user and right click.
    Select Edit Properties.
    Go to WLAN configuration.
    Go to Software Tokens.
    Select New.
    Type the serial number of the software token.
    Double click seed.
    Click import from file.
    Navigate to the software token seed file for the BlackBerry smartphone user, click open, and once the file has been imported – select OK.
    If you configured a password in the RSA Authentication Manager to encrypt the .SDTID file seed, enter the password (and then re-enter to confirm).
    In the timeout field, enter the length of time that the BlackBerry smartphone caches the personal identification number (PIN):
    0: BlackBerry smartphone does not cache the PIN and prompts the BlackBerry smartphone user to authenticate at each login
    1 through 9: BlackBerry smartphone retains the PIN in the cache for the specified number of minutes and then deletes it
    -1 to -9: BlackBerry smartphone caches the PIN until the seed is deleted or changed
    Note: If you do not configure a timeout, the PIN is always cached.

    Click Apply.

  38. Omar Viscafe Says:

    I had problems with the RSA software for the new Curve 3G (9300 & 9330), but RSA has released a new fix

    OTA: rsa.com/bb351

  39. Dan Says:

    I have a torch 9800 with the 3.5.1 RSA software installed but I haven't been able to import the token via email. When I navigate to the token file in the email and select Import SecureID Token I get an error that says "Token not intended for this device. Token import failed. Contact your administrator." I did edit the file so it starts with x-rimdevice, has anyone else run into this issue?

  40. Dave Says:

    I have the same problem at the moment and am trying to resolve it.

  41. Dave Says:

    We were able to get this to work. We created a new policy group on the server to support 3.5.1 and were able to install the 3.5.1 software on the phone and finally created a new software token and it imported.

  42. Kate Says:

    Hey — I've tried all suggestions I've seen, but PushToken isn't working for me. I get an error "Failed to load Main-Class manifest attribute from PushToken.jar" when I run it from the command line using: c:\> java -classpath c:\pushtoken\PushToken.jar PushToken -hxxx.xxx.xxx.xxx -p8080 -edevicePIN tokenname.sdtid

    Is there something I'm missing?

  43. Kate Says:

    LOL – Nevermind… They say a fresh mind works better. Took another look and retyped everything from scratch once I'd taken a break and rested. PushToken appears to have worked for me this time. I just had to specify the full path both to the PushToken.jar and to the token itself. Once I did that, it ran like a charm.

    Thanks anyway!

  44. vineet Says:

    Hi,
    what is BES host ? How to check it ?

    Thanks

© 2007-2012, Corey Gilmore

 

The views expressed on these pages are mine alone and not those of any past or present employer. All information presented on this site was obtained lawfully and not through disclosure under the terms of an NDA.