I had to resort to this after upgrading to the leaked beta of BlackBerry OS 4.5 on my Curve the email-import method did not work. It's a perfectly legitimate method of importing a SecurID token on your handheld, and now I actually prefer it because it is significantly less problematic than emailing the seed file to yourself. For more information see the RSA BlackBerry Soft Token page.
What you need
- RSA SecurID Token for BlackBerry Utilities (bb350_utils.zip)
- SecurID Soft Token for BlackBerry – the app itself, if not installed (bb350.zip)
- Your soft token seed file (.SDTID file)
- BES 4.1.3 or newer
- BB OS 4.2.2 or newer. IMPORTANT: OS 4.3 is not supported, upgrade to OS 4.5. For more information refer to the RSA SecurID Supported BlackBerry OS Versions page.
- Java Runtime Environment 1.4 or newer
If your BES' MDS Connection Service port (default is 8080) is open you do not need to run this on the BES. Mine is not, so I pushed my soft token out from my BES.
Preparing your BlackBerry
Install the SecurID software.You can install it from your desktop, from an internal server or using OTA links from RSA. Install version 3.5.0 Standard OTA from http://rsa.com/bb350
Storm2 (9520/9550) users running OS 5.0.0.602 and SecurID Token 3.0.2 should upgrade to version 3.5.x or install the Storm2-specific hotfix from http://www.rsa.com/storm2hotfix
NOTE Sep 20, 2010: BlackBerry 9800 Torch users should use the 3.5.1 hotfix available from http://rsa.com/torchhotfix
Launch it, accept the EULA and open the Settings. Make sure that Listen for Token is set to Yes. When the security prompt appears choose Yes to allow the application to run as a server.
Pushing out the Soft Token with PushToken
- Download and unzip bb350_utils.zip
- Make sure your .SDTID is on the same disk
- Open a command prompt (Start > Run > cmd)
- From the command prompt:
java -classpath <path_to_bb350utils>\PushToken.jar PushToken -e<email address or pin> -h<BES address> <path to .sdtid file>
In my case I ran:
java -classpath bb350_utils\PushToken.jar PushToken -ecorey@mydomain.com -hlocalhost x-rimdevice-xxxxxxxx.sdtid - If the .sdtid file was valid and you gave the SecurID application permission to run as a server on your BB you should see a prompt on your handheld about receiving a token.
- You may be prompted for a password, if so enter the password you were given with the token.
- If you entered the correct password you will receive notification of the token being imported. You can rename the token by choosing Manage Tokens from the menu.
- That's it. When you open the application you'll be prompted for your passphrase and PIN, and then be shown the generated token. One nice change between versions 2.x and 3.x of the SecurID application is that the numbers are much larger and split into two groups. Think 14 point font instead of 10.
PushToken Command Line Options
java -classpath PushToken.jar PushToken [options] file
Options:
-e E-mail or device ID of BlackBerry
-h Address of BES host (default: localhost)
-p
Port on which BES is listening (default: 8080)
Examples:
java -classpath PushToken.jar PushToken -h123.45.67.89 -p8765 -ejsmith@company.com token.sdtidArchived Versions
Older versions of the RSA Soft Token for BlackBerry app and server utilities.
- 3.0.0 – BlackBerry App (Zip) (OTA) – Server Utilities
- 3.0.1 – BlackBerry App (Zip) (OTA) – Server Utilities
- 3.0.2 – BlackBerry App (Zip) (OTA) – Server Utilities
- 3.0.2 Storm2 Hotfix – (OTA) – (I recommend using 3.5.0)
- 3.5.0 – BlackBerry App (Zip) (OTA) – Server Utilities
- 3.5.1 Torch Hotfix (OTA) (Release Notes)
UPDATED Jan 29, 2009: Links to token app and utilities changed from version 3.0.0 to version 3.0.1.
UPDATED Mar 06, 2009: Links to token app and utilities changed from version 3.0.1 to version 3.0.2, added Archived Versions, OTA installation links.
UPDATED Sep 20, 2010: Links to token app and utilities updated to 3.5.0, added hotfixes for Storm2 and Torch.
Tags: BlackBerry, RSA, SecurID, Security, Things you can't do with an iPhone, Tips
December 17th, 2008 at 4:45 pm
Have you seen this not work? I'm getting the following msg and I was wondering if you could assist me with this?
If you could assist me that would be big time. I have a major deployment and I can't get the tokens to load on certain devices.
