OK, so you've got the SecurID soft token app installed on your iPhone, but now what? Installing a token isn't as simple as it is on the BlackBerry.
One method is to use the RSA Authentication Manager to generate CT-KIP URLs which can be sent to the end-users. You can read more about this from the RSA iPhone page after downloading the documentation and device definition file.
My preference is to use the Compressed Token Format (CTF) which will compress a .sdtid soft token file into an 81-digit string.
Clarification
I don't want there to be any confusion about the intent of this post – I'm demonstrating one possible way to install a token on your device without involving an administrator. In most cases your ACE administrator will probably be willing to assist you with the installation of a token, and none of this will be necessary.
Preparing the Token
You can use the Token Converter application from RSA, or the web-based token converter on my projects page. Paste the contents of your .sdtid file into the form, supply your password if it requires one and create the CTF link.
Distributing the CTF SecurID Token
You can email links to the CTF token file or link to an HTML page containing the link. Both work, although the current version (1.0.5) of the RSA SecurID iPhone Application is overly sensitive to malformed links. Sending an HTML email from Outlook will generate a malformed link, but as Phil noted in the comments composing a message in RTF format containing the link will work.
Malformed Links
Correct: com.rsa.securid.iphone://ctf?...
Malformed: com.rsa.securid.iphone://ctf/?....
If you are going to email the link make sure that it doesn't append the extra trailing slash after ctf. Do not use Outlook to send the email in HTML format as it always appends the extra slash – compose a RTF message instead.
You may need to change your Outlook options to retain RTF emails when sending to internet recipients. In Outlook open Options > Mail Format > Internet Format. Under "When sending Outlook Rich Text messages to Internet recipients, use this format:" change the option to "Send using Outlook Rich Text format".
Emailing the CTF Link
For iPhone users running OS 2.x you can compose a plain text message with the CTF link (com.rsa.securid.iphone://ctf?ctfData=<token>) between angle brackets.
This will only work with OS 2.x, and not with the GM release of OS 3.0.
For all users running OS 2.x and OS 3.x you can send an HTML-formatted email with a hyperlink to the CTF URL, for example <a href="com.rsa.securid.iphone://ctf?ctfData=<token>">Click here to install Token</a>. As mentioned above this will NOT work with Outlook, which adds an extra forward slash that the SecurID application cannot understand.
Linking to a page containing a CTF Link
The third option is to use Mobile Safari to open a web page containing a hyperlink to the CTF URL. You can put this page somewhere on your own servers, or use my RSA CTF Hyperlink Generator to dynamically build these links. Opening http://coreygilmore.com/rsa/<CTF> will automatically display an iPhone-ready hyperlink to install the token. View a sample page.
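The malformed-link problem above and the hyperlink page in this section both come down to getting one URL exactly right. The script below is an added example, not code from this post or from RSA: it builds the install link from an 81-digit CTF string, refuses the Outlook "ctf/?" variant before you mail it, pulls the payload back out of a link you were sent, and writes the same kind of single-link HTML page the hyperlink generator serves. It assumes only the link shape documented above (com.rsa.securid.iphone://ctf?ctfData=<token>) and that the payload is the 81-digit string the token converter produces; the proprietary .sdtid to CTF conversion itself is not implemented here.

```python
"""Build, check and wrap RSA SecurID CTF install links for the iPhone app.

Added example, not code from the post or from RSA. Assumes the link shape
com.rsa.securid.iphone://ctf?ctfData=<token> and an 81-digit CTF payload
(as described in the post); the .sdtid -> CTF conversion is left to the
RSA Token Converter.
"""
import html
import re
import sys
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SCHEME = "com.rsa.securid.iphone"
CTF_RE = re.compile(r"\d{81}")  # 81-digit payload, per the post


def build_ctf_url(ctf: str) -> str:
    """Return the install link for one CTF payload, in the form the app accepts."""
    if not CTF_RE.fullmatch(ctf):
        raise ValueError("ctfData must be the 81-digit string from the token converter")
    return f"{SCHEME}://ctf?ctfData={ctf}"


def check_ctf_url(url: str) -> Tuple[bool, str]:
    """Validate a link before it is mailed or published. Returns (ok, reason).

    The known breakage is Outlook HTML mail rewriting 'ctf?' to 'ctf/?'; urlsplit
    exposes that as a path of '/' where a correct link has an empty path.
    """
    parts = urlsplit(url)
    if parts.scheme != SCHEME:
        return False, f"wrong scheme {parts.scheme!r}"
    if parts.netloc != "ctf":
        return False, f"expected 'ctf' after '//', got {parts.netloc!r}"
    if parts.path:
        return False, "trailing slash after 'ctf' (typical of Outlook HTML mail)"
    ctf = parse_qs(parts.query).get("ctfData", [])
    if len(ctf) != 1 or not CTF_RE.fullmatch(ctf[0]):
        return False, "ctfData missing or not an 81-digit string"
    return True, "ok"


def extract_ctf(url: str) -> Optional[str]:
    """Return the CTF payload from a valid link, or None if the link is malformed."""
    ok, _ = check_ctf_url(url)
    return parse_qs(urlsplit(url).query)["ctfData"][0] if ok else None


def html_install_page(ctf: str, link_text: str = "Click here to install Token") -> str:
    """Minimal page for Mobile Safari (or an HTML mail body) carrying the install link."""
    url = build_ctf_url(ctf)
    return (
        "<!DOCTYPE html>\n"
        '<html><head><meta charset="utf-8"><title>SecurID token install</title></head>\n'
        f'<body><p><a href="{html.escape(url, quote=True)}">{html.escape(link_text)}</a></p>'
        "</body></html>\n"
    )


if __name__ == "__main__":
    # python ctf_link.py <81-digit-ctf>    -> prints the HTML install page
    # python ctf_link.py --check <url>     -> validates a link before/after mailing it
    if len(sys.argv) == 3 and sys.argv[1] == "--check":
        ok, reason = check_ctf_url(sys.argv[2])
        print(("OK: " if ok else "BAD: ") + reason)
        sys.exit(0 if ok else 1)
    if len(sys.argv) == 2:
        sys.stdout.write(html_install_page(sys.argv[1]))
        sys.exit(0)
    sys.exit("usage: ctf_link.py <ctf> | --check <url>")
```

Run the --check mode against the link as it arrives on the phone side (copy it out of the received message) rather than against the link you typed: the whole point is that the mail client may have rewritten it in transit.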
Resources
- RSA Token Converter – generate CTF links offline.
- Web-based token converter – generate CTF links from a webpage.
- RSA iPhone Resources page – Documentation and technical specs for the app and support utilities.
- RSA iPhone SecurID Application for the iPhone – iTunes link to the soft token application.
- CTF Hyperlink Generator – Dynamically generate a webpage with CTF links, viewable from Mobile Safari.
- Cisco VPN Connections from an iPhone – How to create an IPSEC VPN connection on the iPhone.
Updated 6/18/09: Added information about composing Outlook RTF emails to successfully send token installation links, brief clarification about the intent of this post.
Tags: BlackBerry, iPhone, RSA, SecurID, VPN
June 17th, 2009 at 2:38 pm
[...] and it looks like all RSA products… easy to use?… [...]
June 17th, 2009 at 2:48 pm
Hi Corey,
In our testing, sending the email in Rich Text Format (not HTML) from Outlook 2003/2007 works — the hyperlink does not get modified.
Regards,
Phil
June 18th, 2009 at 8:59 am
Thanks Phil, I've updated the post accordingly.
June 19th, 2009 at 7:41 am
Is there a way to do this from ACE Server 6.0? Apparently no ones wanted to upgrade the server in a while … :p … the RSA page requires 6.1 or 7.1 … didn't know if there was a work-around?
June 19th, 2009 at 8:30 am
RSA only officially tested this with 6.1 and 7.1, but there's no reason it shouldn't work with 6.0.
Regards,
Phil Darringer
RSA SecurID Product Management
June 19th, 2009 at 10:26 am
I tried using the sdtid file I use for Windows and Windows Mobile, but while the conversion worked, it wouldn't load on the iPhone. I also went into the 6.0 admin tool and added the iphone unique identifier (which, by itself didn't work either), but there's no choice to add the device and I don't see a way to import the included xml file … so either I'm doing something wrong or I have to upgrade.
June 19th, 2009 at 12:00 pm
Hi Paul,
There are a couple reasons why the import of your .sdtid file may not have worked:
1) The iPhone software token only supports newer 128-bit software tokens. If you can open up your .sdtid file in an editor and find <Version>1</Version>, it's a 128-bit token. If you can't open the file (it's binary) or you have <Version>0</Version>, it's an older 64-bit token.
2) The token could be bound to another device. Open up the .sdtid file and look for . If it's set, you would only be able to import the token on that specific device (i.e. your Windows Mobile device).
3) Outlook could be changing your CTF string before you email it to your device. To avoid this, for Microsoft Outlook 2007, set the message format to Rich Text. For Microsoft Outlook 2003, make sure that Microsoft Word is not selected as your default editor, and set the message format to HTML.
Regarding the other steps you tried, adding the iPhone UDID to the DeviceSerialNumber field in AM 6.0 is optional. This would ensure that the .sdtid file you issue can only be imported on that specific iPhone device.
The included xml fie (the Device Definition File) is provided for AM 7.1 customers and does not apply to AM 6.x.
Regards,
Phil
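A small checker for the first of those three points, as an added example (not RSA's code, and not from this thread): it reads a .sdtid file, reports the TKNHeader/Version value, and treats a file that is not parseable XML as the binary 64-bit case instead of crashing. It relies only on the layout visible in the comments here (a TKNBatch root, a TKNHeader element, and a Version element of 0 or 1); it does not assume any other element names, so it cannot tell you whether the token is bound to another device.

```python
"""Report whether a .sdtid software token is the 128-bit kind the iPhone app needs.

Added example, not code from RSA or from this thread. Assumes only the XML
layout shown in the comments: <TKNBatch><TKNHeader><Version>0|1</Version>...
Anything that is not well-formed XML is reported rather than raised on.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample records for the cases described in the thread.
SAMPLE_128 = b'<?xml version="1.0"?><TKNBatch><TKNHeader><Version>1</Version></TKNHeader></TKNBatch>'
SAMPLE_64 = b'<?xml version="1.0"?><TKNBatch><TKNHeader><Version>0</Version></TKNHeader></TKNBatch>'
SAMPLE_BINARY = b"\x00\x01\x02this is not an XML token record"


def sdtid_version(data: bytes) -> Optional[int]:
    """Return the integer TKNHeader/Version value, or None if the data is not a parseable token record."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None  # binary (old 64-bit) file or not a .sdtid at all
    if root.tag != "TKNBatch":
        return None
    node = root.find("TKNHeader/Version")
    if node is None or node.text is None or not node.text.strip().isdigit():
        return None
    return int(node.text.strip())


def classify_sdtid(data: bytes) -> str:
    """Verdict in the terms used in the thread."""
    version = sdtid_version(data)
    if version is None:
        return "not an XML token record (binary or unexpected layout): older 64-bit token or not a .sdtid"
    if version == 1:
        return "128-bit token (Version 1): importable by the iPhone app"
    if version == 0:
        return "64-bit token (Version 0): not supported by the iPhone app"
    return f"unknown Version {version}"


def check_file(path: str) -> str:
    """Classify one .sdtid file on disk."""
    with open(path, "rb") as fh:
        return classify_sdtid(fh.read())


if __name__ == "__main__":
    # Usage: python sdtid_check.py token1.sdtid [token2.sdtid ...]
    for p in sys.argv[1:]:
        print(f"{p}: {check_file(p)}")
```

If this reports a 128-bit token and the import still fails, the remaining suspects are the other two items in the list above: a device binding in the file, or the mail client rewriting the CTF link.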
June 19th, 2009 at 12:12 pm
Ok … I wondered how to identify 64-bit vs 128-bit … the Version line shows a value of "0" so that appears to be the root of the problem. When I went to export it, it just showed AES, which I assumed (wrongly) was 128-bit. So, this is just a purchasing issue then? If I bought some 128-bit keys, I would be good to proceed in all likelihood?
June 19th, 2009 at 12:12 pm
Thanks for the help and information, by the way, Phil. It's much appreciated.
June 19th, 2009 at 2:33 pm
Hi Paul,
If Auth Mgr is showing the token type to be AES, then it is a 128-bit token, not a 64-bit token.
Also, if you see <Version>1</Version>, then it's 128-bit. The attribute is unrelated.
Phil
June 19th, 2009 at 2:45 pm
ok … the problem was outlook … I was able to send from my home email (not using outlook) and was able to get it to load the converted file.
June 22nd, 2009 at 12:03 pm
BTW, the app is awesome … now it just needs copy and paste support so I can more easily use it with the iPhone's VPN client.
June 22nd, 2009 at 1:00 pm
Thanks, we're looking into copy/paste right now…
Phil
July 1st, 2009 at 1:41 pm
thanks corey. works like a charm!
July 28th, 2009 at 9:31 am
Hello,
I'm trying to configure the iPhone's RSA but I can't understand where I can find the .sdtid file.
I just have the token and the PCF file used to establish the connection.
Could someone please explain to me how to configure it?
Thanks.
Regards.
Fabrizio
July 29th, 2009 at 1:22 pm
I got it all installed on my iPhone and even imported the file/link, but I can't authenticate.
So I wonder if my converter is messed up, so I wanted to try the converter on this webpage.
Without offending anyone, is this safe? Can't the site record the XML information and use that?
Again, I don't want to offend anyone.
July 29th, 2009 at 1:28 pm
@Fabrizio – your token administrators should be able to provide a .sdtid file for you to use with a soft token application.
@RDC – the data you provide is used to generate the CTF token and is deleted immediately after the conversion process. The password is only stored in memory for the duration of the HTTP request, and is not recorded.
August 20th, 2009 at 10:08 am
How do I go about getting a .sdtid file?
I have the RSA hardware token and the iphone with RSA app installed. I am pretty sure that the RSA admin will not help me. Is there anyway that I can get the .sdtid file myself?
Thanks for the help
August 20th, 2009 at 12:54 pm
@Alex – Unfortunately you'll need to have your RSA administrator provide the .sdtid file for you. I believe there is a licensing fee associated with each soft token too. Hard tokens aren't free either, perhaps your admin would be willing to trade your hard token for a soft token?
If you use a desktop, iPhone or BlackBerry client they should have issued you a soft token (.sdtid file), although it may have been pushed to your client and I don't believe you can export an imported token.
September 24th, 2009 at 10:24 am
Corey,
C:\>TokenConverter.exe 212012983.sdtid -iphone -o text.txt
Error parsing XML for the following reason:
Failed to parse token record.
Am I doing something wrong ? I get the same error while I do it with your website converter.. gives me a parsing error.
Thanks for the help.
October 2nd, 2009 at 8:27 am
C:\>TokenConverter.exe 212012983.sdtid -iphone -o text.txt
Error parsing XML for the following reason:
Failed to parse token record.
October 4th, 2009 at 6:23 pm
also getting
parse error
October 8th, 2009 at 9:28 pm
If you're getting a parse error you may not have a 128 bit token. Check out the comment from Phil where he describes some common issues with the conversion utility.
October 15th, 2009 at 9:23 am
I'm looking at the sdtid via the Notepad editor, since I've been getting the same parsing error as Ronny. Just to confirm I have a 64-bit token, I copied the following 4 lines.
0
It's not the xml version I should be looking at, correct, but the "0" to see if it's either 128 or 64 bit, correct? Thanks again for your time and help.
October 15th, 2009 at 9:27 am
hmmm….for some reason the copy did not take. let me revise without the left and right arrows. Hope it works
(?xml version="1.0"?)
(TKNBatch)
(TKNHeader)
(Version)0(/Version)
February 23rd, 2010 at 8:33 am
Hi there,
I know that this article was about implementation for an iPhone but as I can see on the article and the comments you guys seem to know your stuff :-) Therefore I would like to ask you if you have experienced, when importing the .sdtid file into the RSA application running on Windows Mobile, that it prompts for a password. I have not configured the file as copy protected or password protected. The strange thing is it works fine on some of our Windows Mobile phones (HTC) but I have had this issue with two phones now (different HTC types) and of course both are Managers' phones :-)
Hope you can advise,
Vik
July 5th, 2010 at 8:34 am
Hi,
our IT department is a little bit too much in windows-mode ("ah, no, that's not supported… just click the link…") so I can't expect any help from them.
We have some kind of RSA backend to distribute software tokens. And the windows-application that we feed with a web-link where the app downloads a seed, so it can provide me with one-time-passwords. When I use this link to download the seed, my token is bound to the windows machine. I don't know how to get this then to work with the iphone app, where would I find the .sdtid file to feed to the converter? and why would this work if it's bound to the Windows app anyway? Where would I find the option to export the token into .sdtid in "RSA SecurID Token".
Or do I have my head wrapped around the wrong process and it's quite easy?
thanks a lot for unwinding my head.
regards
simon
July 6th, 2010 at 6:42 am
I was issued a new token that I should download from the windows app, with an activation code:
https://host.domain.tld:7004/ctkip/services/CtkipService
How the hell can I convert that into a CTF file?
thanks
simon
July 6th, 2010 at 7:19 am
I tried
com.rsa.securid.iphone://ctf?https://host.domain.tld:7004/ctkip/services/CtkipService
(which obviously shouldn't work)
and
com.rsa.securid.iphone://https://host.domain.tld:7004/ctkip/services/CtkipService
which also didn't work. I cannot get cooperation from the admins to fiddle with the URL, so I have to feed my iPhone somehow a correct URL so it can download the token, as described in the QuickStart document, without getting "Invalid token. Contact your inept administrator."
thanks a lot
simon
July 6th, 2010 at 11:43 am
Is it possible to convert a RSA FOB hardware token to a software token?
Please kindly advise whether it is possible to generate a web-based SDTID or CTF if an RSA FOB hardware token is provided: its 9-digit number on the back, and the 6 digits displayed on the front at the time of pushing the submit button.
Thank you and best regards.
David.
July 8th, 2010 at 12:25 am
everything ok, with some social engineering I coaxed our IT to provide me with an .sdtid
And from there it was a walk in the park, thanks to this tutorial. THANK YOU VERY MUCH, COREY!