000032282 - How to synchronize RSA SecurID tokens in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Oct 25, 2019

Article Content

Article Number: 000032282
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
  • Due to time being off on the RSA Authentication Manager server, some tokens have become out of sync.
  • A large group of tokens needs to be resynchronized.
Tasks
  1. Correct time and set an outside NTP server to prevent time from becoming unstable.
  2. Connect to the RSA Authentication Manager primary server and run the command ./rsautil sync-tokens to generate a report showing token status.
  3. Run ./rsautil sync-tokens again to modify tokens to be in proper sync with the server. 
Resolution

Before running a modify command that will affect the tokens' ability to authenticate, discuss your issue with RSA Customer Support. While editing the token offset is a way to restore authentication to tokens that are outside the acceptable token authentication window, editing the token offset for all tokens can put tokens that are currently authenticating properly into a non-functional state.

Prerequisites

  1. All RSA Authentication Manager 8.x servers must have the correct time before proceeding, and be within ten seconds of each other (except for timezone differences).  If any of the servers have time that is incorrect by more than eight minutes, contact RSA Customer Support for assistance before proceeding. 
  2. If Authentication Manager 8.x is running on a virtualization platform such as a VMware ESX host or Microsoft Hyper-V, then all of the ESX hosts that are being used (or could potentially be used in the future with VMware's vMotion or Hyper-V's Live Migration) need to have the correct time set by NTP.
  3. Authentication Manager 8.1 patch 2 fixes a problem related to NTP issues during startup. Part of the fix can trigger an alert from a single failed NTP request, which some customers consider oversensitive.
  4. It is recommended to verify that there are NTP server entries for both a primary and a secondary hostname or IP address, to reduce alerts.

 * * * 

Run the sync-tokens utility

  1. Launch an SSH client, such as PuTTY.
  2. Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that a different user name may have been selected during Quick Setup. Use that user name to log in.

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>

  3. Navigate to /opt/rsa/am/utils.
  4. Run the sync-tokens wizard to generate a report of all of the tokens in the deployment using the options shown below.

Note that the administrator user ID and password requested must be for an administrative user in the internal database.

rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil sync-tokens -I
Authenticator Bulk Synchronization Utility 8.1.1.8.0 (1380648)
Copyright (C) 1994 - 2014 EMC Corporation. All Rights Reserved.
Enter the absolute path for the output report file               : /tmp/token_report.txt
Enter the base security domain name for recursive search [(none)]: <press Enter to select none>
Enter the type of token selection                [ (all) | file ]: <press Enter to select all>
Choose a token filter          [ assigned | unassigned | (both) ]: <press Enter to select both>
What action do you wish to perform?           [ (list) | modify ]: <press Enter to select list>
Enter administrator user ID                                      : <enter the name of a SuperAdmin user>
Enter administrative password                                    : <enter the password for the SuperAdmin user>
Authenticator Bulk Synchronization Utility 8.1.1.8.0 (1380648)
Copyright (C) 1994 - 2014 EMC Corporation. All Rights Reserved.

Determining if an offset value needs to be modified

  1. Using cat, open /tmp/token_report.txt:

rsaadmin@am82p:/opt/rsa/am/utils> cat /tmp/token_report.txt

  2. The token_report.txt file shows the token offset values under Clock Offset.

In the example below, the Clock Offset values are zero. If the Clock Offset values are large, you may need to modify them back to zero using the utility.


Token Serial Number   Clock Offset   Next Tokencode Mode Status   Last Login Date/Time
000116033640          0              false                        None
000116033641          0              false                        None
000116033642          0              false                        None
000116033643          0              false                        None
000116033644          0              false                        None
000116033645          0              false                        None
000116033646          0              false                        None
000116033647          0              false                        None
000116033648          0              false                        None
000116033649          0              false                        None
000116033650          0              false                        None
000116033651          0              false                        None
000116033652          0              false                        None
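Reading a large report by eye to spot non-zero Clock Offset values is error-prone, and the warning above is that a blanket modify can break tokens that are still authenticating. The following script is an added example, not part of the RSA article or of the rsautil utility: it lists only the tokens whose offset exceeds a threshold and writes their serial numbers to a file. It assumes (these are assumptions, not documented formats) that the report is tab-separated with header lines starting with '#', and that the "file" token selection accepts one serial number per line; the sample report it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the RSA article or the rsautil utility.
# Assumed report layout (tab-separated, header lines start with '#'):
#   serial, clock offset (seconds), next tokencode mode, last login.

# Constructed sample report so the script runs offline; offsets are made up.
make_sample_report() {
    printf '# Token Serial Number\tClock Offset\tNext Tokencode Mode Status\tLast Login Date/Time\n' > "$1"
    printf '000116033640\t0\tfalse\tNone\n' >> "$1"
    printf '000116033641\t0\tfalse\tNone\n' >> "$1"
    printf '000116033642\t-75\ttrue\tNone\n' >> "$1"
    printf '000116033643\t480\tfalse\tNone\n' >> "$1"
}

# Print "serial<TAB>offset" for every token whose |offset| exceeds $2 seconds.
drifted_tokens() {
    awk -F'\t' -v limit="$2" '
        /^#/ || NF < 2 { next }                 # skip header and blank lines
        { off = $2 + 0; if (off < 0) off = -off } # absolute value of offset
        off > limit { printf "%s\t%d\n", $1, $2 }
    ' "$1"
}

# Number of drifted tokens: the blast radius of a modify run on that set.
count_drifted() {
    drifted_tokens "$1" "$2" | wc -l | tr -d ' '
}

# Write the drifted serials, one per line, for use with the "file" token
# selection so a modify run touches only those tokens (assumed file format).
write_serial_list() {
    drifted_tokens "$1" "$2" | cut -f1 > "$3"
}

if [ "${1:-}" = "demo" ]; then
    make_sample_report /tmp/token_report_sample.txt
    drifted_tokens /tmp/token_report_sample.txt 60
    echo "drifted: $(count_drifted /tmp/token_report_sample.txt 60)"
fi
```

Run it as `sh script.sh demo` against the constructed sample, or point drifted_tokens at the real /tmp/token_report.txt once you have confirmed its delimiter.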

Modifying the offset value

If modifying the offset values is necessary, take a backup of the database before continuing. From the Operations Console select Maintenance > Backup and Restore > Back Up Now.

  1. Modify the clock offset value listed in the report by selecting the options listed below:

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil sync-tokens -I
Authenticator Bulk Synchronization Utility 8.1.1.8.0 (1380648)
Copyright (C) 1994 - 2014 EMC Corporation. All Rights Reserved.

Enter the absolute path for the output report file               : /tmp/sync_token.txt
Enter the base security domain name for recursive search [(none)]: <press Enter to select none>
Enter the type of token selection                [ (all) | file ]: <press Enter to select all>
Choose a token filter          [ assigned | unassigned | (both) ]: <press Enter to select both>
What action do you wish to perform?           [ (list) | modify ]: <type modify to select modify>
Enter type of clock offset value  [ absolute | relative | (none)]: <type absolute to select absolute>
Enter clock offset value                                      [0]: <press Enter to select 0>
Do you want to reset the Next Tokencode Mode?             [ y/n ]: y
Do you want to reset the last login date and time?        [ y/n ]: n
Do you want to clear user lockout information?            [ y/n ]: y
Do you want to reset the shutdown date?                   [ y/n ]: n
Enter administrator user ID                                      : <enter the name of a super admin user>
Enter administrative password                                    : <enter the password for the super admin user>
Authenticator Bulk Synchronization Utility 8.1.1.8.0 (1380648)
Copyright (C) 1994 - 2014 EMC Corporation. All Rights Reserved.

  2. Run the sync-tokens wizard again, using the list action, to ensure your modifications were made and are reflected in the output report file.