C:\RSAPUSH>java -classpath C:\RSAPUSH\pushtoken.jar pushtoken test_archd@XXXX.com C:\RSAPUSH\x-rimdevicetest_arch.sdtid
Exception in thread "main" java.lang.NoClassDefFoundError: pushtoken
Caused by: java.lang.ClassNotFoundException: pushtoken
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
C:\RSAPUSH>
Thank you
Archie
December 19th, 2008 at 1:47 pm
Hey Archie,
Make sure you use the -e command line switch with an email address:
java -classpath C:\RSAPUSH\pushtoken.jar PushToken -etest_archd@XXXXX.com C:\RSAPUSH\x-rimdevicetest_arch.sdtid
January 21st, 2009 at 11:42 am
Error:java.net.ConnectionException: Connection refused: connect
Unable to communicate with MDS.
any ideas?
January 21st, 2009 at 11:53 am
Hi Ricky,
Make sure that the MDS service is running and that if you're accessing it remotely that there are no firewall rules preventing access from the remote host you're using.
February 16th, 2009 at 12:27 pm
the link to download bb301_utils isn't working
does anyone know where they moved it?
there's also a version 3.0.2 of the app…same
download problem
February 18th, 2009 at 12:14 am
@jd both 3.0.1 links are working for me (utilities and BB app), but I don't see any reference to 3.0.2 being available on the RSA site. Do you have a link to it?
February 23rd, 2009 at 3:49 pm
This works great thank you!
March 2nd, 2009 at 10:11 am
Doing this but when I click on the attachment, stdid attachment on berry, nothing happens. It would normally say "accept" but nothing.
March 2nd, 2009 at 11:38 am
Gary – make sure the RSA Soft Token application is running on your BB before pushing it out. You shouldn't need to do anything with a stdid file on the BB. Also make sure that you've got a 128-bit token, we had a few incidents where people had the older 64-bit ones. It actually worked, but not consistently and not with v3.x of the BB Soft Token software.
March 2nd, 2009 at 5:09 pm
I got this to work by sending the attachment to my Gmail account and used the Gmail APP, it gave me the option to "Import the Token"
March 6th, 2009 at 3:49 pm
I'm getting no errors, but nothing is happening. No way I see to set the token app to run as a server either. It defaults to listen to token by default. Tried with PIN and with email.
March 6th, 2009 at 5:17 pm
Mark – What OS is on your device, and which version of the token app do you have? I've had mixed results with OS 4.5 (8130, 8330, 8830) and v3 of the app. I've got v2.1.1 available (OTA install) or you can try the new 3.0.2 (OTA install) which claims to fix compatibility issues with OS 4.3, 4.5, 4.6 and 4.7.
March 6th, 2009 at 5:30 pm
Running BB OS 4.3.0.127 on the phone, with BES V. 4.1.6.9, using RSA 3.0.2. The MDS server shows the push connection, but as far as I can see logs nothing, and the token never gets to the phone. Using port 8080. MDS V 4.1.6.26. Everything reads as 0 except for last 4 lines, which read 9/15/5/5. So far RSA tech support is baffled.
March 6th, 2009 at 5:36 pm
Open the soft token app, open the menu, choose Settings. The last option should be Listen for Token. Change that to Yes, Save, and try pushing the token out again.
March 6th, 2009 at 5:48 pm
Yeah, that was the first thing I did, 3.0.2 has it enabled by default.
March 6th, 2009 at 10:47 pm
It doesn't make sense, but try version 2.0.1.1 of the client. OS 4.3 is a strange and evil beast. The leaked 'betas' are actually very stable too if you wanted to give 4.5 a shot. Ronen is good about posting links to the newest releases.
March 12th, 2009 at 4:15 pm
I was able to do my token push without a problem but couldn't get it to work so I deleted it to start over. I don't get any errors but the token no longer shows up. Any ideas?
Thanks
March 12th, 2009 at 4:23 pm
Tom- once you receive the first token the SID application turns off the "Listen for Token" option. Re-enable that from the SID app Settings menu and try pushing again.
March 16th, 2009 at 7:38 pm
I pushed out my software tokens today through the bes server and now my users are getting prompted to log into a RSA SecurID page when launching their browsers. The devices are also now displaying a new SecurID Connect icon. I am the only one who can browse without logging in and I see that the software configuration failed to deliver on my device. I also see the new icon. Any ideas?
Thanks.
April 15th, 2009 at 7:31 am
Just an update, OS 4.3 does not support pushing the token seed, I upgraded to 4.5, and it works fine. Thanks all.
April 15th, 2009 at 9:06 am
Ah, it's been so long since I've used 4.3, in fact I don't think I tried the token pushing until OS 4.5 which broke the on-device token installation. Glad you found a solution. OS 4.5 is very mature at this point – I think it's been at least a year since it came out, and there haven't been any serious issues with leaked the CDMA releases since the builds > 100.
