CRYPTOCard BlackBerry Token Implementation Guide

Copyright

Copyright 2007 CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.
Solution Overview Summary

Product Name: BlackBerry
Vendor Site: http://www.rim.net/
BlackBerry Server Software: BlackBerry Enterprise Server 4.1 or higher
BlackBerry Client Side Software: BlackBerry Desktop Software version 4.2 or higher
Support: BlackBerry Operating System 4.0 and higher
CRYPTOCard Product Requirements: CRYPTOCard Server software 6.4.69 or higher
Supported software token type: AES based software tokens (67x series)
Note: DES tokens (7x series) are not supported

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS are either registered trademarks or trademarks of CRYPTOCard. Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date               Changes
January 24, 2007   Initial Draft
February 12, 2007  Global Draft
May 11, 2007       Minor revision

BlackBerry Token Implementation Guide
Table of Contents

BLACKBERRY TOKEN DEPLOYMENT OVERVIEW ... 1
BLACKBERRY ENTERPRISE SERVER DEPLOYMENT ... 3
    Initial BlackBerry Enterprise Server Configuration ... 3
    Adding CRYPTOCard Applications to the BlackBerry Enterprise Software Configuration ... 4
    Creating an IT Policy ... 6
    Assigning and Deploying a Software Configuration and IT Policy ... 7
    Deploying the CRYPTOCard token ... 8
BLACKBERRY DESKTOP MANAGER (USB) DEPLOYMENT ... 9
    Deploying the CRYPTOCard token ... 11
CRYPTO-SERVER DEPLOYMENT OF THE CRYPTOCARD TOKEN AUTHENTICATOR ... 12
    Accepting CRYPTOCard BlackBerry Token Authenticator download requests ... 12
    Deploying the CRYPTOCard Token Authenticator and CRYPTOCard token ... 12
CUSTOMIZING THE BLACKBERRY DEPLOYMENT E-MAILS ... 14
BLACKBERRY TOKEN FUNCTIONALITY ... 16
    Generate a CRYPTOCard One-time Password ... 16
    Change PIN ... 17
    Token Resync ... 17
    Load New Tokens ... 17
    Exiting the Authenticator ... 17
BlackBerry Token Deployment Overview

This document presents an overview of, and the necessary steps for, deploying the CRYPTOCard BlackBerry Token Authenticator and a CRYPTOCard token to a BlackBerry user.

The BlackBerry is a wireless handheld which supports e-mail, mobile telephone, text messaging, internet faxing, web browsing and other wireless information services. While including the usual PDA applications (address book, calendar, to-do lists, etc.) as well as telephone capabilities on newer models, the BlackBerry is primarily known for its ability to send and receive e-mail wherever it can access the wireless network of certain cellular phone carriers. Armed with a CRYPTOCard token, the BlackBerry can be used to log on to any CRYPTOCard protected network.

CRYPTOCard supports three deployment methods: BlackBerry Enterprise Server Deployment, BlackBerry Desktop Manager (USB) Deployment and CRYPTO-Server Deployment. A brief description of each method follows.

BlackBerry Enterprise Server Deployment

1. A CRYPTOCard BlackBerry Token Authenticator Software Configuration and IT Policy is created on the BlackBerry Enterprise Server and pushed to the BlackBerry device.
2. A CRYPTOCard token is emailed to the BlackBerry user for installation.
BlackBerry Desktop Manager (USB) Deployment

1. The CRYPTOCard software is installed using the BlackBerry Desktop Manager.
2. A CRYPTOCard token is emailed to the BlackBerry user for installation.

CRYPTO-Server Deployment

1. The CRYPTO-Server Administrator assigns a token to a BlackBerry user.
2. The BlackBerry user receives an email containing a link to the CRYPTOCard software and the PIN.
3. The BlackBerry user receives a second email which contains their token.
BlackBerry Enterprise Server Deployment

Initial BlackBerry Enterprise Server Configuration

The following instructions provide the necessary steps for creating the policies that push the BlackBerry Token Authenticator to a BlackBerry device via a BlackBerry Enterprise Server.

On the BlackBerry Enterprise Server, navigate to the \Program Files\Common Files\Research in Motion directory and create the following folder structure:

    Create a folder called Shared.
    Create a folder called Applications under Shared.
    Create a folder called TokenAuthenticator under Applications.

On the CRYPTOCard server, browse to the \CRYPTOCard\CRYPTO-Server\bin\wwwroot\blackberry directory (Windows), /etc/cryptocard/wwwroot/blackberry (Linux) or Applications/CRYPTOCard/CRYPTO-Server/bin/wwwroot/blackberry (Mac OS X). Copy the following files into the \Program Files\Common Files\Research in Motion\Shared\Applications\TokenAuthenticator directory on the BlackBerry Enterprise Server:

    BBAutorun.cod
    BBAutorun.jad
    BBAutorun.jar
    TokenAuthenticator.alx
    TokenAuthenticator.cod
    TokenAuthenticator.jad
    TokenAuthenticator.jar

On the BlackBerry Enterprise Server, open a command prompt, navigate to \Program Files\Common Files\Research in Motion\Apploader and type the command:

    loader.exe /index

This creates the files PkgDBCache.xml and specification.pkg in the \Program Files\Common Files\Research in Motion\Shared\Applications\TokenAuthenticator directory.
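The copy above is done by hand, and a push that later fails on the handset is hard to trace back to a file that was skipped or truncated during staging. The script below is an added example, not part of the guide or of CRYPTOCard's software: it confirms that the staged TokenAuthenticator folder holds all seven files, that each one is byte-for-byte identical (by SHA-256) to its copy on the CRYPTO-Server, and that loader.exe /index has produced its two output files. The directory tree it builds for the demonstration and the file contents are constructed placeholders; the two real paths are assumed to be reachable from wherever the script runs (for example over the Research in Motion share).

```python
import hashlib
import os
import tempfile

# The seven files the guide says to copy from the CRYPTO-Server's
# wwwroot\blackberry directory into Shared\Applications\TokenAuthenticator.
REQUIRED_FILES = (
    "BBAutorun.cod", "BBAutorun.jad", "BBAutorun.jar",
    "TokenAuthenticator.alx", "TokenAuthenticator.cod",
    "TokenAuthenticator.jad", "TokenAuthenticator.jar",
)

# Files the guide says loader.exe /index writes into that directory.
INDEX_OUTPUTS = ("PkgDBCache.xml", "specification.pkg")


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large .cod/.jar files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_staging(source_dir, staging_dir):
    """Compare the staged TokenAuthenticator folder against the CRYPTO-Server source.

    Returns a dict with three lists: files missing on either side, files whose
    SHA-256 differs from the source copy, and files that match exactly.
    """
    result = {"missing": [], "mismatched": [], "ok": []}
    for name in REQUIRED_FILES:
        src = os.path.join(source_dir, name)
        dst = os.path.join(staging_dir, name)
        if not (os.path.isfile(src) and os.path.isfile(dst)):
            result["missing"].append(name)
        elif sha256_file(src) != sha256_file(dst):
            result["mismatched"].append(name)
        else:
            result["ok"].append(name)
    return result


def index_outputs_present(staging_dir):
    """True once loader.exe /index has written PkgDBCache.xml and specification.pkg."""
    return all(os.path.isfile(os.path.join(staging_dir, n)) for n in INDEX_OUTPUTS)


def build_demo_dirs(root, corrupt="TokenAuthenticator.cod", omit="BBAutorun.jar"):
    """Construct a sample source tree and a flawed staging tree with placeholder contents.

    One staged file is altered and one is left out so the checks have something to report.
    """
    source = os.path.join(root, "wwwroot", "blackberry")
    staging = os.path.join(root, "Shared", "Applications", "TokenAuthenticator")
    os.makedirs(source)
    os.makedirs(staging)
    for name in REQUIRED_FILES:
        payload = ("placeholder contents of %s" % name).encode()
        with open(os.path.join(source, name), "wb") as handle:
            handle.write(payload)
        if name == omit:
            continue
        if name == corrupt:
            payload += b"\n# altered copy"
        with open(os.path.join(staging, name), "wb") as handle:
            handle.write(payload)
    return source, staging


def run_demo():
    """Build the constructed trees in a temp directory and return both check results."""
    with tempfile.TemporaryDirectory() as root:
        source, staging = build_demo_dirs(root)
        return verify_staging(source, staging), index_outputs_present(staging)


if __name__ == "__main__":
    report, indexed = run_demo()
    print("staging check:", report)
    print("loader.exe /index outputs present:", indexed)
```

Run it against the real directories by calling verify_staging with the CRYPTO-Server path and the UNC path of the share; an empty "missing" and "mismatched" list plus index_outputs_present returning True is the state the rest of the procedure expects.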
Share the Research in Motion folder so the BlackBerry Enterprise Server can access the files, leaving the permissions at their defaults.

Adding CRYPTOCard Applications to the BlackBerry Enterprise Software Configuration

Log into your BlackBerry Enterprise Server. Highlight the BlackBerry Domain (root level), then select Software Configurations. Choose Add New Configuration, then select Change. In the Device Software Share Location enter \\hostname\Research in Motion and select OK.

Create a policy to allow the installation of the Token Authenticator. Click New and enter a description in the Name field.
Change Disposition to Disallowed. Expand Application Software. In the Delivery column select Wireless for BBAutorun and Token Authenticator. In the Policy column allow the installation of BBAutorun and Token Authenticator. Click OK.
Creating an IT Policy

Select the BlackBerry Domain (root level), then click on Global. Select Edit Properties, IT Policy, IT Policies. Create a new IT Policy; this will allow the installation of the CRYPTOCard applications onto the BlackBerry device(s). Select the Security Policy Group. Set Disallow Third Party Application Download to False. Set Allow Third Party Apps to Use Persistent Store to True. Select OK until all the dialogs are closed.
Assigning and Deploying a Software Configuration and IT Policy

1. Launch the BlackBerry Manager and select the BlackBerry server.
2. Select a BlackBerry user.
3. Expand the Device Management pane and select Assign Software Configuration.
4. Choose the CRYPTOCard software configuration, then select OK.
5. Expand the IT Admin pane and select Assign IT Policy.
6. Choose the IT Policy that allows the download of third party applications, then select OK.
7. In the IT Admin pane select Resend IT Policy.

Note: The IT Policy may take several minutes to take effect.
Deploying the CRYPTOCard token

CRYPTOCard BlackBerry tokens are deployed to users via email. BlackBerry users will receive two email messages; the first email contains the initial PIN to activate their token and the second email contains the CRYPTOCard token. The content of each email is customizable. Refer to the Customizing the BlackBerry deployment e-mails section for more information.

Follow these steps to deploy the CRYPTOCard token:

1. Highlight the user in the CRYPTO-Console, then select Assign Token.
2. In the Assign Token To User dialog highlight an ST-A (67x series) token, then click Next.
3. In the Method dropdown select Email PIN and token file for BlackBerry Deployment.
4. In the first email, make note of the initial PIN used to load the CRYPTOCard token into the BlackBerry Token Authenticator.
5. In the second email, select the token. This will launch the installation wizard.
6. Enter the username and PIN to install the token.

The BlackBerry device may now be used to log on to a CRYPTOCard protected resource.
BlackBerry Desktop Manager (USB) Deployment

The following instructions provide the necessary steps to install the CRYPTOCard BlackBerry Token Authenticator using the BlackBerry Desktop Manager. The end user must be provided with the following files:

    TokenAuthenticator.alx
    TokenAuthenticator.cod
    TokenAuthenticator.jad
    TokenAuthenticator.jar
    BBAutorun.cod
    BBAutorun.jad
    BBAutorun.jar

On Windows these files can be found in \CRYPTOCard\CRYPTO-Server\bin\wwwroot\blackberry, on Linux in /etc/cryptocard/wwwroot/blackberry and on Mac OS X in Applications/CRYPTOCard/CRYPTO-Server/bin/wwwroot/blackberry.

On the end user system perform the following. Launch the BlackBerry Desktop Manager and open the Application Loader. Click on the Add button to install the CRYPTOCard software.
Browse to the TokenAuthenticator.alx file. The Application Loader Wizard will display BBAutorun and TokenAuthenticator.

Note: The Token Authenticator is dependent on BBAutorun, which should not be deselected.

Select Next, then Finish to complete the installation of BBAutorun and TokenAuthenticator onto the BlackBerry device.
Deploying the CRYPTOCard token

CRYPTOCard BlackBerry tokens are deployed to users via email. BlackBerry users will receive two email messages; the first email contains the initial PIN to activate their token and the second email contains the CRYPTOCard token. The content of each email is customizable. Refer to the Customizing the BlackBerry deployment e-mails section for more information.

Follow these steps to deploy the CRYPTOCard token:

1. Highlight the user in the CRYPTO-Console, then select Assign Token.
2. In the Assign Token To User dialog highlight an ST-A (67x series) token, then click Next.
3. In the Method dropdown select Email PIN and token file for BlackBerry Deployment.
4. In the first email, make note of the initial PIN used to load the CRYPTOCard token into the BlackBerry Token Authenticator.
5. In the second email, select the token. This will launch the installation wizard.
6. Enter the username and PIN to install the token.

The BlackBerry device may now be used to log on to a CRYPTOCard protected resource.
CRYPTO-Server Deployment of the CRYPTOCard Token Authenticator

The following instructions provide the necessary steps to install the CRYPTOCard BlackBerry Token Authenticator using the CRYPTOCard server's CRYPTO-Protocol server/daemon. CRYPTO-Server deployment of the CRYPTOCard BlackBerry Token Authenticator can be used if an organization does not have a BlackBerry Enterprise Server or the ability to deploy via USB.

The CRYPTO-Server deployment method is limited by the restrictions imposed by the BlackBerry Service Provider. Various providers do not allow the installation of third party products. Please consult your BlackBerry Service Provider for more information.

Accepting CRYPTOCard BlackBerry Token Authenticator download requests

The CRYPTO-Protocol server, a built-in component of the CRYPTO-Server, must be modified to accept incoming HTTP requests from a BlackBerry device. Perform the following steps:

1. In the CRYPTO-Console select Server, System Configuration.
2. In the Entity column highlight HTTPProtocol. In the Key column double click Host and change the default value of 127.0.0.1, CC_HTTP_PROTOCOL, 8081, 8082 to 127.0.0.1, CC_HTTP_PROTOCOL, 80, 8082. Click Apply. This allows the CRYPTO-Protocol server to bind to TCP port 80 so it can accept regular HTTP requests.
3. In the Entity column highlight PtclServer. In the Key column double click Protocol.HTTP.Status and change Off to On. Click Apply.
4. In the Entity column highlight CRYPTODeploy.AutoDeployment. In the Key column double click BlackBerry.Host.Name. The default entry must be modified to reflect the public IP address configured in Step 6. This entry cannot be a reserved IP address.
5. Restart the CRYPTO-Protocol service/daemon for the settings to take effect.
6. Modify your firewall to direct TCP port 80 (HTTP) traffic to the CRYPTOCard server.

Users will now be able to download the CRYPTOCard BlackBerry Token Authenticator from the CRYPTOCard server.
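The three System Configuration changes above are easy to get subtly wrong: the Host value left binding 8081, Protocol.HTTP.Status still Off, or BlackBerry.Host.Name left at a loopback or private address that no handset can reach through the firewall, in which case the link in the first deployment email leads nowhere. The check below is an added example, not part of the guide or of CRYPTO-Server; it validates the three values exactly as the guide describes them. The "Entity.Key" naming of the settings dictionary is constructed for this example, the names it gives to the Host fields other than the port the guide changes are its own assumptions, and a hostname is accepted without being resolved on the assumption that the administrator has confirmed it points at the public address.

```python
import ipaddress

# Values shown in the guide for the HTTPProtocol "Host" key, before the change.
DEFAULT_HOST_VALUE = "127.0.0.1, CC_HTTP_PROTOCOL, 8081, 8082"
REQUIRED_HTTP_PORT = 80  # the guide moves the third field from 8081 to 80

# Dictionary keys as "Entity.Key" (a naming constructed for this example; the
# CRYPTO-Console shows Entity and Key as separate columns).
HOST_KEY = "HTTPProtocol.Host"
HTTP_STATUS_KEY = "PtclServer.Protocol.HTTP.Status"
HOST_NAME_KEY = "CRYPTODeploy.AutoDeployment.BlackBerry.Host.Name"


def parse_host_value(value):
    """Split the Host value into (address, label, http_port, second_port).

    The guide only states that the third field is the TCP port the
    CRYPTO-Protocol server binds for HTTP; the names given to the other
    fields are this example's assumptions.
    """
    parts = [part.strip() for part in value.split(",")]
    if len(parts) != 4:
        raise ValueError("Host value must have four comma-separated fields: %r" % value)
    address, label, http_port, second_port = parts
    return address, label, int(http_port), int(second_port)


def host_name_problem(host_name):
    """Return why BlackBerry.Host.Name is unusable, or None if it looks acceptable.

    The guide requires a public, non-reserved address that handsets can reach
    through the firewall. A non-IP string is treated as a hostname and accepted
    as-is (assumption: the administrator has checked what it resolves to).
    """
    host_name = host_name.strip()
    if not host_name:
        return "value is empty"
    try:
        addr = ipaddress.ip_address(host_name)
    except ValueError:
        return None  # hostname rather than an IP literal
    for flagged, label in (
        (addr.is_loopback, "loopback"),
        (addr.is_link_local, "link-local"),
        (addr.is_multicast, "multicast"),
        (addr.is_reserved, "reserved"),
        (addr.is_unspecified, "unspecified"),
        (addr.is_private, "private"),
    ):
        if flagged:
            return "%s is a %s address, not a public one" % (host_name, label)
    return None


def validate_autodeploy_settings(settings):
    """Check the three System Configuration values the guide changes.

    Returns a list of findings; an empty list means all three match the guide.
    """
    findings = []
    try:
        _, _, http_port, _ = parse_host_value(settings.get(HOST_KEY, ""))
        if http_port != REQUIRED_HTTP_PORT:
            findings.append("%s binds port %d; the guide requires port %d"
                            % (HOST_KEY, http_port, REQUIRED_HTTP_PORT))
    except ValueError as exc:
        findings.append("%s: %s" % (HOST_KEY, exc))
    if settings.get(HTTP_STATUS_KEY, "Off") != "On":
        findings.append("%s must be On" % HTTP_STATUS_KEY)
    problem = host_name_problem(settings.get(HOST_NAME_KEY, ""))
    if problem:
        findings.append("%s: %s" % (HOST_NAME_KEY, problem))
    return findings


if __name__ == "__main__":
    # Constructed: out-of-the-box values (127.0.0.1 stands in for the default
    # host name entry, which the guide does not print), then the values the guide asks for.
    before = {HOST_KEY: DEFAULT_HOST_VALUE, HTTP_STATUS_KEY: "Off", HOST_NAME_KEY: "127.0.0.1"}
    after = {HOST_KEY: "127.0.0.1, CC_HTTP_PROTOCOL, 80, 8082", HTTP_STATUS_KEY: "On",
             HOST_NAME_KEY: "token-host.example.com"}  # placeholder public hostname
    for name, cfg in (("before", before), ("after", after)):
        print(name, validate_autodeploy_settings(cfg) or ["no findings"])
```

Note that the download this enables is served over plain HTTP on port 80, as the guide configures it, so the firewall rule in Step 6 should forward only that port to the CRYPTOCard server.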
Deploying the CRYPTOCard Token Authenticator and CRYPTOCard token

BlackBerry users will receive two email messages. The initial email contains a URL to the CRYPTOCard BlackBerry software and the PIN for their token; the second email contains their CRYPTOCard token. The content of each email is customizable. Refer to the Customizing the BlackBerry deployment e-mails section for more information.

The following steps must be performed:

1. Highlight the user in the CRYPTO-Console, then select Assign Token.
2. In the Assign Token To User dialog highlight an ST-A (67x series) token, then click Next.
3. In the Method dropdown select Email PIN and token file for BlackBerry Deployment.
4. In the first email, select the BlackBerry URL. Download Token Authenticator and BBAutorun. Make note of the PIN, as it will be needed once the CRYPTOCard software is installed and you have received the CRYPTOCard token.
5. In the second email, select the token. This will launch the installation wizard.
6. Enter the username and PIN to install the token.

The BlackBerry device may now be used to log on to a CRYPTOCard protected resource.
Customizing the BlackBerry deployment e-mails

The email templates provided to end users are found in the BlackBerry.msg and BBNewToken.msg files on the CRYPTO-Server. On Windows these files can be found in \CRYPTOCard\CRYPTO-Server\bin, on Linux in /etc/cryptocard and on Mac OS X in Applications/CRYPTO-Server/bin.

The BlackBerry.msg file contains information on where to download the CRYPTOCard BlackBerry Token Authenticator and BBAutorun. It also includes the initial PIN used during the installation of the token. The BBNewToken.msg file contains CRYPTOCard BlackBerry token installation instructions.

The end user will receive two emails when a BlackBerry token is deployed to their BlackBerry. The first email will include the following information:

1. A link to download the CRYPTOCard BlackBerry Token Authenticator and BBAutorun
2. Their initial PIN

The link to the CRYPTOCard BlackBerry software (http://$cd.ip.address$/blackberry) is only needed for CRYPTO-Server Deployment. It is not needed for BlackBerry Enterprise Server and BlackBerry Desktop Manager (USB) Deployment. The $CD.IP.ADDRESS$ argument will be replaced with the information found in the CRYPTODeploy.AutoDeployment, BlackBerry.Host.Name entry in System Configuration.

BlackBerry.msg

This e-mail will assist you in the installation and activation of your new CRYPTOCard token into your Blackberry. Step one is to install the Token Authenticator application on your BlackBerry, step two is the installation and activation of the actual token. Please make note of the PIN below, as it is required to activate your token.

To install the Token Authenticator "Over the Air", browse to the URL below with your BlackBerry. If the application is installed via Desktop Manager (USB) or Blackberry Enterprise Server, this step is not necessary.

Again, please make note of your token activation PIN. Your token will be issued to you shortly.
http://$cd.ip.address$/blackberry

Your token activation PIN is: $PIN$

This e-mail is the default token deployment message set in your CRYPTOCard server. It can be modified by editing the Blackberry.msg file on the CRYPTO-Server system. The IP address or hostname can be modified by setting Blackberry.Host.Name within the CRYPTODeploy.AutoDeployment settings. This e-mail should be modified to reflect the policies and procedures of your organization.
The second email will include the following information:

1. The token file to load into the BlackBerry

BBNewToken.msg

Your new CRYPTOCard BlackBerry token is attached. To install the token, move the cursor to the attached file. Click the trackwheel or trackball and then select the 'Load Token' option on the menu. It will pop up the CRYPTOCard BlackBerry token installation wizard and prompt for the user name and activation PIN. Use the activation PIN received in the previous e-mail. If you have not received an activation PIN, contact your Help Desk.

This e-mail is the default token deployment message set in your CRYPTOCard authentication server. It can be modified by editing the "BBNewToken.msg" file. Please refer to the CRYPTO-Server documentation to ensure substitution tags are maintained. This e-mail should be modified to reflect the policies and procedures of your organization.

Caveat: Users MUST have BBAutorun installed on the BlackBerry BEFORE receiving their token. If the user does not have it installed prior to receiving the token, clicking on the token attachment will not offer the Load Token option. To work around this, re-issue the token after the user has installed the Authenticator.
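Both templates warn that substitution tags must be preserved when the messages are customized: a BlackBerry.msg that loses $PIN$ sends the user an email with no activation PIN and, shortly after, a token they cannot load. The helper below is an added example, not part of the guide or of CRYPTO-Server. It lists the tags a template contains, reports required tags that a customized copy has lost, and renders a template with supplied values, refusing to send a raw tag through. The guide writes the address tag as both $cd.ip.address$ and $CD.IP.ADDRESS$, so tag matching is case-insensitive (an assumption of this example, not documented CRYPTO-Server behaviour); the default message is abridged from the guide, and the hostname and PIN used for rendering are placeholders.

```python
import re

# Abridged from the default BlackBerry.msg text printed in the guide.
DEFAULT_BLACKBERRY_MSG = (
    "This e-mail will assist you in the installation and activation of your new\n"
    "CRYPTOCard token into your Blackberry. Please make note of the PIN below,\n"
    "as it is required to activate your token.\n"
    "\n"
    "http://$cd.ip.address$/blackberry\n"
    "\n"
    "Your token activation PIN is: $PIN$\n"
)

# Tags a customized BlackBerry.msg must keep. The guide writes the address tag
# as both $cd.ip.address$ and $CD.IP.ADDRESS$, so comparisons below ignore case
# (an assumption of this example, not documented CRYPTO-Server behaviour).
REQUIRED_TAGS = ("$cd.ip.address$", "$PIN$")

# A tag is a dollar sign, a name of letters, digits, dots or underscores,
# and a closing dollar sign.
TAG_PATTERN = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def find_tags(template):
    """Return the distinct tags in a template, lower-cased, in order of first appearance."""
    seen = []
    for match in TAG_PATTERN.finditer(template):
        tag = match.group(0).lower()
        if tag not in seen:
            seen.append(tag)
    return seen


def missing_tags(template, required=REQUIRED_TAGS):
    """Return the required tags that a (customized) template no longer contains."""
    present = set(find_tags(template))
    return [tag for tag in required if tag.lower() not in present]


def render(template, values):
    """Substitute every tag from `values` (keys without the dollar signs, any case).

    Raises KeyError for a tag with no value rather than mailing the raw tag
    to the user.
    """
    lookup = {key.lower(): value for key, value in values.items()}

    def substitute(match):
        name = match.group(1).lower()
        if name not in lookup:
            raise KeyError("no value supplied for tag %s" % match.group(0))
        return lookup[name]

    return TAG_PATTERN.sub(substitute, template)


if __name__ == "__main__":
    # Constructed customization that dropped the PIN line by mistake.
    customized = ("Welcome. Browse to http://$CD.IP.ADDRESS$/blackberry "
                  "to install the Token Authenticator.\n")
    print("tags in default message:", find_tags(DEFAULT_BLACKBERRY_MSG))
    print("required tags missing from customized copy:", missing_tags(customized))
    # Placeholder values; the real ones come from System Configuration and token assignment.
    print(render(DEFAULT_BLACKBERRY_MSG, {"cd.ip.address": "token-host.example.com", "PIN": "12345"}))
```

Running missing_tags over the edited BlackBerry.msg before it is saved on the CRYPTO-Server catches the lost-tag case; BBNewToken.msg is not covered here because the guide does not print the tags it relies on.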
BlackBerry Token Functionality

The BlackBerry token functions include:

    Generate a CRYPTOCard One-time Password
    Challenge Response Mode
    Change PIN
    Token Resync
    Load a new token onto the BlackBerry device
    Exit the application

Generate a CRYPTOCard One-time Password

To generate a token password:

1. Highlight the Token Password button and click with the track wheel. The application displays one of four options:

    PIN Dialog: This is the standard. The PIN dialog allows the user to enter their token PIN. With the correct PIN, the token password is displayed in the white space below the CRYPTOCard logo. With multiple unsuccessful PIN attempts, the token locks. Tokens cannot be unlocked. The next time the user starts the Token Authenticator, they will be prompted to load a new token.
    Change PIN Dialog: This is displayed if the token is in Change PIN Mode.
    Challenge Dialog: This is displayed if the token is in Challenge-Response Mode.
    Nothing is displayed: This is because no tokens are loaded into the device yet.

Challenge Response Mode

In challenge response mode, the challenge/PIN dialog is displayed:

    With the correct PIN and challenge, the token displays the correct password in the white space below the CRYPTOCard logo.
    With an incorrect PIN and a correct (or incorrect) challenge, the token displays an error dialog box.
    With a correct PIN and an incorrect challenge, the token displays a token password, but the token is out of sync. As a result you need to re-synchronize the token to get a correct token password.
Change PIN

To change the token PIN:

1. Highlight the Options button and click with the track wheel.
2. Select the Change PIN option. The Change Token PIN dialog box is displayed.
3. Enter the current PIN. Enter the new PIN and enter it a second time to provide confirmation. The new PIN is saved.

Token Resync

To re-synchronize the token response:

1. Highlight the Options button and click with the track wheel.
2. Select the Token Resync option. The Token Resync dialog box is displayed.
3. Enter the current PIN and the current challenge provided by the CRYPTO-Server. The new token password is displayed. An error is displayed if the challenge is invalid.

Load New Tokens

To load new tokens:

1. Select the token from the email provided by your CRYPTOCard Administrator.
2. Enter the username and initial PIN to activate the token.

Exiting the Authenticator

To exit the Token Authenticator, do one of the following:

    Highlight the Options button and select Close.
    At the main screen, click the escape button.