000037940 - Can RSA SecurID tokens exist in more than one RSA Authentication Manager deployment?

Document created by RSA Customer Support Employee on Oct 23, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037940
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4.0
IssueCan RSA SecurID tokens exist in more than one RSA Authentication Manager deployment?
ResolutionIt is technically possible to import the token XML record into different RSA Authentication Manager primary instances; however, it is not recommended for the following reasons:
  • Hardware token seed records existing in multiple Authentication Manager deployments put each Authentication Manager deployment at risk. Each Authentication Manager deployment where the token record has been imported knows the same token code being displayed on the token and this could lead to compromising each Authentication Manager deployment.
  • PIN management for the token may be confusing for the end user as the end user would have to ensure they create and use the same PIN for the different Authentication Manager deployments.
  • RSA Authentication Manager is a time synchronous solution and the token records have a clock offset value to ensure the end user can always authenticate in an Authentication Manager deployment. Should the same token exist in another Authentication Manager deployment, there is no guarantee this token record in the other Authentication Manager deployment will have the same clock offset value and there is a likelihood that the token will authenticate in one Authentication Manager deployment but not the other or vice versa.
A better approach would be to set up a trusted realm (either a one-way or two-way trust) between the Authentication Manager deployments.  Detailed information on trusted realms and related tasks can be found on RSA Link.