August 4th, 2009 at 2:09 pm
I am able to manually import the sdtid file into the BB agent on the BB without issue, but why can't I use the SPH util? Please email me at yyyy@XXX.com …. I get this error:
java -classpath PushToken.jar PushToken -h122.6.12.31 -p8443 -ebob.miller@XXXX.tld x-rimdevice-bob.miller\@XXXX.com.sdtid
SdtidValidator.getDocFromPath> IOException thrown for [x-rimdevice-bob.miller@XXXX.com.sdtid]: java.io.UnsupportedEncodingException: null
Error:Invalid SDTID File "x-rimdevice-bob.miller@XXXX.com.sdtid"
Invalid seed record
August 10th, 2009 at 9:16 am
fyi… the solution:
Symptom The first line of the .sdtid file looks like this:
Cause A hotfix from May 20th, 2009 or earlier for AM 7.1 was applied that addressed defect #118865.
Fix
There are three workarounds:
1, Edit the .sdtid file to change the first line to:
or
2. edit the RSA_AM_HOME\util\resources\ims.properties file on all the server nodes and replicas. The entry should specify the local language code, for example
com.rsa.charset=UTF8
then reissue the .sdtid file.
3. apply AM 7.1 May 28th hotfix or later, where "UTF8" will be the default value
October 8th, 2009 at 3:20 pm
Corey,
getting the following error when I try t push a token out to my one of my blackberry users. I have used your method before on other devices with no issues. Any suggestions?
Error:java.io.IOException: Server returned HTTP response code: 403 for URL: http
://bes.xxxx.com:8080/push?DESTINATION=zzzz@xxxx.com&PORT=6446&REQUEST
URI=/
Unable to communicate with MDS.
Thank you,
Lewis
[edit (corey): removed server name]
October 8th, 2009 at 9:30 pm
Hi Lewis,
That error seems BES Specific. Can you access your BES on port 8080? Is the MDS service running?
October 9th, 2009 at 10:11 am
Corey,
Thanks for responding. I can access my BES from port 8080. The interesting thing is I'm only having issues with particular user. The other users I setup had no problems. is it possible there is some setting on the BB device that is not allowing incoming connections from port 8080?
Thank you,
Lewis
February 9th, 2010 at 12:16 pm
Receiving the following error when attempting to execute the pushtoken method:
C:\Temp\RSA>java -classpath c:\Temp\RSA\Pushtoken.jar pushtoken -edonovan.elder@
REDACTED C:\Temp\RSA\x-xxxx-token1.sktid -h1.2.3.4
Exception in thread "main" java.lang.NoClassDefFoundError: pushtoken
Caused by: java.lang.ClassNotFoundException: pushtoken
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
Could not find the main class: pushtoken. Program will exit.
Do you have any advice?
February 10th, 2010 at 10:05 am
@Donovan – the classname is case sensitive, it should be PushToken not pushtoken.
C:\Temp\RSA>java -classpath c:\Temp\RSA\Pushtoken.jar PushToken -edonovan.elder@
example.com C:\Temp\RSA\x-xxxxxx-token1.sktid -h11.22.33.44
March 10th, 2010 at 2:03 pm
Hey man, I have had this working great for about a month now, great post!!
However, today I went to use it for a particular user and now I get this error:
2010-03-10T15:45:27 AST|PushToken(Error )|java.io.IOException: Server returned HTTP response code: 403 for URL: http://(servername):8080/push?DESTINATION=(email addy)&PORT=6446&REQUESTURI=/
Looks like the same issue as Lewis Papaleo.
I can connect fine to my BES on port 8080 and MDS service is running, nothing has changed that I'm aware of…
any ideas?
Thanks
May 3rd, 2010 at 11:18 am
Hi Corey,
This msg is in repsonse to Lewis who is getting the error:
Error:java.io.IOException: Server returned HTTP response code: 403 for URL: http
://bes.xxxx.com:8080/push?DESTINATION=zzzz@xxxx.com&PORT=6446&REQUEST
URI=/
Unable to communicate with MDS.
I was also able to get to the mds using port 8080, on my computer. However, if I tried to access the same webpage on the actual blackberry enterprise server, I got the forbidden error as a result of IE's security. Once I added the site to the trusted sites on the actual server, I no longer received the error.
Thanks,
Tiffany
July 6th, 2010 at 11:52 am
Is it possible to convert a RSA FOB hardware token to a software token?
Please kindly advice whether it is possible to generate a web-based SDTID or CTF if a RSA FOB hardware token is provided its 9 digits number in the back, the 6 digits displaied in front at the time of pushing submit button.
