RSA CTKIP URLs
I am facing an interesting error. My deployment consists of one primary and one replica instance, and I also have a webtier installed. I have imported soft tokens and hard tokens. Everything is working fine except CT-KIP token distribution. I have a question: when I install a web tier server and enable Dynamic Seed Provisioning, does it automatically move the CT-KIP service from the primary instance to the web tier? And how can I verify which server the CT-KIP service is running on?
When I try to import a token on my phone I get an error "Token Import failed" contact your system admin.
CTKIP will be on the webtier if you have enabled that on webtier, and it will also be on the self-service console. You could edit the webtier URL to be the self-service console and port 7004, and either one could do CTKIP. Whichever one is used first will expire that CTKIP link.
We have Web Tier implemented.
When we try to import CT-KIP software token (QRCode) we got "Token Import Failed" error.
The QRCode URL is:
As our mobile phone can't access our local server, how do we set this default URL to point to our Web Tier?
That is the point of the Virtual Hostname. You specify an externally visible hostname and get it into public DNS, then that address leads to your webtier hosts. You'll need a commercial SSL certificate or the end user devices may not trust it.
A good place to start is the RSA Authentication Manager 8.4 Setup and Configuration Guide, specifically the chapters on Configuring a Load Balancer and Virtual Host, and Installing Web Tiers. The Help menu in the Security Console can give you more information as well as step-by-step instructions.
In the Security Console, look up the option in the Help menu to change the CTKIP URL to whatever you want (which will be the webtier). It will be Security Console, Setup, System Settings, Tokens page.
NOTE: The built-in Self-Service Console CT-KIP will remain working and always be port 7004 [ https://primary.name.com:7004/... ], and any time you create a URL that is the webtier, you could change it by hand to be the self-service page. Both will keep working, and the CT-KIP token can be delivered by whichever one you use first.
This page here sets what URL gets sent to users to retrieve tokens, but the internal one is always up, as well as the webtier.