Provisioning a LOT of RSA SecurID iPhone (and other) Tokens using Powershell

So, you can tell from my previous blog post that I kinda dig Powershell and that I enjoy the occasional challenge. It helps me feel like I haven’t lost my technical chops. :)

This challenge started off one afternoon at lunch when I was talking with an RSA Sales Engineer. One of his customers was moving over, en masse, to iPhones and they wanted to provision a bunch of RSA SecurID iPhone tokens. Unfortunately, the iPhone Token Converter tool wasn’t really designed for that. It’s a single-use command-line tool: one token file in, one URL out. Here’s an example from the documentation:

The following command uses the -mobile option to convert a password-protected token file. The -mobile option is currently used with the SecurID for iPhone application, 1.2 or later.

C:\path_name\TokenConverter user2-passwordtoken.sdtid -p t0kenpw1 -mobile -o tokenfile.txt

The converted token data looks similar to the following:

com.rsa.securid://ctf?ctfData=200002068164720663136011170432774461076477164632456201026172115044046062716712650

When you install the RSA SecurID iPhone token from the App Store, this funky URL is registered to be opened exclusively by the token. That then provisions the token with the user record and off you go.

But what if you want to provision 100 tokens? Or 1000 tokens? What a PITA that would be! So, I thought “there’s gotta be a way to do this in Powershell”. And do it even better. Not only did I want to generate the token URLs for all the users, but I wanted to generate a text file per user, named after the username, with the token URL as its content. THEN, I wanted to send out a custom email to each user with the token URL in it so they’d only have to download the app and click on the link! After all, it’s only a few extra lines of simple code, right? As you’ll see below, it really is just a few lines of actual code!

Challenges

To generate the URL for the token, you need a .SDTID file. This is the file that’s generated by RSA Authentication Manager when you marry a token record to a user. Thankfully, the format of this file is XML. Bonus! Powershell loves XML! Unfortunately, provisioning a ton of tokens from the Auth Man GUI isn’t straightforward. I know, I know, “Mike, we need Powershell cmdlets for Authentication Manager!!”

<Official Statement> Please provide that feedback to your RSA representative. </Official Statement>

Create the files needed

Ok, so you’ve used whatever (supported) tools you needed to get a .SDTID file for every user. I recommend one file per user, named after that user. Example: jsmith.sdtid, mfoley.sdtid, hsimpson.sdtid, etc… Because you can link your Active Directory to your Authentication Manager, the names should be the same as your AD login name.

Note: Make sure all these files are in one folder!

Now that you have all the files, you’ll need to get the Token Converter Tool we mentioned previously and the Powershell script below. In addition, I highly recommend getting the Quest AD cmdlets. Some BRILLIANT work here by your friends at Quest. Not only do they provide an amazing tool for working with Powershell and Active Directory, the cmdlets are also FREE! It’s almost a crime to download them. :)

Checklist

  1. Downloaded *.sdtid files to an accessible location
  2. Downloaded the Token Converter Tool and put it in the same location as the script
  3. Downloaded the script
  4. IP/FQDN of your email server
  5. Downloaded and installed the Quest AD cmdlets

You’ll see in the script that all the Quest/email stuff is commented out. I tested it, but you’ll want to ensure it works for you before you start provisioning a ton of tokens.

Let’s step thru some of the code

Configure the IP address or FQDN of your email server by uncommenting and editing this variable. Keep the quotes: the value is a string, not a number.

[sourcecode language="powershell"]
# $smtpserver = "192.168.1.1"
[/sourcecode]

Enable the Quest cmdlets and Connect to AD

[sourcecode language="powershell"]
# Uncomment for using AD
#Add-PSSnapin quest.activeroles.admanagement
#Connect-QADService
[/sourcecode]

Edit the variable that states where the .SDTID files are. Default is the same directory as the script.

[sourcecode language="powershell"]
# $token_location is the directory that the sdtid files are located in.
# Current value is the same folder this script is in.
$token_location = "."
[/sourcecode]

Now, the script will read each file and parse information out of it

[sourcecode language="powershell"]
# The directory goes in the path and -Filter takes the wildcard pattern.
$list_of_files = Get-ChildItem $token_location -Filter "*.sdtid"
foreach ($file in $list_of_files)
{
Write-Host "Processing $file"
[/sourcecode]

Remember when I said the .SDTID file is XML at heart and that Powershell loves XML? Then let’s get the username associated with the token out of the file

[sourcecode language="powershell" padlinenumbers="true"]
Write-Host "Processing $file"
#Get the username out of the token file. $file is a FileInfo object, so use its
#full path rather than relying on the current directory.
[xml]$list = Get-Content $file.FullName
$username = $list.TKNBatch.TKN.UserLogin
[/sourcecode]
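To show the XML step on its own, here is an added example that is not part of the original post. The sample document is a constructed stand-in that only reproduces the TKNBatch/TKN/UserLogin path the script reads (the SN element and everything else about the real .sdtid layout is assumed, not taken from the page). Because UserLogin later becomes part of a file name, the function also rejects values that could not be a plain login, so a stray or malformed token file cannot make the script write outside the output folder.

```powershell
# Added example (not from the post). A constructed, minimal .sdtid-style document:
# only the TKNBatch/TKN/UserLogin path is taken from the post; the rest is assumed.
$sampleSdtid = @'
<?xml version="1.0" encoding="UTF-8"?>
<TKNBatch>
  <TKN>
    <SN>000123456789</SN>
    <UserLogin>jsmith</UserLogin>
  </TKN>
</TKNBatch>
'@

function Get-TokenUserLogin {
    param([Parameter(Mandatory = $true)][string]$XmlText)

    # Same cast the post uses: the string becomes a System.Xml.XmlDocument and
    # elements are reachable as properties.
    [xml]$doc = $XmlText
    $login = $doc.TKNBatch.TKN.UserLogin

    if ([string]::IsNullOrEmpty($login)) {
        throw "No TKNBatch/TKN/UserLogin element found in token data"
    }
    # The login is appended to "_Token.txt" to build a file name, so only accept
    # characters that cannot escape the output folder (no '\', '/', ':' and no
    # leading '.'). Adjust the pattern to your own AD naming convention.
    if ($login -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$') {
        throw "UserLogin '$login' contains characters not allowed in a file name"
    }
    return $login
}

function Get-TokenOutputFileName {
    param([Parameter(Mandatory = $true)][string]$XmlText)
    # Builds the same "<user>_Token.txt" name the post's script writes.
    return (Get-TokenUserLogin -XmlText $XmlText) + "_Token.txt"
}

# Demonstration on the constructed sample.
"Parsed login: $(Get-TokenUserLogin -XmlText $sampleSdtid)"
"Output file would be: $(Get-TokenOutputFileName -XmlText $sampleSdtid)"

# A document whose login would be a path fragment is refused instead of written.
try {
    Get-TokenUserLogin -XmlText ($sampleSdtid -replace 'jsmith', '..\..\jsmith')
} catch {
    "Rejected: $($_.Exception.Message)"
}
```

For a real file the text comes from `Get-Content $file.FullName`, exactly as in the script; PowerShell joins the lines when casting to `[xml]`, so the same function works on that input.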

So, why are we getting the username? Well, because with the AD cmdlets, we can use that to retrieve the email address!

[sourcecode language="powershell"]
Write-Host "Generating Token for $username"
# Uncomment for using AD
#$AD_user = Get-QADUser $username
#$user_email = $AD_user.email
[/sourcecode]

Great, we’ve gathered up a bunch of info and now it’s time to run the token converter. But it’s an old-school CLI tool, right? How do I get the output that contains that funky URL? Easy.

[sourcecode language="powershell" wraplines="true"]
#Generate the token URL and output to a variable (stdout of a native exe is captured)
$token_link = .\TokenConverter.exe $file.FullName -iphone
#Write out a file on a per-user basis with the iPhone Token URL inside it.
$filename = $username + "_Token.txt"
New-Item $filename -type file -Force -Value "URL for $username is $token_link"
#
[/sourcecode]

The output of the converter tool is now in the variable “$token_link”. Just to be safe, we’ll write out a text file with the contents of the URL.

Now, let’s send an email to the user with their custom URL for their token record.

[sourcecode language="powershell" padlinenumbers="true" wraplines="true"]
# Uncomment for using AD and sending email.
# Send-MailMessage requires -From; the address below is a placeholder, replace it with your own.
#Send-MailMessage -SmtpServer $smtpserver -From "securid-admin@yourdomain.example" -To $user_email -Subject "Your iPhone Token" -Body "Please click on the link provided $token_link to add the token to your iPhone"
}
[/sourcecode]

The closing “}” signifies that this is the end of the foreach loop we started with.

The script will chug thru each .SDTID file, generate the token URL and email it to the user.
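The loop above does no checking: a converter failure, an empty UserLogin or a missing AD email address would still produce a file and a mail. The following is an added example, not the post's script, that wraps the same steps in a function with the checks a practitioner would want before pointing it at a thousand files. It assumes TokenConverter.exe sits in the current folder and accepts the same `<file> -iphone` arguments the post uses, that the Quest snap-in has been loaded and connected as shown earlier, and that the converter prints only the `com.rsa.securid://ctf?ctfData=...` URL shown in the post (that shape is what the regex checks). The SMTP server and sender address are placeholders. The `-WhatIf` dry run lists what would be written and mailed without touching disk or the mail server.

```powershell
# Added example, not the post's script: a defensive version of the provisioning loop.
# Assumptions (not from the post): placeholder SMTP server and sender address, and a
# converter that prints only the token URL on success and a non-zero exit code on failure.
function Invoke-TokenProvisioning {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$TokenLocation = '.',
        [string]$Converter     = '.\TokenConverter.exe',
        [string]$SmtpServer    = 'smtp.yourdomain.example',         # placeholder
        [string]$From          = 'securid-admin@yourdomain.example' # placeholder
    )

    $results = @()
    foreach ($file in Get-ChildItem -Path $TokenLocation -Filter '*.sdtid') {
        $record = New-Object PSObject -Property @{
            File = $file.Name; User = $null; Email = $null; Status = $null
        }
        try {
            # Same XML lookup as the post; the login is checked before it becomes a file name.
            [xml]$doc = Get-Content $file.FullName
            $username = $doc.TKNBatch.TKN.UserLogin
            if ($username -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$') {
                throw "UserLogin '$username' is missing or not a safe file name"
            }
            $record.User = $username

            # A native tool signals failure through its exit code, not an exception.
            $tokenLink = ((& $Converter $file.FullName -iphone) -join '').Trim()
            if ($LASTEXITCODE -ne 0) {
                throw "TokenConverter exited with code $LASTEXITCODE"
            }
            # Only mail something that has the shape of the expected token URL.
            if ($tokenLink -notmatch '^com\.rsa\.securid://ctf\?ctfData=[0-9]+$') {
                throw "Converter output does not look like a token URL: '$tokenLink'"
            }

            $email = (Get-QADUser $username).Email
            if ([string]::IsNullOrEmpty($email)) {
                throw "No email address in AD for $username"
            }
            $record.Email = $email

            $outFile = Join-Path $TokenLocation ($username + '_Token.txt')
            if ($PSCmdlet.ShouldProcess($outFile, 'Write token URL file')) {
                New-Item $outFile -ItemType File -Force `
                    -Value "URL for $username is $tokenLink" | Out-Null
            }
            if ($PSCmdlet.ShouldProcess($email, 'Send token email')) {
                Send-MailMessage -SmtpServer $SmtpServer -From $From -To $email `
                    -Subject 'Your iPhone Token' `
                    -Body "Please click on the link provided $tokenLink to add the token to your iPhone"
            }
            $record.Status = 'OK'
        }
        catch {
            # One bad file must not abort the whole batch: record why and carry on.
            $record.Status = "FAILED: $($_.Exception.Message)"
            Write-Warning "$($file.Name): $($record.Status)"
        }
        $results += $record
    }
    return $results
}

# Dry run first: lists every file, user and address and what would happen,
# without writing files or contacting the mail server.
Invoke-TokenProvisioning -TokenLocation '.' -WhatIf |
    Format-Table File, User, Email, Status -AutoSize

# Real run, keeping a record of what was written and sent:
# Invoke-TokenProvisioning -TokenLocation '.' | Export-Csv provisioning-log.csv -NoTypeInformation
```

The per-user text files and the mail bodies both carry the token data, so treat the output folder and the provisioning log like any other credential material: keep them on a restricted share and remove the files once the users have imported their tokens.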

Wrap-up

The final script is here. I hope this was helpful. It shouldn’t take much to do the same thing for Android and other SecurID soft tokens. They all use the same Token Converter tool. I’ll leave it as an exercise for the reader to figure out how to make it work for them. RTFM :)

As always, read the EULA in the script and tread carefully. Most of all, I hope you enjoyed this as much as I did.

{UPDATE}
Line 43 below has a typo due to the Syntax Highlighter I use. Replace with this line only changing the word “bracket” to the appropriate open and close brackets with no spaces.

bracket xml bracket $list = get-content $file

mike

The Script

[sourcecode language="powershell"]
#
# Bulk iPhone Token creator
# Mike Foley, mfoley@rsa.com, 781-515-6391
# RSA, the Security Division of EMC
#------------------------------------------------------------------------------
# All information, statements, and descriptions herein are offered AS IS
# only and are provided for informational purposes only. EMC Corporation
# does not guarantee the performance of, or offer a warranty of any kind,
# whether express, implied, or statutory, regarding the information herein
# or the compatibility of the information herein with EMC Corporation software
# or hardware products or other products.
#------------------------------------------------------------------------------
# Requirements:
# Windows Powershell - Run Windows Update and you'll get it. Ships with Win7 and
# Win2008 by default
# Quest Active Directory cmdlets - Free download from
# http://www.quest.com/powershell/activeroles-server.aspx
#------------------------------------------------------------------------------
# SMTP Server you can send email thru. If you are using Exchange and your CORP
# account, uncomment and point $smtpserver at a CORP Exchange server and the
# script will use your current AD credentials to automatically log in.
# The value is a string, so keep the quotes.
#
# $smtpserver = "192.168.1.1"
#
# To take advantage of the Active Directory stuff, uncomment the code below and
# have a valid account that can browse the AD store
#
# Connect to any available domain controller with the credentials of the locally
# logged on user.
# See Help Connect-QADService -examples for more info
# Uncomment for using AD
#Add-PSSnapin quest.activeroles.admanagement
#Connect-QADService
#
# $token_location is the directory that the sdtid files are located in.
# Current value is the same folder this script is in.
$token_location = "."
# The directory goes in the path; -Filter takes the wildcard pattern.
$list_of_files = Get-ChildItem $token_location -Filter "*.sdtid"
foreach ($file in $list_of_files)
{
Write-Host "Processing $file"
#Get the username out of the token file. Use the full path so the script does
#not depend on the current directory.
[xml]$list = Get-Content $file.FullName
$username = $list.TKNBatch.TKN.UserLogin
Write-Host "Generating Token for $username"
# Uncomment for using AD
#$AD_user = Get-QADUser $username
#$user_email = $AD_user.email
#
#Generate the token URL and output to a variable
$token_link = .\TokenConverter.exe $file.FullName -iphone
#Write out a file on a per-user basis with the iPhone Token URL inside it.
$filename = $username + "_Token.txt"
New-Item $filename -type file -Force -Value "URL for $username is $token_link"
#
# Uncomment for using AD and sending email.
# Send-MailMessage requires -From; the address below is a placeholder, replace it with your own.
#Send-MailMessage -SmtpServer $smtpserver -From "securid-admin@yourdomain.example" -To $user_email -Subject "Your iPhone Token" -Body "Please click on the link provided $token_link to add the token to your iPhone"
}
[/sourcecode]