Thank you and best regards.
David.
July 6th, 2010 at 11:58 am
@David Chen – no, they're totally different products, sold separately, backed by different token seeds.
July 29th, 2010 at 3:12 pm
Are there any particular permissions required for the PushToken app to work? I (Domain Admin) can successfully push from my PC but another person (PC Support) is not getting any error, but, does not see the token on the BB.
Great tutorials on your site by the way!
Thanks!
Kevin
August 9th, 2010 at 11:37 pm
Yey! this works great for me. I just followed the steps above carefully and there it goes, I made it. Maybe, other Blacberry phones have little problem with the software that needs proper attention. This app works fine with me and the other as well as for you but on the other hand, it doesn't work mostly of the people above, I think something's wrong with their compatibility. That's just my opinion, I am not that sure. Anyway, thank you for this.
August 12th, 2010 at 8:24 am
RSA soft token 3.5 and the associated utility is now available on the RSA website
September 3rd, 2010 at 12:13 pm
Got myself a Torch (OS 6.0) a couple of weeks ago, and I tried to push the RSA app 3.5 from my BES to it. It seemed to get pushed down to the device OK, and I imported the token via an email attachment (Option to import was available when I touched & held on to the ".sdtid' file). However, when I tried to launch the SID app afterwards I got
Uncaught Exception: Layout Requested During Layout:
Screen: Passcode Screen Engine
net.rim.device.api.ui.UiEngineImpl$UiEngineOldInterface Adapter@dxxxxxx
Googling found a result that OS 6.0 doesn't quite work with 3.5, and that us Torch users must wait for 3.5.1, due ~mid-Sept.
Anyone else had and experience with their Torch and this app?
Tx,
November 1st, 2010 at 1:04 pm
Try the built it token reader:
On older model settings>options>security options>software tokens
from BES:
The RSA SecureID Token will need to be manually applied at the BlackBerry Enterprise Server level by completing the following steps:
Open BlackBerry Manager.
Select the BlackBerry Enterprise Server in question.
Go to the Users tab.
Locate the user and right click.
Select Edit Properties.
Go to WLAN configuration.
Go to Software Tokens.
Select New.
Type the serial number of the software token.
Double click seed.
Click import from file.
Navigate to the software token seed file for the BlackBerry smartphone user, click open, and once the file has been imported – select OK.
If you configured a password in the RSA Authentication Manager to encrypt the .SDTID file seed, enter the password (and then re-enter to confirm).
In the timeout field, enter the length of time that the BlackBerry smartphone caches the personal identification number (PIN):
0: BlackBerry smartphone does not cache the PIN and prompts the BlackBerry smartphone user to authenticate at each login
1 through 9: BlackBerry smartphone retains the PIN in the cache for the specified number of minutes and then deletes it
-1 to -9:– BlackBerry smartphone caches the PIN until the seed is deleted or changed
Note: If you do not configure a timeout, the PIN is always cached.
Click Apply.
November 2nd, 2010 at 11:58 am
I had problems with the RSA software for the new Curve 3G (9300 & 9330), but RSA has released a new fix
OTA: rsa.com/bb351
November 14th, 2010 at 11:40 pm
I have a torch 9800 with the 3.5.1 RSA software installed but I haven't been able to import the token via email. When I navigate to the token file in the email and select Import SecureID Token I get an error that says "Token not intended for this device. Token import failed. Contact your administrator." I did edit the file so it starts with x-rimdevice, has anyone else run into this issue?
January 10th, 2011 at 12:35 pm
I have the same problem at the moment and am trying to resolve it.
January 10th, 2011 at 3:57 pm
We were able to get this to work. We created a new policy group on the server to support 3.5.1 and were able to install the 3.5.1 software on the phone and finally created a new software token and it imported.
January 24th, 2011 at 9:01 pm
Hey — I've tried all suggestions I've seen, but PushToken isn't working for me. I get an error "Failed to load Main-Class manifest attribute from PushToken.jar" when I run it from the command line using: c:\> java -classpath c:\pushtoken\PushToken.jar PushToken -hxxx.xxx.xxx.xxx -p8080 -edevicePIN tokenname.sdtid
Is there something I'm missing?
January 25th, 2011 at 3:51 pm
LOL – Nevermind… They say a fresh mind works better. Took another look and retyped everything from scratch once I'd taken a break and rested. PushToken appears to have worked for me this time. I just had to specify the full path both to the PushToken.jar and to the token itself. Once I did that, it ran like a charm.
Thanks anyway!
July 8th, 2011 at 1:27 am
Hi,
what is BES host ? How to check it ?
Thanks