000038577 - Details on RSA SecurID tokens and RSA Authentication Manager licenses

Document created by RSA Customer Support Employee on Mar 18, 2020Last modified by RSA Customer Support Employee on Mar 18, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000038577
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager, RSA SecurID Tokens
IssueMany support cases are opened related to issues where RSA Authentication Manager licenses have been purchased, but not RSA SecurID tokens, or vice versa. This causes issues in a deployment because there are either not enough available licenses to assign more tokens or not enough tokens available to assign to new users, even after the license is increased.

This article provides detail on the differences between RSA SecurID tokens (both hardware and software) and a user license for RSA Authentication Manager and what must be purchased to increase the number of users with tokens in your deployment.

ResolutionWhen making a new purchase for either RSA SecurID hardware or software tokens or additional user licenses, be mindful that tokens and licenses are separate purchases and may require you to specifically state what you are trying to order.

RSA Authentication Manager licenses

An RSA Authentication Manager license provides the upper limit of the number of active users who are allowed in a deployment of the software. To view license information, 

  1. Log in to the Security Console.
  2. Browse to Setup > Licenses > Status, as shown here: 

  1. In the screenshot above, the software license is for 100,000 users to have one or more authenticators assigned to them. Here, only 1,673 licenses have been used.

If you are assigning tokens to new users, but the Actual number is close to, or at the Limit number, you must specify to your RSA sales rep or your reseller during the purchase process that you need both a new license and additional token seeds. Once you reach the Actual number, you cannot assign more tokens to users.

The serial number can be found in the same location as when selecting View installed licenses. Select the drop-down on a LID number, and choose View.

Ensure that the new license is issued with a serial number that matches your currently installed production serial number. If you are using a trial license, see 000013162 - The customer account identifier in the license does not match that stored in the system message when installing an RSA Authentication Manager license for steps to uninstall the trial before applying the production license.


License limit has been exceeded message

This warning is an indicator that you have reached 95% of the license limit. Tokens can still be assigned but consider either unassigning tokens from users who no longer need them, or purchasing a larger license.

RSA SecurID hardware and software tokens

Each user can possess up to three authenticators or tokens which only count against the user license once. This is why there can be a difference between the Actual number that you see under the license status and what you see for number of assigned tokens.

  1. Log in to the Security Console.
  2. Browse to Authentication > SecurID Tokens > Manage Existing.
  3. Choose the Unassigned tab.
  4. The page that is shown here displays the currently installed tokens in the system. As shown, search results can be filtered at left to show tokens that are currently not expired and are ready for use. 


RSA SecurID Risk Based Authentication (RBA) and On-Demand Authentication (ODA)

You must have an Enterprise License for Risk Based Authentication (RBA) or On-Demand Authentication to enable these options. Confirm the license type in the Security Console under Setup > License Status.

If a user does not already have a token assigned to them, enabling them for RBA/ODA adds a user to both the Users with assigned authenticators license and the RBA/ODA license.

If a user already has a hardware or software token assigned to them, enabling them for RBA/ODA increases the RBA/ODA license.
NotesThe RSA Authentication Manager license shows the maximum number of users that can have tokens assigned. That being said, despite the Limit value for a license, there can be millions of users in the RSA Authentication Manager database and millions of RSA SecurID token seeds imported. The Actual value increases by one when one or more authenticators are assigned to a user.

Authenticators can be any combination of hardware tokens, software tokens, RBA/ODA, and fixed passcode (maximum of one fixed passcode), with a maximum of three per user.

RSA Authentication Manager licenses are imported into the system using Setup > Licenses > Add New

RSA SecurID token seed records are added to the deployment by browsing to Authentication > SecurID Tokens > Import Tokens Job > Add New.

For information about decrypting an RSA SecurID token pack so it can be imported into the Security Console, go to 000029318 - Information on the RSA SecurID protected delivery program and how it will impact the token record media decryption process for customers.