RSA SecurID Software Token 5.0.2 For Windows Administrators Guide

RSA SecurID Software Token 5.0.2 for Windows
Administrator’s Guide
Revision 2

Contact Information

RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks

RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to sa.

License Agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed on the product documentation page on RSA Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

2009-2017 EMC Corporation. All Rights Reserved. Published in the USA.

February 2015
Revised: March 2017

Contents

Revision History

Preface
  About This Guide
  RSA SecurID Software Token 5.0.2 for Windows Documentation
  Related Documentation
  Support and Service
  Before You Call Customer Support

Chapter 1: Overview and Requirements
  About RSA SecurID Software Token 5.0.2 for Windows
  Standard Desktop Application
  RSA SecurID Software Token with Automation
  Internet Explorer Plug-In
  Connected RSA SecurID 800 Authenticator
  Customization Policies
  Secure Sites
  System Requirements
  Token Storage Devices
  Support for Visually Impaired Users
  Virtual Machines
  Clock Settings

Chapter 2: Installing the Application
  Before You Begin
  Token Storage Database Options for VPN Client Applications
  Token Database Copy Protection
  Installing RSA SecurID Software Token for Windows
  Enterprise-Wide Installations
  Windows Installation Package
  Install the Application Using the InstallShield Program
  Command Line Installation
  Command Line Examples
  Modify an Installation
  Repair an Installation
  Upgrading RSA SecurID Software Token for Windows
  Upgrade Procedures
  Uninstalling RSA SecurID Software Token for Windows
  Uninstall the Application Using the Program List
  Uninstall the Application Using the Command Line

Chapter 3: User Options for Managing Tokens and Devices
  Importing Tokens
  Import a Token Automatically Using CT-KIP
  Import a Token from the Web Using the Desktop Application
  Import a Token from an Email Attachment
  Import a Token Automatically from a Default Directory
  Import a Token from a Non-Default Directory
  Change a Token Name
  Select a Token
  Device Passwords
  Set a Device Password
  Change a Device Password
  Remove a Device Password
  Reset the Device (Local Hard Drive)
  Device Passwords for Third-Party Plug-Ins
  View Token Information
  View Token Storage Device Information
  Delete a Token
  Obtaining the Next Code
  Enter the Next Code
  Disable Next Code Mode

Chapter 4: Troubleshooting

Appendix A: Customizing the Application
  Customization Policies
  Policies for RSA SecurID Software Token for Windows
  Policy Details
  ActivationCode
  CtkipUrl
  DisableDeleteToken
  DisableSetDevicePassword
  OnlyOneToken
  TokenExpirationNotification
  TokenRenewalURL
  ValidDevices
  Customizing RSA SecurID Software Token for Windows
  Add the RSA Administrative Template
  Configure Group Policy Settings
  Updating the Token Storage Device Serial Number

Appendix B: Logging
  Setting the Logging Level
  Location of Log Output Files
  Log Message Format
  Sample Log Messages

Revision History

Revision Number: 1
Date: January 2017
Revision: Updated for RSA SecurID Software Token 5.0.1 for Windows:
- Removed the “What’s New in This Release” and “What’s Changed in this Release” sections. The Release Notes contain information on the updates and changes in version 5.0.1.
- Updated Chapter 2, “Installing the Application” with the new filenames and upgrade instructions. RSA SecurID Software Token 5.0.1 supports upgrading from version 5.0.
- Added Windows 10 support to the “System Requirements” section.
- Added descriptions of the Device Name and Device Serial Number registry entries to Appendix A, “Customizing the Application.”

Revision Number: 2
Date: March 2017
Revision: Updated for RSA SecurID Software Token 5.0.2 for Windows:
- Updated Chapter 2, “Installing the Application” with the new filenames and upgrade instructions. RSA SecurID Software Token 5.0.2 supports upgrading from version 5.0 and version 5.0.1.
- Added statements that the command line installation must be run as an administrator.
- Updated the location for the Device Name and Device Serial Number registry entries in Appendix A, “Customizing the Application.”

Preface

About This Guide

This guide describes how to prepare for and deploy RSA SecurID Software Token 5.0.2 for Windows (the SecurID desktop application). This guide is intended for RSA Authentication Manager administrators and other personnel who are responsible for deploying and administering the SecurID desktop application. It assumes that these personnel have experience using RSA Authentication Manager. Do not make this guide available to the general user population.

RSA SecurID Software Token 5.0.2 for Windows Documentation

For more information about the SecurID desktop application, see the following documentation:

Administrator’s Guide. (This guide.) Provides information for security administrators on deploying and managing the SecurID desktop application.

Provisioning Guide. Describes the tasks required to configure and distribute software tokens using RSA Authentication Manager 8.x. Also covers user Self-Service options.

Release Notes. Provides information about what is new and changed in this release and workarounds for known issues. The latest version of the Release Notes is available on RSA Link at https://community.rsa.com.

RSA SecurID Software Token Help. Explains how to import tokens, set an RSA SecurID PIN, authenticate with SecurID, and manage tokens. You access Help topics from the SecurID desktop application.

Related Documentation

For more information related to the SecurID desktop application or software tokens, see the following:

RSA Authentication Manager 8.x Administrator’s Guide. Provides an overview of Authentication Manager and its features. Describes how to configure the system and perform a wide range of administration tasks.

RSA Authentication Manager Help. Instructions for performing daily administration tasks in the Security Console and configuration and setup tasks in the Operations Console (RSA Authentication Manager user interfaces). Includes instructions for the most common tasks for Help Desk Administrators. To view Help, click the Help tab in the Security Console or the Operations Console.

RSA SecurID Authentication Engine 2.8.1 for Java Developer's Guide. Provides a detailed description of the Authentication Engine API for Java.

RSA SecurID Software Token Security Best Practices Guide. Identifies best practices designed to ensure secure operation of RSA SecurID software token applications. To download this guide from RSA Link, go to: https://community.rsa.com/docs/DOC-35128.

RSA SecurID Software Token Deployment Planning Guide. Provides information on planning an enterprise-wide software token deployment, including transitioning from hardware tokens to software tokens, and examples of software token provisioning and delivery on desktop and mobile platforms. To download the RSA SecurID Software Token Deployment Planning Guide, go to https://community.rsa.com/docs/DOC-35127.

Support and Service

You can access community and support information on RSA Link at https://community.rsa.com. RSA Link contains a knowledgebase that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management.

The RSA Ready Partner Program website at www.rsaready.com provides information about third-party hardware and software products that have been certified to work with RSA products. The website includes Implementation Guides with step-by-step instructions and other information on how RSA products work with third-party products.

Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA SecurID Software Token 5.0.2 for Windows software.

Please have the following information available when you call:
- Your RSA Customer/License ID.
- RSA SecurID Software Token software version number.
- The make and model of the machine on which the problem occurs.
- The name and version of the operating system under which the problem occurs.

Chapter 1: Overview and Requirements

This chapter introduces RSA SecurID Software Token 5.0.2 for Windows (the SecurID desktop application) and provides system requirements and other general information.

About RSA SecurID Software Token 5.0.2 for Windows

RSA SecurID Software Token 5.0.2 for Windows is authentication software that runs on 32-bit and 64-bit Windows operating systems and allows users to verify their identity to resources protected by RSA SecurID. The application must be installed on desktops and laptops, along with separately installed software-based security tokens. SecurID software tokens generate one-time passwords (OTPs) at regular intervals. With the SecurID desktop application, users can enter the current OTP, along with other security information, to gain access to Virtual Private Networks (VPNs) and web applications. The software provides strong two-factor authentication and eliminates the need for the user to carry a separate hardware token.

Standard Desktop Application

The RSA SecurID Standard desktop application provides an installation package for customers who do not require the software token automation API features of the product. This package does not contain the dynamically linked STAUTO32 API (stauto32.dll). This security enhancement is intended to help prevent potential misuse of the API.

Install the Standard desktop application if users will authenticate manually to a VPN client or web resource that does not have integrated SecurID functionality. As shown in the following figure, the user is prompted for a username and RSA SecurID passcode (PIN and tokencode).

RSA SecurID Software Token with Automation

The RSA SecurID Software Token with Automation provides an installation package to support backwards compatibility for using the software token automation API. The software token automation API enables integration with leading VPN and remote access applications so that users are only required to enter a user name and RSA SecurID PIN for authentication.

Install the RSA SecurID Software Token with Automation if users will authenticate to a VPN client or web resource that has integrated RSA SecurID functionality. As shown in the following figure, the user is prompted only for a username and RSA SecurID PIN.

Internet Explorer Plug-In

RSA SecurID Software Token 5.0.2 for Windows provides an optional Internet Explorer plug-in that allows users to authenticate to selected web pages without manually entering a one-time password (OTP). The Internet Explorer plug-in is a custom feature of the desktop application. To install the plug-in, select Custom in the InstallShield installation program or specify the InternetExplorerPlugin feature on the Windows Installer command line. For instructions, see “Installing RSA SecurID Software Token for Windows” on page 19.

The Internet Explorer plug-in is accessible by web sites protected by RSA Authentication Agent for Web for IIS. You must use the updated HTML template pages included in RSAWebAgentTemplates.zip to replace the existing HTML template pages used by Authentication Agent for Web. The HTML template pages contain JavaScript defining the RSA SecurID authentication prompts to be displayed when a user attempts to access a protected site. For the most recent RSA Authentication Agent for Web for IIS template files,

To invoke the plug-in, users open Internet Explorer and navigate to a protected web site. An authentication page prompts users to select a software token from their list of tokens and enter their username and PIN. After users enter their PIN, the passcode (OTP) generated by the SecurID desktop application is passed automatically to RSA Authentication Manager. Users do not need to open the SecurID desktop application to get an OTP.

Note: RSA SecurID Software Token 5.0.2 for Windows does not support running multiple instances of the Internet Explorer plug-in within the same browser process. As a result, users cannot use the Internet Explorer plug-in to authenticate simultaneously to multiple sites that are protected by SecurID.

Connected RSA SecurID 800 Authenticator

You can use an RSA SecurID 800 Authenticator (SecurID 800) connected to a USB port with RSA SecurID Software Token for Windows for automatic tokencode retrieval by a VPN client application. You can also use a connected SecurID 800 with the optional Internet Explorer plug-in for automatic tokencode retrieval by web resources protected by RSA SecurID. Users only need to enter their SecurID PINs to be authenticated.

To use connected SecurID 800 Authenticators, you must install RSA Smart Card Middleware 3.6. A plug-in that is installed automatically with the SecurID desktop application allows the Smart Card Middleware and the desktop application to communicate with the SecurID 800.

You install the Middleware from the RSA Authentication Client 3.6 product kit urid/authentication-client-36/downloads. Install the Middleware as documented in the RSA Authentication Client 3.6 Installation and Administration Guide urid/authentication-client-36.

If the SecurID 800 is the only token used with the desktop application, it is automatically the active token (the token from which OTPs are retrieved). If the user has imported software tokens to the desktop application, however, the user must open the application and select the SecurID 800 serial number (or nickname) from the list of tokens. For details, see the RSA SecurID Software Token Help.

Note: You cannot import software tokens to a SecurID 800. Only the built-in token can be used to generate OTPs.

Customization Policies

You can set policies to customize the behavior of RSA SecurID Software Token 5.0.2 for Windows.

The following table summarizes the customization policies. For details and instructions, see Appendix A, “Customizing the Application.”

Important: RSA recommends that you set customization policies before you install the

ActivationCode: Specifies that the Windows user security identifier (user SID) should be used as the activation code for a token provisioned using dynamic seed provisioning (CT-KIP). To allow a token to be imported automatically the first time that the user launches the application, you must set both ActivationCode and CtkipUrl.

CtkipUrl: Prefills the Enter URL field in the application so that the user does not have to enter the URL when importing a token provisioned using CT-KIP.

DisableChangeTokenName: Specifies whether or not users can change the nicknames assigned to their tokens.

DisableDeleteToken: Specifies whether or not users can delete their tokens.

DisableSetDevicePassword: Specifies whether or not users are permitted to set a device password. Applies only to the Local Hard Drive (RSA) plug-in.

OnlyOneToken: Specifies that users can have only one token installed.

TokenExpirationNotification: Changes the number of days before the application displays a notification informing the user that a token is nearing its expiration date. If you do not set this policy, the notification is displayed 30 days before the token expires. If used with TokenRenewalURL, this policy adds a link in the token expiration notification to a URL where the user can request a replacement token.

TokenRenewalURL: Used with the TokenExpirationNotification policy. Specifies a URL link to display in the token expiration notification. For example, the link could be the URL of the RSA Self-Service portal where the user can request a replacement token.

ValidDevices: Specifies a whitelist of storage devices to which tokens can be imported.

Secure Sites

You can assign each user up to three tokens, and for each token, you can designate up to three secure web sites for that token to protect. For example, if a user has three tokens, you can protect up to nine web sites. The separate sitelist template that was provided with the RSA SecurID Toolbar 1.4.2 product is not supported. If secure web sites are not designated, then the user can attempt to authenticate with the token at any web site that is protected by your RSA Authentication Manager deployment.

When configuring a token, you can specify secure sites by adding the TOOLBAR SITEURL1, TOOLBAR SITEURL2, and TOOLBAR SITEURL3 attributes to the token record. The attribute value must be the web URL of the secure site. IP addresses are not supported as secure sites.

You can use an asterisk as a wildcard to represent any characters. This can provide access to all of the sites in a specific domain. For example, an administrator can enter https://*.xyz.com to allow access to all of the sites that end with .xyz.com.

In RSA Authentication Manager 8.x, you can add up to three secure web sites to the software token profile, which specifies software token configuration and distribution options. When you configure a token that uses this software token profile, you can add, remove, or update the secure sites as needed.

For instructions on how to use this feature, see the RSA SecurID Software Token 5.0 for Windows Provisioning Guide.

System Requirements

The following table lists the system requirements for RSA SecurID Software Token 5.0.2 for Windows.

Description: Operating System
Requirement: RSA SecurID Software Token 5.0.2 for Windows supports the following:
- Windows 10 32-bit and 64-bit
- Windows 8.1 32-bit and 64-bit
- Windows 7 Enterprise 32-bit and 64-bit
- Windows 7 Professional 32-bit and 64-bit
- Windows Vista Business SP1 and SP2 32-bit and 64-bit
- Windows Vista Enterprise SP1 and SP2 32-bit and 64-bit

Description: Internet Explorer support for Internet Explorer Plug-In
Requirement: RSA SecurID Software Token 5.0.2 for Windows supports the following:
- Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7
- Internet Explorer 10 on Windows 8.1 and Windows 7
- Internet Explorer 9 on Windows 7 and Windows Vista
- Internet Explorer 8 on Windows 7 and Windows Vista
Note: The Internet Explorer Plug-In does not support the Microsoft Edge browser. On Windows 10, the Internet Explorer Plug-In supports Internet Explorer 11 only.

Description: Disk space
Requirement: 1 KB available space for each software token installed.

Token Storage Devices

A token storage “device” is a logical storage container for tokens. The SecurID desktop application can store tokens on the user's hard drive, a Trusted Platform Module (TPM), a biometric device, a flash drive, or another supported device. By default, the application stores tokens on the user’s local hard drive. For more information, see the RSA SecurID Software Token 5.0 for Windows Provisioning Guide.

Support for Visually Impaired Users

RSA SecurID Software Token 5.0.2 for Windows supports the use of screen readers for visually impaired users. RSA has tested the application with the JAWS for Windows Screen Reading Software. You can download JAWS from the Freedom Scientific web site. Once you install JAWS, no additional configuration is required to use the software with the SecurID desktop application.

Virtual Machines

The SecurID desktop application has not been fully tested and qualified on virtual machines. RSA Customer Support will initially assist you with issues that occur on a virtual machine, but may eventually request that you reproduce the issue on a supported physical machine before they proceed further with the case.
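The Secure Sites rules earlier in this chapter (at most three sites per token, web URLs only, no IP addresses, asterisk as a wildcard) can be checked before the values are added to a token record. The following Python sketch is an added example, not part of the RSA guide or product. The function names, the constructed sample values, and the choice to match on scheme and host only are assumptions, because the guide does not document how the application evaluates the wildcard.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_SITES_PER_TOKEN = 3  # the guide allows up to three secure sites per token


def _origin(url):
    """Return (scheme, host) of a URL in lower case; port and path are ignored."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "")


def validate_secure_sites(values):
    """Return a list of problems found in one token's secure-site values."""
    problems = []
    if len(values) > MAX_SITES_PER_TOKEN:
        problems.append(
            f"{len(values)} sites given, at most {MAX_SITES_PER_TOKEN} allowed")
    for value in values:
        scheme, host = _origin(value)
        if scheme not in ("http", "https") or not host:
            problems.append(f"{value}: not a web URL")
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # not an IP literal, so the entry is acceptable
        problems.append(f"{value}: IP addresses are not supported")
    return problems


def site_allowed(url, secure_sites):
    """True if url falls under one of the token's secure sites.

    Assumption: only scheme and host are compared, and '*' stands for any
    run of characters within that 'scheme://host' string.
    """
    if not secure_sites:
        # No secure sites designated: the token may be tried at any
        # protected site, as the guide states.
        return True
    scheme, host = _origin(url)
    target = f"{scheme}://{host}"
    for site in secure_sites:
        site_scheme, site_host = _origin(site)
        pattern = f"{site_scheme}://{site_host}"
        # Escape everything except the asterisk, which becomes '.*'.
        regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
        if re.fullmatch(regex, target):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values; xyz.com is the domain used in the guide.
    sites = ["https://*.xyz.com"]
    print(validate_secure_sites(sites + ["https://192.0.2.10/portal"]))
    for candidate in ("https://portal.xyz.com/login",
                      "https://xyz.com/",
                      "https://portal.xyz.com.example.net/"):
        print(candidate, site_allowed(candidate, sites))
```

Under these assumptions the pattern https://*.xyz.com covers hosts that end with .xyz.com but not the bare host xyz.com, so a site served from the bare domain needs its own entry.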

Clock Settings

The SecurID desktop application and RSA Authentication Manager rely on Coordinated Universal Time (UTC). The time, date, and time zone settings on the local computer and on the computer running Authentication Manager must always be correct in relation to UTC. If the time settings on a user’s computer change significantly, they will no longer be synchronized with the time settings on the Authentication Manager host, and the user may not be able to authenticate. If this happens, the user must contact the server administrator to have the token resynchronized.

Instruct users to verify that the time, time zone, and Daylight Saving Time (DST) settings on their computer are correct before they use the SecurID desktop applica
