RSA SecurID Software Token For IOS Administrator's Guide


RSA SecurID Software Token 2.0 for iOS Administrator’s Guide

Contact Information
See the RSA corporate web site for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm

Trademarks
RSA, the RSA Logo, SecurID, and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For the most up-to-date listing of RSA trademarks, go to s.htm.

License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, install, or export of encryption technologies, and current use, install, and export regulations should be followed when using, installing or exporting this product.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2009-2014 EMC Corporation. All Rights Reserved. Published in the USA.
June 2009
Revised, October 2011, June 2014

Contents

Preface
  About This Guide
  Product Documentation
  Related Documentation
  Support and Service
  Before You Call Customer Support

Chapter 1: Product Overview
  About RSA SecurID Software Token for iOS
  RSA SecurID Authentication
  Authentication Options
  Passcode Authentication (PINPad-Style)
  Passcode Authentication (Fob-Style)
  Tokencode-Only Authentication
  Product Features
  Multiple Token Support
  Scan QR Code
  New User Interface
  Token Expiration Warning
  Token Import Log
  Multiple Language Support
  Binding ID Option
  Token Import Options
  Next Code Retrieval
  App and Token Information
  Show or Mask PIN
  Removal of Support for Apple UDIDs

Chapter 2: Planning Your Deployment
  Device Requirements
  iOS Data Protection
  Software Token Support
  Provisioning and Authentication Servers
  Supported Authentication Methods
  Provisioning Models
  RSA Authentication Manager Self-Service Solutions
  RSA Authentication Manager Prime Suite
  Provisioning Overview
  File-Based Provisioning (SDTID Files)
  Compressed Token Format (CTF Strings)
  Dynamic Seed Provisioning
  QR Codes
  Supported Token Attributes
  Software Token Security
  Device Binding
  Token Passwords
  Token Security on the Device
  System Clock Settings
  Update to App Version 2.0
  Install and Manage the App
  Install the App Directly to a Device
  Install the App by Syncing It Through iTunes
  Perform Encrypted Backup Using iTunes

Chapter 3: Provisioning Software Tokens Using RSA Authentication Manager 8.x
  Before You Begin
  Provisioning Software Tokens Using the RSA Security Console
  Import the Token Record File
  Add a Software Token Profile
  Add Users
  Assign Tokens to Users
  Enable or Disable Assigned Tokens
  Distribute the Tokens
  Distribute One Token Using Dynamic Seed Provisioning
  Next Steps
  Distribute One Token Using File-Based Provisioning (SDTID File)
  Next Steps
  Distribute One Token Using Compressed Token Format (CTF String)
  Next Steps
  Self-Service Provisioning
  Configure User Logon Options
  Define Settings for Software Token Self-Service
  Provide Information for Users To Request Tokens
  User Procedure
  Approve Software Token Requests
  Email Notification
  Enable a Tokencode-Only Software Token

Chapter 4: Provisioning Tokens Using RSA Authentication Manager 7.1
  Before You Begin
  Provisioning Software Tokens Using the RSA Security Console
  Import the Token Record File
  Import the Device Definition File
  Add Users
  Assign Tokens to Users
  Enable or Disable Assigned Tokens
  Configure the Token Records
  Distribute the Tokens
  Distribution Methods
  Next Steps
  Self-Service Provisioning Using RSA Credential Manager
  Configure User Logon Options
  Setup Tasks
  Self-Service Provisioning Steps
  Configure Token Management Settings
  Replace the Request Approval Notification Email Template
  Provide Information for Users To Request Tokens
  User Procedure
  Approve Software Token Requests
  Software Token Request Approval Email
  Enable a Tokencode-Only Software Token

Chapter 5: Provisioning Tokens Using RSA Authentication Manager 6.1
  Before You Begin
  Provisioning Tokens Using the Database Administration Application
  Configure the Software Token Record
  Bind a Token Using Token Extension Data
  Assign a Token Nickname Using Token Extension Data
  Next Steps

Chapter 6: Delivering Software Tokens
  Token Delivery Methods
  Delivering an SDTID File
  Before You Begin
  Delivering a Custom CT-KIP URL Link
  Construct a Custom CT-KIP URL Link
  Compose and Send an Email Message
  Verify Successful Execution of the CT-KIP Protocol
  Delivering a Custom CTF URL Link
  Before You Begin
  Convert the Token File
  Compose and Send an Email Message
  Delivering a QR Code

Chapter 7: Troubleshooting
  Customer Support Information
  Problems Installing the RSA SecurID App
  Problems Importing Tokens
  Problems Authenticating
  Error Messages
  Information Messages

Preface

About This Guide
This guide describes how to provision and deploy software tokens to RSA SecurID Software Token 2.0 for iOS (the RSA SecurID app). It is intended for RSA Authentication Manager administrators and IT personnel who will provision and deploy software tokens. Do not make this guide available to the general user population.

Product Documentation
For more information about RSA SecurID Software Token 2.0 for iOS, see the following documentation:

Help. The RSA SecurID app contains context-sensitive Help for each screen. The Help describes the app screens and associated procedures. Tap the Help icon on the screen for which you need Help.

Release Notes. Provides information about this release, as well as workarounds for known issues. The latest version of the Release Notes is available from RSA SecurCare Online: https://knowledge.rsasecurity.com.

Related Documentation
RSA Secured Partner Solutions directory. RSA has worked with a number of manufacturers to qualify products that work with RSA products. Qualified third-party products include virtual private network (VPN) and remote access servers (RAS), routers, web servers, and many more. To access the directory, including implementation guides and other information, go a/.

RSA Authentication Manager 8.x Administrator’s Guide. Provides information about how to administer users and security policy in RSA Authentication Manager 8.x.

RSA Authentication Manager 7.1 Administrator’s Guide. Provides information about how to administer users and security policy in RSA Authentication Manager 7.1.

RSA Security Console Help. Describes day-to-day administration tasks performed in the RSA Security Console interface used with RSA Authentication Manager 8.x and 7.1. To view Help, click the Help tab in the Security Console.

RSA Authentication Manager 6.1 Administrator's Guide. Provides information about how to administer users and security policy in RSA Authentication Manager 6.1.

Database Administration application Help. Describes day-to-day administration tasks performed in the Database Administration application used with RSA Authentication Manager 6.1.

RSA SecurID Authentication Engine 2.8.1 for Java Developer’s Guide. Describes APIs that allow you to integrate RSA SecurID strong authentication directly into your homegrown apps. SAE documentation is available from RSA SecurCare Online (https://knowledge.rsasecurity.com). You must have an account on RSA SecurCare Online. After logging on, click the “Documentation” quick link and search on “RSA SecurID Authentication Engine.”

RSA SecurID Software Token Converter 3.1 Administrator’s Guide. The Token Converter 3.1 is a command line utility for converting individual RSA SecurID software token files into alternative delivery formats, including custom compressed token format (CTF) URLs and QR Codes. QR Codes can be scanned into the RSA SecurID app on devices running iOS 7 or later. To download the Token Converter, curid-software-authenticators/converter.htm

RSA SecurID Software Token Security Best Practices Guide. Describes best practices designed to ensure secure operation of RSA SecurID software token apps. You must have an account on RSA SecurCare Online to access the Best Practices Guide. Go to: ?id 8895.

Support and Service
RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.emc.com/support/rsa/index.htm
RSA Solution ce/rsa?view overview

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news and software downloads.

Before You Call Customer Support
Make sure you have information about the device that is experiencing the problem. Please have the following information available when you call:

- Your RSA Customer/License ID
- Product software version number
- Device model number
- iOS version
- Date and time set on the iOS device
- Information listed in the app’s Information screen
- Carrier configuration information

Chapter 1: Product Overview

- About RSA SecurID Software Token for iOS
- RSA SecurID Authentication
- Authentication Options
- Product Features
- Removal of Support for Apple UDIDs

About RSA SecurID Software Token for iOS
RSA SecurID Software Token 2.0 for iOS is authentication software that transforms an iOS device into a network authentication device. The software consists of a mobile app and separately installed software tokens. With a software token installed, the app generates 6-digit or 8-digit pseudorandom numbers, called tokencodes (one-time passwords), at regular intervals. Authorized users with supported iOS devices can use a tokencode, in combination with an RSA SecurID PIN, to access resources protected by SecurID, such as Virtual Private Networks (VPNs) and web applications.

RSA SecurID Authentication
RSA SecurID authentication is a type of strong two-factor authentication using “something you know” plus “something you have.” Something you know is an RSA SecurID PIN, and something you have is an RSA SecurID software token installed in the RSA SecurID Software Token app running on a device. The software token generates new tokencodes every 60 seconds or every 30 seconds, depending on the token configuration. An RSA SecurID PIN is used with the current tokencode to create a passcode, or one-time password (OTP), for user authentication. This two-factor authentication solution offers stronger security than traditional passwords (single-factor authentication).

Authentication Options
RSA SecurID Software Token 2.0 for iOS supports the following user authentication options:

- PIN integrated with tokencode (PINPad-style). The user enters an RSA SecurID PIN in the Enter PIN screen on the iOS device to produce a passcode (one-time password). The user authenticates by entering the passcode in the protected resource. Tokens configured to require PIN entry on the device are called PINPad-style tokens because the user experience is similar to authenticating with an RSA hardware device that contains a key pad for PIN entry.
- PIN followed by tokencode (fob-style). The user authenticates by entering a SecurID PIN in the protected resource, followed by the current tokencode displayed on the device. Tokens configured to require PIN entry in the protected resource are called fob-style tokens because the user experience is similar to authenticating with an RSA hardware fob that displays tokencodes.
- Tokencode only. The user authenticates by entering the current tokencode displayed on the device (no PIN required).

Important: Because tokencode-only authentication does not use two-factor authentication, RSA strongly recommends that you require the standard logon password in addition to the tokencode. For complete information about proper use of tokens that do not require a PIN, see the RSA SecurID Software Token Security Best Practices Guide. This guide is available from: https://knowledge.rsasecurity.com/scolcms. After logging on to SecurCare Online, scroll to Best Practices for RSA SecurID Authenticators and RSA Authentication Manager and click View Best Practices.

For information on configuring the authentication requirement, see one of the following chapters:

- “Provisioning Software Tokens Using RSA Authentication Manager 8.x” on page 33
- “Provisioning Tokens Using RSA Authentication Manager 7.1” on page 55
- “Provisioning Tokens Using RSA Authentication Manager 6.1” on page 73

Passcode Authentication (PINPad-Style)
The following table shows how a user authenticates to a VPN client with a PINPad-style software token (PIN integrated with tokencode).

1. Enter the PIN in the RSA SecurID app on the device.
2. View the passcode (PIN integrated with the tokencode).
3. Enter the passcode in the protected resource (for example, a VPN).

Passcode Authentication (Fob-Style)
The following table shows how a user authenticates to a VPN client with a fob-style software token (PIN entered in protected resource, followed by tokencode).

1. View the tokencode in the RSA SecurID app on the device.
2. Enter the PIN in the protected resource (for example, a VPN). The PIN in this example is 13248675.
3. Enter the tokencode to the right of the PIN in the protected resource (for example, a VPN).

Tokencode-Only Authentication
The following table shows how a user authenticates to a VPN client with a tokencode only. No PIN is required.

1. View the tokencode in the RSA SecurID app on the device.
2. Enter the tokencode in the protected resource (for example, a VPN).

Product Features
RSA SecurID Software Token 2.0 for iOS includes the following features.

Multiple Token Support
This release allows users to import up to 10 software tokens per device. An RSA Authentication Manager server can provision three software tokens to an individual user. RSA SecurID software tokens can be provisioned to the same device by different companies.

This release provides the following options for managing multiple tokens.

My Tokens List
The My Tokens screen displays a list of the tokens that have been imported to the device. The name and status (active, expired, or both) of each token is displayed. The app also displays a warning when the token is nearing its expiration date.

Users with multiple tokens select the token they want from the list. The selected token becomes the “Active” token, and the Enter PIN or Tokencode screen is displayed, depending on the token type. If the user does not select a token, the last token imported is the Active token. Users can rename, sort, and delete tokens.

Rename Token option. Users can set token names to identify their tokens. Token names are called “nicknames” in the authentication servers. Nicknames:

- Can contain up to 32 characters.
- Must be alphabetic or alphanumeric.
- Must be unique.
- Are case sensitive.
- Cannot consist entirely of spaces.

As the administrator, you can optionally set a nickname when configuring a token record. If you do not set a nickname, tokens are imported to the app with default names based on installation order: Token 1, Token 2, and so on. The user can rename tokens after importing them to the app.

If you use Self-Service provisioning with RSA Authentication Manager 8.x or 7.1, you can allow users to set a nickname when they request a token. The token is imported into the app with the user-supplied nickname.

Delete Token option. Users can delete tokens that have expired or are not needed, including the Active token. Users who delete all of their tokens must contact the administrator to request replacement tokens, or use Self-Service if they have an account.

Scan QR Code
The version 2.0 app supports importing a software token by scanning a QR Code (a two-dimensional barcode). The QR Code contains either a compressed token format (CTF) URL or a CT-KIP URL. For more information, see “Delivering a QR Code” on page 87.

Important: The Scan QR Code feature is supported on devices running iOS 7 or later.

New User Interface
The user interface has been redesigned for an up-to-date look and feel and improved navigation. Many user operations take advantage of familiar, native iOS features. The app supports portrait mode only.

Embedded help is provided for each screen. Help information is displayed in the supported language that the device is set to use.

Token Expiration Warning
Software tokens used with iOS devices expire at 00:00:00 GMT of the token’s expiration date. To ensure that the user always has a working software token installed, the app displays a warning on the Tokencode, Passcode, Next Code, and My Tokens screens indicating how many days remain before the token expires, starting 30 days before the expiration date. The user can contact the administrator or use a Self-Service account (if allowed) to request a replacement token.

Token Import Log
The app generates a log file that records successful and unsuccessful attempts to import tokens. As the administrator, you can review the log file to assist a user who reports a token import failure. You can ins
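
The expiration rule under Token Expiration Warning can be checked on the administrator side before users run out of working tokens. The following is an added example, not part of the RSA guide or any RSA tool: it applies the 00:00:00 GMT cutoff and the 30-day window to a list of token records and shows the cutoff in each user's local time. The record layout, serial numbers, UTC offsets and the rounding of days remaining are assumptions made for illustration.

```python
from datetime import date, datetime, time, timedelta, timezone

# From the guide: the warning starts 30 days before the expiration date.
WARNING_WINDOW = timedelta(days=30)


def expiry_instant(expiration_date: date) -> datetime:
    """A token stops working at 00:00:00 GMT at the start of its expiration date."""
    return datetime.combine(expiration_date, time(0, 0, 0), tzinfo=timezone.utc)


def token_status(expiration_date: date, now: datetime, user_utc_offset_hours: float = 0):
    """Classify a token as 'expired', 'warning' or 'ok' at the aware datetime `now`."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    expires = expiry_instant(expiration_date)
    remaining = expires - now
    if remaining <= timedelta(0):
        state = "expired"          # already dead for the whole expiration date
    elif remaining <= WARNING_WINDOW:
        state = "warning"
    else:
        state = "ok"
    user_tz = timezone(timedelta(hours=user_utc_offset_hours))
    return {
        "state": state,
        # Assumption: whole days, rounded down; the guide does not say how the app rounds.
        "whole_days_left": max(remaining.days, 0),
        # West of GMT the cutoff falls on the previous local evening.
        "expires_local": expires.astimezone(user_tz).strftime("%Y-%m-%d %H:%M"),
    }


def replacement_queue(tokens, now):
    """Return (serial, status) for tokens needing replacement, most urgent first."""
    flagged = []
    for serial, exp_date, offset in tokens:
        status = token_status(exp_date, now, offset)
        if status["state"] != "ok":
            flagged.append((status["whole_days_left"], serial, status))
    flagged.sort(key=lambda item: item[0])
    return [(serial, status) for _, serial, status in flagged]


# Constructed sample records: (serial, expiration date, user's UTC offset in hours)
SAMPLE_TOKENS = [
    ("000000000001", date(2014, 6, 30), -7),
    ("000000000002", date(2014, 12, 31), 0),
    ("000000000003", date(2014, 6, 10), 9),
]

if __name__ == "__main__":
    now = datetime(2014, 6, 10, 12, 0, tzinfo=timezone.utc)
    for serial, status in replacement_queue(SAMPLE_TOKENS, now):
        print(serial, status)
```

A token whose expiration date is June 30 is unusable for all of June 30, and for a user at UTC-7 it stops working at 17:00 on June 29, which is the detail to account for when scheduling replacement tokens.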
