SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

dynamic seed provisioning


when I use "dynamic seed provisioning" in order to distribuite a software token I obtain a strange string: 
""MY Server FQDN":7004/ctkip/services/CtkipService", is it coorrect ? 

Can I use "dynamic seed provisioning" whitout install Web-Tier or is necessary implement it ?

Best regards


Supporto Redco
3 Replies
Employee (Retired) Employee (Retired)
Employee (Retired)

Roberto Rabolini‌,

I've moved your question to the RSA SecurID Access" data-type="space space where it will be seen by the product's support engineers, other customers and partners.  Please bookmark this page and use it when you have product-specific questions.


Alternatively, from the RSA Customer Support" data-type="space page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question.  From there, scroll to RSA SecurID Access" data-type="space and click Ask A Question.  That way your question will appear in the correct space.






Thank you Erica


Da: Erica Chalfin

Inviato: venerdì 19 ottobre 2018 15:30

A: Roberto Rabolini

Oggetto: You have been mentioned by Erica Chalfin in Re: dynamic seed provisioning in RSA Link






You have been mentioned


by Erica Chalfin<> in Re: dynamic seed provisioning in RSA Link - View Erica Chalfin's reference to you<>


Dynamic seed provisioning , or CTKIP, does not require a web tier.


If the device can access port 7004 on the primary RSA Authentication Manager, then it can CTKIP a token.


A web tier (and this is when you would need to configure a Virtual Host) is essentially an RSA Authentication Manager self-service portal that can sit on the DMZ (essentially a proxy server) and allow internet access to do CTKIP without being on your inside network.The web tier then has it's own private connection to your internal RSA Authentication Manager primary on a separate TCP port (7022). 


The URL is correct if the device that is doing CTKIP understands the URL format (there have been some changes over time on some URL formats). So, the best thing do do is: refer to the Software Token admin guide for [device type] and see what the URL format should be, and then you can configure a software token profile and create the appropriate CTKIP link for an end user to click. The instructs the device to pass this string to itself where an internal app is listening (which is the RSA software token app) and then the app does it's own real network connection to perform the token download.


On this page 

you can find the documentation for [device] and it will show 'token delivery methods' and any special URL formatting required to do CTKIP with that device.



CTF (compressed token format) is another option for some devices, where you get a very large 'URL like string'  in which the entire token is encoded, and requires zero network connectivity.

Example: com.rsa.securid://ctf?ctfData=200002073572073562316564702224415011025055165634316176564172163270773376671627232