User guide
Data flow: Generating a token code for a software token
1. An RSA administrator uses the RSA Authentication Manager to import a seed as a soft token file in .asc format to a
software token database and issue the software token file in .sdtid format. If necessary, the administrator can perform
one or more of the following actions:
• Permit a user to specify the software token PIN
• Configure the RSA SecurID to automatically generate and send a software token PIN to a Wi-Fi enabled BlackBerry
device
• Require the user to specify the software token PIN the first time that the user tries to complete RSA authentication
on the device
• Bind the seed to a specific device PIN
• Specify an optional password to encrypt the .sdtid seed file
2. You assign the .sdtid file seed for the device to the user account in the BlackBerry Administration Service. If required,
you specify the optional password that the device can use to decrypt the seed.
3. The BlackBerry Enterprise Server performs the following actions:
   a. Stores the .sdtid seed file in the BlackBerry Configuration Database.
   b. Pushes the .sdtid seed file (and the password, if the RSA administrator specified one) to the device during the
      activation process and each time that the RSA administrator changes the .sdtid seed file for the device.
4. The device performs the following actions:
   a. Imports the .sdtid seed file. If the RSA administrator specified a password in the RSA Authentication Manager to
      encrypt the .sdtid file seed, the device uses the password to decrypt the .sdtid seed file. If the RSA administrator
      specified that the .sdtid seed file must bind to a specific device PIN, only the device with the specific PIN can
      import the seed.
   b. Stores the .sdtid seed file in flash memory.
   c. Imports a copy of the .sdtid seed file into the RSA SecurID on the device.
5. The RSA SecurID randomly generates a password to encrypt the .sdtid seed file.
6. The RSA SecurID library on the device authenticates with the RSA Authentication Agent and initializes the software
token algorithm one time for each minute.
7. Each time the user tries to open a Wi-Fi connection or VPN connection that requires RSA authentication, the device
uses the initialized algorithm to combine the .sdtid file seed with random data that is based on the time and generate a
new token code for the software token.
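The time-based derivation in steps 6 and 7, sketched as an added example that is not BlackBerry or RSA code. The RSA SecurID algorithm itself is not described in this guide, so the sketch substitutes the openly specified RFC 6238 (TOTP) construction with HMAC-SHA-256; the function names, the 8-digit code length and the drift window are assumptions, and the seed is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the guide: the algorithm is initialized one time for each minute
CODE_DIGITS = 8    # assumed code length for this sketch


def token_code(seed: bytes, unix_time: int) -> str:
    """Combine the seed with the current one-minute interval (RFC 6238 style)."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify(seed: bytes, presented: str, server_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current interval or +/- drift_steps intervals."""
    for step in range(-drift_steps, drift_steps + 1):
        t = server_time + step * STEP_SECONDS
        if t < 0:
            continue  # no interval exists before the epoch
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(token_code(seed, t), presented):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 SHA-256 test key, standing in for the seed held in the .sdtid file.
    seed = b"12345678901234567890123456789012"
    code = token_code(seed, 60)
    print("code for minute 1:", code)
    print("accepted 65 s later:", verify(seed, code, 125))
    print("accepted 140 s later:", verify(seed, code, 200))
```

Because the code is a pure function of the seed and the clock, anyone holding a copy of the seed can compute valid codes, which is why the data flow protects the .sdtid file with a password and an optional device PIN binding.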
Security Technical Overview Wi-Fi enabled devices