Configuring software tokens for BlackBerry devices
The BlackBerry® Enterprise Server is designed to work with the RSA® Authentication Manager to provide software token support for use with layer 2 and layer 3 Wi-Fi® authentication on Wi-Fi enabled BlackBerry devices.
When you configure a software token for users, BlackBerry devices are designed to use the passcode to authenticate the users to the Wi-Fi network and VPNs automatically using the PEAPv1, EAP-GTC, and EAP-TTLS or EAP-GTC authentication methods.
You can configure multiple software tokens for each user. For example, you can configure one software token that a user can use with Wi-Fi authentication and a second software token that a user can use with VPN authentication. When users try to open a Wi-Fi or VPN connection that requires two-factor authentication on the BlackBerry devices, the BlackBerry devices prompt the users to type the software token PIN and submit the current tokencode for the connection type to create the passcode for two-factor authentication.
For more information about how the BlackBerry Enterprise Server supports software tokens, see the BlackBerry Enterprise Solution Security Technical Overview.
Prerequisites: Configuring BlackBerry devices for RSA authentication
- In the RSA Authentication Manager, configure the following policies for the PINs of the software tokens in your organization's environment:
  - whether a PIN is required for authentication
  - whether a PIN is defined by the user or generated by the RSA Authentication Manager
  - whether a PIN is alphanumeric or numeric only
  - whether a PIN has a fixed length or a variable length, with a minimum of four characters and a maximum of eight characters
- Import the token seed file (also known as the *.sdtid file) that contains the UID for each software token into the RSA Authentication Manager Database.
- In the RSA Authentication Manager Database, create a user record for each software token holder.
- In the RSA Authentication Manager Administration application, configure the following parameters for the software token seed file:
  - serial number
  - cryptographic algorithm
  - user account that you can assign the software token to
  - password to protect the software token seed file
- Communicate the password to the user.
Configure BlackBerry devices for RSA authentication
- Manually adjust the time on BlackBerry devices using the Date/Time option on the devices.
- Use the BlackBerry® Desktop Manager to synchronize the date and time on the BlackBerry devices with the date and time on the users' computers.
- Assign the Wi-Fi profile to the user accounts.
- Resend the IT policy to BlackBerry devices.
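Tokencodes are time-based, so a device clock that drifts from the authentication server's clock produces tokencodes the server rejects. The following added example (not from the BlackBerry or RSA documentation) models that dependency using RFC 6238 TOTP as a stand-in for RSA's tokencode algorithm; the 60-second interval, 6-digit length, one-interval acceptance window, seed and timestamps are all assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per tokencode interval (assumed for this model)
DIGITS = 6     # tokencode length (assumed)
WINDOW = 1     # intervals of drift the server tolerates each way (assumed)


def tokencode(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; a stand-in, not RSA's algorithm."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def server_accepts(seed: bytes, code: str, server_time: int) -> bool:
    """Accept a code that matches any interval inside the drift window."""
    return any(
        hmac.compare_digest(code, tokencode(seed, server_time + k * STEP))
        for k in range(-WINDOW, WINDOW + 1)
    )


def max_tolerated_skew(seed: bytes, server_time: int, limit: int = 600) -> int:
    """Largest device clock lead (seconds) that still authenticates."""
    skew = 0
    while skew < limit and server_accepts(
        seed, tokencode(seed, server_time + skew + 1), server_time
    ):
        skew += 1
    return skew


if __name__ == "__main__":
    seed = b"constructed-demo-seed"        # constructed sample value
    now = 1_700_000_000                    # constructed server clock
    for skew in (0, 45, 90, 300):
        ok = server_accepts(seed, tokencode(seed, now + skew), now)
        print(f"device clock +{skew:>3}s -> {'accepted' if ok else 'rejected'}")
    print("max tolerated lead:", max_tolerated_skew(seed, now), "s")
```

The tolerated skew depends on where the server clock sits inside its current interval, which is why intermittent authentication failures are a typical symptom of a device clock that is only slightly off.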
Configure RSA authentication over a Wi-Fi network using a software token
- In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
- Click Manage Wi-Fi profiles.
- Click the name of the Wi-Fi profile that you want to change.
- Click Edit profile.
- On the Wi-Fi profile settings tab, in the Wi-Fi Token Serial Number field, type the serial number of the software token.
- Click Save All.
- Assign the Wi-Fi profile to the user accounts.
- Resend the IT policy that you assign to the user accounts to BlackBerry devices.
Configure RSA authentication over a VPN network using a software token
- In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
- Click Manage VPN profiles.
- Click the name of the VPN profile that you want to change.
- Click Edit profile.
- On the VPN profile settings tab, in the VPN Token Serial Number field, type the serial number of the software token.
- Click Save All.
- Assign the VPN profile to the user accounts.
- Resend the IT policy that you assign to the user accounts to BlackBerry devices.
Assign software tokens to a user account
- In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand User.
- Click Manage users.
- Search for a user account.
- Click the display name for the user account.
- Click Edit user.
- On the Software tokens tab, type the serial number of the software token.
- To import the software token seed file for the user account, perform the following actions:
  - Click Browse.
  - Navigate to the software token seed file for the user account.
  - Click Open.
- If you configured a password in the RSA® Authentication Manager so that you can encrypt the .sdtid file, type and confirm the password.
- In the Timeout (minutes) field, type the length of time, in minutes, that the Wi-Fi enabled BlackBerry device keeps the PIN cached.
- Click the Add icon.
- Click Save all.