000034899 - How to present a QR code for a CT-KIP URL for software token activation in the RSA Authentication Manager 8.x Self Service Console

Document created by RSA Customer Support Employee on Mar 14, 2017. Last modified by RSA Customer Support Employee on Apr 14, 2017.
Version 4

Article Content

Article Number: 000034899
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1, 8.2
Issue
This article shows how to present a QR code for a CT-KIP URL for software token activation in the RSA Authentication Manager 8.x Self Service Console.
Tasks
  1. Assign a software token to a user(s).
  2. Create a software token profile that defines QR codes as the distribution method for a software token.
  3. Distribute software token(s) using the QR code software token profile.
  4. Have the user log on to the Self-Service Console (SSC) to activate the software token.
  5. The user's device will need to be able to access the Self-Service Console and/or the CT-KIP URL. This can be either directly on your internal or corporate wireless network or through a Web Tier in your internal or corporate DMZ from the internet. This will most likely be the same way your users access the SSC.
Resolution
  1. Assign a software token to a user(s) as you normally do through the Security Console.  
    1. Follow the steps here to assign a software token individually.
    2. To assign tokens in bulk, follow the steps on assigning software tokens to multiple users. Alternative options for assigning tokens to thousands of users are the Authentication Manager Bulk Administration (AMBA) tool or the Authentication Manager Prime Suite, available from RSA Professional Services.
  2. Using the steps on how to add a software token profile, create a software token profile that defines QR codes as the distribution method for a software token. Some devices, like a Windows PC, are not capable of converting this URL to a QR code, so that option is not available in a software token profile for a Windows Desktop.
ST Profile
 

When you distribute a software token using the Dynamic Seed Provisioning (CT-KIP) option, you get a URL like the one above, plus an activation code, which you can email to the end user or provide via phone call. Emailing the URL and having the end user call the help desk for the activation code is probably the safest procedure. If you email both the activation code and the URL, someone could intercept them; but the pair can only be used once, so the process fails safe: if the token does not import into the intended user's device, you issue them a new one, which invalidates the first one.
QR codes, which are a subset of CT-KIP, only work on specific devices. The difference is that the user must log on to the Self-Service Console to get their QR code. When you distribute a software token with a QR code, it looks like this:
 

ST Profile QR
 

Use the DeviceID or DeviceSerial number to bind the software token to this specific device for maximum assurance that this token will not be imported into the wrong device.

  3. Distribute the software token(s) that use the QR code software token profile following the steps on Software Token Distribution. As with token assignment, tokens can be distributed individually or in bulk through the Security Console (Authentication > Distribute Software Tokens in Bulk). WARNING: Be very careful when distributing tokens in bulk! Earlier versions of Authentication Manager allowed administrators to accidentally redistribute every single software token in the database by simply leaving the search fields blank. This invalidates every token already imported into your users' device(s), and all user authentications done with a software token will fail. Unless you have a very recent backup that has up-to-date token information, the only method to recover from this is to reassign and redistribute all software tokens in the deployment. If you do not store copies of your token seed media, there will be a delay in RSA being able to provide you with new media.
  4. Have the user log in to the Self-Service Console to activate their software token. Note that the user's device will need to be able to access the Self-Service Console and/or the CT-KIP URL. This can be either directly on your internal or corporate wireless network or through a Web Tier in your internal or corporate DMZ from the internet. This will most likely be the same way your users access the SSC.
  5. You do not see a QR code or CT-KIP URL until the user logs in to the Self-Service Console, typically with a password, and clicks the Activate Your Token link.
SSS QR activate
Notes
  • A QR code is a way for a handheld device with the RSA SecurID Software Token Application to take a picture of the code and import the token.  It works by converting a CT-KIP URL into a QR code.  
  • The CT-KIP URL must be valid for the user’s device, which means if you need to do this from a phone on the internet, you need a Web Tier in your DMZ. If your users can access your internal wireless LAN, inside the firewall, then you would not need a Web Tier to allow access through your internet firewall/DMZ into the Self-Service Console. In other words, your user’s PC and their device need to access the Self-Service Console the same way. If your users log on to the Self-Service Console on your LAN or through a VPN, but their device is using a cell tower, they are not on the same network, and the device won’t be able to use the QR code because it cannot reach the CT-KIP URL without a Web Tier.
  • Basically, without a Web Tier, a CT-KIP URL shows the internal port 7004. This is configured in your software token profile (Authentication > Software Token Profiles > Manage Existing).
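
The reachability condition described in these notes can be checked before tokens are distributed. The following is an added example, not RSA code: it inspects the host and port of a CT-KIP service URL and lists the reasons a device outside the LAN could not reach it. The sample URLs, the path placeholder and the `internal_suffixes` parameter (your internal DNS zones) are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Internal port the article says a CT-KIP URL shows when no Web Tier is used.
INTERNAL_CTKIP_PORT = 7004


def ctkip_url_findings(url, internal_suffixes=(".corp.example",)):
    """Return reasons a device outside the LAN could not reach this URL.

    internal_suffixes is a hypothetical parameter: DNS suffixes that only
    resolve inside the corporate network.
    """
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["URL has no host component"]
    try:
        port = parts.port
    except ValueError:
        return ["URL has an invalid port"]
    if port == INTERNAL_CTKIP_PORT:
        findings.append("port 7004 is the internal port: URL does not go through a Web Tier")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: judge the name itself.
        if "." not in host or host.endswith(tuple(internal_suffixes)):
            findings.append("host name resolves only on the internal network")
    else:
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            findings.append("host is a non-routable address")
    return findings


# Constructed sample URLs; only host and port matter to the check.
SAMPLES = [
    "https://am-primary.corp.example:7004/ctkip-path-placeholder",
    "https://10.20.30.40:7004/ctkip-path-placeholder",
    "https://token.example.com/ctkip-path-placeholder",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        problems = ctkip_url_findings(sample)
        print(sample, "->", problems or "reachable from outside (by URL shape)")
```

An empty result only means the URL is not obviously internal; the device must still be able to connect to that host and port from the network it is actually on.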
